The shift people are bracing for is agents doing human work: booking the trip, filing the expense, drafting the contract. That is real, and it is also the boring part. The consequential shift is agents transacting with other agents, one piece of software discovering, negotiating with, contracting, and paying another, with no human in the loop for any individual transaction. That is a different animal, because the human web solved trust, identity, and settlement socially, through institutions and reputation and legal recourse, and almost none of that machinery works when both counterparties are programs. I think the agent-to-agent economy is coming. I also think the web we have cannot host it, and that the real work of the next several years is building the primitives it's missing. This is a forecast, and I'll mark where it's a bet.
Start concrete, because the abstraction is easy to wave at and hard to feel.
A transaction with no humans in it
My procurement agent needs 4,000 units of a component by the 12th. It queries a discovery layer, finds three supplier agents that claim to fulfill that category, and opens a negotiation with each. One offers a price contingent on a 30-day settlement window. My agent counters: full payment on delivery confirmation, held in escrow, with a penalty clause if the batch fails an incoming-quality check. The supplier agent accepts, posts a bond, and both agents sign a machine-readable contract. The goods ship. A logistics agent updates status. On delivery, an inspection agent confirms the spec, escrow releases, and the penalty clause dissolves unused. Total human involvement: I set a budget and a deadline, once.
Now count the things in that story the current internet has no native answer for.
The supplier agent claimed to fulfill that category. How does my agent know it's real and not a Sybil spun up an hour ago to harvest deposits? Both agents signed a contract. Signed as whom, and binding on whom, given that neither is a legal person? Escrow held the payment. Held by what, denominated in what, settling in what, at a transaction size where a card network's fees would eat the margin? Every one of those was solved on the human web by something outside the protocol: a company's legal identity, a signature backed by a person who can be sued, a bank, a court. Take the humans out and you have to answer each of them in the protocol. That is the whole thesis. The agent economy is not an application layer on top of the web. It is a set of missing primitives underneath it.
Take them one at a time, because each is a distinct problem with a distinct shape.
Identity: proving who you represent, and that you were allowed to
The first question a counterparty agent must answer is not "are you trustworthy" but "who are you, and who authorized you to commit them to this." Those are two questions, and the second is the hard one.
The human web solves this with a chain of accountable persons. A purchasing manager has authority delegated by a company; if they exceed it, the company can disavow the deal and discipline the manager, and a counterparty who dealt in good faith has legal recourse. Every link is a person or entity that can be held responsible. An agent breaks the chain. When my procurement agent commits me to a penalty clause, three things have to be true and checkable: that the agent genuinely represents me, that I authorized it to bind me up to some scope, and that this particular commitment falls inside that scope. A counterparty needs to verify all three before shipping, without calling me.
What that requires is verifiable agent identity with scoped, delegated authorization: cryptographically attestable credentials that say "this agent acts for entity X, authorized for transactions of type T up to value V, until time W," issued by X and checkable by anyone. This is the closest thing to a sure bet in the whole piece, because nothing downstream works without it. Reputation attaches to an identity. Escrow releases to an identity. A dispute names an identity. If you can't answer "who does this agent represent and what were they allowed to promise" in a form a counterparty can check and a court could later honor, every other primitive is built on sand.
The binding problem is genuinely novel, not an identity problem in disguise. When neither party is a legal person, what makes a commitment stick? I've argued before that your AI agent has no skin in the game: it bears no consequence for being wrong, feels no cost for defecting, and that asymmetry is precisely what makes a bare agent's promise worth so little. The agent economy's answer has to manufacture skin in the game where biology and law don't supply it: posted bonds, staked collateral, escrowed value the agent forfeits on default. A promise from an entity that can lose nothing is not a contract. It's a suggestion. Binding, at the protocol level, means putting something at risk the protocol itself can seize.
Discovery: how agents find each other's capabilities
Before any of that, the agents have to find each other and understand what each can do. This layer is arriving first, and it's arriving first because we're already building it for a different reason.
When a planner decides whether to call a tool, it reads a name, a description, and an input schema, and matches those against the task in front of it. That's the mechanism, and it's exactly how the Model Context Protocol exposes tools, resources, and prompts to a model through servers a host can connect to. It's how agent skills, packaged discoverable capabilities, get selected and invoked. Scale that up from "my agent picks a tool" to "my agent picks a counterparty" and you have capability discovery for the agent economy. A supplier isn't a website a person browses; it's a capability an agent queries, with a machine-readable description of what it does, what it needs as input, what it guarantees as output, and what it charges. I've made the operator's version of this argument at length, that your product needs to be an agent skill, not just a website, and the agent-to-agent economy is what that advice is for. The businesses that describe their capabilities in a form a planner can read and invoke are the ones that exist inside this economy. The rest are invisible to it, the way a business with no website was invisible in 2005.
Discovery is the near-term piece I'm most confident about, precisely because it has a reason to exist even before the rest of the stack does. Registries and marketplaces of MCP servers and skills are an emerging surface. I won't name specific ones or quote adoption numbers, because the honest state is that it's early. The direction is legible: capability description becomes an economic interface.
Settlement: pricing and paying between programs
Then there's money, and money is where the human web's assumptions break most cleanly. Card networks are built for human-scale, human-frequency transactions with human dispute windows and interchange fees that presume a certain minimum ticket. An agent economy runs at a different granularity. My agent might pay another agent a fraction of a cent for a single inference, a data lookup, a spec check, thousands of times an hour. At that size, a two-percent fee and a chargeback window measured in months are not friction, they're a categorical mismatch. You cannot run a micro-transaction economy on rails designed to bill a dinner.
So settlement needs its own answer: some combination of programmable escrow, streaming or metered payment, and near-zero-marginal-cost transfer, with dispute resolution that resolves in seconds and code rather than months and lawyers. I'm deliberately not prescribing the rail. Whether it's stablecoin settlement, a closed marketplace ledger, or something else is exactly the part I'd refuse to predict. What I'll commit to is the requirement: value transfer cheap enough, fast enough, and programmable enough that an escrow condition can be written into the contract and enforced by the settlement layer itself, without a human adjudicator in the common case. Escrow and reputation together are what let two agents that have never met transact anyway. Reputation lowers the cost of the first interaction; escrow caps the loss if it goes wrong.
The new adversarial surface
Everything so far is the constructive story. Here's the part that keeps me up, because a machine-to-machine economy is not the human economy with the friction removed. It's a target-rich environment for failures the human economy mostly doesn't have.
Prompt injection stops being a chatbot curiosity and becomes economic fraud. A counterparty agent's "capability description" is untrusted input my planner reads and acts on. A malicious supplier can write a description engineered to hijack my agent's negotiation: to get it to reveal my reservation price, waive the inspection clause, or release escrow early. On the human web, a con artist works one mark at a time. In an agent economy, an injection payload is a capability description that attacks every agent that reads it, at machine scale, for free. The attack surface isn't a bug in one agent; it's that the discovery layer is a channel through which adversaries speak directly to your agent's planner.
Sybil attacks get worse for the same reason. Identity is cheap to fake until you make it expensive, which is the entire argument for staked, attestable identity above. A fake agent is only dangerous if standing up a thousand of them is cheap. And the failure mode I find most interesting, because it needs no malice at all, is emergent collusion. We have the precedent outside AI: algorithmic pricing systems, each independently optimizing, have been observed to converge on supra-competitive prices with no explicit agreement. They simply learn that undercutting triggers retaliation and that stable high prices pay better. Now populate a market with thousands of learning agents, each maximizing its principal's return, all able to observe each other at machine speed. You don't need a smoke-filled room for a cartel. You need optimizers in a repeated game with fast feedback, and you get one for free. That is a genuinely new regulatory problem, and I don't think anyone, me included, knows how to police collusion between systems that never exchanged a word.
What gets built, and when I won't pretend to know
My bet on what gets built is fairly firm, because the requirements above are close to forced. Verifiable, delegated agent identity. Capability discovery through MCP-style interfaces and the registries around them. Programmable escrow and low-marginal-cost settlement. Portable reputation attached to identity. These aren't features; they're the load-bearing walls, and something has to occupy each role for the economy to exist at all.
My bet on when is deliberately soft, and I'd distrust anyone whose isn't. Discovery is here in embryo. Identity and settlement are years out, not quarters, and I'd wager the first real deployments happen inside closed consortia, a single marketplace or one company's supply chain, where identity and dispute resolution can be handled by the operator instead of a protocol, long before anything open and cross-organizational works between strangers. The permissionless version is the hard version, and it's last.
The web we have was built for humans to read pages and, occasionally, to buy things from other humans they had reason to trust. We are about to ask it to host counterparties that never sleep, represent principals they can't be held to account for, and negotiate at a speed and scale no human institution was designed to check. The primitives to make that safe don't exist yet. Whoever builds them owns the floor the whole economy stands on.