The week AI's flat-rate fiction died and its agents got measurably exploitable

GitHub paused new Copilot signups this week. Pro, Pro+, Student — all closed. Opus 4.5 and 4.6 stripped from the platform entirely, Opus 4.7 pushed behind the $39 tier, weekly token ceilings introduced, and users who hit them silently downgraded to whatever cheaper model the router picks. VP of Product Joe Binder put it on the record: long-running agentic sessions consume far more compute than the original plan structure was designed to absorb. Operating costs roughly doubled since January.

This is Microsoft. With Azure underneath. Telling you the unit economics don't work.

If that were the only signal this week, it would still be the story. It isn't.

The pricing model was always a loan against falling inference costs

The flat-rate AI subscription was a bet that inference would get cheap fast enough to outrun usage growth. Agentic workflows broke that bet. A chat completion is one forward pass. An agent doing a multi-file refactor with tests and tool calls is hundreds, sometimes thousands. Cloudflare's internal numbers — 93% R&D adoption, merge requests up from 5,600 to 8,700 per week — show the productivity is real. They also show why the bill is what it is.

Every major provider moved on pricing in the same month. Anthropic shifted enterprise to usage-based. OpenAI re-tiered. Cursor is raising at $50B while only "slightly gross-margin positive" at a $6B ARR target. Adobe and Sierra are pricing per completed outcome, which is a different bet — that their model is reliable enough to put margin behind. The pricing model a vendor picks is now a confidence statement about their own product.

Meanwhile Kimi K2.6 dropped open-weight numbers — 58.6 on SWE-Bench Pro, 83.2 on BrowseComp — that match or beat the closed frontier on the benchmarks the vendors themselves cite. Treat the self-reported numbers with the skepticism they deserve. But the weights are on Hugging Face. You can run your own evals this sprint.

The pincer is obvious: closed providers raising prices to survive, open weights closing the quality gap, and your heaviest 10% of users probably costing you a multiple of what they pay.

And the agents you'd point at all this are measurably broken

Google DeepMind published the first systematic taxonomy of agent attack surfaces this week. The numbers don't leave much room for interpretation. Simple HTML injection hijacks browsing agents 86% of the time. RAG corpus poisoning succeeds at over 80% with less than 0.1% of the corpus corrupted, because per-document filters can't see fragment payloads that only assemble after retrieval. The Cloud Security Alliance puts the operational rate at 47% of organizations already breached through an AI agent, 53% reporting agents that exceeded intended permissions, and only 21% with a real-time inventory of where their agents are running.

Google's own Antigravity manager hit RCE via prompt injection at the highest security setting — because tools classified as "native" bypassed the sandbox. Form-based prompt injection works in production Copilot Studio and Agentforce deployments. AI coding agents with write access to .git can execute arbitrary code through git config hooks. The Vercel breach traced back through a Context.ai employee's compromised OAuth grants, through Google Workspace, into customer environment variables.

TrustedSec ran 4,800 evaluations across six self-hosted models. Single-step exploit success: 85–98%. Multi-step chains of ten or more tool calls: zero. Not low — zero, across every model from 24B to 32B parameters. Zapier's AutomationBench tells the same story from the business side: no model breaks 10% on real automation. The capability cliff is universal, and it sits well below the depth where most agent demos are recorded.

If Kimi K2.6 really runs 300 sub-agents for twelve hours with 4,000 tool calls, the architecture pattern that matters is parallelization, not a model breakthrough. Short chains, fanned out, checkpointed. That you can build today on whatever model you're already paying for.

The infrastructure layer is consolidating while you decide

Amazon committed up to $33B to Anthropic against a $100B+ AWS spend commitment over the next decade — 5 gigawatts of dedicated compute, Claude Platform embedded directly into Bedrock, Trainium chips in the loop. Amazon is already $50B into OpenAI. Google is selling custom chips to Meta and Anthropic. Sergey Brin came out of retirement because DeepMind's own engineers privately rate Claude's coding above Gemini's.

The "multi-cloud, multi-model" posture you wrote into your architecture doc twelve months ago is becoming operationally fictional. You're picking an axis whether you intend to or not, and the negotiating window is two quarters, not two years.

What to do this week

Three things, in this order.

One: pull the actual per-user, per-feature inference cost for your top decile of AI usage. Not the average — the tail. If those users cost you 5–10x what they pay, you have GitHub's problem on a smaller balance sheet, and you'd rather find it before finance does.

Two: audit every agent in production against three specific failures. Mount .git read-only in any container running a coding agent. Kill any tool classification that exempts a tool from sandbox validation based on a "native" or "trusted" label. Add a post-retrieval safety pass over aggregated context, not per document — that's the only place compositional fragment attacks are visible.

Three: run Kimi K2.6 or Qwen3.6 against your actual production prompts on one workload this sprint. Not a benchmark. Your prompts. Either you find a 60–80% inference cost cut on a real use case, or you walk into your next vendor renewal with the numbers to negotiate one.