What the Stack Actually Is
The AI market has four distinct layers, and knowing which layer you're talking about at any given moment is the prerequisite for every other question.
Frontier labs train the models. They employ the researchers, run the compute, publish (or don't publish) the papers, and hold the intellectual property. They are the origin point of the capability.
Hyperscalers host and serve models at scale. They have the infrastructure, the enterprise sales relationships, the compliance certifications, and the data residency options that most large buyers require. They often license model access from frontier labs under commercial agreements and deliver it through their existing cloud platforms.
Aggregators provide unified API access across multiple models, typically with additional tooling — routing, evaluation, fine-tuning, cost management. They sit between the hyperscaler layer and the buyer, or sometimes between the lab and the buyer directly, depending on the model and the use case.
Enterprise buyers are at the bottom of the stack. They contract with one of the middle layers — almost never directly with the frontier lab — and they often don't know, or don't ask, exactly which layer they're actually relying on for what.
That structure has direct implications for SLAs, data handling, model versioning, deprecation timelines, and liability. When a buyer asks "which model are we running?" they're often asking a question that their contract doesn't fully answer.
Why This Is Appearing in Buyer Conversations Now
For most of the past decade, enterprise software procurement was simpler in one specific way: the vendor who sold you the product was the vendor who built it. You knew who was responsible for uptime, security, and roadmap. The contract told you.
AI changed that. The frontier labs that produce the most capable models are, in most cases, not structured or scaled to be enterprise software vendors. They don't have the compliance infrastructure, the data residency options, or the enterprise support organizations that large buyers — especially in the public sector — require. So the hyperscalers stepped in as the delivery layer, and the aggregators stepped in to add flexibility and tooling on top.
AI procurement is now a supply chain problem. And like any supply chain, it has handoff points where accountability can get murky.
Buyers are starting to notice. CAIOs and CIOs who've done a first round of AI pilots are now asking harder questions: Who is responsible if the model behavior changes? What happens to our data during inference? If the lab updates the model, does our vendor notify us? These questions don't have clean answers yet, and the fact that they don't is itself something a seller needs to be able to speak to.
What This Section Covers
The pieces that follow go one layer at a time. Frontier labs get examined for how they differ in their approach to openness, governance, and commercial access — and why those differences matter for what a buyer can actually do with a model. Hyperscalers get examined for how they've structured their AI offerings and what that means for enterprise buyers who already have cloud commitments. The aggregator layer gets its own treatment, covering the specific use cases where it adds value versus where it adds complexity. And the open-weights question gets a full piece — what it means for a model to be "open," why that matters for deployment and compliance, and where the public sector is landing on it.
None of those pieces assume you've read the others in order. But they all assume you have the four-layer map in your head, because without it, the specific questions get confusing fast.
IDAM Bridge — In federated identity, the distinction between an Identity Provider and a Service Provider is foundational: the IdP asserts claims about a user; the SP consumes those claims and makes access decisions. The buyer authenticates through the SP, which has a trust relationship with the IdP — but the buyer doesn't have a direct relationship with the IdP. The closest AI equivalent is the frontier lab (IdP) and the hyperscaler or aggregator (SP): the buyer contracts with the serving layer, which has a commercial relationship with the lab. The analogy breaks at governance: in SAML and OIDC, the trust relationship between IdP and SP is governed by a specification. The metadata exchange, assertion format, and claim semantics are defined. In AI supply chains, the equivalent relationship is a commercial agreement — with variable and often opaque terms covering model versioning, deprecation timelines, data handling during inference, and liability. A buyer who assumes their hyperscaler's SLA covers the model's behavior is making an assumption that federated identity protocols would never let them make. The spec doesn't exist yet.
The Map Before the Territory
The AI vendor landscape is moving fast enough that some of what's written here will need updating before the year is out. But the four-layer structure is stable. Labs train models. Hyperscalers serve them. Aggregators add flexibility. Buyers contract with whoever is closest to them in the stack.
Once that map is clear, the specific questions — which lab, which hosting arrangement, which pricing model, which open-weights tradeoff — become tractable. They're still hard questions, but at least they're the right ones, asked in the right order.
That's what this section is for.