The Daily Brief · Thursday 28 May 2026

Today's Summary Squawk!

Two structural AI stories dominated today. First, the FT published a detailed analysis of how AI threatens the consulting industry's core business model — smaller, well-funded challengers using AI to undercut the Big Four on analytical work. That is not abstract: it is a direct description of the competitive environment every client in this brief operates in. Second, a critical vulnerability dubbed 'BadHost' was found in Starlette, an open-source package with 325 million weekly downloads used as the foundation layer for millions of AI agents. TeamPCP's supply chain poisoning campaign has been running for a week. Now there is a critical flaw in core agentic infrastructure on top of it. Enterprise AI deployments are running on genuinely compromised ground.

On the macro side, Iran deal signals moved markets in both directions on the same day. Iranian state TV broadcast details of a peace proposal including Hormuz reopening within a month, oil fell sharply, and the ASX recovered. But Iran's hardliners simultaneously attacked the negotiating team, and Trump told reporters it was 'solid 50/50' on deal or new strikes. Australian April inflation came in softer than expected, supporting an RBA hold in June — but that reprieve is entirely conditional on Hormuz. Salesforce delivered a weak outlook that rattled software investors already nervous about AI disruption, while Snowflake jumped 30% on a $6 billion Amazon deal. The software stack is splitting: platforms that have threaded AI into genuine revenue growth versus those that haven't.

For Australian strategy clients, today's most actionable signal is the news media bargaining code fight. US lobbyists are now formally claiming Australia's proposed News Bargaining Incentive violates the Australia-US Free Trade Agreement — a legal argument that, if it holds, would block the levy and reshape the entire framework for how platforms pay for content in this country. Separately, Telstra's own internal audit shows its learning platforms are failing to deliver the upskilling its Connected Future 30 strategy requires. A major Australian telco admitting publicly that its workforce transformation infrastructure isn't working is a rare and candid signal of how hard the execution problem actually is.


CONSULTING INSIGHT  ·  Critical

FT: AI Is Opening the Door for Smaller Challengers to Take Market Share from the Big Four

The Financial Times published a detailed examination of how AI is restructuring the consulting industry's competitive dynamics. The core argument: AI dramatically lowers the cost and time required to produce the analytical, research and synthesis work that has historically justified large consulting engagements. Well-funded boutiques and specialist firms can now replicate outputs that previously required teams of analysts, undercutting the Big Four and MBB on price and speed without sacrificing quality. The article identifies strategy, due diligence, market sizing and regulatory analysis as particularly exposed. Clients are increasingly capable of evaluating whether they need a large firm's brand and network, or simply need the output.

Point of view: This is the most directly relevant story for my practice this week. The FT is describing the structural threat to the business model I operate in. The response is not to pretend it isn't happening — it's to identify which parts of consulting genuinely require human judgment, relationship capital and contextual knowledge that AI cannot replicate, and ruthlessly shed everything that doesn't. For Australian clients building internal strategy capability, this is also an opportunity: the gap between what a well-equipped internal team can do and what they used to need external support for has narrowed significantly.

Sources: Financial Times


AI  ·  Critical

Critical 'BadHost' Vulnerability Found in Starlette — A Package Underpinning Millions of AI Agents

Ars Technica reports that a critical vulnerability called 'BadHost' has been discovered in Starlette, an open-source Python web framework that serves as a foundational component for a large proportion of AI agent deployments. The package has 325 million weekly downloads. The flaw allows attackers to potentially compromise AI agents built on top of it, with exposure spanning enterprise agentic workflows, autonomous coding assistants and customer-facing AI systems. The timing is bad: the TeamPCP supply chain poisoning campaign is already targeting open-source repositories. Organisations that have moved AI agents into production — including the Australian enterprises covered in recent days — should treat this as requiring immediate triage of their dependency chains.

Point of view: This is the security story that should land on every CTO's desk today. TeamPCP's supply chain campaign involved poisoned uploads. BadHost is different — it is a critical flaw in a widely trusted, legitimate package. Any enterprise that has deployed AI agents using Python-based frameworks should be auditing their Starlette version and dependency tree right now. For clients I work with who are accelerating agentic deployments, I am recommending a mandatory dependency audit as a pre-condition for any new production release until this is patched and verified.

Sources: Ars Technica


TRADE  ·  Critical

US Lobbyists Claim Australia's News Bargaining Incentive Violates the Australia-US Free Trade Agreement

Crikey reports that US technology industry lobbyists have formally argued that Australia's proposed News Bargaining Incentive — a 2.25% levy on digital platform local revenues designed to fund news organisations — breaches the Australia-US Free Trade Agreement. The argument centres on national treatment provisions that prohibit discriminatory levies targeting specific foreign industries. Google has separately criticised the scheme for excluding AI platforms. The exposure draft is already out; Labor has indicated it expects industry pushback. If the trade law argument gains traction in formal dispute resolution channels, it could block or substantially reshape the NBI before it reaches legislation, with flow-on implications for the model Canada has also adopted for streaming content.

Point of view: This is a materially new legal dimension to a story that has been running as a domestic policy debate. A formal AUSFTA challenge is a different category of threat to the NBI than industry lobbying — it engages treaty obligations and dispute resolution mechanisms that can operate independently of parliament. For media clients and for any business watching how Australia regulates platform economics, the immediate question is whether the government has sought DFAT advice on the trade law exposure. I would want to know that before advising anyone to build a commercial strategy around the levy being implemented as currently designed.

Sources: Crikey


AUSTRALIA  ·  Critical

Iran Peace Proposal Broadcast by State TV — Oil Falls, ASX Recovers, But Hardliners Undercut the Signal

Iranian state television broadcast details of a draft peace proposal on 28 May that would restore Strait of Hormuz shipping within a month. Oil prices fell on the news and the ASX, which had suffered a $90 billion single-day selloff earlier in the week when oil briefly surged past US$100 a barrel, recovered ground. Australian April inflation simultaneously came in softer than expected, supporting an RBA hold at the June meeting. But Iran's hardline conservative lawmakers publicly attacked the negotiating team for conceding too much, and Trump told reporters it was a 'solid 50/50' on deal or renewed strikes. Two contradictory signals are now in the market at the same time.

Point of view: The ASX's $90 billion one-day drop when oil spiked is the clearest demonstration yet of how directly the Hormuz situation transmits to Australian asset values and the rate path. The softer inflation print is genuinely good news for businesses carrying debt, but it is entirely contingent on oil staying contained. I am advising clients to model two scenarios in parallel: a deal framework that holds through June, and a scenario where hardliner resistance derails it and oil retests $100-plus. The RBA will not cut into a reopened inflation risk, and the energy cost pass-through to non-discretionary business inputs is already embedded regardless of what happens at the negotiating table.

Sources: Financial Times  ·  Financial Times  ·  SMH  ·  SMH


AI  ·  Watch

Salesforce Misses Outlook, Snowflake Jumps 30% — Enterprise Software Is Splitting on AI Execution

Salesforce gave a revenue outlook for the current quarter that fell short of analyst estimates, amplifying investor concern that AI disruption is already eating into its core CRM business. The stock fell on fears that agentic AI tools are beginning to substitute for workflow software that customers previously had to buy from Salesforce. On the same day, Snowflake jumped almost 30% after raising its annual outlook and announcing a $6 billion multiyear deal with Amazon for cloud services and AI chips — a direct demonstration of AI demand flowing to data infrastructure rather than traditional SaaS. Marvell Technology also gained on AI data centre chip demand exceeding forecasts.

Point of view: The Salesforce result is a significant data point for enterprise software strategy. The anxiety is specific: if AI agents can orchestrate CRM workflows directly, the case for paying per-seat SaaS licences weakens. Australian organisations running large Salesforce estates should be assessing whether their renewal negotiations in the next 12 months need to include explicit AI capability commitments from the vendor — and whether those commitments are credible. Snowflake tells the other side of the same story: data infrastructure that enables AI is attracting capital and growth, while application-layer incumbents are getting squeezed from below.

Sources: Bloomberg  ·  Bloomberg  ·  Bloomberg


AUSTRALIA  ·  Watch

Telstra's Learning Platforms Are Failing Its Connected Future 30 Workforce Strategy

iTnews reports that Telstra's internal learning and development platforms are not delivering the upskilling and reskilling outcomes required by its Connected Future 30 strategic plan. The company acknowledges that workforce capability transformation needs to happen at scale but that its current digital learning infrastructure is not fit for that purpose. This is a significant admission from Australia's largest telco, which has simultaneously restructured to reunite its IT and networks divisions under a single executive — a move that itself creates substantial retraining demands as previously siloed teams are integrated.

Point of view: Telstra publicly admitting its learning infrastructure is inadequate is a useful data point for every large Australian enterprise that has made bold AI and digital workforce commitments. Connected Future 30 is not a small internal initiative — it is the strategic frame for Telstra's entire technology transformation. If the platform layer supporting that transformation is failing, the capability targets embedded in the plan are not achievable on the current timeline. For clients making similar commitments, this is a concrete reminder that workforce transformation requires investment in learning infrastructure as a first-order priority, not an afterthought.

Sources: iTnews


AUSTRALIA  ·  Watch

NDIS Eligibility Changes Will Remove 241,000 Participants Over Four Years — Internal Government Modelling Revealed

The Guardian Australia reports that internal departmental modelling, released through the legislative process, projects that 241,000 current NDIS participants will no longer receive scheme supports by mid-2031 following new eligibility rules introduced before January 2028. The modelling also shows that cuts to social, civic and community participation funding will deliver the single largest saving in the government's NDIS containment package — a $36.2 billion budget measure over four years. The projected participant reduction is materially larger than any figure the government has publicly disclosed in its policy communications.

Point of view: This story cuts directly into the technology and services sectors. A reduction of 241,000 NDIS participants means a substantial contraction in demand for disability technology, assistive devices, support coordination software and service delivery platforms — a market that Australian healthtech and care technology companies have been building to serve. The funded demand base is now on a formally documented downward trajectory. The four-year timeline is long enough to plan around, but the gap between internal modelling and public statements warrants immediate review of any growth assumptions built on NDIS participant volume.

Sources: The Guardian


LEFT FIELD  ·  Signal

Websites Can Now Profile Visitors by Analysing SSD Activity Through the Browser — No Permissions Required

Ars Technica reports that researchers have demonstrated a browser-based fingerprinting technique that infers visitor identity and behaviour by measuring the timing patterns of SSD read and write activity, detectable using standard JavaScript without any user permissions or browser exploits. The technique works because different users have distinct patterns of background disk activity — from cached files, application state and prior browsing — that create a measurable and relatively stable fingerprint. It bypasses cookie-based tracking consent frameworks entirely and works across private browsing modes. No vulnerability is required; it uses legitimate browser timing APIs.

Point of view: This matters well beyond privacy circles. Australia's privacy law reform is still in progress, and the consent-based framework underpinning the entire adtech and first-party data ecosystem assumes that tracking requires some form of identifiable technical mechanism that can be disclosed and consented to. A passive, permission-free fingerprinting technique based on hardware behaviour sits entirely outside that framework. For any client building a compliance posture around the Privacy Act amendments, or any business whose consent management platform is central to their data strategy, the technical ground is shifting faster than the regulatory ground.

Sources: Ars Technica


Compiled from 38 curated sources  ·  Thursday, 28 May 2026
