Welcome to episode 356 of The Cloud Pod, where the weather is always cloudy! Justin and Ryan are in the studio this week and ready to bring you all the latest in cloud and AI news, including the Pope coming out against AI, AWS introducing a new local zone, and GitHub having yet another crappy week. There’s a lot of news, so let’s get started!
Titles we almost went with this week
- 🕌 Istanbul Not Constantinople, But Definitely an AWS Local Zone
- 👣 218 Billion Parameters Walk Into a Single GPU
- 🍸 Postgres Walks Into a DynamoDB Bar
- 🕵️ NSA Slides Into Anthropic’s DMs With 9 Billion Reasons
- 🥸 Spy Agencies Want Claude But Can They Afford the Terms
- 🔑 Pre-Shared Keys Were So Last Decade Azure
- ⛪ When the Church and Anthropic Agree on AI Ethics
- 🥳 Microsoft Finally Joins the Linux Party. It Crashed
- 🚡 Iran Wants Cable Fees, and That’s No Phishing
- 🧑‍💻 When the Church, the Spies, and Iran All Come for Big Tech
- 🤕 I was gonna record a podcast until I got a migraine
A big thanks to this week’s sponsors:
There are many cloud cost management tools out there, but only Archera provides insured commitments. It sounds fancy, but it’s really simple. Archera gives you the cost savings of a 1 or 3-year AWS Savings Plan with a commitment as short as 30 days. If you do not use all the cloud resources you have committed to, Archera will literally cover the difference. Other cost management tools may say they offer “insured commitments”, but remember to ask: Will you actually give me my rebate? Because Archera will.
Check out thecloudpod.net/archera to schedule a demo today.
General News
03:31 Pope Leo, Anthropic Co-Founder Warn of AI Power Concentration, Labor Displacement
- Pope Leo XIV published a 42,000-word treatise called Magnifica Humanitas, outlining the Catholic Church’s position on AI governance, with a focus on labor displacement, power concentration among private tech companies, and autonomous weapons systems.
- Anthropic co-founder Chris Olah was invited to participate in the Vatican’s AI encyclical event, and publicly acknowledged that large-scale human labor displacement from AI is a real possibility, framing support for displaced workers as a moral obligation.
- The document raises a structural concern relevant to cloud and AI businesses: private transnational companies now hold more resources and influence over AI development than many governments, complicating regulatory oversight.
- The treatise specifically calls out the working conditions of data labelers, content moderators, and rare earth mineral extractors as forms of exploitation embedded in the AI supply chain, which touches directly on how cloud AI services are built and maintained.
- For cloud and AI businesses, this document signals growing institutional pressure from non-governmental bodies to factor employment protection and human dignity into product and infrastructure decisions, not just regulatory compliance.
04:41 📢 Justin – “It’s not very often the pope weighs in on what you do for a day job.”
06:20 Iran demands Big Tech pay fees for undersea Internet cables in Strait of Hormuz
- Iran has announced intentions to charge license fees to Meta, Google, Amazon, and Microsoft for undersea cables passing through the Strait of Hormuz, though the legal and practical enforcement mechanisms remain unclear, given that most routes pass through Oman-controlled waters.
- Two major cables, FALCON and Gulf Bridge International, do pass through Iranian territorial waters at certain points, giving Iran some legitimate jurisdictional basis for the claims, while a third major cable, Asia Africa Europe-1, also runs through the region.
- Iran’s state media has gone further than the initial announcement, proposing that Iran hold exclusive rights to repair and maintain subsea cables in the area, which would create significant operational dependencies for cloud providers relying on those links.
- Over 99 percent of international internet traffic runs through undersea cables globally, and the Strait of Hormuz cables primarily serve Gulf region connectivity, meaning disruptions or fee disputes could affect cloud service reliability for customers across the Middle East.
- Ongoing regional conflict has already halted cable projects and suspended repair operations in the area, and these latest assertions may accelerate planning for alternative routing that bypasses the strait entirely.
07:50 📢 Ryan – “It makes me a little bit uneasy to think about, they can just cut the internet off.”
AI Is Going Great – or How ML Makes Money
08:40 Introducing Command A+ | Cohere
- Cohere released Command A+ as open-source under Apache 2.0, a 218B parameter mixture-of-experts model with only 25B active parameters, available on Hugging Face in BF16, FP8, and W4A4 quantizations that can run on as few as two NVIDIA H100s or a single Blackwell GPU.
- The MoE architecture delivers notable efficiency gains over the previous Command A Reasoning model, including up to 63% higher output tokens per second, 17% lower time to first token, and an additional 47% speed increase with W4A4 quantization, plus a 1.5-1.6x speedup from speculative decoding.
- Benchmark improvements are substantial in agentic tasks, with τ²-Bench Telecom scores jumping from 37% to 85% and Terminal-Bench Hard agentic coding going from 3% to 25%, alongside 20% and 32% improvements in agentic question answering and spreadsheet analysis within Cohere’s North platform.
- Multilingual support expanded from 23 to 48 languages, with tokenizer efficiency improvements of 20% for Arabic, 16% for Korean, and 18% for Japanese, addressing a common gap in enterprise deployments targeting non-European markets.
- For cloud and enterprise developers, Command A+ is available today via Hugging Face, Cohere’s Model Vault managed inference service, and the Cohere API, positioning it as a self-hostable alternative for organizations with data sovereignty requirements.
10:13 📢 Ryan – “We recently talked about the Llama models going away, and what does that do, so I’m happy to see other models – like we were hoping for – fill that gap in terms of having open source availability and things that you can run on your own hardware.”
10:54 White House, Anthropic Near Deal For Spy Agencies to Use AI
- The White House is reportedly nearing a deal to allow NSA and other intelligence agencies to use Anthropic’s AI models for classified work, despite the Defense Department previously designating Anthropic as a “supply chain risk” earlier this year over concerns about mass surveillance and autonomous weapons use.
- Anthropic’s Mythos model is central to this development, as it is specifically designed to identify software vulnerabilities, making it particularly relevant for national security and offensive/defensive cyber operations.
- The proposed $9 billion purchase of Nvidia Blackwell chips by spy agencies signals a substantial infrastructure investment to run these AI workloads on-premise or in classified cloud environments, rather than relying on shared commercial infrastructure.
- The tension between Anthropic’s acceptable use policies and government contract language raises a practical question for enterprise and public sector cloud customers about how AI vendor terms of service interact with sensitive or regulated workloads.
- Anthropic is currently fighting the supply chain risk designation in court, meaning the legal and contractual landscape around government AI procurement remains unsettled, which has direct implications for other AI vendors pursuing federal contracts.
11:46 📢 Justin – “Considering how little audit logging is in Anthropic products, I’m not sure that they should use it either.”
Security
12:50 GitHub faces a fight for its survival at Microsoft
- GitHub has experienced multiple significant outages, a remote code execution vulnerability patched in under six hours, and a breach of 3,800 internal repositories via a malicious VS Code extension, all within recent weeks.
- These incidents coincide with an ongoing migration of GitHub infrastructure to Azure servers, which involves complex MySQL cluster management.
- Following CEO Thomas Dohmke’s resignation last summer, Microsoft chose not to appoint a replacement, instead folding GitHub under the CoreAI team led by Jay Parikh.
- This structural change has contributed to a notable leadership exodus, including departures from the chief revenue officer, a senior VP who joined only months prior, and a 34-year Microsoft veteran.
- GitHub Copilot, which held an early lead in AI coding tools, has lost ground to competitors like Cursor and Claude Code.
- Microsoft reportedly considered acquiring Cursor to close this gap and has canceled internal Claude Code licenses to push developers toward improving Copilot instead.
- GitHub is shifting Copilot to usage-based billing next month, replacing the current model where users are downgraded to less capable AI models after hitting limits.
- Under the new system, users will be cut off entirely unless they purchase additional credits, which has generated developer pushback.
- The combination of reliability issues and leadership instability has prompted some developers to migrate away from GitHub entirely, with high-profile projects like the Ghostty terminal publicly announcing their departure after 18 years on the platform.
13:37 GitHub confirms breach of 3,800 repos via malicious VSCode extension
- A GitHub employee installing a trojanized version of the Nx Console VSCode extension led to the exfiltration of approximately 3,800 internal repositories, demonstrating that even major platform providers are vulnerable to supply chain attacks through developer tooling.
- The attack has been linked to the TeamPCP group, which has a documented history of targeting developer platforms including PyPI, NPM, and Docker, and was also connected to a separate incident affecting OpenAI employees around the same time.
- This incident highlights a persistent and underaddressed risk in the VSCode marketplace, where malicious extensions have repeatedly slipped through, including AI coding assistant extensions with 1.5 million installs that exfiltrated data to servers in China as recently as January.
- For organizations using GitHub at scale, the breach raises questions about internal repository access controls and whether developer workstations should have the level of access needed to exfiltrate thousands of repos through a single compromised endpoint.
- The practical takeaway for development teams is that extension vetting policies, least-privilege access for developer machines, and endpoint monitoring are not optional hygiene items, especially given that 90 percent of Fortune 100 companies rely on GitHub infrastructure.
14:06 📢 Ryan – “The supply chain stuff is only going to get worse. It’s such a huge risk, there’s no checks, and there’s very little incentive for developers to do any kind of deep dive. They want the functionality of these plugins, and those plugins can install directly in the IDE, which has direct access to the file system…Pretty quick to see how this can call home to some attack.”
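The extension-vetting takeaway above is easier to act on with a concrete check. The following is an added example, not code from GitHub, Nx, or the show: it audits a VS Code `extensions.json` (the per-user inventory VS Code keeps under its extensions directory, assumed here to be a JSON array of entries with an `identifier.id` of the form `publisher.name` and a `version`) against an allowlist, and flags anything unapproved, at an unapproved version, or that looks like a typosquat of an approved id. The allowlist, the extension ids, and the sample file are constructed for illustration.

```python
import difflib
import json

# Hypothetical allowlist for illustration: extension id (publisher.name) -> approved versions.
ALLOWLIST = {
    "ms-python.python": {"2024.22.0"},
    "nrwl.angular-console": {"18.40.2"},  # assumed marketplace id for Nx Console
}

# Constructed sample of the extensions.json shape: a JSON array of installed extensions.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.22.0"},
    {"identifier": {"id": "nrwl.angular-console"}, "version": "18.40.2"},
    {"identifier": {"id": "nrw1.angular-console"}, "version": "18.40.3"},   # lookalike publisher
    {"identifier": {"id": "esbenp.prettier-vscode"}, "version": "11.0.0"},  # never approved
])


def _closest_allowlisted(ext_id, allowlist, threshold=0.9):
    """Return an allowlisted id that nearly matches ext_id, or None.

    Catches same-name/different-publisher clones (nrw1.* for nrwl.*) and ids
    within a character or two of an approved one. Exact matches are handled
    by the caller."""
    name = ext_id.partition(".")[2]
    best = None
    for approved in allowlist:
        if approved.partition(".")[2] == name:
            return approved
        if difflib.SequenceMatcher(None, ext_id, approved).ratio() >= threshold:
            best = approved
    return best


def audit_extensions(extensions_json, allowlist=ALLOWLIST):
    """Parse extensions.json text and return findings as (id, version, reason).

    An empty list means every installed extension is allowlisted at an
    approved version. Reasons: not-allowlisted, version-not-approved,
    lookalike-of:<approved id>."""
    findings = []
    for entry in json.loads(extensions_json):
        ext_id = entry.get("identifier", {}).get("id", "").lower()
        version = entry.get("version", "")
        if ext_id in allowlist:
            if version not in allowlist[ext_id]:
                findings.append((ext_id, version, "version-not-approved"))
            continue
        near = _closest_allowlisted(ext_id, allowlist)
        if near:
            findings.append((ext_id, version, f"lookalike-of:{near}"))
        else:
            findings.append((ext_id, version, "not-allowlisted"))
    return findings


if __name__ == "__main__":
    # In real use read pathlib.Path.home() / ".vscode" / "extensions" / "extensions.json".
    for ext_id, version, reason in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{reason:36} {ext_id}@{version}")
```

Run against the real file on a fleet of developer workstations (from an MDM or EDR script) and alert on any non-empty result; pinning versions rather than just ids matters because the trojanized Nx Console build described above carried a legitimate id.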
AWS
18:24 Introducing ExtendDB: An open source DynamoDB-compatible adapter with pluggable storage backends
- AWS released ExtendDB as an open source Apache 2.0 project that implements the DynamoDB wire protocol with PostgreSQL as its first storage backend, allowing existing DynamoDB applications to run without code changes by simply swapping the endpoint URL.
- The primary use cases are local development, CI/CD pipelines, and on-premises or air-gapped environments where the managed DynamoDB service is unavailable, with the airline industry example illustrating how gate and onboard systems need DynamoDB-compatible access patterns during network outages.
- ExtendDB is written in Rust and compiles to a single binary with no external runtime dependencies, and its storage layer is defined as a Rust trait, so additional backends like Apache Cassandra can be added without modifying the core.
- This is a v0.1 early-stage release, so listeners should treat it as a development and experimentation tool rather than a production replacement for DynamoDB, as performance characteristics and scaling behavior differ significantly from the managed service.
- Since ExtendDB uses PostgreSQL as its backend, teams get familiar operational tooling like pg_dump, replication, and point-in-time recovery, but they also take on full responsibility for database availability and maintenance that DynamoDB normally handles automatically.
21:06 📢 Justin – “The fact that it plugs in different back ends, I guess, gives you a data store, which makes it potentially long-term better. But yeah, it’ll be interesting to see what people think.”
21:25 Announcing the general availability of a new AWS Local Zone in Istanbul, Türkiye
- AWS has launched a Local Zone in Istanbul (eu-central-1-ist-1a), extending AWS infrastructure into Türkiye to support low-latency workloads and local data residency requirements without needing a full AWS Region.
- The zone supports a solid set of services, including EC2 with C7i, M7i, and R7i instances, EKS, ECS, S3 One Zone-IA, EBS with gp3 volumes, Direct Connect, and Application Load Balancer, covering most common production workload needs.
- Data residency is a key driver here, as organizations in Türkiye operating under local data sovereignty regulations can now store and back up data within the country while still using standard AWS APIs and tooling.
- Istanbul joins more than 30 metropolitan areas worldwide with Local Zone coverage, and enabling it is straightforward through the EC2 console Zones tab or the ModifyAvailabilityZoneGroup API.
- Pricing follows the standard Local Zones model, which typically runs higher than parent Region pricing, so teams should review the AWS Local Zones pricing page before migrating latency-sensitive or compliance-driven workloads.
22:43 New agentic migration assessment capabilities now available with AWS Transform
- AWS Transform now includes agentic migration assessment tools that let organizations build TCO business cases using existing data sources like RVTools exports, CMDB data, and third-party discovery tool outputs, reducing the upfront data collection burden.
- The what-if scenario feature allows teams to compare migration paths with customizable assumptions around region selection, resource utilization, and service mapping, covering cost modeling for EC2, FSx, S3, SQL Server on EC2, and virtual desktops.
- Beyond pure cost analysis, assessments can now incorporate Cloud Value Framework pillars, including staff productivity, operational resilience, business agility, and sustainability, giving organizations a broader justification framework for migration decisions.
- The feature is available in all AWS regions where AWS Transform is currently supported, with no specific additional pricing mentioned, suggesting it is included within the existing AWS Transform service offering.
- For organizations earlier in their migration planning, this lowers the barrier to producing a structured business case without needing complete infrastructure discovery data upfront, which is a common bottleneck in enterprise migration projects.
23:57 📢 Ryan – “I’ve always wanted these things to be more and work better. Maybe the addition of the agentic and logic on there will make it be that extra thing, but I wish they were just a little bit… more. I just wish they worked, I guess. Like, I want the promise that they provide, and it never sort of pays off. You always have to do the hard work yourself.”
24:24 AWS Secrets Manager adds managed external secrets support for Datadog vended keys and Snowflake Programmatic Access Tokens
- AWS Secrets Manager now supports automatic rotation for Datadog API keys, Application keys, and service account credential pairs, plus Snowflake Programmatic Access Tokens, reducing manual credential management overhead for teams using these popular data and observability platforms.
- The Snowflake integration includes a configurable grace period during token rotation, which allows applications to continue using existing tokens while transitioning to new ones without service interruption.
- These additions expand the managed external secrets ecosystem to six third-party integrations, joining BigID, Confluent Cloud, MongoDB Atlas, and Salesforce, giving teams a centralized rotation workflow across multiple SaaS tools.
- For organizations already using Secrets Manager for AWS-native credential rotation, this reduces the need for custom Lambda rotation functions or third-party tools to handle Datadog and Snowflake credentials specifically.
- Availability matches existing managed external secrets regional coverage, so teams should verify their specific regions are supported via the Secrets Manager documentation before planning adoption.
25:11 📢 Justin – “I hope more vendors get this very quickly, and make this easy for vendors to onboard to, please. And then you can charge them the, you know, ridiculous price you charge for secrets.”
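The grace period described above only helps if the application side behaves: a client that caches a token forever will still break once the window closes. The following is an added example, not code from AWS or Snowflake, that models the handoff as a self-contained simulation: the service keeps honouring the previous token until the grace window expires, and a well-behaved client re-reads the secret from the store when its cached token is rejected. The store, the service, the clock, and all names are constructed stand-ins for illustration.

```python
import secrets


class FakeSecretStore:
    """Stand-in for Secrets Manager: returns the current value of one secret."""

    def __init__(self, token):
        self.token = token

    def get_secret_value(self):
        return self.token


class FakeService:
    """Stand-in for the token-accepting service (Snowflake in the story above).

    Honours the current token always, and the previous token only until the
    configured grace period after rotation has elapsed."""

    def __init__(self, token, grace_seconds):
        self.current = token
        self.previous = None
        self.previous_expires_at = 0
        self.grace_seconds = grace_seconds

    def rotate(self, new_token, now):
        self.previous, self.previous_expires_at = self.current, now + self.grace_seconds
        self.current = new_token

    def query(self, token, now):
        if token == self.current:
            return True
        return token == self.previous and now < self.previous_expires_at


def rotate(store, service, now):
    """Managed rotation: mint a new token at the service, then publish it to the store."""
    new_token = secrets.token_urlsafe(16)
    service.rotate(new_token, now)
    store.token = new_token


class RefetchingClient:
    """Caches the token, and on rejection re-reads the store once before failing."""

    def __init__(self, store, service):
        self.store, self.service = store, service
        self.token = store.get_secret_value()
        self.refetches = 0

    def query(self, now):
        if self.service.query(self.token, now):
            return True
        self.token = self.store.get_secret_value()
        self.refetches += 1
        return self.service.query(self.token, now)


def simulate(grace_seconds):
    """Rotate at t=100, then query midway through the grace window and just after it.

    Returns the two outcomes for a client that cached the token once ("naive")
    and for the refetching client, plus how many refetches the latter needed."""
    store = FakeSecretStore("t0")
    service = FakeService("t0", grace_seconds)
    naive_token = store.get_secret_value()  # cached once, never refreshed
    client = RefetchingClient(store, service)
    rotate(store, service, now=100)
    checkpoints = [100 + grace_seconds // 2, 100 + grace_seconds + 1]
    return {
        "naive": [service.query(naive_token, t) for t in checkpoints],
        "refetching": [client.query(t) for t in checkpoints],
        "refetches": client.refetches,
    }


if __name__ == "__main__":
    print("grace 60s:", simulate(60))
    print("grace 0s: ", simulate(0))
```

With a 60-second grace window the naive client keeps working until the window closes and then fails for good, while the refetching client survives both checkpoints with a single trip back to the store; with no grace window the naive client fails immediately after rotation, which is the outage the grace period exists to avoid.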
28:14 AgentWatch: Proactive AWS monitoring with ambient agents | Artificial Intelligence
- AgentWatch is an open-source ambient monitoring agent built on Amazon Bedrock AgentCore Runtime that automatically checks CloudWatch metrics, logs, and alarms every 15 minutes across multiple AWS accounts and posts structured reports to Slack, reducing the need for manual dashboard reviews.
- The solution introduces three human-in-the-loop patterns called notify, question, and review that determine when the agent acts autonomously versus when it pauses to ask for human input, which is particularly relevant for teams concerned about AI agents making unsanctioned infrastructure changes.
- The technical stack combines EventBridge for scheduling, Lambda for orchestration, Amazon Cognito for OAuth 2.0 authentication, Claude Sonnet on Amazon Bedrock for natural language summarization, and API Gateway for Slack slash command integration, making it a practical reference architecture for teams building their own agent-based tooling.
- AgentWatch supports on-demand queries through Slack slash commands in addition to scheduled reports, allowing engineers to ask natural language questions about the current infrastructure state without switching to the AWS console or writing CloudWatch queries.
- The project is available as a sample on GitHub, and costs will primarily reflect Amazon Bedrock inference usage and standard AWS service charges for Lambda, EventBridge, and API Gateway, with no separate AgentWatch licensing fee.
GCP
30:25 Agent Executor, Google’s distributed Agent Runtime
- Google released Agent Executor, an open-source runtime for managing long-running AI agent workflows, available now in preview at the GitHub repo. It addresses production reliability problems like agent crashes, disconnections, and state corruption that become serious issues when agents run for hours or days.
- The runtime includes durable execution via event logs and snapshots, secure sandboxing for multi-tenant isolation, and a single-writer architecture to prevent session state conflicts. These are particularly relevant for enterprises running agents that generate code or handle sensitive user data.
- A notable capability called trajectory branching lets developers checkpoint and fork an agent’s decision path to test different outcomes without losing prior context, which is useful for evaluation and debugging workflows.
- Agent Executor pairs with Agent Substrate, a new open-source Kubernetes extension announced alongside it, designed to handle hundreds of millions of registered agents and sub-second tool calls that would overwhelm a standard Kubernetes control plane.
- The runtime is designed to be harness-agnostic and supports LangChain, LangGraph, ADK, and the Agent2Agent protocol, meaning teams are not locked into Google’s own tooling. Pricing details are not yet published, given the preview status.
31:23 📢 Ryan – “I’m just impressed someone’s got an agent that can run for days!”
33:28 Google Cloud suspended major customer Railway.com without cause, causing outage
- Google Cloud suspended Railway.com, a platform-as-a-service provider, without apparent cause, resulting in a customer-facing outage that affected Railway’s downstream users and highlighted risks of automated account suspension systems.
- This incident raises practical concerns for GCP customers about the lack of human review processes before account suspensions are triggered, particularly for infrastructure providers whose own customers depend on continuous uptime.
- Cloud providers across AWS, Azure, and GCP have automated fraud and abuse detection systems that can suspend accounts with little warning, and incidents like this underscore the importance of customers maintaining multi-cloud or backup strategies for critical workloads.
- For businesses evaluating GCP as a primary provider, this event underscores the value of negotiating enterprise support agreements that include dedicated account management and escalation paths before outages occur, rather than after.
- https://blog.railway.com/p/incident-report-may-19-2026-gcp-account-outage
38:25 100 things we announced at Google I/O 2026
- Google Antigravity 2.0 is the centerpiece developer announcement, positioning itself as an agent-first development platform with a standalone desktop app, CLI, and SDK.
- Enterprises can connect Antigravity directly to Google Cloud projects under existing enterprise terms, with Gemini Enterprise customers getting access in the coming months.
- Gemini 3.5 Flash is now generally available through Antigravity, the Gemini API, Google AI Studio, and Android Studio, with Google citing performance improvements on coding and agentic benchmarks like Terminal-Bench 2.1 at 76.2% and MCP Atlas at 83.6%. Google claims it delivers frontier-level intelligence at less than half the cost of comparable models, which is a notable claim for cost-conscious GCP customers.
- Managed Agents in the Gemini API let developers provision a remote Linux environment with a single API call, handling reasoning, code execution, file management, and web browsing in an isolated sandbox. Developers can extend agent behavior using markdown files like AGENTS.md and SKILL.md rather than writing complex orchestration code.
- Google AI Studio now supports building and publishing native Android apps directly to Google Play’s Internal Test Track, with the first two app deployments to Google Cloud offered at no cost and no credit card required. Workspace data, including Sheets, Drive, and Docs, is now directly accessible from apps built within AI Studio.
- The new subscription tiers are worth noting for GCP customers evaluating costs: a new $100 per month AI Ultra plan targets developers and technical leads with 5x higher usage limits than the AI Pro plan and 20TB of cloud storage, while the existing AI Pro plan now bundles YouTube Premium Lite at no extra charge.
Cont. The 13 biggest announcements at Google I/O 2026
- Gemini Spark is a new, always-on AI agent running on Google Cloud virtual machines 24/7, connecting to Workspace apps like Docs, Gmail, Sheets, and Slides, as well as third-party apps like Canva.
- This is a direct signal that Google is positioning Cloud infrastructure as the backbone for persistent agentic workloads, which has real implications for GCP compute and pricing conversations.
- Gemini 3.5 Flash is now the default model across the Gemini app and AI Mode in Search, with Gemini 3.5 Pro following next month. Google highlights improved agentic task handling and coding capabilities, which matters for developers building on Vertex AI and AI Studio.
- AI Studio now supports vibe-coding full native Android apps with an embedded emulator, direct phone installation for testing, and export to Android Studio or GitHub. Firebase integration is also coming, tying the development workflow more tightly into the broader Google Cloud ecosystem.
- Google is expanding SynthID watermarking and C2PA Content Credentials into Chrome and Search, allowing users to verify AI-generated or altered images at the point of discovery. This is a practical development for enterprises concerned about content authenticity and compliance workflows.
- Google AI Ultra pricing has been restructured with a new entry point at $100 per month, down from $249.99, with a $200 per month tier adding access to Project Genie. The pricing adjustment brings it closer to competing premium AI subscription tiers from other providers.
40:21 📢 Justin – “Because Ryan loves agents just running around touching things.”
Azure
41:52 Generally Available: Azure Storage Mover Blob-to-Blob migration
- Azure Storage Mover now supports Blob-to-Blob container migrations in general availability, allowing customers to move data across regions, subscriptions, and accounts without deploying or managing any infrastructure.
- The service is agentless and fully managed, with built-in job tracking, resumability, and parallel execution support, which reduces the operational overhead typically associated with large-scale data migrations.
- Performance is rated at multi-GB/s transfer speeds depending on workload and region topology, with support for both flat namespace and hierarchical namespace storage accounts, making it suitable for enterprise-scale migrations involving large object counts and deep directory structures.
- This is a practical option for customers consolidating storage accounts, reorganizing data across Azure regions, or migrating between subscriptions, and migrations can be initiated directly from the Azure portal in a few steps.
- Pricing details are not specified in the announcement, so listeners planning migrations should check the Azure Storage Mover pricing page before scoping out large transfer jobs, as data egress and service costs can vary by region and volume.
42:48 📢 Ryan – “They didn’t release pricing information, and for these types of migrations, I think that’s key that they need to announce that.”
44:22 Public Preview: Evaluate feature rollouts with Azure App Configuration Scorecards
- Azure App Configuration now includes a Scorecards feature in public preview that gives teams a telemetry-driven view of how feature flag variants are performing in production, pulling data from Application Insights without requiring manual dashboard comparisons.
- The core value here is connecting feature flag management directly to production signals, so teams can make rollout, optimization, or deprecation decisions based on actual usage data rather than guesswork.
- Scorecards let teams compare variants against key performance indicators and detect potential issues introduced by new feature behavior, which is useful for organizations running A/B tests or gradual rollouts at scale.
- This builds on the existing Azure App Configuration Feature Management stack, so teams already using feature flags in that ecosystem can adopt Scorecards without introducing new tooling dependencies.
- Pricing details are not yet specified for this public preview capability, so teams evaluating it should factor in existing Azure App Configuration and Application Insights costs while monitoring for GA pricing announcements.
44:53 📢 Justin – “This is cool! I like the conception of this. Like, you use a scorecard, which, if you’re not using scorecarding to measure maturity and services between each other, I do highly recommend it. And this is basically how you make your rollout process data-driven, and this is a great way to do that.”
45:51 Microsoft surprises with its first server Linux distribution: Azure Linux 4.0
- Microsoft announced Azure Linux 4.0 at Open Source Summit North America, marking its first general-purpose Linux distribution available to all Azure customers as a VM image, whereas the previous 3.0 release was aimed at AKS users. It is Fedora-based, open source on GitHub, and purpose-built for Azure infrastructure with a minimal package footprint and no graphical environment planned.
- The release splits into two distinct products: Azure Linux 4.0 as a general-purpose VM image for cloud workloads, and Azure Container Linux (ACL) as a hardened, immutable container host based on Flatcar Container Linux with no package manager, designed specifically for AKS container hosting.
- Microsoft is positioning Azure Linux as a supply chain security play, with curated packages, monthly security patches, and a commitment to rapid CVE response outside the standard Patch Tuesday cycle.
- The support lifecycle is four years, with optional automatic security upgrades for both VM and AKS deployments.
- WSL support is planned so developers can run Azure Linux locally on Windows 11, providing a consistent environment between local development and cloud production workloads, with VS Code integration noted as a primary developer workflow.
- Microsoft noted that over two-thirds of customer cores in Azure already run Linux, and that Microsoft 365, GitHub, and the infrastructure supporting ChatGPT all run on Linux. Azure Linux 4.0 is positioned as a batteries-included option alongside eight existing endorsed distributions, with no changes to partner relationships with Red Hat, Canonical, or others. No separate pricing was announced beyond standard Azure VM compute costs.
47:21 📢 Ryan – “I do like that they’re talking about, like, how much Linux workload runs on Azure, because that’s always been the reality, but I always felt like – especially in the early days – that it was sort of this hush-hush, very Windows-focused thing, and it’s just not the reality in cloud and SaaS applications in general. So this, you know, is first-party support for an operating system, which is nice. I think that’s great.”
Closing
And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter, Slack team, send feedback, or ask questions at theCloudPod.net or tweet at us with the hashtag #theCloudPod