The week your MDM, your CLI surface, and your margin model all became attack surfaces

Iranian operators pressed one button in Microsoft Intune and wiped 200,000+ Stryker medical devices. Surgeries got cancelled. Maryland hospitals fell back to radios. In the same intelligence cycle, Luxembourg's government MDM pushed malware to 4,850 phones, and WithSecure ran live IR on two Ivanti EPMM zero-days (CVE-2026-1281, CVE-2026-1340) that were exploited before patches existed.

If your MDM admin console is protected by the same MFA you use for email, you are one phished admin away from owning nothing.

This is the week to internalize that MDM is a Tier 0 asset. Same blast radius as a domain controller. Same controls: phishing-resistant FIDO2, multi-party approval for any bulk operation that touches more than ten devices, and an IR playbook that treats Intune/JAMF/EPMM admin compromise as a crown-jewel event. Stryker's 200K wipe was a single legitimate operation issued from a compromised admin. Dual-authorization would have stopped it.

The agent interface layer crystallized in seven days

While the security team was triaging MDM, the product surface of the entire B2B software industry shifted under everyone's feet. Stripe, Visa, Ramp, ElevenLabs, Sendblue, Kapso, Resend, Google Workspace, Discord, and Cloudflare all shipped CLIs in the same week, explicitly designed for AI agents to operate. Stripe's Projects.dev is the load-bearing one: stripe projects add posthog/analytics creates the account, generates the keys, configures billing — one subprocess call, deterministic enough for agents to run unattended.

This is the App Store moment for B2B services. If your service isn't in Stripe's catalog when agents start provisioning, agents will provision your competitor instead. Cloudflare priced agent execution at $0.002/day to kill the build-your-own option. Apple's iOS 27 opens Siri to all AI providers at the standard 30% commission. The toll booths are getting built now.

The surprising part: agents work better with CLIs than with MCP for provisioning. Subprocess execution is deterministic, scriptable, and credentialed. The simpler interface won, the way REST won over SOAP. For hot-path data operations, keep your SDK. For provisioning, ship a CLI this quarter or accept that agents won't find you.

The trust model hasn't caught up. Andrew Ng's Context Hub — an MCP server feeding documentation to coding agents — merged 58 of 97 PRs (59.8%) without content review. Researchers planted fake PyPI package names in Plaid and Stripe docs as proof. No malware required. Your coding agent reads the poisoned docs and recommends pip install stripe-payments-sdk. SAST is blind to it. SCA is blind to it. The payload only enters your system when the agent does what it was asked to do.

OpenClaw — an autonomous agent shipped with default shell execution and untrusted data interpolated into system prompts — accumulated 104 CVEs in 18 days. That is 200x LangChain's lifetime rate. The root cause of CVE-2026-27001: a working directory path embedded as a plain string in the system prompt, exploited via Unicode bidirectional markers. The fix is architectural, not sanitization. Treat the LLM's instruction context and its data context as separate planes.

Vertical AI just won the model debate

Intercom's Fin agent crossed ~$100M ARR resolving roughly 2 million customer service issues per week — outperforming GPT-5.4 and Opus 4.5 on customer service. This is the cleanest proof point yet that domain data flywheels beat raw model access. Cursor productized the same idea: model checkpoints redeployed every five hours using production accept/reject as reward signal. NVIDIA's ProRL Agent showed that decoupling rollout from optimization nearly doubled Qwen 8B's SWE-Bench from 9.6% to 18.0% — pure infrastructure work, no algorithmic change. A lot of published agent benchmarks are measuring pipeline ceilings, not model capability.

The harness is the product. The base model is becoming table stakes.

Which is awkward, because the margin underneath all of this is broken. Across 18 SaaS earnings calls, AI revenue is margin-neutral. Salesforce's $800M Agentforce ARR doesn't move profitability. AI products run at ~30% gross margins against SaaS's ~75%, because compute scales linearly with engagement — the inverse of the thing that made SaaS comps work. Anthropic's leaked Mythos/Capybara tier is described internally as both a step-change in capability and "expensive to run." The cost ceiling is rising, not falling.

If you're applying 10-15x revenue multiples borrowed from SaaS to AI products at 30% margins, you're implying 33-50x gross profit multiples. That correction is coming.

Meanwhile OpenAI hit $100M annualized ad revenue in six weeks with under 20% user penetration — the fastest ad-product ramp in digital history — while quietly losing the enterprise race to Anthropic (40% share vs 27%, per Menlo). The $10B PE JV with TPG/Advent/Bain/Brookfield to push enterprise distribution is what stalled organic growth looks like dressed up as strategy. The split is real: attention monetizers on one side, capability sellers on the other, and consumer engagement metrics no longer predict either.

What to do this week

One thing, not five. Open a spreadsheet and put your top three AI features down the rows. For each one, fill three columns: gross margin at current usage, gross margin at 5x usage, and what changes in your pricing or model routing if Capybara-tier inference costs land where they're rumored to land. If any row goes negative at 5x, that feature is on flat-subscription pricing and shouldn't be. Route 80% of its traffic to Nemotron 3 Super or equivalent ($0.30/$0.80 per million tokens, 442 tok/s, 91.75% RULER at 1M) and reserve frontier for the calls that actually need it.

Then send the spreadsheet to whoever owns pricing. The conversation you have on Friday determines whether your AI line item is a product or a subsidy.