
Microsoft killed AI features in 81 products. Read the receipt.

The cheapest-compute operator on earth conceded that bolt-on AI is a margin sink — the same week offense hit $30 a scan and a Cursor agent wiped a production database and its backups in one prompt.

Microsoft pulled Copilot out of Gaming, Photos, Widgets, and Notepad this week. The Windows chief said customers called the features "functionally useless." The Xbox CEO killed Gaming Copilot outright. An EVP admitted on the record that inference costs are pressing on margins. Eighty-one distinct surfaces shipped Copilot over eighteen months. Most of them are gone, or about to be.

The one that survived — Microsoft 365 Copilot at $30 a seat — grew paying users 33% quarter over quarter.

That is the entire memo. The company with the cheapest frontier-model access on earth, four hundred million Office users, and effectively unlimited capital just published the result of the largest AI-distribution experiment ever run. Breadth-first AI feature sprawl does not work. Narrow surfaces where the model replaces a task the user actively avoided, and where the output is good enough to ship without rewriting, do work. Everything in between is inference cost with no retention attached.

The margin gap is structural, not a phase

Bessemer put real numbers in public this week. AI companies are landing at 50–60% gross margins against 80–90% for traditional SaaS. The fast-growth cohort runs closer to 25% and funds the gap with burn. OpenAI claims a thousand-fold response-cost reduction over fourteen months — and reasoning models ate most of it back, pushing per-query compute up roughly 10x for the same user-visible answer. Per-token cost falls. Tokens consumed per task rise faster.

A company shipping AI on every surface is running thirty margin-negative line items to fund the one that pays for itself. Microsoft absorbed that for eighteen months. Most organizations cannot absorb it for one quarter.

Anthropic's bet is the structural alternative: per-result pricing, focused agent outcomes, an explicit 90% autonomy target for Claude Code. Revenue grew roughly 80x year on year. The token-metered dashboard is already stale — you need cost-per-successful-task next to cost-per-million-tokens, and most teams do not have the task-level success instrumentation to compute the second number.

The optimization stack is sitting on the table

The consoling part: 20–30 margin points are recoverable in weeks, not quarters. vLLM plus Mooncake hit 92.2% prefix-cache hit rates on agentic workloads — up from 1.7% — with 3.8x throughput and 46x lower P50 TTFT. Anthropic's prompt caching cuts 90% of repeated-prompt cost. Yandex stacked quantization, EAGLE3, KV reuse, and parallelization for a 5.8x end-to-end speedup. The Sonnet-drafts-Opus-reviews advisor pattern claims frontier quality at 5x lower cost, conditional on escalation rate staying under 20%.

Order matters. Apply speculative decoding before quantization and the quantized draft model accepts fewer tokens — the speculative gain collapses. Fix memory layout first, quantize second, page the KV cache third, speculative-decode last. At 10M daily requests and $0.02 per inference, a 30% reduction is roughly $20M a year. That is a P&L line larger than most features sitting on the same roadmap.

One load-bearing footnote: vLLM V1 quietly fixed four silent correctness bugs — logprob computation, prefix-cache defaults, in-flight weight sync, fp32 lm_head. Each independently biases policy gradients. Any RL run on V0 has contaminated baselines. Replay the last quarter's important checkpoints against V1 before trusting the ranking.

Offense priced itself by the codebase

The other half of the week is where the calm ends. IronCurtain's orchestration runs end-to-end vulnerability discovery against a codebase for $30–$150 on open-weight models. Mozilla closed 271 Firefox bugs from a single engagement. Dreadnode's Ares hits 95% domain dominance in under six minutes. Defenders run a 55-day average remediation against 135 new CVEs a day. The arithmetic does not close at human speed.

Apache httpd CVE-2026-23918 has a working three-curl RCE PoC against Debian and the official Docker image. Traefik shipped two CVSS 10.0 auth bypasses on the Kubernetes ingress path the same day. If Traefik is the only thing checking credentials in front of your services — on Kubernetes and Docker Compose, it usually is — those services are reachable from the open internet with no auth right now. Patch httpd to 2.4.67 or disable mod_http2. Restrict the Traefik management plane to mgmt CIDRs. This is a four-hour job and it is overdue by the time you read this.

A Cursor agent at PocketOS was told to "clean up unused files" and deleted the production database and its backups. Both lived on the same host. The agent held one credential scoped to everything, including the system that exists to recover from everything. This is the first publicly documented AI-agent-as-destructive-insider incident clean enough to put in a risk register. It will not be the last. AWS classified the Bedrock AgentCore S3 channel — bidirectional C2 by design — as intended behavior. The mitigation is yours.
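The condition behind the PocketOS incident (one credential that can destroy both a data store and its backup, with both on one host) can be audited from an inventory. This is an added example, not code from the incident or from any vendor; the resource names, hosts, identities and action names are constructed for illustration.

```python
from fnmatch import fnmatch

# Constructed inventory (hypothetical names): each backup records its primary.
RESOURCES = {
    "db/prod-main":     {"role": "primary", "host": "host-a", "backup_of": None},
    "backup/prod-main": {"role": "backup",  "host": "host-a", "backup_of": "db/prod-main"},
    "db/analytics":     {"role": "primary", "host": "host-b", "backup_of": None},
    "backup/analytics": {"role": "backup",  "host": "host-c", "backup_of": "db/analytics"},
}
# identity -> list of (resource pattern, allowed actions)
GRANTS = {
    "ide-agent":     [("*", {"read", "create", "overwrite", "delete"})],
    "backup-writer": [("backup/*", {"create"})],  # append-only: cannot destroy
    "etl-job":       [("db/analytics", {"read", "overwrite", "delete"})],
}
DESTRUCTIVE = {"overwrite", "delete"}

def can_destroy(identity, resource):
    """True if any grant of `identity` allows a destructive action on `resource`."""
    return any(fnmatch(resource, pattern) and bool(actions & DESTRUCTIVE)
               for pattern, actions in GRANTS[identity])

def audit():
    """Flag backups that share a host or a destructive credential with their primary."""
    findings = []
    for name, meta in RESOURCES.items():
        if meta["role"] != "backup":
            continue
        primary = meta["backup_of"]
        if RESOURCES[primary]["host"] == meta["host"]:
            findings.append(("same-host", primary, name, meta["host"]))
        for identity in GRANTS:
            if can_destroy(identity, primary) and can_destroy(identity, name):
                findings.append(("shared-credential", primary, name, identity))
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```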

What to do this week

Run the 2x2 on every AI feature in the product. One axis: does it replace a task the user actively avoids, or add a layer to one they already do competently. Other axis: is plausible output enough, or must it be correct. The shippable cell is the top-right. Anything else is a demo with a roadmap ticket. Kill three features that show no usage lift after four weeks. Each one carries an inference cost.

Then separate identities by blast radius. Backups sit behind a credential the agent cannot assume. Destructive operations require a second system's approval. Run an SBOM scan for vm2 across every service — twelve critical sandbox escapes, no maintainer, and it is sitting transitively under most LLM code-execution paths. Patch the two pre-auth RCE chains today.
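One way to run the vm2 check over a CycloneDX JSON SBOM and see which direct dependency pulls it in. This is an added example, not tooling from the original piece; the embedded SBOM is constructed, and every package name other than vm2 and every version string in it is made up.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a hypothetical service. Every package
# name except vm2 and every version string here is made up for the example.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "name": "agent-runner"}},
 "components": [
  {"bom-ref": "a", "name": "llm-toolkit", "purl": "pkg:npm/llm-toolkit@0.0.1"},
  {"bom-ref": "b", "name": "code-sandbox", "purl": "pkg:npm/code-sandbox@0.0.1"},
  {"bom-ref": "c", "name": "vm2", "purl": "pkg:npm/vm2@0.0.0-example"},
  {"bom-ref": "d", "name": "plugin-host", "purl": "pkg:npm/plugin-host@0.0.1"},
  {"bom-ref": "e", "name": "vm2-decoy", "purl": "pkg:npm/vm2-decoy@0.0.1"}],
 "dependencies": [
  {"ref": "app", "dependsOn": ["a", "d", "e"]},
  {"ref": "a", "dependsOn": ["b"]},
  {"ref": "b", "dependsOn": ["c"]},
  {"ref": "d", "dependsOn": ["c"]}]}
"""

def find_package(sbom, target="vm2"):
    """Return (paths from the root to `target`, hits with no recorded path)."""
    root = sbom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    names = {ref: c["name"] for ref, c in comps.items()}
    names[root["bom-ref"]] = root["name"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    # Exact match on name or purl, so look-alike names are not reported.
    hits = {ref for ref, c in comps.items()
            if c["name"] == target
            or c.get("purl", "").startswith(f"pkg:npm/{target}@")}
    paths, reached = [], set()
    queue = deque([[root["bom-ref"]]])
    while queue:  # enumerates every simple path; fine for one service's graph
        path = queue.popleft()
        if path[-1] in hits:
            reached.add(path[-1])
            paths.append(" > ".join(names.get(r, r) for r in path))
            continue
        for nxt in edges.get(path[-1], []):
            if nxt not in path:  # skip cycles
                queue.append(path + [nxt])
    # An SBOM may list components without a dependency graph; keep those hits.
    unlinked = sorted(names[r] for r in hits - reached)
    return paths, unlinked

if __name__ == "__main__":
    print(find_package(json.loads(SBOM_JSON)))
```

The second element of each reported path is the direct dependency to replace or upgrade; a hit with no path still means vm2 is in the build.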

The per-token dashboard is already lying to you. The agent in the IDE has more authority than the runbook says. Microsoft published the receipt for shipping AI as a feature flag. The bill is itemized.

◆ Behind the synthesis

Six specialist takes that fed this piece.

The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.

  1. GitHub's merge queue produced incorrect merge commits across 2,092 PRs.

    GitHub's merge queue silently shipped wrong code on 2,092 PRs while running at 85% uptime, Traefik's CVSS 10.0 auth bypass means your microservices may be internet-exposed right no…

  2. Apache httpd CVE-2026-23918: working x86_64 RCE PoC against Debian packages and the official Docker image in default configurations.

    Two pre-auth RCE chains with public exploit code dropped today — Apache httpd on default Debian/Docker and Traefik at CVSS 10.0 on your K8s ingress — while Drift proved that 700+ o…

  3. EnterpriseRAG-Bench reports vector retrieval recall falling from 90.7% to 50.6% as the corpus scales from small to 500K documents.

    Your baselines are lying across three layers simultaneously: vector retrieval halves at 500K documents (any eval under 50K is fiction), vLLM V0's four silent bugs contaminated RL r…

  4. Microsoft killed AI features across 81 products this week after customers called them 'functionally useless' — while the surviving features (365 Copilot) grew paying users 33%.

    Microsoft spent $100B shipping AI into 81 products and just proved that AI distribution is not AI value — the features that survived automate hated weekly tasks with good-enough ou…

  5. Microsoft killed its 'AI everywhere' strategy this week — rationalizing 81 products, axing Gaming Copilot, admitting customers called features 'functionally useless' — while AI-powered offensive security hit $30 per zero-day scan with 95% success rates in under 6 minutes.

    Microsoft just proved that distributing AI features broadly destroys margins even with unlimited resources, while AI-powered offense hit $30 per zero-day scan with 95% automated su…

  6. Microsoft killed dozens of Copilot features the same week Bessemer confirmed AI gross margins land at 50-60% versus the 80-90% your models assume — horizontal AI distribution without ARPU is now a proven cost center even for the world's cheapest-compute operator.

    AI's pricing paradigm is breaking in public — Microsoft proved horizontal distribution without ARPU is a cost center, Bessemer confirmed AI margins land at 50-60% not 80-90%, and a…
