Mark’s Musings

  • The CFO Who Can’t Measure AI Is About to Become the CFO Who Can’t Raise

    The CFO Who Can’t Measure AI Is About to Become the CFO Who Can’t Raise

    When a $60 billion AI coding platform starts a CFO council, the signal is not subtle.

    Cursor — the AI coding company SpaceX has agreed to buy — just launched a working group of finance leaders to answer one question: how do you keep AI spend tied to value? That is not a product marketing stunt. It is the market admitting that “return on intelligence” has left the innovation lab and landed on the CFO’s desk.

    And if you are a PE-facing CFO who still treats AI as an IT experiment with a cute pilot budget, you are already late.

    The board is no longer asking “are we using AI?”

    They are asking the harder question: what is the return?

    Cursor’s own framing is blunt. AI spend is shifting from experimental pilots into a major recurring operating expense. McKinsey’s numbers make the gap obvious: most organisations have deployed AI somewhere, but only a minority can trace it to enterprise-level EBIT impact. That is the CFO’s problem in one sentence — high adoption, weak attribution.

    BCG’s token-cost work is even more direct: token costs are attracting CEO and board-level attention, and CFOs need answers when those questions start. This is no longer “can the model write a draft email?” It is “why did our model bill triple, and what operating leverage did we buy with it?”

    Boards do not fund vibes forever. They fund measurable capacity.

    Why PE will force this earlier than corporate

    In private equity, the conversation compresses.

    LPs want cleaner, faster, more machine-readable portfolio data. Operating partners want cycle-time compression, not another slide deck about “AI enablement.” And portfolio company CFOs are being asked, often mid-hold period, to show that AI is either:

    • cutting cost-to-serve,
    • shortening close / reporting cycles,
    • improving cash conversion, or
    • raising the quality of decisions under pressure.

    If your answer is “we’re experimenting,” you sound ornamental. In a PE board pack, ornamental dies quietly.

    The firms that win will treat AI less like a side project and more like a capital allocation problem: what is the unit cost of intelligence, where does it create EBITDA, and what do we stop funding if it doesn’t?

    Return on intelligence is a finance discipline, not a tech slogan

    Cursor’s council is aiming at the right missing layer: shared benchmarks for AI productivity, frameworks for measuring returns, and practical approaches to model allocation and cost management. That is classic CFO work dressed in new language.

    The practical version looks like this:

    • Define the unit of work. Not “AI usage.” Actual output: closed tickets, reviewed contracts, reconciled exceptions, forecast cycles, board packs produced, cash applications cleared.
    • Measure cost per accepted unit. Tokens are inputs. Accepted work is the output. If you only track spend, you are budgeting a furnace, not a factory.
    • Separate leverage from theatre. A tiny cohort of power users often creates most of the value. That concentration is a management problem, not a model problem.
    • Route work deliberately. Cheap models for routine extraction. Stronger models for high-stakes judgement. Unrouted “everyone uses the top model” is how token bills become board items.
    • Put AI in the operating rhythm. If it only lives in a pilot Slack channel, it will never show up in free cash flow.

    This is not anti-AI. It is anti-unmeasured AI.

    The CFO who can’t measure AI will struggle to raise

    In PE, capital is allocated on credibility. Credibility is the ability to explain what changed the numbers.

    So when a sponsor asks “what did AI do for this business?”, the weak answer is activity:

    • we rolled out copilots,
    • we ran workshops,
    • we have 40 use cases in the backlog.

    The strong answer is economic:

    • close cycle down from X to Y days,
    • cost per invoice exception down Z%,
    • forecast reforecast latency cut by half,
    • gross margin lift from better pricing/support triage,
    • token cost per accepted unit of work under control and declining.

    One of those lists gets you the next round of investment. The other gets you a polite nod and a smaller mandate.

    That is the real risk. Not that AI fails. That AI succeeds somewhere in the organisation while finance still cannot price, govern, or defend it. In that world, the CIO owns the tools and the CFO owns the blame when the bill arrives.

    What good looks like in a portfolio company

    If I were walking into a PE-backed finance function this quarter, I would not start with a model beauty contest. I would start with four controls:

    1. AI P&L visibility. Token/API cost by team, workflow, and vendor. No more “software misc.”
    2. Value hypotheses per workflow. Before scale-up: baseline metric, expected delta, owner, kill criteria.
    3. Routing rules. Which work gets which model, and who can override.
    4. Board language. One page: spend, output, unit economics, risks, next capital ask.

    That is enough to turn “we use AI” into “we run intelligence as an operating system with a cost of capital.”

    And yes — some initiatives will fail. Good. Failed experiments with clear kill criteria are cheaper than indefinite pilots with no owner.

    The quiet transfer of power

    For a decade, finance absorbed digital transformation after the fact: clean up the data, explain the variance, retrofit the controls. AI is different because the spend line is rising fast enough, and uneven enough, that boards will not wait for a post-implementation review.

    Cursor building a CFO council is confirmation, not novelty. The frontier companies already know the bottleneck is no longer model capability. It is economic discipline.

    So the question for CFOs — especially those in PE-backed businesses — is no longer whether AI belongs in the stack. It is whether you can sit in a board meeting and defend the return on intelligence without hand-waving.

    If you can’t, someone else will. And they will own the budget that used to be yours.

    Mark Hendy is a PE-facing CFO who works through Tanous. He writes about finance leadership where AI, capital allocation, and operating reality collide.

  • The CFO Case for Local AI

    The CFO Case for Local AI

    CFOs already understand concentration risk. We just usually apply it to banks, customers, and supply chains — not to the intelligence layer now writing board packs, cash forecasts, and diligence notes.

    If half your finance workflow depends on a model you do not host, do not control, and cannot audit end to end, you have built a single point of failure into the operating system of the business. That is not an IT preference. It is a governance decision. And boards should treat it as one.

    The Dependency Problem

    Cloud AI is extraordinary. It is also leased. You rent capability by the token, subject to vendor policy, pricing power, outages, and political weather.

    In June 2026 the US Commerce Department put export controls on Anthropic’s frontier models, and access was switched off globally overnight while the company worked out how to comply. The controls were later lifted after new safeguards. The point is not the politics. The point is the switch. One policy decision, and a production capability disappeared.

    A fortnight later, OpenAI previewed GPT-5.6 to a limited set of “trusted partners” first, explicitly at government request under a voluntary pre-release review framework. OpenAI said it did not want that model of access to become the long-term default. Fair enough. But enterprises now have a live example of frontier intelligence arriving through a gate, not a pipe.

    Then the market did what markets do: it routed around the constraint. Orchestration layers and open-weight alternatives appeared fast — Sakana’s Fugu among them — because capability that can be withheld will always attract substitutes.

    None of this requires a conspiracy theory. It requires a CFO’s instinct: if a critical input can be gated, censored, repriced, or reversed by someone outside your control, you should not build the entire house on it.

    Cost, Latency, Confidentiality

    Run the ledger properly.

    Cost first. Public API pricing looks cheap until usage compounds. Board packs, monthly closes, covenant models, contract review, management accounts commentary, buyer Q&A — token volume scales with ambition. Cloud spend is opex with a vendor’s hand on the dial. Local inference has capex and energy cost, but the marginal cost of the next confidential memo is near zero once the box is paid for. That changes the unit economics of “use AI everywhere.”

    Latency second. Interactive finance work hates round trips. Cash models, scenario trees, and live diligence chats feel different when the model sits on your network rather than three jurisdictions away. Speed is not vanity. It is whether people actually use the tool under pressure.

    Confidentiality third — and this is the one boards understand immediately. Sending draft SPAs, customer concentration analyses, working capital bridges, or management presentations to someone else’s model is a data-processing decision. Even with enterprise contracts, retention policies, and “we don’t train on your data” promises, you have expanded the attack surface and the counterparty list. For sensitive M&A work and PE portfolio reporting, that is not a technical footnote. It is risk acceptance.

    Encryption, access control, and data residency are not lifestyle choices for finance teams. They are controls. Local or private deployment puts those controls back under your policy, not a vendor’s product roadmap.

    What “Local” Actually Means

    Local does not mean a dusty server under the FD’s desk and a vow of technological poverty.

    It means a spectrum:

    • On-prem or colo hardware running open-weight models for high-sensitivity workloads.

    • Private cloud tenancy where you control the network boundary and keys.

    • Hybrid: public frontier models for low-sensitivity drafting; local models for cash, people, contracts, and deal data.

    • Open weights where the model parameters are yours to run, pin, and version — not a black-box endpoint that can change behaviour between Mondays.

    The mature pattern is the same one we used for banking systems and ERP: classify the data, then choose the environment. Public web search and generic writing can stay in the cloud. Anything that would hurt if it leaked — or freeze the close if it vanished — should have a home you control.

    You do not need the absolute best model for every task. You need a good enough model that is available, private, and accountable when the board pack is due at 7am.

    The PE Angle

    Private equity should care more than most.

    Portfolio companies are already wiring AI into forecast packs, pricing tools, collections, and customer support. That creates three diligence questions buyers will eventually ask:

    Where does the intelligence run? What happens if the vendor changes terms, price, or access? How much of the “AI-enabled” value creation is transferable at exit?

    Vendor lock-in used to mean ERP and CRM. It now includes model dependency. If a company’s operating edge is a prompt library glued to one closed API, the exit story is thinner than it looks. If the same company can run core finance workflows on owned infrastructure with portable open weights, the capability survives a change of control.

    There is also a portfolio resilience angle. One policy shock or regional outage should not simultaneously degrade reporting quality across twelve companies because they all rented the same brain. Concentration risk is concentration risk, whether the asset is a bank facility or an inference endpoint.

    For GPs and operating partners, local AI is not a gadget budget line. It is part of exit readiness, cyber diligence, and operational independence.

    Practical Starting Steps for a Finance Leader

    Skip the manifesto. Do this:

    1. Map the workflows, not the hype.

    List where AI already touches finance: board packs, commentary, covenant testing, invoice capture, contract review, data-room Q&A, FP&A scenarios. Rank each by confidentiality and operational criticality.

    2. Draw a hard line.

    Anything involving deal data, payroll, customer-level margin, unpublished results, or lender packs defaults to private or local processing unless there is a documented exception.

    3. Pilot one high-value, high-sensitivity use case.

    Local review of contracts. Private drafting of management accounts narrative from internal numbers. On-network Q&A over a diligence folder. Prove cycle-time and control benefits on something the board cares about.

    4. Measure like a CFO.

    Track cost per pack, hours saved, rework rate, incidents, and whether the process still works when the public API is slow or unavailable. If it only works on a perfect internet day, it is not production.

    5. Separate “assistant” from “system of record.”

    Models draft. Ledgers, workpapers, and approvals remain controlled systems with audit trails. Do not confuse fluency with authority.

    6. Demand architecture options from vendors and internal IT.

    “We use ChatGPT” is not a strategy. Ask for data flow diagrams, retention, key custody, fallback models, and an exit plan. If nobody can answer, you already know the risk posture.

    Control the Controllables

    You cannot control Washington’s export calendar, a lab’s safety incident, a vendor’s price sheet, or the next voluntary “trusted partner” gate. You can control where your sensitive numbers go, which systems are load-bearing, and how badly a third-party outage damages the close.

    Cloud AI will remain useful. Frontier models will remain impressive. Use them where the data is dull and the upside is speed. For the work that defines enterprise value — forecasts, cash, contracts, diligence, board decisions — ownership of the intelligence layer is becoming as important as ownership of the general ledger.

    The finance function’s job has always been to keep the business solvent, informed, and free to act. Depending entirely on rented cognition works against all three.

    Local AI is not nostalgia for servers. It is the boring, adult version of resilience: keep the critical path under your own keys.

  • The Gate Came Down Again: GPT-5.6 Goes Public and the Pattern Holds

    The Gate Came Down Again: GPT-5.6 Goes Public and the Pattern Holds

    Four days ago I wrote that the Fable 5 reversal wasn’t the story — the switch was. One signature darkened the world’s best model for nineteen days; another switched it back on, but only after the market had already routed around the damage. I flagged a second data point in that piece almost in passing: OpenAI had released GPT-5.6 as a government-gated preview, available to “trusted partners” only, at the explicit request of Washington. I called it the new shape of the pipeline. This week, that loop closed too.

    The Gate Came Down on Schedule

    OpenAI has confirmed that GPT-5.6 — Sol, Terra and Luna — launches publicly this Thursday, 9 July, with global preview access expanding now. The announcement lands roughly two weeks after the preview was first locked to a hand-picked list of partners under the government’s pre-release “voluntary framework.” The most capable model OpenAI has shipped goes from Washington-approved keyholders to the open market in the space of a fortnight.

    If that arc feels familiar, it should. It is the Fable 5 sequence again, run a second time in a single month: access restricted for policy reasons, then quietly widened once the restriction stopped being tenable. Two frontier labs, two gates, two reopenings — inside four weeks.

    Two Reversals Are Not Reassurance

    The comfortable reading is that the system is self-correcting. Models get gated, concerns get aired, models get released — no harm done. But a CFO doesn’t underwrite continuity on the assumption that the gate always reopens. He asks who controls the gate, and on what timeline.

    Here’s what both episodes actually establish: the frontier now routinely passes through a government checkpoint before it reaches you, and the duration of that checkpoint is entirely discretionary. Fable 5 spent nineteen days behind it. GPT-5.6 spent about fourteen. The next model might spend a day, or a quarter, or arrive gated the week you’re mid-integration and depending on it. You don’t get to know in advance, because the people setting the timer owe you nothing.

    Two fast reversals don’t prove the gate is harmless. They prove the gate is now standard — and a mechanism that reopens quickly today can hold shut tomorrow for exactly the same reasons it opened.

    The Pen-Stroke Test, Reapplied

    I ended the last piece with a question for any board treating AI as core infrastructure: which parts of your operation survive a pen-stroke? GPT-5.6 sharpens it. This isn’t a rogue export ban from one agency anymore — it’s the release process itself, at the largest AI company in the world, running through a state framework as a matter of course. The checkpoint isn’t the exception. It’s the pipeline.

    Which changes the risk calculus. When gating was an incident, you could treat it as tail risk. Now that it’s the default posture for frontier releases, it’s a structural feature of every model you rent through an API in that jurisdiction. Your access is conditional by design, not by accident.

    The Answer Hasn’t Changed — It’s Just More Obvious

    Nothing about the response shifts. If anything, the second reversal makes the case duller and more certain. Orchestration tools like Sakana’s Fugu that let you fail over between providers aren’t a performance play — they’re continuity planning for exactly this environment. And local open weights on your own hardware remain the only layer no framework, no executive order and no terms-of-service update can reach into and switch off. The lifeboat doesn’t need to be the fastest boat. It needs to be the one that’s still yours when the gate closes.

    Use GPT-5.6 on Thursday. It’ll be excellent, and I’ll be using it too. But watch the mechanism, not the model. We’ve now seen the frontier gated and reopened twice in a month. The switch works in both directions, and you don’t hold it.

    Own your intelligence, or accept that you’re renting it on someone else’s terms.

  • Voluntary Is How Mandatory Arrives: The UK’s Digital ID and the Quiet Closing of the Exits

    Voluntary Is How Mandatory Arrives: The UK’s Digital ID and the Quiet Closing of the Exits

    In January, the government announced it had “abandoned” plans for mandatory digital ID. Headlines celebrated. Campaigners claimed victory. And the machine kept building.

    Here’s what actually happened: the compulsion didn’t disappear. It moved. You won’t be required to carry a digital ID — but by the end of this Parliament, every employer in the country will be legally required to run digital right-to-work checks. You’re free to refuse the ID. You’re just not free to earn a living without it touching you.

    That’s not a U-turn. That’s a redesign.

    Voluntary Is How Mandatory Arrives

    No government in modern Britain will ever pass a law saying “citizens must carry identity papers.” We fought that battle over the 2006 ID card scheme and won it. The lesson Whitehall learned wasn’t “don’t do this” — it was “don’t do it like that.”

    So the new model is voluntary. Free to download. Stored on your phone, “secure as a banking app.” The official explainer is a masterpiece of reassurance: no central database, you control your data, alternatives for people without smartphones.

    And then, quietly, the perimeter closes:

    Want a job? Your employer must verify you digitally. Want a pint? From autumn 2026, digital ID becomes valid age verification for alcohol in England and Wales — optional today, default tomorrow, as retailers standardise on the cheapest compliance path. Benefits, childcare, banking, age-gated websites: each sector gets its own “convenient” integration via the Digital Access to Services Bill now moving through Parliament.

    Nobody mandates the frog into the pot. You just make the water comfortable and let network effects do the rest. When every checkout, landlord, employer and bank asks for the same credential, “voluntary” is a word that describes the law, not your life.

    The Threat Isn’t the Card. It’s the Chokepoint.

    Be precise about the danger, because it isn’t the technology. Cryptographic identity done properly — keys you hold, selective disclosure, no phone-home — is genuinely useful. That’s not what’s being built.

    What’s being built is a chokepoint: a single credential that mediates your access to work, money, services and age-restricted life, operated under government-defined rules that can change with a statutory instrument. The threat model isn’t today’s minister. It’s the permanent capability handed to every future one.

    We’ve just watched this movie in another theatre. In June, a US export order switched off two frontier AI models globally overnight — and switched them back on eighteen days later. One signature each way. The lesson wasn’t about AI. It was that centralised access is a switch, and someone else’s hand is on it.

    A digital ID chokepoint is the same switch, wired to your identity. Once every employer verification, every purchase check, every service login routes through one credential, the infrastructure for conditional citizenship exists — regardless of whether anyone currently intends to use it. “We would never” is not an architecture. It’s a mood.

    And the mood changes. Ask anyone whose bank account was closed for their politics, or who watched Canadian trucker-protest donors get frozen out of their own money in 2022. The tools get used because they’re there.

    What “No Central Database” Actually Means

    The government’s flagship privacy promise deserves scrutiny. “No centralised database of personal information” sounds decisive. But the ID scheme sits alongside GOV.UK One Login — a single sign-on across government services — and a planned UK Wallet for official documents. You don’t need one big database to build a surveillance capability. You need linkable identifiers and logging at the verification layer. Every time the credential is checked, somewhere a record can exist: who, where, when, for what.

    Distributed storage with centralised observability is not privacy. It’s a database with better PR.

    How to Resist — Practically, Legally, Now

    Resistance here isn’t dramatic. It’s a set of unglamorous habits that keep the analogue paths alive and the pressure on. The paths only stay open while people use them.

    1. Use cash, deliberately. Every cash transaction is a vote for an economy that doesn’t require identity to function. Cash is legal, private by design, and the single most effective everyday act against transactional surveillance.

    2. Keep and use physical documents. Passport, driving licence, paper records. From autumn, when a checkout offers digital age verification, hand over the physical card instead. Friction is the point — acceptance rates are the metric that decides whether alternatives survive.

    3. Respond to the consultations and the Bill. The Commons Library briefing is the best neutral summary of where the legislation stands. Write to your MP about the Digital Access to Services Bill — specifically demanding statutory guarantees: no verification logging, true offline alternatives with equal legal standing, and a prohibition on private-sector demands for the ID where physical documents suffice. The January climbdown proved pressure works.

    4. Support the organisations doing the heavy lifting. Big Brother Watch and the Open Rights Group have fought this fight since the 2006 scheme. They killed mandatory ID once. Fund them.

    5. Master the tools of self-sovereign identity. Encryption, keys you control, money you custody. The skills compound. A population fluent in cryptographic self-custody is structurally harder to herd through a single government credential — and if the state ever offers genuine self-sovereign ID (keys on your device, zero-knowledge age proofs, no logging), the people who understand the difference will be the ones who can tell.

    6. As an employer or director, choose maximum-privacy compliance. Those of us who run companies will be conscripted as enforcement points. Comply with the law — and implement it with minimum data retention, no gratuitous identity harvesting, and documented pushback through trade bodies. Conscripts can still drag their feet.

    The Line Worth Holding

    I’m not against digital identity. I’m against this shape of it: state-defined, employer-enforced, scope-creeping, observable at the point of verification, and sold as voluntary while the exits are bricked up one by one.

    Rights that depend on infrastructure are only as durable as the infrastructure’s owner is benevolent. The British instinct — the one that killed ID cards — was never anti-technology. It was the older, sounder instinct that the state serves the citizen, and a citizen who must be verified to work, buy and exist has quietly become the servant.

    The water is warming slowly, and comfortably, exactly as designed. Get out of the pot.

  • They Turned It Back On: What the Fable 5 Reversal Really Teaches Us About Owning Your Intelligence

    They Turned It Back On: What the Fable 5 Reversal Really Teaches Us About Owning Your Intelligence

    On 13 June 2026, the United States government switched off the most capable AI model on the planet with a single signature. On 1 July, another signature switched it back on. Nineteen days. That’s how long the world’s best publicly available intelligence spent in the dark — and if you think the story here is that it came back, you’ve missed the point entirely.

    I wrote about the shutdown the weekend it happened. The US Department of Commerce issued an export order barring foreign nationals from accessing Anthropic’s Claude Fable 5 and Mythos 5 — the first export control ever applied to AI models rather than the chips they run on. Anthropic, unable to reliably geofence a global product, pulled both models worldwide overnight. One day the frontier existed; the next it didn’t.

    The Reversal Nobody Should Celebrate

    This week the arc completed. Anthropic confirmed that Commerce has lifted the export controls, and Fable 5 returned online globally on 1 July — now fitted with a new safety classifier to block jailbreak techniques, a condition of its resurrection. Access restored, service resumed, everyone back to work.

    The temptation is to read this as the system working. Concerns raised, concerns addressed, model restored. But look at the sequence with a CFO’s eye for causality. The controls weren’t lifted into a vacuum. They were lifted after Sakana AI shipped Fugu, a commercial-grade answer to the Fable ban, benchmarking above the models Washington was still gatekeeping (the code is on GitHub, which is rather the point). They were lifted after roughly $2.87 billion flowed into decentralised AI — Bittensor, Venice, Morpheus — in the weeks following the shutdown. The state didn’t reconsider. The market routed around the damage, and then the state walked it back.

    That’s not oversight functioning. That’s a control mechanism discovering its own limits.

    Being the Best Is Not the Same as Being Unstoppable

    Fable 5 was, by most measures, the strongest model money could rent. It didn’t matter. Its existence depended on a policy posture, and policy postures change with administrations, with headlines, with whichever adviser had the last meeting. The model you build your workflows on is only as durable as the political consensus that permits it.

    And this isn’t a one-off anymore. The same week Fable came back, we learned that OpenAI released GPT-5.6 as a limited preview to “trusted partners” only — at the explicit request of the US government, under a new executive order creating a voluntary framework to review frontier models before public release. OpenAI said publicly that government-gated access “is not their preferred long-term model.” It doesn’t need to be preferred. It’s the new shape of the pipeline: the frontier now passes through Washington before it reaches you. A voluntary standards framework is expected to be formalised within days.

    One export ban is an incident. A pre-release government gate plus a ban plus a conditional reinstatement is an architecture.

    The Cypherpunks Called This Decades Ago

    Phil Zimmermann was criminally investigated in the 1990s for publishing PGP — strong encryption classified, then, as a munition. His response wasn’t to lobby. He published the source code as a printed book, protected by the First Amendment, and the control regime collapsed under its own absurdity. The lesson wasn’t that governments are evil. It’s that anything you can only access by permission can be revoked by the same permission — and the only durable answer is possession.

    The same logic now applies to intelligence itself. The 19-day Fable blackout was a live demonstration: your API key is a licence, not a right. It can be suspended by someone you’ve never met, for reasons you can’t appeal, on a timeline you don’t control.

    What a Rational Operator Does Now

    I run the finance function thesis on this, because that’s my lens. You wouldn’t build a treasury function on a single bank account in a jurisdiction with capital controls. So why build your firm’s intelligence layer on a single frontier API in a jurisdiction that has now demonstrated — twice in three weeks — that it will gate access to models for policy reasons?

    The posture that survives this environment has two layers:

    Orchestration as failover. Tools like Fugu exist precisely because the market demanded a way to keep working when a frontier model vanishes. Multi-model routing isn’t an optimisation anymore; it’s continuity planning. If your workflows die when one provider goes dark, you don’t have an AI strategy — you have a dependency.

    Local open weights as the lifeboat. A model whose weights sit on your own hardware cannot be switched off by the Department of Commerce, an executive order, or a terms-of-service update. It may not be the best model. It doesn’t need to be. It needs to be yours. Lifeboats aren’t judged on cruising speed.

    The Pen-Stroke Test

    Here’s the question I’d put to any board now treating AI as core infrastructure: which parts of your operation survive a pen-stroke? Because we now know, empirically, what a pen-stroke can do. It darkened the best mind on earth for nineteen days. The next one might last longer, or target a different model, or arrive the week you close a deal.

    Fable 5 is back. Be glad, use it — I do. But don’t mistake reinstatement for reliability. The switch still exists. It has now been flipped in both directions, and both flips were made by people who owe you nothing.

    Own your intelligence, or accept that you’re borrowing it.

  • Being the Best Isn’t the Same as Being Unstoppable

    Being the Best Isn’t the Same as Being Unstoppable

    Being the Best Isn’t the Same as Being Unstoppable

    In eighteen days this summer, a government switched off the smartest creative AI on earth, watched a market route around it, and quietly switched it back on. If your intelligence lives at the end of someone else’s permission slip, it was never really yours.

    On 13 June 2026, the most capable creative-writing models Anthropic had ever shipped — Claude Fable 5 and Mythos 5 — went dark. Not because of a bug. Not because of a data breach. Because the US Department of Commerce signed an export order barring foreign nationals from accessing them, and Anthropic, facing an unworkable compliance problem, pulled both models globally rather than try to build a border checkpoint into an API.

    By the following morning, the best in class was simply gone. Everywhere. For everyone. One signature.

    Then, on 1 July, it reversed. Anthropic confirmed that Commerce had lifted the controls and access would begin restoring the next day. The models came back exactly the way they left — at the stroke of a pen, on a timetable no user chose and no customer controlled.

    Sit with that arc for a second, because it contains the whole argument. The models didn’t fail. The company didn’t fail. The technology was flawless throughout. What failed — twice, in both directions — was the assumption that access to a tool you depend on is a property you own rather than a permission you rent.

    This Is Not a One-Off. It’s a Pattern.

    If the Fable 5 saga were an isolated event, you could file it under “unusual fortnight” and move on. It isn’t. It’s the middle data point in a line that’s now unmistakable.

    Rewind to two weeks earlier. On 26 June, OpenAI previewed GPT-5.6 — its Sol, Terra and Luna models — but not to you. (I wrote about the deeper question that raises in the Five Eyes AI warning.) Access went to “trusted partners” only, at the explicit request of the US government, under a new executive order creating a “voluntary framework” to review frontier models before public release. OpenAI said plainly this gov-gated arrangement “is not their preferred long-term model.” Reporting from the Guardian, Axios and VentureBeat all landed the same week.

    Read those two events together and the shape changes. A one-off export ban is an incident. A pre-release government gate on the next frontier model is architecture. We have moved, in a single summer, from “the state can remove a model after release” to “the state sees the model before you do.” That is not a policy footnote. For anyone building a business on top of these tools, it’s a supply-chain risk sitting one executive order away from your P&L.

    The CFO Translation

    Strip out the cypherpunk romance for a moment and put this in the language of a board pack, because that’s where it actually bites.

    You have spent eighteen months embedding a frontier model into your finance function, your customer service, your product. It writes your first-draft board commentary, triages your inbox, drafts your contracts, runs your analytics copilot. On paper it’s a productivity miracle. On the risk register, it’s a single supplier — headquartered in one jurisdiction, subject to that jurisdiction’s export law, reachable only through that jurisdiction’s permission.

    Now imagine the Fable 5 event happens to your production model on a Tuesday. No warning. No SLA that covers “sovereign shutdown.” Your workflows don’t degrade gracefully — they stop. That’s not a hypothetical any more; it’s a documented event with a date on it.

    A CFO’s instinct here should be the same one you’d apply to a sole-source component supplier, a single-bank treasury, or a one-country manufacturing base: concentration risk. The answer to concentration risk is never “hope.” It’s redundancy, and it’s ownership of the critical path.

    The Market Already Answered

    Here’s the part that should genuinely reassure operators rather than frighten them: the market didn’t wait for permission. It routed around the blockage before the blockage even lifted.

    Ten days after Fable 5 went dark, on 28 June, Sakana AI shipped Fugu and its Fugu Ultra orchestrator — a commercial, non-US answer to exactly this problem. It isn’t a toy. On the benchmarks that matter it went toe-to-toe with the frontier: SWE-Bench Pro 73.7 (ahead of Opus 4.8’s 69.2), TerminalBench 2.1 at 82.1, LiveCodeBench 93.2. Fugu’s whole design philosophy is delegation and resilience — a model that decides whether to answer directly or assemble a team of workers, which is another way of saying it was built to not have a single point of failure.

    And notice the timing on the reversal. Commerce lifted the Fable 5 controls on 1 July — after the commercial workaround had already emerged and after capital had started visibly flowing into decentralised alternatives. The state didn’t walk it back out of magnanimity. It walked it back once the market had demonstrated the ban was unenforceable in practice. Water finds the cracks. It always has.

    The money agrees. Capital has been pouring into decentralised and sovereign-AI infrastructure — Bittensor’s TAO network, Venice’s VVV, Morpheus’s MOR — with billions in inflows chasing exactly the thesis this summer proved. When roughly $2.87bn moves toward “AI you can’t switch off,” the market is pricing in the risk that your model provider might get a phone call from Washington.

    The Cypherpunks Wrote This Script in 1991

    None of this is new. It just wears new clothes.

    In 1991, Phil Zimmermann released PGP — strong encryption for ordinary people — and the US government responded by treating him as an arms exporter, opening a criminal investigation that dragged on for three years. The state’s position was straightforward: powerful cryptography is a munition, and citizens don’t get to have it without permission. Zimmermann’s position was equally straightforward: privacy is a right that predates the government, and you cannot un-invent mathematics.

    He won. Not in a courtroom, exactly — the case was dropped — but in the only arena that mattered: the code got out, it spread, and today the encryption they tried to classify as a weapon secures every banking app and every message you send. The lesson the cypherpunks drew from that fight is the same lesson the Fable 5 fortnight just re-taught: a capability that lives in the open, on hardware you control, cannot be recalled by decree. A capability that lives behind a corporate API in a single jurisdiction can be — and now demonstrably will be.

    Hal Finney, Zimmermann, the whole cypherpunk lineage understood that the fight was never really about any specific tool. It was about who holds the off switch.

    What Owning Your Intelligence Actually Looks Like

    This is not a counsel of paranoia, and it’s certainly not a call to rip out the frontier models — they’re extraordinary, and for most work they’re the right tool. It’s a call for a two-layer posture. The same posture any prudent operator applies to any critical dependency.

    Layer one: orchestration and failover. Don’t hard-wire your business to a single provider’s single model. Build an abstraction layer so that when — not if — a model goes dark, your workflows fail over to an alternative. A Fugu-class orchestrator, a second provider, a routing layer that treats models as interchangeable components rather than irreplaceable organs. This is resilience engineering, not ideology.

    Layer two: the local lifeboat. Keep a capable open-weights model — running on hardware you own, weights you’ve downloaded, inference that answers to nobody’s export desk — as the floor beneath everything. It won’t be the smartest model in the room. It doesn’t need to be. It needs to be yours, and it needs to still be there on the Tuesday morning when the smartest model in the room has been switched off by someone who never asked your permission. Because, as I put it after the first shutdown, your AI has a kill switch — and it isn’t yours to flip.

    The distinction the market is now pricing, and the one your risk committee should be too, is simple: being the best is a benchmark. Being unstoppable is an architecture. They are not the same thing, and this summer proved it with dates and signatures.

    The Bottom Line

    Fable 5 is back. Access is restoring. In a week most people will have forgotten it ever went away, which is precisely the danger — the lesson evaporates faster than the outage did.

    So write it down. On 13 June, one government deleted the best creative AI on earth with a signature and it was dark worldwide by morning. On 1 July, another signature switched it back on. Eighteen days, two pen-strokes, zero input from the millions of people and businesses who depended on it in between.

    If that arrangement is acceptable to you, carry on. If it isn’t — if you’d rather your intelligence answered to you than to a permission slip — then the work starts now: an orchestration layer for resilience, and open weights on your own metal for sovereignty. The cypherpunks were right in 1991. They’re still right. The only question is whether you build the lifeboat before you need it, or after.

    Related reading on this site: They Built a Mind You Can’t Switch Off — Sakana’s Fugu and the Commercial Birth of AI Sovereignty, They Switched Off a Mind on Friday, and Self-Custody Is Now a Civil Right in America.

  • The Bank of England Just Told You the Machine Out-Hacks Your Best Human

    The Bank of England Just Told You the Machine Out-Hacks Your Best Human

    On 15 May 2026, three institutions that almost never co-sign anything put their names to the same page. The Bank of England, the Financial Conduct Authority and HM Treasury issued a joint statement on frontier AI and cyber resilience. When the people who write the rules, the people who enforce them, and the people who hold the purse strings all clear their throats at once, it is worth reading what they actually said — not the press-release gloss, but the line that should make every finance chief sit forward.

    Here it is, in their words: the cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost.”

    Read that twice. The UK’s financial authorities have formally concluded that the machine is now a better attacker than your best human one. Faster. Cheaper. Tireless. And the firms most exposed, they note pointedly, are the ones that “have underinvested in core cyber security fundamentals.” That is not a warning about the future. It is a verdict on the present.

    The asymmetry nobody costed into the budget

    For thirty years the defender’s job had a comforting floor: attacks were ultimately bounded by human effort. Someone had to find the vulnerability, write the exploit, run the campaign. Talent was scarce, and scarcity was a moat. Frontier models drained that moat. A capability that used to require a skilled, expensive specialist is now available at the speed of inference and the cost of an API call.

    This is an asymmetry problem, and asymmetry is something every CFO understands in their bones. You are now defending a human-speed estate against a machine-speed adversary. Your patch cycle is measured in weeks. The model probing your perimeter is measured in seconds. The regulators were blunt about the implication: firms must be able to “triage, prioritise, risk assess, and remediate vulnerabilities more quickly, more frequently, and at scale” — and they used the word that finance functions flinch at, “automation,” because no human team can keep pace by hand.

    The uncomfortable translation for the boardroom is this. If your defence runs at human speed and the attack runs at machine speed, the gap is not a risk to be monitored on a heat map. It is a structural disadvantage that compounds daily until you close it.

    End-of-life systems just became a balance-sheet item

    Buried in the statement is a sentence that should ruin a few CTO–CFO meetings: investment decisions “should reflect the emerging threat, including increased exposure from end-of-life systems or those out of vendor support.”

    Every finance team has a quiet drawer of deferred IT spend — the legacy ledger system that still works, the server that is two versions behind, the integration nobody wants to touch because it would cost a quarter to replace and breaks nothing today. That drawer was always a calculated bet: the cost of replacement versus the probability of failure. Frontier AI rewrites the probability side of that equation. A model that can scan an entire technology estate and surface every unpatched, unsupported weakness in minutes does not care that your legacy box has run fine for nine years. It only cares that nobody is guarding it.

    The regulators even gestured at the insurance line — firms “should consider whether they have appropriate insurance in place.” When the FCA starts hinting about cyber insurance adequacy in a joint statement, the prudent reading is that they expect claims, and they expect underwriters to start asking hard questions about exactly those end-of-life systems you have been carrying.

    Your supply chain is now the soft underbelly

    The third pillar is the one that catches PE-backed groups and lean finance functions hardest: third parties and open-source software. Firms, the statement says, must “identify, monitor, and manage external applications, libraries, and services integrated into their networks” — and be ready to remediate vulnerabilities found by others “at scale.” (The NCSC has its own guidance on why defenders must be ready for frontier AI.)

    Modern finance runs on a stack of dependencies most CFOs have never enumerated. The reporting tool that pulls from the ERP. The open-source library three layers down in the data pipeline. The portfolio-monitoring dashboard that has read access to everything. Each is a door. Frontier AI is very good at finding doors. The data-readiness problem that every firm already has — fragmented systems, inconsistent data, integrations held together with goodwill — is also the attack-surface problem. They are the same map, read by different people for opposite purposes.

    Why this matters more than the louder AI headlines

    The discourse this year has been dominated by the dramatic stuff: models being switched off, export bans, governments demanding pre-release access to frontier systems. All real, all worth watching. But this quiet UK statement is, for an operating CFO, the more actionable document. It does not ask you to philosophise about sovereignty. It hands you a checklist and tells you the clock is running.

    And there is a deeper point underneath it. The regulators’ answer to machine-speed attack is, inevitably, machine-speed defence — they explicitly tell firms to “consider adopting automated and AI-enabled defences to operate at comparable speed.” Which means the only durable response to AI risk is more AI, deployed by you, under your control, inside your estate. The firms that win the next few years will not be the ones that fear the technology. They will be the ones that own enough of it to defend themselves at the speed the threat now moves.

    What I would put on the agenda Monday

    Strip the regulatory language away and there are five questions a finance leader can ask this week, none of which require a data scientist to answer:

    One. Does our board actually understand frontier AI risk, or do we have a slide that says we do? The statement leads with governance for a reason.

    Two. What is on our estate that is end-of-life or out of vendor support, and what is the real number to fix it? Get it costed before an underwriter or an attacker costs it for you.

    Three. Can we name every third-party and open-source dependency with access to our financial systems? If the answer is “not quickly,” that is the finding.

    Four. How fast can we patch a critical vulnerability — in days, or in weeks? The honest answer tells you the size of your speed gap.

    Five. Where are we deploying AI on defence, not just on the reporting deck? Automation is no longer an efficiency play. It is a resilience requirement.

    The establishment has rarely been a reliable early-warning system. This time it is. When the Bank of England, the FCA and the Treasury agree that the machine has out-paced the practitioner, the smart move is not to debate whether they are right. It is to assume they are, and to act before the gap becomes the incident.

  • Your AI Has a Kill Switch — And It Isn’t Yours to Flip

    Your AI Has a Kill Switch — And It Isn’t Yours to Flip

    Being the best is not the same as being unstoppable. The most capable model on earth went dark worldwide on the strength of a single government signature — and three weeks on, it is still dark. If your operating model now depends on frontier AI, that sentence should change how you think about resilience.

    What Actually Happened

    On 9 June 2026, Anthropic released Claude Fable 5 and Claude Mythos 5 — its most capable models to date. Three days later, on 12 June, the US Commerce Department ordered Anthropic to suspend access, citing a claimed jailbreak that could turn the models into unrestricted cyber tools. The order was issued under the Export Administration Regulations and targeted access by user nationality.

    Anthropic could not reliably tell foreign users from domestic ones in real time across every API call. So to comply, it did the only thing it could: it switched both models off for everyone, everywhere. As of late June, they remain suspended, with restoration “under negotiation.” (Forbes has the timeline.)

    This is the first time a government has compelled an AI company to revoke access to a deployed, commercial model based on who the user is. Not a chip embargo. Not a training restriction. A retroactive kill switch on a live product. (Background here.)

    Why a CFO Should Care About a Model Most People Never Used

    Strip away the geopolitics and you are left with a cold operational fact: a critical third-party dependency was withdrawn, globally, with effectively no notice, by a party that is not your vendor and not your regulator.

    We have a word for that on the risk register. It is concentration risk — and we usually apply it to a single supplier, a single bank, a single data centre. The Fable 5 episode says the quiet part out loud: frontier AI is now a concentrated dependency sitting upstream of a growing share of finance, operations and decision-support workflows, and its availability is subject to forces entirely outside the contract you signed.

    If you have quietly let an external model creep into reconciliations, forecasting, customer service, coding, or board-pack drafting, you have inherited a continuity exposure you almost certainly have not priced. The SLA does not cover “switched off by a foreign government.”

    The Sovereignty Scramble Is Already On

    The reaction abroad was immediate. European and Canadian leaders raised the alarm over the precedent, and the episode has hardened the case for sovereign AI — domestically controlled models and infrastructure that cannot be remotely disabled by another state. The Cloud Security Alliance has gone as far as publishing enterprise governance guidance on AI model export controls, which tells you this has moved from think-tank chatter to board-paper material.

    It is also fuel for the decentralised-AI thesis. Networks like Bittensor exist precisely to remove the single point of control — no central company to serve an order to, no switch for a single authority to flip. Whatever you make of the token economics, the architectural argument just got a real-world stress test, and it passed where the centralised model failed.

    The Cypherpunk Footnote

    There is history here. In the 1990s, the US classified strong encryption as a munition and prosecuted Phil Zimmermann for releasing PGP to the world. The state’s instinct — that powerful general-purpose technology must be controllable, and access gated by nationality — is not new. What is new is that this time the technology is intelligence itself, and the gate can be closed remotely, after deployment, in an afternoon.

    The lesson the cypherpunks drew then still applies: capability you do not control is capability you can lose. Owning your tools — running what you can locally, keeping a credible fallback, refusing to build a single load-bearing dependency on something you cannot switch back on yourself — is not paranoia. It is just good engineering, and good treasury.

    What I’d Actually Do About It

    • Map your AI dependencies. Where does an external frontier model sit in a process you cannot afford to lose for a week? You may be surprised how far it has spread without a decision ever being taken.
    • Demand a fallback, not just an SLA. For anything load-bearing, insist on a second model — ideally a different provider, ideally one that can run on infrastructure you control. Multi-model is the new multi-cloud.
    • Treat “availability risk” as distinct from “performance risk.” The best model is worthless if it is unreachable. Resilience now means a good-enough model you can always reach, not the best model you sometimes can.
    • Watch the sovereignty trend as an investor. Sovereign-AI infrastructure and credible decentralised alternatives are about to attract serious capital. For the PE-minded, that is a thesis worth forming a view on early.

    Frontier AI is extraordinary. But the Fable 5 kill switch is a reminder that “extraordinary” and “yours” are not the same thing. Build accordingly.

  • Months Away: The Five Eyes AI Warning, and the Question Underneath It

    Months Away: The Five Eyes AI Warning, and the Question Underneath It

    On 22 June 2026, the Five Eyes intelligence alliance — the signals agencies of the US, UK, Australia, Canada and New Zealand — did something they rarely do. They issued a coordinated public warning that AI models capable of devastating cyberattacks on governments and businesses are, in their words, “not years away, months away.” The instruction to leaders was blunt: act now.

    When the NSA, GCHQ and their counterparts speak in unison, it pays to listen. It also pays to ask why they’re speaking at all — because a coordinated warning from the world’s most powerful surveillance apparatus is never just a weather report. It’s an instrument. And this one landed in the same fortnight the US government blocked foreign nationals from using Anthropic’s most capable model. Hold that thought.

    What the warning actually says

    Strip out the urgency and the assessment is coherent. Frontier AI is compressing the offensive cyber timeline. Vulnerability discovery that took skilled humans weeks can be automated. Phishing and social engineering — already the cause of most breaches — can be produced at industrial scale and near-perfect quality. Malware can adapt. The agencies argue this will primarily accelerate the speed, scale and sophistication of attacks, lowering the bar for malicious actors who previously lacked the skill.

    The single most useful line in the whole intervention is this: cyber risk can “no longer be treated as solely a technical issue” — it is a core business risk and a leadership responsibility, demanding a whole-of-organisation response. CSOs are being told to rewrite their risk strategy. That reframing is correct, and it’s the part every board and CFO should internalise immediately.

    Now the counter-arguments — because there are good ones

    I take the threat seriously. I’m more sceptical of the framing. Three reasons.

    First: defence compounds too — and faster than they admit. The warning concedes, almost in passing, that AI will strengthen defence “over time.” That’s a tell. The same models that write exploits write detections. They triage alerts, parse logs, and patch faster. The attacker-defender asymmetry is real, but when the tooling is symmetric it’s measured in months, not epochs. The organisations that put AI into their own security operations won’t be passive victims of this curve — they’ll be riding it.

    Second: the fundamentals haven’t moved. AI makes the volume worse, not the vector new. The overwhelming majority of breaches still walk through the same three doors: unpatched legacy systems, weak identity, and phished credentials. AI lets attackers knock on those doors faster and more convincingly. It does not build a new door. If your patching cadence is tight and your identity controls are phishing-resistant, you have already closed most of the attack surface this warning is about.

    Third — and this is the one that should make you sit up: cui bono. The same week five governments tell us AI is so dangerous we must urgently defend against it, one of those governments decides AI is so dangerous that only trusted parties should be permitted to hold the best of it. Threat inflation and the control agenda travel together. “This technology is catastrophically dangerous” is the premise for both “spend more on defence” and “centralise capability into licensed, surveilled, government-approved hands.” One of those conclusions protects you. The other protects the gatekeepers. Be precise about which is which.

    And “months away” has a track record. We have been told imminent-catastrophe timelines on AI before. Healthy scepticism about the specific clock is warranted, even when the direction of travel is right.

    What businesses should actually do — the defensive half

    The boring measures are the effective ones. None of this is exotic:

    • Make cyber a board-level risk with a named owner. Not the IT line. A P&L and governance exposure with an accountable executive and a tested incident-response plan. Assume breach, and rehearse it.
    • Patch ruthlessly and kill legacy. Unsupported systems are the real attack surface. Accelerate the cadence; retire what you can’t defend.
    • Harden identity. Phishing-resistant MFA, least privilege, no standing access. Identity is the new perimeter.
    • Brief your people on cheap, convincing impersonation. Voice and video deepfakes are now trivial. For a finance function this is acute: payment-authorisation and supplier-bank-change controls are no longer process hygiene — they are fraud defence. The CEO-on-the-phone authorising a wire is a 2026 problem, not a hypothetical.

    And the half nobody puts in the headline — the offensive use

    The warning is almost entirely about threat. The opportunity gets a sentence. That imbalance is itself worth questioning, because the upside is where the advantage lives:

    • Put AI inside the SOC. Detection authoring, log triage, anomaly spotting, first-line response. Defenders who adopt will outpace those who wait for permission.
    • Use it on the unglamorous wins. Due diligence, contract review, continuous controls monitoring, reconciliations. The finance and risk functions are sitting on the highest-ROI, lowest-risk AI use cases in the business.
    • Hedge your sovereignty. The Fable episode is the lesson: do not build your operational stack on a single frontier model that a government can switch off by signature. Optionality — open-weight models, local fallback, multi-vendor — is now a resilience decision, not an ideological one. Owning, or at least controlling, your intelligence is becoming a continuity-of-business question.

    The real signal

    Read the warning twice. The first reading is the obvious one: the threat is accelerating, and any leader who treats cyber as someone else’s technical problem is negligent. That reading is correct — act on it.

    The second reading is the one the cypherpunks have been making for thirty years, and it’s the one that matters for the decade ahead. When the state simultaneously tells you a technology is too dangerous to be undefended and too dangerous to be widely held, the question stops being purely technical. It becomes a question about who gets to hold power, and on whose terms. Phil Zimmermann faced exactly this argument when he released PGP and strong encryption was treated as a munition. The technology won. The control attempt didn’t.

    So defend yourself properly — patch, harden, rehearse, train. But don’t accept the inference that protection requires surrender of capability to a licensed few. The genuinely resilient organisation does both: it builds a defensible perimeter, and it keeps its hands on the tools. Being the best is not the same as being unstoppable — and being protected is not the same as being dependent.

    The agencies are right that the clock is running. They’re just not the only ones who should be deciding what you do with the time.

  • They Built a Mind You Can’t Switch Off: Sakana’s Fugu and the Commercial Birth of AI Sovereignty

    They Built a Mind You Can’t Switch Off: Sakana’s Fugu and the Commercial Birth of AI Sovereignty

    Nine days ago I argued you should own your AI, because a government had just switched one off. This week a Tokyo lab shipped the commercial answer — a model built so that no single government can switch it off. The cypherpunk thesis just acquired an enterprise price list.

    On 13 June, the US Commerce Department forced Anthropic to disable Claude Fable 5 and Mythos 5 worldwide, three days after launch. I wrote at the time that the mechanism, not the model, was the warning: if your critical capability lives on someone else’s servers under someone else’s regulator, you are a tenant, evictable overnight. That was the principle. This week, Sakana AI turned it into a product.

    What Sakana actually shipped

    The Tokyo lab — founded by Llion Jones, co-author of the original “Attention Is All You Need” Transformer paper, and David Ha — has launched Fugu and Fugu Ultra. To the user it looks like one model behind one OpenAI-compatible API. Under the hood it is not a model at all in the usual sense: it is a language model trained to orchestrate a swappable pool of other LLMs — including recursive copies of itself — handling selection, delegation, verification and synthesis internally.

    Ask it something simple, it answers alone. Hand it something messy, long and multi-step — reproducing a scientific paper, a cybersecurity audit, a financial forecast — and it convenes a team of specialist models and referees their work. It builds on two of Sakana’s own ICLR 2026 papers, Trinity and Conductor. The pitch is explicitly philosophical: powerful AI is not a single-model problem but a collective-intelligence one.

    The numbers are not a rounding error

    Here is what makes this more than a press release. On Sakana’s published benchmarks, Fugu Ultra does not just keep up with frontier — it edges ahead of the very base models it orchestrates:

    • SWE-Bench Pro (real engineering): Fugu Ultra 73.7 vs Opus 4.8’s 69.2, GPT-5.5’s 58.6, Gemini 3.1 Pro’s 54.2.
    • TerminalBench 2.1: 82.1 vs Opus 4.8’s 74.6.
    • LiveCodeBench: 93.2, top of the table.
    • Humanity’s Last Exam: 50.0, narrowly ahead of Opus 4.8’s 49.8.

    The whole point: the orchestrated team beats its strongest individual member. And Sakana notes the kicker — neither banned Anthropic model is even in the pool, because they are no longer publicly available. Fugu hits these scores without the very models the US government just withdrew. Add them back and it would likely score higher still. One early tester said that where rival tools flagged three issues in a code review, Fugu surfaced more than twenty.

    The sales pitch is the cypherpunk argument in a suit

    Sakana is not being subtle about why this matters now. Straight from the announcement: “For an organization or a nation, relying on a single company’s APIs for critical infrastructure, finance, or governance is a material vulnerability. This risk is no longer a hypothetical possibility, but a reality.”

    They cite the Fable ban by name. Because the pool is fully swappable, if one provider goes dark — regulatory order, foreign-policy decision, price hike, outage — the orchestrator simply reroutes to the models still standing. This is vendor diversification reframed as resilience engineering. It is the same instinct that made Phil Zimmermann publish PGP and the cypherpunks treat capability as something you take, not something you are granted — only now it arrives with subscription tiers and a console login.

    Where I have to put the CFO hat back on

    I want this to be the whole story. It is not, and pretending otherwise would be exactly the hype I try to avoid. Orchestration is resilience, but it is not sovereignty.

    Fugu’s real-world capability depends entirely on which models are in its pool — and those models are still other companies’ APIs. If several top providers restrict access at the same time, Fugu’s options shrink with them. It routes around a single failure brilliantly; it does not route around a coordinated one. A swappable pool of rented engines is a far better position than one rented engine — but it is still rented. The only thing that genuinely cannot be switched off is a set of open weights sitting on a disk you own, which is why DeepSeek, Llama, Qwen and Gemma on your own hardware remain the actual lifeboat. Fugu is a much better fleet; it is not a lifeboat.

    So the honest framing for an operator is a two-layer one. Layer one: orchestration like Fugu for everyday frontier-grade work with built-in failover — a material upgrade on single-vendor dependence. Layer two: a genuinely local, open-weight model held in reserve for the day the whole rented fleet is unreachable at once. The first protects you from a supplier going down. Only the second protects you from the suppliers being taken from you.

    Why this is the more interesting signal than the ban itself

    The Fable 5 directive told us the state will assert control over AI capability. Fugu tells us something more useful: the market has already begun pricing that risk and engineering around it, within days, commercially. That is the cypherpunk pattern running exactly to script — capability becomes ungovernable not by petition but by architecture. Governments deleted the smartest models on earth with one signature on a Friday. By the following week, a lab had shipped a system whose entire reason to exist is to make that signature matter less.

    For any business whose operations now lean on AI, the question I posed nine days ago stands, just with a better answer available: what is your fallback when the model is switched off? “A single frontier API” is a single point of failure. “An orchestrator with failover, plus open weights on my own silicon” is a posture. Build the posture in calm water — because you do not provision for the storm once it is on you.

    Mark Hendy is a private-equity-facing CFO who works with technology and governance through Tanous Limited. If your business depends on AI and you have not stress-tested what happens when access is withdrawn, get in touch.