WEBVTT
NOTE The Rundown — nextbig.dev daily audio edition, 2026-05-27

1
00:00:00.000 --> 00:00:08.804
<v Alex>Good morning, welcome to the Builder's Briefing for May twenty-seventh, twenty twenty-six. I'm Alex, joined as always by Sam. We've got a packed one today — Microsoft just dropped a big open-source governance toolkit for AI agents, there's a coding agent running DeepSeek v4 in your terminal, and we've got some spicy regulation news out of Europe and California.

2
00:00:08.804 --> 00:00:13.655
<v Sam>Yeah, and honestly the theme today feels very clear — agents are growing up. Like, we're past the demo phase and into the 'okay, how do we actually ship this responsibly' phase. I'm excited to dig in.

3
00:00:13.655 --> 00:00:23.114
<v Alex>So let's start with the big story. Microsoft open-sourced what they're calling the Agent Governance Toolkit. It's a framework that brings policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering to autonomous AI agents. And here's the headline — it explicitly covers all ten items on the OWASP Agentic Top Ten. First major vendor-backed toolkit to do that.

4
00:00:23.114 --> 00:00:31.385
<v Sam>That's huge. Because up until now, if you were shipping agents in production, you were basically duct-taping your own governance layer together. Everyone had their own bespoke guardrails, their own sandboxing approach. Having a real framework that maps to an industry-standard checklist? That changes the conversation with enterprise buyers.

5
00:00:31.385 --> 00:00:37.254
<v Alex>Exactly. And the practical bits are solid — pluggable policy enforcement, sandboxed environments for agent tool use, identity primitives that let you scope what an agent can do per session. It plays well with Azure, but it's not locked to it.

6
00:00:37.254 --> 00:00:47.732
<v Sam>Right, and what's wild is the business signal here. Microsoft is giving away the governance layer for free, which means they expect the value to accrue at the platform level — Azure, Entra ID, that whole stack. For builders, the implication is pretty clear: don't build bespoke governance anymore. Adopt a framework. Because the OWASP Agentic Top Ten is about to become the checklist that auditors and procurement teams wave around.

7
00:00:47.732 --> 00:00:52.389
<v Alex>If you're selling agents to enterprises, integrating with this toolkit or something equivalent is going to be a procurement checkbox very soon. The patterns are stabilizing — get on board now.

8
00:00:52.389 --> 00:00:57.992
<v Alex>Okay, shifting to AI and models. CodeWhale dropped — it's a new open-source terminal-based coding agent built on DeepSeek v4. Sam, this one caught my eye because it's basically an open-model alternative to Claude Code or Codex CLI.

9
00:00:57.992 --> 00:01:05.996
<v Sam>Yeah, this is the one I'm most excited to try. Especially for codebases where you don't want code leaving your network. Like, if you're working in a regulated environment or just privacy-conscious, having a viable local coding agent that runs in your terminal is a big deal. Worth benchmarking against whatever you're using today.

10
00:01:05.996 --> 00:01:13.684
<v Alex>There's also a fascinating paper out of arXiv arguing that language models need sleep — like, literal offline consolidation phases. The practical takeaway for anyone doing fine-tuning or continual learning is that interleaving training with replay and consolidation cycles might actually outperform just scaling data.

11
00:01:13.684 --> 00:01:20.670
<v Sam>I love that framing. And on a related note, there was a great piece by Nolan Lawson arguing that AI's biggest coding value isn't speed — it's using the time you save to be more deliberate about architecture and review. Which honestly is a mental model every engineering team should adopt.

12
00:01:20.670 --> 00:01:28.892
<v Alex>And one more — Signal Bloom is arguing that combining outsourced labor with locally run models is approaching cost parity with frontier API calls for a lot of tasks. If you're burning significant OpenAI or Anthropic budget on structured extraction or classification, it might be time to benchmark local models for those specific workloads.

13
00:01:28.892 --> 00:01:34.616
<v Sam>That's interesting because it's not an all-or-nothing thing. You don't replace your whole stack — you find the workloads where a local model gets you ninety-five percent of the way there and save your frontier budget for the hard stuff.

14
00:01:34.616 --> 00:01:41.504
<v Alex>Alright, dev tools. Nango just crossed four thousand GitHub stars — it's a tool that lets you build product integrations with AI assistance. OAuth, syncing, webhooks, all of it. If you're building a SaaS that connects to dozens of third-party APIs, this replaces weeks of boilerplate.

15
00:01:41.504 --> 00:01:49.581
<v Sam>Oh, I've actually seen this one in the wild. The managed auth and rate limiting alone save you so much pain. And there's also a nice piece on opaque types in Python — it's a pattern where you get stronger compile-time guarantees without runtime cost. Prevents those nasty bugs where you pass a user ID where an order ID was expected.

16
00:01:49.581 --> 00:01:50.769
<v Alex>Classic. Links for both of those in the briefing.

17
00:01:50.769 --> 00:01:59.282
<v Alex>Okay, let's do security and infrastructure together because there's a nice thread here. Ente published a really clear walkthrough of Shamir's Secret Sharing — the cryptographic primitive behind multi-party key management. If you're building anything with key escrow, wallet recovery, distributed secrets, this is the best single-page primer I've seen.

18
00:01:59.282 --> 00:02:03.769
<v Sam>Bookmarked that one immediately. And then on a completely different note — Motorola phones are apparently hijacking Amazon app traffic to insert affiliate codes. Like, at the OEM level.

19
00:02:03.769 --> 00:02:09.809
<v Alex>Yeah, that's a real reminder for mobile developers — OEM-level interference with app behavior is a legit threat model. If you're building e-commerce or payment flows on Android, audit for unexpected intent interception. It's not theoretical anymore.

20
00:02:09.809 --> 00:02:13.131
<v Sam>And there's a geopolitical infrastructure story too, right? Norway using two petabytes of Huawei flash storage for national LLM training?

21
00:02:13.131 --> 00:02:18.322
<v Alex>Right. The vendor's country of origin is increasingly a procurement-blocking factor for AI workloads in regulated industries. If you're choosing infrastructure for sensitive workloads, plan for those questions now.

22
00:02:18.322 --> 00:02:23.997
<v Alex>Regulation corner — three quick ones. California exempted Linux from their age-verification law after backlash, but the original approach of requiring OS-level age gates is still the template for future regulation. Watch for copycats.

23
00:02:23.997 --> 00:02:30.303
<v Sam>The Netherlands blocked a US takeover of a critical digital infrastructure company on national security grounds. Europe is treating digital supply chain sovereignty like chip sovereignty now. If you depend on EU-based infra providers, expect more M&A friction.

24
00:02:30.303 --> 00:02:35.130
<v Alex>And Spain classified prediction markets as gambling and blocked Polymarket and Kalshi. If you're building prediction market features, country-by-country compliance is the norm now, not the exception.

25
00:02:35.130 --> 00:02:37.070
<v Sam>That fragmentation is going to be a headache for so many startups in that space.

26
00:02:37.070 --> 00:02:43.692
<v Alex>Quick hits — Japan successfully tested a Mach five ramjet engine, Uber and Lyft drivers formed the first US ride-share union in Massachusetts, and there's a beautiful math visualization called Squares in Squares that's just pure joy. Links in the briefing for all of those.

27
00:02:43.692 --> 00:02:45.341
<v Sam>I spent way too long on the Squares in Squares thing, not gonna lie.

28
00:02:45.341 --> 00:02:54.630
<v Alex>So here's the big takeaway for today. Agent infrastructure is maturing from cool demo to auditable production system. Microsoft's governance toolkit, the OWASP Agentic Top Ten, terminal-native coding agents on open models — it all points the same direction. Agents are becoming standard components, and the differentiation is shifting to governance, reliability, and cost efficiency.

29
00:02:54.630 --> 00:03:02.222
<v Sam>The builders who treat agent security and cost optimization as first-class concerns today are going to have a structural advantage in six months when enterprise buyers start requiring it. Adopt a governance framework now, even a lightweight one, and start benchmarking open models against your frontier API spend.

30
00:03:02.222 --> 00:03:06.030
<v Alex>That's the move. Alright, that's your Builder's Briefing for May twenty-seventh. Thanks for listening — go build something great, and we'll see you tomorrow.

31
00:03:06.030 --> 00:03:07.000
<v Sam>See you tomorrow, folks. Happy building.
