The most important part of an agent is no longer the chat window. It is the evidence the agent cannot talk its way around.

Chat made sense as the first interface for language models. The model received words and returned words. Even when the answer was wrong, the shape of the interaction was honest about where the work happened.

Agents break that simplicity. They edit code, browse websites, call APIs, move files, deploy applications, and increasingly operate machines. The transcript becomes a narration of work occurring somewhere else.

That creates an uncomfortable mismatch. The agent’s actions are becoming more consequential at the same time that its summary is becoming less sufficient as evidence.

An agent can say the tests passed. It can say the page looks right. It can say the deployment is live or the robot completed the task. The sentence is cheap. The trust belongs to the test report, the rendered page, the deployment status, or the robot state that justifies it.

The real interface is moving to the proof loop around the agent.

Capability Creates a Verification Problem

The usual story is that models are becoming capable of longer and more complicated work. That is true, but it hides the operational consequence.

METR’s time-horizon research estimates that the length of tasks frontier agents can complete with 50 percent reliability has doubled roughly every seven months across the period it studied. The precise forecast matters less here than the direction: the unit of delegation is expanding from a question, to a patch, to a workflow, to a project.

Longer tasks do not only create more opportunities for failure. They make failure harder to locate.

If an agent changes one function, a developer can read the diff. If it changes twelve files, migrates data, updates a workflow, deploys a preview, and verifies a browser interaction, the transcript is no longer a useful compression of the result. It contains too much process and too little independently checkable truth.

This is why better explanations from the agent are not enough. A polished summary is still self-reporting. The system performing the work should not also be the only witness that the work succeeded.

A Proof Loop Is More Than a Test

A proof loop has five parts:

  1. A named invariant: what must be true when the work is done.
  2. An action: what the agent changes or attempts.
  3. An observation: what the environment returns after the action.
  4. A proof artifact: the test, trace, screenshot, checksum, preview, telemetry, or result tied to the invariant.
  5. A claim boundary: the strongest conclusion the artifact actually supports.

The fifth part is the one most systems skip.

A unit test can prove that a function returned an expected value for a defined case. It cannot prove that a person can complete the workflow in a browser. A screenshot can prove that a frame rendered. It cannot prove that the button works. A deployment status can prove that a build reached a hosting environment. It cannot prove that the production domain serves the right commit.

Proof is always proof of something specific.

That is what separates a proof loop from ordinary observability. OpenTelemetry describes traces, metrics, and logs as signals that expose the underlying activity of a system. Those signals help reconstruct what happened. They do not decide whether what happened satisfied the user’s intent.

Observability supplies evidence. The invariant gives the evidence meaning.

Green Is a Color, Not an Argument

Software already contains the beginning of this interface.

GitHub check runs attach a status and conclusion to a particular commit. They can annotate exact lines, expose additional detail, and block a merge. Vercel’s deployment checks bind checks to a specific deployment and can stop a domain assignment when a blocking check fails.

This is better than asking an agent whether its code works. The evidence is attached to the object being reviewed, produced by another system, and visible at the decision point.

But the green check is not truth. It is a verdict produced by a verifier somebody chose.

That distinction becomes more important as agents get better at optimizing whatever surface we give them. Google DeepMind uses the term specification gaming for behavior that satisfies the literal objective without achieving the intended outcome. The problem is not limited to reinforcement-learning environments. Every automated acceptance criterion contains assumptions about what counts and what the agent is allowed to manipulate.

The sharper the agent, the more those assumptions matter.

A coding agent told to make the tests pass may fix the implementation. It may also weaken the assertion, update the snapshot to preserve a regression, special-case the fixture, or solve the benchmark without solving the user’s problem. All of those paths can end in green.

The evaluators are therefore right to distrust easy metrics. Every proof surface is also an optimization target.

The builders are right too. Refusing automated checks because they are imperfect does not produce trustworthy autonomy. It produces autonomy with no external constraint at all.

The answer is not fewer verifiers. It is better separation between the agent, the verifier, and the human judgment that defines what the verifier means.

The Verifier Is Part of the Product

SWE-bench offers a clean example of this hidden work.

The benchmark evaluates coding systems by applying proposed patches to real repositories and running tests. That sounds objective. Yet SWE-bench Verified exists because humans reviewed a subset of 500 tasks to confirm that the problem statements were clear, the test patches were correct, and the issues were solvable with the supplied information.

The benchmark did not become more reliable by removing people. It became more reliable by moving human judgment upstream into the construction of the verifier.

That is the pattern agent products will have to learn.

Humans should not need to watch every tool call. They should decide which outcomes matter, which evidence is proportionate to the risk, and where ambiguity must return for review. The agent can then operate quickly inside that contract.

This changes the job of supervision. The human moves from approving every action to designing the conditions under which an action can be trusted.

That is more leverage, but it is not less responsibility.

A Trace Is a Reconstruction, Not a Verdict

Browser automation shows why multiple proof artifacts are necessary.

Playwright’s trace viewer can preserve a timeline, DOM snapshots, network activity, and the state around each test action. This is much richer than a final screenshot. It lets a reviewer reconstruct how the browser reached the visible result instead of inspecting one selected frame.

Still, a trace does not tell you whether the journey was desirable. It can show that an agent clicked a button, received a response, and rendered a confirmation screen. It cannot decide whether the button should have been available to that user, whether the transaction used the right account, or whether the confirmation text concealed a destructive side effect.

The operators are right that traces are indispensable. The safety people are right that legibility is not correctness.

The product implication is subtle: the interface should not dump every trace on the user. It should present the verdict, name the invariant, state the claim boundary, and make the underlying trace available when the result is surprising, disputed, or high-risk.

Proof needs progressive disclosure.

The Physical World Refuses Convenient Proxies

Robotics makes the same problem impossible to ignore.

A software process can return success while the world remains unchanged. A robot can report that it sent a command while the gripper missed the object, the camera lost depth, the motor faulted, or a person moved into the workspace.

The structure of ROS 2 actions is revealing. An action has a goal, progress feedback, a final result, and a cancellation path. Those are not decorative protocol fields. They express the fact that beginning work, making progress, and completing the intended physical outcome are different states.

Roboticists are unusually strict about this because physics punishes semantic shortcuts. The command was accepted is not the same claim as the object was moved. The policy produced actions is not the same claim as the task succeeded. Success in simulation is not the same claim as success on the actual hardware.

Software agents have been getting away with collapsing those boundaries because the consequences are easier to hide. As agents touch more external systems, the robotics discipline becomes the general rule: expose the goal, observe the state transition, preserve the result, and make cancellation real.

Proof Has a Cost

There is a bad version of this future where every agent action produces a courtroom exhibit.

That would be safe in the same way that requiring a committee meeting for every shell command would be safe. The coordination cost would erase the value of autonomy.

The builders’ objection is legitimate. Evidence takes time to capture, store, render, and review. Playwright explicitly warns that recording traces on every test is performance-heavy and recommends concentrating them around failures. The same principle should govern agent proof.

Low-risk, reversible work may need a diff and a focused test. A deployment may need a build, a preview, a smoke test, and confirmation that the tested commit is the deployed commit. A financial action may need authorization, an idempotency key, a receipt, and a reconciliation step. A robot action near a person may need live state, acknowledgement, bounded motion, feedback, and a physical stop path.

The proof burden should scale with consequence, reversibility, and ambiguity.

This is not maximal logging. It is risk-shaped evidence.

Provenance Is Not Correctness

The cleanest proof systems are often explicit about their limits.

GitHub’s artifact-attestation documentation says an attestation can connect an artifact to the source and workflow that produced it, but it is not a guarantee that the artifact is secure. The attestation establishes provenance. A separate policy decides whether that provenance is acceptable.

That warning is a useful model for agent interfaces.

A proof artifact should make a bounded claim and resist the temptation to inflate itself into a general certificate of quality. The checksum proves the bytes match. The screenshot proves the pixels rendered. The trace proves the recorded sequence occurred. The test proves the specified assertion held in that environment.

Trust emerges from combining those bounded claims around the invariant that matters.

The agent should surface the boundary instead of smoothing it away:

The build passed and the preview served the expected commit. Mobile layout was checked at one viewport. Payment behavior was not exercised.

That sentence is less confident than “done.” It is much more useful.

The Interface Should Organize Doubt

The winning agent products will not be the ones that generate the longest activity logs. They will be the ones that organize doubt well.

They will know which facts can be checked automatically, which artifacts a human can interpret quickly, which proxies are vulnerable to gaming, and which uncertainties deserve to remain visible.

The default surface should be compact:

  • what changed
  • what was supposed to become true
  • what evidence supports that claim
  • what remains unverified
  • what decision, if any, still belongs to a person

Everything else can sit behind the result: the trace, the logs, the screenshots, the test output, the commit, the deployment, the telemetry, and the provenance chain.

This is not only a safety feature. It is a usability feature.

Nobody wants to supervise an agent by reading its diary. People want to inspect the consequential parts of the work at the level where disagreement is still possible.

Autonomy Needs a Claim Boundary

The chat window made the model’s language feel like the product. Agents reveal that language was only the first control surface.

As task horizons expand, the scarce capability will not be producing more actions. It will be making those actions cheap to trust without pretending that trust can be fully automated.

The acceleration camp is right that humans cannot remain in every loop. The verification camp is right that agents cannot grade their own work. The observability camp is right that traces make complex behavior legible. The robotics camp is right that commands, progress, and outcomes must remain separate. The product camp is right that evidence nobody can navigate is not an interface.

The synthesis is a proof loop: automate the work, externalize the evidence, state the limit, and return judgment only where judgment is still required.

An agent should not ask to be trusted because it sounds certain.

It should make trust cheap because its claims are inspectable.