Plutonic Rainbows

Anthropic's dynamic workflows let Claude Code write a script that fans a task out to dozens or hundreds of subagents, then runs it in the background while your session stays free. Turn on ultracode with /effort ultracode and Claude stops waiting for you to ask. It plans a workflow for every substantial task, often several in a row: one to understand the code, one to make the change, one to verify it. This is the most powerful mode the tool has, and the one most likely to flatter you into believing scale is the same thing as progress.

The pricing is honest if you actually read it. Each subagent burns its own tokens, so a hundred agents working a hundred files costs roughly a hundred times what one agent on one file does. Ultracode compounds that by turning a single request into a chain of workflows. Anthropic caps a run at 1,000 agents with 16 running at once, which stops a runaway loop while doing nothing about the cost of a run you fully meant to launch.

The orchestration is real engineering. The plan lives in a JavaScript script the runtime executes on its own, away from the conversation, so intermediate results stay in variables instead of clogging Claude's context. Agents editing files in parallel can each be handed their own git worktree, a private copy of the repo, so two of them never write over the same line. Nothing improvises; the script decides what runs next.

That is the gap the caps don't cover: they protect you from accidents, not from intent. The machinery guarantees the agents won't collide, but it has nothing to say about whether you needed a hundred of them. A weak plan doesn't get better when you run it in parallel; it just gets more expensive to be wrong.

Anthropic has decided the safest place for its most restricted model is not a vault. It is a larger, supervised room full of people who run things that break badly. On Tuesday, the company said Project Glasswing will expand from roughly 50 early partners to about 150 additional organisations in more than 15 countries, with Claude Mythos Preview pointed at code that sits under power, water, healthcare, communications, and hardware.

That sounds like a rollout, but the word is too clean. This is a controlled spread of capability that Anthropic itself treats as dangerous enough to gate. Each new organisation has to meet its security requirements before access. The point is not that Mythos can write better incident reports or draft friendlier Jira tickets. The point is that it can find vulnerabilities at a scale human teams can't comfortably absorb.

The numbers have the unpleasant brightness of a successful stress test. Anthropic says the initial partners have found more than 10,000 high- or critical-severity flaws since the early April launch. In a separate open-source scan, the company reported 23,019 potential vulnerabilities, with 6,202 estimated as high or critical. Of 1,752 high- or critical-rated findings that were independently reviewed, 90.6 percent were true positives.

That is impressive, obviously, and also a workload generator with a safety label on it. CyberScoop quoted Anthropic's own description of the new bottleneck: the "human capacity to triage, report, and design and deploy patches." I don't think that is a footnote. It is the story. Security has spent years saying that defenders are outnumbered by attackers, by legacy systems, by badly maintained dependencies, by the sheer amount of code that modern life has made ordinary. Now a lab has built a machine that can make the backlog visible faster than the institutions can fix it.

There is a strange moral inversion here. If a powerful vulnerability-finding model stays inside the lab, the defenders remain underpowered. If it leaves, even under a vetted programme, the circle of people who can operate it gets larger. I wrote in April about the earlier Glasswing fight, when the politics around Mythos looked like a contest between private access, national-security anxiety, and a government that wanted the tool close while worrying about everyone else using it. Today's announcement doesn't dissolve that tension. It formalises it.

The partner list is also doing political work. Anthropic's launch page named AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks among the launch partners, with up to $100 million in Mythos Preview usage credits and $4 million in donations to open-source security groups. SecurityWeek, citing the Financial Times, says the new wave includes organisations such as Okta, Samsung, ENISA, and NATO. Dark Reading reported on ENISA's likely access a day earlier, framing it as the result of cooperation between the European Commission and Anthropic. Put less politely: this is becoming infrastructure policy by customer list.

That may be the only practical route. Nobody wants the model handed around casually. Nobody serious wants critical software maintainers to keep finding flaws at human speed if attackers are going to get similar tools. So the answer becomes a club: enough members to matter, few enough to audit, with security requirements standing in for public law.

The awkward timing is that Anthropic is also trying to become legible to public markets. Yesterday's confidential S-1 filing made the company look less like a private research lab and more like a systemically important vendor preparing for quarterly scrutiny. Glasswing makes the same argument in operational form. If Claude is now part of how governments, banks, cloud providers, and infrastructure operators think about software risk, then the old category of "AI company" starts to feel too small.

I don't have a neat objection to the expansion. The alternative is not purity. It is slower discovery, quieter defects, and the hope that adversaries remain less capable than the people patching the pipes. Hope is a poor patching strategy. Still, this is a hard thing to watch without noticing how much authority is moving into private coordination: who gets access, which vulnerabilities get prioritised, whose infrastructure counts as globally important, and how quickly the rest of us hear about the bugs already found.

Prada's Spring 1996 show looks almost deliberately difficult in archive photographs: avocado greens, muddy browns, awkward sandals, prints with the suburban cheer drained out of them. It doesn't have the instant legibility of Versace sex or Chanel's logo theatre. Even the title, Banal Eccentricity, sounds like a private joke told by someone who expects you to work a little.

That was part of the force. Prada's own archive lists the show as SS 1996 womenswear, with the runway broken into exits like evidence. Vogue dates the collection to 1 October 1995 and describes the palette around avocado greens, sludge browns, mixed clashing prints, and sandals that seemed to resist prettiness on principle. I like that phrase, resist prettiness, although it risks making the clothes sound pious. They weren't pious. They were odd, dry, and sometimes funny.

Miuccia Prada had already made luxury behave strangely. She took over the family company in 1978, and the nylon backpack of 1984 had done something quietly rude to the old leather-goods hierarchy. Nylon was not supposed to be the material of desire. It was supposed to carry gym shoes, rain, airport irritation. By the mid-90s, that same intelligence had moved onto the body: ordinary fabrics, sour colours, deconstructed shapes, the kind of domestic pattern that looked as if it had escaped from a kitchen curtain and found itself in Milan.

AnOther's account of mid-90s Prada gets the shock of it right. The show has become folklore as the moment avocado, ochre, chartreuse, turquoise, lilac, and brown turned from bad taste into a proposition. Kristen McMenamy opened; Amber Valletta, Kate Moss, Shalom Harlow, Kirsty Hume, and Carolyn Murphy followed. Marcos Valle's "Rio Boogie" played underneath, which is a detail I enjoy because it gives the whole thing a lightness the clothes sometimes refuse. There was music, movement, models with faces fashion already knew, and still the collection would not do the expected glossy thing.

The easy reading is that Prada made ugliness chic. True enough, but too neat. Ugly chic was not just a reversal, as if she had taken an ugly object and stamped beauty on it. The better trick was making taste feel unstable. A brown could be ugly in one room and exact in another. A Mary Jane could read schoolgirl, dowdy, perverse, clever, or all four by the time it reached the end of the runway. The collection didn't ask to be liked. It made liking look like the least interesting response.

nss magazine's history of ugly chic notes the 1950s patterns, Mary Janes, dreadful purples with avocado greens, and muddy browns, and also repeats the strange show-day detail of a bomb scare at Prada headquarters. That almost sounds too symbolic, the literal threat arriving before the aesthetic one, but fashion history is full of these impolite coincidences. Editors still went. The show mattered enough to risk being late, or frightened, or both.

Alexander Fury later called Miuccia Prada the master of "ugly", arguing that she makes the undesirable desirable. That is close, though I think the verb "desirable" smooths the texture too much. Desire is part of it, yes. So is embarrassment. So is the tiny social panic of noticing that the thing you dismissed as wrong has started to organise the room.

What survives from Spring 1996 is not merely a colour story or a shoe shape. It is a permission slip for fashion to mistrust its own good manners. The collection made taste look less like an instinct than a learned reflex, and once you see that, the whole polished surface gets less convincing. A bad green starts doing philosophy. A clunky sandal becomes an argument with the mirror.

The television rental shop was one of those places where the future arrived with a payment book. Not the bright future, exactly. A heavier one, with a service counter, a van round the back, and a showroom window full of sets that looked less like furniture than weather systems. You didn't buy the future. You agreed to have it in the house for another month.

Radio Rentals began in Brighton in 1930, renting radio sets before the company grew into television and video recorders. By the colour-TV years, chains such as Radio Rentals, DER, Rediffusion, Granada, Visionhire and Martin Dawes had become ordinary names on the British high street. A Historic UK account of the colour-TV rental boom puts the appeal bluntly: sets were expensive, valve and cathode-ray-tube technology could be temperamental, and monthly rental made the machine feel possible. If it failed, somebody came out.

That last part matters. Renting a television was not just a credit arrangement, although it was certainly that. It was a relationship with an infrastructure of maintenance. The shop window promised novelty, but the real product was continuity: the engineer, the replacement set, the sense that this big humming box in the corner belonged partly to a company whose sticker was still on the back. Domestic technology had not yet become disposable enough to pretend it was weightless.

The figures are slightly absurd now. Radio Rentals claimed more than two million customers, 500 shops, and more than 6,000 technicians and skilled installers. That is not a niche. That is a parallel utility system, threaded through sitting rooms and shopping precincts, doing for entertainment what the gas board did for heat. A television came with a man in a branded van, which is a sentence that already feels older than the object it describes.

There is a useful little ache in that model. The rented set made modernity feel conditional. You could watch the same coronations, Cup Finals, sitcoms, news disasters and Saturday night light entertainment as everyone else, but the apparatus was on loan. The image belonged to the nation; the box belonged to Thorn, Granada, Visionhire, whoever had the paperwork. It was mass culture with a standing order attached.

The end came with the usual mixture of consolidation and cheapness. Radio Rentals was acquired by Thorn in 1968; Granada's rental line grew out of Robinson Rentals, incorporated in 1954 and renamed around 1969. By 2000, the Radio Rentals and Granada names had been folded into Boxclever, and a retrospective account of the lost TV rental shop records the bricks-and-mortar side ending in 2003. Boxclever still exists online, its own company history describing an amalgam of Radio Rentals, Visionhire, Rediffusion, DVR and DER. The ghost survives, but without the shop window.

I like the vanished shop more than I probably should. Not because renting was romantic. It could be expensive, paternalistic, and mildly humiliating in the way all household credit can be humiliating. However, it left behind a clear shape of dependency. You knew the machine had a chain of responsibility behind it. Somebody carried it in. Somebody could take it away.

Flat screens killed that theatre. So did supermarkets, online finance, consumer credit, landfill thinking, the whole clean nonsense of frictionless ownership. The old rental shop asked you to walk into town and negotiate with modernity over a counter. It made the future local, brown-carpeted, slightly warm from the backs of twenty display sets. Somewhere in that warmth was a truth we now hide inside checkout buttons.

Anthropic has moved from private-market rumour to SEC machinery. On Monday, the company said it had confidentially submitted a draft Form S-1 for a proposed IPO of common stock. The offering has no share count yet, no price, and no public prospectus. It is still conditional on SEC review, market conditions, and the usual list of factors that mean, in plainer English, this can be paused if the weather turns.

However, the signal is not cautious. Anthropic has put its hand on the door first. CNBC reports that OpenAI is preparing its own confidential filing, while Axios frames the year as a race between SpaceX, Anthropic, and OpenAI for public-market attention at trillion-dollar scale. That sounds absurd until you look at the numbers Anthropic is already asking investors to swallow.

Last week the company announced a $65 billion Series H at a $965 billion post-money valuation, led by Altimeter Capital, Dragoneer, Greenoaks, and Sequoia Capital. Its own Series H note says run-rate revenue crossed $47 billion earlier in May. In February, according to the Guardian's summary of the funding history, Anthropic was valued at $380 billion. The market has not so much repriced the company as yanked it through a trapdoor into another category.

I wrote in April about Anthropic moving past OpenAI in the private valuation story. At the time, the IPO talk sounded aggressive because the company was still being priced in whispers, board meetings, and preemptive term sheets. Now the sequence is visible: raise at almost a trillion, file confidentially, let the public S-1 follow if the regulator's comments and the market both behave. The filing does not guarantee a float, but it changes the tempo.

The public S-1, if Anthropic proceeds, is where the romance gets audited. Axios makes the useful procedural point: a public filing would include financial data, risk factors, and the details that private-market storytelling can blur. Revenue run rate is one thing. Gross margin, compute obligations, customer concentration, stock-based compensation, related-party cloud deals, and the real cost of serving Claude Code are another. A frontier lab can be a religion in private. In public markets it becomes a spreadsheet with a risk section.

This is why the timing matters more than the ceremonial language around going public. Anthropic has spent the spring making itself legible to capital. The company raised at a near-trillion valuation, talked about compute expansion and product partnerships, and kept pushing the enterprise story that makes Claude look less like a chatbot and more like operating infrastructure. Its Wall Street embedding strategy already pointed this way. The model was not merely a product; it was a reason for banks, private equity firms, and portfolio companies to reorganise how work gets done.

Public investors will be less patient with mythology than late-stage private money, at least in theory. They will want to know whether $47 billion of run-rate revenue can hold its shape when discounts, compute costs, and implementation work are all counted honestly. They will also want to know how much of the AI boom is now a queue for the same finite capital. NPR quoted Wedbush calling the moment an opening of the IPO floodgates. Floodgates are a good image, but queues may be better. SpaceX, Anthropic, and OpenAI cannot all be the single impossible listing that defines the year.

The funny part is that confidential filing is meant to reduce drama. It gives the company a private conversation with the SEC before the theatre begins. In this case the privacy is almost beside the point. Anthropic has told everyone where it wants to go, and now the rest of the market has to decide whether a frontier-model lab is a software company, an infrastructure company, a consultancy, a defence-adjacent contractor, or some expensive composite of all four.

Maybe the S-1 will make that cleaner. More likely it will make the argument more interesting.

The awkward thing about an export-control loophole is that it is rarely a hole in the law shaped like a cartoon tunnel. It is usually a place where paperwork, geography, corporate structure, and enforcement patience fail to line up. A chip does not have to travel to Shenzhen to end up in a Chinese AI system. It can go to a subsidiary, a cloud tenant, a reseller, a lab in a friendlier jurisdiction, and still do the same work.

That is why the Commerce Department's weekend guidance matters. CNBC reported that the department moved on 31 May to enforce licence requirements for the most advanced AI chips when the entity is headquartered in China, even if the buyer is physically outside China. The article names Nvidia's Rubin and Blackwell processors and AMD's MI350x as the kind of hardware at stake. The important phrase is not "outside China". It is "headquartered in China", because Washington is trying to make ownership and control matter as much as delivery address.

This is also an admission that the old map was too simple. Last year the Commerce Department said it would not enforce the AI Diffusion rule, which had tried to govern global access to AI chips. According to CNBC, that left a year-long opening in which subsidiaries of Chinese AI firms in places such as Malaysia could potentially buy chips that the broader policy was supposed to keep away from China. Chris McGuire, a former State Department official, told CNBC that overseas subsidiaries could buy Blackwell chips without a licence under the previous posture.

I wrote recently about how Huawei silicon was setting a new floor for Chinese AI pricing. This is the same story from the other side of the table. If Chinese labs can get enough restricted Nvidia or AMD compute through offshore entities, the domestic substitution pressure weakens. If they cannot, Huawei, Cambricon, Moore Threads, and the rest of the local stack become less like patriotic alternatives and more like necessity.

The South China Morning Post's broader account of China's chip redesign makes that pressure visible. The fight is no longer just to build a single Nvidia replacement, but to create a domestic ecosystem that can support leading models reliably. That means GPUs where possible, ASICs where useful, and a lot of unglamorous software work around compilers, interconnects, memory, and serving. Export controls don't create that ecosystem by themselves. They do, however, make the unpleasant engineering trade-offs feel less optional.

Nvidia had a different kind of news cycle running at the same time. The BBC reported from Computex that Jensen Huang announced RTX Spark, a PC chip for personal AI agents, with Windows machines due in the autumn from Asus, Dell, HP, Lenovo, Microsoft Surface, and MSI. Huang called the reinvention of the PC as big as the smartphone shift. That line is keynote-ready, maybe too neat, but the contrast is useful. On one stage Nvidia is selling the future as a domestic appliance: a personal machine that moves from tool to teammate. In Washington, the same company's highest-end silicon is being treated as a strategic material whose customer list has to be read through corporate control.

Those two versions of AI hardware now live together. Consumer abundance at the front of the shop, geopolitical rationing behind the counter. The border between them keeps moving, because every restriction creates a new routing problem and every routing problem creates a new rule. The chip is still just a chip, until someone asks who really owns the company buying it.

The children got the best seats, which is still the cleanest way to understand Martin Margiela's Spring/Summer 1990 show. Not the clothes first, not the myth of the invisible designer, not the later museum language around deconstruction. Start with the seating. Local children in a Paris playground, watching fashion people arrive somewhere that had not been arranged for them.

The show was for the third collection of a house that was still barely formed. Palais Galliera describes the setting as a derelict Parisian wasteland, with models walking among neighbourhood children in raw hems, deconstructed garments, and repurposed items turned into clothes or accessories. A later runway account places it in the 20th arrondissement, in a North African neighbourhood playground, with an uneven dirt-and-rock surface instead of the ceremonial strip of carpet the industry knew how to read.

That surface matters. A polished runway teaches everyone where to look and who matters. Editors sit where their authority can be photographed. Buyers are placed according to rank. The designer appears at the end, usually for the small ritual of applause and confirmation. Margiela pulled at all of that without giving a speech about it. Put the audience on rough ground, let the children sit where the front row should be, and the hierarchy starts looking less natural than it did ten minutes earlier.

I wrote recently about the Tabi boot, and the playground feels like the next move in the same argument. The boot made authorship visible from the ground up. The playground made the fashion system visible by refusing to build its usual room around it. Both gestures were theatrical, of course. Anti-spectacle is still a kind of spectacle when people have come to watch. However, the difference is that Margiela's theatre kept pushing attention away from polish and back toward circumstance.

The clothes did not become secondary, exactly. They became less obedient. Fifty-nine looks, according to the runway account, moved through a place that would not flatter them automatically. Raw hems and reused fabric can look precious inside a gallery-white fashion space, where every fray reads as a curatorial decision. On dirt, near children, with the show partly slipping out of control, they looked closer to an actual proposition about use, damage, and the social life of clothes.

There is a danger in making this too saintly. Fashion loves a rebellion once it has aged into archive material. The same gesture that first unsettled the room can become a handsome wall text later. Palais Galliera now has the language to hold it: deconstructed garments, challenged fashion aesthetics, visible construction. Vogue, writing about the Galliera exhibition, places his disused car parks, abandoned metro stations, and derelict supermarkets inside the long story of designers taking audiences out of their comfort zones.

All true, but the playground still resists being tidied away. What I like about it is the logistical awkwardness. The dust. The children not behaving like trained extras. The fact that fashion people had to stand around in a place that belonged to someone else. There is more actual critique in that than in most manifestos, because it changes the body before it changes the argument. You can't believe in the sanctity of your assigned seat if there isn't one.

Margiela's best early work often has that quality: a simple displacement that does more damage than a grand refusal. Take away the label. Refuse the usual designer performance. Show the clothes where the audience has to negotiate the ground. After a while the system starts revealing how many of its customs were only customs. A front row is not a law of nature. It is furniture with an ideology.

The old bus ticket was a tiny act of geography. Not the romantic kind, no contour lines or folded sheets spread across a cafe table, just a thin strip of paper with a fare, a date, sometimes a stage number, and the faint authority of something a conductor had made in front of you while the bus moved.

A Setright machine looked too heavy for such a small output. It sat against the body on a strap, all dials, levers, counters, and crank, a portable accounting office for a public vehicle. The conductor selected the fare, turned the handle once, and the machine printed a receipt from a blank roll. Inside, mechanical counters kept the money total and the number of tickets issued. No battery. No network. One hand, one fare, one small proof that the journey had entered the books.

This is not just nostalgia for paper. Paper was often inconvenient and occasionally absurd. It got damp. It hid in coat pockets. It collected in handfuls at the bottom of school bags and handbags, each one too official to throw away immediately and too trivial to keep. However, the printed bus ticket belonged to a system in which travel still had to be declared locally. You did not simply tap into a metropolitan abstraction called mobility. You told someone where you were going.

The TIM machines used in the Tees Valley from the late 1940s make the point beautifully. The museum description has the conductor dialling a price, turning a handle, and producing a ticket that showed boarding stage, price paid, and date. That stage number matters. It tied the fare to a sequence of places: not just distance, but a route understood as named segments, stops, boundaries, little civic units of movement.

London had its own machine culture. Transport for London's archive guide notes that Bell Punch and TIM machines were replaced by Gibson machines between 1952 and 1958, while Setrights were used on Green Line coaches where a larger range of fares was required. The archive names the dull, lovely paperwork around the machines too: conductor instructions, garage procedures, emergency tickets, staff instructions for Gibson, TIM, Almex, Setright, and Ultimate designs. Ticketing was not a mere transaction. It was a discipline with manuals.

I wrote about rural bus shelters that survive after the service has gone, and the ticket machine feels like the smaller companion object. The shelter is the fixed trace, concrete at the edge of a road. The ticket is the moving trace, carried away in a pocket, creased between fingers, then lost. Both belong to a version of public transport that made its promises visible. A roof here. A fare stage there. A printed timetable behind perspex. A conductor with a bag and a machine that clicked.

What changed with driver-only operation, smartcards, and contactless payment was not only convenience. Convenience is real, and I use it without moral drama. A modern ticket machine can store hundreds of routes, track the bus for an app, accept cards, and send messages to drivers. That is genuinely useful. It also dissolves the encounter. The fare becomes a backend event, settled somewhere between a reader, a bank, a transport account, and a data system that knows far more about the journey than the old paper strip ever did.

The Setright did not know much. That was part of its dignity. It knew the fare it had printed, the count it had advanced, the date the conductor had set. It made no behavioural profile and predicted no demand. It did not care whether the same passenger travelled at 8:12 every morning or only on wet Thursdays. Its knowledge was narrow, physical, and accountable in the old literal sense: read the counter, fill in the waybill, pay in the takings.

There is a sound I associate with this whole vanished arrangement, though I cannot swear the memory is clean. The snap of the ticket, the bag shifting against a hip, coins moving somewhere close by, the crank giving its little mechanical answer. A bus was never quiet, so the machine had to join the noise rather than dominate it. It was just another rhythm inside the vehicle.

Now the proof of the journey is mostly elsewhere. On a card statement, in an app, in a database, as a line item only the system really sees. The old ticket was less efficient and less clever, but it let the journey leave a mark small enough to lose and specific enough to remember.

Palo Alto Networks buying Portkey is not the loudest AI story of the weekend, partly because gateways don't demo well. Nobody queues up a keynote clip to watch routing policy, observability, identity, and caching do their work. However, the dullness is the point. Once agents leave the lab and start touching live systems, the interesting question shifts from intelligence to permission.

The deal closed on 29 May, after Palo Alto had announced its intention to buy Portkey at the end of April. In the closing release, Palo Alto describes Portkey's AI Gateway as the core gateway for Prisma AIRS, giving companies a control plane to monitor, orchestrate, and govern autonomous agents at scale. That phrase, control plane, is doing a lot of work. It admits that the agent is no longer just a chat window with better manners. It is becoming a small operator inside the enterprise, passing between models, tools, data stores, and other agents.

I don't think this is mainly a cybersecurity bolt-on story. It is closer to plumbing becoming politics. If an agent can call three APIs, use an internal tool, choose between model providers, and keep working after the employee has gone to lunch, then the gateway becomes the place where the organisation decides what kind of autonomy it can tolerate. Who can an agent speak to? Which model is allowed for a sensitive task? What gets logged? When does a shortcut become an incident?

Portkey's appeal is that it sits in the traffic. Palo Alto's product post says the gateway will offer a unified API to LLMs, an agent registry, semantic routing, caching, and access to more than 3,000 LLMs, MCP servers, and agents. Those are vendor details, but they sketch the same larger movement I wrote about in oversight: the safety argument is moving upstream. Instead of waiting for a bad output or a compromised workflow, the platform wants to shape the route before the agent acts.

There is a faintly comic historical rhythm here. We spent two years talking as if the important boundary was the model itself: which lab had the newest frontier system, which benchmark moved, which chatbot sounded most like an expensive consultant after three coffees. Now the enterprise problem is turning into something older and less glamorous. Gateways. Registries. Logs. Identity. The stuff that makes a network legible to the people who own the risk.

The April acquisition announcement said Portkey processes trillions of tokens per month. That number is useful less as a boast than as a weather report. It says there is already enough model traffic passing through these layers for security companies to treat them as infrastructure, not experimental middleware. Agents don't need to become conscious, charming, or even especially clever for this market to matter. They only need to become common enough that bad routing and weak permissions start producing expensive ordinary failures.

This is where I get less excited and more attentive. Agent security sounds like a niche until the agent is the one reconciling invoices, opening tickets, querying customer records, or deciding which software patch deserves a human page at 2 a.m. The old security perimeter was already half imaginary. Agentic systems make it feel theatrical. The boundary is no longer just where the network begins. It is wherever a model is allowed to turn a sentence into an action.