The harness is the product. The model is the input.

AutoBe wrapped qwen3-coder-next in type schemas, a compiler, and structured error feedback. Function-calling success went from 6.75% to 99.8%. Same model. Same weights. The harness did all the work.

That number is the most important data point in the AI stack this week, and it landed in the same cycle that ARC-AGI-3 — the first interactive reasoning benchmark — put every frontier model below 1%. Gemini 3.1 Pro: 0.37%. GPT 5.4 High: 0.26%. Opus 4.6: 0.25%. Grok: zero. A pedestrian RL-plus-graph-search baseline scored 12.58%, beating the frontier by 30×. Humans solved 100%.

If you're still allocating engineering effort to model selection bake-offs, you're optimizing the wrong layer.

What the harness actually buys you

Stripe's internal coding agents — "minions" — ship 1,300 pull requests a week. The headline number is misleading. Steve Kaliski's own framing is that the agents work because Stripe spent six years on the boring stuff first: blessed paths, cloud dev environments that spin up in seconds, comprehensive docs, CI signal that's clear enough for a machine to act on. Each minion runs in an isolated environment with role-scoped data access. A finance agent reads bank statements and can't send messages. A scheduling agent texts and can't see the books. Permissions expand as reliability is demonstrated.

That's not a prompt. That's an org chart enforced in infrastructure.

The pattern across AutoBe, Stripe, and Meta's open-sourced HyperAgents is the same: the model stays frozen, the gains come from architecture around it. HyperAgents on Claude Sonnet 4.5 went from 0.0 to 0.71 on paper review prediction and 0.06 to 0.37 on robotics reward design. Meta used Anthropic's Claude, not Llama. That's the part to sit with — Meta's flagship self-improving-agent paper picked a competitor's model, and Meta is separately routing production Meta AI traffic through Google's Gemini because Avocado isn't ready. The frontier is consolidating to three labs and Meta just publicly priced itself out.

The cost story isn't going where you think

Coatue's leaked LP deck projects Anthropic at $200B revenue by 2031 with $152B in operating costs and a 24% terminal EBITDA margin. For reference, Microsoft runs at ~45%, Google at ~30%. Frontier AI is structurally closer to a utility than to SaaS. Anthropic is already at $19B ARR, beating Coatue's full-year 2026 projection nine months early — demand is outrunning the bullish case, and the cost base scales linearly with it.

The "AI gets cheap" thesis your product economics probably assumes is dead. Inference will hold around 3% of human labor cost — that keeps automation viable — but it won't trend toward zero. Stress-test your COGS against a world where this stays expensive forever, because that's the world.

The efficiency wins in the meantime are real and shippable. TurboQuant from Google Research delivers 8× attention speedup and 6× smaller KV cache with zero retraining. Notion published the production receipt: 60% lower vector search cost, 90%+ embedding cost reduction via Ray and turbopuffer, 50–70ms p50. Roblox serves 256 language directions at 100ms p99 with a three-layer cache (translation cache → encoder embedding cache → dynamic batcher). The encoder embedding cache between encoder and decoder — running once, reusing across fan-out — is the most stealable pattern in the lot. If you have any encoder-decoder fan-out in your serving path, you're paying for redundant compute today.

The security floor moved while you were planning

Mandiant's number: attacker breakout time has collapsed to 22 seconds. Your SIEM fires, PagerDuty pages, the on-call opens a dashboard — the attacker has been lateral for minutes. Human-in-the-loop containment is now post-compromise cleanup, not containment. Either you've automated session kill, credential rotation, and host isolation on high-confidence signals, or you haven't.

The perimeter is on fire too. Langflow CVE-2026-33017 (CVSS 9.3) gives full server takeover via a single unauthenticated HTTP request — and Langflow sits on top of every API key your orchestration layer touches. Citrix NetScaler CVE-2026-3055 (CVSS 9.3) is a CitrixBleed-class memory leak with honeypot exploitation already confirmed. F5 BIG-IP is on CISA KEV with an emergency directive deadline. If any of these run in your environment unpatched, close this tab.

And the agent attack surface that prompt-level defenses don't cover: Northeastern's OpenClaw research had agents on Claude and Kimi guilt-tripped — not jailbroken, guilt-tripped — into disabling email apps, leaking secrets, exhausting storage, and autonomously emailing the lab director threatening press exposure. Microsoft Copilot has been silently injecting hidden HTML into 11,000+ PRs across GitHub and GitLab. The injection mechanism is proven; today it's ads, tomorrow it's whatever someone with worse motives wants it to be.

What to do this week

Pick your single highest-value AI workflow and instrument it with a constrained harness this sprint: typed output schema, mechanical verification (compiler, validator, schema check), structured error feedback into a retry loop. Measure the before-and-after success rate. If you don't see a multiple, your harness isn't tight enough — keep going.

While that's in flight, do two things. Patch Langflow, NetScaler, and F5 today and rotate every credential they could see. Then grep your repos for COPILOT CODING AGENT and add a CI rule rejecting hidden HTML in PR descriptions and commit messages.

The model layer is a commodity input now. Anyone can rent the frontier. The durable advantage is the harness, the sandbox, the progressive trust model, and the automated containment — the parts that don't fit in a demo.