惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
The Hacker News
The Hacker News
AWS News Blog
AWS News Blog
Spread Privacy
Spread Privacy
T
Tenable Blog
C
CERT Recently Published Vulnerability Notes
Cisco Talos Blog
Cisco Talos Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Securelist
P
Privacy & Cybersecurity Law Blog
Know Your Adversary
Know Your Adversary
T
The Exploit Database - CXSecurity.com
Latest news
Latest news
D
Darknet – Hacking Tools, Hacker News & Cyber Security
I
Intezer
F
Fortinet All Blogs
Engineering at Meta
Engineering at Meta
Simon Willison's Weblog
Simon Willison's Weblog
The Register - Security
The Register - Security
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
L
Lohrmann on Cybersecurity
C
Cyber Attacks, Cyber Crime and Cyber Security
Microsoft Azure Blog
Microsoft Azure Blog
P
Proofpoint News Feed
H
Help Net Security
T
Threat Research - Cisco Blogs
D
DataBreaches.Net
S
Schneier on Security
Cyberwarzone
Cyberwarzone
Google DeepMind News
Google DeepMind News
P
Privacy International News Feed
S
Secure Thoughts
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recorded Future
Recorded Future
C
Cybersecurity and Infrastructure Security Agency CISA
MyScale Blog
MyScale Blog
M
MIT News - Artificial intelligence
Stack Overflow Blog
Stack Overflow Blog
IT之家
IT之家
人人都是产品经理
人人都是产品经理
NISL@THU
NISL@THU
博客园 - Franky
T
Tor Project blog
G
GRAHAM CLULEY
博客园 - 【当耐特】
Jina AI
Jina AI
Security Archives - TechRepublic
Security Archives - TechRepublic
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
A
About on SuperTechFans
Hacker News - Newest:
Hacker News - Newest: "LLM"

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
What is an AI Agent? (It’s not a workload)
Chris Hood · 2026-06-15 · via DEV Community

Ask ten technology leaders what an AI agent is, and you will get ten answers. Ask the same ten in six months, and the answers will have changed. The word has become the most contested term in the AI infrastructure conversation, and the lack of definitional clarity is compounding. Vendors sell against it. Standards bodies write specs around it. Boards approve budgets for it. Compliance teams write policies governing it. All of this is happening before the industry has settled on what the thing actually is.

The reason the question matters is that the definition is about to be baked into infrastructure that will run for a decade. The IETF is publishing drafts. The IAM industry is shipping products. The Kubernetes community is writing CRDs. Each of these encodes a definition. If the definitions are wrong, the systems built on top of them inherit the wrongness, and unwinding takes years.

There is a precise structural distinction that cuts through the noise. Workloads handle the known. Agents handle the unknown. The known set of tasks, fixed at deployment, executable by a process bounded in scope and time, is a workload. The unknown set of tasks, emerging at runtime, dynamically shaped by reasoning and negotiation, is the territory of an agent. Everything else in the definitional fight (the protocol primitives, the identity model, the governance envelope, the orchestration shape) follows from that single distinction.

This piece walks three lenses through that distinction. The past, where most things called agents are workloads in disguise. The present, where the real architecture for handling the unknown is starting to emerge. And the future, where the unknown expands, and the agent substrate must grow with it. The known/unknown line runs through all three.

Definition: An AI agent is a governed substrate with persistent identity, independent of any particular task, that compiles unknown work into structured task fabrics, orchestrates those fabrics across resources and counterparties, and executes them under continuous governance.

The past, and still today: macros wearing a costume

A macro is a workload. It executes a fixed sequence of steps, possibly with conditional branches, possibly with parameters. The task set is known when the macro is written. The execution is deterministic in the relevant sense: given the same input, the macro does the same thing. This is the textbook case of a workload, and the workload-identity primitives the industry has spent ten years refining (SVIDs, mTLS, deployment-bound credentials) handle it correctly.

A macro that gets called an “agent” is still a macro. Adding a model call in the middle of the sequence, sprinkling natural language descriptions across the steps, or putting a chat interface on the front changes the marketing but leaves the underlying artifact intact. The task set is still known at the time of deployment. The execution is still bounded by what the developer wrote. The branching is still hand-coded. Everything that made the artifact a workload before the agent label was applied remains true after.

This is what gets called agent washing, and it deserves to be named honestly. By my reading of the market, more than half (maybe 75%) of what is sold as an “AI agent” today is scripted automation with a model in the prompt loop. The seller has a strong incentive to use the agent label because it commands a premium. The buyer has little incentive to push back because they rarely see the implementation. The result is a product category that calls itself one thing while structurally being another.

A recent conversation with a leadership team at a major professional services firm illustrated the pattern. The firm had launched an “AI agent practice.” Several engagements were underway. The pitch decks were ambitious. When we drilled into what the agents actually did, the answer kept coming back the same way: they followed a fixed sequence of steps, branching on a handful of conditions, and calling out to a model for text generation at specific points. The task set was known.

The honest assessment is that yes, these are workloads. They handle the known. The IETF’s WIMSE working group, looking at this market and concluding that “agents are workloads,” is accurately describing this segment. The mistake is generalizing from here to all agents. The known case is real, and the workload-identity tools handle it. The unknown case is what the rest of the conversation is about, and the tools that handle the known break the moment the task set stops being knowable in advance.

The present: when the workload definition breaks

Strip away the agent washing market and look at what real agent systems are starting to do, and the known/unknown line becomes the structural boundary that nothing else explains.

A real agent receives a goal at runtime that the deployment never anticipated. It reasons about what tasks accomplish that goal. The task set was unknown a moment ago and now has to be discovered, structured, and committed to. Halfway through executing the discovered plan, the agent encounters conditions that change which tasks are needed. A counterparty becomes unavailable. A delegation opens up. A user changes their mind. The task set at minute thirty differs from the task set at minute zero, and the entity making decisions about what to add or remove is the agent itself.

This is the precise moment when the workload definition breaks down. A workload, by definition, has a bounded set of tasks knowable at deployment time. The agent’s task set is unknowable at deployment time because it depends on goals that arrive at runtime, reasoning that occurs at runtime, and conditions that evolve at runtime. The dimension that workload identity has never had to represent (the dynamic, adaptable, runtime-shaped task set) is the dimension that defines an agent.

The Compiler takes an unknown workload (a goal, a partial specification, a request that has yet to be decomposed) and turns it into a structured, addressable representation. It canonicalizes intent. It decomposes goals into atomic tasks. It surfaces ambiguity explicitly. It produces governance metadata about which constraints apply. The output is a Task Fabric: a verifiable, portable artifact that captures the currently best understanding of the unknown and is ready to be revised when new information arrives.

The Orchestrator takes the Task Fabric and turns it into an executable plan against currently available resources. It resolves dependencies. It delegates across agents through protocol primitives. It negotiates capabilities at runtime when available resources do not match the requested work. It inserts governance checkpoints. It can rewrite the fabric when execution returns signals about what is actually happening on the ground.

The Executor walks the plan and causes state change. It invokes tools and connectors. It manages local state and rollback. It emits attribution. It respects intervention hooks from the governance layer. It feeds results back into the Compiler and Orchestrator so the loop can adapt when the unknown reveals more of itself.

These three phases are inseparable from each other. None of them is the agent by itself. The agent is the substrate that runs the loop, with identity that exists independently of any particular workload the loop happens to be processing.

This is the framing that distinguishes a real agent from a glorified macro. A macro has the task set written into its code: the known case. A real agent has a task set that emerges from the loop: the unknown case. A macro’s identity is its deployment context, because the deployment is the entity. A real agent’s identity is its origin record, because the agent persists across whatever workloads it ends up processing. A macro produces audit logs as a side effect of running. A real agent produces signed attribution as a structural output, because attribution is the only way to make sense of an unknown task set after the fact.

The known/unknown line is what determines which set of primitives applies. Known task sets: workload identity, deployment-bound credentials, application-layer audit. Unknown task sets: persistent canonical identity, wire-level authority enforcement, cryptographic attribution. The two architectures are different, and trying to handle the unknown case with known-case tooling is the source of most failure modes that show up when real agents are deployed at scale.

The trajectory: more unknown, more substrate

The third lens is where the known/unknown line bends sharply away from the workload definition and stays there.

Agents are becoming more independent. They are running longer. They are taking on broader task surfaces. They are delegating to each other without continuous human supervision of each delegation. They operate across organizational boundaries, regulatory regimes, and model generations. The trajectory is unmistakable, and every step along it expands the unknown the agent must handle.

This is where the language has to be careful, because “independent” is often used as a synonym for “autonomous,” and the two differ in ways that matter.

An agent with independence of execution can handle more unknown without escalating to a human at every step. It can decompose new goals. It can negotiate with counterparties. It can adapt to drift. It can compose plans from emergent sub-goals. The value of an agent grows with how much unknown it can handle correctly, which is why the trajectory is toward more independence.

Agents are NOT autonomous. But by marketing definition "An autonomous agent," in the strong sense the word sometimes implies, would handle the unknown without any governance envelope at all. No accountable owner. No declared scope. No audit trail. No counterparty verification. This is the version of agent autonomy that doomer discourse worries about, and that careful infrastructure work should make structurally impossible.

These are different things. The trajectory points toward more independence, never toward autonomy from accountability. The protocol primitives have to make the distinction precise.

What this means for the substrate is counterintuitive at first and structurally obvious on reflection: as the agent handles more unknowns, the underlying governance has to become more rigorous, never looser. The Genesis record becomes more important, because it is the accountability anchor that survives the agent’s increasing operational latitude. The Owner-ID becomes more important, because someone has to remain accountable as the scope of unknown work expands. The Authority-Scope on every request becomes more important, because the scope is what keeps independence from sliding into unconstrained behavior. The Attribution-Record becomes more important because the audit trail is what lets a regulator, three years from now, reconstruct what an agent did with the unknown it was handed.

The known/unknown distinction is what makes all of this load-bearing. Workload primitives can govern the known case because the bounds are stated up front. They cannot govern the unknown case, because there is nothing to bound at deployment time. The agent substrate has to perform bounding at runtime, on every request, against an unknown that may have just appeared. The governance envelope has to be carried by the protocol, because there is no application-layer place to put it that survives the dynamism.

There is one more property of the trajectory worth naming. Agents are becoming ephemeral in execution while remaining persistent as entities. An agent might spawn thousands of ephemeral execution instances over its lifetime, each one short-lived, each one carrying a slice of the agent’s identity and scope. The persistent entity in the registry stays the same across all of those instances. The instances come and go. The entity remains. This is what makes the Genesis-derived canonical identity necessary: only a content-derived, infrastructure-independent identifier can keep the persistent entity stable across an arbitrary number of ephemeral instances handling an arbitrarily large, unknown number.

The future agent is independent enough to handle more unknown than today’s agent, ephemeral in execution against a persistent entity, and more deeply governed at the protocol layer than any application can deliver. None of those properties survive the workload definition. All of them follow directly from taking the unknown seriously.

The definition, in one sentence

An AI agent is a governed substrate with persistent identity, independent of any particular task, that compiles unknown work into structured task fabrics, orchestrates those fabrics across resources and counterparties, and executes them under continuous governance.

A workload is one part of that definition (the work the substrate happens to be doing right now, captured as a Task Fabric, in any given moment of the loop). The substrate that compiles, orchestrates, executes, and persists is the agent. The work it handles is unknown at deployment and known by the time it executes. The known/unknown line is exactly where the workload definition ends, and the agent definition begins.

Treating an agent as a workload throws away everything that makes it agentic. The dynamic task set. The runtime reasoning. The cross-organizational delegation. The emergent goal decomposition. The continuous governance envelope. The ephemeral execution against a persistent entity. Each of these exists because the agent is built to handle the unknown. None of them exist in the workload case because it has nothing unknown to handle.

The agent-washing market keeps producing macros called agents (workloads that handle the known) and asking the standards community to treat them as the canonical case. The real agent infrastructure is being built for something else (substrates handling the unknown), and the choice the next two years of standards work has to make is which case to design around.

AGTP is built for the unknown case. The compile-orchestrate-execute substrate runs inside it. The Genesis carries the persistent identity. The Authority-Scope constrains independence at the wire. The Attribution-Record produces the audit trail. The federation lets agents cross organizational boundaries. The trust tier carries credentialing depth that survives time.

This is what an AI agent is. A substrate built for the unknown, with everything that follows from that commitment. The macros wearing the costume are something else. The workloads being labeled as agents are something else again. The category that deserves the word is the one being built now, on the substrates the agent ecosystem will depend on for a decade.

Known versus unknown. Workload versus agent. The line is structural, and once you see it, everything else about the infrastructure conversation falls into place.