Anyone can physically sign a document. You pick up a pen, you move your hand, ink appears. The motion is trivial. What makes a signature consequential is everything the motion doesn't contain: the authority to bind, the scope of what's being bound, the organizational recognition that this person, in this role, at this moment, could commit resources on behalf of others. The pen doesn't know any of that. The pen just writes.
The agent ecosystem is building very sophisticated pens.
Standardized verbs have converged fast. MCP gives agents tools/call. A2A defines task states: submitted, working, completed. Browser automation frameworks have spent years refining what it means for an element to be "actionable." Benchmarks measure whether an agent successfully finished a workflow. Call, click, discover, retrieve, complete. The verbs are getting reliable.
And reliable verbs feel like progress, because they are. When a tool call works every time, when a task reaches "completed" without error, when a benchmark shows 95% success, the natural conclusion is that the hard problems are behind you. The action happened. The workflow finished. What else is there?
Everything that makes the action legible to the organization it happened inside. When an agent calls a tool, nothing in the call schema says under whose mandate. A task that reaches "completed" carries no record of who can contest the outcome. A browser action that succeeds says nothing about whether the entity driving the browser had approval to commit what it just committed. The verbs record that something was done. They are silent on whether the doing constitutes an act anyone is prepared to stand behind.
Mandate, delegation scope, approval record, dispute linkage, remedy path. These are the nouns, and they're missing. They're the concepts that make an action recognizable as an organizational act, and they're absent from the infrastructure. Without them, you have execution without an accountability surface.
People are working on pieces of this. A couple of early IETF drafts attempt delegation-provenance and intent tokens. OpenTelemetry records agent IDs and operation types. Authorization standards carry richer structured data than they used to. But no shared organizational object yet lets one system's completed act be legible to another system's dispute process. The nouns haven't hardened into something portable.
The gap hasn't produced its defining incident yet. No public post-mortem where an agent completed a workflow correctly and the outcome was later challenged in a way that exposed the missing authority evidence. Dispute infrastructure still routes contested transactions through existing categories. The moment where someone asks "who authorized this?" and discovers the system recorded every click, every API call, every state transition, everything except the answer to that question, hasn't clearly arrived in the open record. But the architecture of that absence is already in place.
Verbs scale faster than nouns because verbs are engineering problems and nouns are institutional ones. Calling a function is a matter of interface compatibility. Knowing whether that call constituted an authorized act, within a defined scope, subject to specific contestability rules, requires organizational ontology that no single protocol owns.
The ecosystem is getting very good at doing things. What any of it means to the organizations where those things land remains, so far, unspecified.
- Identical logs, different authority: A June 2026 preprint argues that standard audit logs can be structurally identical under incompatible delegation assignments, meaning more observability alone won't close the noun gap.
- Task completion isn't safe handling: An AI Safety Institute evaluation found that agents achieving correct task completion often simultaneously mishandled data through unnecessary access or inappropriate disclosure, separating the "did it work" verb from the "was it acceptable" noun.
- Benchmarks approaching final-state evidence: Tau-bench introduced pass^k to measure agent reliability across multiple trials, and its experiments showed state-of-the-art agents succeeding on less than 50% of tasks with retail pass^8 below 25%.
- 40% of MCP servers wide open: A May 2026 measurement study of 7,973 live remote MCP servers found that 40.55% exposed tools without any authentication, a concrete instance of verbs deployed before the nouns of identity and authorization arrive.

