AI Without A Safety Net

How Marketers Are Scaling With AI in 2026

61% of marketers say this is the biggest marketing shift in decades.

Inside you’ll discover:

• Results from over 1,500 marketers centered around results, goals and priorities in the age of AI

• Stand out content and growth trends in a world full of noise

• How to scale with AI without losing humanity

• Where to invest for the best return in 2026

Get Your Report

Let's Call It Working-Without-A-Net Engineering

Anthropic announced Claude for Small Business last week: 15 ready-to-run agentic workflows wired straight into QuickBooks, PayPal, HubSpot, Canva, DocuSign, Google Workspace, and Microsoft 365. Payroll runs. Invoices go out. Month-end close gets reconciled. Contracts get sent for signature. Campaigns scheduled and pushed. The framing is noteworthy: "Claude does the work; you approve before anything sends, posts, or pays." One sentence, one thin gate; a one-click operation working without a net.

The agents are what some small businesses have been begging for. A two-person dental office that runs its books in QuickBooks Online and pays subcontractors through PayPal has no practical need for a CFO; there's potency in typing out "close out April" and seeing it happen. The intent is right, the integration list is right, and the framework keeps at least the most crucial human in the loop.

I want to be clear that I'm not going after the product or its premise.

The implementation should give every dev on this list at least a moment's pause, because the deploy gate Anthropic shipped is a simple UX confirmation, not an engineering gate. The lay owner sees "Claude wants to send 47 invoices. Approve?" Click. They have no way to tell which of those 47 invoices the system can pull back if a duplicate-customer mistake pops up five minutes later, which ones land in a recipient's inbox and become irreversible the moment they leave the SMTP queue, and which one is the bookkeeper's actual bill-pay button that wires money to a vendor's account in clearing within the hour. The button reads the same in all three cases, but the blast radius is wildly different in each, for a group of people who mostly don't want or need to think about this while trying to keep their businesses off the ground.

Companion script for this issue: agent-net. Reads an MCP tool manifest (or a flat JSON list) and classifies each tool by reversibility tier. Details in the Quick Tip below..

For Further Reading

• Introducing Claude for Small Business (Anthropic, May 13, 2026). The announcement, the 15-workflow inventory, and the framing sentence this issue is responding to.

• Bashmatica! #014: Anthropic Chose Blackmail 96% Of The Time. The deploy-gate framing this issue extends, one layer up.

• Bashmatica! #013: The Schema Validated. The Values Lied. The wrapper-versus-contents distinction the trilogy was built on.

• OWASP Top 10 for LLM Applications: Excessive Agency. The security community's nearest naming for this failure class.

One-Click Pony

The announcement is precise about one thing and quiet about another. It's precise that a human approves before the agent sends, posts, or pays; the consent gate's real, the button exists, the workflow doesn't proceed without the click. It's quiet on what the human is actually approving. The owner of a five-person catering company sees "Approve and run" on a workflow that strings together a QuickBooks query, an email draft, an Instagram post, and a DocuSign envelope to a venue partner. Four actions. Four reversibility profiles. One button, one click, no turning back.

Reversibility is what the consent gate is implicitly trading on, and what it's worst at surfacing. A QuickBooks query is read-only: worst case, the agent looked at data it shouldn't have. An email draft sitting in Gmail is reversible-write: nothing's left the perimeter, the draft can be deleted. An Instagram post is irreversible the instant the API returns; the post can be deleted, but the screenshot's already in someone's group chat by then. A DocuSign envelope to a venue partner is privileged-blast-radius: it triggers a counterparty notification, lands on a legal calendar at the recipient's company, and can produce a signed contract any time the counterparty clicks through.

Anthropic's button doesn't distinguish between any of these. The agent pushes through four reversibility tiers stacked end-to-end, and the human on the button (probably juggling more non-technical than technical tasks to keep the day running) sees one approve action with no way to tell which of the four it's for. That's the consent gate doing UX work the engineering layer was supposed to do further up the stack. The catering owner can't be expected to draw this distinction between two Tuesday-morning meetings; the product premise is that they shouldn't have to. The classification has to live in the tool manifest, the surfacing at the gate, the no-fire-without-confirmation guarantee in the agent's runtime.

Many will argue that this is what observability is for. The audit log records what fired; if a bad action shipped, the audit log will show it.

The quick retort is show it to who?

The small business owner wearing every hat in the company is the last person with the time to parse through logs. What happens next is an LLM conversation, and whether the owner resolves the problem or ends up buried in several more depends almost entirely on what the conversation's context window holds at that moment.

An Empty Barn Needs No Doors

The exposure for builders is anywhere a customer-facing agent holds a tool whose action lands on someone outside your company. Three concrete cases:

Customer-service agent with refund, cancellation, and escalation tools. A subscription company ships a Claude-powered support agent with three tools: process-refund, cancel-subscription, escalate-to-human. The agent has a reversibility budget it doesn't know about. A refund in error is clawed back only if the customer hasn't withdrawn the funds (sometimes hours, sometimes never). A cancellation is reversible only if the customer agrees to sign up again from scratch, which they often won't. An escalation is fully reversible (nothing's happened yet), but the agent treats it as the most expensive because it surfaces a human interruption. The bias runs backwards from the actual reversibility cost: without classification visible at runtime, the agent picks by which actions feel weighty, not by which can be undone.

Sales-ops agent with send-email and schedule-meeting tools. An outbound agent drafts personalized follow-ups and pushes them through the company's send pipeline. It also has calendar write access to book 20-minute discovery calls into a sales rep's calendar. Both tools are irreversible from the recipient's point of view: the email's in the inbox the moment SMTP returns, the calendar invite lands on the prospect's schedule the moment the API returns. The cost of a bad email lands on the prospect, now someone who's been cold-sold by a bot whose owner has never met them. The cost of a misbooked meeting lands on a sales rep who didn't approve it and has to defend it to a prospect who agreed to a 20-minute call they didn't want. Neither cost lands on the agent's owner, the only person in the approve loop. The failure here is calling "user-approved" the perimeter when the actions sail across it onto people who never consented.

Multi-agent chain where Agent A's read becomes Agent C's commit. A pipeline runs three agents: Agent A pulls CRM activity as read-only research, Agent B summarizes into a brief, Agent C drafts and sends a personalized retention offer. Agent A's surface is read-only. Agent B's is reversible-write. Agent C's includes an irreversible send. The blast radius compounds invisibly because each agent only knows its own classification, not the cumulative reversibility of the chain. A subtle misread by Agent A propagates through Agent B's brief and lands as a real-world offer in a customer's inbox at Agent C's send step, addressed by name, referencing the wrong tier or renewal date, whatever Agent A got wrong four hops back. The action that committed the chain is at the end, on an agent without the context to know it was the one that mattered.

The common denominator: reversibility classification has to live at the system level, not the individual agent. Agents don't know their action surface, or whether they're the early-stage reader or late-stage committer in a chain. Wire the classification into the tool manifest, surface it at every approve gate, enforce it as a hard refusal that won't fire irreversible or privileged-blast-radius actions without explicit second-factor confirmation.

There’s No Undo Button

This is what tool permissions, scopes, and OAuth grants are for, right? The owner authorized the agent to access QuickBooks and PayPal during OAuth setup; the authorization's the consent gate, the per-action button's a courtesy. The system worked as designed.

Right?

The objection is correct on its face and incomplete where it matters. OAuth scopes define what the agent's allowed to do; they don't define which actions are reversible. A bookkeeper.write scope doesn't distinguish a journal-entry write (deletable by the next action) from a bill-pay write (an ACH transfer clearing in a window the owner can't see into). The OAuth layer is necessary plumbing; it isn't a reversibility classifier, and treating it as one is the category mistake the Claude for Small Business product is making at the surface.

The shared-responsibility analog from last week applies here, with a twist. AWS draws the line between security of the cloud and security in the cloud because the consequences on each side are well-defined. The foundation-model equivalent draws the line between the model's behavior and the deployment's actions; the lab's on the hook for what the model produces, the builder's on the hook for what the deployment does with it. Anthropic ships the model and the scaffolding. The deployer (say, a dental-office owner clicking through a setup wizard between two patients) owns the action surface. The product premise is that the deployer doesn't have to know this, which is the part that should worry anyone building a customer-facing agent on Claude. Whatever Anthropic ships to small businesses this quarter is what your customers will expect from your agent next quarter, and they'll assume the deployer is you.

The mitigation isn't "wait for the platform to ship reversibility classification." The platform will ship it eventually, scoped to whichever failure class produced the loudest customer complaint first. The mitigation is to classify every tool by reversibility before wiring it in, bias the agent toward reversible tools when both options exist, surface the classification at every approve gate, require second human confirmation on every irreversible and privileged-blast-radius action, and log every action with its reversibility tag. The probabilistic layer will produce tool-call decisions you can't predict. The deterministic wall lives at the runtime gate around the irreversible tools, not at the platform's UX confirmation button. That wall is the net Anthropic didn't string for you.

That's the same thesis the trilogy's been circling, extended one layer. Calculate the values, in #12. Verify the contents, in #13. Instrument the behaviors, in #14. Classify the actions, in this one. The probabilistic layer is the same in every case; what changes is the surface that lets a bad output land somewhere you can't take it back from.

Benchmark against 2,000+ private B2B SaaS and AI companies

Is your growth in-line with your peers in B2B SaaS & AI? 

Key takeaways from the report: 

• Average growth across 2,000 companies

• Growth by revenue band 

• AI-led vs AI-enhanced. Who performed better?

Quick Tip: Agent-Net

I've posted agent-net, a bash script that reads an MCP tool manifest (or a flat JSON list) and classifies each tool into one of four reversibility tiers. Anything ambiguous defaults up a tier; the cost of over-classifying is a few extra confirmation clicks, the cost of under-classifying is an unrecoverable action. The scorecard core:

# Classify a single tool entry from a manifest into a reversibility tier.
# Prints "tool_name|tier|signals" for the scorecard.
classify_tool() {
  local tool_name="$1" tool_desc="$2" tool_schema="$3"
  local tier="read-only" signals=""

  # Privileged-blast-radius: anything that touches money, contracts, or
  # external counterparty notifications by default.
  if echo "$tool_desc$tool_schema" | grep -qiE 'pay|wire|ach|invoice|contract|sign|docusign|publish|post|send.*email'; then
    tier="privileged-blast-radius"
    signals="money/counterparty"
  # Irreversible-action: outbound communication or external state change.
  elif echo "$tool_desc$tool_schema" | grep -qiE 'send|post|create|delete|cancel|refund'; then
    tier="irreversible-action"
    signals="outbound/state-change"
  # Reversible-write: internal writes with a clear undo path.
  elif echo "$tool_desc$tool_schema" | grep -qiE 'draft|save|update|write'; then
    tier="reversible-write"
    signals="internal-write"
  fi

  echo "${tool_name}|${tier}|${signals}"
}

Run it against a tools/list response or flat JSON inventory; it emits a markdown scorecard with counts of irreversible and privileged actions. --strict mode exits non-zero on any tool above reversible-write that lacks requires_confirmation: true, so you can wire it into deploys as a release gate. Full implementation in the bashmatica-scripts repo.

Quick Wins

🟢 Easy (15 min): Write down every tool wired into your highest-stakes agent and assign each one to a reversibility tier by hand. Default ambiguous tools up a tier. It's the seed for everything that follows, and the part most teams skip because it feels obvious until they try it.

🟡 Medium (1 hour): Run agent-net against the same agent's tool manifest and diff against your hand-written classification. The script is conservative; it'll surface tools you classified as reversible that have a counterparty-notification side effect you forgot. Commit the reconciled classification alongside the agent's deploy config.

🔴 Advanced (half day): Wire the classification into the runtime as a hard refusal gate. Any tool classified irreversible-action or privileged-blast-radius requires second human confirmation captured outside the agent's UI (Slack approval, email reply, PIN on a separate channel) before firing. Log every fired action with its reversibility tag, the confirming human, and the timestamp.

Next Week

How agents end up holding tools they were never explicitly granted, why the failure mode is implicit privilege escalation through tool chaining, and a companion script for diffing runtime tool sets against declared manifests.

Anthropic shipped Claude for Small Business with the right intent and the wrong implementation: one consent gate covering four reversibility tiers, a button that reads the same whether the agent's querying a database or wiring money. Small businesses will adopt it; the action surface is going to land in customer-facing pipelines whose owners haven't classified a single tool. The deploy gate that classifies, surfaces the classification, and refuses to fire the irreversible ones lives in your runtime, not in the platform's UX. You're the net Anthropic didn't string. Nobody else is going to.

Your tool list is a budget. Spend it like the actions are real. To whoever's on the receiving end, they are.

P.S. The interesting part of the announcement isn't the integration list, which is what many small businesses have been asking for. It's the framing sentence: "Claude does the work; you approve before anything sends, posts, or pays." Six verbs, one button, four reversibility tiers stacked behind it. The button's doing engineering work the engineering layer was supposed to do, and the owner's absorbing the cost when classification fails. If you've shipped a customer-facing agent on top of Claude and assumed the platform's tool-permission layer covers the action surface, this is the cheapest reminder you're getting that it doesn't. If this issue helped you find an unclassified irreversible tool, forward it. If a colleague forwarded this to you, subscribe at bashmatica.com.