Agentic UX

An explicit, plain-language description of which resources, accounts, and actions the agent can reach. Shown at enrollment and on demand inside the surface, not only in a legal document.

Permissions that expire by default (an hour, a day, a session) rather than persisting until explicitly revoked. Users re-authorize on a visible cadence.

Per-capability toggles (read email vs. send email; view calendar vs. book calendar) instead of all-or-nothing grants. Each capability can be revoked independently.

A surface that reminds the user which permissions the agent currently holds and when they were last reviewed. Prevents grants from accumulating invisibly over months.

A dry-run mode that shows exactly what the agent would do (files touched, emails drafted, calls made) before granting real execution rights. The user promotes from preview to execute.

One-click revoke, visible in the same surface where consent was granted. Revocation should be at least as easy as granting, ideally easier.

Every proposed action is labeled by how easily it can be undone: fully reversible (draft), partially (DB row with a backup), or not (sent email, charged card). Users see this before approving.

A chronological, human-readable log of everything the agent did, with the ability to inspect inputs, outputs, and side effects for each step. The trail is the primary debugging surface.

A compact preview of how many records, files, or users a proposed action would affect. The user sees "will rename 412 files across 37 folders" before approving.

Named snapshots before significant actions, with a visible restore button. Works whether the state lives in the app, a codebase, or an external API with a supported undo window.

High-impact actions run on a delay (5s, 30s, 5 min) during which a single click cancels. Trades a moment of latency for a wide margin of user control.

Proposed changes rendered as a diff the user can read line-by-line (for text, for settings, for database rows), not just described in prose.

Three discrete modes, chosen per task or per session: the agent suggests only, confirms each step, or executes end-to-end. The mode is always visible and one click to change.

Autonomy set at the capability level, not the app level: auto-send drafts to known contacts but require approval for new ones; auto-commit to feature branches but never to main.

A persistent indicator (color, badge, ambient shape) that makes it unmistakable when the agent is acting without asking. Users should never discover autonomy by accident.

Rules that auto-demote autonomy when risk crosses a line: dollar amount, user impact, novelty. Crossing the threshold hands control back to the human before execution.

Time- or action-count-bounded grants of autonomy: "run unattended for 30 minutes or 50 actions, whichever comes first, then pause for review." Prevents runaway sessions.

A predicted cost range (tokens, dollars, minutes) shown before the agent begins, with the same precision the user is about to spend at.

User-set caps per task, per day, per account. The agent stops when the cap is hit and asks, rather than billing through it.

Live counters during execution: tokens consumed, dollars spent, steps remaining. Ambient enough to ignore when fine, obvious enough to notice when off.

After a run, a breakdown the user can inspect: which tool calls cost what, which steps were retries, where the time and dollars went.

Honest time estimates for long-running agents (seconds vs. minutes vs. hours), and a way to walk away and come back without losing state.

Budgets that persist across sessions, users, and devices. Starting a new chat should not silently reset a cap the user cared about.

A clear mechanism for what context moves when the agent crosses an app boundary: credentials, history, files, preferences. Users can inspect and edit the handoff payload.

Permissions scoped per destination app, not once globally. Granting Gmail access does not implicitly grant Google Drive access inside the same agent.

When one agent invokes another, the UI shows the chain: who called whom, with what payload, under which permissions. Handoffs are first-class citizens, not hidden plumbing.

Legible auth flows when an agent acts across identity domains. The user sees which identity is performing each step and can revoke any link in the chain.

Clear records of which agent (and which human) is responsible for each action across the chain. Essential for audits, incident reviews, and shared accountability.

Explicit, visible starts and stops for listening, watching, or running. Wake words, hardware indicators, and time-boxed sessions, not an ambiguous always-on state.

Low-attention signals (a color, a shape, a sound) that convey agent state without requiring a glance at a screen. Quiet when idle, louder when active.

A single, known gesture to pause or cancel an ambient agent: a word, a button, a hand sign. Works the same way regardless of what the agent is doing.

Explicit voice or multimodal confirmation before irreversible actions, not a silent "sure, done that." The user hears or sees the exact action before it commits.

The agent knows who is speaking, acts on the right permissions, and can say so. "I heard Alex ask me to pay the bill; Alex does not have billing access." Shared devices demand it.

Each agent has a stable name, version, and capability set the user can point at. Distinguishes which agent did what when multiple are in play.

A plain-language "what I can do and what I cannot" surface, kept current as capabilities change. Users should never have to test the limits to learn them.

Honest signaling when the agent hit a wall: unknown, blocked, rate-limited, low confidence. The failure mode is named, not hidden behind a hopeful paraphrase.

Every external artifact the agent produces (commit, email, ticket, message) carries legible attribution. Downstream humans can tell what was agent-authored.

A one-click, user-owned export of agent activity: inputs, tools called, outputs, costs. Works for compliance and for the user reviewing their own history.