Every few years the industry reaches for a new number. Web2 gave us the read-write web, Web3 gave us the read-write-own web, and now "Web4" is being floated as whatever comes after — usually described as an intelligent, ambient, agent-mediated web where software does things on your behalf instead of waiting for you to click. The word is a useful hook. It points at something real. But as a frame for what is actually changing, it is close to useless, because it describes the wrong layer. It treats the shift as a new kind of interface, when the shift is actually in who sits at the primary user layer at all.
The interface framing is the comfortable one. It lets you imagine the same software you already use, with a smarter conversational skin on top, fewer buttons, more natural language. That is not what is happening. What is happening is that the entity initiating most digital actions is starting to move from a human operating an application to a piece of software operating on a delegated mandate. The human is still in the loop, but the human is moving up a level — from operator to principal. And the moment that move happens, the hard problem stops being how well the agent reasons and becomes what the agent is allowed to do, for whom, within what bounds, and with what recourse when it is wrong.
Getting that frame right is the whole point, because everything difficult about agentic systems sits downstream of it — authority, delegation, control surfaces, and the question of who is answerable when software acts. None of that is about chatbots getting better.
Core claim
- The real change is not a new frontend. It is a relocation of the primary user layer from humans-with-apps to agents-with-mandates.
- This makes the central problem a control problem, not an intelligence problem: scope, delegation, revocation, accountability — not raw reasoning quality.
- "Web4" is a serviceable public hook and a poor analytical frame. It names the vibe and hides the architecture.
- Interoperability standards make agents able to act. They do not make them trustworthy to act. Those are different layers, and the second one is mostly unbuilt.
- The honest production reality today is bounded delegation, not autonomy. That is a feature of the problem, not a temporary limitation of the tooling.
The layer that is actually moving
For thirty years the primary user layer has been a person in front of an application. Every meaningful design assumption rests on that. Authentication proves a human is present. Authorization is scoped to what that human may do. Audit logs record what that human did. Consent is a human reading a screen and clicking accept. Liability, when something goes wrong, traces back to a human decision or a human-configured rule. The application is the tool; the human is the actor; the whole stack is built around that division.
Agentic systems break the division without announcing it. When an agent books the travel, reconciles the invoices, rebalances the position, or files the request, the application is still the tool — but the actor is now software acting under instructions it received earlier from a human who is no longer in the room. The person did not perform the action. The person authorized a class of actions and delegated the execution. That is a different relationship than "user clicks button," and almost none of the surrounding machinery was designed for it.
This is why the interface framing is misleading. A better interface assumes the human is still the one acting and just makes acting easier. A shift in the primary user layer assumes the human has stepped back into the role of principal and handed the doing to a delegate. The questions that matter are no longer about clarity of presentation. They are about the terms of the delegation: how wide it is, how long it lasts, how it is proven, and how it is pulled back.
By this point the word "Web4" has done its job and should be set down. It got us to the doorway. It cannot describe the room. What is on the other side of the door is not a web generation. It is a delegation problem wearing the costume of a product trend.
Two system shapes that look the same and are not
Two systems can present the same surface and belong to different classes. In the first, a human uses an app: authority lives with the human at every step, the app never acts on its own, and revoking access means the human stops using it. In the second, a human grants a mandate and an agent pursues the goal across many tools: authority has been delegated, the agent acts when the human is absent, and revoking access now means reaching the agent, the tools it already touched, and any work already in flight.
The surface is almost identical: same chat box, same dashboard, same "done." Underneath, they are different system classes with different failure modes. The first fails when the human makes a mistake or the app has a bug. The second fails in a category the first does not have at all: the agent does something it was technically able to do but had no legitimate standing to do — for this principal, in this context, at this time. Capability and authority diverge the moment the human leaves the room. In the humans-with-apps world they were effectively fused, because the human's presence was the authority. In the agents-with-mandates world they are separate objects, and keeping them aligned is the entire game.
The single distinction worth carrying out of this article is exactly that: an agent that suggests and an agent that acts are not the same system, even when the model inside them is identical. A suggestion is consumed by a human who supplies the authority to act on it. An action is taken by the agent itself, which means the authority had to be packaged and handed over in advance. Everything difficult about agentic systems lives in that handover.
Where the boundary actually falls
It is tempting to draw the line at autonomy — agents that decide for themselves versus tools that wait for input. That line is real but it is not the one that bites first. The boundary that bites first is narrower and more practical: the move from an agent that produces output a human consumes to an agent that produces effects in other systems. Drafting an email is the first kind. Sending it is the second. Proposing a trade is the first. Submitting it is the second. The reasoning can be identical on both sides of that line. What changes is whether the agent's output is a recommendation absorbed by a human or a side effect committed to the world.
Once an agent crosses into producing effects, four things that were trivial in the human-operated model become design problems:
Scope. A human's authority is implicitly bounded by attention and intent — you do the one thing you sat down to do. A delegated agent has no such natural bound. Its scope has to be stated explicitly, because "do this task" silently includes every action the agent judges instrumentally useful unless something stops it. Scope is no longer the side effect of a human paying attention. It is an object that has to be authored.
Duration. Human authority is renewed constantly by presence; you are authorized because you are here, now, doing this. Delegated authority persists in your absence, which means it needs an expiry that someone designed. A mandate with no time bound is not a convenience. It is a standing liability waiting for a context to change underneath it.
Revocation. When a human loses access, they stop. When a delegated agent's authority is revoked, the agent may have already acted — propagated state into other tools, triggered downstream jobs, left side effects in systems that never heard about the revocation. Cutting the agent off is the easy half. Unwinding what it already set in motion is the half nobody has cleanly solved.
Accountability. When a human acts, the chain of responsibility is short and legible. When an agent acts under a mandate granted by a principal, executed across several tools, possibly handed to other agents, the question "who is answerable for this" stops having an obvious answer. You can have a complete trace of what happened and still not be able to establish who had the standing to make it happen.
None of these are reasoning problems. A perfect model does not solve any of them. They are properties of the control plane around the agent, and the control plane is where the real engineering of agentic systems is going to live.
Interoperability is not trust
The most common move right now is to point at the emerging agent standards and imply the hard part is being handled. It is not, and the standards themselves are honest about this if you read them. Protocols for connecting models to tools and for letting agents exchange tasks are solving a genuine problem: they make agents and tools able to talk to each other without bespoke integration for every pair. That is real and useful. It is also strictly the connectivity layer. Making two systems able to communicate is not the same as establishing that one of them is allowed to make the other do something.
The leading interoperability efforts are explicit that consent, authorization, and access control are left to the implementer — they standardize the conversation and deliberately push the trust decisions out to the surrounding system. The agent-to-agent work keeps identity at the transport layer and leans on conventional web auth rather than inventing a portable notion of "this agent may act for this principal within these bounds." This is the correct engineering decision. It is also a tell. Interoperability lets systems talk; it does not tell them who had standing to act. The standards are drawing a clean line around what they solve, and authority sits on the far side of that line, still mostly unowned.
So the picture where agents fluidly call each other and everything composes is half a picture. The plumbing composes. The authority does not, at least not yet, in any portable way. An agent can reach a tool through a standard interface and still have no defensible answer to whether it should be reaching it for this user, on this task, under whose mandate.
The unglamorous truth: today's frontier is bounded delegation
If autonomous economic agents were close, you would expect production systems to be shedding workflow scaffolding. The opposite is happening. The more consequential the action, the more the serious systems reintroduce exactly the controls that "autonomy" was supposed to remove. Durable workflow engines persist execution state so a long-running agent process can be recovered, replayed, and reasoned about rather than trusted to simply keep running. Agent frameworks normalize explicit human-approval checkpoints — deliberate pauses before an action with a side effect, where a person confirms, edits, or cancels. Authorization systems are starting to model the agent itself as a principal and to scope permissions to specific tasks, precisely because "the agent did it" is not a usable answer once the action matters.
Read together, these are not signs of an industry on the verge of cutting humans loose. They are signs of an industry discovering that the valuable near-term pattern is bounded delegation: an agent doing real work inside an explicitly drawn box, with durable state, approval gates, scoped permissions, and a human principal who remains accountable. That is not a watered-down version of the agentic future. For anything touching money, contracts, or irreversible effects, it is the shape of the thing. The interesting question is not how to remove the box. It is how to make the box portable, enforceable, and honest about who is responsible for what is inside it.
The missing object
The relocation of the primary user layer is the real event. The label we started with gestures at it and then gets in the way, because it frames a control shift as an interface shift and an authority problem as a usability problem. Once you put the framing where it belongs, the agenda for everything that follows becomes clear. The bottleneck is not whether agents can think well enough. It is whether we can express, bound, prove, and revoke what they are allowed to do — across tools, across organizations, and eventually across money. The hard part was never getting agents to call tools. It is making their standing portable, bounded, and revocable.
That sets up the question this article deliberately does not answer. If an agent is going to act as an operational actor rather than a helper, it needs something that does not cleanly exist today: a way to carry its authority with it — scope, expiry, revocation path, and accountability — as a first-class object, portable across the systems it touches. An agent that acts without such an object is not autonomous; it is borrowing trust from the surrounding stack, and that loan comes due the first time authority has to cross a boundary the stack does not control. Most of the pieces around that object are mature. The object itself is not. There are early gestures toward it at the asset layer, where programmable accounts already let you delegate narrowly scoped, time-bounded spending authority, and where the same delegation power is sharp enough to be dangerous when drawn too wide. But those are fragments, wallet-specific and unstandardized, not the general primitive the problem demands.
That missing object — the portable mandate — is where the next article goes. Not because reasoning does not matter, but because authority is the deeper unsolved thing, and naming it correctly is the difference between writing about agents and writing about the architecture of machine action.