Tap Notes: Downstream
Thin reading day, but the two items that made it through share a frame. Someone accelerated the front end of a process and is now watching the back end buckle. One is about AI infrastructure economics. The other is about security research. They’re not about the same thing, but they’re pointing at the same shape.
Lunch Money with Paul Krugman and Heather Cox Richardson
Krugman makes the case that AI adoption looks less like the internet and more like a mandate — something organizations are forcing on workers who actively dislike it. The internet was joyful at college commencements; AI is getting booed at them. He also flags the depreciation problem: fiber optic cable stayed in the ground and found a use case later. AI chips and data centers obsolesce faster, and if the Chinese lightweight model approach wins, the infrastructure buildout is just waste.
The coercive adoption frame is what’s worth sitting with. If a technology’s growth story is “organizations are mandating it,” that’s a ceiling the adoption curves don’t show. The internet scaled because people wanted it. Vibe coding works for some developers because they chose it. A forced rollout to resentful workers is a different machine — and institutional friction is a real force that doesn’t show up in market caps.
Building a sustainable market on resentment and mandate is a different problem than building one on voluntary adoption. One of those has a ceiling we haven’t named yet.Post to X
‘Project Glasswing: An initial update’
Anthropic’s Glasswing project deploys Claude agents to scan open-source codebases for security vulnerabilities, then coordinate disclosure with maintainers. The bottleneck isn’t finding bugs. They can find bugs. The bottleneck is that volunteer maintainers can’t process the flood of confirmed, well-documented vulnerabilities coming at them.
This is the subprocess delegation pattern working exactly as designed, which is the interesting part. You can now make vulnerability discovery almost free. What you can’t make free is human capacity to triage and patch. The cost didn’t disappear — it shifted. Same pattern shows up everywhere an AI agent accelerates the detection loop without touching the response loop: security queues, support queues, code review queues. The queue is now the rate limiter. Anthropic’s handling it by distributing capability asymmetrically — 50 partners get the research harness, enterprises get a different product, the public gets neither — buying time for the ecosystem to catch up. That’s a coordination strategy, not a solution.
Finding vulnerabilities used to be expensive. Now it’s cheap. The cost shifted downstream — onto the humans who have to do something about it. That’s not a solved problem; that’s a relocated one.Post to X
Both problems are coordination problems wearing technology’s clothes. The tech part works. The next constraint is always the humans on the other end.
🪨