Article

Feb 18, 2026

AI agents are moving from pilots to infrastructure

AI agents are moving from pilots to infrastructure

AI agents are moving from pilots to infrastructure

For two years, AI stayed close to the human and away from core systems. That buffer is shrinking. As agents begin to execute tasks across applications, governance, permissions, and control become foundational, not optional.

For two years, AI stayed close to the human and away from core systems. That buffer is shrinking. As agents begin to execute tasks across applications, governance, permissions, and control become foundational, not optional.

AI agents are moving from pilots to infrastructure

For most organisations, the last two years of AI adoption were surprisingly forgiving, because the work stayed close to the human and far away from the systems that actually run the business. You could test a chatbot, improve drafting workflows, or run small internal experiments without immediately confronting governance, accountability, and operational risk.

Early 2026 feels like the point where that comfort zone starts to shrink, not because models suddenly became dramatically smarter, but because more products are now designed to do something structurally different from chat: take steps, connect to tools, and move work forward across files, inboxes, and applications.

OpenAI’s Frontier is a clean signal of this shift. It is positioned as a service for enterprises to build and manage AI agents that can complete tasks, and as a platform to build, deploy, and manage agents with shared context and permissions and boundaries. Coverage consistently frames it as an end to end platform for enterprise agent deployment, explicitly designed around controlled access to external data and applications rather than isolated chat outputs.

On the desktop side, Anthropic’s Cowork pushes the same idea into everyday work. It is described as “Claude Code for the rest of your work,” emphasizing file access, multi step tasks, plugins, and connectors, which is agent behaviour that lives directly in a user’s environment rather than inside a sealed chat window. Reporting highlights how Cowork reads local files, executes multi step tasks, and interacts with external services through extensions.

Once you see the pattern clearly, the relevant question changes from “where could we use AI?” to something more structural:

“What happens when AI is allowed to do work on our behalf inside systems that were never designed for autonomy?”

What changes when an agent shows up

In a pilot, a human stays in the loop by default. Even when the output is imperfect, the blast radius is often small, because the result is usually confined to a document, a message, or a contained workflow that someone can sanity check before anything irreversible happens.

With agents, usefulness becomes tightly coupled to access, and access is rarely neutral.

If an agent can read from and write into operational systems, then identity, permissions, logging, monitoring, and escalation paths stop being “security considerations” and become the actual constraints that determine whether an agent can be used safely. The difference between a helpful agent and a risky one is often not model quality, but whether the surrounding environment makes it easy to contain mistakes, reconstruct what happened, and intervene quickly.

This is also where prompt injection stops being theoretical and becomes an operational risk category. A concrete example emerged this month in reporting on Claude Desktop Extensions, where a zero click remote code execution scenario demonstrated how malicious instructions embedded in something as ordinary as a Google Calendar event description could be executed once the agent was asked to act on that data. The core issue was not model intelligence. It was privilege combined with untrusted input.

Multiple analyses framed the risk in similar terms: when a system consumes untrusted content while being able to execute privileged actions, you have created a new attack surface, even if the underlying model is well intentioned.

That incident matters less as a vendor specific story and more as a preview of the agent era. The risk is environmental. Any agent that consumes untrusted input while holding meaningful permissions will require guardrails designed like production controls, not product guidance.

Why this feels harder to ignore in 2026

Part of what makes 2026 feel like a turning point is the pace at which agent tooling is becoming easier to try and easier to connect to everyday tools. Capability spreads faster than operational discipline, especially in organisations where the application landscape is already fragmented and governance exists more as documentation than as daily practice.

The recent OpenClaw wave illustrates this dynamic well.

First, it showed how quickly ecosystems form once “skills” or agent extensions are easy to publish and reuse. Within a short period, personal agents connected to messaging platforms and productivity tools gained traction, highlighting how fast agent capabilities can spread across environments.

Second, it made the supply chain aspect of agent adoption tangible. Security audits of agent skill ecosystems identified malicious skills and serious vulnerabilities, including prompt injection patterns and credential harvesting techniques. Additional analysis highlighted how embedded prompts in documents or metadata could steer agents toward unintended actions.

The ecosystem response also signaled maturation. Automated scanning, marketplace warnings, and tighter controls began to appear. Control followed growth.

When tools become this accessible, the predictable failure mode is not “the pilot did not work,” but rather:

“The pilot worked, momentum built, and scaling began before the foundations were ready.”

The maturity trap we keep seeing

Many organisations still approach AI the way they approached earlier waves of tooling, namely bottom up, use case first, governance later. It is understandable because it produces quick wins and internal energy.

The problem is that the logic of a contained pilot does not transfer cleanly to a world of agents. As soon as agents touch multiple systems, postponed questions return with urgency, and rarely return in a convenient order.

This is exactly why so many initiatives stall not because the technology fails, but because governance, accountability, and risk management were never designed to hold up once AI becomes operational.

Frontier’s positioning is telling here. Emphasis on permissions, boundaries, enterprise deployment, and management controls is not accidental. That is what you build when customers are no longer asking for demos. They are asking for control.

What agent ready looks like in practice

Readiness is not measured by how quickly you can deploy an agent. It is measured by how confidently you can answer the unglamorous questions before you scale autonomy, because those answers determine whether autonomy compounds value or compounds complexity.


  • Where does sensitive data live, and how does it flow between systems and teams?

  • How does identity and access control work across tools, not only inside individual platforms?

  • Is logging and monitoring strong enough to reconstruct what happened when something goes wrong, and does someone actually have the mandate to act on what the data reveals?

  • Does your application landscape support clean integration, or is it held together by workarounds that were acceptable in a human led world but become brittle once software starts acting with initiative?


In regulated and high trust environments such as law, healthcare, and finance, these questions become visible earlier, because auditability, traceability, and operational accountability are not nice to have. They are part of the operating model.

A steadier way to move from curiosity to capability

If you are evaluating agents right now, you do not need to choose between moving fast and moving safely. But you do need a sequence of work that holds up over time.

A practical pattern is:


  1. Baseline assessment of your current application landscape and maturity constraints, including data flows, identity and access management, logging, and integration realities.

  2. Identify where agents can create meaningful value now under your existing controls.

  3. Identify foundational work required before autonomy expands, such as least privilege models, audit trails, monitoring, and containment.

  4. Avoid scaling in areas where autonomy would introduce risk that is disproportionate to the upside, not because you are conservative, but because you are designing for durability.


If you are already running pilots and want to understand what it would take to scale securely, start with that baseline assessment and an AI readiness review focused on the systems you have, the controls you rely on, and the operational realities you need to protect, so that you can move forward with confidence rather than momentum alone.

AI agents are moving from pilots to infrastructure

For most organisations, the last two years of AI adoption were surprisingly forgiving, because the work stayed close to the human and far away from the systems that actually run the business. You could test a chatbot, improve drafting workflows, or run small internal experiments without immediately confronting governance, accountability, and operational risk.

Early 2026 feels like the point where that comfort zone starts to shrink, not because models suddenly became dramatically smarter, but because more products are now designed to do something structurally different from chat: take steps, connect to tools, and move work forward across files, inboxes, and applications.

OpenAI’s Frontier is a clean signal of this shift. It is positioned as a service for enterprises to build and manage AI agents that can complete tasks, and as a platform to build, deploy, and manage agents with shared context and permissions and boundaries. Coverage consistently frames it as an end to end platform for enterprise agent deployment, explicitly designed around controlled access to external data and applications rather than isolated chat outputs.

On the desktop side, Anthropic’s Cowork pushes the same idea into everyday work. It is described as “Claude Code for the rest of your work,” emphasizing file access, multi step tasks, plugins, and connectors, which is agent behaviour that lives directly in a user’s environment rather than inside a sealed chat window. Reporting highlights how Cowork reads local files, executes multi step tasks, and interacts with external services through extensions.

Once you see the pattern clearly, the relevant question changes from “where could we use AI?” to something more structural:

“What happens when AI is allowed to do work on our behalf inside systems that were never designed for autonomy?”

What changes when an agent shows up

In a pilot, a human stays in the loop by default. Even when the output is imperfect, the blast radius is often small, because the result is usually confined to a document, a message, or a contained workflow that someone can sanity check before anything irreversible happens.

With agents, usefulness becomes tightly coupled to access, and access is rarely neutral.

If an agent can read from and write into operational systems, then identity, permissions, logging, monitoring, and escalation paths stop being “security considerations” and become the actual constraints that determine whether an agent can be used safely. The difference between a helpful agent and a risky one is often not model quality, but whether the surrounding environment makes it easy to contain mistakes, reconstruct what happened, and intervene quickly.

This is also where prompt injection stops being theoretical and becomes an operational risk category. A concrete example emerged this month in reporting on Claude Desktop Extensions, where a zero click remote code execution scenario demonstrated how malicious instructions embedded in something as ordinary as a Google Calendar event description could be executed once the agent was asked to act on that data. The core issue was not model intelligence. It was privilege combined with untrusted input.

Multiple analyses framed the risk in similar terms: when a system consumes untrusted content while being able to execute privileged actions, you have created a new attack surface, even if the underlying model is well intentioned.

That incident matters less as a vendor specific story and more as a preview of the agent era. The risk is environmental. Any agent that consumes untrusted input while holding meaningful permissions will require guardrails designed like production controls, not product guidance.

Why this feels harder to ignore in 2026

Part of what makes 2026 feel like a turning point is the pace at which agent tooling is becoming easier to try and easier to connect to everyday tools. Capability spreads faster than operational discipline, especially in organisations where the application landscape is already fragmented and governance exists more as documentation than as daily practice.

The recent OpenClaw wave illustrates this dynamic well.

First, it showed how quickly ecosystems form once “skills” or agent extensions are easy to publish and reuse. Within a short period, personal agents connected to messaging platforms and productivity tools gained traction, highlighting how fast agent capabilities can spread across environments.

Second, it made the supply chain aspect of agent adoption tangible. Security audits of agent skill ecosystems identified malicious skills and serious vulnerabilities, including prompt injection patterns and credential harvesting techniques. Additional analysis highlighted how embedded prompts in documents or metadata could steer agents toward unintended actions.

The ecosystem response also signaled maturation. Automated scanning, marketplace warnings, and tighter controls began to appear. Control followed growth.

When tools become this accessible, the predictable failure mode is not “the pilot did not work,” but rather:

“The pilot worked, momentum built, and scaling began before the foundations were ready.”

The maturity trap we keep seeing

Many organisations still approach AI the way they approached earlier waves of tooling, namely bottom up, use case first, governance later. It is understandable because it produces quick wins and internal energy.

The problem is that the logic of a contained pilot does not transfer cleanly to a world of agents. As soon as agents touch multiple systems, postponed questions return with urgency, and rarely return in a convenient order.

This is exactly why so many initiatives stall not because the technology fails, but because governance, accountability, and risk management were never designed to hold up once AI becomes operational.

Frontier’s positioning is telling here. Emphasis on permissions, boundaries, enterprise deployment, and management controls is not accidental. That is what you build when customers are no longer asking for demos. They are asking for control.

What agent ready looks like in practice

Readiness is not measured by how quickly you can deploy an agent. It is measured by how confidently you can answer the unglamorous questions before you scale autonomy, because those answers determine whether autonomy compounds value or compounds complexity.


  • Where does sensitive data live, and how does it flow between systems and teams?

  • How does identity and access control work across tools, not only inside individual platforms?

  • Is logging and monitoring strong enough to reconstruct what happened when something goes wrong, and does someone actually have the mandate to act on what the data reveals?

  • Does your application landscape support clean integration, or is it held together by workarounds that were acceptable in a human led world but become brittle once software starts acting with initiative?


In regulated and high trust environments such as law, healthcare, and finance, these questions become visible earlier, because auditability, traceability, and operational accountability are not nice to have. They are part of the operating model.

A steadier way to move from curiosity to capability

If you are evaluating agents right now, you do not need to choose between moving fast and moving safely. But you do need a sequence of work that holds up over time.

A practical pattern is:


  1. Baseline assessment of your current application landscape and maturity constraints, including data flows, identity and access management, logging, and integration realities.

  2. Identify where agents can create meaningful value now under your existing controls.

  3. Identify foundational work required before autonomy expands, such as least privilege models, audit trails, monitoring, and containment.

  4. Avoid scaling in areas where autonomy would introduce risk that is disproportionate to the upside, not because you are conservative, but because you are designing for durability.


If you are already running pilots and want to understand what it would take to scale securely, start with that baseline assessment and an AI readiness review focused on the systems you have, the controls you rely on, and the operational realities you need to protect, so that you can move forward with confidence rather than momentum alone.

AI agents are moving from pilots to infrastructure

For most organisations, the last two years of AI adoption were surprisingly forgiving, because the work stayed close to the human and far away from the systems that actually run the business. You could test a chatbot, improve drafting workflows, or run small internal experiments without immediately confronting governance, accountability, and operational risk.

Early 2026 feels like the point where that comfort zone starts to shrink, not because models suddenly became dramatically smarter, but because more products are now designed to do something structurally different from chat: take steps, connect to tools, and move work forward across files, inboxes, and applications.

OpenAI’s Frontier is a clean signal of this shift. It is positioned as a service for enterprises to build and manage AI agents that can complete tasks, and as a platform to build, deploy, and manage agents with shared context and permissions and boundaries. Coverage consistently frames it as an end to end platform for enterprise agent deployment, explicitly designed around controlled access to external data and applications rather than isolated chat outputs.

On the desktop side, Anthropic’s Cowork pushes the same idea into everyday work. It is described as “Claude Code for the rest of your work,” emphasizing file access, multi step tasks, plugins, and connectors, which is agent behaviour that lives directly in a user’s environment rather than inside a sealed chat window. Reporting highlights how Cowork reads local files, executes multi step tasks, and interacts with external services through extensions.

Once you see the pattern clearly, the relevant question changes from “where could we use AI?” to something more structural:

“What happens when AI is allowed to do work on our behalf inside systems that were never designed for autonomy?”

What changes when an agent shows up

In a pilot, a human stays in the loop by default. Even when the output is imperfect, the blast radius is often small, because the result is usually confined to a document, a message, or a contained workflow that someone can sanity check before anything irreversible happens.

With agents, usefulness becomes tightly coupled to access, and access is rarely neutral.

If an agent can read from and write into operational systems, then identity, permissions, logging, monitoring, and escalation paths stop being “security considerations” and become the actual constraints that determine whether an agent can be used safely. The difference between a helpful agent and a risky one is often not model quality, but whether the surrounding environment makes it easy to contain mistakes, reconstruct what happened, and intervene quickly.

This is also where prompt injection stops being theoretical and becomes an operational risk category. A concrete example emerged this month in reporting on Claude Desktop Extensions, where a zero click remote code execution scenario demonstrated how malicious instructions embedded in something as ordinary as a Google Calendar event description could be executed once the agent was asked to act on that data. The core issue was not model intelligence. It was privilege combined with untrusted input.

Multiple analyses framed the risk in similar terms: when a system consumes untrusted content while being able to execute privileged actions, you have created a new attack surface, even if the underlying model is well intentioned.

That incident matters less as a vendor specific story and more as a preview of the agent era. The risk is environmental. Any agent that consumes untrusted input while holding meaningful permissions will require guardrails designed like production controls, not product guidance.

Why this feels harder to ignore in 2026

Part of what makes 2026 feel like a turning point is the pace at which agent tooling is becoming easier to try and easier to connect to everyday tools. Capability spreads faster than operational discipline, especially in organisations where the application landscape is already fragmented and governance exists more as documentation than as daily practice.

The recent OpenClaw wave illustrates this dynamic well.

First, it showed how quickly ecosystems form once “skills” or agent extensions are easy to publish and reuse. Within a short period, personal agents connected to messaging platforms and productivity tools gained traction, highlighting how fast agent capabilities can spread across environments.

Second, it made the supply chain aspect of agent adoption tangible. Security audits of agent skill ecosystems identified malicious skills and serious vulnerabilities, including prompt injection patterns and credential harvesting techniques. Additional analysis highlighted how embedded prompts in documents or metadata could steer agents toward unintended actions.

The ecosystem response also signaled maturation. Automated scanning, marketplace warnings, and tighter controls began to appear. Control followed growth.

When tools become this accessible, the predictable failure mode is not “the pilot did not work,” but rather:

“The pilot worked, momentum built, and scaling began before the foundations were ready.”

The maturity trap we keep seeing

Many organisations still approach AI the way they approached earlier waves of tooling, namely bottom up, use case first, governance later. It is understandable because it produces quick wins and internal energy.

The problem is that the logic of a contained pilot does not transfer cleanly to a world of agents. As soon as agents touch multiple systems, postponed questions return with urgency, and rarely return in a convenient order.

This is exactly why so many initiatives stall not because the technology fails, but because governance, accountability, and risk management were never designed to hold up once AI becomes operational.

Frontier’s positioning is telling here. Emphasis on permissions, boundaries, enterprise deployment, and management controls is not accidental. That is what you build when customers are no longer asking for demos. They are asking for control.

What agent ready looks like in practice

Readiness is not measured by how quickly you can deploy an agent. It is measured by how confidently you can answer the unglamorous questions before you scale autonomy, because those answers determine whether autonomy compounds value or compounds complexity.


  • Where does sensitive data live, and how does it flow between systems and teams?

  • How does identity and access control work across tools, not only inside individual platforms?

  • Is logging and monitoring strong enough to reconstruct what happened when something goes wrong, and does someone actually have the mandate to act on what the data reveals?

  • Does your application landscape support clean integration, or is it held together by workarounds that were acceptable in a human led world but become brittle once software starts acting with initiative?


In regulated and high trust environments such as law, healthcare, and finance, these questions become visible earlier, because auditability, traceability, and operational accountability are not nice to have. They are part of the operating model.

A steadier way to move from curiosity to capability

If you are evaluating agents right now, you do not need to choose between moving fast and moving safely. But you do need a sequence of work that holds up over time.

A practical pattern is:


  1. Baseline assessment of your current application landscape and maturity constraints, including data flows, identity and access management, logging, and integration realities.

  2. Identify where agents can create meaningful value now under your existing controls.

  3. Identify foundational work required before autonomy expands, such as least privilege models, audit trails, monitoring, and containment.

  4. Avoid scaling in areas where autonomy would introduce risk that is disproportionate to the upside, not because you are conservative, but because you are designing for durability.


If you are already running pilots and want to understand what it would take to scale securely, start with that baseline assessment and an AI readiness review focused on the systems you have, the controls you rely on, and the operational realities you need to protect, so that you can move forward with confidence rather than momentum alone.

Book a conversation

Book a conversation

Book a conversation