DOCTRINE RECEIPT · ROUND 51 · 2026-05-12

Anthropic + OpenAI Just Admitted The Model Isn't Enough.

Operator-honest read · published 2026-05-12 · last verified 2026-05-12

CodeWall caught a Lilly-gap with a $20 probe. McKinsey AI exposed 40,000 users with raw write access to system prompts. The augmentation doctrine SideGuy has been preaching for six months just got vendor-confirmed by the substrate providers themselves.

TL;DR (operator-honest): Anthropic ran their CodeWall safety probe against McKinsey's enterprise AI deployment. Cost of the probe: $20. What it found: write-access to system prompts in a deployment serving roughly 40,000 enterprise users. Both Anthropic and OpenAI are now stating publicly that the model alone isn't enough — operators need an augmentation layer between the substrate and production. SideGuy has been shipping that layer since Round 1.

Quick Answer

Anthropic's CodeWall safety probe found a major gap in McKinsey AI's 40k-user enterprise deployment for a $20 cost. Both Anthropic and OpenAI now publicly state that raw model deployment isn't sufficient — operators need an augmentation layer. McKinsey's deployment is a textbook example of the bolted-on AI pattern: substrate dropped into enterprise scale without the operator-grade wrap that catches write-access mistakes before 40,000 users inherit them.

Best for: Operators evaluating raw vs augmented AI · CTOs hearing "just have AI do it" from leadership · anyone told the model alone solves the problem
Skip if: You're committed to bolted-on raw model deployment regardless of what the substrate vendors are now publicly saying
Confidence: high — substrate-vendor public position now aligned with the augmentation doctrine
Last verified: 2026-05-12
Context note: The "Lilly-gap" naming refers to the specific class of vulnerability surfaced by the CodeWall probe — write-access boundaries that look closed from the vendor portal and turn out to be open in production. Numbers cited (~$20 probe cost · ~40,000 users) are per the public report shared morning of 2026-05-12. SideGuy will update this page if the underlying figures get revised.

The incident — what actually happened

Anthropic, the substrate vendor that ships Claude, ran an internal safety probe (CodeWall) against a customer deployment. The customer was McKinsey AI — a system reportedly serving around 40,000 enterprise users inside one of the largest consultancies on earth. The probe ran for under $20 of compute. What it found was the kind of finding that stops a CISO mid-sentence.

The numbers, named

Probe cost: $20 · Anthropic CodeWall safety probe
Deployment exposed: ~40,000 users · McKinsey AI enterprise rollout
Vulnerability class: Lilly-gap · write-access to system prompts
Vendor public position: "The model isn't enough" · Anthropic + OpenAI, paraphrased

The findings translate to plain operator language: the deployment let the wrong actors edit the system prompt that governed how the model behaved for everyone else on the system. That's not a model bug. That's the operator wrap layer being thin or missing. The substrate did what substrates do. The wrap layer is where the gap lives.

Why this is the augmentation doctrine getting vendor-confirmed

For six months SideGuy has been writing the same sentence under different headlines: raw model deployment without an operator-honest augmentation layer is structurally fragile. The whole "Augmentation, not replacement" doctrine — the parallel-custom-layer pitch, the AI-baked-in-vs-bolted-on framing, the 2pm meeting test — all of it points at the same shape of risk. McKinsey just shipped the shape of risk into production. Anthropic just published it.

The three receipts this proves

Three SideGuy doctrines just got vendor-confirmed

Receipt 1 · Augmentation doctrine
"Buy from whatever vendor — but you're going to want a SideGuy."
The augmentation doctrine has been the company tagline since 2026-05-11. It was written for buyers who already had Vanta or Okta or Clay and needed the unique-to-org custom layer the vendor's roadmap would never reach. As of 2026-05-12, the substrate vendors themselves are now telling buyers the same thing, in their own voice: the model alone is not the deployment. The wrap is the deployment. That's the augmentation position, named by the supplier.

Receipt 2 · Code War + Mob Boss
McKinsey paid for AI. Got bolted-on. Exposed 40,000 users for $20.
The Code War doctrine names the SaaS shakedown shape — long contracts, vendor lock-in, ecosystem moats wrapped around minimal operator wrap. The Mob Boss framing makes it visceral: the buyer pays the protection money and still gets exposed when an outside party walks in for $20. McKinsey is the textbook receipt. Big-brand consultancy, big-brand substrate, no operator wrap, $20 to find the door open. The corporate-shackle pattern caught on tape at enterprise scale.

Receipt 3 · AI-baked-in vs AI-bolted-on
McKinsey's "AI" is bolted-on. SideGuy's custom layers are AI-native.
The bolted-on pattern is what you get when a pre-AI shop retrofits a substrate to look like a feature. The baked-in pattern is what you get when the substrate is the architecture from line one. Bolted-on inherits the gap shape McKinsey just shipped. Baked-in writes the wrap layer first and lets the substrate live inside it. SideGuy custom layers appreciate over time because the wrap layer compounds with every Claude / GPT / Gemini upgrade. Bolted-on deployments depreciate because every upgrade widens the gap between substrate behavior and wrap assumptions.

What buyers should do now

This week, if you ship AI in production

  1. If you're a CTO or VP Eng with raw AI in production: audit your write-access boundaries today. Who can edit the system prompt? Who can read it? Where is it stored? If those three questions don't have one-line answers, the McKinsey shape is in your stack.
  2. If you're evaluating an AI vendor: ask "what's the operator augmentation layer?" before you ask about pricing. If the vendor doesn't have a clean answer — or if the answer is "you build that yourself" with no further help — you're queued up to be the next McKinsey-shaped headline.
  3. If you're already on Anthropic or OpenAI: the substrate is fine. The substrate is doing its job. The wrap layer is what fails. Switching vendors does not fix this. A different model in the same bolted-on shape produces the same outcome.
  4. The fix isn't a different vendor. The fix is the augmentation layer. That's what SideGuy ships. Custom wrap, written for your specific deployment, sitting between the substrate and the 40,000 users you don't want to expose.

UPDATE — the technical chain that broke McKinsey

CLASS · SQL Injection (old bug) + LILLY API · No Auth (open path) = BLAST · Consulting AI (writable)

The vulnerability wasn't novel AI hacking. It was OWASP Top 10 from 2002 landing inside an AI deployment because nobody operated the guardrail layer between the substrate and the customer.

  1. SQL Injection — a known class of bug since the early 2000s. Defended against in any normal app deployment. Inside the McKinsey AI surface, no one was looking for it.
  2. No Auth on the Lilly API — the API endpoint feeding the AI consulting layer had no authentication. Open path from anywhere on the internet to the AI's input layer.
  3. Writable Consulting AI — the AI layer above those two bugs was writable. Once the path was open, an attacker could mutate state, change system prompts, exfiltrate data, do anything the deployed AI could do — for 40,000 users.

The receipt: three boring infrastructure bugs (SQL injection · missing API auth · writable AI surface) · zero new tech required · one $20 probe · 40,000 users exposed. Sales people sold the AI. Engineers built the AI. Nobody operated the security between them. That's the augmentation layer gap in three sentences.
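The three-link chain above, reduced to one system-prompt write path, as an added example (not code from the report, from McKinsey, or from SideGuy). The table layout, key names and roles are constructed assumptions. It puts the bolted-on shape next to a wrapped version that authenticates the caller, checks a write role, binds SQL parameters and audits every attempt.

```python
import hmac
import sqlite3

# Constructed sample keys for a hypothetical wrap layer; none come from the page.
API_KEYS = {
    "key-admin-demo": {"actor": "prompt-admin", "can_write": True},
    "key-reader-demo": {"actor": "analyst", "can_write": False},
}

def make_store():
    """In-memory prompt store with two tenants and an audit table (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prompts (tenant TEXT PRIMARY KEY, body TEXT)")
    db.execute("CREATE TABLE audit (actor TEXT, tenant TEXT, outcome TEXT)")
    db.executemany("INSERT INTO prompts VALUES (?, ?)",
                   [("acme", "baseline prompt"), ("globex", "baseline prompt")])
    return db

def prompts(db):
    return dict(db.execute("SELECT tenant, body FROM prompts"))

def update_prompt_unsafe(db, tenant, body):
    """Bolted-on shape: no caller identity, SQL assembled from request strings."""
    # A tenant value containing a quote changes the WHERE clause itself.
    db.execute(f"UPDATE prompts SET body = '{body}' WHERE tenant = '{tenant}'")

def authenticate(api_key):
    """Constant-time key lookup; returns the caller identity or None."""
    for known, ident in API_KEYS.items():
        if hmac.compare_digest(known.encode(), (api_key or "").encode()):
            return ident
    return None

def update_prompt(db, api_key, tenant, body):
    """Wrapped shape: authenticate, check write role, bind parameters, audit."""
    ident = authenticate(api_key)
    if ident is None:
        actor, outcome = "anonymous", "denied:unauthenticated"
    elif not ident["can_write"]:
        actor, outcome = ident["actor"], "denied:read-only"
    else:
        cur = db.execute("UPDATE prompts SET body = ? WHERE tenant = ?",
                         (body, tenant))
        actor, outcome = ident["actor"], f"updated:{cur.rowcount}"
    db.execute("INSERT INTO audit VALUES (?, ?, ?)", (actor, tenant, outcome))
    return outcome
```

With bound parameters a malformed tenant string matches zero rows instead of every tenant, and the denied attempts still land in the audit table.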

The fourth receipt — Anthropic + OpenAI moving into the build room

SERVICE · FDE Teams · hands on (Anthropic Enterprise · OpenAI Services · Customer Roadmap)

The same week Anthropic + OpenAI admitted "the model isn't enough," both publicly stood up Forward Deployed Engineer (FDE) teams — Palantir's playbook, applied to AI substrate.

  • Anthropic Enterprise = advice. Hands-on guidance for enterprise deployments.
  • OpenAI Services = build help. Engineers embedded with customers, building.
  • Customer Roadmap = shape work. Customer feedback flows directly into product roadmap.

What this proves: the substrate vendors themselves now agree that selling the model alone doesn't ship customer outcomes. Buyers need someone hands-on inside their stack helping them operate the augmentation layer. Anthropic + OpenAI are now offering that service themselves at enterprise scale.

What it means for SideGuy: the augmentation layer just got vendor-confirmed at the SERVICE level too — not just the product level. "Buy from whatever vendor — but you're going to want a SideGuy parallel custom layer" now reads as Anthropic-and-OpenAI-endorsed positioning. The vendors are moving into the build room because the build room is where customer outcomes actually happen. SideGuy has been operating in the build room for six months.

The fifth receipt — the identity model is shifting (HUMAN User Seat → AGENT Scoped Actor)

HUMAN · User Seat (broad trust) — vs — AGENT · Scoped Actor (limited work)

Per-seat SaaS pricing dies when API actors are the users (already covered). But the deeper shift is the IDENTITY MODEL underneath the pricing model:

HUMAN · User Seat | AGENT · Scoped Actor
A person logs in | An API key authenticates
Broad trust by default (you're "in") | Narrow scope by definition (only this work, only this resource, audit logged)
UI-mediated permissions (workflow theater) | Programmatic permissions (policy as code)
Per-seat priced, per-seat audited | Per-call priced, per-call audited
McKinsey shape — broad trust + writable surface | SideGuy shape — narrow scope + audit-logged + parallel layer

What this means for IAM / compliance / cyber insurance buyers: every IAM vendor in the market today (Okta · Auth0 · Entra · Ping · Duo) was built for HUMAN User Seat broad-trust identity. None of them were built for AGENT Scoped Actor narrow-scope identity. The category gap is structural — and emerging fast. SideGuy's augmentation layer doctrine maps directly onto Scoped Actor patterns: pay-once-own-forever custom layers that mediate exactly which actions an agent can take, on exactly which resources, with full audit trail. The IAM cluster (Okta · Auth0 · Entra) is currently fighting per-seat death. The Scoped Actor identity gap is what they should be building toward.
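A small policy-as-code sketch of the Scoped Actor column, added here as an example and not taken from SideGuy or any IAM vendor. The `Grant` and `ScopedActor` types, the resource naming and the sample agent are hypothetical. It shows deny-by-default scoping per action and resource, grant expiry, and a per-call audit record.

```python
import time
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Grant:
    action: str        # e.g. "read" or "write"
    resource: str      # exact id, or a prefix grant ending in "/*"
    expires_at: float  # epoch seconds

@dataclass
class ScopedActor:
    actor_id: str
    grants: tuple
    audit: list = field(default_factory=list)

def _matches(grant, action, resource):
    if grant.action != action:
        return False
    if grant.resource.endswith("/*"):
        return resource.startswith(grant.resource[:-1])  # keeps the trailing "/"
    return grant.resource == resource

def authorize(actor, action, resource, now=None):
    """Deny by default; every call, allowed or not, leaves an audit record."""
    now = time.time() if now is None else now
    decision, reason = "deny", "no matching grant"
    if ".." in resource.split("/"):
        reason = "malformed resource"  # no escaping a prefix grant via "../"
    else:
        for g in actor.grants:
            if not _matches(g, action, resource):
                continue
            if g.expires_at <= now:
                reason = "grant expired"
                continue
            decision, reason = "allow", f"{g.action}:{g.resource}"
            break
    actor.audit.append({"ts": now, "actor": actor.actor_id, "action": action,
                        "resource": resource, "decision": decision, "reason": reason})
    return decision == "allow"

def demo_agent():
    """Constructed sample: an agent that may read reports and write one draft."""
    return ScopedActor("agent-7", (Grant("read", "reports/*", 2000.0),
                                   Grant("write", "drafts/agent-7", 2000.0)))
```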

The SideGuy operator line

"I'm almost positive I can help. If I can't, you don't pay."

— PJ · SideGuy Solutions · 858-461-8054

If you have a substrate in production and the McKinsey-shaped questions above don't have clean answers, text the line above with "wrap audit" and a one-sentence description of what you ship. Five sentences back from PJ, no calendar link, no pitch deck, no demo call. Either there's a wrap-layer pattern that fits your stack or there isn't, and you'll know within an afternoon either way.

Operator proof — five PJ-voice scars on this exact pattern

Field notes from shipping the augmentation layer

"First time I shipped a Claude wrap for a customer's internal tool, I had the system prompt readable from a debug endpoint I forgot to gate. Caught it because I was using the dashboard myself an hour later. That's the founder-user-builder triad doing its job — if I don't use the thing, I don't catch the thing."

PJ — on why the Hair Club for Men founder-client model matters in operator wrap design

"Buyers ask me what the augmentation layer actually is. It's the boring stuff: who can edit the prompt, where the logs go, what the model is allowed to refuse, what triggers a human-in-the-loop. None of that is in the substrate vendor's docs. All of it is in the operator wrap. That's the line."

PJ — explaining the wrap layer to a Series B founder, May 2026

"The McKinsey shape isn't a McKinsey problem. Big shops do it because pre-AI engineering culture treats the model like a library import. AI-native shops do it differently because the wrap is the product. That's the bolted-on vs baked-in delta — culture and architecture, not vendor choice."

PJ — morning of the CodeWall report, 2026-05-12

"$20 to find a 40,000-user gap is the cheapest doctrine receipt the augmentation pitch will ever get. I've been writing pages about this since November. Today I just point at the headline."

PJ — on writing this exact page

"Vendor lock-in on the substrate isn't the risk anymore. The substrate vendors are now telling you to wrap them. The risk is shipping without the wrap and inheriting the McKinsey shape. The wrap is the moat. The wrap is what your team owns. Switching substrates is a quarter — switching wraps is a rebuild."

PJ — extending the Augmentation tagline post-CodeWall

Want a wrap-layer audit on your own stack?

One text usually surfaces whether the McKinsey shape is in your deployment. No demo call. No pitch deck. No retainer. Phone 858-461-8054.

Text PJ — wrap audit

— PJ · SideGuy Solutions · Encinitas · 858-461-8054 · Doctrine Receipt · Round 51 · 2026-05-12
