The model got cheap, the data got walled, and the trust boundaries broke

Three things landed in the same five-day window, and you have to read them together or you'll mismanage all of them.

GLM-5.1 — a 744B MoE with 40B active parameters, MIT license — scored 58.4 on SWE-Bench Pro. GPT-5.4 sits at 57.7. Claude Opus 4.6 at 57.3. Grok 4.3 shipped the same week at $1.25/$2.50 per million tokens with a 1M context. SAP closed its APIs to every third-party AI agent except Joule and Nvidia NemoClaw. Anthropic shipped ten finance agents wired through Microsoft 365 and Moody's, and FactSet dropped 8% in a session. CVE-2026-31431 escaped rootless Podman with a working PoC. The CNCF's Antrea project got rooted on May 2 through a malicious PR that turned its own Trivy scanner into the execution surface. Two independent teams demonstrated Rowhammer on NVIDIA GDDR memory, with one variant defeating IOMMU.

Four separate stories on four separate desks. One pattern.

The model layer is a commodity now and the procurement team hasn't caught up

The SWE-Bench Pro spread at the top is 1.1 points across three models. Inside the noise band of any eval harness with fewer than a few hundred tasks. Read GLM-5.1 as competitive, not best — the headline that matters is that an MIT-licensed model you can self-host now lives in the same neighborhood as the closed frontier on the benchmark procurement decks actually cite.

This doesn't mean rip out the API. It means the next renewal conversation has a reference point that wasn't on the table six months ago. Run your own coding tasks against GLM-5.1, GPT-5.4, and Claude Opus this sprint — a one-day spike pays for itself before it finishes if you're spending more than $10K/month on code-gen. Use the Grok 4.3 number as the anchor in the renewal meeting whether or not you intend to switch. The 2x price cliff above 200K tokens is the catch — model your actual token distribution at p95 before you commit, because most agent loops with full-codebase context will trip it.

The operational read: build the provider abstraction now if you don't have one. Single-provider SDK bindings are technical debt with a fuse. The 45% of practitioners telling pollsters that OpenAI lost default status is not a migration number — it's the survey result that shows up in a postmortem six months later, when the single-vendor binding caused the four-hour incident.

The data layer just closed and your integration roadmap is the thing that got hurt

SAP didn't restrict third-party agents. SAP picked two and blocked everyone else. In the same window it put €1B into Prior Labs to build its own. The architecture is paid for in advance and the pattern is going to spread — Salesforce, Workday, ServiceNow, Oracle inside twelve months is the base case, and reactive replanning will cost a quarter each.

The FactSet repricing is the other half of the same move. An 8% drop on a single product announcement says the market already ran the comparison internally. The premium that vertical SaaS charges for workflow-specific intelligence compresses the moment a horizontal vendor demonstrates the workflow at parity, even if real adoption lags by eighteen months. Pricing power dies before revenue does.

For anyone shipping on top of one of these platforms: the question is whether the product owns proprietary data, owns the approval step that turns a model output into a decision someone will sign, or owns neither. Owning neither is a two-quarter problem. Sierra at $150M ARR and a $15B valuation answered the strategic question — buyers pay roughly 10x more for outcome ownership than for an AI assistant — and the procurement cycle to get there is two quarters of negotiation, not a sprint.

Do the audit this week. Every integration that depends on SAP, Salesforce, ServiceNow, Workday, or Oracle APIs gets classified: endorsed partner, at-risk-of-lockout, or has-a-non-API-fallback. Anything in the second column with engineering work scheduled past Q3 is a candidate to kill before the team spends six more weeks on an API that may be gone by ship date.

Three isolation boundaries failed and the threat model needs to be rewritten, not patched

CopyFail. The Antrea compromise. NVIDIA Rowhammer with IOMMU bypass. Patch CVE-2026-31431 today on every Linux host running Podman, prioritizing CI runners and build hosts. That part is mechanical.

The pattern is the part that matters. Each of these broke a boundary that everyone pointed at when asked how the system was isolated. User namespaces. The scanner running in CI. The IOMMU. Each was assumed sufficient rather than proven sufficient, and researchers had been pushing on those assumptions for a while.

The Antrea attack chain is reproducible against any CI system where pull_request triggers give scanner jobs access to secrets or controllers. Trivy was the foothold, not the target — Grype, Snyk CLI, npm audit, custom SAST all execute attacker-controlled input the same way. If the scanner runs on a credentialed runner, you have a latent RCE in the pipeline. Move scanner execution into ephemeral, credential-less sandboxes with no path to Jenkins, the registry, or the cloud control plane. This sprint, not this quarter.

The Rowhammer disclosure is the one that should reshape multi-tenant GPU planning for anyone running inference on shared A100/H100/GB200 with sensitive prompts or proprietary weights. There is no software mitigation for an IOMMU bypass. Until NVIDIA ships firmware, the only honest control is physical GPU isolation per tenant. That's expensive. It's also the job.

What to do this week

One action from each story, sized to fit a sprint. Patch CopyFail by Friday and move CI scanners to credential-less runners. Run an internal coding eval against GLM-5.1 and bring the Grok 4.3 pricing into your next renewal meeting. Audit every agent integration touching SAP/Salesforce/Workday/ServiceNow/Oracle and identify the one to kill before engineering spends another six weeks on it. Block the Codex Chrome extension via enterprise policy while you write the agent governance policy you don't have yet.

The model is no longer the moat. The data pipe is closing. The boundaries you were relying on for isolation just got smaller. The teams that act on those three sentences this quarter end up with leverage. The teams that wait end up with whatever the platform vendors decide to leave them.