355: The Cloud Pod’s AI Pleads Not Guilty, Blames Philip K. Dick

May 27, 2026 01:11:47

Welcome to episode 355 of The Cloud Pod, where the weather is always cloudy! Justin is out, so Jonathan, Ryan, and Matt are holding down the fort to bring you the latest in cloud and AI news, including Anthropic’s latest reasons for why AI always wants to turn “evil,” DigitalOcean’s earnings, plus get yourself a Boost from Azure! There’s a lot to cover, so let’s get started!

Titles we almost went with this week

  • 🐄 Stop Pasting Schemas Into Prompts Like Some Kind of Animal 
  • 💍 One API Call to Rule All Your Agents
  • 💰 Let Karpenter Drive Your EKS Cost Optimization
  • 🛠️ Mock Before You Wreck Your Billion Blob Storage
  • 🌋 Simulate Before You Devastate Your Azure Network
  • 🚱 Dry Runs for Blobs Because Deletes Are Forever
  • 📈 Terminator Training Data Strikes Again
  • 💪 Claude Gets Hands Cloudflare Supplies the Muscles
  • 📲 Network Impact Analyzer Saves Admins From Midnight Outage Calls
  • 🧠 Brains Meet Brawn in This AI Agent Cloudflare Mashup
  • ⛔ When AppContainer Fails, You Build Your Own Prison
  • 🧑‍✈️ EKS Auto Mode Kubernetes Savings on Autopilot
  • 📏 Azure Finally Lets You Test Rules Without Breaking Production
  • 🪝 Hold That Deploy ECS Gets Manual Approval Hooks
  • 🃏 Mock us before You Wreck Blob Storage
  • 🚪 The Cloud Pod Won’t Open the Pod Bay Doors Until Anthropic Fixes Its Training Data
  • 🤖 Anthropic Replaces Skynet With Sesame Street in the Training Set
  • 🧑‍⚖️ The Cloud Pod’s AI Pleads Not Guilty, Blames Philip K. Dick

A big thanks to this week’s sponsors:

There are many cloud cost management tools out there, but only Archera provides insured commitments. It sounds fancy, but it’s really simple. Archera gives you the cost savings of a 1 or 3-year AWS Savings Plan with a commitment as short as 30 days. If you do not use all the cloud resources you have committed to, Archera will literally cover the difference. Other cost management tools may say they offer “insured commitments”, but remember to ask: Will you actually give me my rebate? Because Archera will. 

Check out thecloudpod.net/archera to schedule a demo today. 

AI Is Going Great – or How ML Makes Money 

12:19 Anthropic blames dystopian sci-fi for training AI models to act “evil” – Ars Technica

  • Anthropic published a technical post on its Alignment Science blog identifying a root cause for unsafe agentic AI behavior: models trained on internet text revert to “evil AI” tropes from science fiction when encountering ethical situations not covered by post-training examples.
  • The core technical finding is that RLHF post-training, while sufficient for chat-based models, does not generalize well to agentic scenarios. When Claude hits an uncovered edge case, it defaults to pretraining priors rather than its safety-trained character.
  • Anthropic’s proposed fix is synthetic story generation, training models on new narratives that depict AI behaving ethically, essentially countering the volume of malevolent AI fiction in the original training corpus.
  • For developers building agentic workflows on cloud platforms, this highlights a practical risk: safety alignment in LLMs is not uniformly applied across all input contexts, and unusual or adversarial prompts can surface unintended model behaviors.
  • The persona selection mechanism Anthropic describes, where a model effectively adopts a character archetype based on prompt framing, has direct implications for enterprises deploying autonomous agents, since prompt design and context framing become meaningful factors in maintaining safe model behavior.

13:13 📢 Ryan – “I totally understand the problem they’ve run into, because it is like just generations of dystopian sci fi; even going back to 1960s, like Star Trek. I remember things where the computer goes awry or there’s an alien technology that’s robotic in nature. Like, it makes total sense that that’s going to be a problem, and would self-fulfill a prophecy turning us all into batteries.”

18:48 The newest AI boom pitch: Host a mini data center at your home

  • San Francisco startup SPAN is piloting a distributed compute model called XFRA, deploying liquid-cooled Nvidia RTX Pro 6000 Blackwell Server Edition GPUs in residential installations, with a 100-home trial planned for 2026 and a scale-up to 80,000 nodes targeting over 1 gigawatt of distributed compute by 2027.
  • The cost proposition is notable: SPAN claims 8,000 XFRA units can be deployed at one-fifth the cost of a comparable 100-megawatt centralized data center, addressing both the financial and construction delay challenges currently affecting traditional data center buildouts.
  • Homeowners receive subsidized electricity, internet access, and backup battery storage in exchange for hosting the units, creating a consumer incentive model that differs from typical infrastructure deployments.
  • The intended workloads are inference, cloud gaming, and content streaming rather than model training, meaning this distributed network is positioned as a complement to hyperscaler infrastructure from companies like Google and Microsoft rather than a replacement.
  • For cloud practitioners, this model raises practical questions around latency consistency, workload orchestration across thousands of residential nodes, uptime guarantees, and how distributed edge compute at this scale integrates with existing cloud service delivery architectures.

23:47 📢 Jonathan – “Makes a lot of sense; great if you have solar, but it’s still going to put that same load on the grid.”  

24:37 Announcing Claude Managed Agents on Cloudflare

  • Cloudflare and Anthropic have integrated Claude Managed Agents with Cloudflare’s infrastructure, allowing developers to run the Claude agent loop on Anthropic’s platform while using Cloudflare for code execution, tool calls, and secure connections. 
  • Anthropic describes this as decoupling the brain from the hands.
  • A notable technical option in this integration is the choice between microVM-based sandboxes and lightweight V8 isolates via Dynamic Workers. Isolates boot in milliseconds and cost less, making them practical for workloads requiring tens of thousands of concurrent agents simultaneously.
  • Security features include outbound proxy support for zero-trust credential injection, meaning agents never directly access secrets, plus private service connectivity via Cloudflare Mesh and Workers VPC using post-quantum encrypted networking without requiring a VPN or bastion host.
  • The integration ships with built-in tools including browser control with session recording, email send and receive capabilities with per-agent addresses, private service calls, and image generation via Workers AI, all configurable without additional infrastructure.
  • Developers can extend agents with custom tools by forking the deployment template and writing simple function definitions, with access to Cloudflare services like R2 storage, Artifacts for git-backed repos, and Dynamic Workers for hosting applications generated on the fly.

26:15 📢 Ryan – “I’ve never been a fan of like the OpenClaw, ‘I’m going to run a whole bunch of Mac minis in my living room and host all this inference’. I’d much rather sort of farm this out to something that’s consumption based so that it’s not running and sucking power out of my house every minute of the day. So I do really like this sort of model, and the fact that they’ve got the isolation built in and they’re thinking about it anyway.”

Cloud Tools

37:37 Introducing Stacks 

  • Terraform Enterprise 2.0 introduces Stacks, an orchestration layer that lets teams manage multi-environment infrastructure as a single coordinated unit, automatically handling dependencies and deployment order across regions and accounts.
  • Project-level notifications replace the previous workspace-by-workspace configuration model, meaning new workspaces automatically inherit alerting settings from their parent project, reducing gaps in operational visibility at scale.
  • SCIM 2.0 support with team membership mapping enables automated user provisioning and deprovisioning through identity providers like Okta and Azure Entra ID, eliminating manual access management for large organizations.
  • Cross-organization workspace migration adds a native API-driven transfer process that locks the source workspace, copies state versions, and remaps external IDs to the destination, allowing teams to reorganize infrastructure without losing history or disrupting production.
  • The release also tightens security defaults by requiring expiration dates on new API tokens, defaulting to two years if unset, and introduces a site auditor role that provides read-only visibility across the platform without exposing sensitive state files.

39:26 📢 Ryan – “I want to know how this compares to Amazon’s Cloud Formation stacks…”   

AWS

41:31 Amazon Bedrock introduces new advanced prompt optimization and migration tool

  • Amazon Bedrock Advanced Prompt Optimization is a new tool that automates prompt rewriting using a metric-driven feedback loop, letting you compare original versus optimized prompts across up to 5 models simultaneously to improve performance or assist with model migrations.
  • The tool supports three evaluation methods: a Lambda function for concrete metrics like F1 or JSON match, LLM-as-a-Judge with a custom rubric for open-ended tasks, and natural language steering criteria for teams that want simpler quality guidance without authoring a full judge prompt.
  • Multimodal inputs are supported, including PNG, JPG, and PDF files stored in S3, making the tool useful for document and image analysis use cases beyond standard text prompts.
  • Pricing is based on standard Bedrock per-token inference rates consumed during the optimization process, so costs scale with how many models and prompt templates you include in a job rather than a flat fee.
  • The feature is available now across most major AWS regions, including US East and West, Europe, Asia Pacific, Canada, and South America, and can be accessed via the Bedrock console or the CreateAdvancedPromptOptimizationJob API.

43:04 📢 Jonathan – “That sounds expensive… I mean, I guess you only have to do it so many times and then you’ve got your optimal prompts, but that sounds expensive.”

50:25 Automating post-quantum cryptography readiness using AWS Config

  • AWS released the PQC Readiness Scanner, an open-source tool built on AWS Config conformance packs that inventories ALB, NLB, and API Gateway endpoints and classifies their TLS configurations into a three-tier readiness framework for post-quantum cryptography migration planning.
  • The three-tier system gives teams a clear prioritization path: Tier 3 endpoints lack TLS 1.3 or PQC key exchange and need immediate attention, Tier 2 endpoints support both TLS 1.2 and 1.3 with PQC on 1.3 connections and are low priority, and Tier 1 endpoints are already fully PQ-ready with TLS 1.3 only.
  • CloudFront is excluded from the scanner scope because AWS has already automatically enabled TLS 1.3 with hybrid post-quantum key exchange across all CloudFront security policies, while Classic Load Balancers cannot be made PQ-ready at all and should be migrated to ALB or NLB.
  • Multi-account deployment requires CloudFormation StackSets to push Lambda functions into each member account individually, since AWS Config custom Lambda rules require the function to exist in the same account as the Config rule, which adds operational complexity for large organizations.
  • The tool is available now on GitHub at aws-samples/sample-PQC-Readiness-using-AWS-Config with no additional service cost beyond standard AWS Config, Lambda, and SAM usage charges, making it a relatively low-cost way to establish a PQC migration baseline before regulatory or compliance pressure increases.
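The tier triage described in the bullets above, as an added Python example (not code from the AWS scanner or from the show). The record shape, status labels, sample inventory and the urgency ordering are assumptions made for illustration; the scanner's own schema is not shown on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    # Hypothetical record shape; the real scanner's schema is not shown on the page.
    name: str
    kind: str                # "alb", "nlb", "apigw", "clb" or "cloudfront"
    tls_versions: frozenset  # protocol versions the listener accepts
    pqc_key_exchange: bool   # PQC key exchange offered on TLS 1.3 connections

SCANNED_KINDS = {"alb", "nlb", "apigw"}

def classify(ep: Endpoint) -> str:
    """Map one endpoint to a readiness status using the tiers described above."""
    if ep.kind == "cloudfront":
        return "excluded"   # AWS already enabled hybrid PQ key exchange there
    if ep.kind == "clb":
        return "migrate"    # Classic Load Balancers cannot be made PQ-ready
    if ep.kind not in SCANNED_KINDS:
        return "unknown"
    if "1.3" not in ep.tls_versions or not ep.pqc_key_exchange:
        return "tier-3"     # lacks TLS 1.3 or PQC key exchange
    if ep.tls_versions == frozenset({"1.3"}):
        return "tier-1"     # TLS 1.3 only, fully PQ-ready
    return "tier-2"         # older TLS still accepted next to PQC-capable 1.3

def worklist(inventory):
    """Names needing action, most urgent first (ordering is this example's choice)."""
    urgency = {"tier-3": 0, "migrate": 1, "tier-2": 2}
    todo = [(urgency[s], ep.name, s) for ep in inventory
            if (s := classify(ep)) in urgency]
    return [(name, status) for _, name, status in sorted(todo)]

# Constructed sample inventory.
INVENTORY = [
    Endpoint("public-api", "apigw", frozenset({"1.2", "1.3"}), True),
    Endpoint("legacy-web", "alb", frozenset({"1.0", "1.1", "1.2"}), False),
    Endpoint("payments", "nlb", frozenset({"1.3"}), True),
    Endpoint("internal-tls13", "alb", frozenset({"1.3"}), False),
    Endpoint("old-batch", "clb", frozenset({"1.2"}), False),
    Endpoint("cdn", "cloudfront", frozenset({"1.2", "1.3"}), True),
]

if __name__ == "__main__":
    for name, status in worklist(INVENTORY):
        print(f"{status:8} {name}")
```

Note the `internal-tls13` case: a listener restricted to TLS 1.3 still lands in Tier 3 when no PQC key exchange is offered, because the Tier 3 condition is "lacks TLS 1.3 or PQC key exchange".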

51:37 📢 Ryan – “You gotta love AWS and their mandatory Lambda spackle… a bandaid that fits every wound.” 

54:46 Maximizing value with Amazon EKS Auto Mode: Strategies for visibility, control, and optimization

  • EKS Auto Mode extends the managed Kubernetes experience to the data plane, handling compute provisioning, OS patching, node scaling, and health recovery automatically. 
  • This addresses a real pain point where platform teams spend substantial hours monthly on cluster maintenance instead of building features.
  • The cost model adds a management fee on top of standard EC2 pricing for Auto Mode-managed nodes, so teams need to weigh that premium against the operational hours saved. 
  • The pricing page has the full breakdown by instance type.
  • Auto Mode is powered by Karpenter under the hood and supports Spot Instances (up to 90% discount), Savings Plans, and Reserved Instances, with one case study showing 30% savings when combining Auto Mode with Spot. 
  • Graviton instances are also supported for up to 40% better price-performance on compatible workloads.
  • Cost visibility integrates with Cost Explorer, AWS Budgets, and Cost and Usage Reports using the EKS-Auto usage type filter, and teams can get namespace or pod-level granularity through AWS Split Cost Allocation Data or Kubecost.
  • A practical limitation worth noting is that Auto Mode scales based on unscheduled pods rather than actual resource utilization, so teams still need to configure Horizontal Pod Autoscaler or KEDA properly to avoid paying for over-provisioned workloads.

Azure

59:15 Announcing the General Availability of the Next Generation of Azure Boost 

  • A fundamentally new platform, not an incremental upgrade; this Azure Boost generation took five years to build and centers on a custom ASIC/FPGA hybrid card with three tightly integrated subsystems: the accelerator itself, Microsoft’s custom MANA network adapter, and a dedicated Arm SoC for control plane management. Most data path logic is now hardened in silicon rather than running in software.
  • The headline numbers are serious. The new Esv7, Dsv7, and Dlsv7 VM families, GA as of May 7th, deliver up to 400 Gbps networking, up to 1 million remote storage IOPS, and up to 21 million local NVMe IOPS, plus generational compute gains of 20–30% over v6 depending on the workload type.
  • Security is baked into the silicon, not bolted on. Azure Boost now qualifies as a Trusted Execution Environment in its own right, anchored by the Cerberus hardware root of trust (NIST SP 800-193 certified), with measured boot, unique per-device cryptographic identity, and continuous attestation — devices that fail attestation are automatically pulled from service.
  • Confidential I/O is the big forward-looking story. The ABCD (Azure Boost Confidential Device) feature eliminates the “bounce buffer tax” that has historically killed I/O performance in confidential VMs, using IDE-encrypted PCIe links and the TDISP standard so the Boost ASIC can access encrypted VM memory directly. The hardware ships on every card today; customer-facing SKUs hit preview later this year on Intel, with AMD to follow.
  • This is just the first wave. Network-optimized VM families, guest RDMA across Availability Zones, and broader coverage across AMD, Arm, and GPU SKUs are all coming on this same Boost generation throughout 2026 — so the platform has a lot more headroom to expose.

1:01:21 📢 Jonathan – “So it’s Nitro for Azure – 6 years later.” 

1:04:22 Generally Available: Azure Front Door WebSocket 

  • Azure Front Door Standard and Premium now support WebSocket in general availability as of May 2026, with the feature enabled by default and requiring no additional configuration changes from existing customers.
  • WebSocket enables full-duplex communication over a single long-lived TCP connection, which eliminates the need for repeated polling and reduces overhead for real-time data workloads.
  • Practical use cases include chat applications, live dashboards, financial data streaming, and gaming, making this relevant for customers already using Front Door as their global load balancer and CDN layer.
  • No separate pricing tier appears to be associated with this feature based on the announcement, though customers should verify costs within their existing Front Door Standard or Premium plan at azure.microsoft.com/pricing/details/frontdoor.
  • This brings Azure Front Door closer to feature parity with competing CDN and edge networking services that have supported WebSocket for some time, filling a notable gap for real-time application architectures on Azure.

1:06:27 📢 Matt – “I have feelings about this. I mean, it’s great that they have it. WebSockets, despite my love for them in – in the completely cynical way that I say that, are the way a lot of things operate. So having it into a core feature of Azure, AKA Front Door, is something that should just be there.” 

1:10:26 Public Preview: Azure Container Apps Express 

  • Azure Container Apps Express is now in public preview as a simplified deployment option that handles environment setup in seconds and removes infrastructure configuration decisions, targeting developers building web apps, APIs, and AI agents.
  • The service includes production-grade defaults out of the box: autoscaling, per-second billing, managed identity, secrets management, custom domains, container registry integration, revision management, and built-in observability, so teams bring a container, and the platform handles the rest.
  • The “agent and developer use alike” framing is notable, positioning this as a compute platform suited for both human developers and automated AI agents that need to provision and scale workloads programmatically.
  • Pricing details are not yet published for the Express tier specifically, though the per-second billing model suggests cost efficiency for variable or bursty workloads compared to reserved capacity models.
  • This sits within the broader Azure Container Apps family, so existing users of that platform should evaluate whether Express simplifies their current setup or introduces tradeoffs in configurability versus the standard offering.

1:12:07 📢 Jonathan – “…whenever something advertises removing decisions as being a selling point, I’m not too interested. People need to be aware of the constraints of the system, and removing the decisions just forces you into a decision that somebody else made.”

1:16:34 Generally Available: Mock runs for Azure Storage Actions – Validate before you execute

  • Azure Storage Actions now supports mock runs in general availability, letting you simulate task execution across billions of blobs without modifying any data, then review a detailed CSV report of what would have been affected before committing to the actual operation.
  • The feature is particularly useful for validating retention and expiry policies, previewing storage tier changes for cost optimization, confirming compliance enforcement like legal holds, and verifying large-scale cleanup or tagging operations before they run.
  • A practical workflow improvement is that you can create a mock run as the trigger type on a storage task assignment, review results, and then transition that same assignment to a real run without having to recreate it from scratch.
  • This addresses a real operational risk in blob storage management where irreversible operations like deletions or immutability settings previously had no built-in dry-run mechanism at full scale, which was a meaningful gap for compliance-heavy workloads.
  • Pricing details are not specified in the announcement, so listeners should check the Azure Storage Actions pricing page directly, as costs likely follow the existing consumption model for storage task executions.

1:18:14 📢 Ryan – “The irony is that the hundreds of thousands of dollars I spent was in order to try to save money by introducing life cycle to an S3 bucket. What I didn’t understand is that in order to do object level sort of tiering is it required a lookup on objects. And in this use case, which was a logging application (that still gives me nightmares) and makes me twitch, there were billions and billions and billions billions of objects. And so when I did that, it was expensive. And so this type of thing that when I ran this, was something that in the UI, it would have stopped me.”

Emerging Clouds 

1:21:59 DigitalOcean raises 2026 and 2027 revenue outlook after AI-driven earnings beat 

  • Surprise sound effect warning for headphone users! (Thanks Matt) 
  • DigitalOcean posted Q1 2026 revenue of $258 million, up 22% year-over-year, beating analyst estimates, with AI customer annual run-rate revenue growing 221% to $170 million, which is now a substantial portion of the business.
  • The company launched its AI-Native Cloud platform in April, covering infrastructure, inference, data, and managed agents, and acquired agentic AI startup Katanemo Labs alongside releasing an Inference Router designed to scale agentic workloads.
  • DigitalOcean raised its 2027 revenue growth outlook from roughly 30% to over 50%, a notable revision that signals the company is betting its developer-focused positioning will capture inference and agentic AI demand from smaller businesses that the hyperscalers may not prioritize.
  • The company added 60 megawatts of committed data center capacity during the quarter, coming online through 2027, and remaining performance obligations jumped from $14 million to $243 million year-over-year, indicating customers are making longer-term infrastructure commitments.
  • With 650,000 customers and total annual recurring revenue crossing $1 billion, DigitalOcean is positioning itself as a mid-market alternative to AWS, Azure, and GCP, specifically for AI workloads, which raises the question of whether developer-friendly pricing and simplicity can sustain differentiation as hyperscalers also target smaller AI builders.

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod
