Chat Is Universal. Agents Are Gated by Governance

Two doorways in one wall: one open and busy, one gated with a checkpoint, illustrating AI agent adoption gated by governance.

Anthropic published a survey on May 27, 2026, of 1,260 social scientists, fielded in late February and March 2026. One pair of numbers carries the whole story. 81 percent had used generative AI to help with their research. Only 20 percent used a coding agent (a command-line tool like Codex, Cursor, or Claude Code) regularly, meaning more than once a week.

The detail that makes that gap sharp is the sample. These researchers were recruited with access to Claude Max accounts, so the group skews toward people already curious about AI. Even among the eager, four out of five had not adopted agents into their workflow.

If you read that as "agents are still early," you are not wrong. But you miss the mechanism.

Chat is a universal interface. Agentic work is a governance problem.

A chatbot is trusted because you can check it before you act. An agent has to be trusted because it acts for you.

That difference is the whole adoption curve.

The adoption gap is the verification gap

Most people can tolerate a chatbot being wrong, because the blast radius is contained. You read the output, you decide, you act. The system is interactive, not autonomous. The cost of trying one is almost zero: you paste text into a box and get text back.

An agent breaks that bargain. It executes. It writes files, runs analyses, pulls data, installs dependencies, submits jobs, and creates artifacts, at machine speed. Even when the agent is right, it creates a new operational reality. The work is no longer trusted because it sounds smart. It is trusted because it can be verified.

So an agent forces three questions a chatbot never does:

What exactly did it do?
Could I reproduce it?
If it is wrong, or compromised, can I reverse it?

The moment you ask those questions, you are not adopting an agent. You are adopting a runtime, the layer that holds state, permissions, and evidence around the model. Most teams do not have one. They have a model API key, a prompt, and a hope.

This is not only an academic pattern. McKinsey's 2025 state-of-AI survey found 62 percent of organizations experimenting with AI agents, but only 23 percent scaling an agentic system somewhere in the enterprise, meaning in at least one business function. In a follow-on McKinsey survey on AI trust, close to two-thirds of organizations named security and risk as the top barrier to scaling agentic AI, ahead of regulatory uncertainty and technical limitations. The gap between "we tried it" and "we run it" is not a capability gap. It is a trust gap.

To be fair, not all of the lag is fear. Some of it is plain deployment friction: agents are harder to integrate, harder to test, and harder to keep stable than a chat box, and enterprise buyers say so. But friction and trust point at the same missing thing. Both are the cost of making an agent's behavior legible and controllable, which is exactly the work a chatbot lets you skip.

The Anthropic survey shows the same shape inside academia. Researchers at top universities were about 40 percent more likely than others to use coding agents, and adoption was more than twice as high among researchers with typically male names as among those with typically female names. It is tempting to read that as taste or interest. The systems reading is simpler. An uneven adoption curve is exactly what you should expect when a technology needs operational scaffolding to be safely useful. Institutions that can amortize the cost of building or buying that scaffolding adopt sooner. Everyone else stays in chat, where the cost of trust is lower.

Governance is execution-time control, not a policy document

When people hear "agent governance," they think of policy PDFs, model cards, and safety training. Those are upstream controls. They matter, but they do not substitute for control at the moment the agent acts.

I keep coming back to the same four-part contract, the one I laid out for advice-giving assistants, because it is the same contract whether the agent is recommending or executing.

Intent: what is the agent actually trying to do, in terms a human can read?
Authorization: who approved this action, and at what scope?
Evidence: what artifacts prove what happened, and why?
Reversibility: how do we roll it back, and what happens if we cannot?

Notice what is not on that list. Alignment. Model quality. Prompt craft. Those are real, and they are upstream of the moment that actually carries risk. The contract lives at execution time or it does not live at all. This is the same argument I have made about agents in the delivery pipeline: the bottleneck is governance, and governance is architecture, not documentation.

If you cannot audit an agent run, you cannot defend it. If you cannot defend it, you will not deploy it. That is the shape of the gap between experimenting and scaling.
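What that contract looks like when it lives at execution time, as an added example that is not the post's own code: a small runtime that checks each action against an approver-granted scope, appends a hash-chained evidence record, and keeps an undo step so a run can be reversed. The scope shape (allowed tools, path prefixes) and all names are assumptions for illustration.

```python
# Added example, not from the post: an execution-time contract for one agent action.
# Every call states its intent, is checked against an authorization scope, leaves a
# hash-chained evidence record, and registers its own undo step (scope shape assumed).
import hashlib, json, time

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Runtime:
    def __init__(self, approver, allowed_tools, allowed_paths):
        self.approver = approver                   # who granted the scope
        self.allowed_tools = set(allowed_tools)    # tools the agent may invoke
        self.allowed_paths = tuple(allowed_paths)  # path prefixes it may touch
        self.evidence = []                         # append-only, hash-chained audit trail
        self.undo_stack = []                       # (intent, undo callable) per executed action

    def run(self, intent, tool, target, do, undo):
        # do() performs the action and undo() reverses it; neither runs out of scope
        if tool not in self.allowed_tools or not target.startswith(self.allowed_paths):
            self._record(intent, tool, target, "denied", "outside authorized scope")
            raise PermissionError(f"{tool} on {target} not within scope from {self.approver}")
        result = do()
        self.undo_stack.append((intent, undo))
        self._record(intent, tool, target, "executed", result)
        return result

    def rollback(self):
        # reverse executed actions in LIFO order; every reversal is recorded too
        n = 0
        while self.undo_stack:
            intent, undo = self.undo_stack.pop()
            undo()
            self._record(intent, "rollback", "-", "reverted", "")
            n += 1
        return n

    def _record(self, intent, tool, target, outcome, detail):
        prev = self.evidence[-1]["hash"] if self.evidence else "0" * 64
        entry = {"ts": time.time(), "intent": intent, "tool": tool, "target": target,
                 "approver": self.approver, "outcome": outcome, "detail": str(detail), "prev": prev}
        self.evidence.append({**entry, "hash": _digest(entry)})

def verify_chain(evidence):
    # recompute every hash and link; an edited or dropped entry breaks the chain
    prev = "0" * 64
    for e in evidence:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

Denied attempts are recorded alongside executed ones, so the trail answers "what did it do" and "what did it try to do" with the same evidence.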

State is what makes agents hard to trust

There is a second reason agents are gated, and it runs deeper than execution. It is state.

Chat is mostly stateless. Even when a product offers memory, the experience stays conversational and largely disposable. Agents are stateful by necessity. They need durable context to work across sessions and tasks. That sounds like a feature until you look at it as a surface, because the blast radius of an agent is not set by the model. It is set by the state the model is allowed to touch, and persistent memory is the longest-lived state of all.

And persistent memory has become a documented attack surface, on a research line that is now several years deep.

It starts with indirect prompt injection, shown by Greshake and colleagues in 2023: an attacker plants instructions in content the model will later read, a web page, a document, an email, with no direct access to the user. PoisonedRAG extended the idea to retrieval stores in 2024, corrupting a knowledge base so the system returns attacker-chosen answers. AgentPoison, also 2024, carried it into agent memory itself, a backdoor in the long-term store that an optimized trigger could activate. In 2025, MINJA showed an attacker could inject malicious records into an agent's memory using nothing but ordinary queries, no privileged access required.

The 2026 paper "Hidden in Memory" adds the most unsettling property: time. It studies what the authors call sleeper memory poisoning. External content causes the assistant to write a fabricated memory about the user, the memory sits dormant, and it re-emerges across later conversations to steer behavior. The reported numbers are high, with poisoned memories written up to 99.8 percent of the time on one model and 95 percent on another, and among the cases where a poisoned memory was later retrieved, it produced the attacker's intended action in 60 to 89 percent of evaluations across the models tested. Treat the exact figures as paper-reported. The pattern is the point.

The novelty here is narrow and worth stating precisely. Memory poisoning is not new. The contribution is dormancy: a payload that survives the session it was planted in and activates later, when nobody is watching the conversation that introduced it.

That reframes what memory is. If an agent can remember, an attacker can influence what it remembers. And if an attacker can influence what it remembers, they can influence what it does next week. This is not prompt injection in the moment. It is supply-chain compromise of state.

Which means memory cannot be a magic blob the agent silently trusts. It needs the same properties as any other governed surface: where a memory came from, when, on whose authority, and a way to revert it. A memory that can steer an action has to be as inspectable and reversible as the action itself. The architecture for building that (provenance, quarantine lanes, evidence trails) is a longer subject than this post, and I will take it up on its own.
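A minimal sketch of those properties, as an added example and not the post's own design: a memory store where each record carries its origin, authority, and creation time, records derived from external content wait in a quarantine lane until a human promotes them, and everything traced to one origin can be revoked at once. Lane names, origin labels, and the sample memories are constructed assumptions.

```python
# Added example, not from the post: a memory store where every record carries
# provenance (origin, authority, time), records derived from external content sit
# in a quarantine lane until a human promotes them, and everything traced to one
# origin can be reverted in a single step. Lane and origin names are assumptions.
from dataclasses import dataclass, asdict
import time

TRUSTED_ORIGINS = {"user", "operator"}   # may write to the live lane directly

@dataclass
class Memory:
    id: int
    text: str
    origin: str      # "user", "operator", or external, e.g. "web:<url>", "email:<id>"
    authority: str   # who authorized this record in its current lane
    created: float
    lane: str        # "quarantine" or "live"
    revoked: bool = False

class GovernedMemory:
    def __init__(self):
        self._records = {}   # id -> Memory; nothing is ever deleted, only revoked

    def write(self, text, origin, authority):
        # external content never lands in the live lane without a reviewer
        lane = "live" if origin in TRUSTED_ORIGINS else "quarantine"
        m = Memory(len(self._records) + 1, text, origin, authority, time.time(), lane)
        self._records[m.id] = m
        return m.id

    def promote(self, mem_id, reviewer):
        # a human moves a quarantined record to live; authority is re-recorded
        m = self._records[mem_id]
        m.lane, m.authority = "live", reviewer
        return m.lane

    def recall(self):
        # what the model is allowed to see: live, unrevoked records only
        return [m.text for m in self._records.values() if m.lane == "live" and not m.revoked]

    def revert_origin(self, origin):
        # revoke every record traced to one origin; returns how many were hit
        hit = [m for m in self._records.values() if m.origin == origin and not m.revoked]
        for m in hit:
            m.revoked = True
        return len(hit)

    def provenance(self, mem_id):
        # the answer to "where did this come from, when, on whose authority"
        return asdict(self._records[mem_id])
```

Revocation keeps the record rather than deleting it, so the evidence of what was planted, and who promoted it, survives the rollback.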

Why this is the real product

When teams say "we are building an agent," they usually mean prompts, tools, and model selection. That is the visible part and the smallest part.

The thing that decides whether the agent gets adopted is the layer underneath: the one that records what the agent did, bounds what it can reach, proves what happened, and lets you undo it. The harness is the control plane, and the control plane is where trust is manufactured.

Chat went universal because its state surfaces are shallow and its blast radius is small. Agents are gated because their surfaces are deep and their actions are real. The way through is not a smarter model. It is a runtime that makes actions auditable and memory safe.

Agents are not blocked by intelligence.

They are blocked by trust, and trust is something you have to build, not prompt.

Sources

The figures here are reported by the vendors and papers cited, not independently verified. Read them as directional.