The W3C defines CAPTCHA as a "Completely Automated Public Turing Test," built to tell computers and humans apart. That framing made sense when the threat was a script trying to scrape a form or stuff a ballot box. Human or not. Binary gate.
Browser agents walk right through that binary. They click, scroll, and type across the same surfaces CAPTCHA was designed to police. Some operate on behalf of a real person with a real account. The checkbox has no way to know that, because it was never built to ask.
NIST's authentication guidance already treats cloud IPs and unusual geolocation as fraud signals rather than proof of anything. Cookies track sessions but aren't authenticators. Access tokens don't prove presence. The infrastructure around the gate has quietly moved past the question the gate still asks.
CAPTCHA is a witness who can tell you someone showed up. It can't say who sent them, what they're allowed to do, or whether anyone will account for what happens next.
Human? CAPTCHA's original job. Separate people from scripts through tasks assumed easy for humans, hard for bots.
Suspicious? NIST treats geolocation, timing, browser metadata, and IP reputation as fraud signals that may trigger controls, but they don't replace authentication.
Present? Cookies are session mechanisms, not authenticators. An access token alone doesn't prove the subscriber is there.
Allowed? OAuth token exchange (RFC 8693) already has vocabulary for this: a delegated actor retains its own identity while acting on behalf of another principal.
Recognized? The other side of the screen needs to accept the agent as a legitimate actor, not just a non-bot.
Recorded? Production systems need proof of mandate, action, and evidence. Passing a checkbox leaves no such trail.
CAPTCHA answers one of these six questions.
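The "Allowed?", "Recognized?" and "Recorded?" questions, as an added example that is not part of the original page: a resource server reads the RFC 8693 `act` claim from a token it has already signature-verified, authorizes on the current actor only, and emits an audit record naming both subject and actor. The claim values, `TRUSTED_ACTORS` and the `authorize` helper are hypothetical.

```python
import json

# Constructed sample: claims of an access token issued through RFC 8693 token
# exchange; assumed to be signature- and audience-verified before this point.
SAMPLE_CLAIMS = {
    "iss": "https://as.example.com",
    "aud": "https://shop.example.com",
    "sub": "user-1234",                  # the person the agent acts for
    "scope": "cart:read cart:write",     # space-delimited, as in RFC 8693
    # Outermost act = current actor; nested act = prior actor in the chain.
    "act": {"sub": "agent-7", "act": {"sub": "gateway-1"}},
}

TRUSTED_ACTORS = {"agent-7"}  # hypothetical allow-list kept by the resource server


def actor_chain(claims):
    """Return actor identifiers, current actor first, from nested `act` claims."""
    chain, node = [], claims.get("act")
    while isinstance(node, dict):
        if not isinstance(node.get("sub"), str):
            raise ValueError("act claim without a sub")
        chain.append(node["sub"])
        node = node.get("act")
    return chain


def authorize(claims, action, needed_scope):
    """Decide a (possibly delegated) request and return its audit record."""
    chain = actor_chain(claims)
    scopes = set(claims.get("scope", "").split())
    # RFC 8693: only top-level claims and the current actor drive access
    # control; prior actors are informational, so they are logged, not checked.
    if chain and chain[0] not in TRUSTED_ACTORS:
        decision, reason = "deny", "current actor not recognized"
    elif needed_scope not in scopes:
        decision, reason = "deny", "scope not granted"
    else:
        decision, reason = "allow", "within granted scope"
    return {"subject": claims.get("sub"), "actor": chain[0] if chain else None,
            "prior_actors": chain[1:], "action": action,
            "decision": decision, "reason": reason}


if __name__ == "__main__":
    print(json.dumps(authorize(SAMPLE_CLAIMS, "add_to_cart", "cart:write"), indent=2))
```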

