The User-Agent, the thing you might refer to as the web browser, was supposed to be your loyal representative. Over time, browser makers diluted its loyalty. First they incrementally introduced features and components that restricted what the user could do with a browser in order to serve the rights of content owners. Then they gradually introduced behaviors that complicated the custodianship of the users’ data. How did this happen?
In the near future, you will encounter an objectively more chaotic creature – an AI-powered user agent. One that aggregates much more about you over time and one that aims to act much more broadly on your behalf. How do we negotiate trust with an entity whose behavior isn’t well understood even by its creators?
The User-Agent is the user’s loyal servant
The concept of a user agent dates back to the early days of the Internet. Every computer system that involves humans needs some mechanism to represent human intent. We can’t move electrons directly. So, we must interact with some device 1 within the computer system as a proxy. This device, which interfaces with the system on behalf of the human (i.e. user), is called the user agent.
Right from the start, the role of the user agent is to accurately represent the user’s intent, and to accurately reflect back the state of the system to the user.
In an email system, this user agent is called a mail user agent (MUA) (Tracy et al., 2002). For the web, it should be called a web user agent (WUA) (Yasskin & Capadisli, 2026). But because web user agents —which you might refer to as web browsers— are so dominant, people have dropped the superfluous “web” part.
MUTT(1)                      User Manuals                      MUTT(1)

NAME
    mutt - The Mutt Mail User Agent

SYNOPSIS
    mutt [-hNpRxZ] [-s subject] [-c cc-addr] [-a file] ...
         [-F rcfile] [-H draft] [-i include] [-f mailbox]
         [address] ...

DESCRIPTION
    Mutt is a small but very powerful text-based MIME mail client.
    Mutt is highly configurable, and is well suited to the mail
    power user with advanced features like key bindings, keyboard
    macros, mail threading, regular expression searches and a
    powerful pattern matching language for selecting groups of
    messages.

    "All mail clients suck. This one just sucks less."
        - me, circa 1995

The Mutt Mail User Agent.
Over time, user agents have evolved from simple command-line interfaces to sophisticated graphical browsers and services. Modern user agents are versatile platforms integrating a wide array of advanced capabilities and protocols. (Wikipedia, 2025)
In the early days of the web, people took the user agent’s role very seriously, almost religiously. Unlike email, where the MUA does simple tasks like fetching and sending messages, the UA has a broader job. Technical requirements are so demanding that only a few well-resourced tech companies can build and maintain a full-featured UA from scratch. The standards documents for a compliant UA are thousands of pages long 2. These standards are not perfect or complete, but they have been crafted through person-millennia of effort to ensure security and correctness.
Beyond technical requirements, there is an increasingly important social contract.
The User-Agent must act on behalf of the user.
The UA must accurately render web pages as described by server responses and verify claims made by servers. For instance, when a user attempts to visit a suspicious or known phishing website, most modern browsers will steer them away from it (Mozilla, 2024).
The UA shouldn’t be sending data to random third parties unknown to the user, nor should it be furnishing information that the user hasn’t offered to share. All this while, each visited page triggers hundreds of network requests to dozens of third-party sites.
The User-Agent must act ONLY on behalf of the user.
With so many competing and conflicting interests on the internet, the user agent must act only on behalf of the user. But modern web technology is so complex that users cannot fully understand how their user agent interacts with the internet. Thus, they have no means of rigorously verifying that all the UA’s activity is aligned with the user’s interests and only the user’s interests.
This user-UA relationship depends on layers of implicit, non-negotiable trust, which are unverifiable.
It matters who makes the User-Agent.
Because of this functional opacity and implied trust, it matters greatly who owns and controls the UA. This control allows the maker to determine whether the UA’s priorities align with the user’s or the maker’s, and whether the makers can be held accountable if they fail to uphold their end of the social contract. In reality, the only way to force the UA makers to respect user intent is through legislation (Berjon & Yasskin, 2025).
However, this article is not about those UAs.
We only took that detour to explain what a UA is, the degree of trust, and the power imbalance. Now let’s look at yet another kind of user agent. It has even more information about you, must be trusted to act in your best interest, and its behavior cannot be verified.
User-Agents with AI superpowers …
I’m talking about the coming AI-powered user agents (referred to as AIUAs in this article). These do more than just fetch and present web pages for users. AIUAs are like traditional UAs, but far more powerful. They collect and interpret massive amounts of user data and perform actions on behalf of the user. By design, these agents must have access to deeply personal data (Yang et al., 2025).
… need to feed on your data …
Data sharing is a non-negotiable. For now, these AIUAs will rely on a remotely located brain 3. Hence, the logic applied to decisions affecting you will be unknowable. More distressingly, it may even be unknowable to the people who built them (Aysel et al., 2025). This opacity largely stems from the complexity of AI models, which involve numerous layers of computation, making their inner workings difficult to interpret. Additionally, a lack of comprehensive interpretability tools contributes to this issue, leaving both users and developers with a limited understanding of their decision-making processes (AryaXAI, 2025).
… but can’t swear any allegiance.
In the classic UA trust model, if you see a recommendation for a product, you know a handful of entities whose interests this recommendation or ad serves. With AIUAs, you will have no idea if a recommendation serves your best interest or someone else’s. It could try to help you but fail because its training data is biased toward someone else’s interests. This bias is difficult to detect. (Ryan, 2025)
They are opaque, even to those who make them.
Even with a relatively simpler system like the UA with well-defined trust boundaries, trust remains a difficult problem. We are moving towards indecipherable systems like AIUAs with even fuzzier trust boundaries. We don’t have thousands of pages of specifications for these AI systems. Instead, there are trillions of training tokens that only offer loose guidance. Not to mention basic attack vectors like prompt injection still haven’t been sufficiently mitigated 4. Nobody can guarantee where AIUAs’ allegiance lies. (OpenAI, 2025)
They are deceptively trustworthy …
AIUAs can easily gain people’s trust. Some people even fall in love with them (Demopoulos, 2025) or follow them to their deaths. Our politics, values, and consumption habits are easy pickings for a mildly motivated AIUA to manipulate. To make things even worse, people trust what AIUAs tell them about the world without checking. The more people choose AIUAs as the goggles with which they see the world, the more these agents can shape a convincing alternate reality.
… and difficult to align.
Perhaps the most interesting example of an intentionally modified foundational model is Grok, Elon Musk’s xAI chatbot. In July 2025, after Musk announced he had “improved” Grok to make it less “politically correct,” the chatbot began posting antisemitic content on X. This included praising Hitler and making false claims about Jewish people. (Siddiqui, 2025)
Grok isn’t an outlier. DeepSeek shocked the foundation model world when it came out. It was an open-weight model from China whose performance was comparable to the biggest foundation models at the time. Yet there was a problem: DeepSeek didn’t like to talk about Tiananmen Square. (Lu, 2025)
Trying to steer foundation models toward or away from bias often leads to outcomes that diverge from intentions. (Sun et al., 2025) While it sounds like self-sabotage, it’s not absurd to suggest that Google would comply with a request to politically “align” Gemini —hypothetically of course. Google scaled back its DEI hiring goals and other diversity programs in early 2025 after facing political and legal pressure. (Associated Press, 2025) Standing up for what’s right at the expense of profit seems an unrealistic expectation.
In summary,
- We see the world through complex yet predictable machines — called user agents. They are difficult to understand, but they do our bidding, more or less.
- We are moving towards handing over our agency to even more complex machines. But this time, they are unpredictable, poorly understood, and pretty much impossible to align with our interests in a verifiable way.
That’s terrifying. But what can we do about it? In the next part of this series, we will delve into practical strategies and explore cutting-edge research to address and mitigate the risks associated with AI-powered user agents. We’ll examine the role of transparency in AI development and look at how emerging frameworks could help ensure AI systems act in our best interests.
Google is scrapping some of its diversity hiring targets, joining a lengthening list of U.S. companies that have been abandoning or scaling back their diversity, equity and inclusion programs.
Privacy is an essential part of the web. This document provides definitions for privacy and related concepts that are applicable worldwide as well as a set of privacy principles that should guide the development of the web as a trustworthy platform.
Experts are concerned about people emotionally depending on AI, but these women say their digital companions are misunderstood.
The AI app soared up the Apple charts and rocked US stocks, but the Chinese chatbot was reluctant to discuss sensitive questions about China and its government.
Trust is no longer optional infrastructure.
Although value-aligned language models (LMs) appear unbiased in explicit bias evaluations, they often exhibit stereotypes in implicit word association tasks, raising concerns about their fair usage. We investigate the mechanisms behind this discrepancy and find that alignment surprisingly amplifies implicit bias in model outputs.
Electronic mail (e-mail) is a critical business application, but it is also a source of security risks. This publication provides guidelines for securing e-mail systems, including client and server security, as well as the infrastructure that supports e-mail.
NCSA Mosaic is a discontinued early web browser. It was the first browser to display images inline with text instead of in a separate window. It is often described as the first graphical web browser.
This paper presents the first large-scale field study of the adoption, usage intensity, and use cases of general-purpose AI agents operating in open-world web environments. Our analysis centers on Comet, an AI-powered browser developed by Perplexity, and its integrated agent, Comet Assistant. Drawing on hundreds of millions of anonymized user interactions, we address three fundamental questions: Who is using AI agents? How intensively are they using them? And what are they using them for?
1. I’m using the term “device” loosely here because the user agent often consists of an entire stack of hardware and software. In literature, you’ll find the terms “device,” “machine,” and “system” used interchangeably, depending on the context.

2. I worked on Google Chrome for over a decade on the networking stack, and briefly on the renderer. Calling it thousands of pages of standards is an understatement.
Modern UAs face so many quirks and misbehaviors that, in some areas, we have more code handling quirks than implementing the intended specifications. We can’t just refuse to talk to large portions of the internet or refuse to render millions of older web pages just because the code wouldn’t look good.

3. Not all large language models are “hosted,” which means that the model is actually stored far away in a server and you can only talk to it through a mediating service. There are powerful language models that you can store on your own computer. Currently there is a large performance gap between the so-called open weights models and their larger hosted counterparts. If that wasn’t a big deal, any language model that you can run on your machine is going to require some pretty hefty hardware. So tl;dr, it is possible to run a large language model on your computer. But that’s not an option for most (>99%) people.

4. Prompt injection refers to a security issue where someone can craft a malicious prompt or include some malicious text that, when used with a large language model, causes that model to misbehave.
There are ongoing efforts that are trying to address these concerns. Researchers are exploring potential solutions, such as model auditing, to assess biases and decision-making processes within AI systems. Additionally, improving explainability is a key area of interest, as it would enhance our capability to interpret AIUA actions and decisions. Developing technical safeguards, such as robust encryption and secure access controls, could also serve as preventive measures against misuse. (“Balancing Explainability and Privacy in AI Systems,” 2025)