One Cloud Platform, One Scoped Identity
In July 2026, AWS announced an ERP automation agent that processes invoices, matches payments, and clears purchase order exceptions — tasks that accounts receivable teams currently handle by hand. The agent ships with deny-by-default permissions: it can only touch the specific ERP resources its role allows, it carries a separate identity from the human who configured it, and every action is logged against that identity. None of this is novel inside a cloud platform. IAM roles, least-privilege policies, and audit trails are standard AWS infrastructure. What makes it worth noting is the contrast with what sits on the other side of the boundary.
The Web Agents Will Cross
The AWS ERP agent operates through API calls to internal systems — it does not browse public websites. But the broader class of AI agents now emerging — research agents, procurement bots, AI assistants that summarize vendor pages — do traverse the public web. When they arrive at a site, they encounter a surface built for human browsers: HTML pages, cookie consent banners, JavaScript-rendered content. Almost none of it carries machine-readable signals about what an agent is allowed to do, what data it can extract, or how to verify its identity.
WebPulse's census of over 466,000 sites found 9 implementing WebMCP — a protocol that lets sites declare what actions an agent may take — and 28 publishing llms.txt files, a convention for telling language models what content is available and how to use it. Combined, 37 sites out of 466,000 have any form of machine-readable agent guidance. The rest offer nothing beyond robots.txt.
Blunt Instruments vs. Scoped Identity
Robots.txt is ubiquitous and has been the web's crawl-control mechanism for decades. But it is a blunt instrument: allow or deny an entire user-agent string, with no concept of scoped permissions, credentialed identity, or least-privilege access. A robots.txt entry cannot distinguish between a search engine indexer, a price-scraping bot, and an AI research agent acting on behalf of a specific user with a specific task. It cannot grant read access to public documentation while denying access to pricing pages. It cannot verify that the agent is who it claims to be. What AWS built for its ERP agent — scoped identity, per-action permissions, audit logging — is the model the public web currently lacks.
The Gap in Numbers
Inside cloud platforms, agent identity is arriving fast. AWS, Google Cloud, and Azure all now offer some form of agent-scoped IAM or service identity. Outside those platforms — on the open web where agents increasingly operate — the infrastructure barely exists. The 37 total signals across more than 466,000 sites represent an adoption rate that rounds to zero. For budget-signers evaluating whether their public web presence is ready for an agent-mediated world, the answer the data gives is unambiguous: it is not.


