Leader daily

Edition 2026-05-28 · read as Leader

Enterprise AI's Real Cost Is 3–5x What CFOs Budgeted

Sources: 36 · Words: 1,553 · Read: 8 min

Topics: Agentic AI · AI Regulation · AI Capital

◆ The signal

ServiceNow exhausted its annual Anthropic budget by May. In the same quarter, Google, OpenAI, Anthropic, ServiceNow, and Salesforce have all independently converged on Palantir's forward-deployed-engineer model, which puts the true cost of enterprise AI at three to five times the model fees most budgets were built around. The Q3 CFO conversation is not whether the spend is justified. It is whether anyone in the room actually knows what it costs.

◆ INTELLIGENCE MAP

  1.

    Your Defensive Stack Is Now Transparent

    act now

    TrustedSec proved all 5 major EDR products are reverse-engineered by AI in days, not weeks. Simultaneously, CISA added AI infrastructure tools to KEV. PraisonAI was weaponized within 4 hours of disclosure. The defender's response window and the defender's detection architecture both failed in the same week.

    4 hrs exploit window · 7 sources
    Metrics: EDR reverse time, AISI ranges cleared, AI infra KEVs added, LLMjacking attempts/mo
    Chart: EDR Reverse (Before AI) 21 · EDR Reverse (With AI) 3 · Exploit Weaponization 0.17
  2.

    Enterprise AI Cost Governance Has Failed

    act now

    ServiceNow exhausted its full-year Anthropic budget by May. Every major vendor now requires 5-10 forward-deployed engineers at $300-500K loaded each, making true AI deployment cost 3-5x model fees. Anthropic offers no SLAs, no usage telemetry, and had zero comment on customer budget blowouts.

    3-5x true cost vs. model fees · 5 sources
    Metrics: Budget exhausted, FDE loaded cost, FDEs per deployment, Anthropic demand spike
    Chart: Model Fees (Budget) 1 · FDE Layer 2 · True Total Cost 4
  3.

    Execution Layer War: SAP vs ServiceNow

    monitor

    SAP bet on a vertically integrated Knowledge Graph with a €100M fund. ServiceNow adopted MCP as its agent communication standard. Both are rebuilding to be consumed headlessly by AI agents, not humans. The 12-18 month window to decide which platform owns your agent execution layer is open now.

    €100M SAP agent fund · 4 sources
    Metrics: ServiceNow protocol, SAP approach, Bot bypass rate, Agentic token share
    Chart: SAP: Data-Moat Integration 85 · ServiceNow: Open MCP 78
  4.

    AI Liability Regime Being Written Now

    monitor

    a16z published the industry's lobbying blueprint while courts are actively setting precedent on AI developer liability. ODNI and Commerce are fighting for model assessment authority. If developer-liability wins, open-source AI becomes uninsurable. If user-liability wins, incumbents lose their compliance moat.

    $115.5M a16z political spend · 4 sources
    Metrics: Competing frameworks, ODNI vs Commerce, a16z midterm spend, Window to shape
    Chart: Developer Liability 35 · User Liability 30 · Safe Harbor 35
  5.

    Org Design Becomes Competitive Weapon

    background

    Lovable dissolved its growth management layer, replaced it with autonomous parallel contributors, and found the move attracts elite VPs. One operator ships in hours what a cross-functional squad shipped in weeks. Duolingo quantified the counter-risk: blanket AI mandates produce ~20% unusable output.

    90% time on high-value work · 4 sources
    Metrics: Lovable model age, Duolingo slop tax, High-value time (HI-C), US workforce designers
    Chart: Traditional VP (coordination) 30 · HI-C Operator (autonomous) 90

◆ DEEP DIVES

  1.

    Your Defensive Architecture Is Now Transparent — And Your AI Infrastructure Was Never Secured

    Two Failures Arrived in the Same Week

    The week produced two security findings that would each define a bad quarter on their own. Together they retire the operating model most security programs still run on. TrustedSec pointed LLMs at five commercial EDR products and found all five architecturally identical: YARA-style rules, behavioral logic, allowlists, prefilters, Lua-based scripted engines readable after a single decryption pass, and local ML classifiers. Reverse engineering work that used to take a skilled human weeks now takes days. The endpoint detection category has been running on obscurity, and the obscurity is gone.

    The security model assumed the cost of understanding the agent exceeded the value of bypassing it for most adversaries. That assumption no longer holds for a growing share of the threat population.

    In the same window, CISA added five AI infrastructure tools to its Known Exploited Vulnerabilities catalog, including LiteLLM, Ollama, and OpenClaw. These are tools most engineering teams adopted without security review, in the narrow gap between experiment and production that AI tooling closed in roughly two quarters. A Raspberry Pi honeypot configured as an AI stack was indexed by Shodan in 3 hours and absorbed 113,000 attacks per month, with 23% of traffic aimed at AI-specific endpoints.


    The Response Window Has Collapsed

    PraisonAI was weaponized within 4 hours of disclosure. An 18-year-old RCE in NGINX sat undisturbed across most of the web. Traefik shipped a CVSS 10.0 authentication bypass. Argo CD allows plaintext Kubernetes secret extraction at CVSS 9.6. Stack those disclosures against the same remediation teams, change windows, and testing capacity, and any organization on a quarterly patch cadence is operating with permanent known exposure.

    Microsoft's MDASH system found 16 exploitable flaws in a single Patch Tuesday cycle using multi-model AI analysis. That capability, or its functional equivalent, reaches adversaries within 12-18 months. The UK AISI confirms AI cyber task completion is doubling every few months, and Anthropic's Mythos became the first model to clear both simulated attack ranges. Congress is routing Mythos access through NSA rather than CISA, which is the clearest available signal about which use case the government treats as primary.


    The Foxconn Proof Point

    Nitrogen ransomware exfiltrated 8TB of confidential designs from Apple, Google, Intel, and Nvidia through a single contract manufacturer. The concentration of AI infrastructure work at a small number of assembly partners produces concentration of intellectual property, which produces concentration of target value. Supply chain data custody is now a first-class security surface, not a procurement annex.

    What Changed Since Tuesday's Coverage

    Tuesday's briefing argued that offensive capability was arriving. The finding this week is that defensive capability simultaneously failed. The endpoint agents are hollow. The AI infrastructure underneath them went into production without controls, and exploit windows are now compressed below most patch cadences. A reasonable skeptic will note that any single finding could be reversed by a vendor patch or a process change. The skeptic is right about any one of them. The point is that all of them landed at once, against the same teams, in the same week, which is what turns this from a patching problem into an architecture decision.

    Action items

    • Commission red team exercise targeting your EDR specifically with AI-assisted reverse engineering — TrustedSec's methodology is public
    • Run an emergency audit of all AI infrastructure tooling (LiteLLM, Ollama, model registries, AI gateways) adopted by engineering teams without security review
    • Compress patch SLA for critical internet-facing assets from 30-day to 72-hour maximum
    • Evaluate kernel-level isolation (Firecracker microVMs, gVisor) for CI/CD and multi-tenant workloads

    Sources: Clint Gibler · The Information AM · CyberScoop · The Hacker News · SANS AtRisk · TLDR InfoSec

  2.

    The AI Budget Just Tripled: What Enterprise Deployment Actually Costs

    ServiceNow Is the Canary

    ServiceNow's CDIO went public with the fact that the company exhausted its full-year Anthropic budget by May. Anthropic's response was no SLAs, no usage telemetry, no comment. A reasonable skeptic would call this a procurement story, not an industry story. The reasonable skeptic is wrong on the scale. A $150B enterprise software vendor is discovering in real time that its primary AI provider has no enterprise-grade cost controls, no committed pricing tiers, and no way for the buyer to know what is being spent until the invoice lands.

    ServiceNow is already building the workaround — an AI Control Tower — and selling it to other enterprises. That is the market routing around a vendor deficiency in real time. The company that becomes the Datadog for AI spend will be worth tens of billions.

    We are in the equivalent of cloud computing circa 2014: powerful capabilities, wildly unpredictable economics, and a governance vacuum that creates real financial exposure.

    The Forward-Deployed Engineer Tax Nobody Budgeted

    Every major AI vendor converged on the same admission this quarter:

    • Google: hiring hundreds of forward-deployed engineers
    • OpenAI: acquired a 150-person consulting firm and partnered with Bain Capital
    • Anthropic: building FDE teams at scale
    • ServiceNow & Salesforce: building FDE teams for AI integration

    At $300-500K loaded cost per FDE, with five to ten required for a meaningful deployment, the true cost of an AI program runs 3-5x the model fees. Boards approving AI envelopes based on token pricing are approving one-third of the actual spend. The other two-thirds will arrive on a different line item, owned by a different executive, and reconciled later.


    The 80x Demand Spike and What It Means for Reliability

    Anthropic admitted it grew 80x against a planned 10x. That means it operated at roughly twelve percent of required capacity for extended periods. Developers experienced degraded service, rate limits, and possibly lower-quality responses without disclosure. The productivity gains measured during that window are almost certainly understated against what adequate provisioning would have delivered.

    The xAI disclosure compounds the picture. Leasing 45% of its compute (220,000 GPUs) to Anthropic says GPU supply has become a financial instrument, not a strategic moat. Grok never achieved meaningful traction, and the lease revenue exceeds what those GPUs would generate running inference for xAI's own customers. The most valuable thing xAI owns is the asset it is renting out.

    The FOMO Fragility

    Companies are spending beyond budget because a competitor might figure out the economics first. That is classic bubble psychology, and we have flagged it before. The saving grace, which is also the risk, is that AI spend is uniquely reversible. Token consumption can be cut to zero overnight. The enterprise AI revenue base carries a fragility that is not priced into model-company valuations at $900B.

    Action items

    • Conduct immediate audit of all AI model consumption spend vs. budget with per-team and per-use-case attribution
    • Renegotiate AI vendor contracts to require SLAs, committed pricing tiers, and usage telemetry by Q3 renewal
    • Model total AI deployment cost at 3-5x model fees and present revised envelope to board before Q4 budgeting
    • Evaluate AI cost governance tooling (ServiceNow AI Control Tower, Kubecost equivalents) for build-vs-buy decision

    Sources: Laura Bratton · The Pragmatic Engineer · AINews · StrictlyVC · The Information AM · Martin Peers

  3.

    The Execution Layer Fork: SAP vs ServiceNow Forces a This-Quarter Architecture Decision

    Two Incompatible Theories of the Agent Economy

    SAP and ServiceNow have finally said out loud what their architectures have implied for a year. The bets are not variations on a theme. They are different theories of where authoritative state should live when software starts taking actions on its own.

    | Dimension | SAP | ServiceNow |
    | Architecture | Vertically integrated Knowledge Graph | Headless Action Fabric via MCP |
    | Agent strategy | SAP's agents are contextually superior inside SAP's data universe | Any agent talks to ServiceNow via open protocol |
    | Investment | €100M fund + Autonomous Enterprise | MCP servers as communication standard |
    | Pricing model | Workflow execution value | Consumption-based on agent API calls |
    | Best for | Process IS the transaction (order-to-cash, record-to-report) | Process IS the workflow across systems (connective tissue) |

    Agents that act across finance, HR, IT, and procurement need one authoritative place to reconcile state. Two authoritative places is zero authoritative places.

    Why 'Run Both' No Longer Works

    A reasonable skeptic would point out that large customers have run both SAP and ServiceNow side by side for two decades. The skeptic is historically correct. What changes is that agents need to commit writes. A dashboard can tolerate ambiguity between two systems of record. An agent executing a chain of decisions across finance, procurement, and HR cannot. The integration middleware of the last decade was a way of postponing the question. The question is now being asked.

    The a16z framing makes the stakes concrete. $150B+ of GTM value is migrating from CRM to the AI orchestration layer. The vendor that owns execution captures the compounding. The vendor relegated to integration watches the margin walk away. Lemkin's number is the early read on what that migration looks like in a contract: 80% fewer seats, 83% higher total spend, 20+ agents running. Consumption pricing is not a future thesis. It is already accretive, in the field, this year.


    The 81% Signal

    81% of AI agents successfully bypass legacy bot detection. Every WAF, CAPTCHA, and rate-limiting system built to flag automated traffic is now ineffective against LLM-driven agents. The defensive implication is that the current security stack assumes adversaries behave like bots and they no longer do. The strategic implication is more interesting. The vendors that solve agent-era detection will take meaningful share, and the platforms that own agent identity and authentication become the control point the next decade is fought over.

    The 12-18 Month Window

    Startups are shipping agentic fabric faster than SAP and ServiceNow. That window is probably 18-24 months before the incumbents' API-first AI offerings mature enough to recapture orchestration. The decision being made this quarter, about which platform owns agent execution, is the decision that determines who has leverage in the quarter the incumbents catch up.

    Action items

    • Conduct agent-readiness audit: can third-party AI agents discover, invoke, and orchestrate your workflows without a human UI?
    • Evaluate MCP adoption as a strategic investment for your platform — build or integrate MCP server capabilities by Q4
    • Stand up AI governance function with authority over tool/vendor rationalization before Q3 budgeting
    • Model per-action/per-outcome pricing on your revenue if agents replace human seat consumption within 18 months

    Sources: TLDR IT · a16z · TLDR · Simplifying AI · ben's bites

◆ QUICK HITS

  • Update: Anthropic ARR hit $30B (from $9B four months prior), now raising at $900B+ — surpassing OpenAI's $854B March valuation for the first time

    StrictlyVC

  • Update: Cerebras IPO priced at $56B (16% above range), up 70% day one — anchored by $20B OpenAI procurement commitment that signals compute is being pre-sold in blocks of $10B+

    Katie Roof

  • xAI leasing 220,000 GPUs (45% of Colossus 1) to Anthropic — Musk's lab conceding the frontier race and financializing excess infrastructure

    The Pragmatic Engineer

  • Apple positioning as AI agent gatekeeper pre-WWDC: agents that 'spin up smaller apps' face safety review and 30% fee extraction — your iOS agent roadmap needs repricing

    Techpresso

  • a16z AI liability blueprint proposes user-liability defaults and damages caps while deploying $115.5M into 2026 midterms — the regulatory framework is being purchased, not debated

    a16z AI Policy Brief

  • Fervo Energy IPO at $10B+ with 33% first-day pop; Google holds option for 3GW (~60 data centers) from a single geothermal supplier

    StrictlyVC

  • Duolingo quantified the 'AI mandate' failure: ~20% of AI-generated output is unusable slop, forcing reversal from blanket adoption to role-specific augmentation

    TLDR Marketing

  • 85% of organizations spending millions on agentic AI lack adequate data foundations — and 95.2% of the gap is organizational (ownership, training, requirements), not tooling

    TLDR Data

  • Foxconn breach: 8TB exfiltrated including confidential designs from Apple, Google, Intel, Nvidia — contract manufacturing IP custody now a first-class board risk

    TLDR InfoSec

  • ODNI vs Commerce fight over AI model assessment authority will resolve in quarters — IC-led regime means pre-release gating; Commerce-led means voluntary disclosure. Plan for both.

    Risky.Biz

◆ Bottom line

The take.

Your security architecture was proven hollow the same week your AI budget was proven uncontrolled. TrustedSec showed all five major EDR products are transparent to AI-assisted reverse engineering in days; ServiceNow showed a $150B enterprise company can blow its entire annual AI budget by May with no telemetry to explain why. Meanwhile, SAP and ServiceNow are making incompatible bets on who owns the agent execution layer — a decision that determines your platform economics for the next three years. The common thread: assumptions written into last year's plans no longer describe the ground, and the organizations that discover this through failure rather than through audit will pay the difference in public.

— Promit, reading as Leader

Frequently asked

Why does enterprise AI actually cost 3-5x the model fees?
Because every major AI vendor — Google, OpenAI, Anthropic, ServiceNow, and Salesforce — now requires forward-deployed engineers to make deployments work. At $300-500K loaded cost per FDE, with five to ten needed per meaningful deployment, the human integration layer dwarfs token spend. Boards approving AI envelopes based on model pricing are funding roughly one-third of the actual program cost.

What should a CFO ask before approving Q3 AI spend?
Ask for per-team and per-use-case attribution of current model consumption, the FDE headcount assumed in the deployment plan, and whether the contract includes SLAs, committed pricing tiers, and usage telemetry. If any of those answers is missing, the budget is not a budget — it is an estimate that will be reconciled after the invoice arrives.

Why is ServiceNow's budget blowout an industry signal rather than a procurement failure?
Because ServiceNow is a $150B enterprise software vendor with mature procurement, and it still exhausted its annual Anthropic budget by May with no usage telemetry to see it coming. Anthropic offers no SLAs, no committed tiers, and no real-time cost visibility to any customer. If ServiceNow cannot govern this spend, smaller enterprises on the same provider are 3-6 months behind the same outcome.

How much leverage do enterprise buyers have right now in AI vendor negotiations?
More than they will have in twelve months. Anthropic grew 80x against a planned 10x and needs enterprise logos ahead of an IPO, which means the subsidy window for committed pricing, SLAs, and telemetry concessions is open now. Renewals negotiated in Q3 will set the terms for the next two years; renewals deferred will be negotiated from a weaker position.

Is there a market opportunity emerging from this cost-control gap?
Yes — ServiceNow is already building an AI Control Tower and selling it externally, and the broader 'Datadog for AI spend' category is forming this quarter. Enterprises face a build-versus-buy decision on AI cost governance tooling, and identifying the category winner early matters because the control point for AI economics will sit wherever attribution, telemetry, and chargeback consolidate.
