
Margin of Safety #31: So are you actually behind on AI agents?

Jimmy Park, Kathryn Shih

October 9, 2025


There is a lot of agentic FOMO. We hope you are not pushed into panic building.

Talking to folks over the last week, we’ve heard two very different themes. On one hand, there’s a ton of buzz (and an undeniable fear of missing out, or FOMO) around agentic capabilities. On the other hand, we are not yet seeing evidence for the broad adoption of rich agentic capabilities, and we’re certainly seeing some evidence (e.g., the MIT report) against such adoption. So if you’re a leader who hasn’t yet agentified everything, how should you think about your current position? Are you behind the pack, or are you just skipping over some marketing hype?

We think it’s at least partially hype. Very few companies’ marketing materials understate their AI efforts, and we suspect overstatement is a norm. Such behavior would naturally lead to a skewed public perception of the level of AI deployed at the average company; in light of that, we suspect laggards are probably less lagging than they think (at least outside of their marketing team).

The necessary response to agentic FOMO is not a sprint to catch up to competitor announcements, but the creation of a strategic framework that defines where you must lead and where you can afford to exercise patience. This demands a clear differentiation between the technological hype and the commercial or practical realities.

The Build-versus-Buy Choice

The decision to adopt any new technology is highly dependent on that tech’s proximity to your core competitive advantage. We think this is best viewed through a Build-versus-Buy framework; building and buying are (as always) the two main options for technological adoption.

Category 1: Build (The Strategic Core)

The cost and complexity of building solutions in-house is primarily warranted when those solutions are fundamental to your competitive moat. This includes capabilities that must rely on proprietary, inaccessible data; directly inform a core product or service offering; or require 100% custom control over the underlying model, data privacy protocols, and intellectual property. For example, a specialized financial institution’s proprietary, data-intensive underwriting agent would merit at least some level of build; the resulting superior underwriting would form a key source of sustained commercial value.

Category 2: The Buy Rationale (Commoditized Enablement)

Conversely, this category is reserved for solutions that address common, non-differentiating capabilities where an off-the-shelf vendor solution will offer sufficient functionality.

The objective here is to minimize TCO and initial capital expenditure by leveraging a vendor’s scale and expertise. This is appropriate for functions such as generic IT helpdesk agents or standard data entry automation. For these systems, the primary concern shifts from innovation to scrutinizing data privacy assurances, vendor reliability, and clarity on failure modes. Who bears the risk if the agent messes up, and how serious is that risk?

For many tech and tech-adjacent companies, a blended approach may be required. Your team may want to build differentiating agents while responsibly procuring commoditized solutions for non-core functions.

Startup vs Enterprise Adoption

The anxiety of being “late” is often fueled by the aggressive maneuvers of startups and technology behemoths, which, crucially, operate under different risk profiles than most established firms.

Startups Versus Established Enterprises

Startups are effectively “default dead,” and so have no choice but to embrace risk and lean in aggressively to achieve disruptive ends. They have very little to lose. Larger enterprises, by contrast, are understandably more risk-averse. It is not irrational if newer agentic tools that introduce additional process risk are deemed inappropriate for a mature business model where stability is paramount. This doesn’t mean they’re AI laggards exactly; instead, it means they’re rationally waiting for technology to be appropriate for their level of risk aversion. The critical task for enterprises is then to maintain awareness of AI capabilities’ maturity, ready to integrate as soon as appropriate, and aware that a successful integration may depend on a certain level of technical fluency from your own organization. The key thing: you should be looking to adopt as soon as tools get to your place on the maturity scale. Assessing tools’ actual maturity, especially in a hype-heavy environment, likely requires some degree of experimentation.

Tech giant incentives are their own

At first glance, giants like Microsoft may seem like counterexamples to this. They’re huge multinationals, yet they’re issuing broad mandates (link) around aggressive AI adoption. However, these mandates have to be taken in the context of Microsoft’s business. A huge share of revenue, ranging from Azure cloud to Microsoft’s office productivity tools to (potentially) its omnipresent enterprise identity layer, is potentially threatened by the adoption of AI. This makes it uniquely critical that Microsoft stay ahead of the curve, since the functionality passes the ownership test throughout its business. Meta has central advertising revenue streams that are similarly ripe for AI-driven disruption.

Considering those revenues, an AI adoption mandate at these companies is a multi-purpose strategic choice that may not be appropriate for all smaller businesses. Within the context of Meta or Microsoft, an AI mandate is designed to develop employee expertise, generate critical unencumbered feedback on their own products (especially those sold under enterprise licenses that restrict training on customer data), and rapidly enhance their proprietary AI product creation muscle.

If a firm is not betting the house on AI product sales, it can afford to let the tech giants pay the initial, substantial cost of employee re-skilling. And with time, basic AI fluency may become more ubiquitous and thus less expensive. However, it is prudent to have enough in-house expertise to be able to tell a high-leverage use case from a commodity one.

Deciding if you’re really missing out

We’re proponents of a few pointed tests to decide if you’re really missing out on AI.

  1. Does your organization have appropriate latitude to experiment with AI or evaluate AI-based vendor solutions and, as a result, understand current capabilities?
  2. Do you know which, if any, capabilities would pass the ownership test for you?
  3. For capabilities you ultimately want to build, do you have a team that can commit to delivery (and which you will trust to do so)?
  4. For capabilities you ultimately want to buy, are you prepared to evaluate the efficacy of a solution?

Competitive marketing may be useful to prompt reevaluation of one or more of these answers. For example, if you hear compelling evidence that someone has fully automated a capability you have tried and failed to automate, it’s a reason to re-evaluate your own assessment of that area. But there may be good reasons why you correctly settle on a different level of automation than other players in the space, and we don’t believe that’s necessarily a problem.

Reach out to us if you are building in the space of AI & security. We have some thoughts!
Kathryn Shih – kshih@forgepointcap.com
Jimmy Park – jpark@forgepointcap.com

This blog is also published on Margin of Safety, Jimmy and Kathryn’s Substack, as they research the practical sides of security + AI so you don’t have to.