
Capabilities Got Cheap. Discipline Didn't.

In 2015 every cloud breach got blamed on 'human error.' We're living through the same gap again — capabilities cheap, discipline scarce. We know how it ends.

In 2015, every cloud security breach got blamed on "human error." Customer data left exposed in cloud storage that should have been locked down. Passwords and access keys leaked into public code. User accounts with way more access than the job actually required. The press releases all read the same — some named SVP would talk about "an isolated incident due to a configuration mistake," there'd be a blog post about new safeguards, and the cycle would continue. Capital One. Verizon. Accenture. WWE, hilariously. The list went on for years.

The official explanation was always individual mistakes. The real explanation was that we were running powerful new infrastructure with almost no operating discipline around it. The cloud platforms were shipping new capabilities faster than the industry was building guardrails for them. The feature velocity was extraordinary. The operating maturity was a decade behind.

The market eventually corrected. An entire category of cloud security tooling got built. Audit logging that tracked every action became standard. Access management got serious. Organizations that had once treated cloud as "just a faster way to provision a server" came around to the idea that operating cloud infrastructure was a discipline of its own, different in kind, not just degree, from operating an old-fashioned server room. The tooling, the org structure, the headcount, the audit, all of it eventually showed up. It took about a decade. A decade of breaches paid for the lesson.

I want to be careful with the analogy I'm about to make, because forced analogies are how lazy thinkers get their content. But I've been around long enough to recognize the shape, and the shape is back.

We are running powerful new infrastructure with almost no operating discipline around it. The infrastructure this time is AI-built software — autonomous agents, custom applications shipped through Lovable, Bolt, Replit, Claude Code, and a thousand small workflow automations sitting inside ordinary businesses. The capabilities are extraordinary. The operating maturity is several years behind, at minimum.

A couple of recent receipts. Snap published last quarter that 65% of their new code is AI-generated. They're cutting a thousand people. That number is going to get demanded of every engineering organization by their boards within twelve months — and most of them won't have a good answer, which is its own kind of answer. Meanwhile, on the operations side, a core piece of AI software called LiteLLM had its supply chain compromised earlier this year. It's a library that sits inside more AI products than most leaders realize. Twelve percent of AI-related security breaches are now coming from autonomous agents. One AI researcher's autonomous agent ran 700 research experiments in two days. The next one will run 7,000.

Capabilities aren't the bottleneck anymore. Capabilities are getting embarrassingly cheap. The bottleneck is whether anyone knows what their agents are actually doing, whether their AI-built applications have any kind of monitoring on them, and whether anyone can answer for them when something goes sideways.

We don't have category-level tools for monitoring agents yet. We don't have audit trails that track what an agent decided and why. We don't have a generation of operators trained in how to oversee AI-built software the way we eventually got a generation trained in how to oversee cloud infrastructure. The gap between capability and operating discipline is exactly where the next decade of breaches and outages and "human error" press releases are going to come from.

This time, though, the gap manifests differently — because the people building the AI-driven systems aren't, primarily, engineering teams. They're operators. Founders, partners, ops managers, COOs. Smart, capable, busy people who built something real, who don't have an internal IT team, and who don't think of "operations" as their job. The cloud-era gap was between developers and operators inside engineering organizations. This era's gap is between builders and operators inside the entire small and mid-sized business economy. That's a bigger gap. That's a lot more software. That's a lot more critical workflow running on systems that nobody is watching at 2am.

The decade-of-breaches lesson is still cheaper than learning it again. Monitoring discipline for agents is going to become a category. Standardized observability for AI-built applications is going to become table stakes. Managed operating practices for the long tail of custom software outside the big engineering shops are going to fill in the gap. Whichever firms get there first are going to do well, and more importantly, the businesses that adopt those disciplines early are going to dodge a lot of pain that the late adopters won't.

The historical pattern is consistent. The firms that win the next phase aren't the ones that ship the most capability. They're the ones who get accountable for the capability they shipped. That's what I've been arguing about agents on LinkedIn for the better part of a year, and it's why I started Keepstone. The pattern doesn't repeat exactly. But it does rhyme. Capabilities are a commodity now, discipline is what's scarce, and the good news is — we know how this story ends, because we've already lived through one round of it.
