Three Moats That AI Can't Commoditize

The strongest competitive advantage in software for over two decades was that software is hard to build. Nobody said it that plainly, but that was the actual moat. Switching costs, workflow embedding, data lock-in. Strip those to first principles and they all reduce to the same thing: rebuilding from scratch is expensive, so customers stay. That stopped being true about six months ago.

In February 2026, the market figured this out. The Nasdaq shed nearly $300 billion in software and data stocks in two days. By mid-March, the repricing had erased over $2 trillion in market cap across enterprise SaaS. The media called it the SaaSpocalypse. The market was more precise: it was repricing the entire per-seat licensing model as structurally broken.

The cause is straightforward. Agentic AI executes multi-step enterprise workflows end-to-end. When a single agent does the work of five humans, enterprises don’t buy 500 seats. They buy 100. Seat compression is now a line item in the 2026 budget of every major enterprise, as SaaStr documented. Oliver Wyman’s April 2026 analysis framed the repricing around three collapsed assumptions: software is no longer hard to build, seat expansion is no longer a durable monetization engine, and feature differentiation evaporates when agents interface directly with the software layer.

For the first time in a generation, public software trades at a discount to the S&P 500. That’s not a correction. That’s the market telling you the category’s economic model broke. Fifteen years ago, the prevailing thesis was that software would eat the world. It did. Now the world is watching software get eaten in turn.

Thiel Was Right. Just Not About Software.

Peter Thiel’s framework in Zero to One is simple: monopoly profits accrue to companies with durable competitive advantages. Competition is for losers. Build something so differentiated that the question “who’s your competitor?” doesn’t have a clean answer.

SaaS companies claimed exactly this moat for twenty years. Switching costs. Data lock-in. Workflow embedding. Network effects. The story held when building software required large teams and long cycles. AI collapsed that timeline. Cursor, Devin, and a dozen other tools mean a motivated team can rebuild a competitor’s core feature set in weeks vs years. The “it’s hard to build” moat is gone.

Chamath Palihapitiya posed the logical extreme of this in March: if AI makes every moat temporary, terminal values collapse and the entire valuation architecture breaks. He’s right about the question. I think he’s wrong about the answer. The moats Thiel described didn’t disappear. They migrated.

Where the moats actually are

If you’re allocating capital into the AI era, the question is simple: where does durable differentiation actually exist? I see three categories that pass the Thiel test. The real returns sit at the intersection of all three.

Money movement as a moat

Moving money is not a feature. It’s a regulated activity that requires bank partnerships, money transmitter licenses, PCI compliance, and institutional trust built over years. An AI agent can generate code to build a payment flow in an afternoon. It cannot obtain a money transmitter license in 49 states.

Stripe’s position makes this concrete. Its moat is not the API design (replicable) or the dashboard (commoditized). It’s the network of bank relationships, regulatory approvals, and the proprietary transaction data flowing through its pipes. That data alone is becoming a second-order moat: PYMNTS recently reported that payments firms are training foundation models on their proprietary transaction data, turning existing financial infrastructure into an AI advantage. Plaid’s value follows the same logic. The bank integrations require bilateral agreements that no model can shortcut.

Here’s what this looks like financially. Stripe’s take rate is roughly 2.9% + $0.30 per transaction which is a toll on economic activity that scales with GDP instead of headcount. When your revenue model is a percentage of money moved, seat compression is someone else’s problem. The SaaSpocalypse hit companies charging per user. It didn’t touch companies charging per dollar. That’s the difference between a software business and a financial infrastructure business, and the market is finally pricing it correctly.

Fintech moats compound. Every new bank partnership, every new regulatory approval, every additional dollar flowing through the system makes the next competitor’s path longer and more expensive. I look at the cost to replicate as the true measure of a moat. For a SaaS feature, that cost went to near zero. For a payments network with 50 state licenses and 200 bank partnerships, it’s still measured in years and tens of millions.

Compliance as a moat

Most founders avoid regulated industries because the compliance burden is painful. That’s exactly the point. Pain is a moat.

Healthcare (HIPAA, FDA). Financial services (SOX, BSA/AML, state-by-state licensing). Defense and government contracting (ITAR, FedRAMP, CMMC). These aren’t checkboxes. They require institutional knowledge, audit histories, ongoing relationships with regulators, and organizational muscle that takes years to build.

AI makes the software layer of these industries trivially easy to build, but does not make the regulatory infrastructure easier to obtain. As one recent analysis noted, SaaS companies investing in compliance-heavy financial services gain a defensible moat against competitors who can’t meet the requirements. A startup can spin up a HIPAA-compliant app in weeks. It cannot spin up the audit trail, the institutional credibility, or the payer relationships that make a healthcare business defensible.

I think about this in terms of time-to-compete. In unregulated software, AI compressed that from years to weeks. In regulated verticals where timelines are set by bureaucracies, it barely moved. A FedRAMP authorization still takes 12-18 months. A money transmitter license portfolio still takes 2-3 years and $5M+ in legal and compliance costs.

When every unregulated niche becomes a knife fight, the regulated verticals become the high ground. The companies already there have a structural advantage that widens as AI lowers barriers everywhere else.

Picks and shovels

The gold rush analogy is overused, but it keeps working because the underlying economics keep repeating. The miners mostly went broke. Levi Strauss sold jeans. The picks-and-shovels play works when the infrastructure layer has its own defensibility: technical depth, integration complexity, or switching costs that survive whatever happens in the application layer above.

In the AI era, this means the companies building the plumbing that agents, models, and AI-native applications depend on. The models are being rapidly commoditized and the application wrappers have become thin and vulnerable. The infrastructure between them are the data pipelines, identity systems, payment rails, compliance engines, and connectivity layers.

Bessemer’s data tells the story from the application side: AI-native upstarts are growing at ~400% and competing at ~80% of traditional SaaS ACV. That 400% growth means a flood of new companies, all of which need infrastructure. If you’re the pipes those upstarts depend on, you win regardless of which application layer prevails. You’re selling shovels to both sides of every competitive battle.

SK Hynix can charge a premium for HBM because its capacity is physically constrained and pre-sold through 2026. A server assembler cannot. The principle scales: any infrastructure component with genuine scarcity, deep integration, or a regulatory gate captures value as the layers above it churn. I look for structural infrastructure businesses where the customer’s cost-to-switch exceeds the customer’s annual contract value.

The trifecta

The most interesting companies aren’t in just one of these categories. They sit at the intersection.

Picture a company that provides financial infrastructure, operates in a heavily regulated vertical, and serves as essential plumbing for the broader ecosystem. That’s a triple lock. Customers can’t easily switch because of the financial integrations. Competitors can’t easily enter because of the regulatory requirements. The entire value chain depends on the infrastructure layer.

These exist today. Marqeta runs card issuing infrastructure for fintech companies and requires bank sponsorship agreements and compliance frameworks that take years to establish. Adyen processes payments across 30+ countries, each with its own regulatory regime, and its direct acquiring model means it owns the bank relationships rather than renting them. In government contracting, Palantir has FedRAMP, ITAR compliance, and data infrastructure so embedded in agency workflows that switching would cost more than the contract itself.

As an operator and investor, I now evaluate every new company and deal against this trifecta. Two out of three creates a durable advantage. All three create the kind of monopoly position Thiel described through structural advantages that get stronger the more the technology layer commoditizes.

Where this breaks

Every model is wrong, but some are useful.

The biggest risk to this thesis is regulatory disruption itself. If AI tools get good enough at navigating compliance, the regulatory moat erodes over a 5-10 year horizon and it’s plausible that the compliance burden shrinks enough to let new entrants through. The CFPB under the current administration is already signaling lighter-touch oversight for fintech. That helps incumbents now and it might help challengers later.

The second risk is vertical integration by the foundation model companies. If OpenAI or Anthropic decide to build payments infrastructure or compliance tools directly, they start with the AI advantage and work backward toward the regulatory moat. Google did this in maps. It could happen here. I don’t think it’s likely in the next 3-5 years because regulatory credentialing is genuinely slow and the foundation model companies have enough to do. But it belongs on the risk register.

I still bet on the trifecta because the failure modes require compounding unlikely events: regulators moving fast, foundation model companies diverting focus from their core business, and incumbents standing still. But I hold the positions knowing what would make me wrong.

What this means for capital

The SaaSpocalypse was a pricing correction. The structural shift is bigger: AI is revealing which businesses were actually differentiated versus which were riding the complexity of software development as a proxy moat. As Forbes framed it, AI didn’t kill software. It broke the SaaS growth story.

For capital allocators, the playbook follows from the analysis. Avoid pure-play feature businesses in unregulated verticals. Look for the trifecta: fintech economics, regulatory complexity, and infrastructure positioning. Underwrite the moat structure, since the technology will change every eighteen months. The bank partnerships, the FedRAMP authorization, the 49-state license portfolio.

Twenty years of SaaS investing trained everyone to ask “how good is the product?” The right question now is “what do you have that a great engineer with Cursor and a weekend cannot replicate?” If the answer is “nothing except our existing customer base,” the clock is already ticking.