Agentic AI - models that don’t just answer questions but take actions on your behalf - has been the dominant pitch from OpenAI and Anthropic for the past year. The demos are convincing: the model books a restaurant, files a form, browses a site, clicks the right buttons. It looks like delegation. It functions more like liability transfer.
OpenAI’s Operator feature, available to ChatGPT Pro subscribers, lets the model interact with websites as if it were the user. Anthropic’s Claude has a similar computer use capability. The framing from both companies is productivity: stop doing repetitive tasks yourself. What gets glossed over is the trust architecture underneath.
When an AI agent fills out a form on your behalf, submits a purchase, or interacts with your email, the action is yours in every legal and practical sense. The model doesn’t own the account. If it clicks the wrong thing - confirms a subscription instead of canceling one, sends a draft email, accepts terms you didn’t read - there is no clear recourse. OpenAI’s usage policies explicitly note that users are responsible for how Operator is used and for any outputs or actions taken. That’s not unusual boilerplate. It’s a meaningful shift of risk onto the person who understands the least about what the system is doing.
This isn’t a hypothetical concern. Prompt injection - where a malicious webpage embeds hidden instructions that redirect an AI agent mid-task - is a documented attack vector. Researchers have demonstrated it repeatedly in controlled settings. An agent browsing the web on your behalf is a target in a way that a chatbot simply isn’t.

The incentive structure doesn’t favor caution
OpenAI has a strong commercial reason to make agentic features sound straightforward. The more capable the model appears, the more justified the Pro subscription price. Friction - warnings, confirmation screens, detailed explanations of what the agent is about to do - works against that narrative of effortless automation.
So the features ship with some guardrails, but the mental model sold to users is closer to “trust it” than “verify it.”
Power users who understand the constraints can use these tools carefully and get real value from them. That’s not most of the people signing up. Most will interact with Operator the same way they interact with any app: assume it works as advertised, and discover the edge cases when something breaks.
The capability is real. The accountability gap is just as real, and considerably less discussed.