AI agents are becoming more common and more capable, without consensus or standards on how they should behave, say academic researchers.

So says MIT’s Computer Science & Artificial Intelligence Laboratory (CSAIL), which analyzed 30 AI agents for its 2025 AI Agent Index, which assesses machine learning models that can take action online through their access to software services.

AI agents may take the form of chat applications with tools (Manus AI, ChatGPT Agent, Claude Code), browser-based agents (Perplexity Comet, ChatGPT Atlas, ByteDance Agent TARS), or enterprise workflow agents (Microsoft Copilot Studio, ServiceNow Agent).

The paper accompanying the AI Agent Index observes that despite growing interest and investment in AI agents, "key aspects of their real-world development and deployment remain opaque, with little information made publicly available to researchers or policymakers."

The AI community frenzy around open source agent platform OpenClaw, and its accompanying agent interaction network Moltbook – plus ongoing frustration with AI-generated code submissions to open source projects – underscores the consequences of letting agents loose without behavioral rules.

In the paper, the authors note that the tendency of AI agents to ignore the Robot Exclusion Protocol – which uses robots.txt files to signal no consent to scraping websites – suggests that established web protocols may no longer be sufficient to stop agents.

It's a timely topic. Anthropic, one of the main providers of AI agents, on Wednesday published its own analysis of AI agent autonomy, focused more on how agents are used than the consequences of their use.

"AI agents are here, and already they're being deployed across contexts that vary widely in consequence, from email triage to cyber espionage," the company said. "Understanding this spectrum is critical for deploying AI safely, yet we know surprisingly little about how people actually use agents in the real world."

According to consultancy McKinsey, AI agents have the potential to add $2.9 trillion to the US economy by 2030 – assuming the vast capital expenditures by OpenAI and other tech firms haven't derailed the hype train. We note that enterprises aren't yet seeing much of a return on their AI investments. And researchers last year found AI agents could only complete about a third of multi-step office tasks. But AI models have improved since then.

MIT CSAIL's 2025 AI Agent Index covers 30 AI agents. It is smaller than its 2024 predecessor, which looked at 67 agentic systems. The authors say the 2025 edition goes into greater depth, analyzing agents across six categories: legal, technical capabilities, autonomy & control, ecosystem interaction, evaluation, and safety. The AI Agent Index site makes this information available for every listed agent, each with 45 annotation fields.

According to the researchers, 24 of the 30 agents studied were released or received major feature updates during the 2024-2025 period. But the developers of agents talk more about product features than about safety practices.

"Of the 13 agents exhibiting frontier levels of autonomy, only four disclose any agentic safety evaluations (ChatGPT Agent, OpenAI Codex, Claude Code, Gemini 2.5 Computer Use)," according to the researchers.

Developers of 25 of the 30 agents covered provide no details about safety testing and 23 offer no third-party testing data.

To complicate matters, most agents rely on a handful of foundation models – the majority are harnesses or wrappers for models made by Anthropic, Google, and OpenAI, supported by scaffolding and orchestration layers.

The result is a series of dependencies that are difficult to evaluate because no single entity is responsible, the MIT boffins say.

Delaware-incorporated companies created 13 of the agents evaluated by the authors. Five come from China-incorporated organizations, and four come have non-US, non-China origins: specifically Germany (SAP, n8n), Norway (Opera), and Cayman Islands (Manus).

Among the five Chinese-incorporated agent makers, one has a published safety framework and one has a compliance standard.

For agents originating outside of China, 15 point to safety frameworks like Anthropic's Responsible Scaling Policy, OpenAI's Preparedness Framework, or Microsoft's Responsible AI Standard. The other ten lack safety framework documentation. Enterprise assurance standards are more common, with only five of 30 agents having no compliance standards documented.

Twenty-three of the evaluated agents are closed-source. Developers of seven agents open-sourced their agent framework or harness – Alibaba MobileAgent, Browser Use, ByteDance Agent TARS, Google Gemini CLI, n8n Agents, OpenAI Codex, and WRITER.

All told, the Index found agent makers reveal too little safety information, and that a handful of companies dominate the market. Other major findings include the difficulty of analyzing agents given their layers of dependencies, and that agents aren't necessarily welcome at every website.

The paper lists the following authors: Leon Staufer (University of Cambridge), Kevin Feng (University of Washington), Kevin Wei (Harvard Law School), Luke Bailey (Stanford University), Yawen Duan (Concordia AI), Mick Yang (University of Pennsylvania), A. Pinar Ozisik (MIT), Stephen Casper (MIT), and Noam Kolt (Hebrew University of Jerusalem). ®