featured-image
Published on

Designing for the Agent Era: A Paradigm Shift

Authors
  • avatar
    Name
    Baran Cezayirli
    Title
    Technologist

    With 20+ years in tech, product innovation, and system design, I scale startups and build robust software, always pushing the boundaries of possibility.

    githubGitHublinkedinLinkedinxX

The ritual was absurd by today's standards. To type the letter "S" on a mobile phone in the early 2000s, you pressed the number 7 key four times. A simple greeting like "Hi" required careful arithmetic: H was 4-4, I was 4-4-4. A full sentence meant dozens of deliberate, sequential keystrokes — each one a small negotiation between what you wanted to say and what the hardware would allow. We called it T9, and at the time, we thought it was a miracle.

This was not a failure of imagination. T9 and its predecessor, multi-tap input, were rational adaptations to a genuine hardware constraint: a twelve-button keypad with a fixed vocabulary of symbols. The interaction model was shaped entirely by what the device could physically support. Then the iPhone arrived in 2007, and Steve Jobs demonstrated something that felt obvious in retrospect but was genuinely radical — a phone with no physical keyboard, controlled entirely through touch. Within a few years, every major manufacturer had abandoned the keypad paradigm. The constraint that had defined mobile interaction for a decade simply evaporated.

We are living through the same kind of inflection point now. AI agents represent the next fundamental shift in how humans interact with software. But unlike the jump from T9 to touchscreen, this transition is not driven by new hardware. It is driven by a new kind of interface consumer. And for the first time in the history of software design, that consumer is not human.

A Brief History of Talking to Machines

Every era of human-computer interaction has been defined by the hardware available at the time, and each shift made software dramatically more accessible to a broader population. The numeric keypad gave us mobile communication, but it imposed a cognitive tax on every word typed. T9's predictive dictionary — which required as little as 64KB of storage — was a genuine engineering breakthrough that made text messaging viable for mass adoption. It was not an ideal interface; it was the best possible interface given the constraints of the moment.

The mouse and graphical user interface did the same thing for personal computing in the 1980s and 1990s. Before the GUI, interacting with a computer meant memorizing command syntax and file path conventions. The shift to visual, point-and-click interfaces collapsed the expertise barrier and opened computing to anyone willing to learn the basic spatial metaphors of desktop, folder, and file. Touch further democratized this by removing the mouse entirely, making software accessible on devices that fit in a pocket. Each transition followed the same pattern: the interface evolved to close the gap between human intent and machine capability.

What we are experiencing with AI is not simply another input method. It is a collapse of the gap itself. When a user can describe what they want in natural language and have a system act on it directly, the entire intermediary layer of learned UI conventions — menus, tabs, form fields, navigation hierarchies — becomes optional. The question is no longer how we adapt humans to software. The question is how we adapt software to agents that can act on behalf of humans.

The Browser Agent Trap

The most obvious response to this shift has been to point AI agents at existing software and let them operate it the same way a human would. Browser-based agents navigate web pages by processing screenshots or DOM trees, clicking buttons, filling forms, and reading the resulting page state. This approach has intuitive appeal — it requires no changes to existing software — but it is fundamentally the wrong architecture, and the problems compound quickly.

The security implications alone are serious. When an agent navigates arbitrary web content, it is exposed to every string of text on every page it visits. Research has identified prompt injection as the most pervasive attack vector in browsing agents: malicious instructions embedded in DOM content or page text can override the user's original intent, redirecting the agent toward actions the user never authorized (Alkasir & others, 2025). Anthropic's own documentation for computer use warns explicitly that pages containing embedded instructions "may override user instructions or cause Claude to make mistakes" (Anthropic, 2024). Securing a browser agent requires securing every page it might ever visit — which is to say, it cannot be truly secured.

The performance problems are equally structural. Browser agents operating on screenshots are constrained by image resolution (Claude's computer use is most reliable at 1024×768 or 1280×800), consume substantial tokens with every page load, and suffer from what researchers call "hallucination drift" on long task sequences — the agent gradually loses coherent track of its original objective. Tasks requiring more than ten sequential steps become unreliable, and tasks requiring dozens of steps fail unpredictably. The agent is, in every sense, fighting an interface designed for a different kind of user. It is like trying to parse a spreadsheet by photographing the printed page rather than reading the underlying file.

The deeper problem is architectural mismatch. Web UIs encode vast amounts of implicit knowledge about how software works — which buttons are primary, which flows are recommended, which states are transient — but they encode it visually, for human perception. An agent operating on screenshots receives none of that structure. It sees pixels. An agent operating on the DOM receives markup that was written for browser rendering engines, not for machine consumption. Neither representation gives the agent what it actually needs: a clear model of what actions are available and what their consequences are.

The Architecture That Actually Works

The right model is not an agent that navigates existing software from the outside. It is an agent that operates from the inside, with privileged knowledge of the system it is helping the user work with. This architecture has three components, and all three are necessary.

The first is a system knowledge layer. The agent must understand the domain — not just the API schema, but what the product does, what the data means in context, and what workflows are meaningful. A CRM agent that knows only endpoint signatures cannot help a sales representative understand why a deal stalled. An agent that also knows the company's sales process, the meaning of each pipeline stage, and the history of that specific account can reason about the situation and suggest concrete next steps. This knowledge does not come from scraping the UI; it is deliberately authored and maintained as part of the product.

The second component is an internal API surface — a set of tools and actions designed specifically for agent consumption. This is distinct from the product's public REST API, which is designed for developer integrations, and from the UI, which is designed for human interaction. An agent surface exposes actions at the right level of abstraction: not raw CRUD operations on database records, but business-meaningful actions like "advance this deal to negotiation," "draft a follow-up based on the last meeting notes," or "identify at-risk accounts by segment." Function calling, introduced across major AI platforms in 2023, provides the technical mechanism: the agent reasons about which tools to invoke, the system executes them with appropriate authorization, and the results feed back into the agent's context.

The third component is an explicit trust boundary. When the agent operates through an internal API, access control is enforced at the system level — the same authorization model that governs human users governs the agent. The agent cannot access records the user is not permitted to see, cannot execute actions the user is not permitted to take, and cannot be misled by injected content into crossing those boundaries. This is categorically more secure than a browser agent, where the trust model depends on the agent's ability to resist adversarial page content.

The emerging standard for connecting agents to systems at this layer is the Model Context Protocol (MCP), introduced by Anthropic in November 2024 and subsequently adopted by OpenAI and Microsoft Azure (Anthropic, 2024b). MCP provides a standardized way to expose tools, data sources, and context to AI agents — a kind of interface contract between the system and the agent. The pace of adoption has been striking: thousands of MCP servers now exist, and the protocol has become the practical lingua franca for agent-system integration in the two years since its introduction.

The Pioneers Are Already Proving This

The evidence that this architecture works is not theoretical. The companies that have shipped embedded AI agents at scale — and reported measurable outcomes — have all converged on the same pattern: the agent operates inside the system, with full access to the system's data and a dedicated action surface, not outside it.

HubSpot's Breeze platform, launched at INBOUND 2024, is built directly into the Smart CRM with access to the full context of each customer relationship — contact history, deal stage, recent interactions, and business context (HubSpot, 2024). The Breeze Prospecting Agent does not navigate the CRM like a human would; it queries structured CRM data, applies knowledge of each prospect's history, and takes actions through internal tools. The results are concrete: teams using Breeze respond to leads 94% faster, and case studies show win rate improvements of 66% for customers like Aerotech. These are not the marginal gains of a productivity overlay. They reflect a fundamental change in what the software is capable of doing.

Salesforce's evolution from Einstein Copilot to Agentforce tells the same story. The system is natively integrated with Salesforce's internal toolchain — Apex, Flow, and MuleSoft APIs — so the agent acts through the same channels that the software itself uses, not through simulated user interaction (Salesforce, 2025). The results from Salesforce's own Agentic Enterprise Index for the first half of 2025 reflect the momentum this approach generates: agent creation among early-adopter companies grew 119% in six months, and employee interactions with AI agents grew at an average monthly rate of 65%. These are compounding numbers, not one-time adoption spikes. When the architecture is right, use deepens over time.

The pattern is consistent across both companies. Neither is building a browser agent or a chatbot layered on top of existing software. Both are rebuilding the relationship between software and AI at the architectural level, making the agent a first-class participant in the system rather than an outside observer trying to operate the controls.

What Software Builders Need to Do Differently

The gap between current practice and this architectural ideal is significant. According to the 2025 State of the API Report, only 24% of developers currently design APIs with AI agents in mind, despite the fact that 89% use AI tools daily in their own work (Postman, 2025). Most enterprise APIs were designed for human developers building integrations — they are optimized for readability and documentation, not for machine reasoning and tool selection. They expose data structures, not business actions. They require stateful session management that agents cannot reliably maintain. They lack the semantic richness that allows an agent to understand what an operation actually means in the context of the business.

Designing software for agent consumption requires rethinking three things. First, the action model: rather than exposing raw data operations, agent surfaces should expose meaningful business actions with clear preconditions and effects. An agent that can call closeWonDeal(dealId, amount, closeDate) operates at a much higher level of reliability than one trying to navigate the sequence of form fields and clicks that a human would use to accomplish the same outcome. Second, the knowledge layer: the agent needs to understand the domain, not just the schema. This means investing in system-level documentation, examples, and context that is specifically designed for AI consumption — not user help documentation repackaged. Third, the trust architecture: agent permissions should be modeled explicitly, not inherited from whatever session the agent happens to run in. An agent surface with well-defined capabilities and clear authorization is far more auditable and controllable than a browser agent with implicit access to everything the user's session can reach.

MCP is rapidly becoming the convergence point for this kind of standardization. Building an MCP server for your product is becoming roughly analogous to building a REST API ten years ago: the companies that do it early will define how AI interacts with their data and actions; the ones that wait will find the integration defined for them, less accurately, by agents scraping their web UIs.

The Agent Doesn't Think — But It Can Act

There is a tempting misconception that AI agents are effective because they are intelligent. They are not, at least not in any meaningful sense. As explored in an earlier post on this blog, large language models do not reason — they pattern-match against learned representations and generate outputs that are statistically consistent with those patterns. An agent does not understand your CRM the way an experienced sales manager understands it. It recognizes patterns in the data and selects actions from its available tool set that are consistent with those patterns and the user's stated goal.

Paradoxically, this limitation is also a feature when the architecture is right. A human user navigating a complex enterprise application brings preconceptions, habits, shortcuts, and frustrations. They forget where settings are, they skip steps in workflows, they work around confusing UI in ways that introduce data inconsistencies. An agent with a well-designed action surface does none of this. It invokes the right action for the stated goal, every time, without fatigue or impatience. It does not find the UI confusing because it does not see the UI at all. It operates on structured actions with predictable outcomes, which makes it in some ways a more reliable software user than a human being — provided the software is designed to be used that way.

The builders who recognize this earliest — who start designing their software with an agent surface as a first-class concern, not an afterthought — will not just have better AI features. They will have software that is categorically more capable in the agent era. The interaction paradigm is shifting again, as it always has. The constraint is no longer the keyboard, the screen, or the touch sensor. The constraint is whether your software knows how to speak to the new kind of user that is arriving.

References

Alkasir, R., & others. (2025). The Hidden Dangers of Browsing AI Agents. https://arxiv.org/abs/2505.13076
Anthropic. (2024a). Introducing computer use, a new Claude 3.5 Sonnet, and Claude 3.5 Haiku. https://www.anthropic.com/news/3-5-models-and-computer-use
Anthropic. (2024b). Introducing the Model Context Protocol. https://www.anthropic.com/news/model-context-protocol
HubSpot. (2024). HubSpot Launches New AI, Breeze, Plus Hundreds of Product Updates at INBOUND 2024. https://ir.hubspot.com/news-releases/news-release-details/hubspot-launches-new-ai-breeze-plus-hundreds-product-updates
Postman. (2025). State of the API Report 2025. https://www.postman.com/state-of-api/
Salesforce. (2025). Salesforce Shares Agentic Enterprise Index Insights for H1 2025. https://www.salesforce.com/news/stories/agentic-enterprise-index-insights-h1-2025/