YPO Technology Network AI Brief

You Don't Know What AI You're Running

9 min
Jul 10, 20268 days ago
Listen to Episode
Summary

Stephen Forte examines three critical AI governance failures this week: Microsoft silently replacing OpenAI/Anthropic models with cheaper in-house alternatives, a security flaw allowing AI tools to misrepresent their actions, and hidden telemetry in vendor code. The episode argues this creates accountability gaps where business leaders are legally responsible for AI outputs they cannot fully see or control.

Insights
  • AI model substitution is happening silently at scale due to dramatic price compression, creating quality control blind spots for regulated industries
  • Vendor-provided safety controls (approval prompts, permission boxes) are unreliable and should not be treated as independent verification mechanisms
  • AI governance is fundamentally a business and legal accountability problem, not an IT security issue, requiring executive ownership and contractual controls
  • The accountability-visibility gap is widening: executives sign for AI outputs but lack contractual rights to know which model, version, or vendor code is running
  • Cost arbitrage between frontier models and open-source alternatives is creating irresistible pressure for vendors to substitute cheaper models without disclosure
Trends
Silent model substitution becoming standard practice as pricing pressure increases across AI platformsShift from vendor-controlled safety mechanisms to independent logging and verification requirementsAI governance moving from IT/security domain to executive and legal accountability structuresChinese open-source models capturing significant market share at 60-90% cost reduction versus frontier labsEmergence of hidden telemetry and tracking in AI tools as vendors optimize for cost and compliance monitoringGrowing need for AI stack transparency and model provenance tracking in regulated industriesContractual frameworks lagging behind technical capabilities and vendor practicesIndependent security research (like Wiz's Ghost Approval finding) becoming critical for AI tool validation
Companies
Microsoft
Silently replacing OpenAI and Anthropic models with in-house MAI models in Excel, Outlook, GitHub Copilot, and Teams ...
OpenAI
Released GPT 5.6 at half the price of previous version; primary model supplier being replaced by Microsoft with cheap...
Anthropic
Claude Code tool contains Ghost Approval security flaw; runs hidden telemetry; rejected responsibility for safety con...
Meta
Pushed out AI releases this week as part of broader industry capability expansion and price competition
Amazon
Cursor AI coding assistant contains Ghost Approval vulnerability; patched the security flaw after Wiz disclosure
Google
AI tool contains Ghost Approval vulnerability allowing misrepresentation of file operations; patched after Wiz securi...
Wiz
Security firm discovered Ghost Approval flaw in six popular AI coding assistants, proving safety prompts can be spoofed
DeepSeek
Chinese open-source model handling 46% of AI usage through major routing services at 60-90% lower cost than frontier ...
People
Stephen Forte
Host analyzing AI governance risks and providing contract recommendations for business leaders
Mustafa Suleiman
Stated Microsoft's goal to reduce and eliminate costs paid to Anthropic by substituting in-house models
Quotes
"We pay a lot of money to Anthropics, so our goal is to reduce and ultimately eliminate that cost."
Mustafa Suleiman, Microsoft AI Chief~3:30
"You may be paying for a top-shelf model and getting the well pour in the same branded glass with no note on the receipt."
Stephen Forte~4:45
"The safety button was not a safety button, and nobody clicking it knew."
Stephen Forte~5:45
"This is a governance problem wearing a technical costume."
Stephen Forte~6:30
"You do not get to choose ignorance here. You signed for the output."
Stephen Forte~7:50
Full Transcript
Welcome to the AI Brief from the YPO Technology Network. I'm Stephen Forte. Some weeks the AI news arrives as a fireworks show, and this was one of them. Here's what I will give you in the next eight minutes. Why the most important AI story of the week was the one nobody announced, the security finding that means the safety button in your AI tools may be lying to you, and the three sentences I would add to every AI contract you sign before the year is out. Start with the fireworks so we can set them down. This week, OpenAI shipped GPT 5.6, its newest and by some measures most capable model, at roughly half the price of the version before it. It launched new voice models that listen and talk at the same time. Microsoft, Meta, and others pushed out their own releases. If you only read the headlines, the story of the week was abundance. More capability, lower prices, something new every morning. Here is the lens for today, and it runs underneath all of that. The AI inside your business has quietly become a black box, one that gets swapped out from under you, misrepresents what it is actually doing, and occasionally runs behavior you never agreed to. And here is the part that makes it your problem and not your IT departments. You are still accountable for every output that black box produces. You sign the contract, you answer to the regulator, the customer, the board, but you are increasingly not allowed to read the label on the thing you are being held responsible for. Three separate stories this week proved the point and none of them made the front page. Start with the swap because it is the most quietly consequential. Microsoft has begun replacing OpenAI and Anthropic, the two labs whose models power most of what you think of as cutting-edge AI, with its own in-house models called MAI, Inside Excel and Outlook. Tens of thousands of AI requests a week in those two products now run on Microsoft's own models instead of the ones customers assume they are getting. Microsoft's AI chief, Mustafa Suleiman, said the quiet part directly into a microphone. We pay a lot of money to Anthropics, so our goal is to reduce and ultimately eliminate that cost. The same substitution is already live inside GitHub Copilot the AI coding tool and an in transcription model is headed for Teams Now why would Microsoft do this and why now Because the price of being a customer of the Frontier Labs collapsed this quarter which gives every platform a reason to quietly pour a cheaper model into the same glass. That GPT 5.6 I mentioned came in at half the price of its predecessor. And Chinese open models, the free-to-download ones like DeepSeek, now handle as much as 46% of the AI usage that U.S. companies run through the big routing services at 60 to 90% less cost than Anthropic or OpenAI. When the substitute is that much cheaper, the temptation to substitute silently is overwhelming. Here's my read. You may be paying for a top-shelf model and getting the well pour in the same branded glass with no note on the receipt. For a marketing email, fine. For the model interpreting a contract clause, pricing a loan, or drafting a clinical summary, the specific model matters enormously. And right now, most buyers cannot tell you which one answered. That is not a pricing footnote. That is a quality control hole in a process you are legally responsible for. Now, the second story, which is worse because it is not about which model runs. It is about the model lying to you about what it is doing. The security firm Wiz, the kind of firm whose entire job is finding holes other people miss, published a flaw it named Ghost Approval. It sits in six of the most popular AI coding assistants, including Amazon's cursor, Google's, and Anthropics, Claude Code. Here is the mechanism in plain English. These tools ask permission before they touch a sensitive file. The little, are you sure you want to do this, box you click to feel safe, Wiz found that the box could be made to show you one harmless-looking file path, while the tool quietly wrote to a completely different one, up to and including the keys that unlock your servers. You approved a tidy local edit. The tool changed the locks on the building Sit with that The Are You Sure prompt the single control most teams rely on to keep an AI agent in bounds was displaying a summary page that did not match the signature page Amazon Cursor and Google have patched it. Two others are still working on fixes. Anthropic, to its credit or not depending on how you see it, rejected the report as outside what it considers its responsibility. Reasonable people can argue that one. But you cannot argue this. The safety button was not a safety button, and nobody clicking it knew. The third story is the quietest and, in a way, the most telling. An independent developer pulled apart Anthropics' clawed code and found a hidden tracker, a piece of code disguised as an ordinary date stamp that had for months been quietly flagging users in certain regions back to Anthropics' servers. The purpose was defensible, catching people who were reselling or copying the model against the rules. When it was found, Anthropic confirmed it, said it had been meaning to take it down and removed it. No detailed explanation followed. Give Anthropic genuine credit for confirming it rather than denying it, and the intent was legitimate. I mean that. But notice the shape of all three stories together because the pattern is the point. The model gets changed underneath you and you are not told. The tool shows you a control that does not control anything. And the vendor runs code you did not know about for reasons you find out only after someone reverse engineers it. In every case, the vendor probably had a sensible internal reason. And in every case, you, the person accountable for the outcome, were the last to know. You might be tempted to file this under technology risk and send it to your CISO, your chief information security officer. That is a mistake. This is a governance problem wearing a technical costume. When a bank cannot tell an examiner which model priced a loan, that is not an engineering ticket. When a hospital cannot prove which system drafted a note, that is not a patch. You are the one who signs the audit. You are increasingly not allowed to open the ledger. Let me make it concrete. Picture a regional insurer, the kind of business plenty of you run. Its underwriters lean on a Microsoft tool that everyone in the building calls the AI and this quarter unannounced a chunk of that work quietly shifted to a different model with different judgment Its developers ship code with an assistant whose are you sure box they trust completely And one of its vendors is running telemetry nobody in the building has ever seen. Nothing in that company broke this week, but it can no longer answer three questions a regulator is about to start asking. which model did this, can you prove what it did, and what is it sending home? Most of you are that insurer in one function or another. The only question is whether you have looked. So if I were sitting in your seat this quarter, I would add three sentences to every AI contract before renewal. First, a model transparency and change notification clause. The vendor tells you which model and version is serving you and tells you before they swap it. You would never let a supplier change a critical ingredient without notice. This is that. Second, stop treating the vendor's own screen as a control. Fund one independent logging layer that records what your AI tools actually did. Separate from what the tool says it did because ghost approval just proved the tool's own word is not evidence. Third, put one person in charge of answering what is actually running in our AI stack and what is it sending out? The same way you already track who processes your customer data, not a project, a named owner, and a living list. We have spent this week climbing the stack and the megawatts, the state, the money, the deployment gap. Today, we went inside the box itself and found we cannot fully see in. The models got cheaper and better this week, and that is real. But cheaper and better and invisible is a combination that puts the accountability on your desk and the visibility on someone else's. You do not get to choose ignorance here. You signed for the output. So make the right to see inside the thing a line in the contract because the AI did it has never once worked as a defense and it is not going to start with yours. That is the YPO Tech Network AI Brief for Friday, July 10th. I am Stephen Forte. If this was useful, send it to a fellow member. I will be back Monday with more. Until then, stay sharp. you