When Code Gets Cheap, Scarcity Moves

Why AI broke SaaS defensibility and where real moats moved.

The strongest competitive advantage in software for over two decades was that software is hard to build. Nobody said it that plainly, but that was the actual moat. Switching costs, workflow embedding, data lock-in. Strip those to first principles and they all reduce to the same thing: rebuilding from scratch is expensive, so customers stay. That stopped being true about six months ago.

In February 2026, the market figured this out. The Nasdaq shed nearly $300 billion in software and data stocks in two days. By mid-March, the repricing had erased over $2 trillion in market cap across enterprise SaaS. The media called it the SaaSpocalypse. The market was more precise: it was repricing the entire per-seat licensing model as structurally broken.

The cause is straightforward. Agentic AI executes multi-step enterprise workflows end-to-end. When a single agent does the work of five humans, enterprises don’t buy 500 seats. They buy 100. Seat compression is now a line item in the 2026 budget of every major enterprise, as SaaStr documented. Oliver Wyman’s April 2026 analysis framed the repricing around three collapsed assumptions: software is no longer hard to build, seat expansion is no longer a durable monetization engine, and feature differentiation evaporates when agents interface directly with the software layer.

For the first time in a generation, public software trades at a discount to the S&P 500. That’s not a correction. That’s the market telling you the category’s economic model broke. Fifteen years ago, the prevailing thesis was that software would eat the world. It did. Now the world is watching software get eaten in turn.

The moat wasn’t the software, it was the cost of building it

The durable-moat frame from Zero to One is familiar to most founders and investors: monopoly profits accrue to companies with advantages competitors cannot replicate. SaaS companies claimed exactly that moat for twenty years on the basis of switching costs, data lock-in, workflow embedding, and network effects.

That story held when building software required large teams and long cycles. AI collapsed that timeline. Cursor, Devin, and a dozen other tools mean a motivated team can rebuild a competitor’s core feature set in weeks instead of years. Which means a lot of what looked like a moat was really a byproduct of software being expensive to build. The “it’s hard to build” moat is gone.

Chamath Palihapitiya posed the logical extreme of this in March: if AI makes every moat temporary, terminal values collapse and the entire valuation architecture breaks. He’s right about the question. I think he’s wrong about the answer. The moats Thiel described didn’t disappear. They migrated.

Moat type	Pre-AI strength	Post-AI strength	Why it holds or breaks
Product UX	Strong	Weaker	Agents flatten interface advantage and replicate workflows faster
Feature breadth	Strong	Weaker	Multi-step functionality is easier to copy once the logic is visible
Distribution	Moderate	Moderate	Still matters, but no longer protects a weak underlying product forever
Compliance	Moderate	Stronger	AI helps with documentation, but not with audits, approvals, and institutional trust
Regulatory approvals	Strong	Strong	Time and process remain externally gated
Bank and institutional relationships	Strong	Stronger	Bilateral trust networks cannot be generated on demand
Proprietary transaction data	Moderate	Stronger	Existing flows become training and underwriting advantage
Infrastructure embed	Strong	Stronger	Deep integrations survive feature-level commoditization

The old software moat was mostly product complexity. The new moat is everything around the product that does not compress with better code generation.

Where the moats actually are

If you’re allocating capital into the AI era, the question is simple: where does durable differentiation actually exist? I see three categories that pass that test: money movement, compliance, and infrastructure. The real returns sit at the intersection of all three, and the rest of this piece builds that screen.

Money movement as a moat

Moving money is not a feature. It’s a regulated activity that requires bank partnerships, money transmitter licenses, PCI compliance, and institutional trust built over years. An AI agent can generate code to build a payment flow in an afternoon. It cannot obtain a money transmitter license in 49 states.

Stripe’s position makes this concrete. Its moat is not the API design (replicable) or the dashboard (commoditized). It’s the network of bank relationships, regulatory approvals, and the proprietary transaction data flowing through its pipes. That data alone is becoming a second-order moat: PYMNTS recently reported that payments firms are training foundation models on their proprietary transaction data, turning existing financial infrastructure into an AI advantage. Plaid’s value follows the same logic. The bank integrations require bilateral agreements that no model can shortcut.

Here’s what this looks like financially. Stripe’s take rate is roughly 2.9% + $0.30 per transaction which is a toll on economic activity that scales with GDP instead of headcount. When your revenue model is a percentage of money moved, seat compression is someone else’s problem. The SaaSpocalypse hit companies charging per user. It didn’t touch companies charging per dollar. That’s the difference between a software business and a financial infrastructure business, and the market is finally pricing it correctly.

Fintech moats compound. Every new bank partnership, every new regulatory approval, every additional dollar flowing through the system makes the next competitor’s path longer and more expensive. I look at the cost to replicate as the true measure of a moat. For a SaaS feature, that cost went to near zero. For a payments network with 50 state licenses and 200 bank partnerships, it’s still measured in years and tens of millions.

Compliance as a moat

Most founders avoid regulated industries because the compliance burden is painful. That’s exactly the point. Pain is a moat.

Healthcare (HIPAA, FDA). Financial services (SOX, BSA/AML, state-by-state licensing). Defense and government contracting (ITAR, FedRAMP, CMMC). These aren’t checkboxes. They require institutional knowledge, audit histories, ongoing relationships with regulators, and organizational muscle that takes years to build.

AI makes the software layer of these industries trivially easy to build, but does not make the regulatory infrastructure easier to obtain. As one recent analysis noted, SaaS companies investing in compliance-heavy financial services gain a defensible moat against competitors who can’t meet the requirements. A startup can spin up a HIPAA-compliant app in weeks. It cannot spin up the audit trail, the institutional credibility, or the payer relationships that make a healthcare business defensible.

I think about this in terms of time-to-compete. In unregulated software, AI compressed that from years to weeks. In regulated verticals where timelines are set by bureaucracies, it barely moved. A FedRAMP authorization still takes 12-18 months. A money transmitter license portfolio still takes 2-3 years and $5M+ in legal and compliance costs.

Category	Pre-AI time to credible competition	Post-AI time	What did not compress
Unregulated SaaS	18-24 months	1-3 months	Distribution and customer trust, but not feature replication
Payments infrastructure	24-36 months	24-30 months	Licenses, bank partnerships, compliance stack
FedRAMP / defense software	18-24 months	12-18 months	Authorization process, procurement cycles, audit burden
Healthcare compliance software	18-24 months	18-20 months	Audit history, payer relationships, regulatory credibility

These are directional ranges, not precision claims. The important point is that code got cheaper while licenses, audits, and institutional relationships did not.

Time to credible competition collapsed in unregulated software. It did not collapse in regulated infrastructure.

When every unregulated niche becomes a knife fight, the regulated verticals become the high ground. The companies already there have a structural advantage that widens as AI lowers barriers everywhere else.

Picks and shovels

The gold rush analogy is overused, but it keeps working because the underlying economics keep repeating. The miners mostly went broke. Levi Strauss sold jeans. The picks-and-shovels play works when the infrastructure layer has its own defensibility: technical depth, integration complexity, or switching costs that survive whatever happens in the application layer above.

In the AI era, this means the companies building the plumbing that agents, models, and AI-native applications depend on. The models are being rapidly commoditized and the application wrappers have become thin and vulnerable. The infrastructure between them are the data pipelines, identity systems, payment rails, compliance engines, and connectivity layers.

Layer	What AI changed	What got commoditized	Where value moved
App layer	Faster build cycles and cheaper iteration	Standalone features and interface polish	Away from thin wrappers
Workflow layer	More automation and orchestration	Basic workflow software	Toward systems with deep embedded usage
Infrastructure / rails	More demand from AI-native applications	Very little	Toward payment rails, data pipes, identity, and connectivity
Compliance / trust layer	More tooling around process	Very little	Toward approved, audited, institutionally trusted operators

When the feature layer becomes easier to copy, value shifts toward the rails and regulated systems underneath it.

The durable value moves toward systems that combine real operational embed with regulatory or institutional barriers.

Bessemer’s data tells the story from the application side: AI-native upstarts are growing at ~400% and competing at ~80% of traditional SaaS ACV. That 400% growth means a flood of new companies, all of which need infrastructure. If you’re the pipes those upstarts depend on, you win regardless of which application layer prevails. You’re selling shovels to both sides of every competitive battle.

Infrastructure with genuine scarcity, deep integration, or a regulatory gate captures value as the layers above it churn. I look for structural infrastructure businesses where the customer’s cost-to-switch exceeds the customer’s annual contract value.

The trifecta

The most interesting companies aren’t in just one of these categories. They sit at the intersection.

Picture a company that provides financial infrastructure, operates in a heavily regulated vertical, and serves as essential plumbing for the broader ecosystem. Customers can’t switch because of the financial integrations. Competitors can’t enter because of the regulatory requirements. The entire value chain depends on the infrastructure layer.

These exist today.

Company	Money movement	Regulatory complexity	Infrastructure position	Trifecta score
Stripe	Strong	Strong	Strong	3/3
Plaid	Moderate	Moderate	Strong	2.5/3
Adyen	Strong	Strong	Strong	3/3
Marqeta	Strong	Strong	Strong	3/3
Palantir	Weak	Strong	Strong	2/3

Illustrative framework, not a diligence view. The point is how the moat structure stacks.

Marqeta runs card issuing infrastructure for fintech companies and requires bank sponsorship agreements and compliance frameworks that take years to establish. Adyen processes payments across 30+ countries, each with its own regulatory regime, and its direct acquiring model means it owns the bank relationships rather than renting them. In government contracting, Palantir has FedRAMP, ITAR compliance, and data infrastructure so embedded in agency workflows that switching would cost more than the contract itself.

As an operator and investor, I now evaluate every new company and deal against this trifecta. Two out of three creates a durable advantage. All three create the kind of structural position that gets stronger the more the technology layer commoditizes.

Where this breaks

Every model has a failure mode. This one does too.

The biggest risk is regulatory disruption itself. If AI tools get good enough at navigating compliance, the regulatory moat erodes over a 5-10 year horizon and it’s plausible that the compliance burden shrinks enough to let new entrants through. The CFPB under the current administration is already signaling lighter-touch oversight for fintech. That helps incumbents now and it might help challengers later.

The second risk is vertical integration by the foundation model companies. If OpenAI or Anthropic decide to build payments infrastructure or compliance tools directly, they start with the AI advantage and work backward toward the regulatory moat. Google did this in maps. It could happen here. I don’t think it’s likely in the next 3-5 years because regulatory credentialing is genuinely slow and the foundation model companies have enough to do. But it belongs on the risk register.

I still bet on the trifecta because the failure modes require compounding unlikely events: regulators moving fast, foundation model companies diverting focus from their core business, and incumbents standing still. But I hold the positions knowing what would make me wrong.

What this means for capital

The SaaSpocalypse was a pricing correction. The structural shift is bigger: AI is revealing which businesses were actually differentiated versus which were riding the complexity of software development as a proxy moat. As Forbes framed it, AI didn’t kill software. It broke the SaaS growth story.

For capital allocators, the playbook follows from the analysis. Avoid pure-play feature businesses in unregulated verticals. Look for the trifecta: fintech economics, regulatory complexity, and infrastructure positioning. Underwrite the moat structure, since the technology will change every eighteen months. The bank partnerships, the FedRAMP authorization, the 49-state license portfolio.

Twenty years of SaaS investing trained everyone to ask “how good is the product?” The right question now is “what do you have that a great engineer with Cursor and a weekend cannot replicate?” If the answer is “nothing except our existing customer base,” the clock is already ticking.