You've watched an agent demo that made you lean forward. An agent navigates a website, finds the right product, fills in shipping details, checks out. Or it discovers three other agents via A2A, delegates subtasks, assembles a report. The tools work. The capability is real. And something in you knows this isn't going to production next quarter.
That instinct has a structural explanation, and it's worth naming.
Two kinds of infrastructure
Capability surfaces are expanding fast. MCP gives agents a standard way to discover and invoke tools. A2A lets agents find and coordinate with other agents. Browser automation frameworks like Playwright have spent years making web interaction programmatically reliable. The set of things an agent can reach grows every month.
Consequence surfaces are the infrastructure that accounts for what happens after an agent acts. Authorization chains that prove the agent was allowed to do what it did. Audit records durable enough for a dispute six months later. Verification that the final state matches what was intended. Evidence of who approved what, when, and with what scope.
The demo-to-deployment gap lives in the distance between these two surfaces. Capability surfaces are protocol problems. Consequence surfaces are institutional problems. They develop on very different timescales.
Where the gap becomes concrete
Payment flows make this visible because chargebacks generate structured complaints demanding structured records. Visa's agent-enabled payment flow wraps every transaction in consequence infrastructure: spending limits, approval steps, merchant restrictions, fraud monitoring, and dispute-handling mechanisms. Every one of those exists because someone, someday, will need to reconstruct what happened and determine whether it should have. Payments matured consequence infrastructure early because disputes forced the issue.
The capability side tells a different story. MCP's authorization specification is optional. A May 2026 measurement study of nearly 8,000 live remote MCP servers found roughly 41% exposed tools with no authentication at all. Among the OAuth-enabled servers the researchers tested, every single one had at least one flaw. The protocol can carry authorization. In practice, it mostly doesn't yet.
Regulated industries already have names for these requirements. Audit trails, authority checks, automatic event logging, verified completion states. Agent infrastructure will need to meet equivalent demands across a much broader set of domains, and the vocabulary for doing so is still being written.
A more useful question
Most agent evaluations center on capability: what can this agent do? That will always produce an impressive answer.
The question worth sitting with longer: what can the surrounding system account for? Can it prove authorization? Reconstruct the decision sequence? Produce evidence for a dispute? Verify the final state independently?
The distance between those two answers is where demos stall on their way to deployment.
-
Payments as forcing function: AP reported in June 2026 that Visa embedded its payment network inside ChatGPT with spending limits, approval steps, merchant restrictions, and fraud monitoring — the clearest public example of consequence-surface infrastructure being built alongside capability.
-
Agent behavioral fingerprinting: A May 2026 preprint introducing FP-Agent found that browser fingerprints alone couldn't distinguish agents from humans, but behavioral signals like typing and scrolling patterns could separate agents from humans and from each other — raising hard questions about recognition and delegation on the live web.
-
MCP authorization in practice: The MCP authorization spec requires audience-bound tokens and resource indicators to prevent confused-deputy attacks, but a separate March 2026 preprint found most MCP servers rely on persistent authorization states and fail to enforce authentication at the per-tool level.
-
Scaled agent adoption remains narrow: McKinsey's November 2025 State of AI survey reports that while 62% of respondents are experimenting with AI agents, only 23% report scaling an agentic system, and no individual business function has more than 10% reporting scaled use.

