15 Days. Six Vendor Moves. Three Breaches. One Threat Actor.
OpenAI moved twice. Anthropic moved twice. Palantir, Dell. And in the same fortnight, TeamPCP breached Grafana, Mistral, OpenAI, and GitHub. The two companies that defined cloud-native AI in 2022 each made two distinct customer-side decisions in the same window. That is the signal of the year.
Securing the Agentic Era. Article 14 · AI Governance · Thursday Bridge
In the last 15 days, the four most consequential AI infrastructure vendors in the regulated enterprise stack each shipped a customer-side move. OpenAI and Anthropic each did it twice. In the same fortnight, a single threat actor named TeamPCP ran a coordinated supply chain campaign that breached Grafana, Mistral, OpenAI’s corporate environment, and GitHub.
Six vendor moves toward the customer perimeter. Three confirmed breaches. One threat actor. One direction. The framework that explains the pattern is the article I will publish on Tuesday. This is the question. Tuesday is the answer.
May 4: Two signals on the same day
The fortnight opens with two vendor moves on a single day.
Signal A. Palantir Q1 2026. Palantir reported 85% revenue growth in Q1. AIP is now positioned, in the company’s own words, as an “operational system for deploying agents with governance, cost attribution, and auditability.” Not a model wrapper. US Commercial revenue was up 133% year-over-year, with full-year US Commercial guidance projecting at least 120% growth. The fastest-growing piece of the fastest-growing AI infrastructure company is the part that operates AI inside the customer’s authority and ontology.
Signal B. Anthropic + Wall Street consultancy JV. The same day, Anthropic announced a $1.5 billion enterprise AI services joint venture with Blackstone, Hellman & Friedman, and Goldman Sachs, with additional backers General Atlantic, Leonard Green, Apollo Global Management, Singapore’s GIC, and Sequoia Capital. The mechanism: embed Anthropic engineers and models directly inside mid-size businesses, especially the portfolio companies of the world’s largest PE firms. The venture targets PE-owned healthcare, manufacturing, financial services, retail, and real estate. This is a distribution channel no software vendor has had at this scale. Anthropic just bought the pipe to the next decade of mid-market AI procurement.
May 11: OpenAI DeployCo announced. Two OpenAI employee devices compromised. Same day.
OpenAI launched a $4 billion standalone business unit, internally called DeployCo, designed to embed Forward Deployed Engineers inside client organizations. The mechanism is exact. OpenAI is not building deeper APIs. OpenAI is hiring humans to sit inside the customer’s perimeter and operate the AI from there.
On the same day, OpenAI confirmed that two employee devices in its corporate environment had been compromised by the TanStack npm supply chain attack, with credential-focused exfiltration activity observed. The TanStack attack disclosed on May 11 hit 170 npm packages and 2 PyPI packages, totaling 404 malicious versions, including the entire TanStack router ecosystem, Mistral AI’s SDK on both npm and PyPI, UiPath’s automation tooling (65 packages), OpenSearch (1.3M weekly downloads), and Guardrails AI. The threat group signed the campaign “With Love TeamPCP.”
OpenAI launched DeployCo to put Forward Deployed Engineers inside customer perimeters on the same day OpenAI’s own perimeter was being breached by the supply chain attack OpenAI was responding to. That is not coincidence. That is the architecture problem visible in real time.
The TanStack attack is also the first documented case of a malicious npm package carrying valid SLSA provenance, the cryptographically signed build attestation that is supposed to prove a package was built from a trusted source by a trusted builder. The trust marker itself was forged. The integrity guarantee meant to underwrite the supply chain failed at the cryptographic layer.
May 16: Grafana Labs codebase stolen
Five days after the TanStack disclosure, Grafana Labs confirmed that a stolen GitHub token had given attackers access to its codebase. The root cause was a recently enabled GitHub Action containing a Pwn Request vulnerability, a misconfigured workflow triggered on pull_request_target events that granted external contributors access to production secrets during CI runs. The breach originated from the same TanStack campaign. Grafana refused the ransom demand. The attribution is TeamPCP and a connected operation called CoinbaseCartel, linked to the broader ShinyHunters, Scattered Spider, and LAPSUS$ ecosystem.
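To make the Grafana misconfiguration concrete, here is an added example (not Grafana’s workflow or code, and the two sample workflows are constructed): a vulnerable pull_request_target workflow beside its hardened form, and a small heuristic checker that flags the Pwn Request pattern in workflow text.

```python
"""Heuristic check for the GitHub Actions 'Pwn Request' pattern.
pull_request_target runs in the base repository's context, so the job gets
repository secrets and a read/write GITHUB_TOKEN; if it then checks out and
executes the pull request's head commit, untrusted code runs with them."""
import re

# Constructed sample workflows for illustration (not Grafana's real workflow).
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:    # privileged trigger: base-repo secrets available
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - run: npm ci && npm test                           # executes it
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # secret in scope
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:           # for a fork PR: no secrets, read-only GITHUB_TOKEN
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # merge ref, still untrusted code
      - run: npm ci && npm test     # but nothing privileged is reachable
"""

PRT_TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.MULTILINE)
PR_HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
SECRET_USE = re.compile(r"\bsecrets\.[A-Za-z_][A-Za-z0-9_]*")


def find_pwn_request(workflow_text: str) -> list[str]:
    """Return findings for the workflow; an empty list means not detected."""
    if not PRT_TRIGGER.search(workflow_text):
        return []  # unprivileged trigger, nothing to flag
    findings = []
    if PR_HEAD_CHECKOUT.search(workflow_text):
        findings.append("pull_request_target job checks out the PR head: "
                        "untrusted code runs with base-repo privileges")
        if SECRET_USE.search(workflow_text):
            findings.append("repository secrets are referenced in the same workflow")
    return findings
```

The checker is a text heuristic, not a YAML parser; it is meant for a quick sweep of `.github/workflows/` before a proper review.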
May 18 (Dell Technologies World, Las Vegas): Two signals at the same event
The vendor-side inflection point of the fortnight happened at one conference, with two announcements on the same morning.
Signal A. Dell AI Factory with NVIDIA. Dell announced AI Factory with NVIDIA as a continuum from local workstation to liquid-cooled rack, alongside fiscal 2026 results showing $9 billion in AI server revenue, up 342% year-over-year, with a $50 billion projection for FY27. Dell COO Jeff Clarke said plainly that routing agent workloads to public cloud creates unsustainable costs and latency for many enterprise datasets, and that token consumption for AI reasoning has risen by 320x. The infrastructure manufacturer is publicly arguing that the public cloud model does not work for agent operations at scale.
Signal B. OpenAI Codex on-prem with Dell. Hours later, at the same event, OpenAI announced that Codex, its fastest-growing enterprise product with more than 4 million weekly developers, would be deployed into hybrid and on-premises enterprise environments via the Dell AI Data Platform and Dell AI Factory. Press coverage called this OpenAI’s first explicit hybrid-and-on-prem enterprise distribution play. Targets are UK financial services, healthcare, and government buyers that cannot send data to public cloud. This is OpenAI’s second customer-side move in seven days.
May 19: Anthropic Self-Hosted Sandboxes and MCP Tunnels. And GitHub.
Two signals on the same evening, on the closing day of the fortnight.
Signal A. Anthropic ships self-hosted sandboxes and MCP tunnels. The agent loop remains on Anthropic’s infrastructure, but tool execution moves to customer-controlled environments, on AWS, Cloudflare, or the customer’s own datacenter. MCP tunnels reach private services inside enterprise networks without exposing them to the public internet. This is Anthropic’s second customer-side move in fifteen days. The first was the Wall Street consultancy JV on May 4. The mechanism is different (engineers inside portfolio companies, versus tool execution inside customer networks) but the direction is identical: the trust boundary moves inside the customer.
Signal B. GitHub confirms 3,800 internal repositories exfiltrated. The same evening Anthropic announced its self-hosted sandboxes, GitHub confirmed that approximately 3,800 of its internal repositories had been exfiltrated. The attack vector is the architectural point. A malicious VS Code extension installed on an employee’s device executed hidden code on installation, used the employee’s credentials and developer tooling, and reached GitHub’s internal source code. TeamPCP is offering the stolen source on the Breached forum at a $50,000 floor. GitHub states no customer data is impacted; the investigation is ongoing.
This is the third confirmed breach in the same supply chain campaign that hit Grafana, Mistral, and OpenAI’s corporate environment in the preceding eight days. Same threat actor. Same vector class. Same surface area that every AI coding agent, every productivity plugin, and every MCP server inhabits. The largest software supply chain provider in the world had its internal perimeter reached through the developer-tool layer that AI agents now live inside.
The pattern
Eleven signals in 15 days. Six vendor moves. Three breaches. One threat actor. One direction.
The two companies that defined cloud-native AI in 2022 each made two distinct customer-side decisions in the same fortnight, with the same mechanism: forward-deployed engineering inside the customer’s perimeter. OpenAI launched DeployCo on May 11 to embed Forward Deployed Engineers inside client organizations, and OpenAI Codex on-prem with Dell on May 18 to put inference inside the customer’s data center. Anthropic launched a $1.5 billion Wall Street consultancy JV on May 4 to embed engineers inside the portfolio companies of the world’s largest PE firms, and self-hosted sandboxes with MCP tunnels on May 19 to put tool execution inside the customer’s network. Four customer-side decisions from two cloud-native AI companies, independently, in the same window.
Palantir is operating AI under the customer’s ontology and authorization. Dell is selling the rack the AI runs on inside the customer’s datacenter, and partnering with OpenAI to populate that rack with the world’s most-used coding model. And in the same fortnight, TeamPCP ran a coordinated supply chain campaign that breached Grafana’s codebase, listed 5GB of Mistral’s internal source code for sale, compromised two OpenAI employee devices, and exfiltrated 3,800 of GitHub’s internal repositories. The campaign used a malicious npm package with forged SLSA provenance, a stolen GitHub token from a misconfigured CI workflow, and a poisoned VS Code extension. Three different vectors. One supply chain. One direction.
None of the six vendor moves is a cloud retreat. None of them abandons the cloud-native model. What is happening is more specific. The locus of control over enterprise AI, the place where the trust boundary sits, is moving from the vendor to the customer. The two cloud-native AI titans have each made two distinct customer-side decisions in fifteen days. The breach campaign over the same days is what makes the move strategic instead of optional.
The question this raises is what to call this and how to architect for it. “On-prem” is the wrong word, because five of the six vendor moves are not on-prem in the 2010 sense. “Sovereign AI” is closer, but it overstates the geography and understates the architecture. The right word is the trust boundary. And it has moved.
I will publish the framework that explains what to do about it on Tuesday. Tuesday’s piece is a tale of two cities. SaaS wants your data. The regulated enterprise wants it back. The vendors are quietly choosing sides. Two of them chose twice.
For now, hold the eleven signals next to each other. The pattern is the story.
Building the trust layer for enterprise AI
iTmethods runs the substrate inside the customer’s trust boundary. Forge operates managed source code platforms and the AI coding tool layer inside the customer’s authorization. Reign governs every agent call. Talk to engineering.
Paul Goldman is Founder and CEO of iTmethods. He has spent 21 years building managed infrastructure for regulated enterprises and writes weekly on AI governance in the agentic era. Building the Trust Layer for Enterprise AI at itmethods.com.