Useful walk-through, and the "what was missing, what landed, what's at parity" frame is the right way to read 460 sessions. The thread I'd surface: the consequential launches aren't the models, they're the isolation and governance primitives, and they answer a problem the rest of the stack creates.
Once you have hosted agents running arbitrary code, managed memory they write to, and MCP/A2A endpoints, failures stop being SRE-shaped and turn trust-boundary-shaped: untrusted execution, write paths into memory, tool calls with authority. So the untrusted-code sandboxes, the least-privilege Execution Containers SDK, and the Gateway logging every tool call are what I'd lead with, defense-in-depth as product. Two boundary questions in that spirit: does memory's "remember/forget" CRUD go through a verification gate or can the agent mutate its own memory freely (unconstrained writes are how persistent memory rots silently), and does Gateway model-fallback flag that it fails over to a different trust profile, different refusals and blind spots, making routing a security decision, not just uptime.
Worth pressing because you've got a great posture, agent-as-untrusted by default, and those are the two seams where it either holds or quietly leaks. The parity read is the most clarifying I've seen on where Azure sits now.