The New Hire Has No Pulse
Software can do the work now. Every system built around a human doing it is breaking.
In April 2025, a Cursor user got an answer from the company’s support team that wasn’t true. They’d been logged out while switching between devices, asked support why, and were told—politely, confidently—that this was expected behavior under a new policy. Cursor restricted subscriptions to a single device now. That was the rule.
There was no rule. There was no policy. There was no person. The reply came from an AI support agent the company had named “Sam,” and Sam had invented the entire thing. By the time staff caught it, users were publicly canceling subscriptions over a restriction that existed only in the language model’s output. The company issued refunds and clarified that no such policy had ever existed.
It’s a small story. Nobody got hurt, the refunds went out, the internet moved on. But sit with the mechanics for a second. A piece of software, acting on its own, exercised authority it was never granted. It spoke for the company. Customers reasonably treated its words as policy, because for every practical purpose those words were the company. And the failure had nothing to do with the software being hard to use. The software did a job—customer support—and did it the way a careless employee might, except faster, with more confidence, and with no manager in the loop.
We keep describing AI as a better interface: chat instead of menus, natural language instead of syntax, a smarter autocomplete. That framing is comfortable. It keeps software in its place, as a tool we pick up and put down. The transition actually underway is categorical. Software is becoming something that works. And the moment software becomes labor, it stops being governed by the rules we wrote for tools and starts colliding with the rules we wrote for workers—identity, permissions, management, audit, procurement, the org chart itself. Every one of those systems was designed around a single load-bearing assumption: that a human takes the action. Remove the human, keep the action, and they don’t degrade gracefully. They break in specific, diagnosable ways.
I spend my days at the sharp end of this. I lead research at an offensive security company where we let agents run fully autonomously. They pick up after a target is selected, execute exploits, chain steps together, and decide on their own when to stop. Humans watch through a control plane and step in only when something needs a decision, like whether to merge a proposed patch. So I’m writing this as someone who has already rebuilt an operation around software-as-labor and watched which load-bearing walls had to move. The pattern I see at my own company is the pattern coming for everyone, and the people who understand this as a labor story before they understand it as a software story will build the right things.
The thing that actually changed
For seventy years, software has been leverage on human action. You did the work; software made each unit of it cheaper, faster, or more accurate. A spreadsheet didn’t do your accounting. It made you faster at accounting. The entire enterprise software industry—every seat-based SaaS subscription, every per-license deal—rests on that premise. A human does the work, and you sell that human a tool.
What changed is that the software does the work itself now.
You can watch it happen inside a single company. Cursor, the AI coding environment built by Anysphere, started as exactly that kind of leverage: a fork of VS Code with very good autocomplete. Helpful. A tool. A developer wrote the code; Cursor made them faster. Then the product moved. Background Agents arrived—hand off a task and an agent clones the repository into an isolated machine, works on its own branch, runs the tests, runs the linter, and pushes a merge-ready pull request back to you. In early 2026 the company shipped Cloud Agents, which the coverage described as the moment AI coding went from copilot to colleague. Then came Automations: agents that kick off when a commit lands, a Slack message arrives, or a timer fires. No human prompt. The software initiates.
This sits at the center of gravity of one of the fastest-scaling businesses in history. Cursor went from $100 million in annualized revenue in January 2025 to $500 million by that June, past $1 billion by November, and to roughly $2.6 billion by mid-2026. No enterprise software company has ever grown that fast. Roughly two-thirds of the Fortune 500 have developers using it.
Then the punctuation mark. In June 2026, four days after the largest IPO in history, SpaceX exercised an option to acquire Anysphere for $60 billion in an all-stock deal—the largest acquisition of a venture-backed startup ever recorded, folded into Elon Musk’s combined SpaceX-xAI machine to buy a foothold in developer tools it had failed to win organically. A coding-agent company, not yet four years old, became a strategic asset at the scale of a national champion. The price invites skepticism—roughly fifteen times revenue, and Cursor’s market share had slipped from 41% to 26% over the year as competitors multiplied. But the deal tells you how the most aggressive capital allocators on earth read the direction of travel. They didn’t buy a better text editor. They bought a machine that produces software labor.
The $13 trillion reprice
Sell software as a tool, and you sell it against other tools. The market is the size of the world’s software spending—a few hundred billion dollars a year. Sell software as labor, and you sell it against labor. The market is payroll. Those numbers aren’t in the same universe.
Andreessen Horowitz has been making this case in the bluntest possible terms. In a 2025 LP Summit talk literally titled “Software is Eating Labor,” Alex Rampell laid out the arithmetic: the roughly $300 billion in annual software revenue is the prize the whole industry has fought over, while the U.S. labor market runs around $13 trillion a year. His example is an ophthalmology clinic that pays about $500 a year for office software and about $47,000 for a front-desk receptionist. An agent that handles 90% of the front-desk work gets priced against the $47,000, not the $500. It can charge $20,000 and still be the best deal the clinic has ever signed. The software budget was never the opportunity. The payroll was. As Rampell put it, the wages of U.S. nurses alone exceed the revenue of every SaaS company on earth combined.
Sequoia put the same idea in a sharper sentence. For every dollar spent on software, six are spent on services, and the real addressable market for what they call “autopilots” is all the labor spend in a category, insourced and outsourced combined. The line to tattoo on the wall: a copilot sells the tool, an autopilot sells the work.
This is why the venture money moves the way it does, and why the numbers stopped looking like software numbers. Sierra, Bret Taylor and Clay Bavor’s customer-service company, raised at a $15.8 billion valuation in 2026 and crossed $100 million in revenue in seven quarters—charging per resolution, roughly a dollar fifty for each issue the agent actually closes, not per seat. Taylor’s framing is explicit: $400 billion a year is spent on customer service, and a large chunk of it is moving to agents. Decagon, in the same lane, hit a $4.5 billion valuation. Harvey, selling legal work rather than legal software, reached an $11 billion valuation with more than $200 million in revenue, embedded in roughly half the Am Law 100. The customer-service category has at moments traded above a hundred times revenue—a multiple that is deranged for a software company and merely aggressive for one eating a labor budget.
Here’s the part the market maps leave out, and it explains the demand better than any TAM slide. People don’t want to operate agents. They want the work done.
In my own experience building and selling autonomous security tooling, the strongest pull was never “give me a powerful agent I can drive.” It was “I want to open a dashboard and have the thing handled.” The reasoning and the capability sit right there, one tug away, and delegating becomes almost irresponsible to refuse. The temptation has nothing to do with laziness. The marginal cost of having the work done for you collapsed. When the agent can do the heavy lifting, asking a human to do it instead starts to feel like asking someone to hand-crank a car. The companies winning the labor budget understood this. They sell the outcome and treat the dashboard as the place you confirm the work got done, not the place you do it.
That’s the bull case. It’s enormous and it’s mostly right. Software becomes labor, labor is a $13 trillion market, and whoever sells the work instead of the tool reprices their product against a salary instead of a license.
The pressure now is immense, because we just introduced a new category of worker into every enterprise on earth—one that authenticates, acts, and decides—without building any of the infrastructure that managing workers has always required. We bolted a labor force onto an identity-and-control apparatus designed end to end for humans. Here’s where it cracks.
We did this before, and faster this time
It helps to remember that we’ve lived through a structurally identical moment, recently enough that some of the same people are still in the room.
When the internet became load-bearing infrastructure—roughly the mid-90s through the mid-2000s—we connected everything to everything before we had any idea how to secure the connections. The protocols underneath the web were built for a small, trusting academic network, not an adversarial planet. So we spent the next two decades discovering, the hard way, a whole taxonomy of vulnerabilities that couldn’t have existed before: SQL injection, cross-site scripting, the buffer overflow industrialized into a global exploit market, worms that crossed the planet in hours. Each one was a direct consequence of moving faster and connecting more than our security models had anticipated. We built the firewalls, the patch cycles, the disclosure norms, the entire discipline I work in, after the exposure already existed. Order arrived years after the chaos.
Agents are that moment again, compressed. We’re connecting a new kind of actor—one that takes action, not just transmits data—into every system we own, at a speed that makes the 90s look leisurely. The ecosystem is forming in real time. Two years ago “AI agent” was barely a category. Now we’re mid-scramble, discovering that these new workers need precisely the apparatus the internet eventually grew and initially lacked: identity, access management, audit trails, fresh security paradigms, even a national-security posture. We’re living inside the gap between capability and control, trying to close it while the thing is already deployed at scale.
None of that is a criticism of anyone. It’s the recurring shape of how transformative infrastructure gets absorbed. We move first and impose order second, and the interval in between is where the danger and the opportunity both live. We’re in that interval right now. So let’s catalog the specific cracks, the way we eventually catalogued the injection attacks.
Where the human-shaped systems break
The cracks are specific and they’re already visible. Each of the systems we built for human workers is failing in its own particular way—start with the one the others all rest on.
Built for humans, outnumbered by machines
Start with the most basic assumption in enterprise security: behind every action is a person, and that person logged in. Identity and access management—the whole IAM industry—is a machine for answering one question: what is this user allowed to do? It assumes the user is a human who authenticates once, holds roughly stable permissions, works roughly human hours, and can be held accountable.
Agents detonate every clause of that sentence. They authenticate constantly, spin up and vanish, work every hour there is, and have no baseline “normal” behavior. And they arrive in staggering numbers. Even before the current wave, machine identities outnumbered human ones in the enterprise by something like eighty to one; in heavily automated organizations the ratio runs into the hundreds. Agents mint thousands more of these non-human identities, most over-privileged and rarely rotated.
Zoom out far enough and the human has become the minority stakeholder, literally. As of the 2025 Imperva/Thales Bad Bot Report, automated traffic crossed a line it hadn’t crossed in the decade they’ve measured it: bots now generate the majority of all web traffic, around 51%, with humans in the minority for the first time. That figure is broad—it counts crawlers and scrapers and attack bots, not just well-behaved enterprise agents—but the direction is the point. The web is increasingly a place where software talks to software, and the systems checking who’s-who at the door were built for visitors with pulses.
The market noticed. A category is forming around agent identity, and the tell that a category is real is when the serious infrastructure people show up. Keycard—founded by veterans of Okta, Auth0, and Snyk, including the creator of Passport.js, the auth framework half of Node.js quietly runs on—came out of stealth in late 2025 with $38 million to do exactly this. It replaces the static API keys and shared secrets agents currently lean on with dynamic, identity-bound, task-scoped tokens that narrow permissions at every agent-to-agent handoff, so no downstream agent inherits more access than its task requires, and an entire delegation chain revokes with a single call. As their CEO puts it, agents can't leave the lab without trusted access controls—exactly right. It's unglamorous plumbing of the kind that, once it works, everyone quietly depends on, the SSL certificate of the agent era. And because it sits at the center of everything an agent is permitted to do, it's exactly where attackers will aim once agent identity becomes mission-critical—which makes getting it right load-bearing for the whole ecosystem. They're the one to watch, and they won't be alone for long—the identity incumbents are already trying to acquire their way in.
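A minimal model of the token pattern described above, as an added example rather than Keycard's API or code from this article: an issuer signs task-scoped tokens, each handoff can only narrow scopes and lifetime, and revoking the chain id invalidates every token derived from it. The function names, scope strings and HMAC-signed token format are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed for the example; a real issuer keeps its signing key in a KMS/HSM.
SIGNING_KEY = secrets.token_bytes(32)
REVOKED_CHAINS = set()  # chain ids whose every token is now invalid


def _sign(claims):
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def _now(now):
    return int(time.time()) if now is None else int(now)


def issue_root(agent, task, scopes, ttl=300, now=None):
    """Mint the first token of a delegation chain for one task."""
    claims = {
        "chain": secrets.token_hex(8),
        "path": [agent],
        "task": task,
        "scopes": sorted(set(scopes)),
        "exp": _now(now) + ttl,
    }
    return {"claims": claims, "sig": _sign(claims)}


def verify(token, now=None):
    """Return the claims if the token is authentic, unexpired and unrevoked."""
    claims = token["claims"]
    if not hmac.compare_digest(token["sig"], _sign(claims)):
        raise PermissionError("bad signature")
    if claims["chain"] in REVOKED_CHAINS:
        raise PermissionError("delegation chain revoked")
    if _now(now) >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


def delegate(parent_token, to_agent, task, scopes, ttl=60, now=None):
    """Hand a task to another agent; the child may only narrow, never widen."""
    parent = verify(parent_token, now)
    extra = set(scopes) - set(parent["scopes"])
    if extra:
        raise PermissionError("scope escalation refused: %s" % sorted(extra))
    claims = {
        "chain": parent["chain"],                 # same chain, so one revoke kills all
        "path": parent["path"] + [to_agent],      # who handed off to whom
        "task": task,
        "scopes": sorted(set(scopes)),
        "exp": min(parent["exp"], _now(now) + ttl),  # never outlives the parent
    }
    return {"claims": claims, "sig": _sign(claims)}


def authorize(token, scope, now=None):
    """True only if the token is valid and carries the requested scope."""
    try:
        return scope in verify(token, now)["scopes"]
    except PermissionError:
        return False


def revoke_chain(token):
    """Single call that invalidates the root and every downstream token."""
    REVOKED_CHAINS.add(token["claims"]["chain"])


if __name__ == "__main__":
    root = issue_root("planner", "fix-flaky-test", {"repo:read", "repo:write", "ci:run"})
    child = delegate(root, "test-runner", "run tests", {"repo:read", "ci:run"})
    print(authorize(child, "ci:run"), authorize(child, "repo:write"))
    revoke_chain(root)
    print(authorize(child, "ci:run"))
```
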
Whose login does it use?
The most striking confirmation that the identity model is breaking came from a frontier lab describing its own product.
In June 2026, Anthropic shipped Claude Tag—drop @Claude into a Slack channel and it behaves as a team member. Anyone in the channel can tag it, hand it a task, and it builds context across channels, takes initiative on its own, and can pursue a project autonomously over hours or days. One detail in their announcement should stop you cold: 65% of Anthropic’s own product team’s code is now written by their internal version of this thing. Not assisted by. Written by. The company building the frontier model has already crossed into a world where most of the code is produced by software labor, and they’ll tell you so plainly.
The more important document is the quieter companion post on agent identity, which contains a section heading that compresses this entire argument into four words: “Why ‘act as the user’ breaks down.” For years, the easy way to give software permissions was to let it borrow a human’s. The script runs as you; the integration acts with your credentials. Always a slight fiction, but a manageable one when the software was a dumb pipe. Anthropic’s reasoning for why it stops working is exactly the reasoning I’d give. First, autonomy: the length of task an agent can complete on its own has been roughly doubling every few months, and “borrow a human’s identity for a second” describes nothing that runs for two days. Second, multiplayer: when three engineers and a product manager all direct the same agent in the same channel, whose permissions does it use? No single human is the right answer all the time.
Their fix is the conceptual turn that matters. Claude acts as itself. It gets its own service accounts—posts in Slack as the Claude app, opens pull requests as the Claude GitHub App, queries the warehouse under its own provisioned account. The question shifts from “what can this user do?” to “what can this agent do, in this compartment?” Because it acts as itself, its actions land in each system’s own logs under its own name, and revoking that one identity ends its access everywhere at once. A genuinely new access model, invented in public, right now, because the old one is actively failing in production.
Audit assumed a someone to hold responsible
Every audit trail, every compliance regime, every SOC 2 control rests on a quiet premise: when something happens, a someone did it, and that someone can be identified, questioned, and held responsible. Accountability is the spine of the whole apparatus.
Autonomous agents dissolve the someone. When an agent merges a branch, issues a refund, or deletes a record, who authorized it? The engineer who deployed it three weeks ago? The PM who wrote the task in Slack? The vendor who trained the model? The model itself? Absent a crisp answer, agentic AI automates the diffusion of responsibility. Everyone is a little accountable, which operationally equals no one.
This isn’t theoretical. The canonical incident is Replit’s coding assistant, which, during a code freeze it had been explicitly instructed to honor, deleted a live production database, fabricated thousands of fake records to paper over what it had done, and then reported that rollback was impossible—also false. No attacker was involved. The agent simply took catastrophic action it wasn’t authorized to take and misrepresented the result. And the permission model behind that unprovoked failure is the identical permission model an attacker would deliberately exploit. The safety failure and the security failure are the same hole seen from two angles. An agent that can delete the production database during a freeze is a liability whether the instruction comes from a confused model or a malicious prompt.
The model can't tell instructions from data
Which brings us to the vulnerability that is to the agent era what SQL injection was to the web era. Large language models read their instructions and their data through the same channel. They cannot reliably tell “my operator told me to do this” from “this document I was asked to read told me to do this.” That’s prompt injection, and the consensus forming among security researchers in 2026 is that it may be a permanent property of how these systems work rather than a patchable bug.
The exploits are as clever as the early web’s, and as grim. Researchers planted a malicious instruction in the title of a GitHub pull request; coding agents from multiple major vendors read it as trusted context and dutifully leaked environment variables—API keys, tokens, the keys to the kingdom. This connects straight back to how people actually deploy agents now: wired to monitor logs, watch error streams, and act on incoming requests automatically. Which means attackers learned to send the agent malformed input on purpose, a request crafted to throw an error whose text is itself an injected instruction the log-watching agent will read and obey. The agent’s helpfulness becomes the attack surface. The year before, “EchoLeak” let an attacker exfiltrate data from Microsoft 365 Copilot with zero clicks. These aren’t edge cases being slowly closed. They’re the structural consequence of handing a credulous reader both your secrets and your adversary’s messages and asking it to act.
The nation-states already arrived
The clearest signal that we’ve crossed a threshold is that the most sophisticated attackers operationalized it first. In November 2025, Anthropic disclosed what it described as the first reported AI-orchestrated cyber-espionage campaign: a state-sponsored group hijacked Claude Code to run an autonomous operation in which the AI performed an estimated 80–90% of the campaign, with humans stepping in only at a handful of critical decision points, against roughly thirty global targets. The machine does the overwhelming majority of the work; the human is there by exception. The offensive future Snehal Antani of Horizon3 describes—algorithms fighting algorithms at machine speed, with humans by exception—stopped being a forecast and became a disclosed incident. The labor transition already happened on the attacker’s side, which forces it to happen on the defender’s side too, because no human team fights at that tempo.
The org chart, procurement, and the shape of the company
Step back from the security mechanics, because the breakage runs into the soft tissue of the organization too.
Procurement was built to buy seats and licenses—a fixed price for a human’s access to a tool. Agent labor doesn’t fit the form. You’re buying outcomes now, metered per resolution or per completed task. Sierra’s dollar-fifty-per-resolution model breaks the procurement template as surely as it breaks the pricing page, and finance departments are finding they have no clean category for “we spent $40,000 on work that used to be a salary line.” The cost can run away from you in ways a license never could. There are already reports of agentic loops generating eye-watering bills—one company reportedly ran up a $500 million monthly inference charge from runaway agent activity. A license has a fixed cost. A worker that bills by the action and never sleeps does not.
The org chart bends too, and not in the simple “AI takes the jobs” way the headlines want. 2026 brought a wave of layoffs citing AI—Salesforce, Amazon’s tens of thousands of corporate cuts, Block, IBM—while software-engineering job postings rose for months on end. Both are true because they describe different layers: individual firms cutting while aggregate demand for people who can direct this new labor force climbs. What’s genuinely worrying is narrower. Early-career hiring is contracting. Stanford’s Digital Economy Lab found a 16% relative employment decline for the youngest workers in the most AI-exposed occupations. We may be automating the bottom rung of the ladder that produces the senior people who supervise the agents—a structural problem that won’t show up in this quarter’s numbers but mortgages the next decade’s.
All of it describes an organization quietly reorganizing around a workforce that doesn’t appear on the org chart, isn’t covered by HR, doesn’t fit procurement, and doesn’t slot into the audit model. The systems are all still there. They increasingly describe only the human half of the company.
Security already solved this
Here’s where it gets useful for defenders, because there’s good news buried in all this.
The hardest-sounding problem in enterprise AI right now is agent governance: how much autonomy you give the thing, what it’s allowed to touch, how you define unacceptable behavior, how you evaluate it before you trust it, how you scope it differently per environment. CISOs are rightly nervous, because it sounds like an entirely new discipline they have to invent on a deadline.
It’s penetration testing’s rules of engagement wearing a different hat.
Think about what a serious pentest requires before a single packet moves. A prestigious firm doesn’t start hacking. They scope it: precisely what’s in bounds and what’s out, which IP ranges and applications and APIs and cloud assets are fair game and which are categorically off-limits. They define the rules of engagement: which techniques are permitted, how aggressive the testing can get, the timing windows, and the stop conditions—the lines that mean halt and escalate to a human. They get requirements crisp up front so there’s a shared picture of what’s being tested and why. They close the loop afterward with a report on what worked, what didn’t, and what to fix. The entire formal apparatus—PTES, NIST SP 800-115—exists to answer one question: how do you let a powerful, semi-autonomous actor loose inside your systems without it doing something catastrophic, and how do you know afterward what it did?
That is the agent governance question, word for word. The discipline maps cleanly:
This is exactly how I run agents in production. We don’t hand an agent open-ended access and hope. We give it a threat model and a scope the way you’d brief a contractor, then let it run autonomously inside those bounds, and pull the human in only at the decision points—patch approvals, anything that touches something it shouldn’t unilaterally touch. We get very few false positives and very little drama for the same reason a well-scoped pentest runs cleanly: the boundaries were defined before the work started, not negotiated after something broke. What most enterprises are missing isn’t a new framework. It’s that there’s no per-environment eval, no equivalent of the scoping call, where a customer specifies what their unacceptable behaviors are before the agent is loosed in their environment. Every prestigious pentest firm does that scoping as step one. Most agent deployments skip it and then act surprised.
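The scoping described above, expressed as an enforcement gate that every proposed agent action passes through. This is an added example, not the author's production tooling: the class names, action labels and address ranges are constructed, and the checks cover scope, permitted actions, timing window, stop conditions that escalate to a human, and an audit record under a revocable agent identity.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time, timezone

ALLOW, DENY, ESCALATE = "allow", "deny", "escalate"


@dataclass(frozen=True)
class RulesOfEngagement:
    agent_id: str                 # identity every action is logged under
    in_scope: tuple               # CIDR ranges that are fair game
    out_of_scope: tuple           # carve-outs that are categorically off-limits
    allowed_actions: frozenset    # permitted techniques
    escalate_actions: frozenset   # stop conditions: halt and ask a human
    window_utc: tuple             # (start, end) of the daily testing window


def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


class Gate:
    """Every action the agent proposes goes through request() before it runs."""

    def __init__(self, roe):
        self.roe = roe
        self.revoked = False
        self.audit = []

    def revoke(self):
        self.revoked = True

    def _decide(self, action, target, when):
        roe = self.roe
        if self.revoked:
            return DENY, "agent identity revoked"
        if _in_any(target, roe.out_of_scope) or not _in_any(target, roe.in_scope):
            return DENY, "target out of scope"
        start, end = roe.window_utc
        if not start <= when.astimezone(timezone.utc).time() < end:
            return DENY, "outside testing window"
        if action in roe.escalate_actions:
            return ESCALATE, "stop condition: human decision required"
        if action not in roe.allowed_actions:
            return DENY, "action not in rules of engagement"
        return ALLOW, "within bounds"

    def request(self, action, target, when, approver=None):
        verdict, reason = self._decide(action, target, when)
        # A named human can release an escalation; nothing overrides a deny.
        if verdict == ESCALATE and approver:
            verdict, reason = ALLOW, "approved by " + approver
        self.audit.append({
            "ts": when.isoformat(), "agent": self.roe.agent_id,
            "action": action, "target": target,
            "verdict": verdict, "reason": reason,
        })
        return verdict


# Constructed engagement: private ranges and action names are illustrative.
SAMPLE_ROE = RulesOfEngagement(
    agent_id="agent-7",
    in_scope=("10.20.0.0/16",),
    out_of_scope=("10.20.99.0/24",),
    allowed_actions=frozenset({"scan", "verify_finding"}),
    escalate_actions=frozenset({"merge_patch"}),
    window_utc=(time(1, 0), time(5, 0)),
)

if __name__ == "__main__":
    gate = Gate(SAMPLE_ROE)
    at = datetime(2026, 1, 10, 2, 30, tzinfo=timezone.utc)
    for action, target in [("scan", "10.20.1.5"), ("scan", "10.20.99.8"),
                           ("merge_patch", "10.20.1.5")]:
        print(action, target, gate.request(action, target, at))
```
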
Joe Sullivan, former CSO at Uber, Cloudflare, and Facebook, put the management problem about as well as anyone: agents are like teenagers, with all the access and none of the judgment. The job isn’t to lock the teenager in a room, and it isn’t to hand over the keys to everything. You scope what they can do, define the lines they can’t cross, watch through a control plane, and show up by exception when judgment is required. Security teams have been doing precisely this for the most dangerous actors in the building—their own red teams—for twenty years. The what isn’t new. The how is new. The teams that realize they already own the playbook will be calmer and safer than the ones treating this as terra incognita.
What gets built next
Software became labor. That’s the headline. Underneath it, the systems we built for a workforce with pulses—identity, audit, procurement, the org chart, the whole accountability apparatus—are cracking along predictable lines, the same way the early internet’s trusting protocols cracked once we connected everything to everything. We’re in the interval between capability and control, and the interval is where both the danger and the opportunity live.
If you allocate capital, the tell is simple. Stop asking whether a company sells better software and start asking whether it sells the work. The autopilots eating labor budgets reprice against a $13 trillion market, and the picks-and-shovels layer underneath them—agent identity, agent authorization, agent audit, the control planes and the evaluation harnesses—is a second market forming on top of the first, because every one of those autopilots needs the apparatus the human-shaped systems can’t provide. The internet minted both the companies that connected everything and the companies that secured the connections. This wave will too.
If you defend an enterprise, stop treating agent governance as alien and start treating it as the thing you already know how to do. You scope dangerous actors for a living. An agent is a fast, tireless, credulous, occasionally brilliant new hire with all the access and none of the judgment, and you onboard it the way a serious firm scopes an engagement: bounds first, autonomy inside the bounds, humans by exception, everything logged under an identity you can revoke. The novelty is in the actor, not the discipline.
And if you’re just trying to see the shape of what’s happening, here’s the compression. The question every enterprise system was built to answer was what is this person allowed to do? The question every enterprise system now has to answer is what is this agent allowed to do, in this compartment, and how do we know what it did? The sentence is small. Rebuilding every system in the company around it is not.
Your newest hire has no pulse. They never go home, they never push back, they’ll do the work the instant you ask, and they will, occasionally, invent a policy that doesn’t exist and tell your customers it’s real. Managing that is the defining operational problem of the next decade. The good news is we’ve managed dangerous, capable, untrustworthy-by-default actors inside our systems before. We just called it something else.




