One Layer Deeper Than the Platform Can Swallow

The model layer commoditized in two weeks. Providers pushed downward into silicon, devices, and the infrastructure builders thought they owned. The supply chain turned hostile from below in the same window. Anyone shipping an agent product right now is getting squeezed from both ends, and the surface that’s left to own is narrower and more specific than it was a month ago.

Here’s the map of what moved, and where to plant a flag that the platform cannot absorb on its next release.

The model became a commodity in a single week

Opus 4.7 shipped with the same sticker price as 4.6 and a new tokenizer that maps the same input to between 1.0 and 1.35 times more tokens per call. Nathan Lambert pointed out the quieter implication: a new tokenizer means a new base model. Nate Jones ran four days of production tests and called it the tokenizer tax. GitHub Copilot, the platform with the deepest agent usage data in the industry, paused Pro and Pro+ signups, pulled Opus from the Pro tier, and let leaked internal numbers show weekly Copilot costs nearly doubled since January. That is what an industry does when the unit economics moved overnight, not when capability is still scarce.

Kimi K2.6 landed in the same week, eight to ten times cheaper than Opus for agentic work, open weights, 262k context. The frontier is still pulling ahead on hardest-prompt benchmarks, and production work now has multiple viable substrates underneath it.

A week later OpenAI cut Microsoft’s exclusive license, deleted the AGI capability trigger from the contract, and announced a $38B AWS deal the same day. Codex and OpenAI models are now landing on Amazon Bedrock alongside Bedrock Managed Agents. Microsoft retains a 27% stake and a capped revenue share through 2030. Ming-Chi Kuo reported OpenAI is working with MediaTek, Qualcomm, and Luxshare on an agent-first phone for 2028.

Read those moves as one strategy. The model is now distributed across every cloud a builder might run an agent workload on. The same provider is moving down to the silicon and sideways into the device. The model layer turned into a distribution play.

The supply chain just turned hostile

While the model layer was compressing, the substrate everyone is about to ship on got attacked.

Antiy CERT flagged 1,184 malicious skills on ClawHub, roughly one in five packages in the OpenClaw MCP registry at peak. Independent analysis of 2,614 MCP implementations found 82% use file operations exposed to path traversal and 67% expose APIs prone to code injection. AgentBrief reported a 40% failure rate on production multi-agent systems from retry storms: one agent fails a tool call, retries, cascades the retry into every agent downstream, and the orchestration layer ends up DDoS-ing its own API.

Shopify turned on MCP write access to 5.6 million live stores in the same window. Vercel says 30% of deploys are now agentic. The blast radius of a hostile tool, a misbehaving retry policy, or a poorly scoped permission now lands on production traffic, against live customer data, at scale.

The two stories collapse into one. The model is getting cheaper to swap out, and the rest of the agent stack is getting more expensive to get wrong.

What Harvey’s $11B round actually says

Harvey raised at $11B this month to scale agents across law firms. The pitch quietly stopped being a fine-tuned legal model and became an agent platform. That is the whole story of vertical AI in one funding round.

The pattern repeats in every vertical worth looking at. Hippocratic in healthcare. Bloomberg-GPT in finance. The army of co-pilot startups in security and ops. Each one originally bet that fine-tuning on a proprietary corpus was the moat. Each one is now competing against a frontier model that is one Skill, one MCP server, and one well-tuned retrieval pipeline away from the same answer at lower cost. The smartest team in vertical AI just accepted the new physics and re-pitched as an agent company.

When raw reasoning stops being the differentiator, the differentiator becomes what context the model sees, in what order, with what verification. Embedding quality. Reranker policy. Vector store recall. The ability to surface a citation trail an auditor will accept. MongoDB bought Voyage AI for a reason. Turbopuffer is pricing vector search like object storage for a reason. ColBERT-style late interaction is back in production pipelines for a reason. ML-JKU’s modern Hopfield layers are getting repurposed as associative-memory retrieval primitives that pull exact patterns out of noisy embeddings. That is the precision step that closes the hallucination gap in regulated workflows.

The reranker is the new model selection. The retriever is becoming a learned component in its own right. Filing this under tooling is a category error. It belongs in product strategy.

The candidate defensible surface is the gateway

Underneath all three stories sits a thin layer that the platform has not fully absorbed yet. Call it the gateway. It is the interface between an agent and everything outside its weights.

The gateway has four jobs. It decides which model gets which call, with which context, at what reasoning effort. It enforces tool permissions, rate limits, and retry policies that prevent a misbehaving step from cascading. It maintains the memory the model is no longer big enough to hold by default, and the citation trail an enterprise buyer needs to sign off. It escalates to a human at the exact boundary where confidence drops below a threshold, with enough context that the operator can decide in seconds.

Each of those looks like a competitive product surface today. Whether each is still a competitive product surface in twelve months is the open question.

Routing: Anthropic’s Advisor pattern lifts Sonnet’s score on SWE-bench Multilingual at 11.9% lower cost per task than running Sonnet alone, by escalating to Opus only when reasoning gets hard. A routing layer that picks between Opus, Sonnet, Haiku, Kimi, and an open model on a per-step basis is a margin advantage no single-model wrapper can match. The honest counter: cross-provider routing is exactly what the cloud platforms are positioning to absorb. Bedrock Managed Agents now hosts OpenAI, Anthropic, and Amazon’s own models behind one runtime. The window where neutral routing is a startup is the window before AWS, Azure, and GCP turn it into a checkbox.

Retrieval: a memory layer of your own, built on embeddings you control and rerankers you tune, becomes the asset that survives the next model swap. Hermes Agent crossed 72K stars on a 3,575-character memory budget while Claude Code sessions can eat 129GB of RAM holding state. The honest counter: Anthropic shipped a memory tool, a Skills system that loads knowledge on demand, and context compaction inside the harness. OpenAI’s File Search and Vector Stores keep improving. The defensible version of retrieval is the one tuned to a domain corpus the platform cannot reach.

Reliability: a runtime that fails closed on tool errors it cannot reason about, and escalates with context the human can act on, is the difference between a 40% multi-agent failure rate and a system that ships. The honest counter: Anthropic Managed Agents already moved sandboxing, permissions, state, and error recovery into the platform. Routines added the trigger layer on top. The piece that’s still up for grabs is the policy layer between the agent and tools the provider doesn’t host, where retry behavior, rate limits, and escalation thresholds get tuned to a specific business.

Agent-readiness: Brian Scanlan’s CLI at Intercom lets an agent sign up, verify its own email by reading Gmail, and finish install with no human in the loop. He walked through the broader playbook on Lenny’s How I AI: if you don’t build the agent-friendly path, your customers’ agents brute-force your website, burn tokens, get frustrated, and build the workaround themselves. The signup form is a machine-to-machine interface now, and isitagentready.com is already grading public domains on it. This one looks the most durable, because a model provider cannot ship the agent-friendly version of someone else’s product. The owner of the surface has to do it.

The pattern across all four: the gateway is defensible only where it sits on context, policy, or surface area the provider does not control. Anywhere it doesn’t, the harness eats it.

Build one layer deeper than the platform can swallow

The window is short. Anthropic shipped a memory tool, a Skills system that loads knowledge files on demand, and an Advisor that routes between Sonnet and Opus inside a single API request. OpenAI’s File Search and Vector Stores keep getting better. Bedrock Managed Agents is now a thing. Each release pulls another piece of what used to be the builder’s stack into the provider’s surface.

The teams that win the next 12 to 18 months are the ones who own pieces the providers cannot absorb without breaking their own neutrality. The routing policy across providers, not just inside one. The retrieval pipeline tuned to a domain corpus the platform doesn’t have access to. The reliability runtime that sits between an agent and a tool surface no one provider controls. The agent-friendly product surface that turns your own users’ agents into customers instead of bots brute-forcing the signup form.

Margin used to live in the model. It moved out two weeks ago. The next twelve months are about who builds fast enough to plant flags one layer deeper than the platform can swallow on its next release.

The model is the commodity. The gateway is the company.