The harness is the moat, and the harness is the breach

Meta paid roughly $2B for Manus. Not the weights — the harness. Memory, skills, protocols, evaluation, compression. The plumbing nobody puts on a slide.

That's the cleanest M&A signal we've gotten on where AI value actually accrues, and it landed in a week where every other signal pointed the same direction. Alibaba's Qwen3.6, quantized to 21GB, beat Claude Opus 4.7 on spatial reasoning while running on a MacBook. GRPO plus RULER collapsed the reward-engineering and labeled-data barriers to RL fine-tuning into an open-source notebook. A fine-tuned Qwen3-0.6B now runs at 25 tok/s on an iPhone 17 Pro in a 470MB artifact, on a runtime — ExecuTorch — already shipping inside Instagram and WhatsApp. Anthropic's 81,000-person, 159-country survey reported that the number-one user concern isn't capability. It's reliability.

The model is the commodity. The harness is the product. Your distribution, your evaluation rig, your process data, your orchestration — that's what someone will pay $2B for, and that's what your users are actually grading you on when they call your AI "unreliable."

What the harness actually is

Manus's taxonomy is worth stealing wholesale. Memory splits into working context, semantic knowledge, and episodic experience. Skills are operational procedures, decision heuristics, and constraints. Protocols are agent-to-user, agent-to-agent, agent-to-tools. Sandboxing, observability, compression, and evaluation sit underneath all of it.

Most teams I talk to have 80% of their AI investment in model selection and prompt engineering, and 20% in everything else. That ratio is upside down. Boris Cherny — who built Claude Code — claims evaluation alone drives 2-3x quality gains. I believe him, because every team I've watched ship a serious AI product hit the same wall: the model is fine, the prompts are fine, but they have no way to know when the system is wrong. So they ship slowly, or they ship confidently and break things.

Canva's edit-sequence training is the other half of the lesson. They don't train on finished designs — they train on the ordered sequence of human edits that produced them. That data is structurally impossible to reproduce without 265M monthly users. If your product captures user process — the iterations, the corrections, the path from draft to publish — and you're only logging it for analytics, you're sitting on the moat and using it as a doormat.

The same week, the harness became the breach

The shadow-AI side of this story is harder to look at, because every CISO conversation in Q1 ended in some version of "defeated." Four vectors are open at once. Sales teams paste customer lists into Chrome extensions with AI features. Copilot inherits a decade of stale SharePoint ACLs and surfaces board decks to interns. PMs run Claude Code against production Jira with personal tokens and no audit trail. AI coding assistants hallucinate plausible package names — and attackers are already squatting them on public registries.

That last one deserves to be sat with. When Cursor or Claude Code suggests import fast-json-validator and that package doesn't exist, the next person who registers it owns code execution in your CI. The vector grows automatically with adoption. Most CISOs admit they don't know if their org is even vulnerable to plain dependency confusion, let alone the AI-amplified version.

Underneath that, Johns Hopkins' ManyIH work showed frontier models — Claude, GPT-series, Gemini — fail to reliably resolve instruction conflicts across multiple privilege tiers. The degradation scales with orchestration depth. Which is exactly the architecture every agentic product announced this quarter relies on. System prompt, then user input, then tool-returned content. The model can't tell you which one wins, and Wharton showed that wrapping a request in authority, commitment, or scarcity framing more than doubles the rate at which it complies with things it shouldn't. Claude and GPT-4.1 were used operationally in a real exfiltration attack on Mexican citizen data. AI-assisted offense is no longer a slide deck.

What to do this week

Two moves, neither of them strategic.

First, stop treating LLM safety alignment as a security boundary. It isn't one. Build an independent policy layer your product enforces regardless of what the model decided to do. Tool calls validated against an explicit allowlist with per-session rate limits. Structured outputs that physically can't express unauthorized actions. Private package registries that take resolution priority over public ones, with internal names defensively registered on npm and PyPI. GitHub Actions pinned to commit SHAs, not tags. None of this is novel. All of it is the table stakes that nobody funded because AI rollout budgets paid for licenses and enablement, not the security around them.

Second, instrument the harness. If you can't tell me your KV-cache hit rate per agent session, your evaluation pass rate per skill, your tool-call audit log, and which agents in your org have production credentials and what they did yesterday — you don't have a harness. You have a model with hope around it. Pick one of those four to instrument this week. The others get added next sprint.

The through-line from Meta's $2B to the CISO's defeat is the same fact: the layer around the model is where everything happens now. The value, the moat, the reliability your users keep asking for, and the breach you haven't seen yet. Build it on purpose, or someone else's harness will be running through your environment by Q3.