How to Build an AI Business That Survives Model Churn
The model you build on is the most volatile dependency in your company. Here is how to architect a business that treats it as a swappable input instead of a foundation.
In the first week of June 2026, four frontier models reshuffled the same leaderboard. GPT-5.5 shipped. Gemini 3.1 Pro landed with a bigger context window. A Claude preview posted a 94.6 on GPQA Diamond. A coding model most founders had never heard of took the top spot on a live token-usage board. Microsoft, the company that put ten billion dollars into OpenAI, used the same week to ship its own in-house models so it could lean on OpenAI less.
That is the part nobody says out loud. The single most important component in your AI product is one you do not own, cannot control, and did not build. It changes under you on a schedule set by someone else. In January, OpenAI gave developers about two weeks of warning before pulling a model from the API. Migrating to the replacement meant a price jump from five dollars per million input tokens to fifteen. Three times the cost, on a deadline, for a model you did not choose to change.
Most founders treat this as an engineering annoyance. It is not. It is the central strategic question of building anything on top of AI: if the foundation moves every few weeks, where do you pour the concrete? This is the durable version of the model-churn story, the part that will still be true after GPT-5.5 and Gemini 3.1 are themselves deprecated. Your model is rented. Your defensibility cannot live in a rental.
I have built two companies where AI does most of the work, and I have made the rookie mistake more than once: wiring the product so tightly to one vendor that a routine model update turned into a fire drill. This is what I learned to do instead.
What this playbook covers
- Why the model is your most dangerous dependency
- The framework: the Model Churn Timeline
- Where you actually sit: the Model-Independence Map
- The four model risks, with real receipts
- Where defensibility relocates
- Why model churn is accelerating, not settling down
- Building the swap layer without over-building it
- The contrarian take: model-agnostic is not the goal
- What to do this quarter
- FAQ
Why the model is your most dangerous dependency
Every business runs on inputs it does not control. You rent office space, you depend on a payment processor, you ship on a cloud provider. What makes the model different is the rate of change and the direction of the change.
Your cloud bill does not triple overnight because a region got smarter. Your payment processor does not email you to say the rails you built on will stop working in fourteen days. The model does both, and it does them while also quietly building a product that competes with yours.
The shutdown lists make the cost concrete. Through 2025 and into 2026, the category of startup dying fastest was the thin wrapper: a clean interface over GPT or Claude with no proprietary data and no owned workflow. One analysis put it bluntly, that a thin layer over a frontier model with nothing underneath it compresses to zero margin inside twelve months. The reason is simple. If your entire product is a prompt and a nice screen, your vendor can ship the same thing as a feature, your competitor can clone it in a weekend, and the next model release can make your careful prompt scaffolding pointless. You are not a business. You are a demo with a Stripe account.
Meanwhile the orgs that survive are spreading their bets. By 2026, 37 percent of organizations were running five or more models in production, up from 29 percent the year before. Gartner moved AI gateways, the proxy layer that lets you swap models, from optional tooling to critical infrastructure. The market already figured out that single-vendor dependency is a liability. The question is what you build on the other side of that realization, because swapping models is necessary but nowhere near sufficient. You can be perfectly model-agnostic and still have no business.
There is also an asymmetry that founders consistently underestimate. The vendor optimizes for the vendor. When a provider deprecates a model, raises a price, or ships a competing feature, it is doing the rational thing for its own business, and it is doing it with far more information than you have. The provider sees aggregate usage across thousands of products, including yours, so it knows which use cases are popular before you know your category is crowded. You are negotiating with a counterparty that can see your cards. That is not a reason to avoid building on AI. It is a reason to never let the relationship be the only thing standing between you and ruin.
So there are two separate problems hiding inside model churn. The first is operational: can you change models without a rewrite? The second is strategic: is there anything in your company that a model change cannot touch? Most founders only solve the first one and wonder why their margins keep collapsing. The framework below is built to solve both.
The framework: the Model Churn Timeline
Start by accepting that churn is not an event, it is a schedule. Over the life of any model you build on, you will hit the same five markers, in roughly the same order. I draw it as a timeline because founders keep treating each marker as a surprise, when the whole sequence is predictable from day one.
Marker one is the day you ship on a given model. Everything feels great. The model is the best available, your demo sings, and you build fast because you are building directly against one clean API.
Marker two is repricing. The vendor changes what a token costs, almost always when forcing you onto a newer model. The DALL-E image API went from four cents to six cents an image on its way out. The forced text migration I mentioned tripled the input price. If your unit economics assumed the old price, your margin just moved without your permission. I wrote a whole separate piece on why cost is a product decision you make at launch, not a finance problem you defer, and repricing is exactly why.
Marker three is deprecation. The model you built on gets a removal date. In the friendly version you get six months. In the 2026 version, OpenAI gave developers roughly two weeks before pulling a popular snapshot from the API. Two weeks to re-tune prompts, update your interface, re-test every edge case, and ship, or your product breaks.
Marker four is the capability jump that should be good news but often is not. A new model is so much better that the elaborate prompt chain, the retry logic, and the guardrails you built around the old model’s weaknesses are now dead weight. The work you were proud of becomes the work you have to rip out. Founders who treated clever prompting as their product feel this one hardest.
Marker five is verticalization, the one that ends companies. Your vendor ships the product you were selling. OpenAI’s move toward memory, custom GPTs, agent orchestration, and the Responses API is explicitly designed to make it the workflow layer, not just a model behind a call. When the layer you rent decides to become the layer you sell, your only defense is everything you built that does not live in that layer.
Where you actually sit: the Model-Independence Map
The timeline tells you what is coming. The next question is whether you are exposed to it. Two things decide that. First, how much of your product’s value actually lives in the model itself versus in things you own. Second, how hard it would be to swap models if you had to. Plot those two and you get four kinds of company.
The Commodity Reseller can swap models easily but has nothing else. The model is the product, so even with perfect portability the margin races to zero. The Accidental Lock-in is the opposite mistake: not much value lives in the model, yet the team wired itself so tightly to one vendor that leaving is painful anyway. That is pure self-inflicted risk, lock-in with no upside.
The Hostage is the dangerous corner. A lot of the product’s value is the model’s behavior, and switching is hard, so every marker on the timeline lands directly on you. Repricing hits the margin, deprecation triggers a fire drill, and verticalization is an extinction event. The Durable Business sits in the opposite corner. The model is a swappable input, and the value that makes customers pay lives in things the founder owns. When a model changes, this company shrugs and routes to a different one.
The uncomfortable part is that capability and position are unrelated. You can have the smartest model in your category and still be a Hostage. You can have a mediocre model and be a Durable Business. Where you sit is an architecture and strategy choice, not a function of which model you picked. And since you cannot trust the leaderboard to tell you which model is even best, a point I made in detail in the benchmark contamination playbook, betting the company on one model’s superiority was never a safe bet to begin with.
The four model risks, with real receipts
Abstractions are easy to nod along to and easy to ignore. Here are the four risks with the actual 2025 and 2026 events that prove each one is already happening, plus what protects you from each.
| Risk | What happens | Receipt | What protects you |
|---|---|---|---|
| Repricing | Token or image price changes, usually upward on forced migration. | Forced migration tripled input price ($5 to $15 per million). DALL-E images rose from 4 to 6 cents. | Margin buffer in pricing, routing cheaper models for easy tasks, value-based pricing not cost-plus. |
| Deprecation | Your model gets a removal date and you must migrate or break. | OpenAI pulled a popular API snapshot with about two weeks notice in early 2026; GPT-4o, 4.1, and o4-mini retired in February. | A model abstraction layer plus a private eval so a swap is a config change, not a rewrite. |
| Capability shift | A better model makes your scaffolding and prompt tricks obsolete. | Four frontier models reshuffled the same board in one week of June 2026. | Keep product logic out of prompts; treat the model as a component you can upgrade behind a stable interface. |
| Verticalization | Your vendor ships the product you were selling. | OpenAI’s Responses API, memory, and agent orchestration push it to be the workflow layer, not just a model. | Owned data, deep workflow integration, and the customer relationship that the vendor cannot reach. |
Risk 1: Repricing quietly moves your margin
The cleanest way to lose money in AI is to let someone else set your costs while you set your prices a year ago. When a vendor forces a migration to a pricier model, your gross margin changes overnight, and you find out from a billing dashboard, not a board meeting. The protection is partly architectural, route cheap models for the 80 percent of requests that do not need a frontier model, and partly commercial, price on the value you deliver rather than a thin markup over token cost. If a 3x input price increase would sink you, you were running on a margin you did not own.
The trap is that repricing rarely arrives as a price increase you can argue with. It arrives bundled inside a migration you were already forced to make, so the cost change hides behind the deprecation. You think you are just moving from an old model to a new one, and three weeks later you notice the unit economics quietly inverted. The defense is to model your margin against the assumption that your main model’s price can double, and to make sure the buffer is in your pricing before you need it. Founders who price cost-plus on token spend are effectively letting their vendor set their margin, and a vendor under its own pressure to reach profitability is not going to set it generously.
Risk 2: Deprecation turns a Tuesday into a fire drill
Two weeks of notice is not enough time to safely re-tune prompts, validate outputs, and ship, unless you built for it in advance. The teams that shrug at a deprecation notice are the ones that put a thin abstraction between their code and the model provider, kept a small private eval that tells them within an hour whether a replacement model is good enough, and never let a single vendor’s quirks bleed into their core logic. The teams that panic are the ones who hard-wired one model’s exact behavior into a hundred places. Production reliability and swap-readiness are the same discipline seen from two angles.
Risk 3: Capability jumps punish clever prompting
This is the counterintuitive one. A model getting dramatically better can hurt a company whose product was the workaround. If your value was a long prompt chain that coaxed a weak model into doing something, a strong model does that thing in one call, and your moat evaporates. The lesson is to keep your durable logic, your business rules, your data handling, your quality gates, outside the prompt. Let the model improve underneath a stable interface, so a capability jump is an upgrade you absorb rather than a teardown you survive. I go deep on keeping that line clean in the internal AI stack for solo founders.
Risk 4: Verticalization is the extinction event
Every platform eventually looks at the most successful things built on it and asks why it should not just build those itself. The model providers are no exception, and they have a structural advantage: they see aggregate usage, they own the layer you depend on, and they have more capital than you will ever raise. When the vendor decides your category is worth owning, no amount of prompt cleverness saves you. The only thing that survives is what the vendor cannot copy: the proprietary data your customers generated, the workflow you embedded into their operations, and the trust you earned. Which is the whole point of the next section.
There is a sharper name for this now: vendor lock-out, the flip side of lock-in. Lock-in is when leaving the vendor is hard. Lock-out is when the vendor decides it no longer needs you in the middle and serves your customer directly. You can be perfectly portable, able to swap models in a minute, and still be locked out, because the threat was never your inability to leave. It was the vendor’s ability to make you unnecessary. The model providers are visibly moving from selling raw capability toward selling finished workflows, which means the founders most exposed are the ones whose product is closest to a thin layer of orchestration the vendor can absorb. The further your value sits from what the model does and the closer it sits to what your specific customer needs, the safer you are.
Where defensibility relocates
If the model cannot be your moat, something else has to be. The good news is that the model layer getting commoditized actually pushes value down to layers you can own. The bad news is that most founders are still pouring their effort into the one layer that is being rented out from under them.
Proprietary data is the first and strongest relocation. A model trained on the public internet has no access to the specific, messy, real-world data your customers generate inside your product. Every correction a user makes, every labeled outcome, every edge case your workflow surfaces, that is a dataset no vendor and no competitor has. It is also exactly what makes your AI outputs better than a raw model call. This is the same argument I made in the data moat playbook: the model is shared, the data is yours, so the data is where the defensibility goes.
Embedded workflow is the second. A model answers questions. A business runs a process. When your product is wired into how a customer actually operates, the approvals, the records, the handoffs, the integrations with their other tools, then ripping you out means rebuilding their operation, and a slightly smarter model in a competitor’s product does not justify that pain. Depth of integration is switching cost, and switching cost is a moat the model layer cannot supply.
The customer relationship is the third and most durable. The vendor sells a model to anyone. You sell an outcome to a specific customer you know by name, whose problems you understand, whose trust you have earned over months. That relationship is the one asset in your company that no model release can deprecate. Founders who built an audience and a relationship before they built the product, the approach I lay out in the audience-first playbook, have a head start here that no amount of vendor capital can buy back.
Notice the pattern across all three. The model is the only layer that gets worse for you over time, through churn, repricing, and verticalization, while every owned layer gets stronger the longer you operate. Your data grows, your workflow integration deepens, your customer trust accrues. This is the real reason to relocate your moat: not just safety from churn, but the compounding only happens in the layers you own. Effort spent perfecting your prompts is effort spent on an asset that depreciates. Effort spent on a feedback loop that improves your outputs is effort spent on an asset that appreciates. Same hours, opposite curves.
Why model churn is accelerating, not settling down
A reasonable founder might hope this is a temporary turbulence that calms once the model market matures. The evidence points the other way, and planning around the hope is the most expensive mistake in this whole topic.
Releases are speeding up, not slowing. Where a major model launch used to be a quarterly event, by 2026 the leading labs were shipping capable new models within weeks of each other, and even the snapshot versions inside a single model family were being deprecated within months of release. The cadence of change you have to absorb keeps shortening.
Capabilities are also converging, which sounds reassuring but is not. As the top models cluster on raw capability, the providers stop competing on intelligence and start competing on lock-in: proprietary orchestration, memory, agent frameworks, and workflow features that are sticky by design. So the model layer commoditizes while the platform layer around it gets stickier and more dangerous to depend on. The honest read is that the pressure to verticalize goes up, not down, as the underlying models become interchangeable, because finished workflows are the only place left for a provider to differentiate and capture margin.
The market has already voted with its architecture. By 2026 well over a third of organizations ran five or more models in production, and the gateway layer that makes that possible moved from a nice-to-have to standard infrastructure. The teams treating single-vendor dependency as a serious risk are not being paranoid. They are reading the same trend you should be reading, and acting before a deprecation notice forces them to.
Building the swap layer without over-building it
Now the operational half. To be a Durable Business you need to actually be able to swap models, which means a thin layer between your product and any single provider. The market has standardized on this. LLM gateways and routers like LiteLLM, OpenRouter, Portkey, and Cloudflare’s AI Gateway exist precisely so you call one interface and decide behind it which model serves the request. The goal is that changing models is a configuration change a junior engineer ships on a Tuesday, not a project the whole team dreads.
Here is what coupling versus abstraction looks like across the parts of an AI product that tend to get welded to one vendor.
| Layer | Coupled (fragile) | Abstracted (swappable) |
|---|---|---|
| Model client | Vendor SDK called directly in a hundred places. | One internal interface or a gateway; provider chosen by config. |
| Prompts | Tuned to one model’s quirks, business rules baked in. | Logic lives in code; prompts are versioned templates per model. |
| Eval suite | None, so you cannot tell if a new model is safe to ship. | 50 to 200 of your own examples; a swap candidate passes or fails in an hour. |
| Vendor-only features | Built on one provider’s proprietary orchestration and memory. | Used only where the lock-in is worth it, and known to be lock-in. |
| Pricing | Cost-plus markup over one model’s token price. | Value-based, with a margin buffer that absorbs a repricing. |
The eval suite is the keystone, and it is the part most teams skip. Without 50 to 200 of your own labeled examples, you cannot answer the only question that matters during a forced migration: is this replacement model good enough for my product? A private eval turns that from a week of nervous manual testing into an hour of automated scoring. It is also the thing that lets you ignore the leaderboard entirely and decide based on your task.
The contrarian take: model-agnostic is not the goal
Here is where I disagree with most of the advice being written right now. The popular conclusion from model churn is “go model-agnostic,” abstract everything, never depend on one provider. That is half right and quietly dangerous, because it treats portability as the destination when it is only the on-ramp.
Two problems. First, perfect model-agnosticism has a real cost. If you only ever use the lowest common denominator of features that every provider supports, you give up the genuinely useful capabilities a leading model offers, and you can spend so much engineering effort on the abstraction that you out-engineer your actual product. I have watched founders build a beautiful multi-provider routing system for a product that had no customers. That is not risk management. It is procrastination with a clean diagram.
Second, and more important, being model-agnostic does not give you a business. It removes one risk. The Commodity Reseller on the map is perfectly model-agnostic and still dies, because swappability is not value. A thin wrapper that can call any model is still a thin wrapper. If your entire response to model churn is “I can switch providers,” you have solved the operational problem and ignored the strategic one.
The named enemy here is the belief that the abstraction layer is the moat. It is not. The abstraction layer is plumbing, and plumbing is necessary but never differentiating. The real move is to spend the minimum on portability that lets you sleep at night, and then pour everything else into the owned layers: the data, the workflow, the relationship. Be portable enough to survive churn, and proprietary enough to be worth keeping.
There is a useful test for how much abstraction is enough. Ask what would actually happen if your primary provider tripled its price or pulled your model tomorrow. If the answer is a quiet config change and a one-hour eval run, you have enough portability and should stop building plumbing. If the answer is a multi-week scramble that puts the product at risk, you have too little, and that is where the next dollar of engineering belongs. Anything past the point where the answer is already “a config change” is effort stolen from the layers that actually compound.
To be fair to the other side, there are cases where deep, deliberate lock-in to one vendor is the right call, when a provider’s unique capability is genuinely core to your product and no alternative comes close. Lock-in is not always a mistake. But it should be a decision you made on purpose, with eyes open, not a place you drifted into because writing one vendor’s SDK everywhere was easy.
What to do this quarter
This is the Monday-morning version. You can run the whole thing inside one quarter, and the order matters because each step de-risks the next.
Week 1: Locate yourself on the map. Honestly answer the two questions. How much of your value lives in the model, and how hard would a swap be today? If you are anywhere but the Durable Business corner, you now know which direction to move.
Week 2: Audit the coupling. Grep your codebase for direct vendor SDK calls. Count how many places would need to change to swap models. That number is your deprecation fire-drill size. Most teams are shocked by it.
Weeks 3 to 4: Build the thin abstraction. Put one internal interface, or an off-the-shelf gateway, between your product and any provider. Do not gold-plate it. The bar is that swapping the default model is a one-line config change.
Weeks 5 to 6: Build a private eval. Collect 50 to 200 real examples from your own product with known-good answers, including your nastiest edge cases. Wire them to a pass or fail score. Now a new model can be evaluated for your task in an hour, and the leaderboard becomes irrelevant.
Weeks 7 to 8: Move one moat down a layer. Pick the single highest-payoff owned asset, usually capturing a proprietary feedback loop from your users, and ship the mechanism that starts compounding it. Even one is a real shift away from the rented layer.
Week 9: Reprice for a buffer. Check whether a 2x to 3x input price increase on your main model would break your unit economics. If it would, move toward value-based pricing and route cheaper models for easy requests before the next forced migration does it for you.
Weeks 10 to 12: Pressure-test and document. Run a fire drill. Actually swap your default model to a competitor for a day and watch the eval. Whatever breaks is your remaining coupling. Fix it, write down your model policy, and put a recurring calendar item to re-run this every quarter, because churn is not going to slow down.
If you want the wider operating context this fits inside, the cost loop, the build-versus-buy calls, the whole solo-founder machine, start with the AI-native founder playbook. Model risk is one dependency in a system that has to hold together under real load.
FAQ
What is model churn?
Model churn is the constant change in the AI models you build on: new versions shipping every few weeks, older models being deprecated and removed, prices changing on migration, and capabilities jumping in ways that can make your existing setup obsolete. It is the normal operating condition of building on top of AI in 2026, not an occasional disruption, which is why your architecture has to assume it from day one.
How do I make my AI product model-agnostic?
Put a thin abstraction between your product and any single provider, either an internal interface you control or an off-the-shelf LLM gateway like LiteLLM, OpenRouter, or Portkey. Keep your business logic in code rather than baked into prompts, version your prompts per model, and maintain a private eval so you can verify within an hour that a replacement model meets your bar. The goal is that swapping models is a configuration change, not a rewrite.
Is it bad to rely on a single AI provider?
Relying on one provider is a risk, not automatically a mistake. The danger is single-vendor dependency you drifted into by accident, where a price increase or deprecation can hurt you and you have no quick way out. Deliberate dependence on one provider can be the right call when its unique capability is genuinely core to your product. The test is whether you chose the dependency on purpose and could exit if you had to, not whether you use one provider.
What happens when OpenAI deprecates a model I use?
You get a removal date, sometimes with only a couple of weeks of notice, after which the model stops responding through the API. You have to migrate to a replacement, which can mean code changes, prompt re-tuning, edge-case re-testing, and often a different price. If you built an abstraction layer and a private eval ahead of time, this is a config change you validate in an hour. If you hard-wired one model everywhere, it is a fire drill that can take your product down.
Where should an AI startup’s moat actually live?
Not in the model, which is rented and shared by everyone. The durable moats live in three owned layers: proprietary data and feedback your customers generate inside your product, deep workflow integration that makes you expensive to rip out, and the customer relationship and trust you build over time. These are the layers a model change cannot touch and a vendor cannot copy, and unlike the model they compound the longer you operate.
Does building a model abstraction layer slow me down early on?
A thin one does not, and it pays for itself the first time a model is deprecated or repriced. The mistake is over-building it: spending weeks on a sophisticated multi-provider routing system for a product that has not found customers yet. Early on, build the minimum abstraction that makes a swap a one-line change, then put your real effort into the product and the owned layers. Portability is insurance, not the product.
How is model risk different from normal vendor risk?
Two things make it sharper. The rate of change is far higher, with models shipping and being retired on a cadence of weeks rather than years, and the direction of change can turn your supplier into your competitor, since model providers can and do ship products that compete with what their customers built. A cloud provider rarely launches a startup to compete with you. Your model provider increasingly does, which is why defensibility has to live where the provider cannot reach.
Should I wait for the model market to stabilize before building?
No. The model market is not going to stabilize on any timeline useful to you, and waiting just means competitors build the owned layers, the data, the workflow, the relationships, while you watch. The correct response to instability is not to delay, it is to architect for churn from the start: a swappable model, a private eval, and your scarce effort spent on the assets that compound. Build now, but build so the foundation can move.
Want the rest of the machine this connects to? Pair this with the cost-first AI product launch playbook and the data moat playbook. Model risk, cost, and data defensibility are three faces of the same question: what in your AI business do you actually own?