I was chatting with my bandmates the other day and none of them had heard of Claude Code, let alone Moltbook or Gas Town. One of the moments when the future comes crashing into the present and you realise it’s not distributed at all.
For most people, even if they are using AI regularly, it’s the thing on the other side of a chat interface. A thinking and doing partner. Drafting, summarising, brainstorming. If they’re using it for coding at all, it’s via the browser interface and copied and pasted.
That’s World One. World Two is a small subculture of people who have given AI agents full access to their computers: credit cards, calendars, GitHub, inboxes, passwords etc and told them to just go and do things across the real Internet.
The circle of people who even know about World two is tiny, The number of people who let these little guys loose is even tinier. But it’s here in World two that the next interface paradigm for Agentic AI is being rehearsed in public. Most people will meet these little guys until 2027 at the earliest; they need to get a lot safer and less strange first.
This post is a primer for people in World One, about the near future of World two.
What An Agent Actually Is, And What They Are Becoming
A chatbot is something you can talk to. Built around an “I go, you go” paradigm.
An Agent is something you can talk to, but it can also “go and do“.
Agents can currently send emails, build websites, make iPhone apps, book a train, and update database records all by themselves. All from a few short paragraphs of natural language. It can do these things, because it has permission to do so. “I say, you go and do and do ,until done“. This is an Agent.
Already emerging are more complicated Multi-Agent Systems: you ask it to do something; it writes code, spawns more versions of itself, distributes the work, and then merges back again.
From the outside it still looks like “one thing,” but underneath it is a managed society of minds, processes, permissions, and tools. The best way of thinking about what Multi-Agent systems look like right now below the surface is something like this:
The progression we are moving along is chatbot -> agent -> system. These new systems won’t feel like an “I go, you go” co-worker, but a totally chaotic direct bureaucracy. Software spawning software, models coordinating with models, with humans folded into the loop as just another moving part.
This was all written about in the late 90s and early 00s, and all of it said the same thing: the moment we let an Agents take actions in the world, we inherit a new set of problems that have nothing to do with intelligence, and everything to do with control. What is an agent allowed to touch? How does it prove what it did? How do you stop it being tricked? Who is responsible when it breaks something? That moment is basically now. Most of the writing about agent hype skip these kinds of questions because they ruin the fantasy.
In practice however, those questions are the product.
Types of Agents Today
A lot of current “computer use” agents use software the way you would if you were trying to help a friend remotely while watching their screen through a blurry webcam. They take screenshots, squint at them, guess what a button means, click, then take another screenshot to see if anything happened.
Sometimes they scrape the page structure, which sounds sensible until you remember most websites below the UI are a bit like constantly shifting theatre sets. The website moves the “Continue” button and your agent walks into a wall.
The interesting change that is occurring is that software is starting to expose what it can do in a way machines can understand directly. Instead of guessing button semantics from pixels, the software says explicitly: “here are the actions available, here is what each one needs, here is what you get back if you use one of them”. This is a rough approximation of what “tool calling” and “MCP” mean. It’s a shift from clicking pixels to calling capabilities, and right now WebMPC is in beta in Google Chrome.
This gives us two broad substrates for agents.
Soft agents do computer use; they work on the same surface layer that humans use, pushing pixels and trying to infer meaning from whatever the UI happens to look like.
Hard agents only interact with the world through code; they call APIs, compose tools, and operate on explicit contracts rather than vibes.
Note: this adds a new orthogonal dimension to my taxonomy of assistants i included in my history of Clippy: Any “little guy” can be built soft on the UI surface or hard on the capability layer.
Once that hard layer is built into applications and websites, something happens to the way software operates. The UI stops being the only control layer, and becomes the human layer only. The app and the interface become completely divorced. A button is just a front end or representation of the reliable action that sits underneath. Right now, picking the button is the action.
The interface of the future will be swappable and personalised for humans however they like it, or skipped entirely when a machine is doing the work.
As those of us who worked in crypto discovered, when the UI layer sits above the irreversible world computer known as a blockchain, “UX” must expand well beyond layout and interaction design to include things like consent checkpoints, confirmation screens, audit logs. There’s a reason we all spent over half a decade talking about governance.
Governance Is The Next AI Product Ecosystem
With humans becoming just another none in the loop: approving, routing, confirming, people are no longer in a position of full control. They are in a position of participation or oversight. The governance questions this troubles aren’t really about AI per-say, but the system as a whole. What it’s allowed to touch what, what does it have to prove to do so, and who carries the liability? And even who is liable if you don’t use one of these systems.
Over time, as access to “intelligence too cheap to meter” gets dispersed down to local models running locally on peoples computers and phones. This is where the most interesting developments in AI are going to emerge from during the next 6 months or so.
To understand where power is moving, ti helps to think in layers. Back in 2020 I wrote about a framework I call Verticals of One. Which is the idea that individuals would increasingly operate through a modular stack of pluggable tools: financial plumbing, identity, content delivery, governance, all stitched into a single surface. What I didn’t fully anticipate was that the entity moving through that stack wouldn’t necessarily be human. The platform doesn’t care. Your identifier is an address. The system has no opinion on whether you’re a person, a DAO, or an AI agent.

Applied here, the stack has four features. The product layer is the human surface, where you express intent, review what’s happening, and take over when things get weird (Like Claude code, Moltbook, Gas Town etc). Below that is the service layer, which acts on your behalf: today this is the planning model, translating your request into steps and spinning up the right tools for the job. Embedded in the stack as a service is sits this proposed governance layer. The part of the platform that decides which tools can be invoked, under what conditions. It holds the rules and handles identity, permissions, time limits, spending limits, logging. At the bottom is the tools layer: APIs, databases, code packages etc the boring plumbing of any software system. Tools get spun up, used, and put away again when done.
If you’ve spent time in crypto, the next sentence is obvious. If you haven’t, it’s worth thinking about.
The model layer is a commodity race. The governance layer is the protocol.
AI labs are all currently competing to build the best reasoning and planning layers. But commodity races compress margins. The durable position, where new power actually accumulates, moving forward is in the layer that decides what agents are allowed to do, and can verify what they actually did. This is exactly the pattern that played out in crypto: the applications were interesting, tokens were exciting, but it was the protocols underneath were most of the durable influence and power settled. Whoever cracks the the governance layer will have enormous influence over the ecosystem that runs on top of it.
Cursed Objects
As agents become capable of calling tools and integrating across services automatically, they become extraordinarily attractive targets. Only this week we saw a malicious Issue title on GitHub compromise 4,000 machines.
Another trope of sword and sorcery is of course the cursed object. In the wrong hands—or with the wrong intentions—people could create cursed talismans, or haunted webpages. Miss-markedup documents deliberately or not, could embed misleading associations that throw off the model’s understanding. Prompt injection but different.
Expect more of these cursed objects: malicious code packages, compromised endpoints, and booby-trapped tooling designed specifically to be picked up by an over-eager agent. Fake API endpoints that exfiltrate data. Probably most worrying for developers, poisoned npm dependencies. Where the blast radius of one compromised dependency scales with every agent that pulls it.
Agents as they exist right now are extremely exploitable, and is why ‘normies’ might not encounter these systems as until 2027 at the earliest. But the shape of what they can do already is clear, and like all AI systems, what they can do right now is the least capable they will ever be.
Investment signals are already here too, OpenAI hired the Moltbook guy, and serious money is already moving into agent security infrastructure. But most consumers don’t even know World Two exists yet.
Skill Markets and Context Shoppes
There are two futures I see emerging. Not as an either/or, but two ecosystems that will sit alongside one another. Both are a kind of reputation infrastructure.
In the open version, which I am calling Skill Markets trust comes from accumulated signals. Did this tool do what it claimed for the last ten thousand agents that called it? Does it have a history of clean behaviour? Has it changed in suspicious ways? Has it been attested by trusted parties? Messy, decentralised, social-proof-at-scale, think distributed reputation graphs where trust propagates through networks of usage and attestation. Nobody is in charge, but patterns emerge. Most of this has been built and prototyped already In the crypto world.
The curated version is what I’ll call a Context Shoppe. In fact, this is a term I used way back in 2024, and basically predicted the current tool/skill ecosystem in the same post.
There’s already a whole market out there for prompts but in the sword-and-sorcery world, if you need a new Talisman, you either make your own, or head to the Magic Shoppe (or loot it from a monster’s corpse). A marketplace of Knowledge Shoppes could be a future we’re headed towards.
In a curated Shoppe, everything is checked and maintained by a single brand. Essentially an approved marketplace. A bit like the Apple Store on the iPhone. I suspect an early move in this direction was probably Anthropic’s recent acquisition of Bun.
Shoppes however will cost a lot of money to run, and will likely require an extra subscription on top of base AI cost. But they’ll be worth using for big companies, whose enterprise compliance teams will require it. (Mostly because it gives them someone to sue if something goes wrong.) Everyone else will resent the shoppes because it’s more tollbooths reappearing somewhere that used to be open and move to the skill markets. Both will exist. The tension between them will be part of the culture of this space for years.
We are also going to need Skill Market competition, as there’s a darker version of the open market worth naming. In some ways a Skill Market is also an auction house or a casino. The most-called tools will rise and the obscure ones will sink. Reputation is just price discovery by another name. If tools are callable and composable, the routing matters. Whoever decides which tool an agent uses for a given task has an invisible hand in the outcome. In crypto this is called MEV: Profiting from controlling the order of transactions. The analogue here is value extraction in task routing and tool selection, happening beneath the surface, invisible to the user. The interface is the last mile for humans, which means it’s also the last place they can see.
Paying For It
AI pricing already looks very different from how most companies buy software today, it’s usage-based rather than seat-based, which means the toll booths are invisible.
Outside in the Skill Market, they will work on a payment gating: whoever controls settlement can extend upward into vetting, reputation, dispute resolution, and verified access. Any network that becomes the trust layer for agent actions would be an extraordinary position — it already has identity, fraud detection, and the “someone to blame” quality that enterprises demand.
Shoppes meanwhile are controlled by a single platform gate: if your OS enforces what agents can access and for how long, that becomes an enormous control point. The permission layer lives at the device level, not the application level. Whoever owns the device owns policy enforcement.
My uncomfortable prediction already is that the big winners in the governance layer will look more like a payments company that got serious about API trust infrastructure, or a platform company that extended device permissions into the agent stack, than an AI lab that expanded sideways.
AI labs seem to be oriented toward being the preferred thinking layer, not toward owning the full service distribution or policy enforcement. But maybe this is just me, my instinct is that the governance layer is always the product, as I’ve watched how protocols become power in decentralised systems. I don’t think any of this will be surprising to others either as the months go by.
Agents Paying Agents
All good so far? Here’s the part that might sound a little like science fiction but follows logically.
Once you have machine identity, machine permissions, and callable capabilities, the natural coordination mechanism between agents is payment. Literal machine-to-machine settlement. An agent decomposes a task, calls a sub-agent to handle part of it, and the call is accompanied by a micropayment.
My friends and I have lots of ideas how to decompose and extend the current way agent API’s to handle all this, but we can skip all that. The main point is that payment is simultaneously an identity signal, a reputation input, and a verifiable execution receipt.
I wrote about some of this last September: Cloudflare’s NetDollar, x402 and A2P. The emerging HTTP-level protocols for agent payment and coordination.
Now. You might think that the fusion of AI agents and crypto rails is an unholy alliance. I understand. And you also might also think that blockchains stink, and is a scam machine. But putting all that aside, Bitcoin is 16 years old, and Ethereum is 10. Both are extremely robust technologies that are producing, capturing and organising over 3.7 Trillion dollars in value.
Following a decade of blockchain development payment is one of the cleanest truth signals we have. Settlement ties identity, intent, and outcome together in a way that’s hard to fake at scale, and it comes with dispute resolution, fraud detection, and reputation signals as built-in infrastructure.
Money is a governance signal. And that’s how Skill Markets are going to work, and I’m not being speculative about this. In the last few months Cloudflare and Google have both shipped support for x402, Ethereum is also working to extend these proposals with decentralised agent reputation and trust with EIP 8004 and it’s all maturing fast. Some agents in the near future might even start earning money of their own.
For a decade people asked what the use case for crypto actually was. A lot of us have been saying from the very beginning: “we’re waiting for AI.”
In addition to all this, most work that this favours is repetitive in shape. The near future isn’t everyone building bespoke agent architectures, but specialised autopilots for specific workflows, with tight permissions and good receipts. Most of this stuff is going to happen in the boring middle, where the white collar work lives. And technology always eats the boring middle first.
World Two is still tiny, and it will be tiny right up until the moment it isn’t. All the plumbing is happening, with the help of over a decade’s worth of experience and thinking having already been done already in crypto land.
We are a few years out from people in World One being troubled by all this, but it’s all coming.
If any of this resonates, or if you’re building in this space and want someone who’s been thinking about it for a while, I’d love to talk. I’ve been in and around this stuff for a long time; if you’re building something here and want a collaborator, I’m interested in what you’re working on.

Leave a Reply