The AI That Clicks: Why 40% of Agent Projects Will Be Scrapped by 2027
TokenShift Executive Note

For two years, your AI has been answering questions. It's about to do something else entirely: click, fill in forms, trigger payments, update customer records inside your real applications. On 24 June 2026, Google opened a public preview of "computer use" in Gemini 3.5 Flash, an agent able to see a screen and act in a browser, on mobile and on the desktop. Anthropic and the other major labs now offer the same capability, and they are sharpening it fast. The prevailing instinct is to see this as a faster assistant. That's a category error. An agent that acts is not a high-performance chatbot; it's an operator with credentials and, for now, no chain of accountability.
What "computer use" really does, and why it isn't an assistant
The term is technical, but the stake is simple. "Computer use" is a model's ability to perceive an interface (a screenshot, a page) and then emit actions: mouse clicks, keystrokes, navigation. The dividing line isn't the degree of intelligence; it's the nature of the output. An assistant produces text you review before acting. An agent doing "computer use" produces the action itself.
That dividing line is becoming the market standard. In late June 2026, LangChain shipped a "Computer Use in Fleet" feature: its agents now get an isolated virtual computer to run code, manipulate files and make authenticated API calls. The same platform offers an "On-Call Copilot" that works through your code, your traces and your runbooks to triage alerts and draft updates. Anthropic positions Claude Opus 4.8 as its best browsing-agent model, with an 84% score on the Online-Mind2Web benchmark. The shift is unmistakable: we are moving from an AI that drafts to an AI that executes.
For a leadership team, the consequence is concrete. An "authenticated" API call means the agent acts under an identity that holds rights in your systems. The question is no longer "is the answer correct?" but "which actions can this agent trigger, up to what ceiling, under which account, and who answers if it gets it wrong?".
An agent that gets it wrong commits your company, not your vendor
The precedent already exists, and it's recent. On 12 May 2026, the Oberlandesgericht Hamm (a German court of appeal) held a company liable for the misleading claims produced by its chatbot: through its AI, the platform asserted that its doctors held specialist qualifications they did not have. The court rejected the "third party" argument: the conversational agent is part of the company's communications, on the same footing as an employee or a page on its website. The company therefore answers for its outputs—and the court made clear it does so even when it fed the system accurate data to begin with. In October 2025, Deloitte Australia refunded roughly AUD 97,000 on a government report containing citations fabricated by a model. Those cases were about text. With an agent that acts, the error is no longer something you read in a message: it's written into a transaction.
The market senses this, and it's overreacting. Gartner predicts (press release of 25 June 2025) that more than 40% of agentic AI projects will be scrapped by the end of 2027, owing to runaway costs, unclear business value or inadequate risk controls. The same firm warns of "agent washing": of the thousands of vendors claiming to offer agents, it estimates that only around 130 genuinely do. The lesson is not that agents don't work. It's that an agent deployed without an execution framework produces exactly the two outcomes an executive dreads: a liability incident, or a project cancelled after six months and a burned budget.
An agent that acts with no defined perimeter isn't a productivity gain; it's an employee with no contract—and the credentials on top.
The execution mandate: four guardrails before you hand over the keys
Before an agent touches a production system, set its execution mandate. Four elements—written down, approved, audited.
- Scope. Which systems the agent can reach, which actions it's allowed, and what ceiling (amount, volume, number of records) triggers human sign-off. An agent that reads your CRM and an agent that edits your customer records are two different mandates; never conflate them.
- Identity. The agent acts under a dedicated service account—traceable and revocable within minutes; never under an employee's credentials. If you can't answer "under which account did this agent just act?", you don't have a mandate, you have a leak.
- The escalation point. Which actions require human sign-off before execution. Irreversible actions (payment, external send, deletion) stay outside the autonomous perimeter by default, until the observed error rate justifies otherwise.
- Traceability. A replayable action log, tied to a named owner (an owner map). In an incident, you need to be able to reconstruct the sequence and name who answers for it. It's also what the transparency provisions of the EU AI Act, applicable from 2 August 2026, will require you to document.
Same Tuesday morning, two companies deploy the same on-call copilot on their alerts. The first gives it a dedicated service account, a perimeter of "read the traces, draft an update, no outbound action without sign-off," and an audited log. The second gives it a senior engineer's account "to move faster." At the first false alarm, the gap shows: one has a draft to review, the other has an agent that has already closed a critical ticket under the identity of a human who was asleep.
Mistakes to avoid
- Agent washing. Buying an RPA tool or an assistant rebranded as an "agent." Check what it actually does, not the name on the invoice.
- Shared identity. Letting the agent act under a staff member's account. You lose traceability and you blend human and machine accountability.
- The implicit ceiling. Testing in a demo on read-only cases, then deploying on write actions with no ceiling and no escalation point. The demo creates a false sense of control.
- No kill switch. No procedure to revoke the agent within minutes. If revocation takes a day, the incident lasts a day.
The markers to track from day one of deployment
You'll know your execution mandate holds through observable signals, not a gut feeling:
- the share of actions executed autonomously versus those escalated to a human, tracked over time;
- the time to revoke an agent, measured and below a threshold you've set;
- the rate of out-of-scope actions actually blocked by the guardrail (if it's zero, either the agent is perfect or your guardrail controls nothing);
- the existence of a replayable log, and proof it has already served an audit—not just that it exists.
The capacity to act arrives fast; the capacity to answer for it is built beforehand, not after the first incident. Put an agent into production on a narrow workflow, with a written mandate and a named owner. That's the difference between a project that lands among the 40% scrapped and an agent that works for you, under control.
---
TokenShift works with the leadership teams of regulated companies to move AI from pilot to governed production: scope, ownership, guardrails and governance cadence. Follow the Page for the summer series, on the way to the September executive-committee campaign.
Sources:
- Google, "Introducing computer use in Gemini 3.5 Flash," blog.google, 24 June 2026 — https://blog.google/innovation-and-ai/models-and-research/gemini-models/introducing-computer-use-gemini-3-5-flash/
- Gartner, "Over 40% of Agentic AI Projects Will Be Canceled by End of 2027," 25 June 2025 — https://www.gartner.com/en/newsroom/press-releases/2025-06-25-gartner-predicts-over-40-percent-of-agentic-ai-projects-will-be-canceled-by-end-of-2027
- Oberlandesgericht Hamm (Hamm Court of Appeal), judgment of 12 May 2026 — company liability for its chatbot's outputs — OECD.AI, incidents database — https://oecd.ai/en/incidents/2026-05-12-cfef
- Deloitte Australia, refund on a government report containing citations fabricated by a model — Fortune, October 2025