The Great AI Retreat Has Begun
OpenAI kills Sora after six months, Google moves up quantum doomsday, and the federal government calls Microsoft's cloud 'a pile of shit.' Welcome to 2025's reality check.
OpenAI just pulled the plug on Sora after six months of public availability.
Let that sink in. A company that’s raised billions to democratize AI decided their video generation tool was too dangerous, too expensive, or too something to keep running. The official story mentions user safety and computational costs, but I’ve been around long enough to smell a panic shutdown when I see one.
This isn’t happening in isolation. Google just moved up their “Q Day” deadline — the point when quantum computers will crack current encryption — from sometime in the 2030s to 2029. That’s not a minor adjustment. That’s an “oh shit, we’re moving faster than we thought” revision that should have every CISO updating their LinkedIn profile.
Meanwhile, federal cybersecurity experts are calling Microsoft’s cloud infrastructure “a pile of shit” while approving it anyway for government use. And we’re seeing supply chain attacks hit fundamental security tools like the Trivy scanner, while self-propagating malware specifically targets Iran-based machines.
Something fundamental is shifting in the tech ecosystem. The endless optimism of the past few years is colliding with some hard realities about security, sustainability, and control.
The Sora Shutdown: More Than Meets The Eye
When OpenAI announced they were shutting down Sora, the immediate reaction was predictable conspiracy theorizing. Was this a data grab? Did they collect enough face uploads to train something more sinister?
I think the reality is both simpler and more concerning. Running AI video generation at scale is brutally expensive, and the use cases weren’t justifying the compute costs. Every second of generated video burns through GPU cycles that could be used for ChatGPT queries that actually make money.
But there’s something else happening here. The industry is starting to realize that not every AI capability should be productized immediately. Sora could generate convincing fake videos of real people — exactly the kind of technology that creates more problems than it solves in 2025’s political climate.
This represents a shift I haven’t seen since the early days of facial recognition technology. Back then, around 2011-2012, several startups quietly pivoted away from consumer facial recognition not because the technology didn’t work, but because they realized the societal implications were a minefield.
The question now is whether this is just OpenAI being cautious, or if we’re about to see a broader pullback on AI-generated video tools. My read: other companies are watching this closely. If OpenAI can’t make the economics work, that’s a warning shot for everyone else burning money on video generation.
YouTube CEO Neal Mohan’s recent comments about creators “never leaving their home” take on new meaning in this context. Maybe the future of content creation isn’t AI-generated videos, but highly produced human content that can’t be easily replicated by algorithms.
Quantum Doomsday Moves Up The Timeline
Google’s announcement that Q Day is now expected by 2029 is the kind of news that should be front-page everywhere, but it’s getting buried under AI hype cycles and political noise.
For context: Q Day is when quantum computers become powerful enough to break RSA and elliptic curve cryptography — the mathematical foundations that secure everything from your bank account to military communications. We’ve known this day was coming, but most experts were betting on the mid-2030s.
Moving that deadline up by 5-6 years isn’t just an academic adjustment. It’s a fundamental shift in how quickly we need to deploy quantum-resistant cryptography. The National Institute of Standards and Technology only finalized their post-quantum cryptography standards in 2024. Now we have maybe four years to retrofit the entire internet.
Think about how long it took to migrate from SHA-1 to SHA-256, or from HTTP to HTTPS. Those were relatively simple changes compared to rebuilding the cryptographic foundation of modern computing. And we’re trying to do it while nation-states are actively probing our infrastructure and supply chains.
The timing couldn’t be worse. We’re seeing sophisticated supply chain attacks hit security tools themselves. The Trivy scanner compromise shows that attackers are going after the very tools we use to secure our systems. It’s like poisoning the well while the village is already on fire.
The Microsoft Problem Everyone Knows About
Here’s the most damning headline in this entire batch: federal cybersecurity experts called Microsoft’s cloud “a pile of shit” and approved it anyway.
This perfectly encapsulates the impossible situation we’ve created for ourselves. Microsoft’s Azure Government Cloud has had more security incidents than anyone wants to count. The SolarWinds hack, the Exchange Server vulnerabilities, the recent Azure AD compromises — the pattern is clear.
But what’s the alternative? Migrate the entire federal government to AWS? Build a government-only cloud from scratch? Both options are politically and technically impossible in any reasonable timeframe.
So we end up with experts who understand the risks perfectly, calling out the problems explicitly, and then signing off on the very systems they know are compromised. It’s bureaucratic nihilism at its finest.
This is what happens when you let one company become too big to fail in critical infrastructure. Microsoft isn’t just a software vendor anymore — they’re a strategic dependency for the federal government. That dependency creates a moral hazard where security concerns get overridden by practical necessities.
The European Union seems to be recognizing this problem. Their recent push for cloud service providers to reinstate VMware partner programs isn’t just about competition — it’s about creating viable alternatives to the Microsoft ecosystem. When you only have one viable option, that option doesn’t need to be particularly good.
I’ve seen this movie before. In the 1990s, Internet Explorer became so dominant that Microsoft stopped caring about standards compliance or security. It took Firefox and Chrome over a decade to break that monopoly. Now we’re seeing the same dynamic play out in cloud infrastructure, but with much higher stakes.
Supply Chain Attacks Go Mainstream
The attacks on Trivy scanner and the self-propagating malware targeting Iranian systems represent a new phase in supply chain warfare. We’re not just seeing nation-states go after high-value targets anymore — they’re poisoning the entire software ecosystem.
Trivy is used by thousands of organizations to scan container images for vulnerabilities. Compromising it means attackers can hide their own vulnerabilities while potentially identifying targets through the scanning data. It’s like corrupting the smoke detectors while setting fires.
The self-propagating malware targeting Iran-based machines is even more concerning. This suggests we’re seeing automated, geographically-targeted attacks that can spread without human intervention. The malware identifies Iranian systems and wipes them, presumably as part of ongoing cyber warfare operations.
This is infrastructure-level conflict playing out through open source software repositories and security tools. Every npm package, every Docker image, every security scanner becomes a potential weapon.
The old model of cybersecurity — building walls around trusted systems — is completely inadequate for this threat landscape. When the tools you use to build the walls are compromised, the entire concept breaks down.
What This All Means
I think we’re seeing the end of the “move fast and break things” era in a very literal sense. The things that are breaking now — encryption, trust in software supply chains, faith in cloud infrastructure — are too important to treat as acceptable collateral damage.
The Sora shutdown is particularly telling because it represents a company voluntarily pulling back from a technological capability. When was the last time you saw a major tech company do that? Usually they push forward regardless of consequences and deal with the fallout later.
But in 2025’s environment, that approach is becoming untenable. The regulatory pressure is increasing, the security landscape is getting worse, and the economic realities of running these systems at scale are becoming clear.
We’re entering a period where technological capability and technological deployment are going to diverge significantly. Just because we can build something doesn’t mean we should ship it. Just because we can scale something doesn’t mean we should run it indefinitely.
This is actually healthy, if uncomfortable. The industry needed a reality check about sustainability, security, and responsibility. The question is whether we can navigate this transition without breaking the systems we depend on.
The quantum timeline acceleration forces everyone to get serious about post-quantum cryptography now, not later. The supply chain attacks mean we need to rethink how we trust and verify software dependencies. The Microsoft situation highlights how dangerous it is to have single points of failure in critical infrastructure.
These aren’t separate problems — they’re all symptoms of an ecosystem that prioritized growth and convenience over resilience and security. Now the bill is coming due.
My prediction: we’re about to see a lot more shutdowns like Sora. Companies are going to start pulling back from capabilities that seemed like obvious wins just a year ago. The economics don’t work, the security implications are too scary, or the regulatory environment is too uncertain.
This isn’t necessarily bad for innovation — constraints often drive creativity. But it’s going to feel like a significant shift after years of “AI will solve everything” optimism.
The companies that thrive in this environment will be the ones that can build secure, sustainable, and economically viable systems. The ones that can’t will join Sora in the graveyard of promising technologies that couldn’t survive contact with reality.
What I’m Watching
- Post-quantum cryptography deployment timelines from major cloud providers — If Google’s 2029 Q Day estimate is accurate, we should see accelerated migration plans from AWS, Microsoft, and Google Cloud by mid-2025. Any delays here will signal that the industry isn’t taking the threat seriously enough.
- More AI tool shutdowns or pivots in Q1 2025 — Sora won’t be the last. I’m watching for other compute-intensive AI applications to either shut down or dramatically change their business models. Video generation tools are the obvious candidates, but large language model APIs could be next if economics don’t improve.
- Supply chain security requirements from federal contractors — The government is going to respond to these attacks with new requirements for software bill of materials, dependency verification, and security scanning. Companies that get ahead of this will have competitive advantages in federal contracting.
- European Union’s response to the Microsoft cloud dependency problem — The EU has been more aggressive about technology sovereignty than the US. If they mandate alternatives to Microsoft’s ecosystem, it could create viable competition that benefits everyone. Watch for policy announcements around digital sovereignty in the first half of 2025.
The party’s over, but the real work is just beginning.