When AI Becomes the Interface
AI agents are becoming the layer between users and your product – researching, booking, buying, without opening an app. What does that mean for trust, for platforms, for the experience you designed, and for who is legally responsible when something goes wrong?
Key Takeaways
AI agents can already complete purchases, bookings, and queries without a person ever opening an app. A new shared standard – the Model Context Protocol – means any AI tool can now connect to any app that supports it. Whether companies can block agent access depends on which route the agent takes. And the liability question, when an agent gets something wrong, is only beginning to be answered by courts and regulators.
In this article
Most apps are built with one assumption: a human is on the other end. Someone looking at a screen, making deliberate choices, interacting with a UI that was designed for them.
That assumption is starting to shift.
AI agents – software that acts on your behalf – can already browse websites, fill out forms, log in, select products, and complete purchases. Tools like OpenAI’s Operator and Anthropic’s Claude can do this at a working level today. The question isn’t whether it’s coming. It’s already here. The questions are: who controls access, and what does it mean for the products we’re building?
Do Users Actually Trust This?
Before asking how agents access apps, it helps to ask a simpler question: do people actually want them to?
The answer depends on who you ask and how. One large survey found 74 % of people would trust a personal AI agent more than their own best friend to make a purchase for them. Another, just as large, found the opposite: 77 % are worried about AI agents acting on their behalf online, and only 23 % trust companies to handle their data responsibly through AI.
The clearest signal comes from a study that asked the same question twice, a few months apart. In late 2025, 70 % of consumers said they were comfortable letting an AI agent shop for them. By early 2026, that had dropped to 45 %. More people are using these tools. Fewer people are comfortable with how much control they are handing over.
70 %
were comfortable with AI agents shopping for them in late 2025
45 %
felt the same way a few months later, in early 2026
That gap matters for anyone building a product. Adoption is not the same as trust. People may happily let an agent reorder something they buy every month, while staying unwilling to let it pick a hotel or negotiate a price on their own. The safe assumption right now: trust is specific to the task, not general. Design for the cautious user, not the confident statistic.
Looking at actual behaviour rather than stated preferences makes this even clearer. In 2026, 58 % of consumers use AI to research products – but only 17 % complete a purchase through AI. And within that smaller group who actually bought via AI, only 4 % are comfortable letting an agent buy without checking first. The gap between “I use AI to look things up” and “I let AI act without checking” is still very wide.
58 %
use AI to research products before buying
17 %
complete a purchase through AI
4 %
trust AI to buy without a final review step
How AI Agents Currently Access Apps
There are three main ways an AI agent interacts with an app or website today.
Through the Interface
The agent clicks and types like a person would. No cooperation needed from the app.
Through an API
The agent connects directly to the service, skipping the screen entirely.
Through Official Integration
The app itself defines what the agent is allowed to trigger, and how.
The clearest real-world example of what this looks like in practice launched in June 2026. Apple announced that starting with iOS 27, apps can register specific actions, like booking a table or sending a calendar invite, that Siri can trigger directly. The user never has to open the app at all. Apple also ended the exclusive deal that made ChatGPT the only assistant built into the iPhone: Claude and Gemini now get the same level of access. The official-integration model just moved from a niche feature to the default way the world’s most-used phone works.
Starting with iOS 27, Siri can trigger registered app actions – bookings, calendar invites, status checks – without the user ever opening the app.
Claude and Gemini now get the same access tier as ChatGPT. The official-integration model just became the default for the world’s most-used phone.
The first two options are very hard for app providers to block. The third is where they actually have a say.
That distinction matters more than it looks. Whether an app can do anything about agent access depends entirely on which route the agent is using. And there is now one shared standard that is changing how all three of those routes work.
MCP: The Standard Layer
In November 2024, Anthropic published the Model Context Protocol – MCP for short. It is an open standard: a shared set of rules that lets any AI agent connect to any app or service that supports it, without each combination needing to be built separately. Think of it as a universal plug – once an app supports MCP, every AI tool that also supports MCP can work with it.
Adoption has been fast. By early 2026, MCP had been downloaded 97 million times per month and over 10,000 apps and services had published support for it. Every major AI company – Anthropic, OpenAI, Google, Microsoft, and AWS – supports it. In December 2025, Anthropic handed ownership to an independent industry foundation. It is now a shared standard, not one company’s product.
97M
monthly downloads of the MCP standard as of early 2026
10K+
public MCP servers in production across industries
For app operators, this is the most important practical shift. Publishing an MCP server means you define which actions agents can trigger – book a table, check stock, initiate a return – and exactly how each one works. You set the boundaries. Without one, agents still reach you, but through the browser route: clicking your UI as if they were a human, with no knowledge of your intended flow and no way for you to guide or limit them.
The consequence for users is the one this entire shift is built on: the user never has to open the app at all. With MCP, a supported action – a booking, a product search, a status check – happens inside the agent’s interface. The user types a request. The agent calls your server. The result comes back. Your app was involved in every step and present in none of them.
Having an MCP server is becoming table stakes for staying relevant in agentic flows. Not having one means someone else defines how agents interact with your product.
For app operators, this is the same shift that forced companies to build mobile versions of their sites in 2010. Not a technical curiosity. A distribution question.
Can App Providers Block Agent Access?
Technically: it depends on which route the agent is taking.
If the agent accesses your app through the browser interface, blocking is genuinely hard. A modern AI agent navigating at human speed, from a real device, logged into a real user account, is nearly indistinguishable from a person. Bot detection and CAPTCHAs were designed for automated scripts. They were not designed for a system that reads, pauses, scrolls, and clicks the way a human does.
If the agent accesses through an API, the picture changes completely. Companies have strong control here: they decide who gets access, under what conditions, and can cut off anyone who violates the rules. Blocking is straightforward. The harder question is legal: if a user authorises an AI agent to use their account on their behalf, can the company refuse that? This is still unsettled, but technically manageable.
If the agent uses official integrations or MCP, the operator has complete authority by definition. You wrote the server. You define what is possible. Nothing happens outside those boundaries.
3 layers.
Each access route has a different answer to “can you block it?”
Browser: hard. API: controllable. Official integration: entirely yours.
In Europe, there is a fourth layer now: regulation. The EU AI Act, which took effect in 2026, adds a regulatory layer for any AI system that interacts with people in Europe. Depending on what an agent does, companies may need to meet transparency rules, keep records, and allow for human oversight. Fines can reach 7 % of global annual revenue – higher than GDPR. For any business serving European users, this is no longer just a strategic question. It is a legal one.
The Protectionism Question
Whether to allow agent access isn’t just a technical decision – it’s a business strategy decision.
For some companies, the answer is easy: yes. A payment service that works with AI agents is more convenient for users. Fewer steps, more completed transactions. Being agent-compatible is a feature.
For others, it’s the opposite. Companies whose value comes from their own interface – their discovery experience, their recommendations, the journey they designed – have reason to keep agents out. If an agent completes the transaction without the user ever opening the app, the whole experience gets bypassed.
This creates a real split: some platforms will open up, others will actively close. For product teams, this becomes a strategic question – is openness to agents a competitive advantage, or a risk to the user relationship?
If the user never opens your app, the experience you designed for them is invisible. The agent becomes the interface.
There is a third position that often goes unacknowledged, sitting between “fully open” and “actively blocking”: passive unreadability. Brands that have not structured their product data for agent access are not blocking anyone. They are simply being skipped. Research from PwC and Amplience (2026) consistently shows the same finding: agents bypass products whose data is incomplete, ambiguous, or poorly organised. In agentic commerce, bad data does not just create a worse experience. It creates no experience at all, because the agent moves on to the next option.
The strategic question is therefore not only “open or closed?” It is “readable or invisible?”
The brands most at risk are not the ones blocking agents. They are the ones that did nothing.
Passive unreadability is the bigger gap. Agents do not skip you because you blocked them. They skip you because your data is too messy to use.
The App Store’s Own Dilemma
Apple is not just watching this shift from the sidelines. It is one of the companies facing the exact conflict described above, at a much larger scale.
AI-related apps brought Apple close to $900 million in App Store fees in 2025, with more expected in 2026. That revenue depends on people opening apps, browsing, and buying inside them: the same screen-based experience that AI agents are starting to skip.
$900M+
in App Store fees from AI-related apps in 2025 alone.
Revenue that depends on people opening apps, not skipping them.
Apple’s response is not to block agents. It is to make sure it still controls the route they take. By building agent access directly into its own operating system, Apple stays in the middle of every transaction, even when the user never sees the app’s interface. It is a way of staying the gatekeeper while the front door changes shape.
The bigger risk for Apple sits outside its own walls. Open standards, like the Agentic Commerce Protocol built by OpenAI and Stripe, or the Universal Commerce Protocol backed by Google, Shopify, and major retailers, let an AI agent complete a purchase directly with a business, with no phone maker involved at all. If agents increasingly shop this way, the App Store’s role in the transaction disappears, regardless of what Apple allows on the device.
This is no longer a future scenario. Visa Intelligent Commerce and Mastercard Agent Pay, both launched in 2025, have already processed real transactions in 2026 – early volumes, but live. Neither routes through an App Store. When an AI agent buys something using a Visa-authenticated flow, no phone maker is involved. The payment rails exist. The question is whether enough consumers will trust them at scale.
The phone may still be the device people own. It may stop being where the transaction actually happens.
When Users Never Open the App
This is the scenario the whole industry is preparing for. It is also the one that has not yet proven itself at scale – and the data shows exactly why.
The technical side is largely in place. Visa, Mastercard, Stripe, and Apple have all built payment and integration layers for agentic commerce. MCP servers can route app actions without a screen. The infrastructure exists. What has not scaled is trust. Only 4 % of consumers are comfortable letting an agent complete a purchase without a final review. That is not a niche edge case. It is the ceiling for fully autonomous commerce right now.
Where “never opens the app” already works is in a narrow set of situations: reordering something you always buy the same way, business purchasing from an approved supplier list, or booking a recurring appointment. What these share: the user already knows exactly what they want, the decision is simple, and a mistake is easy to fix. Choosing a hotel, buying a gift, picking a new product – anything where judgement matters – stays in human hands, because trust has not stretched that far yet.
The infrastructure for app-bypass commerce is ready. Consumer trust is not – yet. The gap between the two is where this decade’s most interesting UX and product design work will happen.
Preparing now is not premature. The brands that built mobile-optimised sites before the iPhone tipped into mainstream still had to wait. But they were not scrambling when it did.
When agents do handle a transaction, the product still has to be readable. This is where the data argument matters regardless of timeline. When an AI agent evaluates options on someone’s behalf, it does not browse the way a human does. It reads structured information: product specs, prices, stock levels, data that comes back from the site in a clean, machine-readable format. The visual layer – the photography, the design, the brand voice – does not reach the agent at all. The agent reads what machines can read.
Humans are forgiving readers. A slightly ambiguous product title, a missing size chart, an inconsistent category label – a human shopper works around these. An agent does not. It either finds a clean data point or moves on. In agentic commerce, bad data becomes invisibility – not a worse result, no result.
Human reader
Works around gaps, infers intent, tolerates ambiguity. A missing spec is mildly annoying.
Agent reader
Needs clean, structured, unambiguous data. A missing spec means the option is skipped entirely.
The parallel to SEO is direct. Brands that did not structure their content for search engines became invisible to the system deciding what gets seen. The same applies now. Optimising for agents means clean, accurate product data, clear categories, well-structured checkout flows, and either an MCP setup or participation in one of the open commerce standards like Stripe’s Agentic Commerce Protocol or Google’s Universal Commerce Protocol.
The product detail page now has two audiences: the customer browsing, and the agent deciding. They need different things from the same page.
Structured data, clear specs, and clean APIs serve the agent. Visual hierarchy, emotional copy, and social proof serve the human. Neither can be sacrificed for the other.
What This Means for UX Design
UX is built on understanding who you’re designing for. If agents are increasingly the ones completing tasks, that question gets more complicated.
Agents do not browse visually. They do not notice a well-placed button, a reassuring image, or a carefully written headline. They do not hesitate or get distracted. They execute.
This doesn’t mean abandoning human-centred design – most interactions will stay human for a long time. But it raises a new question: is this flow usable by an agent, not just by a person?
For e-commerce, three practical questions are already on the table:
Who is the product page for?
If an agent handles the purchase, the product detail page is being read by a machine. What does it need to show a machine that it does not already show a human?
Who is the confirmation screen for?
If checkout is automated, the confirm step is not UX polish. It is the moment a user either takes back control or hands it over completely.
What is post-purchase UX?
If returns are handled agent-to-agent, the customer never opened your app. What does customer care mean in that model?
These are live questions for product teams today, not 2030.
There is also a research angle: what mental model do people build of an agent, and what happens when they hand over control? A 2026 study where 31 people tested commercial AI agent tools found a consistent gap: what the agent could actually do rarely matched what users assumed it could do. Agents also expected trust from the start, before doing anything to earn it – the opposite of how trust normally forms between a person and a new tool.
The interaction-design literature names the fix and the failure mode in the same breath. The fix: show the agent’s plan before it acts, not just the result afterwards. Without that preview, every autonomous step feels like a surprise the user never agreed to.
Show the plan. Before it acts.
The single most important UX principle for agents: a user who can see what is about to happen is a user who can stop it. That is where trust is earned or lost.
The failure mode even has a name now: “agentic sludge” – when a product removes so much friction that people approve agent actions without really thinking about them. That quietly shifts the benefit away from the user and towards whoever built the agent.
Capability is moving faster than trust – and that gap is the actual design problem.
Nielsen Norman Group’s 2026 outlook names this directly: AI adoption keeps climbing while user trust keeps falling. Teams that show their reasoning earn that trust back faster than teams that only show a result.
For UX design, this changes the brief. It is not enough to make a flow usable by an agent. The harder problem is designing the moment of handover itself: a visible plan before the agent acts, an easy way to correct it mid-task, and a default that earns trust gradually instead of assuming it on day one.
There is one more dimension UX teams now have to consider: liability. California enacted legislation (effective January 2026) stating that “the system acted autonomously” is not a valid defence. The company that deployed the agent stays accountable. Clifford Chance has flagged the same gap in enterprise contracts, written for passive software and not for agents that initiate actions. Confirmation and consent screens are no longer just UX polish – they are potentially the legal record of what a user was shown and agreed to before an action was taken on their behalf.
Design two parallel flows: one for the human, one for the agent. Then design the moment where control moves between them.
That handover point – what the user is shown, what they can change, what they confirm – is where usability, trust, and legal accountability all land at once.
Sources & Further Reading
- Anthropic. Building Effective Agents. Technical overview of agentic AI systems – how they are structured, how they interact with external services, and the design principles behind them.
- OpenAI. Introducing Operator. OpenAI’s agent product for browser-based task execution on behalf of users – an early example of consumer-facing agentic access to third-party interfaces.
- MIT Technology Review. AI Agents Are the Future of Software. On how autonomous agents are changing the structure of human-software interaction.
- The Verge. AI Agents. Ongoing coverage of how AI agents are being deployed across consumer products and the tensions they are creating.
- Nielsen Norman Group. State of UX 2026: Design Deeper to Differentiate. On the widening gap between AI capability and user trust, and what closes it.
- Smashing Magazine. Designing For Agentic AI: Practical UX Patterns For Control, Consent, And Accountability. Design patterns for previewing agent intent, consent, and the risk of “agentic sludge”.
- Pradyumna et al. Why Johnny Can’t Use Agents: Industry Aspirations vs. User Realities with AI Agents. Usability study (ACM, 2026) on the mismatch between marketed agent capabilities and users’ actual mental models.
- MacRumors. Apple Outlines Major AI and Developer Tool Updates (June 2026). On the App Intents 2.0 expansion and Siri’s new ability to call app actions directly.
- MacRumors. Apple Working on Plan to Allow AI Agent Apps on the App Store (May 2026). On the App Store revenue figures and Apple’s agent-aware review approach.
- Accenture. Consumer Pulse Research 2026. Survey of 25,590 people across 16 countries on trust in personal AI agents.
- Thales. Digital Trust Index 2026. Survey of 14,300 consumers on concerns about AI agents acting on their behalf.
- HomePage News. Consumer Trust Lagging Adoption for Agentic AI (2026). Riskified data showing comfort with AI shopping agents dropping from 70% to 45% within months.
- Stripe. Agentic Commerce Protocol. The open standard built with OpenAI for AI agents to complete purchases directly with businesses.
- Stanford HAI. 2024 AI Index Report. Comprehensive data on AI agent adoption, capability growth, and the policy gaps opening up as agentic systems become mainstream.
- Model Context Protocol. What is the Model Context Protocol?. The open standard specification for how AI agents communicate with external tools and services – the technical foundation behind agent-to-app access.
- PwC. Agentic Commerce Discoverability. On why structured product data and machine-readable content determine which brands agents surface and which they skip entirely.
- Clifford Chance. Agentic AI: The Liability Gap Your Contracts May Not Cover. On the gap between legacy software contracts and the accountability questions raised by agents that initiate actions autonomously.
- EU AI Act Service Desk. EU AI Act 2026: What AI Systems Must Prove by August. On compliance requirements, risk classifications, and penalty thresholds for AI systems operating within the EU.
- Amplience. Invisible Commerce & Agentic AI: How E-Commerce Brands Can Stay Visible. On the structural shift from visual brand presence to data quality as the primary driver of agent-era discoverability.
AI Agent
An agent acting on your behalf, inside a chat window – no app screen in sight.
René Manikofski is a Senior UX Designer with 10+ years of experience in e-commerce and digital product design across Europe. All articles are based on personal professional experience and supported by AI in writing.