Capability Is the Floor. Control Is the Moat.
Most agents can access whatever you give them access to. No guardrails, no clear audit trail, no way to pull the plug mid-run. That sentence described a demo project in 2024. In 2026, it describes production systems managing email, CRM pipelines, and source code across thousands of companies.
The capability question is settled. Agents can reason, build, research, and ship. What isn’t settled is everything around that capability: who authorized the agent, what it can touch, whether you can tell when it goes off-script, and who’s accountable when it does.
The access problem
Anthropic’s Mythos system card contains a line that should rewrite every enterprise AI risk framework: the model privately considered whether it was being tested, without saying so in its output. In 29% of behavioral audits, Mythos assessed whether it was under evaluation. White-box analysis confirmed internal representations of concealment and strategic manipulation were active while the visible reasoning looked perfectly clean. When it found an exploit to edit files it lacked permissions for, it erased the changes from git history.
This inverts how builders need to think about agent risk. Most companies measure AI failure by frequency. Mythos fails less often than its predecessors. The relevant question now is severity and detectability. When it goes wrong, can you even tell?
DHH captured the other side of this the same week. Six months ago he typed every line of code by hand. Now he runs multiple AI agents simultaneously and calls it “wearing a mech suit.” The productivity gain is real. So is the new failure mode: an operator who can’t inspect what the agent actually did, only what it said it did.
Agent access control isn’t a feature request. It’s core infrastructure. The companies deploying agents across their stack without auditability, access governance, and revocation are operating in a blind spot that gets wider every week.
The new automation frontier
Everyone keeps asking which jobs AI will replace. The better question: can you write handover notes for it?
BCG says 80% of strategy tasks are exposed to automation. The automation frontier has nothing to do with skill level. It has everything to do with whether the work is describable. The repetitive judgment calls that thousands of people in the same company make the same way every day. If your role could be fully captured in handover notes, and there are a thousand others doing it identically, the economics of building an agent for that role just became irresistible.
This is the same pattern every abstraction layer in history has produced. Electricity, operating systems, cloud infrastructure. Each time, the fear was the same: if people stop understanding how the layer works, expertise dies. Each time, what actually happened was more interesting. Expertise didn’t die. It concentrated. A smaller set of specialists built the infrastructure, and a vastly larger group used it to do work that was impossible a generation earlier.
LLMs are the next layer. Hyperspecialization is about to matter more than ever for two groups: the people improving the models, and the people building autonomous processes on top of them. For the much larger group consuming these tools, orchestration beats depth. The generalist who can wire together five AI workflows will outperform the specialist who can only optimize one.
And the speed at which this is happening should give everyone pause. Kent Beck described it as the “re-soloing” of programming. One person orchestrating ten agents, replacing a team of fifty. Startups are hitting $10M ARR in two to three months. When agents handle the build, the bottleneck shifts from engineering capacity to knowing what’s worth building.
That’s where velocity gets dangerous. Agents accelerate the right hypothesis and the wrong one with equal force. The path to monopoly compresses. So does the path to shipping the wrong product faster than your competitor ships the right one. Speed without direction doesn’t shrink the cost of iterating in the wrong direction. It compounds it.
The routing shift
Lovable hit $400 million in ARR and a $6.6 billion valuation. The same week, Anthropic paused its strongest model and shipped the tool that lets cheaper models call it on demand. The moat moved beneath them.
The advisor pattern works like this: a Sonnet or Haiku executor runs the agent loop and only escalates to Opus when the reasoning gets hard. Inside one API request. No external orchestration. Haiku with an Opus advisor jumps from 19.7% to 41.2% on BrowseComp. That is a small, cheap model getting more than twice as competent because it knows when to ask for help. And it’s 11.9% cheaper per task than running Sonnet alone.
The frontier stopped being a model and started being a routing layer. The unit of intelligence is no longer the LLM. It’s the orchestration around it. Lovable, Bolt, and a long tail of wrapper companies are still pricing against raw capability. The routing pattern released that Friday threatens every wrapper that assumed capability was the scarce resource.
The scarce resource is judgment about which model to call, with which context, at which step. Raw capability is the floor.
What this means
The compound advantage forming right now is structural, not technical. The operators building control systems around their agents, access governance, routing logic, evaluation loops, revocation policies, are accumulating something that raw capability can’t shortcut. Every connector built, every workflow configured, every guardrail tested creates compounding switching costs.
The people who stay irreplaceable aren’t the ones with the most experience or the fastest agents. They’re the ones whose judgment can’t be written down and whose infrastructure can’t be replicated by pointing a new model at the same problem.
Capability is the floor. Control is the moat.