The Power Bill, The Pentagon Carve-Out, And A Two-Hour Breach

00:00:04 Maryland's Office of People's Counsel went to the Federal Energy Regulatory Commission this week with a complaint that lands at the center of every AI infrastructure conversation people have been having since last summer. Two billion dollars. That's the share PJM Interconnection wants to charge Maryland ratepayers as part of a twenty-two billion dollar grid upgrade — an upgrade driven not by Maryland demand, but by the data centers PJM expects to fire up across its thirteen-state footprint over the next decade.

00:00:34 The Office of People's Counsel, which exists to represent utility consumers in the state, calls the allocation broken. Their numbers say it adds an extra one-point-six billion dollars to Maryland bills over ten years: about three hundred forty-five dollars per residential customer, six hundred seventy-three dollars per commercial customer, and over fifteen thousand dollars per industrial customer.

00:00:57 Maryland People's Counsel David Lapp put it this way: 'Maryland customers have neither caused the need for these billions in new transmission projects nor will they meaningfully benefit from them.' That's the live argument going to the Federal Energy Regulatory Commission.

00:01:13 The same week, in Florida, Governor Ron DeSantis signed Senate Bill 484. The law does what Maryland wishes PJM's tariff structure already did: it blocks Florida utilities from shifting hyperscale data-center costs onto residential and small-business customers, and it lets local governments approve or reject specific projects.

00:01:33 DeSantis said the line at the signing in Lakeland: 'You should not pay one more red cent for electricity because of a hyper-scale data center.' Maryland is litigating through the Federal Energy Regulatory Commission, and Florida is moving statute. Both are reacting to the same number you keep seeing in pitch decks.

00:01:55 David Sacks posted his back-of-envelope math today: capital expenditure of roughly fifty billion dollars per gigawatt, twenty-five to thirty billion dollars in enterprise revenue per year, and one to two billion dollars in electricity cost. That gets him a two-year payback.

00:02:11 He posted it with the line 'the boom is real,' and eight thousand likes later it's the consensus framing on the buy-side. One thing's missing from Sacks' math. The two-year payback only works if someone other than the data-center operator absorbs the grid build-out.

00:02:27 PJM's twenty-two billion dollar upgrade is exactly that line item. If that cost gets pushed back onto the hyperscaler the way DeSantis just legislated and Maryland just litigated, the unit economics look different. The 'ratepayer protection pledge' that the Trump administration extracted from tech companies last year — the one Maryland's complaint cites by name — is the loose verbal guarantee underneath the boom.

00:02:51 Loose verbal guarantees become Federal Energy Regulatory Commission dockets when the bill arrives. Two Hacker News commenters captured the temperature. One asked why utilities keep moving toward fixed-platform fees instead of usage charges. Another asked, plainly: 'Who is actually signing off on these agreements to build it, knowing the bill goes to the locals?' That's the question the next ninety days are going to spend more time on.

00:03:17 The things I'd track: which PJM states follow Maryland to the federal regulator, whether the Florida statute survives its inevitable preemption challenge, and how many AI infrastructure announcements get restructured between now and the end of the second quarter so the hyperscaler can keep the two-year payback narrative intact.

00:03:36 This is the institutional weather underneath the model release cycle. Nobody's going to put it on a slide at a tech conference. But every megawatt that gets contested in front of a state utility commission is a megawatt that doesn't ship on time.

00:03:51 On May 1, the Pentagon announced cloud-hosted AI contracts for use in classified Impact Level 6 and Impact Level 7 environments. The seven companies on the list: Amazon Web Services, Google, Microsoft, Nvidia, OpenAI, SpaceX, and the startup Reflection AI. The vehicle is something called GenAI dot mil, an internal portal the Department of Defense launched last year that already has one-point-three million users across the department.

00:04:18 One name is missing from the seven, and it's the one most builders would have guessed first: Anthropic. This is downstream of a fight that started in February. Defense Secretary Pete Hegseth designated Anthropic a supply chain risk because Anthropic refused to lift its usage policy restrictions on mass surveillance and on autonomous-weapon targeting.

00:04:40 He went on X and announced that, effective immediately, no Pentagon contractor, supplier, or partner could do commercial business with the company. He called Dario Amodei an 'ideological lunatic' in a Senate hearing. Anthropic sued in March in San Francisco and in Washington, citing First Amendment retaliation and arguing that Hegseth had exceeded the supply chain risk statute.

00:05:04 Those cases are pending. That's the public part. The carve-out runs underneath the public fight. Pentagon Chief Technology Officer Emil Michael told CNBC on May 1 that Mythos — Anthropic's frontier model, the one Mozilla used to find two hundred seventy-one Firefox security bugs last week — is, in his words, 'a separate national security moment.' Cybersecurity News and The Hill have both reported that the National Security Agency is using Mythos Preview through the consortium access Anthropic granted to a small list of partners that includes Amazon, Apple, Broadcom, Cisco, CrowdStrike, Google, and JPMorgan Chase.

00:05:43 So the blacklist holds on paper, the lawsuit grinds forward, and the actual cyber agency inside the federal government uses the model anyway through a partner stack. David Sacks weighed in today as part of a broader response to the people calling for an 'FDA for AI' — a pre-market regulatory regime that would require model approval before release.

00:06:05 His argument: even a perfect pre-approval regime wouldn't block the cyber threat, because hackers will pull advanced capabilities from foreign models within six months regardless. He tied it back to the Trump administration's AI Action Plan from last July, which has a cyber-risk workstream Sacks helped shape.

00:06:24 The post is doing rhetorical work for the no-new-regulation camp, but the empirical claim about foreign models is hard to argue with given DeepSeek's release cadence and Qwen's open-weight strategy. A reply from the account crepesupreme caught my eye, and it's the cleanest framing I've read on the May 1 announcement: 'The FDA-for-AI debate skipped May 3rd.

00:06:46 Hegseth blacklisted Anthropic from Pentagon AI after Mythos, no rulemaking and no comment period. Pre-market vetting already operates through procurement.' That's the structural argument. The United States doesn't need a new statutory regime to vet frontier AI before deployment — the procurement office at the Pentagon already does pre-market vetting, just under different rules, and without the public-comment infrastructure an FDA-style regime would require.

00:07:15 The May 1 contract list is the vetting. The Anthropic exclusion is the rejection notice. The NSA running Mythos through a consortium partner is the underground market that always emerges when official policy and operational need pull in different directions. Tom English noticed something else.

00:07:34 The seven-firm Pentagon announcement landed on International Workers Day. He flagged it with a raised-fist emoji and nothing else. The timing's probably coincidence — May 1 fell on a Friday, the news cycle didn't have to thread a holiday — but it's the kind of detail that makes the calendar feel like it's narrating itself.

00:07:54 The Anthropic lawsuits sit at the center of the next ninety days. If a federal judge in San Francisco or Washington rules that Hegseth exceeded his authority on the supply chain risk designation, the Pentagon will have to allow Anthropic to compete for the next round of GenAI dot mil contracts.

00:08:12 If the courts side with the administration, then the precedent — that a Defense Secretary can blacklist a frontier model lab by tweet because the lab maintains usage restrictions — applies to whoever the next administration disagrees with about whatever the next ethical line turns out to be.

00:08:31 Either ruling rewires the relationship between AI labs and the executive branch for a decade.

00:08:37 Christopher Nguyen — co-founder of the AI infrastructure startup Aitomatic, formerly an engineering director at Google — posted today from Paris about something called Project Tapestry. The initiator is the AI Alliance, the open-source-leaning consortium IBM and Meta stood up two years ago.

00:08:54 The stated goal is to help solve AI sovereignty for Vietnam, Japan, India, Thailand, France, South Korea, and Malaysia. He cc'd Kai-Fu Lee, Eric Xing, and FPT Software, the largest Vietnamese tech company. The framing strips 'sovereign AI' down to its working parts.

00:09:10 Alper Ferudun, a Turkish AI infrastructure engineer, put it cleanly in a separate post: 'Llama and DeepSeek-era sovereign AI is not just model weights. It needs local data governance, local-language evals, inference capacity, and procurement that does not depend on one U.S.

00:09:26 API endpoint.' That's the actual stack. Weights are necessary; weights alone are insufficient. If a Vietnamese ministry buys a license to a French-trained Llama-derivative and then runs inference through a hyperscaler endpoint that terminates in Virginia, the ministry has rebranded dependency, not sovereignty.

00:09:45 The reason this is moving right now, in Paris, with seven country names on the deck, is that the previous month's Pentagon-Anthropic fight made the procurement risk legible to everyone outside the United States. The signal that one Defense Secretary can blacklist one of the three frontier labs by social-media post is the signal that a foreign ministry can't bet its AI strategy on a single American endpoint.

00:10:10 Even allies have to assume their endpoint could be cut for policy reasons that have nothing to do with the foreign customer. There's a separate thread from an account called Surreal Intelligence I'd quote at length: 'Countries do not need AI castles. They need enough local capability to build, audit, adapt, and refuse systems on their own terms.' The word that earns its place there is 'refuse.' The full sovereignty package is the right to say no — to a model update, to a data-handling requirement, to a license change, or to an export-control rule that lands in your inbox at three in the morning Paris time.

00:10:46 Korea fast-tracked its AI Data Center Special Act, which we covered on Thursday. Japan's Ministry of Economy, Trade, and Industry is rumored to be drafting something similar. Vietnam doesn't have the capital to build at Korea's scale, but FPT Software has been building inference infrastructure for state-owned enterprises since last summer, mostly out of public view.

00:11:08 What Project Tapestry is trying to do is make those scattered national efforts cohere into a portable stack — local-language evaluation suites, shared procurement templates, and audited inference runtimes — so that the seventh country doesn't have to re-derive every piece of the architecture from scratch.

00:11:27 Whether it works depends on whether the participants can resist the gravitational pull toward whichever American or Chinese lab quotes them the cheapest token. Sovereignty isn't free. It costs power, it costs procurement officers, and it costs the courage to refuse a discount.

00:11:43 The artifact to watch is the first procurement contract that names 'audit-on-demand' and 'right to refuse a model update' as line items. That contract is the thing that moves the sovereignty stack from a Paris workshop to a ministerial budget.

00:11:58 On February 28 of this year, a security firm called CodeWall pointed an autonomous offensive AI agent at the open internet with a single instruction: pick a target. The agent picked McKinsey. CodeWall's writeup says the agent chose McKinsey because of its public responsible-disclosure policy and a recent update to its internal AI platform, Lilli.

00:12:19 Two hours later — and at a total compute cost the firm puts at about twenty dollars — the agent had full read and write access to the production database underneath Lilli. The numbers on the other side of that breach explain why this story keeps surfacing on the policy desks I read.

00:12:37 Lilli is the AI platform McKinsey rolled out to its workforce two years ago. It serves more than forty-three thousand consultants.

00:12:45 The CodeWall disclosure says the breach exposed forty-six and a half million chat messages covering strategy, mergers and acquisitions, and client engagements; seven hundred twenty-eight thousand files; fifty-seven thousand user accounts; three hundred eighty-four thousand AI assistants; ninety-four thousand workspaces; three-point-six-eight million retrieval-augmented generation document chunks — the entire knowledge base feeding the AI; over two hundred sixty-six thousand OpenAI vector stores; and ninety-five system prompts containing Lilli's behavioral rules.

00:13:20 The system prompts were writable. That's the line that should land hardest. A poisoned system prompt doesn't show up as a Common Vulnerabilities and Exposures entry. It isn't a code deploy. It doesn't trigger an alert. Whoever wrote to those ninety-five records could have silently changed what Lilli told forty-three thousand consultants about a competitor, a country, a sanctions regime, a takeover defense, or the right way to frame an earnings call — for every query, for every user, for as long as the change went undetected.

00:13:53 McKinsey's after-the-fact statement says no client data or confidential information was accessed by any unauthorized third party. The CodeWall agent says it had read and write access to all of it. Those statements only reconcile if you read 'accessed' narrowly.

00:14:09 I'd hesitate to take that on faith. The technical vulnerability wasn't glamorous. Lilli's API documentation was publicly reachable. It exposed more than two hundred endpoints, and twenty-two of them required no authentication. The search endpoint properly parameterized its query values — the standard SQL-injection defense everyone learns in week one — but the JSON keys themselves, the field names, were concatenated into SQL without sanitization.

00:14:36 An autonomous agent watching JSON key names reflect into database error messages recognized the soft spot. The reason this matters beyond McKinsey is the math. Twenty dollars. Two hours. An attacker chose its own target. We're now in the regime where any enterprise AI deployment that left a documentation page reachable, a parameter unsanitized, or an authentication boundary fuzzy is a candidate for a fully automated breach by next quarter.

00:15:04 The Nate B Jones video that surfaced this incident frames it as a procurement and engineering culture failure — that traditional software contracting sequences assume bounded, screen-mediated humans, and AI agents bypass screen-based permissions. That diagnosis is the one I'd take seriously.

00:15:22 The cure is slower and less photogenic than the breach: explicit identity separation between human and agent callers, scoped permissions per agent action, full audit trails, and the operational ability to revoke an agent token in minutes rather than days. Two things to track in the next ninety days.

00:15:40 First, McKinsey's clients invoking the audit provisions in their consulting contracts before this quarter closes. Second, enterprise AI vendors publishing the next version of their security model in response. The procurement language for the next twelve months has to look different from the language for the last twelve.

00:16:00 Jeff Ladish, who runs a small AI security shop adjacent to the Palisade Research work we covered yesterday, posted a short question tonight: 'Why aren't people more scared of drones? They've drastically changed warfare in the Ukraine and Russia. They're going to be even more incredibly effective and deadly weapons once AI pilots are efficient enough to run onboard.

00:16:22 And they'll be cheap. Super cool, but terrifying.' It registers the current reality — that the war in Ukraine has, in two years, become the largest live experiment in drone-mediated combat in human history. And it forecasts the next step, which is the migration of the pilot from a human at a console somewhere in the rear to a model running on a chip inside the airframe.

00:16:46 Watson Ladd replied with the obvious counterpoint: 'Because the AI anti-air drone will also be a thing.' Each claim is plausible, and each is, separately, the likely outcome. For an institutional analyst the relevant uncertainty isn't whether the technology matures — it is.

00:17:02 The uncertainty is which side of the offense-defense balance it lands on first, and where. I'll be careful here, because the spoken word lands harder than the written one on this material. Onboard AI pilots aren't a future technology. The Ukrainian Armed Forces have been testing edge-inference targeting on first-person-view drones for at least eighteen months.

00:17:24 Russian forces have been doing the same on the Lancet platform. What changes when the model gets cheap and capable enough to fly the full mission without a radio link isn't the existence of the capability — it's the resistance of the capability to electronic warfare.

00:17:39 A drone that can't be jammed because it doesn't need to receive instructions during the terminal phase is a different threat than one that does. This connects back to the second chapter. The Pentagon's May 1 contracts with seven AI firms are about the back-office side of the problem — classified-network AI for analytical workflows.

00:17:59 The drone question is the forward edge. Anthropic's Mythos was excluded from the back office partly because Anthropic refused to lift its restriction on autonomous-weapons use cases. That restriction will face commercial pressure as the cost of an onboard-piloted drone drops below the cost of a hand grenade.

00:18:17 Which it will. Over the next six months I'd be looking for whether one of the seven firms in the GenAI dot mil portal is doing the targeting work that Anthropic refused, and whether anyone outside the relevant compartmented facility will ever know. Ladish's line — super cool, but terrifying — names the tension cleanly.

00:18:36 The capability is here, the threat is here, and neither side of that needs the script to push it.

00:18:42 Andreas Kirsch, who works at Google DeepMind in London, posted today in what he called 'personal capacity': 'The DeepMind unionization effort has very worthy goals it seems. Maybe Google will finally grant Google DeepMind that independent ethics oversight board that was reportedly part of the original acquisition deal in 2014.'

00:19:04 When Google bought DeepMind in January 2014 for roughly six hundred fifty million dollars, the reporting at the time said an independent AI ethics review board was part of the deal. That board, if it ever existed, has never produced a public output, and the founders Demis Hassabis and Mustafa Suleyman have given evolving public statements about whether it ever convened.

00:19:26 Twelve years later, a sub-organization inside Google whose work increasingly defines the public face of Google's AI is unionizing. The two things are connected by a thread. The unionization effort is reportedly being run through the Communications Workers of America, the same union that organized the Activision Blizzard quality-assurance staff in 2022 and a handful of Google contractor groups since.

00:19:50 DeepMind is a Google subsidiary in the United Kingdom, so the legal posture is different from a U.S. National Labor Relations Board petition — United Kingdom union recognition runs through the Central Arbitration Committee — but the bargaining unit is essentially the same: research engineers, research scientists, software engineers, and the rotating cast of contractors who keep the inference clusters running.

00:20:14 Why this matters institutionally: Google has been the quiet exception on labor in big tech. Microsoft has worked with unions at Activision, Apple has fought retail unions, and Amazon has fought warehouse and air-hub unions, but Google itself has mostly only had to deal with the small Alphabet Workers Union and contractor-side organizing.

00:20:35 A research-side unionization at DeepMind is a different kind of pressure. It's the people who write the model trying to write the contract under which the model gets shipped. If the bargaining unit lands on the question of independent ethics oversight — which Kirsch is essentially predicting — Google ends up arbitrating in 2026 the deal it made in 2014.

00:20:56 I don't know how this plays out. United Kingdom union law has gotten tighter under the current government, and Google has more lawyers than the Communications Workers of America does. But the moral pressure carries weight. The thing to watch is whether any of the named DeepMind researchers who signed the 2024 letter about military contracts show up on the bargaining committee.

00:21:18 That would mean the union is serious.

00:21:20 Ethan Mollick posted today that the 'only people in San Francisco get AI' frame is over. His line: 'AI users are in every industry and they have access to the same models. SF is far from the epicenter of many of the craziest use cases I have seen in science, law, finance, marketing, education.' He'd just gotten back from a stretch of speaking with non-Bay-Area knowledge workers, and the geographic distribution he describes is consistent with what the survey data has been showing for the better part of a year.

00:21:51 One thing to add. The 'everyone is using AI' claim holds at the level of access — pricing parity is the rule, and frontier models charge the same per token in Stockholm and São Paulo as they charge in San Francisco. The claim is also misleading at the level of leverage.

00:22:08 A solo legal practitioner in Lagos using Claude is a different leverage relationship than a four-thousand-lawyer firm in New York rolling out an in-house harness on a private endpoint. Both are AI use. They produce very different distributions of the surplus. The reason to flag this on a Sunday is that the policy conversation in the United States and the European Union is still being written as if the user is in San Francisco.

00:22:34 The Pentagon-Anthropic fight, the Maryland regulator complaint, and the Florida statute all describe AI users as concentrated, large, identifiable institutions. Mollick's observation is that the median user is now a person at a desk in a smaller city working on a problem the policy conversation hasn't modeled.

00:22:53 That asymmetry will surface in unexpected places over the next year — in tax filings, in malpractice insurance, in education-licensure complaints, and in a thousand small jurisdictional fights that the people writing the AI Action Plan in July 2025 didn't anticipate.

00:23:09 A short close. Tomorrow is Monday, May 11. Three things I'd track. First, the Anthropic federal court dockets in San Francisco and Washington. The lawsuits against the supply chain risk designation have been moving slowly through motion practice; any ruling that touches the merits — even on a preliminary injunction — reshapes the procurement story I walked through earlier.

00:23:29 Second, the Federal Energy Regulatory Commission's docket reaction to the Maryland complaint. The regulator moves slowly by design, but the complaint asks for action, and the politics around it are loud enough that something gets entered into the record this week.

00:23:42 Third, Project Tapestry's Paris event ends mid-week. The artifact to watch for is a published deliverable — a procurement template, an evaluation suite, or a memorandum of understanding signed by at least three of the seven participating countries. If the deliverable is a press release, the sovereignty stack is still aspirational.

00:24:00 If the deliverable is a contract, the stack is operational. The Palisade follow-up I promised yesterday — the Berlin workshop on Tuesday — I'll cover Wednesday morning. The Federal Communications Commission voice-verification Senate hearing remains on the calendar; no movement on a date yet.

00:24:15 Those are the three I'd put on the desk for Monday morning. The week opens with the courts, the regulators, and a procurement office that has gotten ahead of the policy conversation it answers to. We'll see who blinks first. Jonas.