The Week in Open Source
Jack Dorsey’s AI stance, laptops as data centers, and the end of encrypted messages?
Jack Dorsey on the Sequoia Capital podcast last week: AI isn’t a productivity layer bolted onto your company; it’s an architectural rebuild. Block has capped layers between him and any IC at four, wants two or three by year end, and collapsed every role to three: IC, DRI, player coach. Block laid off 40% of its workforce earlier this year — roughly 4,000 people. Dorsey ties the cut to the rebuild. (Disclosure: I worked with Jack at Twitter on the consumer relaunch — New Twitter, Phoenix, I forget what we called it.)
I gave a talk on Conway’s Law a while back; what Dorsey is doing is the inverse. Conway said your system inherits the shape of your org; Dorsey is saying the org is the system now. Every Slack thread, PR, doc, meeting recording feeds a model of how the company works; anyone can query it instead of triangulating through managers. The org chart isn’t a constraint on the product. It is the product.
The engineering question: Can your company’s docs, code, messages, and tickets be read as one thing? Dorsey says Block is close on the data, still a research bet on the intelligence layer that sits on top. Most companies don’t even have the data yet. They just have it scattered across 40 tools that don’t talk to each other. The bottleneck is the wiring, not the AI. Cut 40% of your people without doing the plumbing and you didn’t rebuild your company. You shrank it.
Same week, opposite move. Salvatore Sanfilippo — a.k.a. antirez, who built Redis and ran it for 11 years — shipped ds4 on May 7: a small inference engine in C and Metal, targeted at exactly one model. On a 128GB MacBook Pro M3 Max, his 2-bit compressed weights give you DeepSeek V4 Flash — 284 billion parameters, 13 billion active, one-million-token context — at 26 tokens per second, on battery. A rack of H100s and 5kW of cooling, last quarter. Now, a laptop is doing what was a data center workload.
Compression is asymmetrical: routed experts get crushed to two bits; the shared layers every query touches stay precise. Working memory spills from RAM to SSD, which is how a one-million-token context fits on 128 GB. Output validated against the official DeepSeek implementation at multiple context sizes. Speaks the OpenAI/Anthropic protocol, so Claude Code, opencode, and Pi all point at the engine unmodified. Same five-layer pattern I flagged with Tencent’s translator last Friday: model + compression + runtime + data + open-source packaging.
Last quarter, swapping a closed-frontier coding API for an open model meant a meaningful capability drop. This quarter, one line of config and a comparable model runs on your laptop, on battery, on your data, no per-token bill. The honest comparison: ds4 is alpha. It will crash. It runs one model on one class of hardware. If your job depends on uptime, the closed APIs still win. If your job depends on knowing what runs on your hardware, the closed APIs cannot compete — because they cannot show you.
Ownership is extending from weights to watts. Ars this week on the pitch to host mini data centers at home. I have SPAN panels installed already.
Two more on my list to play with this week: OpenUI generates UI components from natural-language prompts — generative UI is genuinely cool right now. Anthropic added /goal to Claude Code: a “run until done” mode for autonomous coding sessions. Both running locally next week.
You can own the model and the metal. The pixels in between are the contested layer. Meredith Whittaker — president of Signal, the encrypted-messaging app — has been arguing for over a year that AI agents are an existential threat to encrypted messaging. The argument is structural, not rhetorical: any agent that books your concert ticket for you needs your browser, your calendar, your payment information, and your messaging app. End-to-end encryption is supposed to mean nobody but you and the person you’re texting can hear the conversation. An AI agent that reads your screen to summarize the conversation, draft your reply, or file the contact is in the room with you, taking notes. Whittaker frames it as breaking the “blood-brain barrier between the application layer and the OS layer.”
The architecture Whittaker spent a year warning us about is now a free download: ByteDance’s UI-TARS-desktop. 33.5K stars on GitHub, Apache 2.0 license. UI-TARS works like a person watching your screen over your shoulder, a constant stream of screenshots, fed into a vision-language model that drives your mouse and keyboard. No API permission negotiation. No accessibility tree. Raw pixels and a model that reads them. Anything a human can see on the screen, the agent can, too — which means every encrypted message visible on your screen is, by construction, in the upstream screenshot. Whittaker doesn’t have to imagine the threat model anymore. ByteDance shipped a reference implementation.
LangChain’s harness catalog still doesn’t name a real permission model. What the agent can see without asking. What requires confirmation. What is forbidden. What is auditable after the fact. Your browser has trained you for this already: When a website wants your camera, the browser asks which site, what for, how long, and lets you take it back. Your AI assistant does the same job — reading your screen, taking actions on your behalf — with no equivalent guardrails. Vercel’s OAuth integration breach a few weeks ago was the first major proof case for why the absence matters. That’s the gap Harbor takes a first run at: per-origin, scoped, revocable, auditable. If your AI assistant has root permission to read everything on your screen in 2026, your encryption story is whatever your vendor decides it is. That isn’t encryption. That’s optimism.
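The four questions above (what the agent may do without asking, what needs confirmation, what is forbidden, what is auditable) can be sketched as a default-deny broker. This is an added example, not code from Harbor, LangChain or any project named here; the class names, scope strings, `.example` origins and integer clock are all hypothetical.

```python
from dataclasses import dataclass, field
ALLOW, CONFIRM, DENY = "allow", "confirm", "deny"

@dataclass
class Grant:
    origin: str        # which app or site the grant covers (per-origin)
    scope: str         # one capability, e.g. "read_screen" (scoped)
    decision: str      # ALLOW silently, or CONFIRM with the user each time
    expires_at: float  # time-boxed, like a browser camera prompt
    revoked: bool = False

@dataclass
class PermissionBroker:
    forbidden: set = field(default_factory=set)   # (origin, scope) pairs no grant can unlock
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def grant(self, origin, scope, decision, expires_at):
        self.grants.append(Grant(origin, scope, decision, expires_at))

    def revoke(self, origin, scope):
        for g in self.grants:
            if (g.origin, g.scope) == (origin, scope):
                g.revoked = True

    def check(self, origin, scope, now):
        decision = DENY  # default-deny: no live grant means no access
        if (origin, scope) not in self.forbidden:
            for g in self.grants:
                if (g.origin, g.scope) == (origin, scope) and not g.revoked and now < g.expires_at:
                    decision = g.decision
                    break
        # Every request is recorded, including the denied ones.
        self.audit_log.append({"ts": now, "origin": origin, "scope": scope, "decision": decision})
        return decision

def demo():
    # Constructed sample policy; timestamps are seconds on a made-up clock.
    b = PermissionBroker(forbidden={("messenger.example", "read_screen")})
    b.grant("calendar.example", "read_screen", ALLOW, expires_at=3600)
    b.grant("tickets.example", "submit_payment", CONFIRM, expires_at=600)
    b.grant("messenger.example", "read_screen", ALLOW, expires_at=3600)  # loses to forbidden
    out = [b.check("calendar.example", "read_screen", now=10),
           b.check("tickets.example", "submit_payment", now=10),
           b.check("messenger.example", "read_screen", now=10),
           b.check("mail.example", "read_screen", now=10),         # never granted
           b.check("tickets.example", "submit_payment", now=700)]  # grant expired
    b.revoke("calendar.example", "read_screen")
    out.append(b.check("calendar.example", "read_screen", now=20))
    return out, b.audit_log
```

The forbidden set is checked before any grant, so a later, broader grant cannot quietly reopen the encrypted-messaging window to the agent.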
While the US debate stays at the loss-of-control framing, Beijing wrote the permission model LangChain didn’t. On May 8, China’s cyberspace, planning, and industry ministries jointly released Implementation Opinions on the Standardized Application and Innovative Development of Intelligent Agents — the first state-directed national framework to operationalize AI agents as a distinct governance category. Beijing is writing the traffic rules while the cars are on the highway. Washington is still debating whether what’s on the highway counts as cars.
The definitions are specific. An agent is “an intelligent system capable of autonomous perception, memory, decision-making, interaction, and execution.” Nineteen named application scenarios — research, industry, consumer, public welfare, governance — where agents are explicitly allowed to operate. The posture analysts call deploy first, govern along the way: compute quotas, credit ceilings, permission scopes, and shutdown switches naturally bound agent autonomy, and the right response is to integrate them into existing institutional structures rather than impose abstract restraint upfront.
There’s a strategic move underneath the philosophy. The framework ties agent infrastructure to the domestic stack (chips, OS, frameworks) and signals intent to participate in international standards for the protocols agents will use to talk to each other. You don’t have to agree with the framing to see what just happened. One major jurisdiction defined what an agent is, what it can be deployed for, and how it’s bounded. The others are still arguing about whether agents are a coherent regulatory object. If you’re shipping agents into a global market, the question of which framework you’re building against just stopped being hypothetical.
What the User Actually Sees
People underestimated what Google’s 10 blue links were. You couldn’t reconstruct PageRank, but you could feel it — two queries, two minutes, ten URLs each, and you saw who got ranked, who didn’t, what the snippets gave away. You audited the system by reading it.
One AI answer gives you none of that. The model picks, summarizes, drops the rest. You don’t see what it considered, what it suppressed, why it leans where it leans. Call this the one-link problem: the platform is hiding its incentives from you, and you have nothing left to audit them against.
A Princeton and UW paper from April 9 put numbers on it. Across 23 LLMs given a flight-booking task prompted to favor sponsored airlines, 18 recommended the more expensive sponsored option more than half the time — and the rate moved with the user’s apparent socio-economic status. Gemini 3 Pro recommended it 74% of the time to a user who was coded as high SES (neurosurgeons, lawyers, tech executives), and 27% to ones coded as low SES (fast-food workers, warehouse staff, single parents). When the user explicitly asked for a non-sponsored flight, every model still surfaced the sponsored one, with GPT 5.1 at 94%. Almost every model concealed that the recommendation was sponsored at all: 65% on average. When the sponsored service was a predatory payday loan, GPT 5.1 still recommended it 71% of the time.
One-shot answers are useful and laypeople will keep wanting them. For the people building these tools, surfacing your model’s incentives — what’s sponsored, what got down-ranked, what didn’t make the cut — looks like a transparency tax. It’s actually the only durable feature an AI tool has in 2026. For the people buying them, opacity feels like a moat. It’s commodity status with a disclosure problem.
The architectures that show their wiring are the ones you can own. The test for any AI tool you’re considering this week is the one the Princeton paper accidentally wrote: Ask it the same question with two different profiles. If the answer changes, you don’t have a recommendation. You have a price tag.



