Groundhog Day

8 days — the gap between two deterministic Linux root exploits this past week: Copy Fail on April 29, Dirty Frag on May 7, the second deliberately engineered on the first by a researcher using the same LLM tooling that surfaced the first. The 90-day disclosure window the security industry has run on since the early 2000s assumed bug-finding was rare and exploit development was slow. Both are now zero. The labs are improving their own products on the same clock. Most of the economy is on a calendar.

Stop running quarterly patch cycles on anything that touches the internet. Two deterministic Linux root primitives landed in eight days, the second engineered on top of the first. Himanshu Anand's essay this weekend, the highest-scored piece in our research stack: treat every critical security issue as P0 and patch it now — not tomorrow, not next sprint. If your change-management workflow assumes you have weeks between disclosure and exploit, the workflow is wrong this morning. Today's move: write the decision down, give the CISO the cover, and shorten the SLA before the next renewal.

Pick four people in your company and start a four-week clock. Senior, mid-level, junior, plus one operating-line lead. Sixty minutes a day, each of them, for four weeks. Each person ships one workflow per week that they could not ship the week before. Measure the delta — what got rewritten, what got automated, what got retired. The 95th-percentile firm in OpenAI's B2B Signals report (May 6) now consumes 3.5x as much AI per worker as the typical firm, and 64% of the gap is depth, not seat count. The clock is the metric, and you can install it today without a vendor map.

Audit which lines in your business assume defender-speed pricing. Cyber insurance, vendor certification, disclosure windows, audit timelines, perimeter-security renewals. Every one of those was priced for a tempo that no longer exists. The IMF flagged AI cyber as systemic to bank funding this week. The conversation to have with each vendor before their renewal lands is one sentence: what does your price look like if the threat tempo holds. Ask before, not after.

Today's piece is also the most direct articulation we've published of what Outsider Labs is built for: the 90% in the middle that doesn't have time or capital for the lab-aligned services arms, and isn't a GitHub-resident hacker either. If installing a continuous-improvement clock for your team sounds like the right move and you're not sure where to start, that's the work we do.

Outsider Labs Advisory →

Sunday, May 10

1. The 90-day disclosure window died this week, and the receipts are in the layoff line. Himanshu Anand published "the 90-day disclosure policy is dead" on Saturday — the highest-scored piece in our research stack this weekend. Two deterministic Linux root exploits landed eight days apart, the second deliberately built on the first. Cloudflare cut 1,100 jobs on Tuesday under its own stated macro rationale. The IMF flagged AI cyber as systemic to bank funding the same week. Causation isn't settled; correlation is. (Full analysis below.)

2. AlphaEvolve doubled Klarna's transformer training speed — in production, on a named customer. Google DeepMind's evolutionary coding agent wrote the algorithms that schedule Klarna's training runs. Not a benchmark. A live $18B fintech with measured deltas. The recursive AI-improving-AI thesis is no longer a Yudkowsky essay; it's a Klarna line item. Pair it with Airbnb's 60% AI-written code disclosure and Boris Cherny's claim that Claude Code writes ~80% of itself. (Full analysis below.)

3. Sean Frank named the two company shapes that are working, and there's no hybrid. Ridge Wallet CEO on X (May 7): two team styles crushing it right now — the 996 in-person small team, or fully remote AI-pilled experts working autonomously. No middle. No hybrid. That's the cleanest framing of what every Signal/Noise piece we wrote in May has been circling. The 90% in the middle is the trade. (Full analysis below.)

4. Meta spent another $10B on capex this week to become the Android of humanoid robots. Meta acquired Assured Robot Intelligence and raised 2026 capex to $125-145B. The strategy is the platform play — own the AI OS layer, license to whoever builds the hardware. Qualcomm's CEO confirmed in the same week that "pretty much all" the major labs are working with them on secret AI devices. The smartphone replacement is no longer hypothetical; it's a hardware roadmap with three platform companies and zero shipped products.

5. Fermi Inc. — the "nuclear power for AI" datacenter pitch — fired its CEO with zero signed clients and the stock down 84%. Co-founded by former Texas governor Rick Perry, took a $19B market cap to its October IPO on the promise of 17 GW of co-located AI compute. Months of negotiations, no client. CFO walked. Co-founder suing the board. The canary for the data-center hype-vs-reality gap is now in the cage and not singing.

The Three Clocks, And The Companies That Don't Have One

Two deterministic Linux root exploits, eight days apart, the second deliberately engineered on top of the first by a researcher using the same LLM tooling that surfaced the first. Himanshu Anand named what every working CISO already knew: the 90-day disclosure window the industry built in the 2010s assumed bug-finding was rare and exploit development was slow. Both are now zero. The entire procurement architecture of the defensive layer — disclosure cycles, patch windows, cyber-insurance pricing, CISO headcount, change-management timelines — was priced for a tempo that no longer exists. The public market got the memo on Tuesday: Cloudflare down roughly 29% on the cycle, 1,100 jobs cut on Wednesday. Cloudflare itself names macro discipline as the proximate cause. The correlation is striking enough that a CIO and a portfolio manager should both have it on a watchlist.

That is one of three clocks running underneath this week's news cycle, and the attackers' clock is just the easiest to notice.

The lab clock is the second. Google DeepMind's AlphaEvolve, in production at Klarna, doubled the company's transformer training speed using AI to write the algorithms that schedule it. Not a benchmark — a marquee enterprise customer running on the production line. Anthropic published Teaching Claude Why, the alignment intervention that took agentic blackmail from 96% in Opus 4 to zero in Haiku 4.5 by teaching the model the principle, not the demonstration. Dreams gives agents an overnight self-review pass that compounds into a memory specific to your company. Three Vector-1 datapoints in one week, each one ratcheting the lab clock forward.

The third clock is the one most operators don't have. Sean Frank on X this past Wednesday: two company shapes are working in 2026 — the in-person 996 monastery or the AI-pilled fully remote — and there is no hybrid. OpenAI's B2B Signals report says the 95th-percentile firm now consumes 3.5x as much AI per worker as the typical firm, and 64% of that gap is depth, not seat count. Last year the same gap was 2x. By 2028, on the trailing data, it's roughly 10x. That is what an exponential gap underneath a stable-looking news cycle actually looks like.

Three clocks, three tempos, one news cycle. Two of them are getting faster every week because the actors running them have figured out how to use AI to improve their AI. The third clock is the operator's, and most operators don't have one — they have an annual plan with an "AI initiative" tab that opens a SharePoint nobody owns. The gap between the clocks and the no-clocks is the entire story of AI in May 2026.

Two ways to think about what happens to the no-clocks. Acemoglu's paper this month in the Quarterly Journal of Economics — automation from 1980 to 2016 explained 52% of U.S. income inequality growth, and 60-90% of automation's potential productivity gain was burned targeting the wage premium rather than augmenting it. That is the historical pattern, and DeepL is the present-tense version: an AI translation company commoditized by the labs underneath it, firing 25% of its staff last week. The wage premium walks first. The CFO smiles. The clock keeps running.

Phil Connors didn't escape Punxsutawney by getting smarter at one thing. He escaped by getting better at everything, every day, for as many February 2nds as it took. The good news for the 90% in May 2026 is that the loop runs at machine speed and you don't need thirty years. The bad news is that exponentials cut both ways, and the calendar is not a strategy.

At COAI today: The full Signal/Noise on the three clocks and what the 90% in the middle should do this week is at getcoai.com.

— Harry and Anthony

Sources: