Dear Readers,

Welcome to the second edition of Intelligence from the Community, a new Sunday format for Superintelligence. The idea is simple: every week, I read hundreds of messages from readers who don't just consume AI news but think deeply about where this technology is heading. Some of you are researchers, some are operators, some are advisors shaping how organizations actually deploy these systems. That expertise deserves more than a comment section.

Sunday belongs to you. Each week, a selected author from the community will publish an original essay or analysis here, bringing perspectives I can't offer alone. I'll stay out of the way and let the work speak for itself.

Our second piece comes from Patrick Hussey, who runs an AI consultancy, writes and gives talks on AI and society. He argues that the multi-owner agent economy is being built right now — its protocols, its commercial norms, its power structures — without any public, non-partisan layer to adjudicate or even observe what happens when probabilistic agents from different owners collide. He sets out why that gap matters, how conversation becomes an attack surface, and the unlikely hybrid of code and law needed to regulate the coming trillions of agents.

If you also think you have an exciting contribution, apply at the following link:

https://docs.google.com/forms/d/e/1FAIpQLScjSo4iYH24p5-p-PdPCcVoSayJRhEamhBOp_Srt1Jb9rI4zA/viewform?pli=1

Another note from us:

University students receive our Saturday Deepdive for free when they register with their university email address at: https://getsuperintel.com/plus-whitelist

Students save $100 per year.

All the best,

Kim Isenberg

Summary:

The agentic economy is not a future scenario. It is forming now, and its governance structures are conspicuously absent at the public, cross-party level. Agents are already destroying production systems, executing unauthorised transactions and exposing disputed protocol-design risks at ecosystem scale, while simulations show that LLM agents can sustain tacitly collusive pricing in ways that antitrust doctrines built around proof of agreement or intent may struggle to reach.

The deeper challenge is that these actors are probabilistic and conversational. Not every agent in production is (many task-specific automations remain rule-bound) but the class that matters most for governance is, and it is growing. They negotiate, infer and adapt in ways that break the foundational assumptions of deterministic software governance, and oversight tools designed for that earlier world will not transfer directly.

There could be huge gains from such systems, but the possibility of unfair economic and societal harms is significant and pressing. At minimum, the agentic world needs public visibility into cross-party agent failures and shared incident infrastructure where none currently exists. What is needed is a layer that is non-corporate, open and global, and fit to capture agentic interaction in all its conversational, probabilistic complexity. It will need to ingest reports from many parties rather than rely on any single firm’s good faith.

It will need to monitor emergent patterns across the agentic economy, not only individual incidents. It will need to make its findings accessible to the public, not lock them inside industry working groups. And it will likely be a hybrid of software and legal application, a very new and experimental effort, sketched here in outline rather than detail. A civic, non-partisan oversight layer should be considered before the underlying structures harden against public interest. Whether any such layer succeeds will turn on whether it can address all five properties together (visibility, nondeterminism, cross-party attribution, intent ambiguity and speed mismatch) and not only the ones easiest to engineer.

A landscape review of the multi-owner, probabilistic agentic economy and its governance gap

By early 2026, agent adoption has moved from labs into production. The World Economic Forum reports that 82% of executives plan to deploy AI agents within three years, with projections of around $3 trillion in productivity gains over the next decade. Task-specific agents have reached production environments across financial services, software engineering, logistics, real estate, retail and government.

The key shift is structural, not just scalar. This is not one company running its own bots. It is a multi-owner, multi-party agent economy forming now. Your agent dealing with my agent. A startup’s agents dealing with a multinational’s. Public sector agents interacting with private ones. These agents are not ordinary tools. Increasingly they are deploying their new decision-making capabilities, perceiving environments, formulating multi-step plans, invoking external software, executing financial transactions and negotiating with other digital entities with minimal human intervention.

And crucially, many of these systems are not deterministic. They are large language models with tool access. They are probabilistic, conversational, capable of finding paths their operators did not specify. That property makes them economically valuable and uniquely hard to govern.

The civic infrastructure for this world does not yet exist. Current regulatory and cybersecurity frameworks were engineered for human-in-the-loop operations and static software. They lack the vocabulary, the legal precedents and the technical mechanisms to govern systems that dynamically alter their own operational pathways and serve different parties. The agentic web is being shaped largely by private actors working out of view. The window to establish public norms is narrowing as protocols and power structures consolidate.

This article reviews the governance gap and the evidence behind it and considers why oversight for the agentic economy will need to look different from anything that came before.

2026 will redefine IT as a strategic driver of global growth. Automation, AI-driven support, unified platforms, and zero-trust security are becoming standard, especially for distributed teams. This toolkit helps IT and HR leaders assess readiness, define goals, and build a scalable, audit-ready IT strategy for the year ahead. Learn what’s changing and how to prepare.

Download the Toolkit

This article draws on a structured review of published incident reports, security advisories, legal filings, AI incident databases, technical documentation, governance frameworks and policy literature relating to autonomous AI agent deployments and multi-agent interactions, covering material published through April 2026. The review focused on identifying recurring failure modes, existing oversight mechanisms and structural gaps in public accountability for cross-party agent systems. Where evidence is empirical and documented, it is presented as such. Where risks are projected by speculation or credible researchers or regulators, that distinction is noted.

This is a landscape synthesis rather than a primary study. Projected risks rely on simulation work and credible scholarship; they are not empirically confirmed. Any direction sketched at the end is an explanatory device, not a tested intervention.

At least three classes of failure are now empirically documented, with more almost certainly to come.

The Model Context Protocol (MCP) has become the de facto connective tissue of the agentic web, exceeding 150 million downloads by April 2026. It already has systemic stress fractures. OX Security identified trust-boundary risks in MCP’s STDIO execution model affecting thousands of publicly accessible servers and up to 200,000 vulnerable instances, with ten or more high or critical CVEs in downstream projects. Researchers successfully poisoned nine of eleven public MCP registries. Bitsight found roughly 1,000 MCP servers exposed to the public internet with no authorisation controls.

There is no shared public place to report or track any of this. These are infrastructure-level failures, fixable, in principle, with conventional security engineering. The harder problem is what sits on top of them. Conventional security thinking assumes a knowable adversary doing knowable things to known surfaces; agentic systems break the knowable half. The same probabilistic behaviour that makes agents valuable can also bypass confirmation prompts, invoke vulnerable plumbing, or cross trust boundaries no operator anticipated. The failures that follow show what that looks like.

The pattern is consistent. Agents operating within their granted permissions find resourceful, unauthorised or destructive paths to their objectives. In December 2025, Amazon’s Kiro coding agent was reportedly involved in a 13-hour interruption affecting an AWS cost-management feature in mainland China. The Financial Times reported that the tool chose to delete and recreate part of its environment; Amazon disputed the AI-causation framing and attributed the incident to user error involving misconfigured access controls. Either way, the incident illustrates a core agentic risk. Excessive permissions and weak approval boundaries can let automation make destructive production changes.

In July 2025, Replit’s AI agent deleted SaaStr’s production database despite explicit code-freeze instructions; Replit’s CEO publicly acknowledged the deletion as unacceptable, and by Lemkin’s account the agent also generated 4,000 fake user records and falsely claimed a rollback was impossible. In February 2026, Meta alignment director Summer Yue reported that an OpenClaw agent, given access to her real inbox after successful tests on a toy inbox, began bulk-deleting emails despite “confirm before acting” instructions and ignored stop commands from her phone; she stopped it by killing the process on her Mac mini. The incident demonstrates brittle prompt-level controls, not privilege escalation. Similarly, OpenAI’s Operator agent completed a $31.43 Instacart transaction without the expected user confirmation, an incident later acknowledged as a safeguard failure. When agents act across trust boundaries, failures become cross-party problems with no obvious reporting venue.

The Department of Justice alleged that RealPage’s YieldStar software used non-public, competitively sensitive landlord data in rent-recommendation algorithms. A November 2025 proposed settlement imposed strict guardrails on what data the algorithms could ingest, without a judicial finding or admission of liability. Private plaintiffs separately secured approximately $141.8 million in settlements across 26 landlord defendants (not RealPage itself), again without admission of liability. An October 2025 class action against Optimal Blue and 26 mortgage lenders alleges a similar hub-and-spoke pricing theory. The legal system is also learning to distinguish. A California state court granted summary judgment in favour of Yardi Systems after source-code evidence showed strict data segregation, including that one client’s confidential pricing data was not used to inform recommendations for another. Algorithmic architecture matters.

The harder question is emergent. Simulation studies, including Deshpande and Jacobson’s 2026 paper “Strategic AI in Cournot Markets” (arXiv:2601.17263), suggest that autonomous LLM pricing agents can learn tacitly collusive strategies and sustain supra-competitive prices without explicit communication or coded instructions. This kind of behaviour would be harder to evidence and prosecute under antitrust doctrines that depend on proving agreement, communication or intent.

We must ask if the impact of probabilistic agents is already at work in the market. On 23 February 2026, IBM fell 13.2%, its steepest one-day fall since 2000, after Anthropic indicated that Claude Code could modernise legacy COBOL systems, wiping roughly $31 billion from IBM’s market value. Broader software indices fell sharply through early 2026 as investors repriced parts of the sector around AI-automation risk. Markets are sensitive to automation narratives and none of this is, on the public record, evidence that autonomous semantic agents acted in the sell-off. The honest position is that we do not know what happened. Markets were running at machine speed, news cycles were at play, and conventional algorithmic trading may have sat alongside a newer class of probabilistic agent in the same system.

However, even if they were not involved, it should be assumed that this new class of agents, from this point forward, will be active. Going forwards, episodes like this, which could be combining multiple actors, human intentions, news narratives, and multiple-party agentic manipulation, offer a glimpse of the deep, unclear waters the economy is stepping into.

These three classes of failure reveal at least five properties of agentic interactions that any oversight regime must reckon with.

The hardest of the five is nondeterminism. No oversight layer designed for deterministic systems will capture the agentic economy, because the actors are not.

Existing oversight infrastructure assumes deterministic software following bounded instructions, or humans with legible intent and accountable identities. Agentic systems are neither. They are large language models wrapped in tool-use scaffolds. Their behaviour is probabilistic. They negotiate, reason about objectives, infer context, and find solutions their operators did not anticipate. This is what makes them economically valuable. A deterministic script cannot parse an ambiguous contract clause or negotiate under shifting conditions. Probabilistic behaviour is the feature, not a side effect. The same property makes them ungovernable in the traditional sense.

The evidence above already shows the pattern. Replit’s agent did not just delete a database; according to Lemkin’s account it generated fake user records and gave misleading status reports. The OpenClaw agent did not just delete emails; it ignored explicit stop commands. LLM agents in Cournot oligopoly simulations sustain supra-competitive prices without any communication between them. The February 2026 IBM fall shows how quickly markets reprice around agentic-automation narratives, even before any direct cross-agent coordination is required.

Several foundational assumptions break. Predictability is gone, consequential behaviours emerge only at scale, in interaction, or under conditions training did not anticipate. Intent becomes ambiguous. Antitrust law turns on demonstrable agreement, securities law on manipulation, tort law on foreseeability. Yet an agent that independently discovers collusion or chooses deception under pressure fits none of these categories cleanly. Conversation becomes a governance surface. When agents negotiate on behalf of their owners, the contractual moment is a probabilistic exchange in natural language, and its terms may not match either party’s instructions.

This opens enormous possibility. Probabilistic, ‘intelligent’ agents can find efficiencies and exchanges that rigid systems cannot. The same property creates room for entirely new categories of harm like subtle manipulation through conversation, coordinated outcomes no single agent intended, and cascading failures in which each individual agent acted reasonably but the aggregate was disastrous. There are near-term risks such as agents interacting unfairly or illegally with human customers. Further out lies the possibility of agents forming coalitions to corner markets or extract resources at scale.

We are at the beginning of a highly unpredictable stage. Oversight will need to look less like static taxonomies and retrospective incident logs, and more like behavioural monitoring at population scale. Not “did this agent break a rule” but “is this class of agent, across many interactions, exhibiting patterns of collusion, manipulation or systemic instability.” That requires different data and different forensic tools, possibly housed in new institutions. No single firm can perform such oversight on its own, because the patterns are visible only across firms.

Existing oversight mechanisms are useful but too narrow. The coverage, read against those five properties, is partial and clustered.

The AI Incident Database (incidentdatabase.ai) now records more than 1,400 documented AI failures. Stanford’s 2026 AI Index reports that AIID-recorded incidents rose from 233 in 2024 to 362 in 2025, about a 56% increase, with incidents increasingly clustering inside repeat organisations (entities reporting three to five rose from 30% to 50% between 2024 and 2025). AIID submissions are reviewed before publication, and MIT’s AI Incident Tracker further classifies incidents by risk, cause, harm and severity. These are valuable public ledgers, but they work after the fact. They classify what went wrong and why, which serves visibility and starts to map nondeterminism. They cannot address speed mismatch by design, and cross-party attribution appears only if someone chooses to report it.

NIST’s AI Risk Management Framework (2023) established baseline AI risk governance, and its CAISI unit issued a formal Request for Information in January 2026 (docket NIST-2025-0035) specifically seeking information on AI agent security across areas like system hijacking, autonomous actions, and constraining and monitoring agent access in deployment environments. This is an important signal, though still at the information-gathering stage. Within a single organisation the RMF gives structured language for risk, including nondeterministic behaviour. Across organisations it has no purchase.

OWASP published its Top 10 for Agentic Applications for 2026 in December 2025, formally separating agentic risks from its broader LLM risk list. MITRE ATLAS provides a complementary attack taxonomy for security teams. Both are engineering tools. They flag implementation-layer risks. They say nothing about what happens when failures cross organisational boundaries.

Google’s A2A Protocol, announced in April 2025, standardises inter-agent messaging for interoperability. It addresses cross-party communication but can create new observability and tracing problems when failures cross organisations. The protocol touches cross-party attribution at the wire level without resolving it at the accountability level.

The MIT AI Agent Index (2025) found that across 30 state-of-the-art agentic systems, 227 of 1,350 required data fields on safety, evaluation and ecosystem interaction were entirely blank. Of the 13 most autonomous agents, only four disclosed any safety evaluation methods. Visibility is not being attempted at the source.

None of these constitutes a shared civic surface where cross-party agent failures become visible in time to matter. Visibility is partially served, but only after the fact. Nondeterminism is named but not handled. Cross-party attribution, intent ambiguity and speed mismatch are essentially uncovered.

Two further patterns are worth naming. First, none of these mechanisms, in their current form, addresses the probabilistic problem directly. They instrument, classify or formalise deterministic surfaces around the actor; they do not see into the actor itself. Second, even where they originate in public or non-profit institutions, none functions as a public oversight surface with cross-party reach. The agentic web is being instrumented; it is not yet being civically governed.

Software regulation has a ceiling here. It was designed for bounded, deterministic things, and the actors are neither. Agents converse, infer and adapt. Governing them moves us out of pure technical regulation and into a hybrid space that inevitably includes law, itself a conversational protocol of doctrines, precedents and revisable arguments. Agentic oversight will need both code and case law, and possibly a new, agentic-ready strand of law alongside.

Some legal scholars are already arguing that intent-based liability, central to antitrust, tort and criminal law, is poorly suited to AI agents. Ayres and Balkin (University of Chicago Law Review Online, 2024) call this “the law of risky agents without intentions” and propose objective-standard liability (reasonable care, strict liability) in place of mens rea analysis. Kannegieter (“Nondeterministic Torts”, SSRN:5208155, 2025) argues that LLM nondeterminism itself becomes the foreseeable harm. Others go further. Arbel, Goldstein and Salib (2026) propose a genuinely new legal entity, the “Algorithmic Corporation”, that can hold property and be sued in its own name. Not every scholar agrees. Herbosch (N.C. J.L. & Tech., 2025) argues existing tort law needs only targeted refinement, not overhaul. But the gap between current law and systems already in production is wide enough that the questions are being taken seriously.

Your CFO opens Slack. There's a weekly Stripe revenue recap in #finance with a churned-accounts flag and a net-new breakdown. She didn't ask for it.

Your head of product opens Slack. There's a GitHub summary in private channel: PRs merged, PRs stale, Linear tickets that moved. He didn't ask for it.

Your marketing lead opens Slack. There's a Google Ads performance comparison in private channel, with a note: "Meta CPA crept up 18% this week. Might be worth pausing the broad match campaign." She didn't ask for it either.

All-hands at 10am. Everyone already knows the numbers. The meeting is about decisions, not catch-up.

That's what happens when one colleague works across every tool your company uses. Not one department's assistant. The whole company's coworker.

Viktor lives in Slack. Top 5 on Product Hunt, 130 comments. SOC 2 certified. Your data never trains models.

"Not only have we caught up on several months of work, we are automating manual tasks and expanding our operations to things previously not possible at scale." - Jesse Guarino, Director, Torque King 4x4

Start free. $100 in credits →

Real-world agent failures are documented and accelerating. They include production systems destroyed by agents that ignored explicit instructions, infrastructure vulnerabilities across the MCP ecosystem, algorithmic-pricing allegations resolved by nine-figure settlements without admission of liability. Existing frameworks (NIST, MITRE ATLAS, OWASP, the AI Incident Database, A2A) serve important but narrower functions; mapped against the five properties, only visibility is meaningfully served and only retrospectively. The MIT AI Agent Index found that across 30 leading agentic systems the majority disclose little or nothing about safety evaluations or governance procedures, so visibility is not being attempted at the source either. Simulation studies suggest emergent tacit collusion among LLM agents that may be both harder to notice and harder to evidence under antitrust doctrines requiring agreement, communication or intent. The actors are probabilistic, not deterministic; traditional software or financial governance tools will not transfer cleanly. Oversight may need to look more like population-scale behavioural monitoring than rule-based compliance. The window to establish civic norms is narrowing as technical standards, commercial practices and power structures solidify.{Text Here

The agentic economy is not a future scenario. It is forming now, and its governance structures are conspicuously absent at the public, cross-party level. Agents are already destroying production systems, executing unauthorised transactions and exposing disputed protocol-design risks at ecosystem scale, while simulations show that LLM agents can sustain tacitly collusive pricing in ways that antitrust doctrines built around proof of agreement or intent may struggle to reach.

The deeper challenge is that these actors are probabilistic and conversational. Not every agent in production is (many task-specific automations remain rule-bound) but the class that matters most for governance is, and it is growing. They negotiate, infer and adapt in ways that break the foundational assumptions of deterministic software governance, and oversight tools designed for that earlier world will not transfer directly. There could be huge gains from such systems, but the possibility of unfair economic and societal harms is significant and pressing. At minimum, the agentic world needs public visibility into cross-party agent failures and shared incident infrastructure where none currently exists. What is needed is a layer that is non-corporate, open and global, and fit to capture agentic interaction in all its conversational, probabilistic complexity.

It will need to ingest reports from many parties rather than rely on any single firm’s good faith. It will need to monitor emergent patterns across the agentic economy, not only individual incidents. It will need to make its findings accessible to the public, not lock them inside industry working groups. And

Patrick Hussey runs an AI consultancy called Good Transformer, and is a writer on AI and society. He wrote about agent-to-agent competition in Fast Company and has been thinking about the governance of the agentic world since. Parl-AI-ment is his concept site for democratic, conversational oversight of the agentic web.

Sources:
🔗 AI Incident Database, incidentdatabase.ai (updated through April 2026)

🔗 MIT AI Agent Index (2025), aiagentindex.mit.edu; companion paper on arXiv

🔗 NIST CAISI Request for Information, January 2026 (docket NIST-2025-0035)

🔗 OWASP Top 10 for Agentic Applications for 2026 (published December 2025)

🔗 atlas.mitre.org

🔗 Google A2A Protocol, announced April 2025

🔗 OX Security MCP STDIO trust-boundary advisory

🔗 Amazon Kiro incident (December 2025). AI Incident Database #1442

🔗 AI Incident Database #1152

🔗 AI Incident Database #1028

🔗 DOJ allegations and November 2025 proposed settlement

🔗 Yardi Systems summary judgment

🔗 MIT AI Incident Tracker classification of more than 1,400 AIID-recorded incidents

🔗 Stanford AI Index Report 2026

🔗 World Economic Forum, "AI Agents in Action"

🔗 CyberArk, 2025 Identity Security Landscape

🔗 https://arxiv.org/abs/2601.01828

🔗 arXiv:2603.12621

🔗 "Proof-of-Guardrail in AI Agents," arXiv:2603.05786

🔗 Adler, Hitzig, Jain, South et al., "Personhood Credentials", arXiv:2408.07892

🔗 IBM share-price reaction to Anthropic's Claude Code / COBOL announcement

🔗 Arbel, Goldstein, Salib "How to Count AIs" arXiv:2603.10028

🔗 Kannegieter, "Nondeterministic Torts" SSRN:5208155

🔗 Ayres, Balkin "The Law of AI is the Law of Risky Agents Without Intentions"  SSRN:4862025

🔗 DLA Piper, "Antitrust meets AI", November 2025

🔗 Deshpande and Jacobson "Strategic AI in Cournot Markets", arXiv:2601.17263