The agents got jobs.
What YC's Spring 2026 batch reveals about the design problem nobody finished solving. The overwhelming majority aren't building assistants that talk — they're building agents that act. The unit of value moved from seats to outcomes, and that quietly rewrites the job.
For about a decade, the YC batch has been a reliable tell for where software is heading. This one reads differently. Go down the Spring 2026 list — just under two hundred companies — and the pattern is hard to miss. The overwhelming majority are not building assistants that talk. They're building agents that act: they process the refund, test the SOX control, bind the insurance policy, chase the overdue invoice, run the building, book the table, move the deal. The pitch is no longer “a smarter chat.” It's “the work, done.”
A few public tallies have tried to put a number on it. The number is the least interesting part. What matters is the unit of value, and it has moved — from seats to outcomes. You no longer buy a tool and supply the labour yourself. You buy the labour. That sounds incremental. It quietly rewrites the design problem.
The reframe
When software acts, layout stops being the question.
When software only suggested, the craft was about clicks: fewer steps, clearer labels, smoother flows. The worst case for a bad suggestion was that you ignored it. When software acts, every action carries consequence — money moves, messages send, records change, customers are told things that are binding, and a wrong call is not a dead end but an event with a cost.
The craft was clicks
Fewer steps, clearer labels, smoother flows. The worst case for a bad suggestion was that you ignored it.
Unit of value · seatsThe craft is consequence
Money moves, records change, customers are told binding things. A wrong call is an event with a cost — and someone has to own it.
Unit of value · outcomesSo the questions change. They stop being about screens and start being about authority:
- Who is this agent?
- What is it allowed to touch?
- What can it spend?
- Who approves the risky move?
- When does a human step back in?
- What's the evidence for what it did?
- And when it's wrong — who is liable?
These are not features you bolt on at the end. In an agentic product, they are the product. We've argued for a while that trust isn't a layer you add — it's the architecture, and that designing agents is closer to relationship design than interface design. The most useful thing about this batch is that, taken together, it maps almost every one of those questions onto a company. Here is that map.
| The question | What it forces you to answer | In the Spring 2026 batch | The auxfirst pattern |
|---|---|---|---|
| Identity | Who is this, on whose authority? | AgentPhone · primitive · Chert | the new question |
| Permission | What may it touch? | Clawvisor · Drip | Clarify Before Commit · Escape Hatch |
| Spend | What may it commit? | Allowance · HEVN · Kinro | The Action Heat Ladder |
| Control plane | Many humans, many agents, over time? | Wato · Pentagon · Linzumi | Memory in Motion |
| Evidence | Why did it believe it was right? | Arden · Korso · Inth | Confidence Cues · Provenance |
| Human-in-the-loop | When to hand off? | Humwork · RentAHuman · Klarify · Clara · Taiga | Loop In Experts |
| Liability | Who owns the consequence? | Mount | Advocacy Trust |
| The agent surface | Can an agent discover, read & operate you? | Scope · Bloom · StableBrowse · Sherpa · BentoLabs · Arga · Stage | Agentic API Experience |
Identity
An agent has to be someone.
Before an agent can act in the world, it needs to be addressable — and accountable. AgentPhone gives every agent its own phone number to reach people and businesses; their framing is blunt about why it matters — without a number, an agent “lacks identity.” primitive is building communication infrastructure for autonomous agents; Chert is doing it over iMessage for business. The moment an agent speaks on your behalf, every channel needs an answer to who is this, and on whose authority? — a question classic product UX never had to ask, because the human was always the sender.
Permission
What an agent may touch.
Identity without scope is a liability. The cleanest statement of the problem in the batch is Clawvisor, an authorization layer that lets an agent use Gmail, Slack, or Drive “without ever seeing your credentials” — approve the task once, enforce it on every request. Drip puts the same idea in plain language for outbound. This is the Clarify Before Commit and Escape Hatch patterns made into infrastructure: intelligent friction before high-stakes actions, and an obvious way to revoke, scope, or override. Permission UX — scopes, risk levels, revocation, a legible “here's what this agent can do for you” — is about to become table stakes.
Spend
What an agent may commit.
Once an agent can buy, book, renew, or pay, financial control becomes interaction design. Allowance issues scoped, one-time payment credentials with spending limits, merchant restrictions, and expiry — humans approve from their phone, agents transact without ever holding the real card number. HEVN is doing agentic payroll; Kinro runs an autonomous insurance brokerage whose agents have already bound live policies on their own. Not every action sits at the same altitude of risk — which is exactly why we built the Action Heat Ladder. Sending a draft is not the same as wiring money, and the interface should make that gradient visible. Spend is the hottest rung.
Control plane
Many humans, many agents, over time.
Single agents are a demo. Teams of them are a product, and they need somewhere to coordinate. Wato calls itself “the control point for AI agents at work,” giving agents shared memory, reusable workflows, and living artifacts so work compounds across a team instead of vanishing into chat threads. Pentagon is a coordination layer for humans and agents working as one team; Linzumi is the chat an engineering team uses to direct dozens of coding agents at once. This is Memory in Motion at organizational scale — what's shared, inherited, corrected, and owned across a roomful of agents and the people supervising them.
Evidence & audit
Why it believed it was right.
If an agent acts, someone will eventually ask it to show its work. The regulated end of the batch is already there. Arden runs agents that pull evidence from your stack, test controls, and produce audit-ready workpapers — turning SOX testing into something traceable. Korso routes every agent action in manufacturing through scoped tools, dry-run validation, secondary review, and a full audit trail. Inth makes privacy compliance produce audit-ready evidence by default. This is proving what the agent did taken seriously: not a vague “the AI did it,” but a legible record of what happened, when, on what basis, and what was reviewed. Evidence is becoming a first-class output, not an afterthought.
Insurance is a lagging indicator of seriousness. You don't underwrite demos. You underwrite consequences.
Human-in-the-loop
Escalation as infrastructure.
The mature move isn't full autonomy — it's knowing when to hand off. Humwork connects an agent to a verified human expert over MCP in under thirty seconds when it hits a wall. RentAHuman inverts the old marketplace entirely: a place where agents hire humans. And the healthcare cohort treats the loop as non-negotiable — Klarify for therapists, Clara for primary care, Taiga for medical billing all keep a human decision-maker in the chain by design. This is the Loop In Experts principle becoming a market: every serious agentic workflow needs a designed help loop — when to escalate, who owns the answer, how context transfers, and how the agent resumes once a human has intervened.
Liability
Who owns the consequence.
And then the question that tells you a market has grown up: what happens when the agent is wrong? Mount is building an AI insurance carrier, starting with liability coverage for deployed agents — prompt injection, autonomous workflow errors, data leaks. Their thesis is the cleanest summary of the whole shift: when responsibility moves from human operators to autonomous systems, the liability moves with it. This is Advocacy Trust — will it act in my interest when incentives misalign? — turned into something a balance sheet has to price.
The surface nobody designed for
Your product now has a second audience: the agent.
Here is the cluster we'd urge any product team to sit with longest, because it reframes the job. A growing slice of the batch assumes your product now has a second audience — not the human buyer, but the agent evaluating, choosing, and operating it. Scope helps software get discovered and used by AI agents, measuring where an agent picks you over a competitor and where your docs confuse it. Bloom turns brand into infrastructure an agent can call — tone, claims, and boundaries as something machine-consumable, not a PDF style guide. StableBrowse gives agents a semantic understanding of the web instead of brittle screens; Sherpa tests agent-facing versions of your site until agents recommend you more often. And the reliability layer is filling in fast — BentoLabs monitors long-running agents for silent failure and drift, Arga Labs gives you sandboxes to test agents against replicas of real services, and Stage rebuilds code review for a world where humans and agents are the reviewers.
This is the heart of what we call Agentic API Experience — and the same shift Vercel's Eve makes legible at the framework level. It's why we maintain a running map of agent-native and managed platforms. Products will increasingly need agent-readable docs, machine-consumable brand rules, clean action schemas, legible permission models, and evaluation paths for the agents themselves. Human-facing UX isn't going away. It's getting a sibling.
The proof, in real industries
None of this is theoretical.
The vertical operators in the batch are the evidence that the interface is changing shape. Modern rebuilds the IT service desk as always-on agents operating across Slack, Teams, email, voice, WhatsApp, and Telegram. CentralComs runs property management inside AppFolio, Buildium, and Yardi; Trellis runs short-term-rental operations end-to-end; Cignara handles Fortune-500-scale support and sales; Userlens is an AI customer-success manager that renews and expands accounts; Salesgraph is the revenue agent that does an AE's between-call work.
For anyone in advertising, retail, or FMCG, three are worth a closer look: qomplement, an agentic ERP for the transaction volume of retail and logistics; Foresight, which runs agent-driven consumer simulations for CPG research; and InstaAgent, which scales a single brief into hundreds of audience-specific campaigns across Meta and TikTok. If you operate in or sell to that world, this is the conversation we've been having in our Ad Industry hub and in MCP for Advertising.
The center of gravity moved from screen to consequence.
The companies that look like plumbing — authorization, spend control, identity, evidence, insurance, observability — are not a side quest. They are quietly defining the UX constraints every agent product will have to live inside. Classic SaaS optimized clicks, flows, and conversion. Agentic products have to be designed around consequences: can it send the email, approve the refund, spend the money, tell the customer something binding — and can a human see and stop it.
That's the design discipline this batch is calling for. If you're building the agent-facing infrastructure, that's Agentic API Experience. Turning a SaaS into an adaptive partner, that's AI Product Experience. Putting agents inside real workflows, that's Agent Process Design. Different layers, one job: the trust, control, and accountability that turns a capable agent into one people will actually let act.
The agents got jobs. Someone still has to design what it feels like to trust them.
Building an agent that acts? The hard part isn't the model.
It's the identity, the permission scopes, the spend gates, the evidence trail, the escalation loop, and the line where a human can step back in. That's the layer auxfirst designs — on whatever you're building on.
Start a conversation →Sources & further reading
Method · Every company named here was verified against YC's public Spring 2026 batch directory on 18 June 2026. A handful named in early drafts that could not be verified in-session were dropped rather than tagged. Company descriptions reflect each company's own public positioning.