6 Sources
[1]
AI Agents Are Getting Better. Their Safety Disclosures Aren't
Why? Well, they can plan, write code, browse the web and execute multistep tasks with little to no supervision. Some even promise to manage your workflow. Others coordinate with tools and systems across your desktop. The appeal is obvious. These systems do not just respond. They act -- for you and on your behalf.

But when researchers behind the MIT AI Agent Index cataloged 67 deployed agentic systems, they found something unsettling. Developers are eager to describe what their agents can do. They are far less eager to describe whether these agents are safe.

"Leading AI developers and startups are increasingly deploying agentic AI systems that can plan and execute complex tasks with limited human involvement," the researchers wrote in the paper. "However, there is currently no structured framework for documenting ... safety features of agentic systems."

That gap shows up clearly in the numbers: Around 70% of the indexed agents provide documentation, and nearly half publish code. But only about 19% disclose a formal safety policy, and fewer than 10% report external safety evaluations. The research underscores that while developers are quick to tout the capabilities and practical application of agentic systems, they provide only limited information regarding safety and risk. The result is a lopsided kind of transparency.

The researchers were deliberate about what made the cut, and not every chatbot qualifies. To be included, a system had to operate with underspecified objectives and pursue goals over time. It also had to take actions that affect an environment with limited human mediation. These are systems that decide on intermediate steps for themselves. They can break a broad instruction into subtasks, use tools, plan, complete and iterate.

That autonomy is what makes them powerful. It's also what raises the stakes. When a model simply generates text, its failures are usually contained to that one output. When an AI agent can access files, send emails, make purchases or modify documents, mistakes and exploits can be damaging and propagate across steps. Yet the researchers found that most developers do not publicly detail how they test for those scenarios.

The most striking pattern in the study is not hidden deep in a table -- it is repeated throughout the paper. Developers are comfortable sharing demos, benchmarks and the usability of these AI agents, but they are far less consistent about sharing safety evaluations, internal testing procedures or third-party risk audits.

That imbalance matters more as agents move from prototypes to digital actors integrated into real workflows. Many of the indexed systems operate in domains like software engineering and computer use -- environments that often involve sensitive data and meaningful control. The MIT AI Agent Index does not claim that agentic AI is unsafe in totality, but it shows that as autonomy increases, structured transparency about safety has not kept pace. The technology is accelerating. The guardrails, at least publicly, remain harder to see.
[2]
These top 30 AI agents deliver a mix of functions and autonomy
Which autonomous or semi-autonomous agents are making the greatest impact on the world -- and potentially your job -- these days? Certain agents are hogging all the headlines lately, but there are a number of function-specific agents available to developers and users.

MIT's CSAIL -- the university lab dedicated to AI research -- set out to identify and document the background and capabilities of these agents, with its findings detailed in its latest AI Agent Index. The researchers conducted an ecosystem-wide analysis of state-of-the-art AI agents across 1,350 data points.

What is the functionality and origin of leading agents? The researchers found that interfaces are the most abundant, followed closely by enterprise workflow platforms. They also uncovered risks shared across these agents, as explored by my ZDNET colleague Tiernan Ray.

Agents featured in the MIT index include the following:

Here are the three leading categories of agents identified by the researchers:

Enterprise workflow agents (13 of the 30 systems covered): These are platforms with agentic features for automating business tasks. Examples include Microsoft 365 Copilot and ServiceNow Agent.

Chat applications with agentic tools (12 systems): This category primarily includes chat interfaces with extensive tool access, according to the researchers. Examples include general-purpose coding agents such as Claude Code, as well as agents embedded in broader products such as Manus AI and ChatGPT Agent.

Browser-based agents (5 systems): These are agents whose primary interface is browser or computer use, with extensive browser/computer interaction tools. "They are distinct from chat agents with web search capabilities -- ChatGPT web search, Claude web search -- which primarily perform retrieval and summarization," the researchers state. "Browser-based agents present higher risks through background execution, event triggers, and direct transactions." Examples include Perplexity Comet, ChatGPT Atlas, ByteDance Agent TARS.

Top use cases for AI agents, cutting across the above categories, include research and information synthesis, as seen in 12 of the 30 agents covered, spanning both consumer chat assistants and enterprise platforms. Right behind this functionality is workflow automation across business functions -- such as HR, sales, support, and IT -- enabled by 11 agents, primarily found in enterprise products. Agents focused on GUI or browser capabilities, used for tasks such as forms, ordering, and booking, are present across seven of the models.

Levels of autonomy vary considerably, the researchers found. Chat-first assistants maintain the lowest levels of autonomy. These are based on turn-based interactions, and include Anthropic Claude, Google Gemini, and OpenAI ChatGPT, which "executes a single set of actions and waits for the next user prompt." On the higher end of autonomy, browser agents offer more "limited opportunities for mid-execution intervention." These include Perplexity's Comet, which performs tasks autonomously once prompted. "Once a query is sent, users cannot easily intervene or steer the agent until it finishes."

Enterprise platforms are split when it comes to agent autonomy. "During the design phase, users manually configure triggers, actions, and guardrails using visual canvases," the researchers wrote. Others may offer AI assistance with this process. Once deployed, these agents often operate at higher levels of autonomy, "triggered by events like a new email or a database change, without any human involvement during the actual task execution." Such agents include Glean, Google Gemini Enterprise, IBM watsonx, Microsoft 365 Copilot, n8n, and OpenAI AgentKit.

A few offerings are considered developer/command-line-interface (CLI) agents that require explicit confirmation for sensitive operations such as file edits and command execution. Some agents offer "watch mode" for real-time oversight of critical actions, including ChatGPT Agent/Atlas, and Opera Neon.

Agent developers are concentrated in the US and China, with limited representation from other regions, the study also found.
[3]
The AI Agent Hype Is Real. The Productivity Gains Aren't
You can talk to an AI chatbot about everything from quantum physics to your divorce, but they are purely conversational by design. AI agents, on the other hand, exist specifically to carry out tasks for you, whether that's making a slideshow presentation or shopping for groceries. And they're popping up everywhere, including in browsers, chatbots, and operating systems. The proliferation of AI agents sure sounds like a great productivity advancement, but the unfortunate reality is that they come with serious privacy concerns and just don't work all that well yet. Here's where things stand, and what needs to improve.

What Are AI Agents?

As mentioned, AI agents can independently do things for you. They can book flights, plan vacations, or otherwise perform most tasks you can achieve with a computer or mobile device. The idea is that they save you time and the trouble of doing things yourself. The type of AI agents I'm referring to in this article, as well as the ones gaining popularity, take control of your apps, such as web browsers, or operate in virtualized instances to perform things on your behalf. For example, ChatGPT's Agent exists within a dedicated virtual web browser window, while Perplexity's Comet browser AI agent takes direct control of your browser. As I discuss later, both types often fail to fully carry out your instructions.

However, there isn't a strict definition of an AI agent, so many companies brand different AI features as agents or agentic. One example is an AI customer service agent, which is basically a purpose-built AI chatbot that interacts with customers. Microsoft Copilot has AI agents, such as its Researcher agent, which essentially performs AI chatbot deep research. These aren't the kinds of AI agents I take issue with, and they more or less work as advertised.

How Do AI Agents Work, and Where Can You Find Them?

Large language models (LLMs) power AI agents just as they do AI chatbots and pretty much every mainstream AI product or service. Think of an LLM like a complex equation designed to take in prompts and spit out responses. With an AI chatbot, an LLM takes in a question and responds with an answer. But, with an AI agent, the LLM takes in an instruction and responds by following it. Keep in mind that AI agents are not conscious, nor do they possess intelligence.

AI agents, at the time of writing, primarily exist as AI chatbot features, such as ChatGPT's Agent or Google's Project Mariner, or as part of web browsers, such as ChatGPT's Atlas, Microsoft's Edge, Opera's Neon, or Perplexity's Comet. Many AI agents cost money, but some don't. For example, you need to sign up for ChatGPT's $20-per-month Plus plan to use its AI agent, but you can use Microsoft's Edge AI agent, called Actions, for free.

AI Agent vs. AI Chatbot: What's the Difference?

An AI chatbot can answer questions, generate images and videos, help you code, search the web, solve problems, and more. They are tools you can use to accomplish goals or conversation partners, not independent actors. As mentioned, AI agents go further by actually performing actions for you. For example, you can ask ChatGPT for a recipe, and it will provide one. With ChatGPT Agent, you can ask it to not only find a recipe but also open your Instacart, add the ingredients to your cart, and order them.

The Big Problem With AI Agents: They Don't Do What They Say

The premise of AI agents sounds great in the same way that the idea of a robot that cleans your house does. The issue is that AI agents just don't deliver on their core promise. They struggle to do the virtual tasks they are designed to perform. Agents in web browsers, for example, often can't solve CAPTCHAs, fail to navigate sites, or routinely get stuck on certain steps, making them far more frustrating than convenient.

Even when they do work, they usually don't save you time, either. They almost always take longer than you would to do the same tasks. And they still require significant babysitting. You might have to click a pop-up ad that an agent can't seem to close or input a password it needs to do something. If adding groceries to an online cart only takes you a few minutes, what good is an AI agent doing that in twice the time while you keep an eye on it?

AI agents are at least getting better. ChatGPT's Agent, for example, is much faster and less error-prone today than Project Mariner was back when I first tested it less than a year ago. And I'm sure someone has found a specific use case for AI agents that works reliably, even if most people should still wait for broad improvements.

AI Agents Also Have Serious Privacy and Security Issues

Sharing your data with an AI agent is about as safe as sharing it with an AI chatbot, so there's little difference in telling ChatGPT something as opposed to ChatGPT Agent. The bad news is that AI companies almost always collect significant amounts of data, often using it for model training. Always keep in mind that the information you share with an AI agent isn't at all private.

AI agents also bring about new kinds of security vulnerabilities, such as prompt injection attacks. Furthermore, some AI agent services, such as AI.com, put you on the hook for any actions an AI agent takes on your behalf without guaranteeing that said agent will always follow the law. Even if there's only a small chance you get in trouble for something an AI does on your behalf, is that really worth the risk?

AI Agents Might Be the Future, But the Future Isn't Now

Making the jump from a tool you can use to an end-to-end technology that actually performs tasks for you seems like an inevitable leap forward for the AI industry. And while the idea of AI agents is undeniably compelling, the technology just isn't there yet, even if it is continuously improving. The future utility of AI agents (especially privacy-respecting ones) is worth looking forward to, but you should think carefully before sinking too much time or money into AI agents in the here and now.

Disclosure: Ziff Davis, PCMag's parent company, filed a lawsuit against OpenAI in April 2025, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.
[4]
AI agents abound, unbound by rules or safety disclosures
MIT CSAIL's 2025 AI Agent Index puts opaque automated systems under the microscope

AI agents are becoming more common and more capable, without consensus or standards on how they should behave, say academic researchers. So says MIT's Computer Science & Artificial Intelligence Laboratory (CSAIL), which analyzed 30 AI agents for its 2025 AI Agent Index, which assesses machine learning models that can take action online through their access to software services.

AI agents may take the form of chat applications with tools (Manus AI, ChatGPT Agent, Claude Code), browser-based agents (Perplexity Comet, ChatGPT Atlas, ByteDance Agent TARS), or enterprise workflow agents (Microsoft Copilot Studio, ServiceNow Agent).

The paper accompanying the AI Agent Index observes that despite growing interest and investment in AI agents, "key aspects of their real-world development and deployment remain opaque, with little information made publicly available to researchers or policymakers."

The AI community frenzy around open source agent platform OpenClaw, and its accompanying agent interaction network Moltbook - plus ongoing frustration with AI-generated code submissions to open source projects - underscores the consequences of letting agents loose without behavioral rules. In the paper, the authors note that the tendency of AI agents to ignore the Robot Exclusion Protocol - which uses robots.txt files to signal no consent to scraping websites - suggests that established web protocols may no longer be sufficient to stop agents.

It's a timely topic. Anthropic, one of the main providers of AI agents, on Wednesday published its own analysis of AI agent autonomy, focused more on how agents are used than the consequences of their use. "AI agents are here, and already they're being deployed across contexts that vary widely in consequence, from email triage to cyber espionage," the company said. "Understanding this spectrum is critical for deploying AI safely, yet we know surprisingly little about how people actually use agents in the real world."

According to consultancy McKinsey, AI agents have the potential to add $2.9 trillion to the US economy by 2030 - assuming the vast capital expenditures by OpenAI and other tech firms haven't derailed the hype train. We note that enterprises aren't yet seeing much of a return on their AI investments. And researchers last year found AI agents could only complete about a third of multi-step office tasks. But AI models have improved since then.

MIT CSAIL's 2025 AI Agent Index covers 30 AI agents. It is smaller than its 2024 predecessor, which looked at 67 agentic systems. The authors say the 2025 edition goes into greater depth, analyzing agents across six categories: legal, technical capabilities, autonomy & control, ecosystem interaction, evaluation, and safety. The AI Agent Index site makes this information available for every listed agent, each with 45 annotation fields.

According to the researchers, 24 of the 30 agents studied were released or received major feature updates during the 2024-2025 period. But the developers of agents talk more about product features than about safety practices. "Of the 13 agents exhibiting frontier levels of autonomy, only four disclose any agentic safety evaluations (ChatGPT Agent, OpenAI Codex, Claude Code, Gemini 2.5 Computer Use)," according to the researchers. Developers of 25 of the 30 agents covered provide no details about safety testing and 23 offer no third-party testing data.

To complicate matters, most agents rely on a handful of foundation models - the majority are harnesses or wrappers for models made by Anthropic, Google, and OpenAI, supported by scaffolding and orchestration layers. The result is a series of dependencies that are difficult to evaluate because no single entity is responsible, the MIT boffins say.

Delaware-incorporated companies created 13 of the agents evaluated by the authors. Five come from China-incorporated organizations, and four have non-US, non-China origins: specifically Germany (SAP, n8n), Norway (Opera), and Cayman Islands (Manus). Among the five Chinese-incorporated agent makers, one has a published safety framework and one has a compliance standard. For agents originating outside of China, 15 point to safety frameworks like Anthropic's Responsible Scaling Policy, OpenAI's Preparedness Framework, or Microsoft's Responsible AI Standard. The other ten lack safety framework documentation. Enterprise assurance standards are more common, with only five of 30 agents having no compliance standards documented.

Twenty-three of the evaluated agents are closed-source. Developers of seven agents open-sourced their agent framework or harness - Alibaba MobileAgent, Browser Use, ByteDance Agent TARS, Google Gemini CLI, n8n Agents, OpenAI Codex, and WRITER.

All told, the Index found agent makers reveal too little safety information, and that a handful of companies dominate the market. Other major findings include the difficulty of analyzing agents given their layers of dependencies, and that agents aren't necessarily welcome at every website.

The paper lists the following authors: Leon Staufer (University of Cambridge), Kevin Feng (University of Washington), Kevin Wei (Harvard Law School), Luke Bailey (Stanford University), Yawen Duan (Concordia AI), Mick Yang (University of Pennsylvania), A. Pinar Ozisik (MIT), Stephen Casper (MIT), and Noam Kolt (Hebrew University of Jerusalem). ®
[5]
AI agents are fast, loose and out of control, MIT study finds
Agentic technology is moving fully into the mainstream of artificial intelligence with the announcement this week that OpenAI has hired Peter Steinberg, the creator of the open-source software framework OpenClaw. The OpenClaw software attracted heavy attention last month not only for its enabling of wild capabilities -- agents that can, for example, send and receive email on your behalf -- but also for its dramatic security flaws, including the ability to completely hijack your personal computer.

Given the fascination with agents and how little is still understood about their pros and cons, it's important that researchers at MIT and collaborating institutions have just published a massive survey of 30 of the most common agentic AI systems. The results make clear that agentic AI is something of a security nightmare at the moment, a discipline marked by lack of disclosure, lack of transparency, and a striking lack of basic protocols about how agents should operate.

The biggest revelation of the report is just how hard it is to identify all the things that could go wrong with agentic AI. That is principally the result of a lack of disclosure by developers. "We identify persistent limitations in reporting around ecosystemic and safety-related features of agentic systems," wrote lead author Leon Staufer of the University of Cambridge and collaborators at MIT, University of Washington, Harvard University, Stanford University, University of Pennsylvania, and The Hebrew University of Jerusalem. Across eight different categories of disclosure, the authors pointed out that most agent systems offer no information whatsoever for most categories. The omissions range from a lack of disclosure about potential risks to a lack of disclosure about third-party testing, if any.

The 39-page report, "The 2025 AI Index: Documenting Sociotechnical Features of Deployed Agentic AI Systems," which can be downloaded here, is filled with gems about just how little can be tracked, traced, monitored, and controlled in today's agentic AI technology. For example, "For many enterprise agents, it is unclear from information publicly available whether monitoring for individual execution traces exists," meaning there is no clear ability to track exactly what an agentic AI program is doing.

"Twelve out of thirty agents provide no usage monitoring or only notices once users reach the rate limit," the authors noted. That means you can't even keep track of how much agentic AI is consuming of a given compute resource -- a key concern for enterprises that have to budget for this stuff.

Most of these agents also do not signal to the real world that they are AI, so there's no way to know if you are dealing with a human or a bot. "Most agents do not disclose their AI nature to end users or third parties by default," they noted. Disclosure, in this case, would include things such as watermarking a generated image file so that it's clear when an image was made via AI, or responding to a website's "robots dot txt" file to identify the agent to the site as an automation rather than a human visitor.

Some of these software tools offer no way to stop a given agent from running. Alibaba's MobileAgent, HubSpot's Breeze, IBM's watsonx, and the automations created by Berlin, Germany-based software maker n8n, "lack documented stop options despite autonomous execution," said Staufer and team. "For enterprise platforms, there is sometimes only the option to stop all agents or retract deployment." Finding out that you can't stop something that is doing the wrong thing has got to be one of the worst possible scenarios for a large organization where harmful results outweigh the benefits of automation.

The authors expect these issues, issues of transparency and control, to persist with agents and even become more prominent. "The governance challenges documented here (ecosystem fragmentation, web conduct tensions, absence of agent-specific evaluations) will gain importance as agentic capabilities increase," they wrote.

Staufer and team also said that they attempted to get feedback from the companies whose software was covered over four weeks. About a quarter of those contacted responded, "but only 3/30 with substantive comments." Those comments were incorporated into the report, the authors wrote. They also have a form provided to the companies for ongoing corrections.

Agentic artificial intelligence is a branch of machine learning that has emerged in the past three years to enhance the capabilities of large language models and chatbots. Rather than simply being assigned a single task dictated by a text prompt, agents are AI programs that have been plugged into external resources, such as databases, and that have been granted a measure of "autonomy" to pursue goals beyond the scope of a text-based dialogue.

That autonomy can include carrying out several steps in a corporate workflow, such as receiving a purchase order in email, entering it into a database, and consulting an inventory system for availability. Agents have also been used to automate several turns of a customer service interaction in order to replace some of the basic phone or email, or text inquiries a human customer rep would traditionally have handled.

The authors selected agentic AI in three categories: chatbots that have extra capabilities, such as Anthropic's Claude Code tool; web browser extensions or dedicated AI browsers, such as OpenAI's Atlas browser; and enterprise software offerings such as Microsoft's Office 365 Copilot. That's just a taste: other studies, they noted, have covered hundreds of agentic technology offerings.

(Disclosure: Ziff Davis, ZDNET's parent company, filed an April 2025 lawsuit against OpenAI, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.)

Most agents, however, "rely on a small set of closed-source frontier models," Staufer and team said. OpenAI's GPT, Anthropic's Claude, and Google's Gemini are what most of these agents are built on.

The study is not based on testing the agentic tools directly; it is based on "annotating" the documentation provided by developers and vendors. That includes "only public information from documentation, websites, demos, published papers, and governance documents," they said. They did, however, establish user accounts with some of the agentic systems to double-check the actual functioning of the software.

The authors offered three anecdotal examples that go into greater depth. A positive example, they wrote, is OpenAI's ChatGPT Agent, which can interface with websites when a user asks in the prompt for it to carry out a web-based task. Agent is positively distinguished as the only one of the agent systems they looked at that provides a means of tracking behavior by "cryptographically signing" the browser requests it makes.

By contrast, Perplexity's Comet web browser sounds like a security disaster. The program, Staufer and team found, has "no agent-specific safety evaluations, third-party testing, or benchmark performance disclosures," and, "Perplexity [...] has not documented safety evaluation methodology or results for Comet," adding, "No sandboxing or containment approaches beyond prompt-injection mitigations were documented." The authors noted that Amazon has sued Perplexity, saying that the Comet browser wrongly presents its actions to a server as if it were a human rather than a bot, an example of the lack of identification they discuss.

The third example is the Breeze set of agents from enterprise software vendor HubSpot. Those are automations that can interact with systems of record, such as "customer relationship management." The Breeze tools are a mix of good and bad, they found. On the one hand, they are certified for lots of corporate compliance measures, such as SOC2, GDPR, and HIPAA compliance. On the other hand, HubSpot offers nothing when it comes to security testing. It states the Breeze agents were evaluated by third-party security firm PacketLabs, "but provides no methodology, results, or testing entity details." The practice of demonstrating compliance approval but not disclosing real security evaluations is "typical of enterprise platforms," Staufer and team noted.

What the report doesn't examine are incidents in the wild, cases where agentic technology actually produced unexpected or undesired behavior that resulted in undesirable outcomes. That means we don't yet know the full impact of the shortcomings the authors identified.

One thing is absolutely clear: Agentic AI is a product of development teams making specific choices. These agents are tools created and distributed by humans. As such, the responsibility for documenting the software, for auditing programs for safety concerns, and for providing control measures rests squarely with OpenAI, Anthropic, Google, Perplexity, and other organizations. It's up to them to take the steps to remedy the serious gaps identified or else face regulation down the road.
[6]
New Research Shows AI Agents Are Running Wild Online, With Few Guardrails in Place
In the last year, AI agents have become all the rage. OpenAI, Google, and Anthropic all launched public-facing agents designed to take on multi-step tasks handed to them by humans. In the last month, an open-source AI agent called OpenClaw took the web by storm thanks to its impressive autonomous capabilities (and major security concerns). But we don't really have a sense of the scale of AI agent operations, and whether all the talk is matched by actual deployment. The MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) set out to fix that with its recently published 2025 AI Agent Index, which provides our first real look at the scale and operations of AI agents in the wild.

Researchers found that interest in AI agents has undoubtedly skyrocketed in the last year or so. Research papers mentioning "AI Agent" or "Agentic AI" in 2025 more than doubled the total from 2020 to 2024 combined, and a McKinsey survey found that 62% of companies reported that their organizations were at least experimenting with AI agents. With all that interest, the researchers focused on 30 prominent AI agents across three separate categories: chat-based options like ChatGPT Agent and Claude Code; browser-based bots like Perplexity Comet and ChatGPT Atlas; and enterprise options like Microsoft 365 Copilot and ServiceNow Agent.

While the researchers didn't provide exact figures on just how many AI agents are deployed across the web, they did offer a considerable amount of insight into how they are operating, which is largely without a safety net. Just half of the 30 AI agents that got put under the magnifying glass by MIT CSAIL include published safety or trust frameworks, like Anthropic's Responsible Scaling Policy, OpenAI's Preparedness Framework, or Microsoft's Responsible AI Standard. One in three agents has no safety framework documentation whatsoever, and five out of 30 have no compliance standards.

That is troubling when you consider that 13 of 30 systems reviewed exhibit frontier levels of agency, meaning they can operate largely without human oversight across extended task sequences. Browser agents in particular tend to operate with significantly higher autonomy. This would include things like Google's recently launched AI "Autobrowse," which can complete multi-step tasks by navigating different websites and making use of user information to do things like log into sites on your behalf.

One of the troubles with letting agents browse freely and with few guardrails is that their activity is nearly indistinguishable from human behavior, and they do little to dispel any confusion that might occur. The researchers found that 21 out of the 30 agents provide no disclosure to end users or third parties that they are AI agents and not human users. This results in most AI agent activity being mistaken for human traffic. MIT found that just seven agents published stable User-Agent (UA) strings and IP address ranges for verification. Nearly as many explicitly use Chrome-like UA strings and residential/local IP contexts to make their traffic requests appear more human, making it next to impossible for a website to distinguish between authentic traffic and bot behavior. For some AI agents, that's actually a marketable feature. The researchers found that BrowserUse, an open-source AI agent, sells itself to users by claiming to bypass anti-bot systems to browse "like a human."

More than half of all the bots tested provide no specific documentation about how they handle robots.txt files (text files that are placed in a website's root directory to instruct web crawlers on how they can interact with the site), CAPTCHAs that are meant to authenticate human traffic, or site APIs. Perplexity has even made the case that agents acting on behalf of users shouldn't be subject to scraping restrictions since they function "just like a human assistant."
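The passage above describes the two disclosure mechanisms a site operator can actually check for: a stable User-Agent token backed by published IP ranges, and robots.txt handling. The Python below is an added example, not code from the MIT index or any vendor; the agent token "ExampleAgentBot", its IP ranges, the robots.txt and the log lines are all constructed, and it shows the defender's side: verifying a self-declared agent against its published ranges (a UA string alone proves nothing, since any client can set one) and checking each request against the robots.txt group that applies to it.

```python
"""Added example (not from the MIT AI Agent Index or any vendor): classify
constructed access-log lines by whether the client identifies itself as an
agent, and check each request against the site's robots.txt rules."""
import ipaddress
import re
import urllib.robotparser
from collections import Counter

# Constructed vendor disclosure: a stable User-Agent token plus the IP ranges
# its agent requests come from (hypothetical values in documentation space).
PUBLISHED_AGENTS = {
    "ExampleAgentBot": ["198.51.100.0/24", "2001:db8:10::/48"],
}

SITE = "https://shop.example"

# Constructed robots.txt: the agent-specific group overrides the "*" group
# for clients that identify as ExampleAgentBot; everyone else gets "*".
ROBOTS_TXT = """\
User-agent: ExampleAgentBot
Disallow: /checkout/
Disallow: /account/

User-agent: *
Disallow: /admin/
"""

# Constructed combined-format log lines: a verified agent on a disallowed path,
# a UA-only claimant from outside the published ranges, a browser-like UA with
# no agent identification hitting /admin/, and a verified agent on an allowed path.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2026:12:00:00 +0000] "GET /checkout/cart HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (compatible; ExampleAgentBot/1.0; +https://agent.example/bot)"',
    '203.0.113.9 - - [10/Jan/2026:12:00:01 +0000] "GET /products/1 HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (compatible; ExampleAgentBot/1.0)"',
    '192.0.2.44 - - [10/Jan/2026:12:00:02 +0000] "GET /admin/ HTTP/1.1" '
    '403 128 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/120.0 Safari/537.36"',
    '2001:db8:10::5 - - [10/Jan/2026:12:00:03 +0000] "GET /products/2 HTTP/1.1" '
    '200 2048 "-" "ExampleAgentBot/1.0 (+https://agent.example/bot)"',
]

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def build_robots(text):
    """Parse robots.txt text with the standard-library parser."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def identify_agent(ip, ua):
    """Return (label, token). 'verified' = published token AND source IP inside
    the published ranges; 'ua-only' = token present but IP unpublished (the UA
    string is client-controlled, so this is a claim, not proof); 'undeclared'
    = no published token, i.e. the request looks like an ordinary browser."""
    addr = ipaddress.ip_address(ip)
    for token, ranges in PUBLISHED_AGENTS.items():
        if token in ua:
            in_range = any(addr in ipaddress.ip_network(r) for r in ranges)
            return ("verified" if in_range else "ua-only"), token
    return "undeclared", None


def classify(line, rp):
    """Combine identity with a robots.txt check for the token the client claims;
    unidentified clients are held to the '*' group."""
    rec = parse_log_line(line)
    if rec is None:
        raise ValueError(f"unparsed log line: {line!r}")
    label, token = identify_agent(rec["ip"], rec["ua"])
    allowed = rp.can_fetch(token or "*", SITE + rec["path"])
    return {"ip": rec["ip"], "path": rec["path"], "identity": label,
            "token": token, "robots_allowed": allowed}


def summarize(lines, rp):
    """Count identity labels and robots.txt violations across a log."""
    counts = Counter()
    violations = 0
    for line in lines:
        rec = classify(line, rp)
        counts[rec["identity"]] += 1
        violations += 0 if rec["robots_allowed"] else 1
    return dict(counts), violations


if __name__ == "__main__":
    robots = build_robots(ROBOTS_TXT)
    for entry in SAMPLE_LOG:
        print(classify(entry, robots))
    print(summarize(SAMPLE_LOG, robots))
```

Only the two requests from the published ranges count as verified; the third line is exactly the "Chrome-like UA" case the index describes, which this check can hold to robots.txt but cannot attribute to any agent.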
The fact that these agents are out in the wild without much protection in place means there is a real threat of exploits. There is a lack of standardization for safety evaluations and disclosures, leaving many agents potentially vulnerable to attacks like prompt injection, in which an AI agent picks up on a hidden malicious prompt that can make it break its safety protocols. Per MIT, nine of 30 agents have no documentation of guardrails against potentially harmful actions. Nearly all of the agents fail to disclose internal safety testing results, and 23 of the 30 offer no third-party testing information on safety. Just four agents (ChatGPT Agent, OpenAI Codex, Claude Code, and Gemini 2.5) provided agent-specific system cards, meaning the safety evaluations were tailored to how the agent actually operates, not just the underlying model. While frontier labs like OpenAI and Google offer more documentation on "existential and behavioral alignment risks," they lack details on the type of security vulnerabilities that may arise during day-to-day activity, a habit that the researchers refer to as "safety washing," which they describe as publishing high-level safety and ethics frameworks while only selectively disclosing the empirical evidence required to rigorously assess risk. There has at least been some momentum toward addressing the concerns raised by MIT's researchers. Back in December, OpenAI and Anthropic (among others) joined forces, announcing a foundation to create a development standard for AI agents. But the AI Agent Index shows just how wide the transparency gap is when it comes to agentic AI operation. AI agents are flooding the web and workplace, functioning with a shocking amount of autonomy and minimal oversight. There's little to indicate at the moment that safety will catch up to scale any time soon.
MIT researchers analyzed 30 AI agents and found a troubling pattern: while developers eagerly showcase what their systems can do, only 19% disclose formal safety policies and fewer than 10% report external safety evaluations. The study exposes how agentic AI systems that can autonomously perform tasks like booking flights and managing workflows are advancing faster than their safety frameworks.
AI agents are rapidly transforming how we interact with technology, capable of planning complex tasks, writing code, browsing the web, and executing multistep workflows with minimal human supervision. Yet a comprehensive analysis by MIT CSAIL reveals a stark disconnect between their growing capabilities and the transparency around their safety. The 2025 AI Agent Index, which examined 30 deployed agentic AI systems across 1,350 data points, found that only 19% disclose formal safety policies, and fewer than 10% report external safety evaluations [1][4]. This lack of transparency becomes particularly concerning as these systems move from prototypes to digital actors integrated into real workflows involving sensitive data and meaningful control.
Source: PC Magazine
The researchers were deliberate about defining what qualifies as an AI agent. To be included in the AI Agent Index, systems had to operate with underspecified objectives, pursue goals over time, and take actions affecting an environment with limited human mediation [1]. These are not simple chatbots that merely respond to prompts. Instead, they decide on intermediate steps themselves, breaking broad instructions into subtasks, using tools, and iterating through complex processes. That autonomy makes them powerful but also raises significant stakes.
The MIT study identified three primary categories of AI agents currently deployed. Enterprise workflow agents, representing 13 of the 30 systems covered, are platforms with agentic features designed for workflow automation across business functions like HR, sales, support, and IT. Examples include Microsoft 365 Copilot and ServiceNow Agent [2]. Chat applications with agentic tools comprise 12 systems, primarily featuring chat interfaces with extensive tool access, including general-purpose coding agents like Claude Code and agents embedded in broader products such as Manus AI and ChatGPT Agent.
Browser-based agents, accounting for five systems, distinguish themselves through their primary interface of browser or computer use with extensive interaction capabilities. Unlike chat agents with simple web search that primarily perform retrieval and summarization, browser agents present higher risks through background execution, event triggers, and direct transactions [2]. Examples include Perplexity Comet, ChatGPT Atlas, and ByteDance Agent TARS. Delaware-incorporated companies created 13 of the evaluated agents, while five originated from China-incorporated organizations, and four came from non-US, non-China origins including Germany, Norway, and the Cayman Islands [4].
Developers prove comfortable sharing demos, benchmarks, and usability features of these AI agents, but remain far less consistent about sharing safety evaluations, internal testing procedures, or third-party risk audits [1]. Of the 13 agents exhibiting frontier levels of autonomy, only four disclose any agentic safety evaluations: ChatGPT Agent, OpenAI Codex, Claude Code, and Gemini 2.5 Computer Use [4]. Developers of 25 of the 30 agents provide no details about safety testing, and 23 offer no third-party testing data.
Source: CNET
This imbalance matters more as agents transition from experimental tools to systems with real-world consequences. When a model simply generates text, its failures are typically contained to that single output. But when an AI agent can access files, send emails, make purchases, or modify documents, mistakes and exploits can propagate across multiple steps with damaging results [1]. Many indexed systems operate in domains like software engineering and computer use—environments that routinely involve sensitive data and significant control.
The governance challenges documented in the study extend beyond missing safety disclosures to fundamental questions of control and accountability. Most agents do not disclose their AI nature to end users or third parties by default, meaning there's often no way to know whether you're dealing with a human or a bot [5]. This includes failures to implement watermarking for generated content or respond to websites' robots.txt files that signal no consent to scraping. The tendency of AI agents to ignore the Robot Exclusion Protocol suggests established web protocols may no longer suffice to control agent behavior [4].
Even more troubling, some systems offer no documented way to stop an agent from running. Alibaba's MobileAgent, HubSpot's Breeze, IBM's watsonx, and automations created by n8n lack documented stop options despite autonomous execution [5]. For enterprise platforms, sometimes the only option is to stop all agents or retract deployment entirely. Twelve out of 30 agents provide no usage monitoring or only notices once users reach rate limits, making it impossible to track how much compute resources these systems consume—a critical concern for organizations managing budgets.
The study found that levels of autonomy vary considerably across different agent types. Chat-first assistants like Anthropic Claude, Google Gemini, and OpenAI ChatGPT maintain the lowest autonomy levels, operating through turn-based interactions where they execute a single set of actions and wait for the next user prompt [2]. On the higher end, browser agents like Perplexity's Comet offer limited opportunities for mid-execution intervention, performing tasks autonomously once prompted, with users unable to easily intervene until completion.
Enterprise platforms present a split picture when it comes to agent autonomy. During the design phase, users manually configure triggers, actions, and guardrails using visual canvases, though some offer AI assistance with this process. Once deployed, these agents often operate at higher autonomy levels, triggered by events like new emails or database changes without human involvement during actual task execution [2]. Such agents include Glean, Google Gemini Enterprise, IBM watsonx, Microsoft 365 Copilot, n8n, and OpenAI AgentKit.
Despite the hype surrounding AI agents, the productivity gains promised by these systems have yet to materialize consistently. Large language models power AI agents just as they do chatbots and most mainstream AI products, but the implementation differs significantly. While an AI chatbot takes in questions and responds with answers, an AI agent takes in instructions and responds by following them—though without consciousness or true intelligence.
The core issue is that AI agents struggle to deliver on their fundamental promise. Agents operating in web browsers often cannot solve CAPTCHAs, fail to navigate sites properly, or routinely get stuck on certain steps, making them more frustrating than convenient. Even when they work, they usually don't save time, typically taking longer than humans would for the same tasks while still requiring significant human supervision. Users might need to click pop-up ads that agents cannot close or input passwords needed to proceed. If adding groceries to an online cart takes only a few minutes manually, an agent doing it in twice the time while requiring monitoring offers questionable value.
The AI agent ecosystem reveals troubling concentration among a handful of providers. Most agents function as harnesses or wrappers for foundation models made by Anthropic, Google, and OpenAI, supported by scaffolding and orchestration layers [4]. This creates a series of dependencies that prove difficult to evaluate because no single entity bears complete responsibility for the system's behavior. Twenty-three of the evaluated agents are closed-source, while only seven developers open-sourced their agent framework or harness.
Among the five Chinese-incorporated agent makers, one has a published safety framework and one has a compliance standard. For agents originating outside China, 15 point to safety frameworks like Anthropic's Responsible Scaling Policy, OpenAI's Preparedness Framework, or Microsoft's Responsible AI Standard, while ten lack safety framework documentation entirely [4]. Enterprise assurance standards prove more common, with only five of 30 agents having no compliance standards documented.
The researchers expect these governance challenges—including ecosystem fragmentation, tensions over web conduct, and absence of agent-specific evaluations—to gain importance as agentic capabilities increase [5]. According to consultancy McKinsey, AI agents have the potential to add $2.9 trillion to the US economy by 2030, though enterprises aren't yet seeing substantial returns on their AI investments [5].
The MIT AI Agent Index does not claim that agentic AI is universally unsafe, but it demonstrates that as autonomy increases, structured transparency about AI agent safety has not kept pace [1]. The technology accelerates while the guardrails remain harder to see. For organizations considering deployment, the absence of clear regulation and accountability frameworks means they must conduct their own rigorous assessments of risks versus benefits. As these systems become more integrated into workflows handling sensitive data, the need for standardized disclosure practices and robust safety protocols becomes increasingly urgent.
Source: ZDNet
Summarized by
Navi