TL;DR: The open web was built for humans, not machines, and AI agents now need to click, scroll, extract, and act across it to complete work, according to WorkOS. The shift makes agent-ready access, protocol design, and governance assumptions central to identity security rather than a niche integration concern.
At a glance
What this is: This interview argues that AI agents are becoming a primary way machines interact with the open web, which changes how organisations think about access, automation, and machine-readable infrastructure.
Why it matters: For IAM teams, the issue is not just browser automation but who or what is authorised to act on behalf of the organisation when machines increasingly become the operational users.
Context
AI agent web automation is emerging as a governance problem, not just an infrastructure trick. The article’s core claim is that the web was built for human interaction, while agents now need to perform human-like actions to complete work at runtime.
That matters for identity programmes because machine-driven web access blurs the line between scraping, automation, and delegated action. When agents can browse, extract, and act across public or semi-public systems, teams have to decide how much trust, scope, and accountability to attach to those machine identities.
Key questions
Q: How should security teams govern AI agents that interact with public websites?
A: Treat them as delegated machine identities, not as ordinary scripts. Define what the agent may read, what it may change, and which targets are in scope. Require traceability for each session, because browser-based action can blur who initiated the work and whether the machine stayed within its authorised purpose.
Q: Why do human-designed websites create governance problems for AI agents?
A: Because most websites assume a human user can interpret context, handle ambiguity, and pace actions manually. AI agents can imitate that behaviour, but imitation does not create native accountability. Security teams then lose clear boundaries for authorisation, audit, and approval when the machine is effectively acting as the operator.
Q: What breaks when agents use human-style browsing instead of APIs?
A: Governance becomes harder to enforce because the access path looks like normal user activity, even when a machine is doing the work. That weakens policy precision, complicates monitoring, and makes it harder to distinguish legitimate delegation from misuse. It also pushes risk into the session layer rather than the integration layer.
Q: How can organisations decide when an AI agent needs higher controls?
A: Escalate controls when the agent moves from retrieving information to taking operational action. A machine that clicks, submits, or triggers workflows should have tighter scope, stronger logging, and clearer ownership than one that only observes. The decision point is not model sophistication, but whether the agent can change state on behalf of the business.
Technical breakdown
Why browser automation is not the same as agentic access
Browser automation has existed for years, but AI agents change the operational model because they decide when to act, what to inspect, and how to sequence tasks across a session. That makes the question less about whether a script can run and more about whether a machine identity can safely behave like an operator on the open web. The technical challenge is not only page interaction, but unstructured state, unpredictable content, and action sequences that evolve as the agent reasons. This is where standard bot controls and static allowlists become incomplete.
Practical implication: classify agent web access separately from ordinary automation and define explicit identity, scope, and logging controls for it.
Protocol gaps between human websites and machine workflows
The article points to emerging ideas such as machine-friendly endpoints and protocols, but the deeper issue is that most web properties still assume human pacing, human rendering, and human intent. An agent can work around that by behaving like a user, yet that creates a governance gap because the system receiving the traffic may not know whether the actor is a person, a bot, or a delegated agent. In identity terms, the absence of machine-readable pathways pushes agents toward human impersonation patterns, which weakens both accountability and policy enforcement.
Practical implication: identify which external services are being reached through human-style interaction and decide where explicit machine access paths are needed.
Agent-ready infrastructure and the machine identity boundary
Agent-ready infrastructure is really about recognising where a machine identity becomes the primary operator rather than a background automation layer. In those cases, access control is no longer just about authentication to a service. It also includes action authorization, session traceability, and whether the agent is allowed to take live steps on behalf of the organisation. For IAM teams, the important distinction is that the machine is not merely retrieving data. It is performing work, which changes the risk model for delegation and oversight.
Practical implication: require a clear delegation model for agents that move beyond read-only access into live operational actions.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI agent web access is becoming an identity problem before it becomes a protocol problem. The article frames the web as infrastructure for machines, but the governance implication is more specific: organisations are starting to authorise agents to act in places originally designed for human intent and human pacing. That means access decisions, auditability, and scope control now matter at the level of individual agent sessions. The practitioner conclusion is that agent web use should be governed as delegated machine action, not generic automation.
Human-designed websites create a machine identity mismatch. The web’s default interaction model still assumes a person who can interpret prompts, click through ambiguity, and adapt to changing layouts. AI agents can imitate that behaviour, but imitation does not create native governance. The result is a mismatch between how access is exercised and how most organisations model control, tracing, and approval. Practitioners should treat this as a structural gap in machine identity management, not just a usability limitation.
Agent-ready infrastructure will force organisations to separate retrieval from action. The article shows that the valuable use case is not simply collecting information but completing tasks on the web on someone’s behalf. That distinction matters because retrieval can often be governed as data access, while action requires task-level authorisation and stronger accountability. The field needs a cleaner boundary between machines that read and machines that decide to do something with what they read. Practitioners should design for that split now.
Named concept: delegated web action is the real control boundary for AI agents. The article’s strongest implication is that agent governance should not stop at whether a system can browse. It should ask whether the machine is authorised to transform web access into operational action, including clicks, form submissions, and downstream automation. That boundary is where identity policy, operational risk, and accountability intersect. Practitioners should define delegated web action explicitly in policy and architecture.
Access models built for human users do not scale cleanly to machine operators. The article shows a future where many external systems will remain human-first while agents still need to use them. That forces security and IAM teams to think about consent, traceability, and blast radius across a delegation chain that may no longer include a human in the loop at execution time. The practical conclusion is to govern the machine operator, not just the browser session.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to the 2026 Infrastructure Identity Survey.
- For a deeper model of how machine and agent identities should be governed, see Ultimate Guide to NHIs, 2025 Outlook and Predictions.
What this signals
With 70% of organisations already granting AI systems more access than human employees, the governance gap is structural rather than incidental. The useful next question is not whether agents should be allowed onto the web, but which delegated actions belong in policy, logging, and approval workflows. For teams formalising this boundary, the OWASP Agentic AI Top 10 is a practical companion to identity governance.
Delegated web action: that is the control concept this conversation is really about. Once a machine can click, submit, and continue a workflow on its own behalf, identity teams need to separate browsing from authorisation and ensure the delegation chain is visible end to end. This is where agentic AI governance intersects with the NIST AI Risk Management Framework and with internal machine identity policy.
As agent use spreads across external services that were never designed for machine-first access, access reviews alone will not be enough. Teams will need operational guardrails for session traceability, target-domain scoping, and explicit state-changing permissions. The practical signal is simple: if your programme cannot distinguish read-only agent traffic from agent actions that alter records, your governance model is already behind.
For practitioners
- Define delegated web action as a governed identity pattern: Create a policy class for agents that perform clicks, submissions, and multi-step web tasks. Distinguish those identities from read-only crawlers and log the task objective, target domains, and approval model for each use case.
- Separate read access from act access: Map every agent workload to the point where it stops observing and starts changing state. Require a higher control tier once an agent can submit forms, trigger workflows, or alter records in external systems.
- Inventory human-style automation paths: Find places where machines currently access sites by imitating users, especially through browsers and session-based workflows. Flag those paths for explicit machine identity review because they often bypass clearer API-based governance.
- Require traceability for agent sessions: Capture which agent initiated the interaction, what data it consumed, and what action it took. Without that chain, incident response cannot separate normal delegation from misuse when the same agent can act across many sites.
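One way to express the read/act split, target-domain scoping, and per-session trace from the list above as a policy gate. This is an added example, not code from WorkOS, TinyFish, or NHI Mgmt Group; the class names, action labels, and hostnames are assumptions made for illustration.

```python
# Added example: hypothetical policy gate for delegated web action.
# All names (Delegation, Session, action labels, hosts) are assumptions.
import time
import uuid
from dataclasses import dataclass, field
from urllib.parse import urlsplit

READ_ACTIONS = {"navigate", "extract"}        # observe only
ACT_ACTIONS = {"click", "submit", "trigger"}  # can change state

@dataclass(frozen=True)
class Delegation:
    agent_id: str
    owner: str             # accountable human or team
    objective: str         # task the agent was authorised for
    domains: frozenset     # exact hostnames in scope
    may_act: bool = False  # higher control tier
    approved_by: str = ""  # approver required for the act tier

@dataclass
class Session:
    delegation: Delegation
    session_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    trail: list = field(default_factory=list)

    def authorize(self, action: str, url: str) -> bool:
        d = self.delegation
        # Parse the host rather than substring-matching the URL, so
        # userinfo tricks and look-alike suffixes do not widen scope.
        host = (urlsplit(url).hostname or "").lower()
        if action not in READ_ACTIONS | ACT_ACTIONS:
            reason = "unknown action"
        elif host not in d.domains:
            reason = "target out of scope"
        elif action in ACT_ACTIONS and not (d.may_act and d.approved_by):
            reason = "act tier not approved"
        else:
            reason = ""
        allowed = reason == ""
        # Anything not known to be read-only is recorded as act tier.
        tier = "read" if action in READ_ACTIONS else "act"
        # One trace record per decision: who, why, what, where, outcome.
        self.trail.append({
            "ts": time.time(), "session": self.session_id,
            "agent": d.agent_id, "owner": d.owner, "objective": d.objective,
            "approved_by": d.approved_by, "tier": tier, "action": action,
            "host": host, "allowed": allowed, "reason": reason,
        })
        return allowed
```

Denied decisions are written to the trail as well as allowed ones, so a review can see when a read-only agent attempted a state-changing step.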
Key takeaways
- AI agent web automation is not just an integration problem. It is a machine identity and delegated action problem that changes how organisations scope access and accountability.
- The article points to a growing mismatch between human-first websites and machine operators that need to browse, decide, and act across sessions.
- Security teams should classify agent web activity by what it can change, not only by what it can read, because state-changing action is where governance must tighten.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agent-driven web actions create classic agentic AI governance and tool-use risk. |
| NIST AI RMF | | The article is fundamentally about governing autonomous machine behaviour and accountability. |
| NIST CSF 2.0 | PR.AA | Identity and access administration must distinguish read versus act permissions for agents. |
Define allowed actions, targets, and approval boundaries for agents before letting them touch live web workflows.
Key terms
- Delegated Web Action: A delegated web action is a machine-performed task that changes state on a website or web application on behalf of an organisation. It goes beyond retrieval because the identity is not just reading information. The governance issue is who authorised the action, what scope applied, and how the session was traced.
- Agent-Ready Infrastructure: Agent-ready infrastructure is a service or website designed to be usable by machine operators as well as humans. In practice, that means clear machine-access paths, predictable workflows, and controls that preserve accountability when an AI agent is the one navigating, extracting, and acting within the environment.
- Machine Identity: Machine identity is the credentialed identity of a non-human system that authenticates and acts in an environment. For AI agents, the definition extends beyond simple login to include delegated action, session traceability, and scoping, because the machine may decide and execute work rather than merely call an API.
Deepen your knowledge
AI agent web governance and delegated machine action are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agents that act on the open web, it is a strong fit for your programme.
This post draws on content published by WorkOS: Homer Wang on building TinyFish and the future of AI agents. Read the original.
Published by the NHIMG editorial team on 2026-04-15.