A fascinating new study from MIT and Wharton is challenging one of the most common narratives in technology today.

The headline sounds impressive:

Agentic AI coding tools are driving an explosion in software creation.

The data backs that up. According to the paper Writing Code vs. Shipping Code, AI coding tools have dramatically increased developer output. Commits are up. Projects are up. App releases are up. In some cases, coding activity has increased by more than 100%.

But there is a catch.

The researchers found that these productivity gains shrink dramatically as work moves through the software delivery process. By the time code reaches actual software releases, much of the gain has disappeared. More importantly, while iOS app releases have surged since the arrival of agentic AI tools, app usage has barely moved.

In other words:

We are producing far more software, but not necessarily creating more value.

That observation immediately reminded me of the early 2000s.

During the dot-com boom, the breakthrough wasn’t that companies suddenly discovered customers. The breakthrough was that they discovered websites.

Almost overnight, everyone could launch a .com.

The barriers to publishing online collapsed. Web hosting became easier. Development tools improved. Capital flowed freely. Thousands of startups appeared.

But many of those companies failed for a simple reason:

Building a website was never the hard part.

I remember watching companies spend enormous amounts of money building impressive online storefronts, only to discover that their real problems had nothing to do with technology.

Selling 40-pound bags of pet food online sounds revolutionary until you realize somebody still has to ship them.

Selling CDs online sounds simple until you have to manage inventory, customer acquisition, fulfillment, returns, and margins.

The bottleneck wasn’t HTML.

The bottleneck was business execution.

The same pattern may be emerging with AI. (Related read on this exact tension between agentic coding and shipping discipline: Vibe Coding Is Amazing. It’s Also a Lot.)

AI has dramatically reduced the cost of building software. It has not reduced the cost of understanding customers, building trust, creating distribution, earning attention, or solving meaningful problems.

The MIT researchers describe this as a “weak-link” problem. AI can automate coding, but the rest of the process still depends heavily on human judgment, review, coordination, testing, integration, marketing, and customer adoption.

That is why app releases are soaring while app usage remains flat.

We haven’t suddenly created millions of successful software companies.

We’ve simply made software creation much easier.

When production becomes abundant, value migrates elsewhere.

During the dot-com era, value migrated toward logistics, operations, fulfillment, customer acquisition, and trusted brands.

In the AI era, value may be migrating toward discovery, validation, distribution, knowledge management, and trust.

This is why I believe many organizations are asking the wrong question.

The question is no longer:

“Can we build it?”

AI has largely answered that.

The question is:

“Should we build it?”

And perhaps more importantly:

“Can we get anyone to care?”

The winners of the next phase of AI won’t necessarily be the companies that ship the most software.

They’ll be the companies that still know what is worth shipping.

Frequently Asked Questions

What did the MIT and Wharton “Writing Code vs. Shipping Code” study find?

It found that agentic AI coding tools have driven a sharp increase in raw developer output. Commits, projects, and app releases are all up, with coding activity rising more than 100% in some cohorts. The catch is that the gains compress as work moves through the software delivery process, and iOS app usage has barely changed since the tools arrived. More software is being produced, but not noticeably more value is reaching users.

Why is software production rising while usage stays flat?

AI radically reduces the cost of writing code, but not the cost of understanding customers, building trust, designing experiences, earning distribution, or doing the messy work of shipping. The researchers call it a “weak-link” problem: AI automates coding while the rest of the delivery chain still relies on human judgment, review, coordination, testing, integration, marketing, and customer adoption. The weak link gates the value.

How is the AI app boom similar to the dot-com era?

In both cases, a wave of new tooling collapsed the cost of production. Anyone could launch a website in 2000. Anyone can ship an app today. In both cases, the easy production created the impression of a revolution while the real bottlenecks (logistics, operations, fulfillment, brand, distribution, customer acquisition) stayed exactly as hard as they were before, and the companies that ignored those bottlenecks failed.

What is a “weak-link” problem in agentic AI software delivery?

A weak-link system is one whose performance is gated by its slowest, most fragile component, not its strongest. Agentic coding tools strengthen one link (writing the code) while the rest of the chain (review, integration, testing, deployment, support, marketing, distribution, retention) stays human-paced. Speeding up one link doesn’t speed up the chain. It just produces more work piled up against the unchanged bottlenecks.

Where does value migrate when AI makes production abundant?

Toward the parts of the chain AI does not yet automate well: discovery, validation, distribution, knowledge management, and trust. Choosing the right problem becomes worth more than building any given solution. Reaching the right user becomes worth more than shipping more features. Trustworthy brand, clean knowledge, and direct customer relationships become structural advantages because they cannot be cheaply duplicated by a coding agent.

What should organizations be asking instead of “can we build it?”

Three sharper questions. Should we build it (does it solve a real problem worth solving). Will anyone use it (do we have a credible path to attention, trust, and adoption). And can we actually ship and operate it well (does our delivery chain absorb the new pace without breaking on testing, integration, support, and governance). AI answered “can we build it” for most teams; the harder questions are the ones it cannot answer for you.

Does this mean agentic AI coding tools are overhyped?

No. The productivity gain in writing code is real and large. The mistake is treating that gain as a complete software-economics story. The dot-com era teaches the same lesson in reverse: cheap websites were a genuine breakthrough that still required cheap shipping, working fulfillment, real brands, and actual customer relationships to translate into durable companies. The shipping side of AI is where most of the unanswered work now lives.

The post App Releases Are Soaring, App Usage Is Flat. AI Just Hit Its Dot-Com Moment. appeared first on Colin Smillie.

Apple’s WWDC 2026 announcement may be remembered for something nobody expected.

Not because Siri got dramatically smarter. Not because Apple partnered with Google. But because one of the world’s most valuable companies showed off a flagship AI experience it can’t immediately ship to hundreds of millions of users in Europe.

Apple introduced a new generation of Siri running on a mix of its own models and Google’s Gemini. The experience promises what people have been waiting for: personal context, multi-step actions, persistent memory, conversations that follow you across devices. (I wrote about how this direction was visible months ago in Apple’s AI Strategy May Be Simpler Than We Think.)

In a lot of ways it’s the future of personal computing.

And Apple says it won’t launch on iPhone and iPad in the European Union at first, citing regulatory concerns.

That should get your attention.

The hard part isn’t building the AI

For three years the industry has been obsessed with model capability. How many parameters. How many benchmarks. How many tokens per second. The assumption was that whoever built the smartest model would win.

The Apple-Google partnership points at a different reality. Building the AI is now easier than governing it.

A modern assistant doesn’t just answer questions. It reaches into your calendar, messages, notes, contacts, photos, documents, and location history, and it increasingly acts on your behalf.

Generating an answer is no longer the challenge. The challenge is proving what data was accessed, why, by which system, where it was processed, what actions were taken, what got retained, and what got rejected.

The more autonomous the AI becomes, the harder all of that gets.

When one company owns the user and another owns the model

The Apple-Google relationship creates a governance problem that didn’t exist before.

Apple’s privacy story used to be simple. Apple built the device, controlled the operating system, ran the user experience, and owned most of the processing environment. AI breaks that.

Picture a request like this: “Find the email from my wife about summer vacation, compare it with my calendar, book the open dates, and add the itinerary to my notes.”

To pull that off, the assistant might touch email, calendar, notes, contacts, a travel service, and a payment system. Possibly across several providers.

The user sees one assistant. Behind it, several systems are doing the work.

So who’s responsible for the decision? For the data? For the cleanup when something goes wrong?

Those questions get a lot harder when the company that owns the operating system and the company that owns the model aren’t the same. (Microsoft is wiring its own version of this stack together as Agent 365: Microsoft’s AI Strategy Is Becoming Clear, And It’s Much Bigger Than Copilot.)

Europe is stress testing the future

You can like European regulation or hate it. Either way, the EU is running a large-scale experiment on AI governance right now.

The AI Act, GDPR, and the Digital Markets Act all converge on the same set of issues: transparency, accountability, competition, personal data.

They add up to one blunt question. Can you prove what your AI system actually did? Not what you intended. Not what your policy says. What happened.

Old-school software compliance was manageable because applications followed deterministic logic. Auditors could read the code, review the controls, trace a decision from input to output.

Generative AI puts probabilistic behavior inside systems that touch personal information. At that point the problem stops being software engineering and starts being evidence.

The rise of AI accountability infrastructure

This is why a new category of technology is starting to show up.

Most organizations have poured money into model performance. Far fewer have spent anything on model accountability.

The next wave of AI infrastructure is going to be the unglamorous stuff: data lineage, access controls, policy enforcement, audit trails, consent management, jurisdiction-aware processing, cryptographic verification, decision traceability.

Systems that help you answer hard questions after an AI interaction. Or better, stop the bad interaction before it happens.

I know this sounds dull next to billion-parameter models and multimodal assistants. It’s the opposite of dull. It’s where the money is going to be.

Whole technology markets have been built on trust before. Cybersecurity became a trillion-dollar industry because organizations needed proof their systems were secure. Identity management became a category because organizations needed proof their users were authorized.

AI governance is heading down the same road.

The new competitive advantage

The real lesson from Apple’s announcement is that AI competition has entered a new phase.

For a few years the question was “Can you build the AI?” Now it’s becoming “Can you prove what the AI did?”

The companies that answer that second question may end up mattering as much as the companies building the models. In a world where AI can read your messages, your calendar, your photos, your finances, and your personal history, raw capability isn’t enough.

Trust, accountability, and governance are turning into product features.

And as Apple just showed, even the best AI experience on earth is only as deployable as the governance behind it.

Frequently Asked Questions

Why is Apple delaying its new Siri in the European Union?

Apple introduced a next-generation Siri at WWDC 2026 built on a mix of Apple’s own models and Google’s Gemini, with personal context, multi-step actions, persistent memory, and cross-device continuity. It said it will not launch on iPhone and iPad in the EU at first, citing regulatory concerns tied to how the new experience handles personal data, partner model access, and platform competition obligations under the EU’s overlapping rules.

What is AI governance, in plain terms?

AI governance is the set of rules, controls, and evidence trails that prove what an AI system actually did. It covers what data the system accessed, where it was processed, which model handled it, which actions were taken on the user’s behalf, what got retained, and what got rejected. As assistants become autonomous and reach into personal data, those questions get a lot harder to answer.

Why does the Apple-Google partnership create a governance problem that didn’t exist before?

Apple’s privacy story used to be vertical: Apple built the device, owned the operating system, and ran most of the processing. When the assistant routes work to a third-party model and orchestrates across email, calendar, contacts, travel, and payment systems, the operating-system owner and the model owner are not the same company. Responsibility for the decision, the data flow, and the cleanup gets distributed, and so does the legal exposure.

How are the AI Act, GDPR, and DMA pushing in the same direction?

Each one targets a different surface but they converge on the same core question. Transparency: was the user told what the AI was doing. Accountability: can the operator prove what the AI actually did. Competition: is one platform locking out alternatives. Personal data: was sensitive information processed lawfully and minimally. Together they put AI operators on the hook for evidence, not just intent.

What is AI accountability infrastructure?

It’s the unglamorous layer of technology that makes AI behaviour auditable: data lineage, access controls, policy enforcement, audit trails, consent management, jurisdiction-aware processing, cryptographic verification, and decision traceability. Most organizations have poured money into model performance. Far fewer have spent anything on the evidence layer underneath, and that’s the gap regulators and enterprise buyers are about to close.

Why is AI governance the next big technology market?

Whole industries have been built on trust before. Cybersecurity became a trillion-dollar market because organizations needed proof their systems were secure. Identity management became a category because organizations needed proof users were authorized. AI now needs proof of what the model did with personal data, what actions were taken on the user’s behalf, and which provider was responsible. That demand is structural, and it’s where a meaningful share of the next decade of enterprise spend is heading.

What’s the takeaway for organizations deploying AI right now?

Even the best AI experience on earth is only as deployable as the governance behind it. Treat data lineage, audit trails, consent, and jurisdiction-aware processing as load-bearing product requirements, not paperwork. The competitive question is no longer “can we build it?” but “can we prove what it did?” Organizations that answer the second question well are going to ship into more markets, more verticals, and more sensitive workloads than the ones that don’t.

The post Apple Just Showed Why AI Governance Is the New Battleground appeared first on Colin Smillie.

For almost twenty years, the deal between Google and publishers was simple. Publishers made content. Google sent traffic. Publishers turned that traffic into money through ads, subscriptions, or commerce.

It worked for everyone.

AI search broke the deal. (For the broader pattern this fits into, see Google Is Breaking the Internet.)

Now you can ask Google a question and get a finished answer without clicking through to a single source. Great for the person asking. A problem for anyone who funds journalism with clicks, page views, and subscriptions.

Google is finally testing something to fix the imbalance.

In May, it said AI Overviews and AI Mode would start flagging content from publications you already subscribe to with a “Subscribed” label. Google claims people were significantly more likely to click those links in early testing.

Looks like a minor UI tweak. I don’t think it is. I think it’s the first sign of how Google plans to handle the economics of AI search.

The old contract is broken

Old-school search paid publishers in traffic. Even when Google showed a snippet, you still had to click through to read the whole thing, compare sources, or dig deeper.

AI search rewrites that math. The answer now lives inside Google’s interface. You get what you came for and leave. The publisher supplied the knowledge and may get nothing back.

The numbers are starting to land. A 2026 study of AI Overviews found they cut traffic to Wikipedia by roughly 15%. That’s some of the first hard evidence that an AI summary can replace a visit to the source.

Another large analysis found more than half the pages cited inside AI Overviews carry advertising. So when someone reads Google’s summary instead of the page, the publisher loses the ad revenue that would have paid for the work.

Google’s problem writes itself. If publishers can’t make money, fewer of them will bother producing the journalism and analysis these AI systems feed on. (Related pattern from the agent side of this: Robots.txt Was Built on Trust. AI Agents Are About to Break That.)

What Google is actually testing

The feature links your Google account to the publisher subscriptions you already pay for. When Google pulls content from one of those publications into an AI Overview or AI Mode answer, it tags the citation as “Subscribed.” Google says that tag drove more clicks in testing.

Notice what Google is not doing. It isn’t trying to bring back the old traffic model. It’s building a different incentive.

Instead of rewarding publishers through rankings and traffic alone, Google is starting to reward the ones that have a direct, paid relationship with a reader.

That’s a real shift.

Why a subscription is different

For years Google leaned on signals like relevance, authority, backlinks, and engagement.

A subscription adds something those never captured: trust.

A subscription tells Google three things. A reader cares enough about a publication to pay for it. The publisher has a standing relationship with that reader. And the content is worth coming back to, not just useful for one search.

A backlink can be bought. A click can be an accident. Paying for a subscription is a choice someone makes on purpose. That’s a stronger signal than almost anything else Google has, and it’s useful to publishers and to any AI system trying to figure out which sources actually matter.

From SEO to GEO to something else

Digital publishing ran on SEO for years. Then AI brought GEO, Generative Engine Optimization, where the goal is to become a source the AI cites in its answer.

This experiment hints at a third stage. Call it relationship optimization.

The question stops being “which source ranks highest” and becomes “which source matters to this particular person.” A paid subscription is about the clearest answer Google can get.

It doesn’t have to stop at news. Newsletters, creator memberships, paid communities, YouTube subscriptions, saved source preferences all point the same way. Search is going to get a lot more personal than the one-ranking-fits-everyone model we grew up with.

The timing isn’t a coincidence

Google made this move while publishers and regulators were leaning on it.

This month the UK’s Competition and Markets Authority told Google it has to let publishers opt out of AI summaries without losing their place in regular search results. Regulators also want more transparency, better attribution, and real control over how publisher content gets used in AI products.

The message is hard to miss. AI search can’t survive if it guts the economics of the content it depends on.

Google’s recent changes, more visible links, richer source previews, stronger attribution, community citations, and now subscription labels, read like a direct response to that pressure.

What this actually means

This is bigger than a label.

Google is admitting something publishers have been shouting about for over a year. AI answers create huge value for users while siphoning off value that used to flow to the people making the content.

The subscription label is the first real sign Google is hunting for ways to send some of that value back.

Is it enough? On its own, no. But it’s an admission that AI search needs healthy publishers to survive.

The winners of the next phase of search probably won’t be the sites with the most traffic. They’ll be the ones with the strongest direct relationship with their readers.

If you publish, that makes your subscriptions, memberships, newsletters, and communities worth more than they’ve ever been. And for Google, it might be the first step back toward the deal that made the web work in the first place.

Frequently Asked Questions

What is the new Google Subscribed label in AI Overviews?

It’s an experimental feature inside AI Overviews and AI Mode that tags cited sources you already pay for with a Subscribed badge. Google links your account to the publisher subscriptions you hold, then surfaces those publications more prominently in AI-generated answers. In early testing, Google says users were significantly more likely to click the labelled citations.

How did AI Overviews break the old traffic deal between Google and publishers?

For almost twenty years the deal was simple. Publishers produced content, Google sent traffic, publishers monetized through ads, subscriptions, and commerce. AI Overviews now answers the question inside Google’s interface, so users get what they came for and leave. A 2026 study found AI Overviews cut Wikipedia traffic by roughly 15%, and more than half the pages cited inside AI Overviews carry advertising, which makes the lost click a lost revenue event.

Why is a paid subscription a stronger signal than backlinks or clicks?

A backlink can be bought. A click can be an accident. A paid subscription is a deliberate choice a reader makes with their wallet, on purpose, repeatedly. That makes it one of the strongest trust signals Google has access to and a clean differentiator between sources someone actually relies on and sources that just rank well.

What is “relationship optimization” in search?

SEO optimized for rankings. GEO (Generative Engine Optimization) optimizes for AI citation. Relationship optimization is the proposed third stage, where the question stops being “which source ranks highest” and becomes “which source matters to this particular reader.” Subscriptions, memberships, newsletters, paid communities, and saved source preferences are all early instruments of that shift.

How does this connect to the UK CMA decision on AI summaries?

The UK’s Competition and Markets Authority recently told Google it must let publishers opt out of AI summaries without losing their place in regular search results, alongside demanding more transparency, better attribution, and real publisher control. Subscribed labels, richer source previews, and stronger attribution all read as a direct response to that regulatory and publisher pressure.

What should publishers actually do about this?

Treat subscriptions, memberships, newsletters, and paid communities as load-bearing infrastructure, not nice-to-have add-ons. Direct reader relationships are the asset Google is now starting to reward in AI surfaces, and that signal will likely spread to other AI search products. The publishers who go into the next phase with healthy paid-relationship lists will be in a structurally stronger position than those still optimizing only for traffic.

Is the Subscribed label enough to fix the AI search revenue problem?

On its own, no. It’s a UI nudge that drives more clicks to publications a reader already pays for, which helps incumbents with strong subscription bases more than independent publishers. But it’s the first real admission from Google that AI search has to send value back to the publishers it depends on, and it sets a direction other AI products will probably follow.

The post Google Broke the Search Contract. Are Subscriptions the Fix? appeared first on Colin Smillie.

I recently read a piece of research from CleverHans that gets at a future a lot of security people have seen coming for years: AI-powered worms that can reason, adapt, and spread on their own.

Research article: CleverHans latest research.

For most of the history of malware, worms have depended on a specific vulnerability. Defenders find the weakness, patch it, and the worm loses most of its ability to spread. That has been the basic rhythm of the whole field.

The CleverHans team built something that breaks the pattern. Instead of hard-coding a single exploit, their prototype uses an AI agent to look at each target, find an opening, pick an attack path, and keep moving through the network. It behaves less like a traditional worm and more like an automated penetration tester. (For a broader take on agent-shaped risk on personal infrastructure, see Your Computer, Your Agent, Your Risk.)

It is still a research project, but it points at a real shift in how we should think about risk.

The old threat was “exploit vulnerability X.” The new one is closer to “get access to that system, and figure out how yourself.” That difference is bigger than it sounds.

Reading the paper brought back one of the worst security incidents I have watched up close.

In 2017, while I was at Hill+Knowlton, part of WPP, the company got hit by NotPetya. I had never seen anything like it. Machines could be infected within minutes of connecting to the corporate network, across WPP’s global operations, IT teams went into full emergency mode. Systems were shut down, services were pulled offline, and business stopped in places all over the world. Email, file sharing, collaboration tools, ordinary day-to-day processes, all of it gone at once.

Here is the part that stays with me. NotPetya wasn’t smart. It wasn’t using AI. It wasn’t reasoning about its surroundings or choosing its own path. It exploited known vulnerabilities and ran a fixed set of propagation techniques, and that was enough to become one of the most destructive attacks ever recorded. Billions of dollars in damage, worldwide.

Now picture NotPetya’s speed combined with an agent that can actually think.

Instead of hunting for one vulnerability, it could weigh dozens. Instead of following a set route, it could find new ones. Instead of stalling at a patched system, it could go looking for another way in.

That is the scenario the CleverHans work asks us to take seriously.

The strange comfort here is that the defensive playbook barely changes:

• Strong identity and access management
• Network segmentation
• Least-privilege access
• Fast patching
• Continuous monitoring
• Zero Trust architecture
• A real incident response plan

What changes is the weight on each of them. These controls matter more, not less, once an attacker no longer needs a predetermined path through your environment.

For anyone running technology, the takeaway is that we are moving into a different phase. Past threats were exploit-driven, the next ones look objective-driven. Rather than being handed a specific vulnerability to use, an autonomous agent gets a goal and works out the route on its own.

Maybe AI-powered worms become common in a few years. Maybe they stay mostly in the lab. Either way the direction is obvious. Attackers are getting more adaptive, and our defenses have to do the same.

Frequently Asked Questions

What is an AI-powered worm?

An AI-powered worm replaces the hard-coded exploit at the core of a traditional worm with an autonomous AI agent. Instead of relying on one known vulnerability to propagate, the agent inspects each new target, picks an attack path, adapts when it gets blocked, and keeps moving, functionally it behaves much more like an automated penetration tester than a classic worm.

What did the CleverHans research demonstrate?

CleverHans built a prototype that swaps a fixed exploit for an AI agent making decisions in real time, choosing targets, finding openings, and picking propagation paths on its own. It’s still research, not a deployed threat, but it makes the architectural shift concrete: from “exploit vulnerability X” to “achieve objective Y, figure out the route yourself.”

Why does this differ from traditional malware like NotPetya?

NotPetya was devastating without any intelligence at all. It chained known vulnerabilities and a fixed propagation pattern into one of the most destructive cyberattacks ever recorded. An objective-driven AI worm wouldn’t be bounded by a static playbook. It could weigh dozens of vulnerabilities, find alternate paths when patches blocked one, and adapt to unfamiliar environments, at machine speed.

How does objective-driven malware change defensive priorities?

The defensive playbook stays familiar, strong identity and access management, network segmentation, least-privilege access, fast patching, continuous monitoring, Zero Trust architecture, and a real incident response plan. What changes is the weight on every one of those controls. They matter more, not less, once an attacker no longer needs a predetermined path through your environment.

Are AI-powered worms a near-term threat or a future one?

Today it’s a research-stage capability, not a live in-the-wild threat at scale. The direction is the important part: attackers are getting more adaptive, models are getting cheaper and more capable, and the gap between “automated penetration tester” and “autonomous worm” is narrower than it was a year ago. Defenders should be hardening for objective-driven adversaries now rather than waiting for a first major incident.

What should security teams do first?

Start with the controls that limit blast radius regardless of attack path, strong identity, segmentation, and least privilege. Add fast patching and continuous monitoring so a single foothold doesn’t sit unnoticed long enough for an agent to pivot. Treat Zero Trust as architecture, not a slogan, and rehearse the incident response plan against scenarios where the adversary chooses its own propagation path instead of following a known one.

The post AI-Powered Worms Are Coming: What CleverHans’s Research Means for Defenders appeared first on Colin Smillie.

Every AI company says its model is the best.

OpenAI publishes benchmark scores. Anthropic talks about safety and reasoning. Google points to multimodal results. xAI sells real-time information. Everyone has a scorecard, and everyone wrote their own test.

If you are a professional trying to pick a tool, that is not much help. It is noise. (I’ve made the case before that model choice in 2026 turns on fit-to-workflow, not raw benchmark scores.)

Crosscheck is LinkedIn’s attempt to cut through it. You can see the live version at the Crosscheck leaderboard.

On the surface it is simple. You submit a prompt, you get responses from several models, you rate what comes back. Those ratings pile up into a score for each model. Rotten Tomatoes, except the critics are working professionals and the films are language models.

The interesting part is not the feature. It is who is running it.

LinkedIn knows who you are. Not in the vague way an ad network knows you, but specifically: your industry, your job function, your seniority, your career history. No other AI evaluation has that context attached to the person doing the rating.

So a marketing director, a software engineer, an HR lead, and a CFO can rate the same model and disagree completely, and all four ratings are useful, because LinkedIn knows which one is which.

That changes what “best” means. For the first time a model can be ranked by whether it actually helps with your job, not by how it scores on a test someone built to make their own model look good. (Related: why most organizations have no idea which AI to trust.)

Which raises the questions worth asking. Will companies start choosing vendors off Crosscheck rankings? Will the labs tune their models to win professional ratings instead of benchmarks? Could a leaderboard for a single industry end up mattering more than every academic benchmark combined?

There is a privacy side to this too. Crosscheck runs on prompts, responses, ratings, and professional context, all collected and aggregated. LinkedIn says the point is to help professionals see which models work best for their kind of work. Fair enough. But anyone using it should be clear about what they are handing over and how it gets used.

Here is the pattern I keep coming back to.

Search engines ranked websites. Social networks ranked content. Now the platforms are ranking the models themselves.

Whoever owns those rankings may end up with more power over AI adoption than the people building the models. That is the part almost nobody is talking about yet.

Crosscheck looks like a product feature today. I think it is closer to infrastructure.

Frequently Asked Questions

What is LinkedIn Crosscheck?

Crosscheck is a LinkedIn Labs project that lets professionals submit prompts, receive responses from multiple AI models, and rate the answers. Aggregated ratings turn into a leaderboard scored against the rater’s industry, job function, and seniority. Functionally, it’s a Rotten Tomatoes for language models. Every reviewer comes with verified professional context attached.

Why is Crosscheck different from MMLU, MT-Bench, or other AI benchmarks?

Traditional benchmarks measure how a model performs on tests written by researchers, often the same labs that build the models. Crosscheck measures whether the model is actually useful to working professionals on real prompts, segmented by who’s doing the rating. That moves the evaluation from “which model is technically best” to “which model is best for my kind of work.”

Why does LinkedIn have an unusual advantage here?

LinkedIn knows the rater’s verified industry, job function, seniority, and career history. No other AI evaluation surface has that context. That means a marketing director, software engineer, HR lead, and CFO can rate the same model differently and every rating is independently useful, because the platform knows which one is which and can segment accordingly.

Could Crosscheck change how enterprises choose AI vendors?

Quite possibly. If a credible leaderboard shows that one model meaningfully out-performs others for legal, healthcare, marketing, or engineering work, as rated by actual professionals in those roles, that becomes the kind of signal procurement teams use, and AI labs respond to. Industry-specific leaderboards may end up shaping vendor selection more than general academic benchmarks.

What are the privacy considerations with Crosscheck?

Crosscheck collects prompts, model responses, user ratings, and professional context, then aggregates them to build the leaderboard. LinkedIn’s stated purpose is helping professionals identify which models work best for their kind of work. Anyone using it should be clear-eyed about what they’re submitting, how it’s stored, and what it’s used for downstream. Treat any prompts you’d consider sensitive as if they’ll be retained.

Why is Crosscheck closer to infrastructure than a product feature?

Search engines ranked websites. Social networks ranked content. Crosscheck ranks the models themselves. Once a professional-context leaderboard becomes the default reference for “which AI is best for my role,” it stops being a feature and starts behaving like market infrastructure, shaping vendor selection, model tuning, and AI adoption at scale. Whoever owns that layer may end up with more influence on the AI market than the labs building the models.

The post LinkedIn Just Created the Rotten Tomatoes of AI appeared first on Colin Smillie.

The reports about Meta’s AI-powered support systems should make every organization rushing to deploy AI agents and copilots stop and think.

The lesson here isn’t that AI is insecure. The lesson is that a lot of organizations are making the same architectural mistake: they’re treating AI like a trusted employee instead of an untrusted interface.

That difference matters more than most security teams have realized yet.

The Wrong Question

When organizations start building AI support systems, the questions usually sound like this. How do we prevent prompt injection? How do we stop users from tricking the model? How do we make the AI follow instructions?

Every one of those questions assumes the AI can be trusted. It can’t.

Large language models are probabilistic. They interpret language, generate responses, and infer intent. They were never designed to make security decisions, and pretending otherwise is where the trouble starts.

The better question is simple. What happens if the AI gets manipulated?

If the answer is “nothing important,” your architecture is probably fine. If the answer is “the AI can reset passwords, unlock accounts, issue refunds, or change permissions,” then you’re trusting something that hasn’t earned it.

The Security Boundary Principle

Cybersecurity has run on one idea for decades: never trust user input.

AI changes what the interface looks like. It doesn’t change the principle. Every message sent to an AI system is untrusted input, which means the AI itself should never be the security boundary. The boundary belongs outside the model.

Take a common support scenario. A customer contacts support because they can’t get into their account. A lot of teams reach for a workflow that looks like this:

Customer → AI Support Agent → Account Recovery System

The AI takes in the information, evaluates the request, and performs the recovery. The flaw is right there in the diagram. An attacker only has to convince the AI.

A safer design adds the steps that actually matter:

Customer → AI Support Agent → Identity Verification Service → Authorization Engine → Recovery Workflow

The AI still gathers information, explains the policy, and walks the customer through the process. What it doesn’t do is decide whether the customer is who they say they are. That stays with a dedicated identity system, where it belongs.

AI Should Explain Security, Not Perform It

Think of the AI as a concierge.

A concierge can tell you where the conference room is, but can’t issue you a badge to get in. A concierge can explain how the refund process works, but can’t approve your refund. A concierge can walk you through password recovery, but doesn’t get to decide whether your password should be reset.

The AI’s job is communication. The security system’s job is authorization. The risk shows up when those two jobs blur together.

The Emerging Enterprise Pattern

The more mature AI deployments are converging on a layered approach.

Layer 1: Conversation. The AI talks to the customer. It answers questions, summarizes information, explains policies, and collects the details that are needed. It cannot execute sensitive actions.

Layer 2: Verification. Dedicated identity systems handle multi-factor authentication, device verification, identity checks, and fraud detection. The AI plays no part in the decision.

Layer 3: Authorization. Policy engines decide who can do what, under what conditions, and what approvals are required. These rules are deterministic and auditable.

Layer 4: Execution. Workflow systems carry out password resets, account recovery, billing adjustments, and membership changes. Only after verification and authorization are done.

The Mindset Shift

For years, organizations have poured effort into making systems trustworthy, with AI, the goal needs to be different.

The old question was “how do we make the model safe?” The question worth asking now is “how do we make the architecture safe even when the model fails?”

That sounds subtle. It isn’t. No competent security team assumes every employee makes perfect decisions, that every email is legitimate, or that every user is honest. There’s no reason to extend your AI a level of trust you’d never extend to a person.

Designing for Failure

The strongest AI security architectures start from the assumption that compromise is possible.

Prompt injection can succeed, social engineering can succeed. The model can lose the thread of the conversation. The model can hallucinate. None of that should be allowed to cause real damage.

The point was never to build a perfect AI. The point is to build a system where an AI mistake stays a mistake and never becomes a security incident.

The Future of AI Governance

The organizations that do well with AI over the next decade won’t be the ones with the most powerful models. They’ll be the ones with the strongest governance. (For a sector-specific take on what proportional governance actually looks like, see AI Governance for Canadian Nonprofits.)

In practice that means least privilege access, independent verification systems, human approval for high-risk actions, real audit trails, and a clear line between communication and authorization.

The Meta incident won’t be the last AI security story this year, but it might be one of the more useful ones, because it’s a reminder of what AI actually is. Not a trusted employee. A powerful interface sitting between your users and systems that still need the same security controls they always did.

Frequently Asked Questions

Why is AI an untrusted interface and not a trusted employee?

Large language models are probabilistic. They interpret language, infer intent, and generate plausible responses. They were not designed to make security decisions, and prompt injection, social engineering, and hallucination all give an attacker ways to manipulate model output. Treating any input arriving via an AI surface as untrusted is the same principle that has governed web security for decades; the interface has changed, the principle hasn’t.

What was the lesson from the Meta support AI incident?

The Meta support incident wasn’t really an “AI is broken” story. It was a story about putting AI inside the security boundary, with authority to make decisions that should have lived in independent verification and authorization systems. The architectural fix is to move sensitive decisions out of the model entirely.

What is the layered architecture for safe AI support systems?

Four layers, each with one job, conversation: the AI talks to the user and collects information; it cannot act on sensitive systems, verification: dedicated identity systems handle MFA, device checks, and fraud detection, authorization: policy engines decide what actions are allowed and what approvals are required, deterministically and auditably. Execution: workflow systems perform the actual change (password reset, refund, account recovery) only after verification and authorization are complete.

How do you protect against prompt injection in production?

You don’t try to make prompt injection impossible. You make it harmless. Assume it will succeed sometimes, then design so a compromised model output cannot trigger a sensitive action without passing through an independent verification system, a deterministic authorization engine, and (for high-risk operations) human approval. Input filtering and prompt hardening are useful defence-in-depth, but they should never be the only line.

What are the enterprise best practices for AI security?

Five hold up across most deployments: least-privilege access for AI agents (only the permissions the task actually needs); human approval for high-risk actions (money, identity, permissions, legal commitments); comprehensive audit trails (logs of prompts, decisions, tool calls, approvals, outcomes); separation of thinking from acting (AI can recommend, dedicated systems execute); and never trusting external content (treat every retrieved document, web page, or tool output as untrusted input and filter and sandbox it).

Should AI ever execute sensitive actions on its own?

For low-stakes, reversible actions with strong audit trails, yes. That’s how agentic systems get useful. For high-stakes actions (password resets, financial transactions, permission changes, account recovery, legal commitments), the answer is no. Those decisions should always flow through independent verification, deterministic authorization, and. Where the blast radius justifies it. Human approval. The goal is not zero AI autonomy; it’s autonomy proportional to blast radius.

What’s the single most important mindset shift for AI security?

Stop asking “how do we make the model safe?” and start asking “how do we make the architecture safe even when the model fails?” That single reframing pushes you toward defence-in-depth, independent verification, deterministic authorization, and least privilege. The controls that already work for every other untrusted interface in your stack.

The post Stop Treating AI Like an Employee: What the Meta Support Incident Teaches Us About AI Security appeared first on Colin Smillie.

Most organizations still treat social media accounts as marketing channels. For a lot of brands, though, those accounts have turned into something far more important: critical business infrastructure. That’s where the trouble starts.

Over the past few years, stories of people and businesses losing access to their Facebook and Instagram accounts have piled up, sometimes the account gets hacked, sometimes the employee who ran it leaves, sometimes an automated system disables it for reasons nobody can explain. The outcome tends to be the same. The organization gets stuck in a recovery process with almost no visibility, little support, and no obvious way out.

The problem isn’t really account security. It’s ownership.

A Story I’ve Seen Firsthand

A few years back I worked with a large national brand that got locked out of its Instagram account after the employee who managed it left.

What should have been a routine handoff became a multi-year mess.

The organization tried every path it could find. It contacted Meta support. It submitted ownership documentation. It worked through agency relationships and escalated through business channels. It provided evidence of trademark ownership and brand control.

None of it worked. Months turned into years.

Eventually they gave up. Instead of recovering the original account, they spun up a new one and rebuilt their audience from zero.

The original account is still there. It sits on Instagram’s servers as a ghost of the brand’s history, a duplicate the legitimate organization can’t access, control, or take down.

Sit with that for a second. Imagine losing the keys to a retail store and being told the building stays open forever, but nobody can go inside. That sounds ridiculous. It happens in digital spaces all the time.

The Problem Meta Created

Account recovery is hard, and it should be. It’s one of the highest-risk security functions on the internet. Make recovery too easy and attackers walk in. Make it too hard and legitimate users get locked out for good.

So I understand Meta’s challenge. What I don’t accept is the operational failure underneath it.

For years Meta has pushed organizations to build communities, audiences, customer relationships, and ad strategies on its platforms. Businesses have poured billions into creating value for Facebook and Instagram. Then a dispute comes up, and those same businesses find out the support they get is nowhere near the value of what’s at stake.

Meta wants companies to treat these accounts as mission-critical, while handing them recovery tools that look like consumer self-service. That gap is the risk.

The Hidden Risk of Platform Dependency

This goes well beyond Meta. A lot of organizations have let critical assets become dependent on platforms they don’t control, often without noticing it happen.

Look at what disappears when a social account is lost:

• Followers vanish.
• Advertising history is gone.
• Customer communication channels go dark.
• Verification status is stripped.
• Historical content becomes inaccessible.
• Brand confusion sets in as duplicate accounts linger.

For some businesses, the social account is effectively the customer database. The difference is that with a CRM you actually own and administer your data. Here, you don’t. The platform owns the infrastructure, runs the recovery process, and decides who gets in.

This Isn’t Just a Meta Problem

Google accounts, Microsoft identities, Apple IDs, LinkedIn profiles, and plenty of others carry the same risk. What sets Meta apart is how much value sits behind a single login.

One Facebook profile can control:

• Instagram accounts
• Facebook Pages
• Meta Business Manager
• Advertising accounts
• Messenger communication
• Marketplace listings
• Community Groups

When one account fails, the damage spreads fast and wide.

The Rise of “Shadow Recovery Services”

This support gap has spawned an entire side economy. Search around and you’ll find no shortage of consultants, agencies, and recovery specialists who claim they can get your lost Meta account back.

Some of them are legitimate experts who genuinely understand Meta’s tangled support system, some lean on partner relationships and escalation channels regular users never see, and some work in far murkier territory, relying on insider contacts, contractors, or practices you’d rather not ask about.

When a market grows up around getting past official support, it tells you something. The official process is failing enough people that an alternative becomes worth paying for.

The Real Lesson: Own Your Audience

The lesson here isn’t about Instagram. It’s about resilience.

Treat social platforms as distribution channels, not as primary assets. The things that actually matter should be owned outright:

• Your website
• Your email list
• Your CRM
• Your customer database
• Your content archives
• Your identity systems

Social platforms are still enormously useful. For discovery, engagement, and reach, nothing else comes close, but they should never become the only place your customer relationships or brand equity live.

A social media account isn’t property. It’s access granted by a third party, and as plenty of organizations have learned the hard way, access can vanish a lot faster than it took to build.

The Governance Question Every Executive Should Ask

If your main social media administrator walked out tomorrow, could your organization recover every account within 24 hours?

If you’re not sure, you don’t have a social media problem. You have a governance problem.

The companies that do well over the next decade won’t be the ones with the biggest followings. They’ll be the ones that understood the difference between renting an audience and owning a relationship.

Frequently Asked Questions

Why is losing an Instagram or Facebook account such a big deal for businesses?

For many organizations the social account has become critical infrastructure. It holds followers, ad history, verification status, historical content, and an active customer communication channel. When access disappears, that entire stack goes with it, and the platform alone decides whether and when it comes back.

Why is Meta account recovery so difficult for businesses?

Meta’s recovery tooling is fundamentally consumer self-service, designed for individual users who forgot a password, not for organizations defending mission-critical brand assets. The result is a process with little visibility, limited human support, slow response times, and ownership-documentation paths that often fail even with strong evidence (trademarks, brand control, agency relationships).

What actually disappears when a business loses a social media account?

Followers vanish. Advertising history is gone, customer communication channels go dark, verification is stripped. Historical content becomes inaccessible, and duplicate accounts often linger, creating brand confusion the legitimate organization can’t fix.

Is this only a Meta problem?

No. Google accounts, Microsoft identities, Apple IDs, and LinkedIn profiles all carry the same dependency risk. What makes Meta especially exposed is how much sits behind a single Facebook profile. Instagram, Pages, Business Manager, ad accounts, Messenger, Marketplace, and Groups can all share the same fate when one login fails.

What are “shadow recovery services” and should businesses use them?

They’re the side economy of consultants, agencies, and specialists offering Meta account recovery outside the official support path, some are legitimate experts with deep partner-channel knowledge, some lean on escalation paths regular users don’t see, some operate in murkier territory using insider contacts or contractor relationships. The fact that the market exists at all is a strong signal that the official process is failing enough organizations to make alternatives worth paying for, but engaging an outside recovery service carries its own due-diligence work.

What assets should organizations actually own outright?

Your website, your email list, your CRM, your customer database, your content archives, and your identity systems, social platforms are still extremely useful for discovery, engagement, and reach, but they should be treated as distribution channels, not as primary assets. The customer relationship and brand equity should always live somewhere you control.

What is the one governance question every executive should ask?

“If our main social media administrator walked out tomorrow, could we recover every account within 24 hours?” If the answer isn’t a confident yes, the problem isn’t social media. It’s governance. Documented ownership trails, multiple admin roles, business-verification status, and offline copies of audience and content data should all exist before they’re needed.

The post You Don’t Own Your Instagram Account. Meta’s Recovery Process Proves It. appeared first on Colin Smillie.

Every year I go through lists like The Peak’s Emerging Leaders and the various 40 Under 40 roundups. It’s interesting to read the profiles of the next generation of leaders, but I also seek a deeper value.

I read them because they work as a snapshot of what the economy values right now. Who gets recognized, which skills get rewarded, which industries are growing, and where investors and institutions think things are headed.

This year I spent some time with The Peak’s 2026 Emerging Leaders list, and a few patterns jumped out that have less to do with the individuals than with the direction of the whole thing.

1. AI Has Become Plumbing

A few years ago, the AI people on these lists were researchers, startup founders, or builders shipping AI products.

Now AI shows up everywhere. Healthcare leaders using it on patient outcomes. Financial services people applying it to risk and customer experience. Public sector folks trying to modernize government services with it. Education and climate organizations folding it into how they make decisions.

The part I find most telling is that most of the recognized leaders are not building AI. They are putting it to work.

The question has shifted from “Who can create AI?” to “Who can actually deploy it against a real problem?” That is what it looks like when a technology stops being exciting and starts being infrastructure.

2. Operators Are the New Founders

For a long stretch the startup world treated founders as the only people worth celebrating.

The 2026 list reads differently. A lot of these names are operators, product leaders, growth executives, policy people, and community builders.

That tracks with where Canada actually is. We have shown we can start companies. What we have struggled with is scaling them, keeping them alive, and reshaping the institutions we already have. The people who can execute on that are now worth as much as the people who can invent.

I would go further than the list does. In Canada, execution has been our weak spot for years, and the fact that operators are finally getting recognized feels overdue rather than novel.

3. Government Is Pulling in Real Talent

The most noticeable change is how many of these leaders work in government, policy, and public service.

There was a time when ambitious young professionals saw government as the place that slowed innovation down. A lot of them now see it as the place where the interesting work is.

Housing, healthcare, digital services, infrastructure, climate adaptation. These are among the hardest problems the country faces, and solving any of them takes people who can work the policy and the delivery at the same time. The wall between public and private sector careers keeps getting thinner.

4. Purpose and Profit Have Stopped Arguing

Another thing that stood out is how many of these leaders sit right at the meeting point of growth and social impact.

Ten years ago you were supposed to pick one. Impact or profitability, not both.

This generation doesn’t seem to buy that. Whether they work in climate tech, healthcare, education, community organizations, or finance, a lot of them are building things meant to produce economic and social value at once.

That matters here specifically, because most of Canada’s biggest problems are too big for either government or business to fix on its own.

5. Leadership Is Spreading Out

The old innovation story was Toronto, Vancouver, Montreal, and not much else.

Those cities still matter, but leadership is now coming out of every region. Remote work, better digital collaboration, and easier access to capital and networks mean talented people can build careers and companies from almost anywhere.

Canada’s innovation economy is getting less centralized. I think that ends up being one of our real advantages, not a footnote.

6. Reputation Beats Job Title

A lot of these emerging leaders are not only executives or founders. They teach.

They write newsletters, host podcasts, contribute to open source, speak in public, post on LinkedIn, and build communities around what they know.

Influence is increasingly earned through being visible, credible, and useful, rather than through a spot on an org chart. The effect is a group of leaders whose reach goes well past their formal job.

The One That Stuck With Me: The Translators

After going through the whole list, one pattern sat with me more than the rest.

These leaders are translators. They turn technology into business outcomes. They turn policy into action. They turn data into decisions. They take complicated ideas and make them usable.

In a working world built around specialization, the ability to connect disciplines is starting to look like one of the more valuable things a leader can do. The advantage seems to be moving away from the person who knows the most about one subject and toward the person who can stitch a few of them together.

That is what I see in this year’s list. If these leaders are any signal, Canada’s next decade gets shaped by people who can move between technology, business, government, and society and actually get something built.

Worth a browse if you want to form your own read: The Peak’s 2026 Emerging Leaders.

I’m already curious what next year’s list will say.

Frequently Asked Questions

What is The Peak’s Emerging Leaders list?

The Peak’s Emerging Leaders list is an annual Canadian roundup of next-generation leaders across sectors. Startup operators, public-service builders, climate-tech founders, healthcare and finance professionals, community builders, and policy people. Read as a body, it’s a useful snapshot of which skills and industries the Canadian economy is currently rewarding.

Why read an Emerging Leaders list as an economic signal instead of a profile collection?

The individuals are interesting, but the patterns across the cohort are more interesting still: which sectors get the most representation, which roles (founder vs operator vs public-sector) get celebrated, where leaders are physically based, and how they describe their work. That mix tells you what investors, institutions, and the broader economy are valuing right now.

What does “AI has become plumbing” mean in this context?

It means most of the recognized AI-adjacent leaders aren’t building AI. They’re deploying it inside healthcare, finance, public services, education, and climate work. The economy has moved from rewarding “Who can create AI?” to “Who can actually deploy it against a real problem?” That’s the signature of a technology shifting from frontier to infrastructure.

Why are operators getting as much attention as founders in 2026?

Canada has shown it can start companies, the harder problem is scaling them, keeping them alive, and reshaping existing institutions. Operators, product leaders, growth executives, and community builders are the people who actually deliver on that. The 2026 list recognizing them feels overdue rather than novel, given how long execution has been the weak link.

What is the “translator” pattern in emerging Canadian leadership?

Translators are leaders who move fluently between disciplines. Turning technology into business outcomes, policy into action, data into decisions, and complex ideas into usable plans. In a working world organized around specialization, the ability to stitch together technology, business, government, and society is becoming one of the most valuable leadership skills, and it shows up everywhere in the 2026 cohort.

What does this list say about where Canada’s economy is heading?

Six signals together: AI is deployment infrastructure, not a research frontier; operators are getting their due; government has become a serious career destination; purpose and profit are converging; leadership is decentralizing geographically; and reputation is starting to beat formal job title. Taken as a snapshot, Canada’s next decade looks like it gets shaped by translators who can move across technology, business, government, and society to actually get things built.

The post What Canada’s Emerging Leaders Tell Us About Where the Economy Is Heading appeared first on Colin Smillie.

The 2026 FIFA World Cup was supposed to be a tourism goldmine for the United States.

Forecasts projected millions of visitors, packed hotels, sold-out flights, and billions in economic impact, with 11 of the tournament’s 16 host cities in the United States, the expectation was simple: America would be the main beneficiary of the largest World Cup ever staged.

Two weeks before kickoff, the data tells a messier story.

A recent post from Sherpa flagged a striking trend. U.S. ESTA applications are reportedly down nearly 40% year over year, while Canadian eTA applications are up more than 35%, with a lot of that coming from British and French travellers.

If that holds up, it’s more than a travel story. It’s a signal that international visitors may be rethinking where they enter North America.

So the obvious question:

Is Canada stealing the World Cup?

Right now the answer seems to be no, not really, but something odd is going on.

What We Know

Several independent datasets suggest World Cup tourism demand is weaker than a lot of industry forecasts assumed.

An April survey from the American Hotel & Lodging Association found that nearly 80% of hotels across U.S. host cities reported bookings below expectations. In some markets, like Kansas City, the figure was closer to 90%. Hotel operators in Dallas, Houston, Los Angeles, Seattle and other host cities have reported booking levels that look like a normal summer, not a once-in-a-generation event.

Some industry observers have called the World Cup a “non-event” for many hotel markets so far. FIFA has reportedly released large room blocks that were originally held back for tournament demand.

Broader U.S. tourism trends have softened too.

Statistics Canada reports that Canadian travel to the United States has been falling for more than a year. January 2026 trips were down 22% year over year, February trips were down another 12.5%, and that fits a fourteen-month pattern. RBC Economics has documented similar declines, and mobile location analysis suggests visits by Canadians to U.S. metro areas may be down as much as 42%.

Put it together and the United States went into the World Cup period with a weaker international tourism market than expected.

The Case For Canada

This is where Sherpa’s observation gets interesting.

If international travellers are still coming to North America but steering around the United States, Canada should be seeing stronger inbound demand.

The reported jump in Canadian eTA applications, especially from Britain and France, points that way. Toronto and Vancouver host 13 World Cup matches, including knockout rounds, which makes them logical entry points for European visitors.

For a lot of travellers, flying into Canada and catching matches there might feel simpler or cheaper than building a trip centred on the United States.

The theory is plausible. The evidence is thin.

The Missing Data

We haven’t actually seen proof that Canada is blowing past expectations.

To back up Sherpa’s thesis, you’d want to see things like big increases in international arrivals at Toronto Pearson and Vancouver airports, hotel occupancy in Toronto and Vancouver running ahead of forecasts, more transatlantic passenger traffic into Canada, and strong growth in visitor spending in Canadian host cities.

None of those numbers have shown up publicly yet.

And some analysts point to rising flight bookings and solid ticket sales across multiple host markets, which suggests the demand exists but may just be arriving later than people expected.

The More Interesting Possibility

There’s a third explanation worth taking seriously.

Maybe Canada isn’t stealing the World Cup from the United States. Maybe neither country is getting the surge that was forecast.

Today’s data supports a simpler read: World Cup demand is real, but smaller, more cautious, and more spread out than organizers planned for.

Some visitors are probably choosing Canada, some are choosing Mexico, some are booking late, and some are just staying home.

My Take

The strongest thing today’s data actually supports isn’t that Canada is stealing the World Cup.

It’s that the United States isn’t getting the tourism boom a lot of people expected.

Whether Canada ends up being the winner of that shift should be clear over the next 30 to 60 days.

The indicators to watch are pretty straightforward: Toronto Pearson international arrivals, Vancouver international arrivals, hotel occupancy in both cities, U.S. host city hotel performance, and cross-border travel between Canada and the United States.

If those move sharply in Canada’s favour, Sherpa may be right. If they don’t, 2026 might end up being a reminder that even the biggest sporting event on earth can’t guarantee a tourism boom.

Sometimes the story isn’t where people decide to go. It’s where they decide not to.

Frequently Asked Questions

How many 2026 World Cup matches are being played in Canada?

Canada is hosting 13 matches across Toronto and Vancouver, including knockout-round games. The 2026 tournament has 16 host cities in total across Canada, the United States (11), and Mexico, making it the largest World Cup ever staged.

Are US ESTA applications really down ahead of the World Cup?

Per Sherpa, US ESTA applications are reportedly down close to 40% year over year, while Canadian eTA applications are up more than 35%, with a meaningful share of that increase coming from British and French travellers. Those numbers haven’t been independently confirmed by federal data yet, but they’re consistent with broader US inbound tourism softness.

What does the hotel data say about US World Cup demand?

An April American Hotel & Lodging Association survey found nearly 80% of hotels across US host cities reported bookings below expectations, with markets like Kansas City closer to 90% below. FIFA has reportedly released large held-back room blocks. Operators in Dallas, Houston, Los Angeles, and Seattle describe the booking pace as a normal summer, not a once-in-a-generation event.

Is Canada actually seeing more inbound World Cup demand?

Possibly, but the public evidence is thin. To confirm the thesis you’d want to see Toronto Pearson and Vancouver international arrivals running ahead of forecasts, host-city hotel occupancy outperforming, more transatlantic capacity, and stronger visitor spending. None of those numbers have shown up publicly yet.

Why has Canadian travel to the US been declining?

Statistics Canada has tracked a fourteen-month decline in Canadian trips to the US. January 2026 down 22% year over year, February down a further 12.5%. RBC Economics has documented similar trends, and mobile-location analysis suggests Canadian visits to US metro areas may be down as much as 42%. The result is that the US entered the World Cup window with a weaker international tourism baseline than forecasters assumed.

What indicators will tell us whether Canada is actually winning the tourism shift?

Five to watch over the next 30 to 60 days: Toronto Pearson international arrivals, Vancouver international arrivals, hotel occupancy in both Canadian host cities, US host-city hotel performance, and cross-border travel volume between Canada and the United States. If those move sharply in Canada’s favour, the “Canada is stealing the World Cup” thesis gets real support. If they don’t, the more likely read is that the surge simply didn’t materialize anywhere.

The post Is Canada Stealing the 2026 World Cup From the United States? appeared first on Colin Smillie.

Looking at the current Pan-Canadian AI Strategy and the signals coming out of 2026, here’s how I’d describe where things stand. (For the original predictions this post is scoring, see Prediction: Canada’s Next AI Strategy Will Be About Compute, Sovereignty, and Trust.)

The 2017 Strategy: Build the Brain

The first strategy was a research and talent play, full stop. The goals were to keep world-class AI researchers in Canada, build research clusters around Toronto, Montreal, and Edmonton, train graduate students, stand up the Canada CIFAR AI Chairs program, and back Mila, the Vector Institute, and Amii.

On its own terms, it worked. Canada became one of the densest sources of AI talent in the world, pulled in corporate AI labs, and built a research reputation people actually recognize.

The catch is that we got very good at inventing AI while most of the economic value got captured somewhere else. (I dug into this gap in Industrializing AI: Canada’s Next Challenge After Research Leadership.)

The Current Strategy (2022 to 2026): Expand the Reach

The second phase bolted on three pillars: commercialization, standards, and continued talent and research.

The money started flowing past researchers and into industry adoption, standards work, compute infrastructure, and the institutes. That’s already a move away from pure research.

But the center of gravity hasn’t really shifted. The current strategy still leans hard on academic talent, research excellence, and building out the field, the recent $24M for more Canada CIFAR AI Chairs is more of the same.

Scoring My Own Predictions

My article called five shifts. Here’s how they’re holding up.

Sovereign compute. This is the one I got most right. Government investment in compute is already climbing, and you can’t sit in a serious Canadian AI conversation now without GPUs, data centres, energy supply, and national infrastructure coming up within ten minutes. Compute is being treated like strategic infrastructure, not lab equipment. I’m confident this ends up as a core pillar. (Background reading: Canada’s AI Compute Landscape. What I Found When I Tried to Build on It.)

Canadian AI champions. Mostly right. The 2017 strategy optimized for researchers, and the obvious next question is “so where are the Canadian companies?” Policy talk has moved toward commercialization, adoption, productivity, and growth. The direction is correct, but I doubt government will openly pick winners. Expect procurement preferences, commercialization funding, scale-up programs, and cluster money instead of anyone naming a national champion out loud.

Standards over regulation. Right, and underrated. The current strategy already carries a standards pillar through the Standards Council of Canada. The governance conversation keeps circling risk management, assurance, transparency, and testing rather than some sweeping new regulatory regime. That tracks with how enterprises actually govern AI day to day.

Agents and MCP infrastructure. Half right, and this is where I’d walk myself back a bit. Canada will move past chatbot talk, yes, but governments don’t write strategies around specific technical architectures. Nobody in Ottawa is going to say “we need MCP.” The language will be productivity, autonomous systems, AI-enabled services, public sector transformation, digital infrastructure. All of that enables agents without ever naming the plumbing. Right direction, wrong level of specificity.

Trusted AI country. Right, and probably our best shot. Canada already has the pieces: early work on AI ethics, CIFAR, responsible AI research, the new Canadian AI Safety Institute, a reasonably high level of public trust, and an international reputation for governance. Recent safety investments suggest trust is becoming a real differentiator. We won’t beat the U.S. on capital or China on scale. Trust might be the one lane where we can actually lead.

The Prediction I Missed

There’s a sixth shift I left out: data sovereignty and data supply chains.

A chunk of Canadian policy thinking is now arguing that compute alone doesn’t get you there, the next round of competitiveness depends on access to trusted data, public datasets, data-sharing frameworks, privacy-preserving exchanges, and Canadian-owned data assets. More commentators are calling data supply chains the missing pillar.

If I were rewriting the article today, I’d add it as prediction six: the next strategy will fold in a national data strategy welded tightly to AI.

Scorecard

• Sovereign compute: 9/10
• Canadian AI champions: 8/10
• Standards over regulation: 9/10
• Agents / MCP infrastructure: 6/10
• Trusted AI positioning: 8/10
• Data sovereignty (the missing pillar): 8/10

The real gap between 2017 and whatever comes next is one question.

2017 asked: how do we build world-class AI research?

The next strategy is asking: how do we capture the economic value while keeping Canadian control over the infrastructure, talent, data, and trust that make it possible?

Frequently Asked Questions

What was the 2017 Pan-Canadian AI Strategy?

The 2017 Pan-Canadian AI Strategy was a research-and-talent play led by CIFAR. It funded the Canada CIFAR AI Chairs program, backed Mila, the Vector Institute, and Amii, and built research clusters in Toronto, Montreal, and Edmonton. On its stated goals it worked. Canada became one of the densest AI talent pools in the world and pulled in corporate AI labs.

What is the current Pan-Canadian AI Strategy focused on (2022 to 2026)?

The second phase added commercialization, standards, and continued talent and research as pillars, with money flowing into industry adoption, standards work, compute infrastructure, and the institutes. The center of gravity is still academic, though, the recent $24M top-up for more Canada CIFAR AI Chairs is consistent with that.

Which predictions about Canada’s next AI strategy held up best?

Sovereign compute (9/10) and standards over regulation (9/10) scored highest. Compute is being treated as strategic national infrastructure in policy conversations, and the Standards Council of Canada angle is doing more of the governance work than any new sweeping AI law. Canadian AI champions (8/10), Trusted AI positioning (8/10), and the agents/MCP call (6/10) all held up directionally, with agents needing reframed language for government audiences.

Why was the agents and MCP prediction only “half right”?

The direction is correct. Canada will move past chatbot framing toward systems that take action, but governments don’t write national strategies around specific technical architectures like MCP. The official language will be productivity, autonomous systems, AI-enabled public services, and digital infrastructure. The plumbing is right; the vocabulary in the prediction was too engineer-specific for the policy audience.

What is the sixth pillar. Data sovereignty and data supply chains?

Compute alone doesn’t produce Canadian economic value if the trusted data, public datasets, data-sharing frameworks, privacy-preserving exchanges, and Canadian-owned data assets aren’t there to feed it. A growing share of Canadian policy thinking is treating data supply chains as the missing pillar, and the next strategy will likely weld a national data strategy directly into the AI strategy.

What is the single biggest shift between the 2017 strategy and what comes next?

The question changed. 2017 asked how Canada could build world-class AI research, the next strategy is asking how Canada captures the economic value while keeping domestic control over the infrastructure, talent, data, and trust that produce it. That moves the strategy from research policy to industrial policy.

The post Scoring My Canada AI Strategy Predictions: Plus the Sixth Pillar I Missed appeared first on Colin Smillie.