The pitch for AI agents has always been seductive: stop typing prompts and just let the model do things for you. Book the flight. Fill the form. Send the email. OpenAI has been pushing this direction aggressively with its Operator product, and competitors including Anthropic and Google are building similar agentic pipelines. The assumption baked into all of it is that the hard part is capability. Get the model smart enough, and the rest follows.

That assumption is wrong.

Capability Arrived Before the Plumbing Did

Current frontier models are genuinely capable of stringing together multi-step browser tasks with reasonable success rates. That’s real progress. But deploying an agent that acts in the world on your behalf requires something models still lack entirely: a trustworthy, auditable permission layer that sits between the agent and your accounts, your data, and your money.

Right now, the practical implementation is crude. Users hand agents login credentials or OAuth access, and the agent goes off and does things. There’s no standardised way to scope what an agent can and cannot touch, no universal revocation mechanism, and no tamper-evident log you actually own. When something goes wrong - a double booking, a form submitted with wrong details, a purchase you didn’t sanction - the audit trail is thin and the recourse is unclear.

This isn’t a theoretical concern. Researchers at academic institutions have demonstrated prompt injection attacks where malicious content on a webpage hijacks an agent mid-task, redirecting its actions without the user’s knowledge. That attack surface grows in direct proportion to how much the agent is allowed to do.
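The three things the paragraph above says are missing (scoping, revocation, a tamper-evident log) can be sketched in a few dozen lines. The example below is added here and is not code from the article or from any vendor it names; the class names, the grant format and the calendar tool are assumptions, and the tool is a constructed stand-in for a real credential-bearing integration.

```python
import fnmatch
import hashlib
import json

class AuditLog:
    """Append-only log; every entry commits to the hash of the entry before it."""
    def __init__(self):
        self.entries = []
        self.head = "0" * 64  # genesis value for the chain
    @staticmethod
    def _digest(record):
        return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    def append(self, event):
        record = {"seq": len(self.entries), "prev": self.head, **event}
        self.head = self._digest(record)
        self.entries.append(record)
    def verify(self):
        """Recompute the chain; an edited or deleted entry breaks it."""
        prev = "0" * 64
        for rec in self.entries:
            if rec["prev"] != prev:
                return False
            prev = self._digest(rec)
        return prev == self.head

class AgentGateway:
    """Every tool call passes through here; the agent never holds the raw credential."""
    def __init__(self, tools):
        self.tools = tools    # tool name -> callable(resource, **args) that owns the credential
        self.grants = {}      # grant id -> {tool name: [allowed resource globs]}
        self.revoked = set()
        self.log = AuditLog()
    def grant(self, grant_id, scopes):
        self.grants[grant_id] = scopes
    def revoke(self, grant_id):
        # Revocation is immediate and is itself recorded in the log.
        self.revoked.add(grant_id)
        self.log.append({"event": "revoke", "grant": grant_id})
    def call(self, grant_id, tool, resource, **args):
        scopes = self.grants.get(grant_id, {})
        allowed = grant_id not in self.revoked and any(
            fnmatch.fnmatch(resource, pat) for pat in scopes.get(tool, []))
        # Denied attempts are logged too: that is the record an injected action leaves behind.
        self.log.append({"event": "call", "grant": grant_id, "tool": tool,
                         "resource": resource, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{tool} on {resource} is outside grant {grant_id}")
        return self.tools[tool](resource, **args)
```

A grant that covers only `calendar/work/*` lets the agent read work calendar entries while a request for a personal calendar, an ungranted tool such as email, or any call after revocation is refused and recorded; modifying any log entry afterwards makes `verify()` return False.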

The Industry Is Shipping Anyway

None of this has slowed deployment. OpenAI, Anthropic, Google, and a growing cluster of startups are racing to establish agent platforms as a category before the safety infrastructure catches up. The commercial logic is obvious: whoever owns the agentic layer owns the relationship between users and the web. That’s an enormous prize.

But the gap between capability and safety infrastructure isn’t closing fast enough to justify the current pace of rollout to general consumers. Enterprise deployments with dedicated IT oversight and scoped permissions are a different story. Giving a general-purpose agent broad access to a regular person’s digital life - email, calendar, payment methods - is a different risk profile entirely, and it’s being treated casually.

The Model Context Protocol, which Anthropic introduced and others have begun adopting, is a step toward standardised tool-use and permissions. It’s promising scaffolding. It is not, at this stage, a solved problem dressed up as a standard.

Agents will matter. The question is whether the companies building them are willing to slow down long enough to build the layer of trust the whole model depends on. So far, the evidence suggests they are not.