AI FAQ

On 18 November 2025 the European Supervisory Authorities (EBA, EIOPA, ESMA) published the first official list of Critical ICT Third-Party Providers under the Digital Operational Resilience Act (Regulation (EU) 2022/2554, applicable from 17 January 2025). The list contains 19 designations, including AWS, Microsoft, Google Cloud, IBM, Bloomberg, LSEG, TCS, and Orange. Each designated provider sits under direct EU-level oversight by Lead Overseers under Articles 31–44 of DORA, with fines up to 1% of average daily global turnover applied per day for up to six months. Article 28 mandates contractual exit strategies, Article 30 specifies critical-function contract terms.

The CLOUD Act (18 U.S.C. § 2713, enacted March 2018) compels US-headquartered providers to disclose data "regardless of whether such communication, record, or other information is located within or outside of the United States." Microsoft's H2 2024 transparency report shows 5,587 US law-enforcement demands for consumer data, 115 of them warrants for content stored outside the US. In late 2024 Microsoft France told the French Senate it cannot guarantee EU-hosted data won't be transferred to US authorities under a CLOUD Act order. For an EU bank, this creates a structural conflict with the EU Data Act Article 32 requirement to resist third-country governmental access to non-personal data, and with DORA-mandated audit rights enforceable in the host jurisdiction.

Legally unresolved as of mid-2026. AWS European Sovereign Cloud is operated by EU-incorporated entities with EU-resident staff and dedicated infrastructure (first region eusc-de-east-1, Brandenburg, launching January 2026, €7.8B investment through 2040). A legal opinion commissioned by AWS argues the structure escapes CLOUD Act reach. A Dutch Ministry of Justice memo (February 2025) noted that the parent ownership is ultimately Amazon.com, Inc., and the CLOUD Act applies to providers with "possession, custody, or control" — corporate parent control plausibly satisfies that test. The question will only be settled by the first contested CLOUD Act warrant against an EU-resident hyperscaler subsidiary, which has not yet occurred.

Announced by Brad Smith at the Atlantic Council Brussels on 30 April 2025 and embedded as a contractual "European Digital Resilience Commitment" with EU national governments and the Commission, Microsoft pledges to challenge in court any government order to suspend operations in Europe and to escrow source code in Switzerland if it loses. Counter-evidence: Microsoft France's French Senate admission that it cannot guarantee non-transfer under a lawful CLOUD Act order, and the Microsoft / Karim Khan episode in which the ICC lost access to its chief prosecutor's Outlook account after EO 14203 sanctioned him. Microsoft denies actively cutting Khan off; the ICC migrated to openDesk anyway. The court-fight clause is a contractual commitment, not a statutory exemption.

Article 32(1) of Regulation (EU) 2023/2854 (applicable 12 September 2025) requires data-processing providers to take "all adequate technical, organisational and legal measures... to prevent international and third-country governmental access and transfer of non-personal data held in the Union where such transfer or access would create a conflict with Union law." Article 32(2) recognises a third-country court order only where it is based on an international agreement in force with the EU or relevant Member State. No EU–US CLOUD Act executive agreement exists, so a US warrant served on Frankfurt-hosted non-personal data is a statutory conflict the provider must resist. Most bank transactional metadata is non-personal under EU law and therefore falls inside Article 32's scope.

DACH bank supervision triangulates four layers. DORA (Regulation 2022/2554) applies EU-wide and creates direct supervision of the 19 Critical ICT Third-Party Providers. The ECB Guide on Outsourcing Cloud Services (16 July 2025) operationalises SSM expectations: concentration risk metrics, exit testing as a continuous obligation, audit rights as enforceable rather than contractual boilerplate. BaFin BAIT and MaRisk AT 9 (9th amendment, June 2024) align German national supervision with DORA; BaFin's March 2024 cloud guidance update adds specific German enforcement detail. FINMA Circular 2018/3 has been in force in Switzerland since 2018, is technology-neutral, and conditions outsourcing abroad on enforceable inspection rights in the host jurisdiction. The four converge on three operational requirements: a tested exit plan with a last-test date, jurisdictionally enforceable audit access, and a measurable concentration metric for ICT third-party providers.

DORA Article 28(8) requires exit plans to be comprehensive, documented, and sufficiently tested and reviewed periodically. In practice the supervisory standard is at least one tabletop exercise or partial migration every two years for any ICT third-party arrangement supporting a critical or important function. Tests must validate data portability, that alternative providers exist, and that the time-to-cutover is realistic. The ECB Cloud Outsourcing Guide of 16 July 2025 reinforces the point by treating exit testing as a continuous obligation; ticking the contractual box once is no longer enough.

Partially. By May 2026, eight of his dated technology and infrastructure predictions have confirmed (test-time compute, GPQA Diamond saturation, power as the binding constraint, Marcellus gas-for-AI, the Gulf chip pivot, AMD's compute TAM). Eight political-economy predictions have falsified (voluntary lab merger, Congressional trillions, a coalition of democracies, DPA invocation, tightening export controls). The technology and infrastructure record is roughly 8-of-10 confirmed; the political-economy record is roughly 8-of-10 falsified.

Aschenbrenner's window remains open but contested. Test-time compute paradigm shifts validated his framework in a register he did not himself emphasise. Pretraining scaling has slowed relative to RL post-training in ways that complicate the additive 5-OOM framing. Capability gains continued; whether the threshold he calls 'drop-in remote worker' is reached by 2027 is the open question his own LP is positioned around.

Aschenbrenner combines three positions normally held separately: a libertarian presumption against state action, a Burkean reverence for two-hundred-year-old institutions, and an empirical optimism about alignment tractability. The synthesis runs as a series circuit where each identity premises the next. He invokes Burke specifically to argue that AGI is a national-security-decisive technology that the existing constitutional architecture must absorb, which yields a Promethean prescription (a peacetime industrial nationalisation) defended on Burkean grounds.

Aschenbrenner was a member of OpenAI's Superalignment team. He has publicly stated, including in the Dwarkesh Patel interview, that he was dismissed in spring 2024, one to two weeks before his colleagues Ilya Sutskever and Jan Leike resigned. Per his own account, the factors discussed in his exit conversations included a security memo he had sent to the board, his decision not to sign the November 2023 employee letter supporting Sam Altman's reinstatement, and his views on AGI nationalisation. He has also publicly stated that he declined the company's non-disparagement NDA, forfeiting approximately one million dollars in vested equity. OpenAI has not commented publicly on the specifics. Within five weeks the Superalignment team was dissolved.

Situational Awareness LP is the San Francisco investment firm Aschenbrenner co-founded in mid-2024. Aschenbrenner has publicly named Patrick Collison, John Collison, Daniel Gross, and Nat Friedman as anchor investors in interviews. The fund's strategy, as Aschenbrenner has publicly described it, expresses the Situational Awareness framework in capital: long semiconductors, power utilities, behind-the-meter gas, and AGI-adjacent infrastructure; the 'big bond short' on real interest rates above 10% has not fired. None of the named LPs has independently confirmed specific position attribution; the descriptions are drawn entirely from Aschenbrenner's own public statements.

Aschenbrenner refuses probability distributions and instead 'tells the modal story', a vivid, dated, falsifiable narrative bet on what the decade looks like. The method's strength is that it is gradable: it produces dated claims that can be scored against reality. Its limitation is substrate-sensitivity: the method is durable on processes governed by empirical lawfulness (log-log scaling curves, capex aggregates, hyperscaler power draw) and brittle on processes governed by elections, executive turnover, and coalition politics.

Menlo's December 2025 State of Generative AI in the Enterprise report puts US enterprise GenAI spending at $37B, drawn from a survey of 495 buyers about their GenAI line items. The figure is US-only, GenAI-only (no traditional or predictive ML), and enterprise-only (no consumer subscriptions). Worldwide vendor-recognized AI revenue is materially larger because Menlo's perimeter excludes non-US revenue, non-GenAI AI SKUs, and the consulting and channel-margin layer.

IDC's AI Solutions Spending Guide pegs 2025 worldwide AI spending at $307B; Gartner's September 2025 forecast puts the same year at $1.478T. The 4.8x gap is definitional. Gartner's umbrella includes $389B of AI-enabled devices (smartphones and AI PCs at full retail value), $282B of broad AI services, and $268B of AI-optimized servers. IDC draws a tighter circle around enterprise AI solutions and excludes consumer devices entirely. Both numbers are correct under their published methodologies; they measure different perimeters.

Under strict GAAP segment-reporting standards (Tier A), only four vendors disclose AI revenue at 10-Q or 10-K segment-level granularity across the 68-vendor census: NVIDIA Data Center ($249B annualized), AMD Data Center ($23B), Broadcom AI semi ($34B), and CoreWeave ($5.1B FY2025 pure-play). All four sit structurally upstream of enterprise spend: the three silicon vendors sell into the cloud and OEM layers, and CoreWeave routes 67% of its revenue through Microsoft, which resells the capacity as Azure AI. Net of resale, Tier A contribution to enterprise-facing AI revenue is between $2B and $10B. The defensible audit-grade floor rests on Tier B (earnings-call dollar disclosures) and totals $63.2B narrow or roughly $72.5B broad after silicon, hardware OEM (ex-Arista's FY26 guidance figure), and resale netting.

The Spread Index is the ratio of audit-grade enterprise AI revenue to Gartner's umbrella AI spending figure: $63.2B / $1.478T = 4.28% narrow and $72.5B / $1.478T = 4.90% broad at v1.0 (May 2026). It captures the disclosure gap between what AI vendors recognize under SEC and earnings-call discipline and what the broadest published market-sizing exercise counts. Updated quarterly with each 10-Q cycle. If audit-grade revenue compounds faster than the umbrella, capex coverage improves on its own; if slower, the underwriting case deteriorates with no change in the headline numbers.

No. Combined 2026 hyperscaler capex guidance from Microsoft, Alphabet, Amazon, Meta, and Oracle approaches $690B. Against the $63.2B narrow floor, the capex-to-revenue ratio is 10.9x; against the roughly $72.5B broad floor, 9.5x; against the $123B reconciled midpoint, 5.6x. The 1990s telecom buildout peaked at roughly 3.5x. Even if only $400-500B of the $690B is genuinely AI-incremental, the ratio sits at 6.3-7.9x. Under 3-year economic amortization applied to the GPU subset of capex, AI revenue would need to reach approximately $400B by 2028 to cover the build; under the looser 5-6 year standard amortization applied to the full stack, the body's quadruple-in-30-months math implies a ~$250B 2028 target, and the gap between the two scenarios is the live finance question.

Microsoft's $37B Azure AI run-rate (disclosed at Q3 FY26 earnings) and OpenAI's reported $25B ARR overlap by approximately $11B because OpenAI's API consumption is largely served on Azure and resold as Azure OpenAI Service. The Microsoft figure is Tier B (CFO-disclosed in earnings call) and audit-relevant; OpenAI's $25B is Tier D, referenced in third-party reporting (Sacra) and discussed publicly by the CFO. Adding both naively double-counts $11B. The audit-grade reconciliation nets the overlap on Microsoft's side. A similar but smaller overlap exists between AWS, GCP, and Anthropic, treated as $7B as this report's analytical assumption.

A natural language autoencoder, or NLA, is a pair of fine-tuned language models that translates an activation vector from a target model into plain-English text and back. The activation verbalizer reads the vector and writes a paragraph describing what it encodes. The activation reconstructor reads the paragraph and tries to recover the original vector. Anthropic published the method on May 7, 2026.