Enterprises are in danger of sleepwalking into the next great technology lock-in cycle. This time, it may happen faster than cloud lock-in, and it may be harder to unwind.
That is one of the bigger stories running through Open Source Summit North America 2026 this week in Minneapolis. The Linux Foundation has positioned this year’s event around the next era of AI infrastructure, security and open ecosystems, with sessions focused on AI agents, software supply chain security, embedded and edge innovation, and the open technologies that increasingly sit underneath modern infrastructure. That is not just conference programming. It is a map of where the next infrastructure fight is headed.
The familiar version of lock-in was easy enough to understand. A company picked a cloud provider. Over time, it adopted more of that provider’s databases, identity services, networking services, observability tools, serverless functions and deployment models. Five years later, the company discovered that “cloud-first” had quietly become “cloud-dependent.” Escaping was possible, but it was expensive, slow and disruptive.
AI lock-in is shaping up differently. It is not waiting for the stack to mature. It is forming while the stack is still being invented.
That is what makes this moment so important for open source, and why the conversations at Open Source Summit matter beyond the normal community gathering. The fight is not really about whether enterprises should use open models or closed models, though that debate matters. It is not just about where the GPUs live, or which hyperscaler has the better AI service catalog this quarter. The deeper issue is control over the infrastructure layer that will route, execute, govern, observe and secure AI-driven work.
That layer is still taking shape. It includes agent orchestration, Model Context Protocol (MCP) servers, tool interfaces, workflow engines, memory and context systems, policy frameworks, governance controls, enterprise data connectors, execution environments and audit trails. Those sound like plumbing details. They are not. They are the control points.
Whoever owns those control points owns the way AI work gets done inside the enterprise.
That is why the open source response to AI matters. Projects and standards efforts around MCP, open orchestration, agent interoperability, open execution layers and open governance are not side stories. They are attempts to prevent the next enterprise infrastructure layer from being captured before most enterprises even realize there is a layer to capture.
This is not ideology. This is control.
The Linux Foundation’s Agentic AI Foundation is one clear sign of that shift. The foundation has been framed around open standards and shared infrastructure for agentic AI systems, including the way agents connect, coordinate and operate across tools, models and platforms. Its MCP Dev Summit earlier this year was explicitly built around protocol evolution, conformance testing, security research and production deployment lessons. In other words, the boring stuff that decides whether a technology becomes enterprise infrastructure or just another demo layer.
Open source has always had an ideological wing, and that is fine. Some people believe deeply in openness as a principle. But the enterprise case for open source has usually been more practical. Open source gives users leverage. It gives enterprises the ability to inspect, extend, integrate, move, fork, govern and negotiate. It does not eliminate vendors. It prevents any single vendor from owning the whole game.
That was the real lesson of Kubernetes. The point was not that Kubernetes became popular because everyone suddenly became an open source purist. Kubernetes gave enterprises a common control plane for cloud-native infrastructure. It gave them a way to manage containers without surrendering every architectural decision to one vendor’s proprietary stack. Kubernetes did not make cloud lock-in disappear, but it changed the leverage equation.
AI needs its own version of that leverage.
Right now, there is a lot of attention on models. That is understandable. Models are visible. They are easy to compare. They have benchmarks, leaderboards and press releases. But enterprise AI is not going to be built on models alone. The real enterprise challenge is turning AI into a repeatable, governed, secure operational system.
That means agents need to call tools. They need to access data. They need to move through workflows. They need permissions. They need identity. They need policies. They need guardrails. They need telemetry. They need auditability. They need rollback models, or at least containment models, when they do the wrong thing. They need to operate across SaaS applications, internal systems, cloud platforms, security tools and business processes.
In other words, AI needs infrastructure.
The question is whether that infrastructure becomes open enough for enterprises to control, or proprietary enough that enterprises simply rent their own future back from a handful of vendors.
This is where MCP and related open interoperability efforts become more interesting than the usual protocol discussion. MCP is not magic. It will not solve governance by itself. It will not make agents safe by default. It will not turn messy enterprise data into clean, reliable business context overnight. But the idea behind it matters because it recognizes a real problem: agents need a common way to discover and use tools without every integration becoming a proprietary snowflake.
That matters. The tool layer is one of the places where lock-in can hide.
Microsoft’s own Open Source Summit messaging makes the point directly. In discussing the Agentic AI Foundation, Microsoft described open standards for agent-to-agent communication, agent runtimes and agent orchestration as necessary because customers do not want to bet their agentic future on a single vendor’s stack. That is the lock-in argument in plain English, coming from one of the largest platform vendors in the world.
A vendor can say, “Use our agent platform because it connects to everything.” That sounds helpful until the enterprise discovers that the connections, policies, routing logic, permissions model and audit trail all live inside that vendor’s platform. At that point, the enterprise has not adopted an AI tool. It has adopted an operating model.
The same issue applies to agent orchestration. Today, orchestration often sounds like a feature. Tomorrow, it becomes the place where business logic lives. It decides which agent acts, which workflow runs, which approval gate applies, which data source is accessed, which exception path gets triggered and which system of record gets updated. That is not a minor layer. That is where operational control accumulates.
If that orchestration layer is proprietary, enterprises will find themselves in a familiar place. They will have built critical workflows around a platform they do not fully control, cannot easily inspect and cannot easily replace. Only this time, the workflows may not be simple application workflows. They may be AI-mediated workflows that touch customer service, software delivery, security operations, finance, supply chain, marketing, HR and compliance.
That is a lot of leverage to hand over without thinking hard about the exit doors.
Platform engineering teams should be paying close attention. For the last several years, platform engineering has been about reducing friction for developers and operators. Internal developer portals, golden paths, infrastructure automation, Kubernetes abstraction and self-service environments were all part of that movement. The goal was to make the right thing easier to do.
AI changes the job again.
As agents move into software delivery and business operations, platform teams are likely to become the people who decide how those agents are exposed, governed and trusted. They will need to think about AI systems the way they already think about infrastructure: access control, service boundaries, dependencies, observability, policy, lifecycle management and failure modes.
That means platform engineering cannot afford to treat AI tooling as a collection of disconnected experiments. The decisions being made now will harden into standards, contracts and dependencies later. A quick proof of concept today can become the enterprise architecture nobody remembers choosing.
That is how lock-in usually happens. Not with one big decision. With a hundred convenient small ones.
This is why Open Source Summit is a useful moment to make the argument. The event is not only about celebrating open source. It is about deciding which parts of the next infrastructure stack remain open enough for enterprises to influence. AI agents, open governance, security, observability, edge systems and software supply chain integrity are all converging because enterprise AI cannot run safely as a loose collection of clever bots. It needs an operating model.
The Linux Foundation and the broader open source ecosystem see this pattern because they have seen it before. Infrastructure starts as innovation. Then it becomes a platform. Then it becomes a control plane. Then it becomes a tax. By the time the tax is obvious, the switching costs are already baked into the business.
The open source AI infrastructure story is really an attempt to interrupt that cycle early.
Open governance matters because enterprises need policy models they can understand and adapt. Open execution layers matter because AI work should not be trapped inside one vendor’s runtime. Open orchestration matters because routing and workflow logic will become central to enterprise operations. Agent interoperability matters because no serious enterprise will run on one model, one agent framework or one vendor’s view of the world. Open connectors matter because enterprise data access is too important to become a proprietary tollbooth.
None of this means proprietary vendors have no role. They absolutely do. Enterprises will buy managed services, commercial support, security layers, compliance tooling and higher-level platforms. That is how the market works. The issue is not whether vendors make money. The issue is whether customers retain control.
There is a big difference between paying a vendor for value and being trapped because the vendor owns the only usable path forward.
That distinction is going to matter more as AI moves from pilots to production. In pilot mode, teams optimize for speed. They grab the easiest service, the most polished interface, the fastest integration and the flashiest demo. In production, the questions change. Who owns the logs? Where does the context live? Can we change models? Can we move workloads? Can we inspect the policy decisions? Can we prove what the agent did? Can we replace the orchestration layer without rebuilding the business process?
Those are not philosophical questions. They are boardroom questions. They are compliance questions. They are procurement questions. They are platform engineering questions.
The uncomfortable truth is that many enterprises are not asking them yet.
They are still treating AI as an application feature, a productivity tool or a model selection exercise. That is too narrow. AI is becoming an infrastructure layer. Once agents start taking action across systems, the infrastructure underneath them becomes as important as the agents themselves.
The open source community has a window right now. It can help define the interfaces, execution models, governance patterns and interoperability layers before the market calcifies around proprietary defaults. That window will not stay open forever.
Once enterprise workflows are built around closed orchestration systems, once data connectors are tied to proprietary policy engines, once agent memory and context live inside vendor-specific runtimes, the conversation changes. At that point, openness becomes a migration project instead of an architecture principle.
We have seen that movie. It is expensive.
Shimmy’s Take
The real AI lock-in fight is not about whether one model is better than another. Models will change. Prices will change. Leaders will change. The deeper fight is about who controls the operating layer for AI inside the enterprise.
That layer is where agents meet tools, data, policy, workflows, identity, governance and execution. It is where AI stops being a demo and starts becoming how work gets done.
That is the deeper Open Source Summit story. The Linux Foundation is not just hosting another open source gathering in Minneapolis. It is helping frame the next enterprise infrastructure question: Will agentic AI be built on open standards and shared control points, or will enterprises wake up in three years and discover that the agent layer has already been captured?
If that layer becomes proprietary by default, enterprises will spend the next decade complaining about AI lock-in the same way they spent the last decade complaining about cloud lock-in. The only difference is that this time, the dependency may sit closer to the business process itself.
Open source has a chance to prevent that. Not because open source is morally superior. Because open infrastructure gives enterprises leverage.
The next infrastructure layer is being formed right now. The question is whether enterprises will help shape it, or wake up later and discover someone else owns it.

