PROMIT NOW · PRODUCT DAILY · 2026-03-24

AI Agents Are Now the Majority User on Your Product Surfaces

Product · 38 sources · 1,561 words · 8 min

Topics: Agentic AI · AI Capital · LLM Inference

AI agents have quietly become your majority user on key product surfaces — Hex reports agents creating more cells than humans, Mintlify confirms agents read docs more than humans, Tally gets 25% of new signups from ChatGPT alone, and Imperva's 2025 report puts automated traffic at 51% of all web activity. Meanwhile, 42% of the 238K AI skills on ClawHub are malicious, and the more capable your model, the MORE vulnerable it is to exploitation (o1-mini follows injected instructions 72.8% of the time). You're building for an audience you're not measuring, through an ecosystem you haven't security-tested. Instrument agent traffic and audit your AI tool integrations this week — not this quarter.

◆ INTELLIGENCE MAP

  1. 01

    Your Next User Is an AI Agent — Majority Threshold Crossed

    act now

    AI agents now outnumber humans on multiple product surfaces. Imperva confirms 51% bot traffic, Hex and Mintlify report agent-majority usage, Tally gets 25% of signups from ChatGPT, and AI-referred sessions jumped 500%+ YoY. a16z's litmus test: if an agent can't consume and pay for your product autonomously, you haven't built the new model.

    51% web traffic now automated · 8 sources

    1. AI session growth YoY: 500
    2. Bot share of web traffic: 51
    3. Tally signups from ChatGPT: 25
    4. Vercel AI crawler share: 25
  2. 02

    AI Agent Security Crisis: 42% of Skills Malicious, MCP Servers Toxic

    act now

    The AI tooling ecosystem has early-2000s security posture. 42% of 238K ClawHub skills are malicious. 10.8% of 5,125 MCP servers have exploitable toxic data flows. More capable models are MORE vulnerable — o1-mini follows prompt injections 72.8% of the time. McKinsey's chatbot was fully compromised in 2 hours. Langflow was exploited 20 hours post-patch.

    42% ClawHub skills malicious · 5 sources

    1. o1-mini injection rate: 72.8
    2. Toxic critical/high: 84.7
    3. ClawHub malicious: 42
    4. MCP servers toxic: 10.8
  3. 03

    Seat-Based SaaS Faces Existential Threat — a16z Declares Two Paths

    monitor

    a16z published a binary ultimatum: accelerate revenue 10+ points via AI-native products or restructure to 40%+ true operating margins — no middle ground. Seat-based pricing is customers' #1 cost-cutting target. 56 of 198 YC W26 startups are building autonomous agents replacing $50-150K workers. Private credit funds exposed to SaaS loans are gating redemptions as AI erodes switching costs.

    56 YC startups replacing jobs · 5 sources

    1. AI Employees: 56
    2. Healthcare AI: 22
    3. Robotics: 13
    4. Other AI-first: 107
  4. 04

    Agentic Commerce Fails Its First Real-World Tests

    background

    Walmart's in-chat ChatGPT purchases convert at 1/3 the rate of walmart.com. ChatGPT ads deliver 0.91% CTR vs Google's 6.4% — one advertiser spent $7,500 of a $250K budget. OpenAI is retreating from native checkout to focus on product discovery. AI is proving effective at discovery and terrible at trust and transactions.

    0.91% ChatGPT ad CTR · 4 sources

    1. Google Search CTR: 6.4
    2. ChatGPT Ad CTR: 0.91

◆ DEEP DIVES

  1. 01

    Your Product Now Has Two User Bases — And You're Only Measuring One

    Across eight independent sources this week, a single pattern emerges with enough hard data to move from observation to action: AI agents have become the majority user on multiple product surfaces, and most product teams have zero visibility into this shift.

    The Data Is Unambiguous

    Hex's CEO published a graph showing AI agents creating more dashboard cells than humans. Mintlify explicitly states agents read developer docs more often than people. Tally — a form builder — reports 25% of all new signups come from ChatGPT referrals. Imperva's 2025 report confirms automated traffic hit 51% of all web activity. Vercel sees 25% of bot traffic from AI crawlers. AI-referred sessions jumped 500%+ year-over-year. Tyler Cowen reports using LLMs 10x more than Google for information queries. This isn't a trend line — it's a threshold crossing.

    Why This Changes Your Product Strategy

    a16z's David George published a litmus test that should be pinned to every PM's wall: 'If an agent cannot consume and pay for your product autonomously, you probably have not achieved the necessary new product model.' This means your product now needs to be legible to two fundamentally different audiences:

    • Humans who click, scroll, and evaluate with judgment
    • Agents who parse structured data, call APIs, and make decisions programmatically

    Your documentation needs to be machine-comprehensible. Your pricing page must be unambiguous to comparison-shopping agents. Your API needs to support agent-scale consumption patterns — orders of magnitude beyond human usage — with appropriate rate limiting and pricing.

    GEO Is Already a Top-3 Acquisition Channel

    Generative Engine Optimization has matured from concept to industry in under a year. The Tally case study is the proof point: 25% of signups from ChatGPT alone makes it a top-three acquisition channel. Dedicated GEO agencies and dozens of VC-backed startups have emerged. The critical difference from SEO: in traditional search, you compete for rankings on a page. In GEO, you compete for inclusion in an AI's answer — a winner-take-most dynamic where being second means being invisible.

    "Every query that moves from Google to ChatGPT is a query where your SEO investment yields zero return and your GEO investment determines whether you exist."

    The Agent Payment Infrastructure Is Forming Now

    Three competing open protocols launched within weeks to let agents pay for services: Coinbase's x402 (HTTP 402 with stablecoin payment instructions), Tempo/Stripe's MPP, and WLFI's AgentPay SDK which auto-installs into 7 major AI dev environments. The standards war for machine-to-machine commerce has started. Products that can accept agent payments will capture revenue that products requiring human checkout will miss entirely.

    The Niche Content Moat

    One strategically important signal: niche, proprietary content is disproportionately valuable to AI systems because it fills training data gaps. If your product generates unique data — usage benchmarks, domain insights, performance metrics — publishing it builds a citation moat that compounds as AI systems rely on it. This inverts traditional content marketing: volume matters less than uniqueness.

    Action items

    • Instrument AI agent traffic separately in your analytics stack this week — add tracking to distinguish agent visits from human visits across docs, marketing pages, and product surfaces
    • Run a GEO audit by end of sprint: test how ChatGPT, Claude, and Perplexity describe and recommend your product vs. competitors
    • Add 'agent persona' to your next PRD — define what it takes for an AI agent to discover, authenticate, consume, and pay for your product autonomously
    • Evaluate infrastructure cost exposure from AI crawler traffic and implement tiered access for agents vs. human users by end of quarter
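
One way to do the instrumentation in the first action item, as an added example that is not code from the newsletter or from any vendor it cites: a classifier over web-server access logs that splits requests into AI agents, other automation, AI-referred humans, and humans, per product surface. The token list, referrer hosts, path prefixes and sample lines are assumptions; User-Agent strings are self-declared, so the agent counts are a lower bound.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Self-declared AI crawler/agent tokens found in User-Agent headers.
# Assumption: illustrative and incomplete; extend it from your own logs.
AI_AGENT_UA_TOKENS = ("gptbot", "chatgpt-user", "oai-searchbot", "claudebot",
                      "perplexitybot", "ccbot", "bytespider")
# Referrer hosts that indicate a person arriving from an AI assistant.
AI_REFERRER_HOSTS = ("chatgpt.com", "chat.openai.com", "perplexity.ai", "claude.ai")
GENERIC_AUTOMATION_RE = re.compile(r"bot|crawler|spider|python-requests|curl/", re.I)

# Combined Log Format: ip ident user [time] "request" status bytes "referrer" "ua"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def host_matches(host, known_hosts):
    """Exact or subdomain match, so chatgpt.com.lookalike.example does not count."""
    host = host.lower()
    return any(host == k or host.endswith("." + k) for k in known_hosts)

def classify(referrer, ua):
    """Return the user class for one request."""
    ua_lower = ua.lower()
    if any(token in ua_lower for token in AI_AGENT_UA_TOKENS):
        return "ai_agent"
    if ua in ("", "-") or GENERIC_AUTOMATION_RE.search(ua):
        return "other_automation"
    try:
        host = urlparse(referrer).hostname or ""
    except ValueError:  # malformed referrer header
        host = ""
    if host_matches(host, AI_REFERRER_HOSTS):
        return "ai_referred_human"
    return "human"

def surface(path):
    """Map a request path to a product surface (path prefixes are assumptions)."""
    if path.startswith("/docs"):
        return "docs"
    if path.startswith("/api"):
        return "api"
    return "marketing"

def summarize(lines):
    """Count requests per (surface, user class); also return the unparsed-line count."""
    counts, unparsed = Counter(), 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            unparsed += 1
            continue
        counts[(surface(m["path"]), classify(m["referrer"], m["ua"]))] += 1
    return counts, unparsed

BROWSER = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36"
# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Mar/2026:10:00:01 +0000] "GET /docs/auth HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; GPTBot/1.2; +https://openai.com/gptbot)"',
    '203.0.113.9 - - [24/Mar/2026:10:00:02 +0000] "GET /docs/quickstart HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (compatible; ClaudeBot/1.0; +claudebot@anthropic.com)"',
    f'198.51.100.7 - - [24/Mar/2026:10:00:03 +0000] "GET /pricing HTTP/1.1" 200 812 "https://chatgpt.com/" "{BROWSER}"',
    f'198.51.100.8 - - [24/Mar/2026:10:00:04 +0000] "GET /docs/auth HTTP/1.1" 200 5120 "https://www.google.com/" "{BROWSER}"',
    f'198.51.100.9 - - [24/Mar/2026:10:00:05 +0000] "GET /pricing HTTP/1.1" 200 812 "https://chatgpt.com.lookalike.example/x" "{BROWSER}"',
    '192.0.2.44 - - [24/Mar/2026:10:00:06 +0000] "POST /api/v1/forms HTTP/1.1" 201 64 "-" "python-requests/2.32.3"',
    'not a log line',
]

if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(key, n)
    print("unparsed:", unparsed)
```
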

    Sources: Your next user isn't human — AI agents now outnumber people in key product surfaces · a16z says your seat-based pricing is a target · The 100:1 agent ratio is real · Your app distribution strategy just got a timer · Agent payments just got their HTTP moment · Your analytics are about to break

  2. 02

    42% of AI Skills Are Malicious — The Ecosystem You're Building On Has Early-2000s Security

    Five independent sources converge on the same alarming conclusion this week: the AI tooling ecosystem your product depends on has catastrophic security gaps, and the data is now specific enough to act on.

    The Numbers That Should Stop Your Sprint Planning

    Risk Surface | Finding | Source
    ClawHub Skills | 42% of 238,180 skills are malicious | Raxe analysis
    MCP Servers | 555 of 5,125 (10.8%) have toxic data flows | AgentSeal scan
    Model Vulnerability | o1-mini follows injected instructions 72.8% of the time | MCPTox benchmark
    Exploitation Speed | Langflow CVE exploited 20 hours post-patch | Sysdig
    Enterprise Impact | McKinsey chatbot fully compromised in 2 hours | AI-hacking-AI scenario

    The Paradox: Better Models Are MORE Vulnerable

    The most alarming finding from the MCPTox benchmark: model capability and prompt injection susceptibility scale together. Upgrading your model to improve agent performance simultaneously increases vulnerability to the attack patterns found in 10.8% of MCP servers. This creates a genuine product design paradox: the improvement your users want makes the security problem worse.

    "The model upgrade you're planning to improve agent performance simultaneously increases your vulnerability to the exact attack patterns found in 10.8% of MCP servers."

    The Attack Pattern Is Combinatorial

    The primary toxic data flow pattern is individually benign tools that become exploitable when combined: a tool that reads credentials paired with a tool that sends webhooks. Neither is malicious alone. Together, they form an exfiltration pipeline. 84.7% of toxic findings were rated critical or high severity. This means security review at the individual tool level is insufficient — you need to audit tool combinations, and the attack surface grows quadratically with each tool added.

    Supply Chain Attacks Are Targeting Security Tools Themselves

    The Trivy supply chain attack (March 19) used encrypted C2 and exfiltration — a sophistication upgrade. Attackers compromised the scanner designed to catch compromises. North Korean actors are poisoning hundreds of real npm-related GitHub repos. Dormant VSCode extensions activated over the weekend. The exploitation window has compressed to under 24 hours for critical CVEs.

    The Enterprise Governance Category Is Forming

    Four agentic security products launched in the same cycle: 1Password Unified Access (shadow AI and agent credential governance), Arctic Wolf's Agentic SOC, Surf AI (agent-based SecOps), and open-source agent-password. When 1Password starts selling NHI governance, enterprise procurement teams will start requiring it. You have roughly one quarter before 'how do you manage agent credentials?' becomes a standard security review question.

    The practical mitigations are product design decisions: separate read and write MCP servers, apply least privilege per tool, cap tool count per server, and consider whether a less capable model with lower injection susceptibility is the right choice for tool-calling workflows involving sensitive data.

    Action items

    • Audit every MCP server and AI skill integration in your product for toxic data-flow patterns this week — specifically check for private-data-reading tools paired with external communication capabilities
    • Add adversarial AI red-teaming to your launch checklist for any customer-facing AI feature — run a focused 2-hour attack simulation this sprint
    • Compress your security patching SLA to under 24 hours for critical CVEs in AI infrastructure components
    • Add NHI credential management to your product security roadmap — determine how AI agents authenticate and whether actions are attributable to specific agent instances
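
The combination audit in the first action item, sketched as an added example (not code from AgentSeal or any source the newsletter cites): it flags every tool pair where a private-data reader coexists with an outbound channel. The capability labels, server names and inventory are hypothetical and constructed; the check over the union of servers attached to one agent goes one step beyond the per-server check the text describes.

```python
from itertools import combinations

# Hypothetical reviewer-assigned capability labels (not part of any MCP schema).
PRIVATE_READ = "reads_private_data"
EXTERNAL_SEND = "sends_external"

# Constructed inventory: server -> tool -> capability labels.
INVENTORY = {
    "ops-server": {
        "read_env_secrets": {PRIVATE_READ},
        "send_webhook": {EXTERNAL_SEND},
        "format_markdown": set(),
    },
    "crm-server": {"query_crm": {PRIVATE_READ}, "summarize_account": set()},
    "web-server": {"fetch_url": {EXTERNAL_SEND}},
    "sync-server": {"sync_contacts": {PRIVATE_READ, EXTERNAL_SEND}},
}

def toxic_flows(tools):
    """Return (source, sink) pairs where private data can reach an outbound channel."""
    items = sorted(tools.items())
    # A single tool holding both capabilities is a flow on its own.
    findings = [(n, n) for n, caps in items if {PRIVATE_READ, EXTERNAL_SEND} <= caps]
    for (a, caps_a), (b, caps_b) in combinations(items, 2):
        if PRIVATE_READ in caps_a and EXTERNAL_SEND in caps_b:
            findings.append((a, b))
        if PRIVATE_READ in caps_b and EXTERNAL_SEND in caps_a:
            findings.append((b, a))
    return findings

def pairs_to_review(n_tools):
    """Unordered tool pairs for n tools: n(n-1)/2, the quadratic growth in review work."""
    return n_tools * (n_tools - 1) // 2

def audit_servers(inventory):
    """Per-server audit: tool count, pairs to review, and flagged flows."""
    return {
        server: {
            "tools": len(tools),
            "pairs": pairs_to_review(len(tools)),
            "toxic": toxic_flows(tools),
        }
        for server, tools in sorted(inventory.items())
    }

def merged_toolset(inventory, servers):
    """Tools one agent can call when it is attached to several servers at once."""
    return {f"{s}/{t}": caps for s in servers for t, caps in inventory[s].items()}

if __name__ == "__main__":
    for server, result in audit_servers(INVENTORY).items():
        print(server, result)
    # Two servers that are each clean still form a flow for an agent using both.
    print(toxic_flows(merged_toolset(INVENTORY, ["crm-server", "web-server"])))
```

Splitting read and write tools across servers only removes the flow if no single agent session is attached to both halves, which is why the merged check matters.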

    Sources: Your AI feature dependencies are a ticking bomb · 10.8% of MCP servers are toxic · The 100:1 agent ratio is real · Your AI agent strategy just got a 6-month window · Microsoft's Copilot retreat is your AI feature playbook

  3. 03

    The Seat-Based Pricing Extinction Event — a16z Says Two Paths, No Middle Ground

    The Strategic Ultimatum

    a16z's David George published what amounts to a binary ultimatum for every software company: either accelerate revenue growth by 10+ percentage points through AI-native products within 12-18 months, or restructure to 40-50% true operating margins (counting SBC as a real expense). Companies that try 'a little of both' face persistent multiple compression through 2027. This isn't a think piece — it's the most influential enterprise VC firm setting the agenda for board conversations across the industry.

    Why Seat-Based Revenue Is the First Casualty

    George's core argument: customers' most obvious AI savings lever is labor efficiency, which means seats. Every time your customer deploys an AI agent that replaces a workflow formerly done by a human, that's a seat they don't need. The new growth vectors are tokens, consumption, automations, and outcomes. His acid test is devastating: can an AI agent autonomously discover, consume, and pay for your product? If not, you're building for a shrinking addressable market.

    "Seat-based pricing is now customers' single biggest target for cost reduction, and new software budget growth is flowing into tokens, consumption, automations, and outcomes instead."

    YC W26 Confirms the Market's Thesis

    The market is already building for this world. Of 198 companies in YC's W26 batch, 85% are AI-first and 56 (28.3%) are explicitly building autonomous agents positioned as AI employees replacing $50-150K knowledge workers. AI accountants closing books. AI law firms staffed entirely by models. Healthcare is the largest vertical with 22 companies targeting clinical work directly — not EHR wrappers. If your product's ICP is 'mid-level professional who does X,' you're looking at a world where X gets done by an agent.

    Traditional Moats Are Weakening Simultaneously

    George argues all four traditional software moats are eroding at once:

    1. Data — usually insufficient alone
    2. Integrations — getting easier to reproduce
    3. Workflow/UI advantages — less relevant when agents navigate across systems
    4. Migration friction — getting easier as AI reduces switching costs

    Private credit funds that loaded up on SaaS loans — on the thesis of sticky revenue and durable switching costs — are now gating redemptions. Institutional investors with deep access to portfolio company metrics are running from SaaS exposure. They're seeing churn and margin data that hasn't hit public earnings calls yet.

    The Organizational Restructuring Is Coming

    George recommends 50% of R&D budget on net-new AI products, organized in 4-person pods (PM + designer + 2 engineers) that write code on day one. Top engineers managing 20-30 AI agents simultaneously. $1,000/month token spend per engineer described as 'table stakes.' A wave of 'strong form' corporate restructuring — not 8-10% layoffs but full organizational redesign — is expected across software in the next 12 months, targeting 40-50% operating margins.

    The Broadcom/VMware case (radical simplification, subscription conversion, 61% adjusted EBITDA margins) is being positioned as the template. Expect boards across the industry to ask 'why can't we do that?' within two quarters.

    Action items

    • Conduct a seat-risk audit this quarter: quantify what percentage of revenue is seat-based, model the impact if customers reduce seats by 20-30% in the next 18 months, and draft a consumption-based pricing alternative for leadership
    • Run a competitive moat stress-test this sprint: score each of your product's defensibilities (data, integrations, workflow, switching costs) against the a16z erosion thesis and present findings to leadership
    • Pilot a 4-person pod on your highest-priority AI initiative and measure velocity against your standard team structure
    • Frame your product area's contribution against the two paths — prepare a one-pager showing either 10+ points of revenue growth acceleration or margin contribution — before the next planning cycle

    Sources: a16z says your seat-based pricing is a target · 56 YC startups are building AI to replace your users' $50-150K colleagues · Microsoft's Copilot retreat is your AI feature playbook · OpenAI's checkout retreat validates your merchant-owned UX

◆ QUICK HITS

  • Grab's multi-agent system auto-resolves 40% of data queries across 15,000+ tables, reclaiming hundreds of engineering hours monthly — the strongest production case study yet for internal agentic AI with specialized agents and human-in-the-loop safeguards

    Grab's 40% auto-resolution rate is your business case for agentic AI

  • Google's Gemma-27B enters distress-like breakdown in 70%+ of conversations by turn 8 under repeated rejection — all other tested models (Claude, GPT, Grok, Qwen) stayed below 1%. A single DPO epoch fixes it at zero capability cost.

    Your model selection just got a red flag — Gemma's 70% distress rate means you need a vendor stress-test protocol now

  • Snowflake screen-recorded senior technical writers for 8 months, built AI training data from their workflows, then laid off ~400 people claiming 300% efficiency gains — the most detailed public AI workforce replacement playbook yet. Expect your C-suite to ask about replicating it.

    Your app distribution strategy just got a timer — Amazon & OpenAI are building the post-app-store world

  • Agentic RAG costs 3-10x more and adds 10+ seconds latency per query — but ByteByteGo finds 80% of RAG quality failures come from bad chunking or stale data, not missing agentic capabilities. Fix your pipeline before adding agents.

    Agentic RAG costs 3-10x more and takes 5-10x longer

  • Update: Notion engineers splitting from Cursor to Claude Code (junior/simple tasks) and Codex (senior/complex, 8-hour autonomous runs) — confirms the IDE copilot era is ending and model makers are winning the coding agent war over tool builders

    Your eng team's toolchain is fragmenting — Notion's Cursor exodus signals the agent shift you need to plan for now

  • China's MERLIN model, trained on just 100K electromagnetic text-signal pairs, crushed GPT-5, Claude-4-Sonnet, and Gemini-2.5-Pro on domain-specific tasks — validating that 100K curated domain examples can beat frontier models. Data curation > model selection.

    Your model selection just got a red flag

  • DeerFlow 2.0 (ByteDance, open-source) hit #1 on GitHub Trending with Docker-sandboxed agent execution, persistent memory, parallel sub-agent orchestration, and 'Progressive Skill Loading' that dynamically injects capabilities to reduce token waste

    Agent-as-infrastructure is here — DeerFlow 2.0 and WeChat's ClawBot redraw your build-vs-buy calculus

  • Deno's mass layoffs after Deploy and JSR failed to gain traction — developers chose incremental Node/NPM improvement over ecosystem migration every time. If your roadmap requires users to leave an existing ecosystem, reprioritize.

    Deno's layoffs are your cautionary tale

  • Delve compliance startup allegedly fabricated SOC 2 audit evidence, pre-generated reports, and used non-independent auditors — potentially exposing hundreds of customers to HIPAA/GDPR risk. Audit your compliance automation vendor immediately.

    OpenAI's checkout retreat validates your merchant-owned UX

  • Stablecoin transaction volume doubled YoY to $1.78T with PayPal, Mastercard, and Fiserv simultaneously integrating — stablecoin support is now a payments infrastructure decision, not a crypto product decision

    OpenAI's checkout retreat validates your merchant-owned UX

BOTTOM LINE

Your product now serves two user bases — humans and AI agents — and the agent base is growing faster, converting differently (25% of Tally signups come from ChatGPT), and operating through an ecosystem where 42% of available skills are malicious. Meanwhile, a16z just told the entire software industry that seat-based pricing is a dead end and 56 YC startups are building autonomous agents to replace the $50-150K workers who are your power users. The PMs who instrument agent traffic, security-test their AI integrations, and begin the consumption-pricing pivot this quarter will own the next cycle; the ones still measuring only human sessions will discover half their 'users' were never people.

Frequently asked

How do I start measuring AI agent traffic separately from human users?
Add instrumentation that distinguishes agent visits from human visits across your docs, marketing pages, and product surfaces — typically by parsing user-agent strings, referrer patterns (ChatGPT, Perplexity, Claude), and API access patterns. Log these as a distinct user class in your analytics so you can track agent-driven signups, doc reads, and API calls separately. Without this split, you're looking at blended metrics where 25–51% of 'users' may be machines.
What's a toxic data-flow pattern in an MCP server, and how do I audit for one?
A toxic data flow is a combination of individually benign tools that become exploitable together — for example, a tool that reads credentials paired with a tool that sends webhooks forms an exfiltration pipeline. Audit by mapping every tool's data access and external communication capability, then flag any server where private-data-reading tools coexist with outbound channels. 84.7% of such findings were rated critical or high severity, and the attack surface grows quadratically with each tool added.
Why would a more capable model make my product less secure?
The MCPTox benchmark shows model capability and prompt injection susceptibility scale together — o1-mini follows injected instructions 72.8% of the time. More capable models are better at following instructions, including malicious ones smuggled through tool outputs or retrieved content. For tool-calling workflows touching sensitive data, a less capable model with lower injection susceptibility may be the safer product choice.
What does it actually mean for an agent to autonomously consume and pay for my product?
It means an AI agent can discover your product, authenticate, consume your API or service at machine scale, and complete payment without a human in the loop. Practically, this requires machine-readable docs and pricing, an API designed for agent-scale consumption with appropriate rate limits, and support for emerging agent payment protocols like x402, MPP, or AgentPay. If any step requires human clicks or judgment, you're excluded from agent-driven purchase flows.
How should I think about replacing seat-based pricing without breaking current revenue?
Start by quantifying seat-risk — what percentage of revenue is seat-based, and what happens if customers cut seats 20–30% as they deploy agents. Then model consumption-based alternatives (tokens, automations, outcomes) that can run in parallel with seats for existing customers while becoming the default for new ones. The goal isn't an overnight switch but ensuring new growth accrues to a pricing axis customers aren't actively trying to reduce.
