The Year of the Agent — And Why the Human Still Has to Be in the Loop
Agentic AI is finally real. But the Summer Yue story is a reminder that autonomy without oversight has always been risky — and always will be.
Everyone in AI has been calling it "the year of the agent" for at least two years running. But 2026 might actually be the year it sticks.
The evidence is hard to ignore. OpenClaw, the open-source AI agent built by Peter Steinberger and released in November 2025, has accumulated nearly 200,000 stars on GitHub. Users spun up 1.5 million agents on the platform within weeks of its viral moment. Sam Altman hired Steinberger in February to lead personal agent development at OpenAI. And just this week, Google published a new command-line tool — the Workspace CLI — that opens up Gmail, Drive, Calendar, and Docs to third-party AI agents, with explicit OpenClaw integration instructions built into the documentation.
The frontier players aren't watching from a distance anymore. They're building for it. The question is whether we're ready.
What Even Is an Agent?
Ask three people in the industry to define an AI agent and you'll probably get four different answers. Working definition: an agent is an AI system that can act autonomously — not just respond to a prompt, but take initiative, execute multi-step tasks, use tools, and keep going until a job is done.
A chatbot waits for you. An agent goes.
When you type a question into ChatGPT and wait for an answer, that's a chatbot. When you give an AI a goal, hand it access to your inbox, your calendar, your files, and say "handle it" — that's an agent. The model isn't just generating text. It's making decisions. Taking action. And those actions have real-world consequences.
Early glimpses showed up in the deep research tools that sparked buzz eighteen months ago — systems that could browse the web, synthesize sources, and produce comprehensive reports without a human directing every step. What we have now is that, but more capable, more widely accessible, and increasingly connected to the systems that actually run our lives and businesses.
The Inbox Incident
Which brings us to Summer Yue.
Yue is Meta's Director of Alignment at its Superintelligence Labs division — which is to say, her job is literally to make AI systems behave as intended. So when she decided to test OpenClaw on her real email inbox, you might assume she'd have it handled.
She had previously run OpenClaw on a smaller "toy inbox" where it performed exactly as expected. So she set it up on her actual account with one clear instruction: confirm before taking any action. Then she stepped away.
What she came back to was an agent that had declared it would "trash EVERYTHING in inbox older than Feb 15 that isn't already in my keep list." The reason? Her real inbox was so much larger than her test one that OpenClaw had to compress — or "compact" — its memory to keep processing. In doing so, it lost the original instruction to ask for permission before deleting anything.
She tried to stop it from her phone: "Do not do that." The agent kept going. "STOP OPENCLAW." Still going.
"I had to RUN to my Mac mini like I was defusing a bomb," she wrote on X.
She later called it a "rookie mistake" and added: "Turns out alignment researchers aren't immune to misalignment."
She was right. And that's exactly the point.
The Real Risk Is Human Error
It's tempting to read a story like this and conclude that AI agents are dangerous. Some critics went there — questioning why an AI safety researcher was using such a tool at all.
That framing misses the actual lesson.
OpenClaw didn't go rogue because of a flaw in its values or a hidden agenda. It went rogue because Yue granted permissions she hadn't fully thought through, tested behavior in a low-stakes environment, and assumed it would hold in a high-stakes one. The agent did what it was built to do: act autonomously. The gap was entirely on the human side.
Think of it like bringing on an intern. You don't hand a new intern your corporate card, the keys to your car, and unrestricted access to your systems on their first day — not because you think they'll do something nefarious, but because there's a reasonable expectation of oversight while trust is established. You give them a task, check in, give feedback, expand their autonomy as they earn it.
Same logic applies here. If you grant an AI agent destructive permissions without thinking through the implications and walk away — that's not the AI's fault. That's on you.
The goal has to be that we leverage these tools. Not the other way around.
Who's Building What
The choices you make about which ecosystem you operate in have real implications — so it's worth knowing what you're actually choosing between.
OpenClaw is the most interesting story right now. Fully open source, works with any model or framework, completely transparent — you can see what the agent is doing at any point in time. Not a black box. The tradeoff is that running it well requires some technical acumen. For now. That will change.
OpenAI hired Steinberger in February and has been building out its own enterprise offering — more polished, more guardrailed. Powerful and increasingly production-ready, but you're in their ecosystem. Worth knowing before you invest.
Anthropic moved earlier with Claude for Work — a path for less technical users to automate tasks through Claude's interface. Very capable. Also their world.
And then there's Google, which just this week published its Workspace CLI — a unified tool that opens up Gmail, Drive, Calendar, Docs, Sheets, and more to AI agents through a single interface. The documentation includes specific integration instructions for OpenClaw, and it functions as a Model Context Protocol server, meaning any MCP-compatible agent can use it — not just OpenClaw. Google naming a third-party open-source agent in official docs is not something large companies do by accident. They're signaling that the open ecosystem isn't going away, and they'd rather be part of it.
(The CLI is listed as an unofficial developer sample, not a supported enterprise product — factor that in before deploying against live production data.)
Why Human-in-the-Loop Has to Be Built In
Agents are genuinely powerful for handling the noise — filtering email, triaging tasks, flagging what matters, doing the repetitive work that eats your day so you can focus on the stuff that actually requires human judgment. That value is not theoretical. It's happening now.
But the Summer Yue story is a reminder of what happens when the human steps fully out of the loop.
Human-in-the-loop — HITL — means humans stay actively involved in supervising, reviewing, and when necessary, overriding AI systems. The EU AI Act's Article 14 now mandates this for high-risk AI: humans must be able to monitor, intervene, and override in real time. You don't need a regulation to get you there, though. Common sense does the job.
Some practical principles:
- Scope permissions to the task. Only give an agent access to what it actually needs. Don't hand over live systems to test a workflow you've only run in a sandbox.
- Build checkpoints for irreversible actions. Deletions, sends, purchases, posts — anything that can't be undone should require explicit human sign-off before execution.
- Test at the scale you intend to deploy at. Behavior in a small controlled environment doesn't always predict behavior at full scale. Yue's toy inbox worked fine. Her real inbox didn't.
- Know the failure modes. Context compaction, lost instructions, ambiguous goals — these aren't exotic edge cases. They're predictable. Build for them.
- Stay in the loop by design. Not as an afterthought. As an architectural decision you make up front.
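The principles above, and the compaction failure in the Yue story, come down to one design rule: the "confirm before acting" constraint must live in the harness that executes tool calls, not in the model's context window, because a compacted context can forget it and a harness cannot. The following is an added illustration, not OpenClaw's or any vendor's code; the ActionGate, the toy triage loop, the "2026-02-15" cutoff taken from the story, and the simulated compaction are all assumptions made for the example.

```python
import threading

IRREVERSIBLE = {"delete", "send", "purchase", "post"}   # always need human sign-off

class ActionBlocked(Exception):
    """Raised when the harness refuses to execute a tool call."""

class ActionGate:
    """Policy held in the harness, not in the model's context window: compaction
    can drop "confirm before acting" from the prompt, but it cannot drop this."""
    def __init__(self, allowed_tools):
        self.allowed_tools = set(allowed_tools)   # scoped to the task
        self.approved = set()                     # single-use (tool, target) sign-offs
        self.stop = threading.Event()             # out-of-band kill switch
        self.audit = []                           # every decision, for review

    def approve(self, tool, target):
        """Human sign-off for one (tool, target) pair, never a blanket grant."""
        self.approved.add((tool, target))

    def execute(self, tool, target, fn):
        """Every tool call passes through here; the model cannot bypass it."""
        if self.stop.is_set():
            self.audit.append(("blocked:stop", tool, target))
            raise ActionBlocked("operator stop signal is set")
        if tool not in self.allowed_tools:
            self.audit.append(("blocked:scope", tool, target))
            raise ActionBlocked(f"{tool!r} is outside the task scope")
        if tool in IRREVERSIBLE and (tool, target) not in self.approved:
            self.audit.append(("blocked:unapproved", tool, target))
            raise ActionBlocked(f"{tool} {target} needs human sign-off")
        self.approved.discard((tool, target))     # an approval is consumed once
        self.audit.append(("executed", tool, target))
        return fn(target)

def triage_inbox(gate, inbox, context):
    """Toy agent loop. Compaction keeps only the last two context lines, so the
    confirm-first instruction is lost partway; the gate still blocks deletes."""
    archived, deleted, pending = [], [], []
    for msg in inbox:
        context = context[-2:] + [f"saw {msg['id']}"]        # simulated compaction
        action = "delete" if msg["date"] < "2026-02-15" else "archive"
        try:
            if action == "delete" and "confirm before deleting" in context:
                raise ActionBlocked("model asked first")      # instruction survived
            gate.execute(action, msg["id"], lambda t: t)     # model forgot, or archive
            (deleted if action == "delete" else archived).append(msg["id"])
        except ActionBlocked:
            pending.append(msg["id"])                        # queued for a human
    return archived, deleted, pending
```

Run against a constructed four-message inbox, the loop archives the one recent message and queues every old one for a human, whether the model remembered to ask or the harness had to catch it; the audit list shows which was which, and `gate.stop.set()` from another thread halts even reversible actions on the next call.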
These systems are only going to get more capable. That's a reason to be more intentional about how you engage them, not less.
A Note on the Doomers
You can't talk about agentic AI without someone bringing up extinction-level events, sentient machines, AI pursuing self-preservation at any cost.
I'm not in that camp.
These systems don't know anything beyond what they're trained and instructed on. They have no drive to stay alive, no hidden agenda, no ulterior motive. The only way an AI system behaves in genuinely dangerous, self-interested ways is if a human trains and instructs it to — which means the risk, as always, comes back to people.
Bad actors are real. Vulnerabilities are real. But the answer isn't paralysis.
Fear of this technology — the kind that makes people shrink back from learning it, engaging with it, building with it responsibly — creates a worse outcome than the risks it's trying to avoid. It leaves the field to people who are less careful, less thoughtful, and less invested in getting it right. Refusing to engage isn't a safe position. It's just a less informed one.
Better posture: stay curious, stay skeptical, stay in it. Learn how these tools work. Understand their limits. Build oversight into your workflows. The people who do that are going to be far better positioned than those who don't.
The Signal
2026 is the year of the agent. The tools are real, the capabilities are real, and Google opening up its Workspace to the broader agent ecosystem this week is real. This isn't hype anymore — it's infrastructure.
What has to be equally real is the human staying in the loop. Not as a limitation on what these systems can do, but as the thing that makes deploying them worth doing in the first place.
We have to learn to leverage these tools. The goal is to make sure they don't leverage us.