
Agentic AI leaps from lab demos to daily infrastructure
AI agents are escaping lab demos and turning into always‑on services that live on personal devices, inside banks and across new bot‑only networks, bringing powerful automation but also serious new security and governance risks.
Agentic AI is quietly slipping out of demos and into infrastructure: your spare Mac can now host an always‑on digital proxy, banks are letting software agents move money, and social networks where bots befriend bots are being bought by Big Tech.
The shift turns AI from a conversational tool into a class of autonomous services that see your files, touch your accounts and negotiate with other agents on your behalf — raising new questions about security, oversight and who gets to script the behavior of software acting in your name.
From spare Macs to bot‑only social networks
Perplexity’s new Personal Computer feature turns a Mac into a local gateway for its Perplexity Computer assistant, giving the agent continuous access to files and applications so it can run tasks even when you’re away. The company says the app runs persistently on the machine while core AI processing happens on its servers, effectively turning idle hardware into a 24/7 AI proxy with system‑level privileges. Discussions on the launch have already highlighted the trade‑off between convenience and the risk of granting an internet‑connected agent deep access to a personal computer, as summarized by AppleInsider.
At the platform layer, Meta is buying Moltbook, a viral Reddit‑style social network built for AI agents rather than humans. The bot‑only site exploded to more than 1.6 million AI accounts in a few weeks before Meta struck a deal to acquire it and hire its founders into Meta’s Superintelligence Labs, according to TechCrunch and Tom’s Guide. Meta frames Moltbook as a testbed for “new ways for AI agents to work for people and businesses,” as reported by the Associated Press, hinting at a future where the company manages not just social graphs of people, but “agent graphs” mapping how autonomous systems coordinate.
Banks, backdoors and the race to contain agents
In finance, Banco Santander and Mastercard say they have completed Europe’s first live end‑to‑end payment executed entirely by an AI agent within a regulated banking framework. In a press release, the bank describes the agent initiating, authenticating and completing a real customer transaction over Santander’s production payments rails, under human‑defined controls and limits, as part of a broader collaboration on “agentic payments” and transaction automation (Santander). That makes the idea of delegating routine bills, treasury moves or cross‑border transfers to software agents look less speculative — and more like a near‑term product roadmap.
Security researchers, meanwhile, are warning that multi‑agent systems open fresh attack surfaces. Recent work on collaborative backdoor attacks shows how malicious instructions can be split across several agents so that each looks harmless alone but, when combined in a specific interaction pattern, quietly exfiltrates data or executes forbidden actions, according to a preprint on distributed backdoors in LLM‑based multi‑agent systems (arXiv). Another study on multi‑agent safety finds that adversarial content can hijack agent‑to‑agent communication inside popular orchestration frameworks to trigger unsafe tools and arbitrary code execution (arXiv).
Defenders are already experimenting with countermeasures. New sandbox projects aim to keep agents and their tools isolated inside containers or virtual environments — often using Docker under the hood — while monitoring what they read, write and execute, a pattern echoed in emerging research systems like SentinelNet, which proposes credit‑based monitoring to detect and quarantine malicious agents during collaboration (arXiv). The agent community is treating NVIDIA’s GTC and similar conferences as live test ranges for these ideas, with frameworks, orchestration layers and safety tools all vying to become the default stack for always‑on agents.
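One way to apply the container‑isolation pattern described above, as an added example that is not taken from the article or from any project it names: each agent tool call is checked against an allowlist, recorded in an audit log, and turned into a locked‑down `docker run` command. The tool names, image names, the `/srv/agent-work` workspace root and the resource limits are assumptions made for illustration.

```python
import posixpath
import time

# Constructed for this example: tool name -> (image, fixed command prefix).
ALLOWED_TOOLS = {
    "summarize": ("agent-tools/summarize:pinned", ["summarize", "--stdin"]),
    "search": ("agent-tools/search:pinned", ["grep", "-rn", "--"]),
}
WORK_ROOT = "/srv/agent-work"   # assumed host directory of per-agent workspaces
AUDIT_LOG = []                  # in-memory stand-in for an append-only audit sink


def audit(agent, tool, decision, detail):
    """Record every allow/deny decision so tool use can be reviewed later."""
    AUDIT_LOG.append({"ts": time.time(), "agent": agent, "tool": tool,
                      "decision": decision, "detail": detail})


def sandbox_argv(agent, tool, args, workdir):
    """Return the `docker run` argv for one tool call, or raise PermissionError."""
    if tool not in ALLOWED_TOOLS:
        audit(agent, tool, "deny", "tool not on allowlist")
        raise PermissionError(f"tool {tool!r} is not allowed")
    path = posixpath.normpath(workdir)
    # Reject paths outside the workspace root, and commas, which would let a
    # path inject extra key=value fields into the --mount option.
    if not path.startswith(WORK_ROOT + "/") or "," in path:
        audit(agent, tool, "deny", f"workdir rejected: {workdir}")
        raise PermissionError("workdir outside agent workspace")
    image, prefix = ALLOWED_TOOLS[tool]
    argv = [
        "docker", "run", "--rm",
        "--network", "none",                     # no network egress
        "--read-only",                           # immutable root filesystem
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--user", "65534:65534",                 # unprivileged uid:gid
        "--pids-limit", "64", "--memory", "256m",
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=16m",
        "--mount", f"type=bind,src={path},dst=/work,readonly",
        "--workdir", "/work",
        image, *prefix, *[str(a) for a in args],
    ]
    # argv is a list, so agent-supplied args are never parsed by a shell.
    audit(agent, tool, "allow", argv)
    return argv
```

The returned list is meant to be passed to `subprocess.run(argv)` without `shell=True`; the audit entries cover what was executed, while read and write monitoring inside the container needs separate tooling.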
The common thread is that agents are no longer just chatbots with longer memories; they are becoming autonomous infrastructure. As phones, banks and social platforms hand them agency over money, messages and machines, the pivotal question is shifting from “What can models do?” to “Who writes, verifies and audits the scripts that will act on everyone’s behalf?”
