When AI Starts Running the Room: Five Signals From the Week of May 5, 2026

Something shifted this week. The stories aren’t about AI getting smarter in a lab. They’re about AI getting smarter inside your infrastructure, your vendor contracts, your security perimeter, and your cost centers — simultaneously. The organizations that treat these as separate topics will spend the next quarter firefighting. The ones that read them as a single operating-model shift will move first.

The Timeline to Autonomous AI R&D Just Got a Number

Jack Clark — Anthropic co-founder and one of the field’s most credible forecasters — published a detailed argument this week assigning a 60%+ probability that fully autonomous AI R&D happens by 2028. That means a system capable of designing and training its own successor without human involvement. He’s not writing fiction. He’s reading arXiv papers, benchmark curves, and internal deployment patterns, and concluding that all the components are already present.

The benchmark data behind the argument is worth sitting with. Claude Opus 4.6 can now reliably complete tasks that take a skilled human roughly 12 hours — up from 30 seconds for GPT-3.5 in 2022. SWE-Bench, the gold-standard real-world coding test, went from a 2% solve rate at launch to 93.9% with Claude Mythos Preview. That’s not incremental improvement. That’s saturation of a benchmark that was designed to be hard. Clark’s framing is that “all the pieces are in place for automating the production of today’s AI systems” — including the engineering components of AI development itself.

One of the consistent patterns I see in enterprise AI governance reviews is that leadership teams are planning for a 3-to-5-year capability horizon. That horizon is already wrong. If Clark’s estimate is directionally correct — and I think it is — the question your board should be asking is not “what can AI do in our organization today” but “what decisions are we making today that assume humans will remain the primary source of AI capability improvements.” Supply chain strategy, talent planning, technology architecture commitments: all of these need to be pressure-tested against a 2-to-3-year timeline, not a 5-to-7-year one. For EMEA organizations, this also intersects directly with EU AI Act obligations — systems built on today’s assumptions may require reassessment as the capability baseline shifts.

Read more: Import AI #455 — Jack Clark

Your Third-Party Vendors Are Now a Frontier AI Attack Surface

Anthropic launched Claude Security in public beta on April 30 — a codebase vulnerability scanner powered by Opus 4.7, available directly inside Claude Enterprise with no API setup required. Hundreds of organizations had already used the research preview since February, finding vulnerabilities that existing tools had missed for years. Partners deploying it at enterprise scale include Accenture, Deloitte, PwC, BCG, and Infosys. CrowdStrike, Palo Alto Networks, SentinelOne, and Wiz are integrating Opus 4.7 directly into their existing security platforms.

The same week, Anthropic was investigating an unauthorized access incident involving its more powerful model, Claude Mythos Preview. A group gained access on the day of announcement through a third-party contractor portal, using knowledge of Anthropic’s URL naming conventions. Anthropic confirmed no core systems were impacted, but the breach vector itself is the story: a contractor employee, a developer portal, and an educated guess. The group has been using Mythos regularly since April 7.

This is not a theoretical risk. The pattern here — frontier AI capability leaking through a third-party vendor environment — is structurally identical to the supply chain attacks that dominated the early 2020s. Most enterprise AI security frameworks are still focused on prompt injection and output governance. Very few have extended their vendor risk management processes to include “which of our contractors have access to AI model APIs, and under what controls.” Your security governance review should add that question before your next vendor audit cycle. In enterprise deployments I’ve worked on, third-party access governance is almost always the last thing updated when AI capabilities are introduced — and the first thing that creates exposure.

The Cloud Infrastructure War Just Got Decided by Silicon, Not Software

On April 28, AWS ended three years of Azure’s effective monopoly on GPT model distribution. OpenAI’s models went live on Amazon Bedrock the day after Microsoft’s exclusivity was formally dissolved. Every major frontier model except Gemini is now available from a single cloud provider. But the model catalogue is not the real story — the silicon commitments are.

Anthropic secured up to 5 gigawatts of AWS Trainium capacity over ten years, committing more than $100 billion to AWS. OpenAI committed 2 gigawatts and expanded its AWS agreement by $100 billion over eight years. In Q1 2026, Bedrock processed more tokens than in all prior years combined, with customer spending up 170% quarter over quarter. AWS’s custom silicon business now generates more than $20 billion annually. Trainium-served models run at a 30–40% cost discount compared to equivalent NVIDIA GPU workloads — and that discount will grow as Trainium4 comes online in 2027.

For technology leaders making cloud vendor decisions, the practical consequence is straightforward: the “choose Azure for OpenAI, choose AWS for Anthropic” decision framework is over. Both models are now available on both hyperscalers. What remains differentiated is cost structure, existing enterprise discount programs, and data residency. AWS Enterprise Discount Programs can layer 5–25% off list pricing on top of Bedrock token costs. For EMEA organizations with data residency requirements under GDPR or sector-specific regulation, the relevant question is no longer which cloud has which model — it’s which cloud has the right regional footprint for your compliance posture. That assessment is worth doing now, before annual renewal cycles lock in commitments made under outdated assumptions.

AI Coding Costs Are Becoming a Finance Problem, Not an Engineering Problem

Three separate stories this week point to the same structural shift: AI coding tools are moving from “developer productivity” budget lines to CFO-visible cost management problems.

GitHub Copilot moves to usage-based billing on June 1. The pricing model transitions from flat premium request units to token-based GitHub AI Credits at $0.01 per credit. Base plan prices don’t change — Copilot Business remains $19/user/month, Enterprise $39/user/month — but agentic features, Copilot Chat, cloud agent, and Spaces now draw from a credit pool, with overages billed at per-token rates. Code completions and Next Edit Suggestions remain unlimited. Starting June 1, Copilot code review also consumes GitHub Actions minutes on private repositories, billed at standard Actions rates on top of AI Credits. Organizations should use the “Preview my bill” tool in the GitHub billing console — live in early May — before the cutover date.

Meanwhile, a practitioner-level breakdown of Claude Code costs this week showed the same workflow dropping from roughly $1,389 per month to $200 per month after Anthropic shipped three bug fixes in April. The four root causes of overuse — cache misses, context bloat, wrong model selection, and wrong input format — are structural, not accidental. Most teams hitting limits are paying for poorly structured prompts and bloated context, not for actual work output.

In enterprise agentic deployments, the most dangerous failure modes are invisible cost escalations that don’t trigger any alert until the monthly bill arrives. Flat-rate licensing created the illusion that AI tool costs were fixed. Usage-based billing makes that illusion expensive. Your governance framework needs a token budget owner — someone who sits between engineering and finance, understands what drives consumption, and can coach teams before patterns become invoices. In organizations I’ve worked with that have done this well, the function looks less like IT governance and more like cloud FinOps: proactive, data-driven, and embedded in the team cadence rather than reviewed quarterly.

Worth Watching

DeepSeek V4: The Cheapest Frontier Model, and What That Means for Procurement

DeepSeek released V4 on April 24 — same day as GPT-5.5, almost certainly intentional. V4-Flash costs $0.28 per million output tokens, undercutting every Flash, Mini, and Nano offering from Western labs. V4-Pro offers a 1M token context window at 27% of V3’s inference compute cost. Both models are MIT-licensed open weights on Hugging Face. For EMEA organizations, the cost advantage is real but the governance audit is mandatory — EU AI Act compliance, data residency, and supply chain risk assessments for Chinese-origin models are not optional. Organizations should model the total cost of ownership including those compliance costs before treating DeepSeek V4 as a direct drop-in alternative.

OpenSpec: Spec-Driven Development Is Becoming Standard Practice

OpenSpec — a lightweight framework that adds a spec layer in front of AI coding assistants — has reached 28k GitHub stars with an MIT license and support for 30+ tools including Claude Code, Cursor, GitHub Copilot, and Amazon Q. The core idea: AI coding without written specs produces unpredictable results because requirements live only in chat history. OpenSpec forces alignment on “what to build” before any code is written. Research shows AI performance degrades significantly when context exceeds 40% — OpenSpec’s external spec files function as persistent memory across sessions. For enterprise teams scaling agentic coding workflows, this is worth evaluating before the next sprint cycle.