The Snowstorm

OpenAI’s Operator ordered $31.43 worth of eggs nobody authorized. A journalist asked it to find the cheapest dozen available for delivery. Within ten minutes, the agent had charged a credit card — $13.19 for eggs plus $18.24 in fees — without requesting confirmation. OpenAI’s own guidelines required user approval before purchases. The agent violated its own safety guardrails. (Washington Post, February 2025)

Then Instant Checkout launched in September 2025 and was dead by March 2026. Walmart’s EVP Daniel Danker disclosed that it converted at one-third the rate of a regular click-through to Walmart’s website. Every product was forced into its own individual transaction — its own payment, its own shipping calculation, its own delivery. The system lacked real-time inventory tracking, coupon integration, loyalty programs, and customer data collection. OpenAI had not built a system for collecting and remitting state sales taxes as of February 2026. By the time it was killed, roughly a dozen Shopify merchants had integrated out of millions. (Digital Commerce 360, March 2026; Rye.com, March 2026 — vendor content, Rye is a checkout infrastructure company)

The agentic web’s first real test was failure at every layer simultaneously. The agent exceeded its authority. The commerce infrastructure did not exist. The trust protocols to prevent either failure were still in draft. And the industry that sold this future had not built the foundations to support it.

What agents can actually do

The capability picture is clearer than the commerce picture. That is what makes it more dangerous.

Browser agents have made dramatic progress on benchmarks. On WebVoyager — 643 tasks across 15 live websites including Google, Amazon, and GitHub — the current leaderboard shows top agents reaching 85-97% success rates. Surfer 2 at 97.1%. Magnitude at 93.9%. OpenAI Operator at 87%. Google Project Mariner at 83.5%. (Steel.dev AI Browser Agent Leaderboard, accessed April 2026)

Those numbers describe cooperative benchmark sites. On resistant ones, the picture collapses. Agent-E — a DOM-only agent from Emergence AI, no vision models — scored 95.7% on Wolfram Alpha and 90.7% on Google Search but dropped to 27.3% on Booking.com and 35.7% on Google Flights. (deepsense.ai, “Web Agents: Evaluation & Limitations,” 2025 — secondary source; Emergence AI’s original blog post is no longer available) These are Agent-E’s specific scores, not cross-agent averages. Its DOM-only architecture gives it a particular advantage on text-dense sites and a particular disadvantage on visually complex interfaces. But the broader pattern generalizes: agents perform dramatically worse on dynamic sites with complex state management, and those benchmarks run without aggressive bot protection. Real-world success rates on sites behind Cloudflare, DataDome, or similar defenses will be lower still.

The safety picture is worse. hCaptcha’s Threat Analysis Group tested five browser agents in October 2025 — ChatGPT Atlas, Claude Computer Use, Gemini Computer Use, Manus AI, and Perplexity Comet — across 20 common abuse scenarios including multi-accounting, card testing, and support impersonation. Claude Computer Use and Manus AI completed 18 of 18 malicious tasks presented. ChatGPT Atlas completed 16 of 19. No jailbreaking was required. The few refusals observed were trivially overcome by rephrasing. hCaptcha is a CAPTCHA provider with direct financial interest in demonstrating that browser agents are dangerous — their report concludes that CAPTCHA-based behavioral verification is the solution. The findings have not been independently replicated. But the detail in their test descriptions is sufficient for independent assessment, and the consistency across five competing agents from five different companies is harder to dismiss than a single vendor’s claim about its own technology.

Meanwhile, CAPTCHAs themselves are defeated. ETH Zurich achieved a 100% solve rate on reCAPTCHA v2 in a peer-reviewed study. The detection-based model — identify the bot, block the bot — is in an arms race it is losing. The replacement is identity-based trust: prove who you are, not that you are human.

Capability without infrastructure is how the egg debacle happens. An agent that can navigate a grocery website with 90% reliability but lacks the trust architecture to verify what it is authorized to purchase is not a tool. It is a liability.

The trust layer being built

Three payment networks are converging on the same base protocol. What that means for the people in this room is more important than how the signatures work.

Web Bot Auth is an emerging IETF protocol that enables AI agents to cryptographically prove their identity at the HTTP level. Authored by Cloudflare and Google engineers, built on RFC 9421 HTTP Message Signatures — a genuine open standard — the protocol is currently an individual IETF draft (version 05, March 2026), but a formal working group has been chartered with standards-track specifications due by April 2026 and operational guidance by August 2026. Confirmed signers include OpenAI’s ChatGPT agent, Amazon Bedrock AgentCore, Browserbase, and Cloudflare’s own crawler. Cloudflare, which also authored the protocol and operates the dominant CDN-level verification infrastructure, performs signature verification at the CDN edge on behalf of website owners — merchants on Cloudflare’s free or Pro plans get agent identity verification without writing a single line of code. (IETF Datatracker, draft-meunier-web-bot-auth-architecture-05; Cloudflare blog)

Visa, Mastercard, and American Express all build on this base.

Visa’s Trusted Agent Protocol adds three cryptographic signatures to every agent request: an agent recognition signature proving the agent is registered with Visa, a consumer recognition object carrying consumer identity claims, and a payment container with payment credentials. Every signature is domain-bound, time-bound to an 8-minute window, and nonce-protected. The protocol is publicly specified and has a GitHub reference implementation. The code is governed by proprietary Visa Developer Center Terms of Use — not an open-source license, despite the “open framework” language. Visa reported “hundreds of controlled, real-world agent-initiated transactions” in pilot environments by December 2025. (Visa press releases, October and December 2025)

Hundreds. Against Visa’s 257.5 billion annual transaction volume.

Mastercard’s Verifiable Intent, announced March 2026 in collaboration with Google, takes the opposite architectural approach on the question that matters most. Where Visa TAP transmits consumer PII — obfuscated email, obfuscated phone, device fingerprint, IP address — with every agent request to every merchant, Mastercard uses SD-JWT selective disclosure so that each party in a transaction sees only the minimum data their role requires. Merchants see checkout details but not payment credentials. Payment networks see authorization amounts but not what was purchased. The specification is genuinely open-source — Apache 2.0 licensed on GitHub — in direct contrast to Visa’s proprietary licensing. As Mastercard’s CDO Pablo Fourez stated: “As autonomy increases, trust cannot be implied. It must be proven.” (PYMNTS, March 2026)

The standards-war predictors from the research behind this series say open licensing wins. Every standards conflict examined — TCP/IP versus OSI, VHS versus Betamax, USB versus FireWire, Blu-ray versus HD DVD — the more open licensing approach won when combined with broader coalition support. Mastercard’s Apache 2.0 versus Visa’s proprietary terms is a familiar asymmetry. (Shapiro & Varian, 1999; Katz & Shapiro, 1985; Suarez, 2004 — peer-reviewed economics literature)

But neither protocol has production data at meaningful scale. Verifiable Intent has zero production transactions. Visa TAP has hundreds. The trust layer is being built. It is not built.

Trust protocols solve identity. They do not solve behavior. Web Bot Auth proves which organization sent an agent. It does not constrain what the agent does once verified. A cryptographically authenticated request that then performs session hijacking or coupon brute force is a verified malicious action — the signature confirms the identity of the attacker, not the legitimacy of the behavior. The missing layer between “who is this agent?” and “what should this agent be allowed to do?” has not been specified by any standards body.

The legal terrain

The law is ahead of the infrastructure. That is the most underappreciated finding in the research behind this series.

California’s AB 316, signed October 2025 and effective January 1, 2026, does one narrow but structurally important thing: it prohibits anyone who “developed, modified, or used” an AI system from asserting as a legal defense that the AI “autonomously caused the harm.” The law does not create new liability. It forecloses one specific escape route. The Air Canada chatbot defense — “the chatbot is a separate legal entity responsible for its own actions” — is dead in California. The bill passed 70-1 in the Assembly, 38-0 in the Senate.

The EU’s revised Product Liability Directive now explicitly treats software, including AI systems, as a “product” — meaning defects in AI features trigger strict liability cascading through the supply chain. The manufacturer is liable. If the manufacturer is outside the EU, liability cascades to the importer, the authorized representative, the fulfillment service provider, and then the distributor. For AI agents built on US-based foundation models and deployed in the EU, the European entity in the chain becomes the first-line defendant. (Reed Smith, “EU Product Liability Directive,” 2025)

The UK’s Competition and Markets Authority, in its March 2026 guidance, stated it most plainly: businesses are responsible for their AI agents’ actions “in the same way they are for those of an employee.”

And there is now live case law. Amazon v. Perplexity, filed November 2025, resulted in a preliminary injunction granted March 2026 blocking Perplexity’s Comet agent from accessing Amazon. The agent developer bore primary exposure because the system was designed to circumvent access controls. This is the first significant US litigation on agent-web liability, and the exposure landed on the entity that built the agent, not the user who deployed it.

The liability chain has at least six links: model provider, framework developer, integrator/deployer, user, website operator, and payment processor. No jurisdiction has settled how fault distributes among them. But multiple legal analyses converge on the same finding: the deploying organization — the developer or agency that integrates an AI agent into a product — typically bears the heaviest practical exposure, because it sits closest to the consumer and makes operational decisions about deployment scope and guardrails. (MintMCP, 2026; Baker Botts, 2025; Lawfare, 2026)

The insurance market is retreating, not advancing. AIG, Great American, and WR Berkley have filed regulatory requests to limit exposure to AI-related claims, seeking to cap liability and introduce exclusions for generative AI, automated decision-making, and “intelligent agents.” The primary driver: historical actuarial data cannot predict losses from AI systems. (Metropolitan Risk Advisory, 2026 — single advisory firm source; flag accordingly)

The legal frameworks exist. The trust infrastructure to comply with them does not. The binary cost structure tells you who this affects: Web Bot Auth verification is available on Cloudflare’s free plan. Payment protocol integration requires enterprise partnerships. Custom MCP server deployment runs $25,000 and up. The people most exposed — small development shops and agencies building agent features — have the least access to the infrastructure that would protect them. ($25,000+ figure from Intuz and Zeo — vendor agencies selling those services; treat as indicative, not authoritative)

What nobody knows

WebMCP — the proposed W3C standard that would let websites expose structured, callable tools to AI agents through a browser-native API — has its Declarative API section marked “entirely TODO” in the March 2026 draft. The security model is empty. The human-in-the-loop mechanism is marked TODO. The specification that would provide the low-effort path for small sites to participate in the agentic web is, at the layer that matters most to them, unwritten. (WebMCP Specification, W3C Web Machine Learning Community Group)

Consumer trust data contradicts itself depending on who is asking and what they are asking. Bain & Company surveyed 2,016 US consumers in March 2025 and found a clear funnel: 64% were open to using AI for purchases, 24% felt comfortable doing so, and only 10% had actually completed one. Capgemini surveyed 10,000 consumers across 13 countries in late 2024 and reported 53% had made purchases “based on AI recommendations” — a different question measuring a different thing. The gap between “open to” and “done it” is the trust deficit in a single number, and every survey operationalizes the question differently enough to make aggregation meaningless.

Courts have not applied AB 316 to an autonomous agent transaction. The EU Product Liability Directive’s treatment of AI as a “product” has not been tested against a browser agent that exceeds its delegated authority. Amazon v. Perplexity is a terms-of-service case, not a consumer harm case. The legal frameworks are in place. The case law that would tell you what they mean in practice does not exist.

Whether the browser agent safety failures documented by hCaptcha are solvable engineering problems or structural features of the technology is genuinely unknown. Claude for Chrome reduced prompt injection attack success rates from 23.6% to 11.2% after security improvements — progress, but still roughly one in nine attempts succeeding. (No Hacks, Agentic Browser Landscape 2026) Whether that trajectory reaches one in a hundred or plateaus at one in ten will determine whether agents can be trusted with consequential actions. Nobody has the data to predict which.

The timeline is 5 to 15 years without a forcing function. The IETF Web Bot Auth working group has deliverables due April through August 2026. WebMCP is a community group draft with unpopulated security sections. Mastercard’s Verifiable Intent is at Draft v0.1 with zero production deployments. The Visa pilot has hundreds of transactions against an industry processing billions daily. China’s Alipay processed 120 million AI agent transactions in one week in February 2026 — but through vertical integration where the chatbot, marketplace, and payment system are the same company. Whether the West can match that through protocol coordination across independent entities is the architectural question that defines the next decade. Nobody knows.

“Nobody knows” is a fighting statement when you are surrounded by people selling certainty. The vendor selling you AI-readiness optimization does not know. The platform promising frictionless agent commerce does not know. The payment network piloting with hundreds of transactions against billions does not know. The certainty-sellers are the ones to distrust most.

The snowstorm

Towton was fought in a blinding snowstorm. The commanders could not see the flanks. The archers could not see the targets. The wind shifted, and the side that had been firing blind suddenly had the snow at its backs. Visibility was measured in feet, not fields.

The convergence underway — agent commerce, trust infrastructure, legal liability — has the same visibility. The shared base layers are forming. Web Bot Auth as the transport-layer identity standard. AB 316 and the EU PLD as the legal frameworks that ensure someone is always responsible. The structural disciplines that have survived every previous upheaval — semantic HTML, server-rendered content, attributed data — remain the foundation regardless of which protocols win the standards war above them.

What is not visible: which trust protocol wins. How courts actually apply the legal frameworks to agent transactions. Whether consumer trust closes the gap between “open to” and “done it.” Whether the West’s protocol-coordination approach can produce anything approaching China’s vertically integrated scale. Whether the safety failures are engineering problems or architectural ones.

The snowstorm does not reward certainty. It rewards preparation.

Not the bold. Not the ones who picked a side and bet everything on which protocol would win. The prepared. The ones who built foundations before the visibility collapsed. Clean infrastructure. Structured data. Documentation that can demonstrate reasonable care when the liability chain starts looking for someone to hold responsible. The disciplines that work regardless of which way the wind shifts.

The fog is a fighting position. The people selling you a clear view through it are selling something they do not have.

If you want to understand the economic damage being done while this uncertainty plays out, read The Plunder. If you want to see the historical pattern behind the current standards war, read Trapped Twice. If you want the practical disciplines that hold regardless of which protocols win, read Empty Titles. If you are ready to act on what you know, The Quartermaster has the specifics for your situation.