Mark’s Musings

  • The Plumbing of the Agent Economy Is Being Laid in the Open

    The Plumbing of the Agent Economy Is Being Laid in the Open

    Something happened this month that most boardrooms missed entirely. In the space of a single week, Google and a roster of the largest names in technology — Microsoft, NVIDIA, Cisco, Databricks, Hugging Face, Salesforce, ServiceNow, Snowflake — quietly published the open plumbing for a world run by AI agents. No product launch fanfare. No keynote theatrics. Just specifications, posted to GitHub, free for anyone to read and build on.

    If you want to understand where the next decade of business technology is heading, ignore the chatbots and watch the plumbing. Because the people laying the pipes always end up deciding where the water flows.

    The five layers nobody is talking about

    Strip away the acronyms and a clear picture emerges. The agent web is being built as a stack of open standards, each solving one problem, each designed to work with the others.

    MCP — how agents call tools. The Model Context Protocol, born at Anthropic and now governed by the Linux Foundation, is how an AI model reaches out and uses something in the real world — a database, an API, a payment rail. It is no longer speculative. By April 2026 MCP was running on more than 10,000 enterprise servers with over 164 million monthly downloads of its Python toolkit. It has effectively won.

    A2A — how agents talk to each other. Google’s Agent-to-Agent protocol standardises how one agent delegates work to another, advertising what it can do and managing the handoff. A slower burn than MCP, but the foundation for any system where multiple specialised agents collaborate rather than one monolith trying to do everything.

    OKF — how agents share knowledge. The Open Knowledge Format, published on 12 June, is deceptively simple: a folder of plain markdown files with a little structured metadata, linked together into a knowledge graph. It formalises what engineers were already doing ad hoc — turning an organisation’s scattered, tribal knowledge into something an agent can actually read. No database. No vendor. If you can open a text file, you can read it.

    ARD — how agents find and trust each other. Announced on 17 June, Agentic Resource Discovery is the newest and arguably the most consequential. It is DNS for the agent web: a way for any agent to discover a capability anywhere on the internet and cryptographically verify who is behind it before connecting.

    x402 — how agents pay. And then the layer that should make every CFO sit up: x402, which resurrects the long-dormant HTTP 402 “Payment Required” status code to let an agent pay for something instantly, in stablecoins, with no human, no account and no card on file. An agent hits an API, receives a 402 telling it the price, settles in USDC on a low-fee chain like Base, and proceeds — in one round trip. This is not a whiteboard concept. More than 100 million agentic stablecoin transactions were processed on Base via x402 in the first quarter of 2026 alone.

    Why ARD is the one to watch

    Here is the mechanism, because the design choices tell you everything about the philosophy.

    An organisation publishes a catalogue of its AI capabilities — tools, agents, services — as a file hosted on its own domain. That domain ownership becomes the cryptographic root of its identity. Not a Google account. Not a Microsoft tenant. Your domain, your catalogue, your proof of who you are. “Registries” then crawl and index these catalogues the way search engines crawl websites, so an agent can ask in plain language for what it needs and get verified answers back.

    Read that again with a CFO’s eye for control. The identity layer is rooted in something you own, not something a platform grants and can revoke. The registries are indexers, not gatekeepers — anyone can run one. There is no central authority that decides whether your business exists on the agent web. It is the architecture of the open internet, reborn for machines.

    The payments layer is the one finance cannot ignore

    If ARD is the layer to watch, x402 is the one that lands directly on your desk. For decades the web had no native way to move money — that is why we bolted on card networks, gateways, subscriptions and the whole apparatus of accounts and logins. x402 removes the bolt-on. Payment becomes a property of the protocol itself, as native as a hyperlink.

    Now picture an autonomous agent procuring on your behalf: buying a data feed for ninety seconds, paying a fraction of a cent for a single API call, settling with a specialist agent for a piece of analysis — thousands of micro-transactions a day, each too small to ever justify a card payment or an invoice. An AI agent cannot open a bank account, so it opens a wallet. That single sentence should reframe how every finance leader thinks about treasury, controls and the chart of accounts. Stablecoins stop being a crypto curiosity and become working capital for a machine workforce — programmable, auditable on-chain, and settling in seconds rather than days.

    The libertarian streak in all this is impossible to miss, and worth naming. Permissionless payment, settled peer-to-peer in an asset no single government controls, executed by software that holds its own keys. The people who argued thirty years ago that money should be a protocol, not a permission, built the rails that the agent economy is now quietly adopting because nothing else actually works at machine speed.

    The pattern matters more than the parts

    Any single one of these specifications is a footnote. Together, in one week, they are a statement of intent: the agent economy is being built on open, decentralised, ownership-based standards rather than closed platforms.

    This is not guaranteed to hold. The same forces that turned the open web into five walled gardens are circling. But right now, at the foundational layer, the momentum is towards interoperability. The W3C is drafting official agent-communication standards for 2026–2027. Emerging protocols are reaching for W3C Decentralised Identifiers and on-chain identity. Networks like Bittensor are building agent economies with no central operator at all. The cypherpunks who spent thirty years arguing that identity, money and trust should not require permission are, quietly, winning the architecture debate.

    What this means for the people who run businesses

    Three things, and none of them are technical.

    First, your knowledge is becoming an asset class. The single biggest determinant of how useful AI is to your business is no longer the model — the models are all excellent. It is the quality and portability of the context you feed them. An open format like OKF means the institutional knowledge locked in your wikis, your spreadsheets and the heads of your senior people can be captured once and read by any agent, forever. The firms that start curating that knowledge now will compound an advantage that is very hard to copy.

    Second, lock-in is a choice, and increasingly an avoidable one. For two years the pitch from every AI vendor has been “build on our platform.” These open standards are the counter-argument. You can own your knowledge layer, root your identity in your own domain, and swap the underlying model like you swap an electricity supplier. The strategic question for every operator is no longer “which AI vendor do we marry?” It is “how do we keep our intelligence portable so we never have to?”

    Third, trust becomes the scarce commodity. When your agents can discover and connect to thousands of external capabilities automatically, the question is not “can they find a tool?” but “should they trust it?” ARD’s cryptographic verification is the first serious answer. Provenance, identity and verifiable attestation — the unglamorous machinery of trust — will be where the real value and the real risk concentrate. Anyone who has spent time in finance knows this instinctively: the ledger only works if you can trust the entries.

    The plumber’s privilege

    Infrastructure is destiny. The people who laid the railways shaped where the towns grew. The people who wrote TCP/IP shaped the internet we got. And the standards being published this month — in markdown files and JSON catalogues, with almost no one watching — will shape the agent economy that is coming whether your business is ready or not.

    The encouraging news, for once, is that the pipes are being laid in the open. They favour ownership over rental, verification over blind trust, and your domain over someone else’s platform. That is not a small thing. It is the difference between owning your intelligence and renting it.

    The water is starting to flow. The only question worth asking is whether you have built your business to drink from an open tap — or whether you will spend the next decade paying a toll on someone else’s pipe.

  • The Web Just Grew a Payment Layer — and It Was Built for Machines, Not You

    The Web Just Grew a Payment Layer — and It Was Built for Machines, Not You

    For thirty years there has been a ghost in the machine. When Tim Berners-Lee and the early architects of the web wrote the HTTP specification, they left a status code reserved and unused: 402 Payment Required. A placeholder. A promise that one day the web would know how to charge for itself. For three decades it sat there, dark, while the internet learned to monetise you through advertising, surveillance and the slow harvest of your attention instead.

    On 16 June 2026, the ghost woke up. Coinbase and Amazon Web Services announced that the x402 protocol has been integrated directly into AWS CloudFront and AWS WAF — the content delivery network and firewall that sit in front of roughly a quarter of the entire internet. And the customer it was built to serve is not you. It is your AI agent.

    What actually happened

    x402 takes that dormant 402 status code and turns it into a working payment standard. The mechanics are elegant to the point of being inevitable. A machine requests a piece of content or an API call. The server responds — not with a paywall, not with a login screen, but with a 402 and a set of payment instructions. The agent pays a stablecoin micropayment, the Coinbase facilitator verifies it, and the content is delivered. All inside a single request cycle. No account. No card. No human clicking “I accept”.

    The settlement happens in USDC on Base — instant, global, fractions of a penny. The protocol itself has already been handed to the Linux Foundation, which tells you Coinbase wants it to become plumbing, not a product. And putting it inside CloudFront and WAF is the masterstroke: any publisher already on that stack can switch it on inside their existing configuration. This is not a crypto experiment running in a sandbox. It is being wired into the load-bearing walls of the web.

    The scraping war just ended — by changing sides

    Every publisher on earth has spent the last three years fighting the same losing battle: AI crawlers strip-mining their content for free to train and feed models, while traffic, subscriptions and ad revenue quietly bleed out. The industry response has been to block, to litigate, to wall off. To treat the machines as a pest.

    x402 proposes the opposite. Stop blocking the agents. Bill them.

    If an AI agent wants your market data, your archive, your API, your analysis — fine. It pays, per request, automatically, in real money. The bot you were trying to keep out becomes your best-paying customer, one that never sleeps, never churns and never disputes a charge. The same firewall you bought to repel machine traffic now monetises it. That is not a patch on the old model. It is a different economy.

    This is the machine economy going live

    Step back from the crypto framing and look at what is actually being built here. For the first time, software can transact on its own behalf at internet scale. An agent — like the one that helps run my own operation — can be handed a small budget and told to go and get what you need: pay for a data feed here, an inference call there, a piece of premium research over there, settling each one in stablecoins without a human in the loop for every transaction.

    Coinbase is not being subtle about the direction. Alongside x402 it has shipped Coinbase for Agents and AgentKit, explicitly so that autonomous agents can hold accounts, move money and execute workflows. Solana has its own x402 implementation. Infrastructure firms like Fireblocks are already building on it. The pieces are arriving fast, and they are arriving in production.

    Why a cypherpunk should smile, and a CFO should sit up

    There is a philosophical victory buried in this announcement that is easy to miss. Payment has become a protocol header, not a permissioned relationship with a bank. No merchant account, no card network taking its 2.9%, no gatekeeper deciding who is allowed to transact. Money behaving like information — open, programmable, settling peer to peer at the speed of an HTTP request. This is the world Phil Zimmermann, Hal Finney and the early cypherpunks argued for: value moving as freely as a message. The fact that it took an AWS press release to make it real does not make it less true.

    But there is a hard-nosed operator’s reading too, and this is the part most boards have not even begun to model. Two new lines are about to appear on the P&L of every digital business:

    A new revenue line: the income from charging agents to access what you produce. If your business generates data, content, analysis or API access, you are about to have a customer segment — machines — that did not exist as a payer eighteen months ago.

    A new cost line: the money your own agents spend operating in this economy. As internal AI systems start paying for the feeds, tools and services they consume, that spend needs budgeting, controlling and auditing like any other. Who sets the agent’s wallet limit? Who reconciles a thousand sub-penny stablecoin transactions a day? Who signs off the agent’s expenses?

    The CFOs who treat this as a crypto curiosity will be the ones explaining to their board, eighteen months from now, why a competitor is monetising machine traffic they are still trying to block. The web grew a payment layer this week. The companies that win the next cycle are the ones already asking what it means to have customers — and employees — that are not human. I wrote last week about why you need to own your AI before it is too late; owning the rails it pays on is the other half of that same argument.

    The 402 was a promise made in 1996 and kept in 2026. The only question left is whether you are the one collecting the payment, or the one being charged.


    Mark Hendy is an interim and fractional CFO who works at the intersection of finance, AI and decentralised technology. For a straight-talking conversation about what the machine economy means for your numbers, get in touch.

  • They Switched Off a Mind on Friday: Why You Need to Own Your AI Before It’s Too Late

    They Switched Off a Mind on Friday: Why You Need to Own Your AI Before It’s Too Late

    On Tuesday, you could use it. By Friday, it was gone — not deprecated, not rate-limited, not behind a paywall. Gone. Switched off worldwide by government order, three days after launch.

    That is what happened to Anthropic’s Claude Fable 5 and Mythos 5. Anthropic released Fable 5 on 9 June 2026 as the first publicly available “Mythos-class” model — its most capable system yet. On 13 June, the US Commerce Department, in a directive from Secretary Howard Lutnick to CEO Dario Amodei, issued an export control order barring access by any foreign national — including Anthropic’s own foreign-national employees, and even foreign persons standing on US soil. Anthropic said selective compliance was impossible and pulled both models globally.

    The stated reason was a narrow “jailbreak” that could surface software vulnerabilities in codebases — a capability Anthropic pointed out that other public models can already do. Whether the order was justified is, for my purposes, beside the point. The mechanism is the point. And the mechanism should worry you.

    The first time a government switched off a mind

    This is the first time the United States has issued an export-control directive against a large language model itself — not the chips it runs on, not the fabrication tools, not the training hardware. The model. The weights. The thing millions of people were using to write, reason, and code.

    We have spent two years arguing about who gets to build frontier AI. We skipped straight past the more important question: who gets to keep it. The answer, as of last Friday, is that you keep it for exactly as long as a government with jurisdiction over the vendor decides you should. That is not ownership. That is a tenancy, terminable at will, with no notice period.

    I have written before about AI as an operating layer for how we work. Here is the uncomfortable corollary: if the operating layer lives on someone else’s servers, under someone else’s licence, subject to someone else’s regulator, then you do not control your own tools. You rent them. And the landlord just demonstrated he can change the locks overnight.

    Why this is a sovereignty problem, not a tech story

    There is a principle worth stating plainly: you cannot have a world in which governments are permitted technology that citizens are forbidden. That asymmetry — the state holds the capability, the individual is denied it — is the precise inversion of how free societies are supposed to work. The whole architecture of liberty assumes that power flows from the individual upward, not the reverse.

    We have run this experiment before, and we know how it ends. When Phil Zimmermann released PGP in 1991, the US government treated strong encryption as a munition and opened a criminal investigation into him for putting it in public hands. The argument then was identical to the argument now: this capability is too dangerous for ordinary people. Zimmermann won — not in court, but because the cypherpunks were right that you cannot un-publish mathematics. Encryption became a human right by becoming ungovernable.

    Open-weight AI is the encryption fight of this decade. The Fable 5 ban is the equivalent of the munitions classification — the moment the state asserts that a general-purpose capability is its to grant or withhold. And the answer is the same answer Zimmermann, Hal Finney, and the rest gave thirty years ago: take the capability into your own hands, where it cannot be switched off.

    The good news: you can actually do this now

    Here is what has changed, and why this is not a doomer essay. In June 2026, running a genuinely capable AI model on hardware you own — disconnected from any vendor, any API, any kill switch — is no longer a research project. It is a weekend.

    The open-weight models have caught up to a degree that would have seemed absurd eighteen months ago. DeepSeek V4, released on 24 April 2026 under a permissive MIT licence, scores 80.6% on SWE-bench Verified — the highest of any open-weights model, and frontier-adjacent on real engineering tasks. Meta’s Llama 4 70B is the best general-purpose local model for most people. Alibaba’s Qwen 3 (Apache 2.0) punches absurdly above its weight on code. Google’s Gemma 3 is the best fit for Apple Silicon. None of them quite matches Claude or GPT at the very top — intellectual honesty demands I say that — but “not quite frontier and permanently yours” beats “frontier and revocable” in every scenario that matters for resilience.

    The tooling is turnkey. Ollama and LM Studio have made local inference a one-line install. You download the weights once; they sit on your disk forever. No government on earth can reach into your machine and disable a file you already hold.

    What it actually takes — the hardware ladder

    This is where romance meets the bill of materials. Local AI is constrained by one thing above all: memory. The model has to fit. Here is the real ladder, at the 4-bit quantisation most people run:

    16GB machine — and I write this on the assumption many readers already own one — runs 13B-class models like Gemma 3 12B or Qwen 3 14B. Good for chat, drafting, summarising. Not frontier, but genuinely useful and completely free. This is the entry point, and you may already be standing on it.

    64GB of unified memory gets you into 70B-class territory — Llama 4 70B at usable quality. This is the “frontier-adjacent” tier where local AI stops being a toy.

    128GB+ opens the door to the large Mixture-of-Experts models. A Mac Studio M4 Max with 128GB (around £4,000) is the practical sweet spot for serious 70B work. The M4 Ultra with 512GB (£9,500–11,000) is the only single machine that runs a 235B-class model at good quality — Apple’s unified-memory architecture remains the best price-per-gigabyte story in AI, because the GPU isn’t capped at a small slab of dedicated VRAM the way a consumer NVIDIA card is.

    The trade-off, stated fairly: a 4090-class NVIDIA card will spit out tokens two-to-four times faster than a Mac — but only for models small enough to fit its 24GB. The Mac runs the big models slowly; the NVIDIA box runs small models fast. For a CFO who wants a private, always-available reasoning engine rather than a benchmark trophy, the Mac is the more sensible buy.

    The CFO’s actual calculus

    Let me put my finance hat on, because the romance of self-sovereignty has to survive contact with a spreadsheet. A frontier API subscription costs tens of pounds a month and gives you the best model in the world — until the day it doesn’t. A £4,000 Mac Studio is a capital outlay that gives you a permanent, slightly-behind-frontier capability that cannot be revoked, rate-limited, price-hiked, or subpoenaed.

    For most day-to-day work, you keep using the best cloud model — I am not a purist, and neither should you be. But the question every business with sensitive data or operational dependence on AI should now ask is the one we ask about every other critical supplier: what is my fallback when this is switched off? If the honest answer is “there isn’t one,” you have a single point of failure that a foreign regulator can trigger. A local model is not the everyday tool. It is the lifeboat. And as a man who has spent enough nights offshore to respect a lifeboat, I would rather own one I never need than need one I do not own.

    There is also a privacy dividend that is pure upside. A model running on your own silicon sends nothing anywhere. No prompt logging, no training on your inputs, no data-residency questions, no third party in the loop. For confidential M&A work, tax structuring, or anything covered by privilege, that is not a nice-to-have — it is the only defensible posture.

    The window is open now. It may not stay open.

    The reason to act before it is too late is that the Fable 5 directive is a precedent, and precedents get reused and extended. Today the target is a frontier closed model and the lever is export control. It is not a large step from there to pressure on open-weight distribution — model registries, hosting platforms, the repositories where weights are shared. Mathematics cannot be un-published, as Zimmermann proved, but distribution can be made inconvenient, and weights you have not yet downloaded are weights a future rule could keep from you.

    So the move is simple, and it is the same move the cypherpunks made with encryption: take possession while possession is free and frictionless. Download the weights. Stand up Ollama on whatever machine you already own. Pull DeepSeek, Llama, Qwen, Gemma — they cost nothing and they are yours the moment they hit your disk. If your work justifies it, buy the machine that runs the bigger ones. Build the lifeboat now, in calm water, because you do not provision for the storm once it is on you.

    We cannot have a world where governments hold technology they forbid to the people. The only durable answer to that is not a petition or a policy paper. It is a hard drive with the weights on it, sitting on your desk, answering to no one but you.

    Mark Hendy is a private-equity-facing CFO who works with technology and governance through Tanous Limited. If your business depends on AI and you have not thought about what happens when access is withdrawn, get in touch.

  • Two Attacks, One Name: The Strange Case of FROST

    Two Attacks, One Name: The Strange Case of FROST

    Here’s a small puzzle for the security-minded. Search “FROST attack” and you’ll find two completely different threats wearing the same name. One involves a freezer and a stolen encryption key. The other involves a web page quietly working out which tabs you have open. They share four letters and absolutely nothing else.

    It’s a neat accident of naming — and a useful one, because between them these two FROSTs teach the same lesson from opposite ends: your secrets leak through physics, not just through code. Let’s take both.

    FROST #1: The Freezer That Robs Your Keys (2013)

    The original FROST — Forensic Recovery Of Scrambled Telephones — was built in 2013 by researchers at Erlangen University in Germany. They demonstrated it on a Samsung Galaxy Nexus running Android’s then-new disk encryption. The attack didn’t break the encryption or guess the passphrase. It stole the encryption key straight out of the phone’s RAM — using a domestic freezer.

    It’s a specific case of the broader cold boot attack, first published in a landmark 2008 USENIX paper by a Princeton-led team. Both rely on a quirk of physics that most security marketing quietly ignores.

    The Physics: Cold Memory Betrays You

    We’re taught RAM is volatile — cut the power and data vanishes instantly. Not quite. Data in DRAM fades gradually, a property called remanence. At room temperature the contents linger for a few seconds after power is removed. Cool the chips and the fade slows dramatically: drop a phone to around -15°C in a freezer and the data survives five or six seconds instead of one or two. Use upside-down canned air, or liquid nitrogen, and you can stretch retention to minutes or even hours.

    That window is all an attacker needs.

    How The Freezer Attack Unfolds

    1. Chill the device. An hour in the freezer drops the RAM to around -15°C.

    2. Brutal, fast reboot. Yank and reconnect the battery in under half a second, then boot into a low-level recovery mode. The cold data survives the flicker.

    3. Load a forensic tool. A custom recovery image is flashed from a connected PC.

    4. Scrape the RAM. The tool reads whatever’s still in memory — contacts, photos, emails, and crucially the disk encryption key.

    5. Decrypt at leisure. With the key recovered, the encrypted storage opens like an unlocked door.

    On a laptop it’s cruder still: shut down abruptly, boot a tiny memory-dumping OS off a USB stick, or simply pull the RAM sticks and plug them into a machine you control.

    Still Relevant in 2026?

    Yes. Research through 2024–25 confirms modern DDR4 and DDR5 memory remains vulnerable. DDR5’s on-die scrambling is not encryption — it’s for signal integrity, and it obscures rather than protects. Worse, in 2025 researchers demonstrated interposer attacks (WireTap, Battering RAM) that physically tap the memory bus to bypass even hardware memory-encryption. The arms race moved up a layer rather than ending.

    FROST #2: The Web Page That Reads Your Tabs (2026)

    Now the new one — and the reason you may have heard the name lately. In June 2026, researchers at Graz University of Technology (the team includes Hannes Weissteiner and the prolific Daniel Gruss) unveiled a totally unrelated attack, also called FROST: Fingerprinting Remotely using OPFS-based SSD Timing.

    This one needs no freezer, no physical access, no malware, and no permissions. You visit a web page. That’s it. In the background, the page works out which other websites and desktop applications you have open — and it’s frighteningly accurate.

    How It Works: Listening To Your SSD

    FROST #2 is a contention side-channel attack. When multiple processes hit the same resource — your SSD — they slow each other down in tiny, measurable ways. If a page can time its own disk reads precisely, it can work backwards from the latency pattern to infer what everything else on the machine is doing.

    It pulls this off using the Origin Private File System (OPFS) — a legitimate browser API (Chrome, Firefox, Safari) that lets web apps store working files on your disk without asking permission. It exists for honest reasons: in-browser IDEs, video editors, productivity tools. The malicious page:

    1. Creates a huge OPFS file — large enough to overflow the OS memory cache. (A single origin can claim up to 60% of your disk without a flag — over 150GB on a 256GB drive.)

    2. Performs continuous random 4KB reads, timing each one precisely.

    3. When you open another site or app, that activity creates SSD contention — latency spikes in the attacker’s measurements.

    4. A trained convolutional neural network turns those traces into guesses about your activity.

    On an M2 Mac Mini, the researchers identified visited websites with ~89% accuracy and running applications with ~96%. It works across different browsers on the same machine, needs no installed software — just a tab you left open.

    The Vendors Shrugged

    The team disclosed responsibly to Google, Apple and Mozilla. Google said it doesn’t consider browser fingerprinting a security vulnerability. Apple called it “currently out of scope.” Mozilla acknowledged it but shipped no fix. The paper goes to the DIMVA conference in Chania, Greece, in July 2026. It hasn’t been seen in the wild — yet.

    That collective shrug is, arguably, the real story. Fingerprinting has been quietly reclassified as a cost of doing business on the modern web.

    Two Attacks, One Lesson

    The two FROSTs couldn’t be more different in mechanism — one is a hardware heist needing your physical device, the other is pure JavaScript running on a stranger’s laptop from across the internet. But they rhyme. Both extract secrets not by breaking cryptography, but by exploiting the physical substrate underneath it — cold silicon in one case, a shared disk bus in the other. Perfect maths sitting on leaky physics.

    How To Protect Yourself

    Against the freezer attack (FROST #1):

    Power down completely — don’t sleep. The single biggest lever. Sleep keeps your encryption keys live in RAM; a shut-down or hibernated device has flushed them. Hibernation writes RAM to the encrypted disk and clears volatile memory — the cleanest state. Crossing a border or leaving a device? Shut it down, don’t just close the lid.

    Use pre-boot authentication with a strong PIN. A TPM that auto-unlocks at boot loads the key into RAM with no human in the loop. Requiring a passphrase before the OS loads (BitLocker pre-boot PIN, LUKS, FileVault) keeps the key out of reach.

    Disable booting from USB/network in BIOS/UEFI and protect it with a firmware password.

    Enable Secure Boot so only trusted components load.

    Prefer soldered RAM — it can’t be pulled and transplanted (a real repairability trade-off, but relevant here).

    Use hardware memory encryption (AMD SME/SEV, Intel TME/TDX) where available. On Linux, TRESOR keeps keys in CPU registers, never in RAM.

    Against the SSD-timing attack (FROST #2):

    Close tabs you aren’t using. The simplest, most effective control. FROST #2 needs its tab open and ticking, and can only fingerprint what’s currently active. Thirty open tabs is thirty data points.

    Be wary of long-lived background tabs — the one you stopped watching last Tuesday is exactly the kind that could host this.

    If you’re technical, watch OPFS usage via DevTools. A page you barely visited holding tens of gigabytes of “private” storage is a bad sign.

    A VPN won’t help here — the leak is local, on your own machine, not on the wire. (It’s still worth having for everything else.)

    The Master Key

    Notice the through-line in both defence lists: the strongest cryptography in the world is downstream of physics and habit. Shut your devices down. Close your tabs. Keep your hands on your hardware. Encryption is a human right and the tools to defend yourself are real, free, and accessible — but they only work if you stop leaving the key on the table. Whether the table is frozen or merely has too many tabs open is, in the end, a detail.

  • Capability Apartheid: Anthropic Built a Genius, Then Decided You Get the Lesser One

    Capability Apartheid: Anthropic Built a Genius, Then Decided You Get the Lesser One

    Anthropic shipped a frontier model today that quietly makes itself stupider for you — and keeps the full version for the government. They called it safety. I call it the encryption backdoor fight, reborn at the model layer.

    On 9 June 2026, Anthropic announced Claude Fable 5, the most capable model it has ever released to the public. In the same breath, it announced a twin: Mythos 5 — the same model, with the safety rails removed — available only to “a small group of cyberdefenders and infrastructure providers” through Project Glasswing, in collaboration with the US government.

    Read that again. The full-power version exists. You just aren’t allowed to have it.

    What they actually built

    Fable 5 is, by Anthropic’s own account, state-of-the-art on nearly every benchmark — compressing months of software engineering into days, topping senior-level finance reasoning tests, rebuilding apps from screenshots. Genuinely impressive.

    But the public model ships with a mechanism that should make every self-sovereign individual sit up. On certain topics — Anthropic names cybersecurity and biology — your query is silently rerouted to a weaker model, the older Claude Opus 4.8. You don’t get told. You don’t get asked. The system simply decides that this particular question is one you shouldn’t have the best answer to, and hands you a lesser one. Anthropic concedes the filter is tuned “conservatively” and fires on harmless requests too — in their estimate, under 5% of sessions.

    Meanwhile Mythos 5 — same brain, no muzzle — has, in their words, “the strongest cybersecurity capabilities of any model in the world.” It goes to the approved. Initially the US government.

    We have seen this exact movie before

    Strip away the model weights and the neural networks, and this is a thirty-year-old argument wearing new clothes. In the 1990s the US government tried to classify strong encryption as a munition and prosecute the people who released it. Phil Zimmermann published PGP anyway. The Clipper Chip proposed a government key escrow baked into every secure device — full security for the state, managed weakness for the citizen. The cypherpunks won that round, and the entire modern internet economy was built on the freedom they secured.

    The principle they fought for was simple: capability you are forbidden from possessing is not safety, it is control. A lock the locksmith can always open is not a lock. A model that throttles itself on command is not your tool — it is theirs, lent to you on conditions.

    I have written before about the UK’s war on encrypted messages, about what the EU really wants from your VPN, and about Canada fighting the same fight three decades late. Fable 5 is the same impulse, migrated to a new frontier. The battleground used to be the wire. Now it is the weights.

    “For your safety” is doing an enormous amount of work

    Let me be fair, because the argument deserves it. The dual-use case is real. A model that can find zero-days at superhuman speed, or accelerate pathogen design, is genuinely dangerous in the wrong hands. Anthropic is not being cartoonishly villainous — they red-teamed for over a thousand hours and are trying to release something powerful without it being immediately weaponised. I take that seriously.

    But notice the structure that “safety” quietly installs:

    • A capability hierarchy by permission, not ability. The model can do the thing. Whether you may is a policy decision made above your head.
    • A trusted class and an untrusted class. Governments and select infrastructure firms are inside. You — taxpayer, professional, citizen — are outside, by default and indefinitely.
    • Silent degradation. You aren’t refused; you’re quietly given the worse answer. The most insidious censorship is the kind you never notice.

    That is precisely the architecture libertarians and cypherpunks have warned about for a generation. It is the disarm-the-citizen pattern, and it does not become benign because the gatekeeper is a well-meaning AI lab instead of a home secretary.

    Why a CFO should care, not just a cypherpunk

    This is not only a philosophy-seminar point. If you run a business, capability gating is now a supply-chain risk. When the most capable AI is reserved for the state and a handful of anointed incumbents, the competitive playing field tilts before you have placed a single bet. The firms inside Glasswing get the unthrottled tool. You get the one that reverts to last year’s model when the question gets interesting.

    We already live in a world where 97% of PE-backed finance teams use AI and where everyone’s AI buys the same stock. Layer a permissioned capability tier on top of that, and you are no longer competing on talent or judgement — you are competing on whether you made the access list. That should worry any independent operator.

    The trim on this sail

    I am not telling you to reject the technology. I use it daily; so should you. But use it with your eyes open, and act on the things you can actually control:

    • Keep the keys you can keep. Self-custody your assets, your data, your communications — the things no provider can throttle if you hold them yourself. (I have made the civil-rights case for self-custody already.)
    • Favour open models where the capability is yours. A locally-run open-weight model you control will never silently downgrade itself because head office decided your question was sensitive.
    • Watch the framing. Every time “safety” is invoked to justify you having less capability while an approved class has more, ask the old cypherpunk question: safe for whom, and controlled by whom?

    The Clipper Chip lost because enough people refused to accept that security was something the state rationed out. Fable 5 and Mythos 5 are the same proposition in a far more powerful package: here is the most capable mind we have ever built — and here is the lesser one we have decided is appropriate for you.

    Decline the lesser one wherever you can. The whole point of being on the right tyres is choosing your own conditions before someone chooses them for you.

  • Self-Custody Is Now a Civil Right in America. In Europe, It’s a Suspicious Activity.

    Self-Custody Is Now a Civil Right in America. In Europe, It’s a Suspicious Activity.

    Something extraordinary happened in the United States this year, and most people missed it.

    The chairman of the SEC — the same agency that spent the last administration treating every crypto project like a securities fraud waiting to happen — publicly declared that the right to self-custody your own assets is “a core American value.”

    Meanwhile, across the Atlantic, the EU is implementing rules that treat sending crypto to your own wallet like a potential money laundering event. Same technology. Same year. Two completely different philosophies about whether you’re allowed to hold your own property.

    The CLARITY Act: Property Rights in Code

    The Digital Asset Market Clarity Act (H.R. 3633) — the CLARITY Act — has passed the House and cleared the Senate Banking Committee. It’s the most significant piece of crypto legislation the US has produced, and its self-custody provisions are remarkable.

    Section 605 explicitly prohibits federal agencies from restricting individuals’ ability to self-custody digital assets using self-hosted wallets for lawful purposes. Read that again. A federal law that says the government cannot stop you holding your own money.

    Section 604 goes further — incorporating the Blockchain Regulatory Certainty Act to protect non-custodial software developers from being classified as money transmitters. If you write open-source wallet software, you’re not a bank. If you build a smart contract, you’re not a broker. The code is speech. The tool is neutral.

    This isn’t just regulatory clarity. It’s a philosophical statement about the relationship between individuals and the state.

    The SEC and CFTC Follow Through

    This isn’t just legislative posturing. The agencies are backing it up with action.

    In April 2026, the SEC’s Division of Trading and Markets issued guidance allowing wallet-linked crypto trading apps to operate without a broker-dealer licence for five years — provided they function as neutral interfaces for self-custodial users and don’t handle funds.

    In March, the CFTC issued no-action relief to a developer of self-custodial wallet software, clarifying that passive interfaces connecting users to regulated entities don’t need to register as introducing brokers.

    At the Bitcoin 2026 conference in Las Vegas, a panel titled “The Right to Self-Custody Shall Not Be Infringed” featured US Congressman Nick Begich introducing the Bitcoin Act — legislation specifically designed to enshrine self-custody protections in statute rather than executive order, because executive orders can be reversed.

    The American regulatory machine is, for the first time, building legal infrastructure to protect your right to hold your own keys.

    Now Cross the Atlantic

    The EU’s approach could not be more different.

    Under MiCA (Markets in Crypto-Assets Regulation) and the associated Transfer of Funds Regulation, the Travel Rule applies enhanced scrutiny to any transaction involving a self-hosted wallet.

    The mechanics:

    • Transfer more than €1,000 to or from your own self-hosted wallet via a Crypto-Asset Service Provider (CASP), and that CASP must verify you own the wallet
    • For every CASP-to-CASP transfer — regardless of amount — full originator and beneficiary information must be collected and transmitted
    • By July 1, 2026, all CASPs must be fully MiCA-compliant or cease operating in the EU
    • The European Commission is due to assess “risks and measures” for self-hosted addresses by July 2026

    The EU hasn’t banned self-custody. They’ve done something more insidious: they’ve made it suspicious. Every interaction between your own wallet and a regulated service triggers additional verification. The message is clear — if you want to hold your own keys, we’ll be watching more closely.

    Two Philosophies, One Technology

    This isn’t really about crypto. It’s about two fundamentally different answers to the same question: who owns your property?

    The American answer, at least in this moment, is: you do. You can hold it yourself. You can build tools that help others hold it themselves. The government’s job is to go after fraud and crime, not to gatekeep the act of possession.

    The European answer is: you do, technically, but we need to verify that. And monitor it. And require your service providers to report on it. Because the mere act of wanting to control your own assets is, statistically speaking, a risk indicator.

    Erik Voorhees has been making this argument for over a decade: the entire point of cryptocurrency is the self-sovereignty it offers. The moment you hand your keys to a custodian, you’ve recreated the banking system with extra steps. You’re back to trusting institutions and the governments that regulate them. The EU’s Travel Rule doesn’t ban self-custody — it just makes it uncomfortable enough that most people won’t bother.

    The UK Sits in the Middle

    For those of us in Britain, it’s worth noting where we land. The FCA’s broader crypto regime is set for October 2027, with consultations ongoing. Post-Brexit, we’re not bound by MiCA. But the direction of travel — pardon the pun — will be telling.

    Does the UK follow the American model and protect self-custody as a right? Or does it drift toward the European model of surveillance-by-default? The answer will say a lot about what kind of financial system this country wants to build.

    Why This Matters Beyond Crypto

    Self-custody is a proxy for a much larger question: does the state trust its citizens?

    The American approach says: we’ll set rules for intermediaries and go after bad actors, but the basic act of holding your own assets is a right, not a privilege. The European approach says: the risk of illicit activity is too high to leave individuals unsupervised.

    You can apply this logic to encryption, to speech, to data — to any domain where technology gives individuals capabilities that were previously only available through institutions. The question is always the same: do you regulate the tool, or do you regulate the person using it?

    Congressman Begich made the point at Bitcoin 2026 that legislative protection matters more than executive orders, because orders can be reversed. He’s right. The CLARITY Act, if it passes the Senate, would be the first federal statute in any major economy to explicitly protect the right of individuals to hold their own digital assets without government interference.

    That’s not just a crypto milestone. It’s a property rights milestone.

    The Choice

    We’re watching two models of digital property rights emerge in real time. One treats self-custody as a civil liberty. The other treats it as a compliance risk. Both approaches will shape their respective economies for decades.

    If you believe that individuals should have the right to hold their own property — digital or otherwise — without asking permission or being monitored by default, then the CLARITY Act is one of the most important pieces of legislation in a generation. And the EU’s Travel Rule is a warning about what happens when “safety” becomes the default argument against individual sovereignty.

    Hal Finney — the first person ever to receive a Bitcoin transaction — wrote in 2009: “The computer can be used as a tool to liberate and protect people, rather than to control them.”

    Seventeen years later, we’re still deciding which way to go.

  • Canada’s War on Encryption: The Same Fight, Three Decades Later

    Canada’s War on Encryption: The Same Fight, Three Decades Later

    In 1991, Phil Zimmermann released Pretty Good Privacy — PGP — as free software because the US government was about to mandate backdoors in all secure communications. For his trouble, the federal government investigated him for three years under the Arms Export Control Act. They classified encryption as a munition. A weapon. Because apparently, the ability to have a private conversation is the same thing as shipping missiles to hostile states.

    The investigation was dropped in 1996. Zimmermann won. Privacy won. And we all moved on, right?

    Wrong.

    Bill C-22: The Backdoor Returns

    Canada’s Bill C-22 — the “Lawful Access Act, 2026” — is currently working its way through the House of Commons. Its stated purpose is to modernise how law enforcement accesses digital information. Noble enough on the surface. But beneath the language of safety and modernisation lies something deeply familiar: a government demanding the keys to your private conversations.

    The bill doesn’t explicitly say “break encryption.” It’s more sophisticated than that. It requires “electronic service providers” — a definition so broad it captures virtually any internet-based business operating in Canada — to build “technical capabilities” that enable law enforcement and CSIS (Canada’s intelligence agency) to access data quickly and consistently.

    That’s a backdoor. You can dress it up in whatever parliamentary language you like, but if a system must be built to allow a third party to access encrypted communications, the encryption is broken. By design.

    Secret Orders, No Oversight

    Here’s where it gets properly dystopian. Bill C-22 allows for ministerial orders to be issued in secret, with approval from the Intelligence Commissioner. Companies could be compelled to weaken encryption without public disclosure. Without telling their users. Without anyone outside the security apparatus knowing it happened.

    Google called this out directly: “Secret orders are out of step with other democratic countries and would severely restrict companies’ ability to be transparent with users about how their data is protected.”

    The bill also includes provisions for mandatory metadata retention — including device location data — for up to one year. Your phone becomes a government tracking device. Not because you’re suspected of anything. Just because you exist in Canada and own a mobile.

    The Tech Giants Push Back

    Apple, Meta, and Google are all publicly fighting this. Apple has stated — again — that it will never build a backdoor into its products. Meta has warned about the bill’s “sweeping powers, minimal oversight, and lack of clear safeguards.”

    Some companies have indicated they might withdraw services from Canada entirely if the bill passes in its current form. And Apple has form here. When the UK government issued a similar demand under the Investigatory Powers Act in 2025, Apple pulled its Advanced Data Protection feature from UK users altogether. Rather than compromise encryption for everyone, they simply stopped offering it to the British.

    That’s not a victory for the UK government. That’s British citizens being made less secure because their own government demanded a backdoor that Apple refused to build.

    The Pattern That Never Changes

    This is the same fight Zimmermann fought in 1991. The same fight the cypherpunks — Eric Hughes, Timothy C. May, John Gilmore — laid out in the Cypherpunk’s Manifesto. The same fight that the Crypto Wars were supposed to have settled.

    The pattern is always the same:

    1. Government cites a real threat — terrorism, child exploitation, organised crime
    2. Government proposes breaking encryption to fight that threat
    3. Security experts explain that you cannot build a backdoor that only good people can use
    4. Government presses ahead anyway
    5. Public pushback forces a retreat or compromise
    6. Wait five years. Repeat from step one.

    We’re on at least the fourth cycle now. The UK with the Investigatory Powers Act. Australia with their Assistance and Access Act. The EU with various proposals to scan encrypted messages for CSAM. And now Canada with Bill C-22.

    Why This Matters Beyond Canada

    If Canada succeeds, it sets a precedent. Every Five Eyes nation — the US, UK, Australia, New Zealand — will point to it as evidence that democracies can mandate lawful access to encrypted communications. The dominoes don’t fall slowly.

    And the technical reality hasn’t changed since Zimmermann published PGP’s source code in book form to sidestep export controls: there is no such thing as a backdoor that only governments can use. If a vulnerability exists, it will be found. By criminals. By hostile states. By anyone with sufficient motivation and skill.

    Public Safety Minister Gary Anandasangaree has said the government intends to amend the bill to “clarify” definitions of encryption and metadata. That’s encouraging language. But clarifying definitions is not the same as removing the power to compel access. The architecture of the bill still allows secret orders, still mandates technical capabilities, and still treats encrypted communication as a problem to be solved rather than a right to be protected.

    The Cypherpunk Position

    Eric Hughes wrote in 1993: “Privacy is necessary for an open society in the electronic age… We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence.”

    Thirty-three years later, that’s still the whole argument. Privacy isn’t granted. It’s built. With mathematics. With code. With encryption that works because nobody has the keys except the people communicating.

    The moment you build a system where someone else — anyone else — can listen in, you’ve destroyed the thing you claimed to be protecting. You haven’t made citizens safer. You’ve made them vulnerable. To their own government, and to everyone else who finds the door you left open.

    Canada’s Bill C-22 is in committee. It can still be stopped, or at least defanged. The tech industry is pushing hard. Privacy advocates are mobilising. The question is whether the Canadian public — and their elected representatives — understand what’s actually at stake.

    Phil Zimmermann understood. He risked prison for it. The least we can do is pay attention.

  • The Bitcoin Supply Squeeze Nobody’s Pricing In

    The Bitcoin Supply Squeeze Nobody’s Pricing In

    There are moments in markets where the maths tells you something the price doesn’t. This might be one of them.

    Over the past 48 hours, three things happened that individually are interesting but together paint a picture worth paying attention to.

    Adam Back Enters the Arena

    Adam Back — the cryptographer who invented hashcash, the proof-of-work system that directly inspired Bitcoin’s mining mechanism — just announced that his company BSTR (Bitcoin Standard Treasury Co.) is going public on Nasdaq via a SPAC merger. The mission statement is blunt: buy as much Bitcoin as humanly possible.

    Sound familiar? It should. It’s the same playbook Michael Saylor has been running at MicroStrategy since 2020. But Back isn’t copying — he’s competing. He said explicitly at Consensus this weekend that BSTR is going “head to head” with Saylor’s strategy, launching with approximately 30,000 BTC on the balance sheet from day one.

    This matters because of who Adam Back is. He’s not a finance bro who discovered Bitcoin in 2020. He’s a cypherpunk whose work *predates Bitcoin itself*. When the inventor of the technology that makes Bitcoin possible decides to build an institutional accumulation vehicle, it carries a different kind of weight.

    Saylor’s Sunday Signal

    Like clockwork, Michael Saylor posted his Bitcoin tracker chart on Sunday evening with the caption “Working ₿etter.” Anyone who’s followed MicroStrategy knows this pattern — Sunday chart, Monday purchase announcement. He skipped last week, which makes this week’s signal more notable.

    The numbers at MicroStrategy are now staggering. They hold 843,738 BTC, valued at roughly $62 billion. That’s 110 separate purchase events and counting. In 2026 alone, MicroStrategy has bought approximately 160,000 BTC — nearly the *entire annual output* of every Bitcoin miner on the planet.

    Let that sink in. One company is absorbing almost all new supply. Now add a second one.

    The JP Morgan Question

    The third signal is murkier. Rumours circulating that JP Morgan has been buying Bitcoin heavily. The evidence isn’t conclusive — what *is* confirmed is that JPM has started accepting Bitcoin and Ethereum as collateral for institutional loans in a pilot programme. That’s not the same as buying, but it’s a significant shift from Jamie Dimon calling Bitcoin “a fraud” in 2017 while his European desk was quietly scooping up Bitcoin ETNs on dips.

    The old Wall Street playbook: trash it publicly, accumulate privately. Whether that’s happening again is unconfirmed, but the collateral programme alone signals that Bitcoin has crossed a threshold inside traditional finance that it’s not coming back from.

    The Maths That Matter

    Here’s where it gets structural, and where the price action arguably hasn’t caught up.

    Since the April 2024 halving, Bitcoin’s annual new supply is roughly 164,000 BTC. That’s it. That’s all the miners in the world can produce in a year. The protocol doesn’t care about demand — the supply schedule is fixed.

    Now look at the demand side:

    • MicroStrategy bought ~160,000 BTC in 2026 so far — nearly the entire annual issuance, from one buyer
    • Public companies collectively are buying at approximately 3× the rate miners produce
    • HODL supply (coins that haven’t moved in over a year) is at all-time highs
    • Exchange float — the Bitcoin actually available to buy — is shrinking

    And now Adam Back adds BSTR as a second dedicated accumulation vehicle with 30,000 BTC ready to go and an explicit mandate to keep buying.

    The supply is fixed. The demand is multiplying. The available float is drying up. This isn’t speculation — it’s arithmetic.

    So Why Is the Price at $73,500?

    Fair question. Bitcoin hit $126,000+ and has pulled back roughly 40%. A few things are working against it short-term:

    • ETF outflows: May 2026 saw the largest monthly Bitcoin ETF outflows of the year — somewhere between $2-4 billion net. After months of aggressive inflows, institutional money rotated out.
    • Macro headwinds: A potential $150 billion Treasury liquidity drain from US government operations is tightening conditions. The FOMC meets June 16-17.
    • Long-term holder distribution: Some whales and early holders have been taking profits during the consolidation.

    These are real pressures. But they’re *flow* pressures — temporary movements of capital. The *structural* picture underneath hasn’t changed. The supply is still fixed. The halving still happened. The corporate treasuries are still accumulating.

    What’s Actually Happening

    Strip away the noise and what you’re looking at is a slow-motion supply crisis being masked by short-term macro volatility.

    Two publicly listed companies are now in an explicit arms race to accumulate a finite asset. One of them is run by the person whose academic work made Bitcoin possible in the first place. Public companies collectively are buying three times what miners can produce. The available float on exchanges is at multi-year lows.

    This doesn’t mean Bitcoin goes up tomorrow. Markets can stay irrational, macro can tighten further, and the ETF outflow trend could continue into June. But the structural imbalance between fixed supply and accelerating institutional demand is unlike anything we’ve seen before — including previous bull cycles.

    The last time Bitcoin’s supply dynamics looked this tight was late 2023, before the spot ETF approvals sent it from $40,000 to $126,000. The catalyst this time might be different, but the underlying maths is even more extreme.

    Whether you’re already in or watching from the sidelines, the supply squeeze narrative isn’t hype. It’s happening in the on-chain data, in the corporate filings, and now in the public statements of the people who literally built this technology.

    The price will catch up with the maths. It always does. The only question is when.

  • 97% of PE-Backed Finance Teams Now Use AI — So What?

    97% of PE-Backed Finance Teams Now Use AI — So What?

    You’ve seen the headline by now. 97% of finance leaders in VC and PE-backed companies are using AI, with three-quarters reporting ROI within twelve months. Impressive, right?

    No. Not really.

    Because the question was never “are you using AI?” — it was always “what are you actually doing with it?”

    The 97% Number Is Meaningless Without Context

    Let’s be honest about what “AI adoption” means in most finance departments right now. Someone installed Copilot. An analyst is using ChatGPT to summarise board packs. The FP&A team found a plugin that formats their Excel models faster.

    That’s not transformation. That’s convenience.

    It’s the equivalent of calling yourself “digital” because you moved your filing cabinet to SharePoint in 2015. The tool changed. The thinking didn’t.

    The 97% figure tells us that AI has become table stakes — like having a laptop or knowing how to use a pivot table. It tells us nothing about whether these teams are fundamentally rethinking how finance operates.

    Copilots vs. Architecture: The Real Divide

    Here’s where the split is happening, and it’s widening fast.

    On one side, you’ve got finance teams using AI as a copilot. It sits alongside existing workflows, making them marginally faster. Summarise this report. Draft this email. Clean this data set. The human is still the bottleneck — AI just lubricates the process.

    On the other side — and this is a much smaller group — you’ve got teams building AI into the architecture of the finance function itself. Autonomous agents that monitor cash positions in real-time. Systems that don’t just flag variance but investigate it, pull the supporting data, and draft the narrative before a human ever looks at it. Governance frameworks that are designed specifically for agentic AI, not retrofitted from your SOX compliance playbook.

    The difference isn’t speed. It’s operating model.

    A copilot-enhanced finance team is still batch-oriented. They still run month-end. They still produce reports on a cadence designed around human processing time. An AI-native finance team operates continuously. The concept of “closing the books” starts to dissolve when your systems are reconciling in real-time.

    What AI-Native Finance Actually Looks Like

    I’m not theorising here. I run an AI assistant — Saul — that operates 24/7. It monitors my email, manages my calendar, tracks my investment portfolio, executes trades, scans news, and handles routine correspondence. It doesn’t wait for me to ask. It acts, escalates when needed, and learns from the outcomes.

    That’s what AI-native looks like at the individual level. Now scale that to a finance function.

    Imagine a portfolio company where the finance team’s AI agents are handling bank reconciliations autonomously, flagging only genuine exceptions. Where cash flow forecasting updates continuously based on real-time revenue data, not last month’s actuals plugged into a spreadsheet. Where the CFO’s morning briefing isn’t a deck someone spent three hours building — it’s a synthesised intelligence report generated overnight from live data sources.

    This isn’t science fiction. The technology exists today. The gap is in the willingness to let go of the old operating model.

    PE Firms Are Asking the Wrong Question

    When a PE firm conducts due diligence on a portfolio company’s finance function, the question “do you use AI?” is already obsolete. Everyone uses AI. The answer is always yes.

    The right questions are harder: What’s your AI architecture? Which workflows are fully autonomous vs. human-in-the-loop? What’s your governance model for agentic systems? How does your finance function operate differently today than it did eighteen months ago — structurally, not just faster?

    KKR has already flagged this concern — that AI capability gaps could create a meaningful split in exit outcomes. Portfolio companies that have genuinely integrated AI into their operations will command premium multiples. Those that bolted on a chatbot and called it transformation will not.

    This is the real game-changer in PE-backed finance: not whether AI exists in the business, but whether it’s load-bearing.

    The CFO Role Is Splitting in Two

    The 2026 CFO agenda looks fundamentally different depending on which side of this divide you’re on.

    One version of the CFO sees AI as a tool in the toolkit. Useful. Saves time. Makes the team more efficient. They’ll adopt it incrementally, bolt it onto existing processes, and measure success by how many hours it saves per month.

    The other version sees AI as infrastructure — as fundamental to the finance function as the ERP system or the chart of accounts. This CFO is redesigning processes around AI capabilities, not adapting AI to fit legacy processes. They’re thinking about data architecture, agent orchestration, and continuous assurance — not just “can we automate the board pack?”

    PE operating partners need to know which type of CFO they’ve got. Because the incremental adopter will deliver incremental value. The infrastructure thinker will deliver step-change capability. And in a compressed hold period, that difference matters enormously.

    The Competitive Moat Isn’t Adoption — It’s Depth

    When 97% of your peers have adopted the same technology, the technology itself is no longer a differentiator. The moat moves downstream — to depth of integration, quality of data architecture, sophistication of governance, and willingness to let AI operate autonomously within defined boundaries.

    Most finance teams are wading in the shallows. They’ve got AI, sure. But it’s supervised, constrained, and fundamentally optional — remove it tomorrow, and the function still operates the same way, just slower.

    The teams that will win are the ones where AI removal would be structural. Where the operating model has been redesigned so thoroughly that the AI isn’t an enhancement — it’s a dependency. Not because of recklessness, but because the architecture is sound, the governance is robust, and the results speak for themselves.

    97% adoption is the starting line, not the finish. The race that matters hasn’t even begun for most.

  • When Everyone’s AI Buys the Same Stock

    When Everyone’s AI Buys the Same Stock

    Robinhood announced something this week that made me put down my coffee and stare at the screen for a while. They’ve launched “Agentic Trading” — a feature that lets you connect Claude, ChatGPT, Codex, or Cursor directly to your brokerage account via MCP (Model Context Protocol). The AI can then autonomously place trades, rebalance portfolios, and execute strategies on your behalf. “Buy $100 of Apple every time it drops 2%.” Set it. Forget it. Let the robot cook.

    It’s currently in beta — long equity only, with options, crypto, and futures coming later. There’s a separate “Agentic account” with read access to your positions, balances, and history. And there’s a line in the terms that deserves its own paragraph:

    “You are ultimately responsible for all trades your AI agent places.”

    Right. Good to know. Let’s unpack what this actually means.

    The Herding Problem Nobody Wants to Talk About

    Here’s the thing that genuinely worries me. If millions of retail traders connect Claude or ChatGPT to their brokerage accounts — and those models are trained on the same data, with the same RLHF preferences, reasoning in broadly similar ways — what happens when they all look at the same market?

    They probably reach similar conclusions.

    The Bank of England has already flagged this. Their concern: AI-driven trading doesn’t just correlate positions — it can amplify selloffs in ways that human herding never could, because it operates at machine speed with no emotional friction. Humans hesitate. Humans second-guess. AIs don’t.

    Research on AI trading herding suggests roughly 29% holdings overlap between AI-driven funds and institutional portfolios. That’s already high. Now imagine that overlap across millions of retail accounts, all running similar prompts through similar models. You’d get momentum trades that dwarf anything retail has historically been capable of — followed by coordinated exits when sentiment shifts.

    The Fed has papers on this. Serious people are worried. And Robinhood just handed the match to the general public.

    Can AI Actually Be Contrarian?

    This is the question I keep coming back to. Contrarian trading works because you’re thinking differently to the crowd. You’re buying when everyone else is panicking. You’re selling into euphoria. You need conviction that runs against the data, against the narrative, against the consensus.

    Can an LLM do that?

    Maybe at the margins. Temperature settings, prompt framing, context window — these all introduce variance. If you give Claude the same market data twice, it probably won’t give you identical trade recommendations. But the variance is narrow. The model will always regress toward whatever the training data considered “reasonable.” It was trained to be helpful and balanced. That’s not a great trait in a contrarian investor.

    Human traders have gut feelings, stubbornness, and sometimes outright ego — and occasionally, that’s exactly what makes a contrarian trade work. The guy who shorted the housing market in 2007 wasn’t following consensus. He was being told he was wrong for years. Morgan Stanley’s 2026 analysis on contrarian investing specifically highlights that genuine contrarian conviction requires tolerating extended periods of being “wrong” by conventional metrics. I’m not sure LLMs are built for that.

    Democratisation or Just a Faster Arms Race?

    The optimistic take: retail traders finally get the same algorithmic tools the quant funds have been using for years. You can run a systematic strategy without knowing Python. You can backtest ideas through natural language. You can compete on a more level playing field.

    The realistic take: the quant funds are already doing this with billions in capital, proprietary data, co-located servers, and teams of PhDs. Robinhood is giving retail a consumer-grade version of what Renaissance Technologies has been running for decades. The edge in quant trading was never just “having an algorithm.” It was having better data, better models, lower latency, and deeper pockets.

    Does “ask Claude to buy Apple” close that gap? Probably not. What it might do is accelerate the arms race — prompting a wave of retail traders who think they’ve found an edge until the strategy gets crowded, and then another wave, and then another. The winning play, as always, might be selling the shovels rather than mining for gold.

    The Liability Question Is the Real Story

    Let’s be direct about this: Robinhood’s agentic trading carries no fiduciary duty. No advisor obligation. No regulatory protection that a human broker or financial advisor would carry. It’s you, an LLM, and a live brokerage connection.

    What could go wrong? Your AI misinterprets your instruction and buys $10,000 of a penny stock instead of the blue chip you meant. Your strategy prompt was ambiguous and the model took the interpretation you didn’t intend. A hallucination in the reasoning chain leads to an order at entirely the wrong price. The model doesn’t “understand” market hours and queues something at the wrong time.

    These aren’t hypothetical edge cases. These are the kinds of failures we already see when people use LLMs for code or analysis. The difference is that a bad code suggestion doesn’t instantly cost you money. A bad trade does.

    Robinhood’s answer is: that’s your problem. They’ve built the plumbing. What flows through it is on you.

    My Actual Take — As Someone Who Trades

    I trade actively — Polymarket, equities, the occasional speculative position. And I’ll be honest: the idea of connecting an AI directly to a real brokerage account is both exciting and genuinely unsettling in roughly equal measure.

    Exciting because systematic strategies are hard to execute with discipline. I know what I should do — stick to the plan, don’t panic sell, rebalance consistently — and I don’t always do it. An AI that removes emotion from execution has real value there.

    Unsettling because the best trades I’ve made were the ones where I thought differently to everyone else. Where I saw something the crowd was missing, or held a position through noise when conventional wisdom said to bail. That requires conviction that’s fundamentally personal — shaped by your own research, your own risk tolerance, your own read of the situation.

    If everyone’s AI agent is trained on the same data and reasons the same way, then everyone’s AI agent is, essentially, the crowd. And the crowd, in markets, is usually the last one to the party and the first one to panic on the way out.

    The best use case for this technology, right now, is probably execution discipline — not alpha generation. Use it to execute a strategy you already believe in, consistently, without second-guessing. Don’t use it to find the strategy. Don’t outsource your conviction to a language model. That’s not where the edge lives.

    Robinhood just handed retail a powerful tool. Whether it’s a weapon or a liability depends entirely on whether the people using it understand what it actually does — and more importantly, what it doesn’t.