When Agents Run Everything, What Software Still Matters?

@ugocatry
INGLÉShace 1 mes · 03 jun 2026
191K
21
1
3
23

TL;DR

This article explores the shift from human-driven SaaS to agentic software, identifying three defensive moats—trust, workflow authority, and liability—that separate future winners from commodity wrappers.

SaaS is taking two hits at once, and the market is pricing the wrong one. The loud one, coding agents that rebuild software in a weekend, is real but survivable. The hit that matters is quieter, and it decides who still gets paid.

Software itself is changing from something a person drives to something an agent runs: instead of a user clicking through a deterministic tool, an agent acts inside it, approving the refund, filing the claim, moving the money. A deterministic product gives the same answer every time; a probabilistic one can get it wrong. Once your agentic software acts on its own, what customers pay for narrows down to trust: the right to act inside their systems, and your willingness to pay when the action is wrong. A coding agent can copy the surface of that, but it cannot stand behind it.

We ran the 200 largest public software companies through that test: when your software’s own decision is wrong, do you pay for it in cash? Two do. When a TurboTax calculation error triggers an IRS penalty, Intuit pays the penalty and interest, uncapped, for the life of the return, because fifty years of filings told it exactly how often its math is wrong. ADP makes the same move inside payroll, covering the penalties traceable to its own filing errors. Neither set out to do it; decades of loss data backed them into one of the most defensible positions in software. Cyber vendors like CrowdStrike and SentinelOne look similar but aren’t: their capped warranties pay when the product fails to stop an outside attacker, not when the software’s own decision is wrong. That distinction is the whole point, and the next cohort of AI-native apps will go after it deliberately.

The Wrapper Anxiety, Reframed

Calling a product a "GPT wrapper" is how you say "OpenAI will ship this on a slow Tuesday" without hurting anyone's feelings. But "wrapper" describes a symptom, not the underlying problem. Almost everything will wrap a model, whether it's a closed Frontier model, an open-source one, or your own. The question is whether anything defensible sits beneath the wrapper once the model itself is a commodity. That forces a simple split in this new AI era between three things: intelligence, context, and agency.

Of the three, intelligence is the one that keeps getting cheaper. The raw ability to generate plausible text, code, and plans keeps improving and spreading. It shows up everywhere by default: productivity suites, IDEs, browsers, support tools. If a product’s core value is “we can produce a smart answer,” that product won’t hold its price for long.

Context is where the difficulty actually lives. It means operational reality more than abstract “knowledge.” It is system state, policies, permissions, the entities and history a workflow actually runs on. The messy truth spread across half a dozen systems that don’t fully agree with each other. The risk is rarely that the agent can’t generate code. The real risk is that it generates plausible changes that violate unstated business rules and system contracts. Demos feel magical and production rollouts stall for the same reason: in the demo, context is hand-fed; in production, it’s missing, inconsistent, or locked behind permissions no one can assume.

Agency stays locked down the longest. The moment you move from “suggest” to “do,” the conversation stops being about capability and starts being about trust. Now the questions are about permissions and accountability: who is allowed to write back and under what policy, whether there is an audit trail, what the system does at an edge case, and who gets paged when it breaks.

Strip the wrapper label down and the question underneath is who gets to act inside the customer’s systems.

The New Baseline: Universal Agent

Today, the baseline for “AI software” is no longer a chatbot UI. It’s a capable agent wired into the rest of the stack. It is connected to the underlying systems, fenced in by guardrails, and aimed at a real task. That baseline can already do a lot and, in many workflows, enough to make a standalone app feel redundant.

The catch is where that baseline stops. If a general-purpose agent can handle 70–80% of the job, the remaining 20% is where the business actually lives. And that 20% has little to do with prompt craft or orchestration tricks. It covers everything that makes software safe to trust once it’s allowed to act: governance, exception handling, and reliability under real conditions. You can’t fully spec it up front, and customers punish you for getting it wrong.

The market is already sorting on that 20%, and you can see the line it draws. The software repricing hardest is the software that only ever sold the 80%, the smart output a general-purpose agent now generates by default. The software holding up sells the 20% an agent has to call through to do anything at all: the runtime that governs it and the consumption surface it bills on. Analytical and creative SaaS is down because customers can rebuild the output. Infrastructure and cybersecurity stay flat to up because every new agent in the wild means more endpoints they police and more calls they meter. Systems of record sit in between. They own the workflow logic that the 20% runs on, but only if they expose it on agent-native terms. Any quarterly tape shows the category-level winners and losers. The harder question is which moats survive the transition, and we count three.

The Three Gating Moats in Agentic Software

In a multi-model world, where you switch LLMs with one click, the model itself is rarely the moat. The moat is the right to operate in production without breaking things.

Once you accept the universal-agent baseline, we think defensibility resolves into three gating moats, and we think they’re sequential. Gate One is largely settled: the security and compliance table stakes that every serious vendor has already passed or is about to. Gate Two is where enterprise budgets and switching costs concentrate today. Gate Three is where we think the most interesting opportunities are forming, and where almost nobody is yet. Each gate is necessary but not sufficient: passing Gate One gets you into the building, but it won’t keep you there. If you’re building or investing and want the practical version, each gate below ends in a field test, a question you can ask about a specific company. But the gates have to come first.

Gate 1. The Enterprise Airlock (Trusted Execution Habitat)

Enterprises don’t “deploy agents.” They approve regulated environments. Ask anyone who watched OpenClaw go viral what happens when they don’t.

The first moat is owning the execution habitat where an agent is allowed to run. That means least-privilege permissions and an audit trail, plus the deterministic fallbacks that catch the agent when it goes off-script. These are the controls a risk committee actually signs against. This is what turns pilots into production. Without it, you stay stuck in demos and experiments.

What you’re selling is a permissioned runtime that makes automation safe enough for a risk committee to sign off, not raw intelligence.

Don’t confuse the airlock with the harness. “The harness is everything” is trendy right now: your real edge is your internal orchestration, how you chain agents, route tasks, and manage model outputs. The harness is real engineering with measurable performance consequences. But it is not a moat. Every serious team converges on the same design, and convergent engineering is infrastructure. Watch the direction of travel: as models get better, the harness needs more glue code to keep up while the moat itself gets simpler. The airlock governs whether you’re allowed inside the customer’s systems at all. The harness only governs how you run once you’re already there. That is useful work, but it happens behind the gate rather than at it.

Here is the question to ask of any specific company: if a lab shipped something tomorrow that competed with you head-on, would the customer still need you? If yes, you’ve cleared what a risk committee actually signs off on (permissioning, audit, the controlled environment the agent runs inside) and the lab that shipped the feature hasn’t or won’t bother to. The engineering hour spent learning one customer’s escalation paths is worth less to a lab than capability that generalizes across every customer. If the answer is no, you’re a feature sitting on someone else’s system, and features get bundled.

Gate 2. Workflow Authority (Write-Back + Exception Handling)

The second moat is being in the execution path of a real workflow, with governed write-back, where the agent actually updates the customer’s systems of record rather than only reading from them, and strong handling of edge cases. You don’t just recommend. You write to fields and trigger actions, you route cases, and then you reconcile the conflicts and work the long tail of exceptions when the happy path breaks.

This is where budgets land when companies move from “assist” to “do.” The switching cost is operational dependence: deep integrations, replaced processes, and exception playbooks the business now runs on. Permissions, data mappings, business rules, sources of truth that conflict with each other: this is the execution reality that the phrase “tool-calling” quietly skips over.

Gate Two is where the addressable market multiplies several times over, and the reason is a budget shift most pricing conversations miss. Every company has a tool budget (software licenses) and a work budget (the people or firms that do the job). For most enterprise functions, the work budget is 3–6 times larger. A product that only assists the worker competes for the tool budget — a seat license, maybe some consumption fees. A product with real workflow authority competes for the work budget, which is the fully loaded cost of the task it replaces. In healthcare revenue cycle, that is the difference between selling a coding copilot to the billing team and processing the claims directly: the customer stops buying a tool for the worker and starts buying the worker’s output. The line item shifts from software budget to services budget.

For Gate Two the test is different: how many steps does the work take, and how forgiving is the failure mode? A chatbot answering FAQs is one step against one tool with a soft failure. A CX agent resolving a billing dispute pulls the account history, checks it against the refund policy, issues the credit, updates the case, and escalates when the amount runs past its authority. That is dozens of steps across many systems, and every one of them hits the customer’s ledger. Both look like “an agent doing work.” Only one takes a focused team years to engineer, and only that one is safe from a horizontal lab platform.

Gate 3. Engineered Determinism (Bounded Failure as a Product)

The third moat is the ability to take a probabilistic system and bound its failure distribution tightly enough to sell against the outcome. Insurance, warranties, accuracy guarantees, SLAs, and outcome pricing are how the capability shows up commercially. The moat itself is the engineering and operational discipline that makes any of them survivable.

The architecture is visible enough now to describe. Pure agents reasoning from scratch on every call don’t survive the cost or the error rate; rigid workflows break the moment reality gets messy. The Gate Three architecture sits between them. A workflow supplies repeatability and keeps costs and audits under control. The agent absorbs the variability and recovers when the happy path breaks, while a human stays in the loop wherever a judgment call carries real accountability. Underneath, a feedback loop in production turns every escalation and exception into a signal that tightens the system. Over time the workflow stops being a script and becomes the customer’s operating memory, encoded in your product. That loop is what the labs cannot reach structurally: they don’t sit inside any one customer’s production long enough to learn why a risk was declined.

Once the capability exists, the guarantees and the pricing follow. The cleanest outside proof so far is ElevenLabs: its voice-agent actions are insurable under an AIUC-1 certification, earned by running more than 5,000 adversarial simulations against the system. That is the empirical risk profiling that builds the loss tables Gate Three runs on, attested by a third party rather than by the company itself. But the certificate isn’t the moat, and the bar is already spreading to competitors. The loop underneath is what holds up over time; the certificate is just the visible marker of it.

Pricing shows the same thing from the inside. What a company is willing to charge against tells you what it believes it can control. No one prices against an outcome they can’t. Sierra is the fullest example we know of a company engineering for Gate Three from day one, pricing against the outcome by default and bending its failure curve down quarter over quarter. Sierra can underwrite that pricing because it has measured its own failure distribution on production traffic and reserved against it.

The objection from outcome-pricing skeptics is that anyone can write an outcome contract. True, but anyone who does without Sierra’s loop won’t survive the long-tail cases where token spend blows past the payout. What differentiates a survivor is the production exposure that lets you price the contract correctly, plus the architecture that keeps your error rate inside the price.

The frequency of failure matters far less than its shape. A probabilistic system fails in correlated ways a human workforce doesn’t: one bad change hits thousands of cases before anyone catches it. That fat tail is what makes naive outcome pricing uninsurable. Surviving it takes a narrowing error rate plus controls that cap the blast radius of any single failure: staged rollouts, changes you can reverse, and a circuit breaker that trips when behavior goes anomalous. Done right, one bad change never becomes a portfolio loss. Pricing the average case is easy; what defends the moat is pricing the tail and living through it.

What makes Gate Three interesting as a defensible moat and investment thesis is that the capability can now be diagnosed before the guarantee exists. You don’t have to wait for a warranty to identify a Gate Three company. You can read it off the architecture: whether there is a real production loop with exceptions feeding back into it as training signal, whether the failure distribution is actually narrowing over time, and whether the customer pays against a line item the CFO would defend in a budget review. All of that is observable from the outside. The bear case here isn’t that Gate Three is wrong. It’s that Gate Three is early. Suppose engineered determinism arrives late: reliability plateaus, enterprises stay unwilling to let software act unsupervised on decisions that carry real cost, and few guarantees get written for another five years. Then Gate Two holds every dollar of return for the rest of the decade, and a fund overweight on Gate Three has paid up front for an option that expires before it pays.

Gate Three has its own field test, like the gates before it: is the ROI measurable, attributable to you, and tied to a line item the CFO can defend? A productivity copilot promises “30% faster,” a number nobody reconciles at quarter-end, and a claim a cheaper tool can match next week. A claims agent priced per clean claim, a CX agent priced per resolved ticket, a contract agent priced per executed NDA: those land on a line the CFO already tracks, with the vendor on the hook for the number. A lab will match your output the week it ships, but it won’t stand behind your customer’s number in cash. Absorbing that liability is the one move it has the least incentive to make, and the reason a cleared Gate Three can’t be bundled away.

Who Is Actually at Gate Three?

We ran the top 200 publicly traded software companies through it with Claude Code. If Gate Three is the most durable moat in the agentic era, how many incumbents actually have it? The vast majority, 142 companies worth over $4 trillion in market cap, hold real workflow authority but stop short of standing behind the outcome; call that Gate Two. Another 11 are mostly orchestration that gets weaker as models improve: scaffolding risk. And 43 have cleared the security and compliance bar (Gate One) but show no real workflow authority yet. Only two stand behind their own software’s decisions with cash, Intuit and ADP, and they got there through decades of industry-specific loss data, not engineered determinism. A wider set of cyber vendors writes capped warranties too, but those pay for failing to stop an outside attacker, not for a verdict the software itself reached. The gate exists, but the two that cleared it stumbled in rather than setting out to build it.

The two share one move. Intuit reserves against the IRS penalties it pays when a TurboTax calculation is wrong, sized to an error rate fifty years of returns let it measure to the dollar. ADP does the same inside payroll. The IRS still holds the employer ultimately liable, so what ADP backstops is its own mistake, not your tax obligation. Both price a failure distribution they read off their own data, on the decision their software actually makes, and give the guarantee away as a confidence signal rather than selling it as a policy. The cyber vendors invert all three: CrowdStrike, SentinelOne, and others sell a capped, conditional, often surcharged policy that pays when the product fails to stop an attacker. It is a real warranty, but on an intrusion, not on a decision the software reached on the customer’s behalf.

Two is a small number, but we are not surprised by it. A moat like this can only be confirmed once a decade of loss data and a paid-out warranty exist, so by the time it is obvious it is also old. What is new is that you can now read the pattern early, in a failure rate that keeps tightening, a feedback loop that turns exceptions into training data, and a price set only against a measured outcome, well before any guarantee makes it official.

The opportunity is to engineer on purpose what the incumbents stumbled into. The next cohort builds bounded failure in from day one, compressing into a few years what took the incumbents thirty. They won’t come from the incumbents’ domains, where decades of loss data give an advantage no startup can replicate — they’ll come from two openings outside them, where no incumbent has loss data because there was nothing to have it on.

The first is workflows that had no pre-agent analog at all, things like agent-to-agent negotiation, autonomous procurement, and algorithmic contract generation. The categories didn’t exist before agents created them, so the actuarial clock starts at zero for everyone.

The second is abandoned work: tasks no one ever staffed because they were never economical. An enterprise negotiates hard with its top 20 suppliers and ignores the long tail, where contract leakage runs 2–5% of procurement spend with no one minding the gap. An agent that captures it walks into a space with no incumbent and no existing budget line to displace, so the wedge is found money. These are Gate Two companies from day one, but they skip the hardest part of enterprise sales: displacing an entrenched vendor. They create the workflow and the budget simultaneously, and on that blank page the startup’s structural agility matters more.

The Crossing: Margins, Headless, and Who Survives

The real moats compound the longer they operate. A product that's already passed through the airlock (Gate One) and is executing within the workflow (Gate Two) becomes the default for every adjacent use case, because enterprises standardize on what’s already trusted and approved rather than re-clearing a new vendor. Embedded in day-to-day execution, the product accumulates operating feedback (overrides, exception handling, downstream outcomes) that improves reliability and lowers rework over time. This isn’t a generic “data moat.” It’s the kind of advantage you only earn by sitting in the line of fire.

These moats build fastest at Gates One and Two today. Gate Three, if it materializes, would create the most durable lock-in of all, because absorbing liability is the one thing a general-purpose agent platform has the least incentive to do.

But none of that helps if you run out of cash before it kicks in, and the economics of the transition put that cash at risk. Agents don’t occupy seats the way employees do. When one agent replaces the work of ten people, the seat model stops making sense, and the industry reprices toward consumption and outcome economics, with margins closer to 35–50% than the 75–85% that built SaaS valuations. In Gate Three, pricing proved the moat existed. In the transition, that same pricing is the hazard you have to cross to reach it. The same outcome pricing that signals a Gate Three moat is, in aggregate, a margin reset the whole sector has to survive.

Gate One companies face the deepest valleys: platform bundling destroys differentiation and pricing power at once, and they reprice downward from SaaS margins into a market that treats them as infrastructure. Gate Two and Three companies cross in the opposite direction, because switching costs and native outcome pricing give them room to reprice, so they enter at service-economy margins and improve toward software economics as automation scales. Which side of Gate Two you sit on largely decides whether the transition is a threat to survive or an opening to exploit.

Survival turns on architecture more than on which category a company sits in. The public tape shows it. Infrastructure and security names hold up (Datadog, Cloudflare, CrowdStrike, Palo Alto), while analytical and creative names trade down ~50% year-to-date (Atlassian, Figma, GitLab). The survivors already sell consumption and already run headless, meaning their product is driven through APIs by other software rather than by a human logging into a screen. Every new agent in the wild sends them more endpoints, telemetry, and API calls. The crossing every Gate Two incumbent has to make is the same: expose the system so agents can drive it directly, make the UI optional, and reprice from seats to API calls and agent actions.

Going headless without governance is the trap, because a bare data store invites whichever agent vendor bundles a free version of you. The position that lasts pairs data gravity with the things only the workflow owner can offer: an audit trail of intent and outcome, a governance layer that decides what each agent may read or write, and permissioning built for thousands of non-human actors at once. That is Gate Two reborn for the agent era, and it is why Datadog and CrowdStrike hold up. Incumbents reach it from the legacy-SaaS side by going headless; startups reach it from the agentic side by building the system of action the workflow runs through. Both land in the same place: write-back into a system of record they own, governance they own, consumption economics underneath. That convergence is why the kill zone is narrower than the SaaSpocalypse panic suggests, and most software with real workflow authority can cross. What carries it across is cash: switching cost and pricing power to fund the crossing, and an architecture that charges as infrastructure once across.

What This Means for Founders and Investors

If you’re building an AI application, the strategic question is no longer “how good is the output?” It’s: what part of the workflow will customers trust you to own, and what happens when an agent platform tries to absorb everything else? The three field tests above answer it: the airlock you cleared (Gate One), the workflow depth a lab can’t replicate without sitting inside it for years (Gate Two), and the booked line item the customer won’t re-defend to swap you out (Gate Three). And running underneath all three, the one test that decides whether any gate compounds: repeatable deployment. If every customer is a bespoke integration project, you aren’t building a moat at all. You’re running a services business that happens to ship software, and no gate you clear will compound until that changes.

But clearing the tests is not the same as surviving the crossing. The margin reset is the part founders underprice: when seats give way to consumption and outcome pricing, gross margins compress toward 35–50% before workflow depth earns them back. The valley is real, and workflow depth does not help if you run out of cash inside it. The way across is to fund the crossing from Gate Two cash, the switching costs and write-back authority that already command a work-budget line item, rather than from the promise of a Gate Three guarantee you have not earned yet. Gate Three is an option you accrue by sitting in production, not something you can raise a round to start with. Founders who invert that order, pricing against outcomes before their failure distribution can survive the long tail, burn the runway that was supposed to carry them to the moat.

For investors underwriting against the same framework, the diligence question runs the other way. Most VCs still talk about data moats or network effects. In the agent era, we think the question that matters is how far up the liability stack an AI app is willing to climb. We start by asking what the company owns beyond the universal-agent baseline, and we look for evidence at each gate rather than claims: reusable governance artifacts, write-back measured in systems-of-record outcomes rather than “assistant engagement,” and the production exposure that lets a company survive an outcome promise. And running through all three, repeatable deployment, because if every customer is a bespoke integration project, the product isn’t building a moat regardless of which gates it has cleared.

Whether an AI application lasts or disappears into the platform comes down to three things: who owns the context, who is trusted to act on it, and who is on the hook when the action goes wrong. Interface-first software that does none of these gets bundled into whatever platform comes along. The software customers trust to act is the software that stays.

Guardar con un clic

Lee artículos virales en profundidad con IA en YouMind

Guarda la fuente, haz preguntas concretas, resume el argumento y convierte un artículo viral en notas reutilizables en un único espacio de trabajo con IA.

Explora YouMind
Para creadores

Convierte tu Markdown en un artículo de 𝕏 impecable

Cuando publicas tus propios textos largos, dar formato en 𝕏 a imágenes, tablas y bloques de código es un fastidio. YouMind convierte un borrador completo en Markdown en un artículo de 𝕏 impecable y listo para publicar.

Prueba Markdown a 𝕏

Más patrones por descifrar

Artículos virales recientes

Explorar más artículos virales