If you are Max Junestrand at Legora, Winston Weinberg at Harvey, Bret Taylor at Sierra, Arvind Jain at Glean, or George Sivulka at Hebbia, the one question every late-stage investor, every board member and every prospective enterprise customer eventually asks you is some version of:
“If Claude, or GPT, or Gemini, or whatever model is best in 18 months, keeps getting better at this pace, why won't you just be a feature inside Claude in two years?”
By mid-2026 that question is no longer rhetorical. Anthropic shipped Claude Code and crossed $1B ARR in six months. OpenAI shipped Codex against Cursor, ChatGPT Shopping against vertical commerce, and at DevDay 2025 framed ChatGPT as the operating system of your work life. Google's Stitch absorbed Galileo AI's UI-design product. The labs are visibly willing to compete with their own customers when revenue is on the table.
And yet. Harvey raised at $11B. Sierra crossed $100M ARR in seven quarters. Legora hit $5.6B. Glean is at $7.2B with a 93% adoption rate inside the Fortune 500. EvenUp doubled its valuation to over $2B. Rogo crossed $2B at Series D. The application layer is not collapsing. In absolute revenue terms it keeps accruing.
The harder read is that the labs are accruing faster. Anthropic crossed a $30B annualised run rate in April 2026, up from roughly $9B at the end of 2025, a tripling in four months and now ahead of OpenAI's reported $25B. SaaStr's read on the broader software slowdown is that as much as 70% of the deceleration at Salesforce, Snowflake and HubSpot is budget rotating into Anthropic and OpenAI. So the honest statement is narrower: the application layer is not collapsing, but in pure growth-rate terms the labs are pulling away. Holding share at the app layer now requires moats, not just product.
Both things are true at once, and that is the whole point. The application layer is real, but selective. Some moats hold. Most don't. The job is to understand which.
The investor consensus, and its limits
Before the taxonomy, here is where the smart money has actually landed. The investor view in 2026 is no longer wrappers versus models. It has broken into a clear majority position, value accrues at the app layer but only for apps with structural moats, and a vocal minority bear case, most wrappers are dead and the labs are eating their own customers.
Sequoia is the application-layer maximalist. Pat Grady's framing is that Sequoia invests an order of magnitude more in the application layer than in the foundational layer, even though the revenue from the application layer is comparatively less today. Sonya Huang's AI Ascent 2025 keynote went further: AI is going after the labour market, a profit pool at least an order of magnitude larger than previous technological transitions. Konstantine Buhler has been the most explicit on defensibility: the most durable moat is not technology but the depth of customer relationships and the simplicity of the path to outcome.
a16z is the moat-sceptic that ended up app-bullish anyway. Martin Casado has stayed remarkably consistent: models commoditise very quickly, anybody can kind of use them, there is no inherent endemic moat in the technology stack to AI other than just overcoming the bootstrap problem. In March 2026 the firm published Good News: AI Will Eat Application Software. David Haber put it plainly: the defensibility of a software product resides in owning the end-to-end workflow, becoming the system of record, having network effects, and deeply embedding within customers. AI is differentiation, not defensibility.
“What AI enables is not just a productivity enhancement but a tool that actually does the work. When you sell a 95% productivity improvement, the same end markets could be 10 to 50x larger than your software-model intuition would tell you.”
- Sarah Tavel, Benchmark
The bear case is still credible from inside the tent. Andrew Chen has argued state-of-the-art models only stay about six months ahead of open-source alternatives, so if the model is your product, you have a six-month moat. Ben Thompson's Aggregators and AI argues AI ends aggregation-theory economics. The empirical signal is OpenAI's behaviour: shipping Codex against Cursor, ChatGPT Shopping against vertical commerce, Agentic OS against vertical workflow apps.
Anthropic versus OpenAI is itself part of the moat story. Anthropic is closer to AWS for intelligence. Mike Krieger has said Anthropic ships first-party products only when they say something new. Around 86% of Anthropic's 2025 revenue came from API and enterprise. OpenAI is closer to the Apple of AI: ChatGPT as destination, the Agentic OS framing, direct competition with its own ecosystem. So the application-layer thesis is partly a bet on which lab wins distribution.
The eight moats, at a glance
Eight categories. For each, what the moat is, who claims it most credibly, the counter-argument, and a verdict on durability. The shape of the thing first.
Eight moats.
Most don’t hold.
Moat 1. Workflow depth and process IP
The claim. The model can generate output, but it doesn't know your firm's specific multi-step process. How a Centerview banker structures a credit memo. How a SoFi support agent navigates a refund policy with regulatory holds. How a magic-circle law firm runs M&A due diligence across 47 reviewers and three jurisdictions. The moat is encoding that process in software the customer cannot easily rebuild.
“Software is a stored process. It's not a neutral tool: it's an opinion for how a group of people should collaborate, encoded in a durable system. Foundation labs can't be opinionated in that way. Anthropic and OpenAI can't be opinionated about how the KKR credit team likes to structure things. That's just not their job. Our job at Hebbia is to know exactly that.”
- George Sivulka, Hebbia
Bret Taylor at Sierra says the atomic unit of AI productivity is a process, not a person. Winston Weinberg at Harvey: there is a gap between firms that have significant internal expertise and innovation teams, and those that don't. The goal is to provide something between self-build and off the shelf. Jesse Zhang at Decagon: AI becomes a system of intelligence that encodes complex business logic, creating moats for companies that implement it effectively.
The counter-argument. Process IP is real but it ages. Models that can plan, decompose and self-evaluate over long horizons reduce the value of pre-encoded workflows. Sivulka himself has hedged: software isn't a moat, skills are. Durability verdict: medium-to-high, but only when paired with another moat.
Moat 2. Proprietary data and the flywheel
The claim. The model is open-source. The data isn't. Customer-generated workflow data, vertical-specific corpora, telemetry from real production runs compound into a flywheel where each new customer makes the product better for the next, and the flywheel is structurally inaccessible to foundation models.
EvenUp is the strongest case. Lightspeed's investment memo: EvenUp's proprietary Piai model is trained on a dataset no competitor can match, hundreds of thousands of injury cases and millions of medical records, and with each case processed, its models grow more accurate, reinforcing a data flywheel that widens the gap between EvenUp and the rest of the market.
The counter-argument is unforgiving. Casado's Empty Promise of Data Moats argued that most data-pipeline moats don't survive scrutiny. Synthetic data and self-distillation are closing the gap on most domains. And customers refuse to let their data train your shared model, which kills the flywheel before it starts. Durability verdict: high, but only when the data is structurally inaccessible. Medical records, banker compensation, M&A documents, plaintiff-firm case archives. Where the data is scrapeable in two years, the moat is illusory.
Moat 3. Permission-aware governance
The claim. The model has zero idea who is allowed to see what inside an enterprise. Permission-aware retrieval, record-level access control, audit logging, SOC 2, ISO 27001, HIPAA, FedRAMP. These are 12 to 18-month engineering investments tied to enterprise procurement cycles. A foundation lab will not ship this as a default capability. It will route through companies that do.
“You need to build a permissions-aware governance and retrieval layer that brings the right information, but knowing who's asking that question so it filters by their access rights. LLMs don't understand your business. They don't know who different people are or what work you do. You have to connect model reasoning with company context.”
- Arvind Jain, Glean
The counter-argument. Anthropic's MCP standard, Microsoft's Copilot governance and Salesforce's Agentforce are all designed to make permission-aware retrieval a feature of the underlying platform. If MCP and equivalent standards mature, governance becomes a hyperscaler service and Glean's connector library becomes commodity middleware. Durability verdict: very high in the medium term. The longest lead time and the lowest substitutability today.
Moat 4. System of record and integrations
The claim. Once your product is the system of record, the place where the canonical data lives, the place other systems sync to, the place audit logs accrue, you are infrastructure, not an app. The cost to rip you out is not the cost of switching tools. It is the cost of disrupting every downstream system that depends on you.
Kareem Amin at Clay is explicit: we want to be the system of action. How you act on the data is going to be in Clay. Clay does not own the data. It owns the orchestration layer above CRMs and enrichment providers, which means it sits in the path of every GTM workflow and is hard to displace without re-routing everything downstream.
The counter-argument. Native MCP support across Anthropic, OpenAI and Google means the labs are commoditising the connector layer itself. The defensibility moves from having the integration to being trusted to broker it. Durability verdict: high. Pure connector libraries with no usage flywheel above them are not.
Moat 5. Compliance, regulation, trust
The claim. Some industries, healthcare, banking, law, defence, public sector, will never adopt a horizontal AI endpoint as their primary workflow tool because of liability, indemnification, audit and regulatory exposure. The moat is being the vendor that has done the certifications, has the indemnification clauses, has the bar-association approvals. A contract-and-paperwork moat, not a model-quality moat, and that is precisely why foundation labs are structurally bad at competing for it.
EvenUp in plaintiff law: 200,000+ cases resolved and $10B+ in damages secured is the moat made concrete. Rogo's Forward Deployed Bankers, ex-bankers embedded inside customer institutions, is a services-led moat in regulated finance, modelled on Palantir's FDE pattern. Harvey's BigLaw Bench, a proprietary eval suite, is itself a compliance artefact for regulated buyers.
The counter-argument. Microsoft Copilot is layered with enterprise-grade indemnification. Google Vertex has VPC-SC and customer-managed encryption keys. The labs deliver compliance through enterprise SKUs. Durability verdict: very high in pure regulated industries. The cleanest moat in the taxonomy.
Moat 6. Distribution and the enterprise sales motion
The claim. The enterprise sales motion is its own moat. Once you are on the Cigna preferred-vendor list, the Citi InfoSec approved-vendor registry, or the Magic Circle innovation panel, the procurement, security and legal review you have already cleared is a structural advantage the next entrant has to repeat.
“Legora has built the kind of distribution moat that vertical-AI investors have been searching for since 2023.”
- Sonali De Rycker, Accel
Harvey's three-year head start into the world's largest law firms. Sierra's logo list: SoFi (NPS +33), Cigna, ADT, Discord, Ramp, Rivian, SiriusXM, Tubi. Rogo at 35,000 users across 250+ institutions including JPM, BofA, Rothschild, Jefferies, Lazard, Moelis and Nomura. Each one cost a year of enterprise sales work. Sarah Tavel's warning still applies: the floor keeps rising on any company's ability to build new software. Durability verdict: high in the medium term, eroding in the long term.
Moat 7. Outcome-based pricing
The claim. When you charge per resolved support ticket, per closed case, per signed contract, rather than per seat, you are not selling software at all. You are selling work, and your unit economics align with the customer's. A foundation lab selling tokens cannot price that way at scale because it would have to take on operational risk it has no information advantage on.
“We think outcome-based pricing is the future of software. With AI we finally have technology that isn't just making us more productive but actually doing the job. It's actually finishing the job.”
- Bret Taylor, Sierra
Decagon's outcomes-led contracts with Chime reduced contact-centre costs by more than 60% and doubled NPS. EvenUp charges on case settlements, not seats. The counter-argument: outcome-based pricing is a marketing posture more often than a real economic model. Procurement teams can't get outcome models past finance. Durability verdict: medium. A signal, not a moat by itself.
Moat 8. Surface ownership
The claim. Whoever owns the surface, the IDE, the editor, the canvas, the inbox, the dashboard, captures attention, habit and the path of every workflow that runs through it. A foundation model accessed via chat is one interface. An IDE, a CRM or a creative canvas is a deeper one.
“The market we are in mirrors search at the end of the 90s where the product ceiling is really high. Enterprise software markets have a low ceiling for core value and lots of lock-in. Our market doesn't have that.”
- Michael Truell, Cursor
Cursor is the most interesting case because Truell explicitly rejects traditional lock-in moats and bets on relentless innovation and surface ownership instead. Cursor is a VS Code fork, not an extension. Every magic moment in Cursor involves a custom model. The counter-argument is that surface ownership is the most foundation-model-eats-them-exposed moat in this taxonomy. If Anthropic ships a first-class IDE, the surface lead can collapse fast. As of April 2026 SpaceX holds an option to acquire Cursor for $60B roughly thirty days after its IPO, folding it into the SpaceX-xAI stack, which is itself the strongest possible market signal that a pure-surface bet needs a lab behind it. Durability verdict: medium, with high variance.
The cross-company map
Apply the taxonomy to the leading vertical AI players. More dots, the company emphasises that moat more. The pattern is immediate.
The companies most insulated from Claude stack three or more. Glean: permissions plus system of record plus compliance plus distribution. Sierra: workflow plus permissions plus compliance plus distribution plus outcomes. Rogo: workflow plus data plus compliance plus distribution. EvenUp: data plus compliance plus outcomes. The companies most exposed lean on one. Cursor on surface only. Hebbia on workflow only, by its founder's own admission. The middle ground, Harvey, Legora, Decagon, stacks workflow plus distribution but is racing against model-side improvements that could close the gap.
Where the bear case bites and where it doesn't
Most exposed. Cursor: Truell himself rejects traditional moats and bets on innovation speed. The 46.9% context-cutting and custom inline models are real, but model-side advances can collapse the gap, which is exactly the read behind SpaceX taking a $60B option on the company post-IPO. Hebbia: Sivulka's own admission that software isn't a moat, skills are, is striking. The Matrix UX is elegant, but Claude Projects plus native MCP file ingestion is converging fast. Harvey, mid-bear: BigLaw Bench is impressive but model-agnostic, and frontier labs will catch up on legal evals.
Least exposed. Glean: permission-aware retrieval, 100+ enterprise connectors, a knowledge graph that takes 12 to 18 months to mature. Labs will route through Glean. EvenUp: proprietary case and medical-records corpus plus state-specific demand-letter conventions plus plaintiff-firm distribution. Claude has no path to those datasets. Sierra: outcome-based pricing aligns incentives in a way a horizontal API can't. Rogo: Forward Deployed Bankers plus bank-internal data integrations plus regulated auditability. Decagon: system-of-record integration into CX stacks plus brand-voice and policy encoding per enterprise.
The unifying frame
Across every founder and investor quoted, the implicit formula by mid-2026 is this.
“The model is the commodity. The workflow, the data, the trust and the distribution are the durable assets.”
You build a vertical AI company by stacking moats. Never one, always three or more. The companies winning today have done that. The companies on the wrong side of the bear case are leaning on a single moat, usually surface ownership or model fine-tuning, and racing the labs.
The strategic question that matters for any application-layer CEO, and the one any new entrant in a vertical needs to answer before raising, is this. Which moats am I stacking, on what timeline, and which of them will still be defensible when Claude, GPT and Gemini are three generations more capable? If the answer is fewer than three, or none of them are structural, the bear case is correct for you specifically.
The application layer is real, but selective. Some moats hold. Most don't. The job is to understand which, and the taxonomy is now well enough understood that there is no excuse for getting it wrong.
