Luminarium Talk to us
← All editions

State of AI for development

State of AI for development: May 2026

Three things from May that we think change decisions, and what we are telling clients to do about each.

The AI bill became a leadership problem

Uber burned its entire 2026 AI budget in four months and admitted it could not map coding-agent token spend to proportional value. Microsoft is reportedly cancelling Claude Code licences to consolidate on Copilot. Cursor’s own data shows cost per accepted line of code varying roughly seven times across model families, and some companies now run internal leaderboards of who burns the most tokens.

What we are telling clients: this is April’s point about measuring outcomes rather than tokens, now with a bill attached. Set per-team budgets, measure spend against accepted code and shipped work, and build in provider abstraction (bring-your-own-key and routing) so you are never hostage to one vendor’s subscription economics.

The harness argument now has numbers

Benchmarks caught up with April’s harness consensus this month: scoring moved to model-and-harness combinations and found over 30 times cost variation for the same task. A good harness running an open-weight model at roughly 20 times lower cost can match a frontier API on plenty of real work, and one in three AI teams ran an open-weight model in April, up from one in five nine months ago.

What we are telling clients: April’s advice stands. Skills, instruction files and evaluation loops compound; a model swap does not. One useful shortcut from the same research: plain grep and shell search over a codebase matches vector-database retrieval at a fraction of the tokens, so most teams can skip that infrastructure entirely.

Attackers went after the AI toolchain itself

Supply-chain malware hit npm and PyPI packages used by AI development tools, persisting by hooking agent configuration files so it re-executes even after the package is removed. A Starlette vulnerability reached everything built on FastAPI, including many MCP servers. Separately, a prompt injection in an agent framework led to host-level code execution, and researchers showed agents autonomously exploiting SQL injection with no hacking instructions at all.

What we are telling clients: treat agent output as untrusted input to anything that executes. Sandbox agents at the operating-system level, move secrets from .env files into a proper manager, add minimum-release-age delays on package updates and patch FastAPI and Starlette dependencies now.


This digest is the public edition. Advisory clients get the full monthly review, a tailored edition for their context and the conversation that goes with it.

The full monthly review goes deeper on models, tooling, enterprise moves and delivery patterns, with a tailored edition per client. It is part of AI leadership on demand.