The consensus says agents automate away SaaS. The architecture says something stranger: the systems of record survive, and a new system-of-action layer forms on top of them.

There is a comfortable story making the rounds that agentic AI is an extinction event for enterprise software. Agents read the dashboard, fill the form, update the record, so why keep the human-shaped application around it? The logic is tidy and mostly wrong.

A sharper version of the argument comes from a recent piece arguing that agentic AI does not kill SaaS but changes what enterprise software is fundamentally for. Its framing is worth sitting with: for twenty years the enterprise stack was built around one hidden constant, that the human is the actor. A person logs in. A person reads a dashboard. A person updates the opportunity stage, approves the invoice, closes the ticket. Every CRM, ERP, and workflow tool was, underneath the chrome, a system that held canonical state and waited for a human to act on it.

Remove that constant and you do not remove the state. The opportunity still has a stage. The invoice still needs approval. What changes is who pulls the lever. The winning layer shifts from the system that holds the record to the system that can take action against that record safely, reliably, and observably.

That is not a story about deletion. It is a story about a new layer forming on top of an old one, and about which firms are positioned to own it. The plumbing being shipped this month, in obscure framework release notes, tells you the layer is already under construction.

The system of record was always a passive object waiting for a human verb

Start with what these platforms actually are. A CRM is a database of opportunities, contacts, and stages, wrapped in forms and views. An ERP is a ledger of inventory, invoices, and approvals. A ticketing system is a queue of states. None of them do anything on their own. They are nouns. The verbs (close, approve, escalate, forecast) have always been supplied by a person clicking through a workflow that the software politely arranges in front of them.

This is the point The Sequence makes cleanly: the enterprise stack assumed the human is the actor. A person logs in, reads, fills, updates, approves, closes. The application's entire surface area (the navigation, the field validation, the role permissions, the audit log) exists to mediate one human verb against the canonical state.

Once you see software this way, the agent question reframes itself. The naive read is that agents replace the human clicking through the form, so the form is dead and the vendor with it. But the form was never the value. The form was the interface to the verb. The value was the canonical state and the guarantee that actions against it were valid, permissioned, and recorded.

Agents do not change what the canonical state is. Salesforce still owns the opportunity object whether a human or an agent advances its stage. What agents change is the actor, and that is a far smaller demolition than the extinction narrative implies. You are not removing the database. You are swapping out the thing that holds the mouse.

The new winning layer is the one that executes against state safely, not the one that stores it

If the actor changes from human to agent, the design center of enterprise software moves with it. A system built for a human actor optimizes for legibility: dashboards a person can scan, forms a person can fill, confirmation dialogs a person can read. A system built for an agent actor optimizes for something else entirely: a clean action surface, deterministic execution, permission boundaries the agent cannot talk its way past, and an observable record of what the agent did and why.

The Sequence calls this the shift to systems of action, where the new winning layer is the one that can take action against state safely, reliably, and observably. Notice the three adverbs. They are not decoration. They are the entire competitive moat.

Safely means the action layer enforces permissions the agent cannot override, the way a payments rail refuses an over-limit charge regardless of what the requester claims. Reliably means an action either completes or fails cleanly, with no half-updated record. Observably means every agent action leaves a trace a human can audit after the fact.

This is where my own framing earns its keep. The value in AI was never the model. It is the harness that connects the model to the world, and a system of action is precisely that harness wearing an enterprise badge. The model proposes; the harness decides whether the proposal is allowed to touch production state. Whoever owns that harness owns the layer where value now accrues, and it is not the model vendor and not, on its own, the database vendor.

The framework release notes are quietly building the safe-execution layer

You can watch this layer being assembled if you read the right changelogs, which are dull on purpose. The interesting signal in agent tooling right now is not capability. It is control.

Look at what shipped this week. OpenAI's agents framework added an update to expose sandbox error retryability, which is a fancy way of saying the system now tells you whether a failed action is safe to attempt again. That is reliability plumbing, the unglamorous guarantee that an action either completed or didn't. Arize's Phoenix added a run cancellation tool and a copy trace ID action: stop a running agent, and grab the identifier that lets you reconstruct exactly what it did. That is observability plumbing.

Langfuse, an agent observability platform, spent its recent release on feedback buttons and faster metadata queries. Mundane. Also exactly what you build when the product's job is to make agent actions auditable after the fact.

None of these are features a power user requested. They are the connective tissue of a system of action: cancel, retry, trace, audit, permission. The autonomy spectrum runs from copilot to full autonomy, and most failures come from deploying at the wrong point on it. The tooling above is what lets a vendor move an agent rightward on that spectrum without the deployment blowing up, which is to say it is what lets enterprise software become a system of action at all. The capability to act was never the hard part. The capability to act safely against canonical state is the whole game.

Sub-agents spawning sub-agents is why the action layer needs governance built in

The control problem gets sharper as agents stop being single actors. Two release notes this week point the same direction. Claude Code now lets sub-agents spawn their own sub-agents, up to five levels deep. Agno's latest release added sub-agent event streaming, so events from a child agent surface up to the parent run.

Read those together. The first creates depth: an agent delegating to an agent delegating to an agent, a tree of actors several layers removed from the human who started it. The second creates the visibility to follow what that tree is doing. One feature makes the system more powerful and more opaque; the other claws back the observability that power costs you.

This is the system-of-action design tension in miniature. The more autonomous and recursive your agents become, the more the value migrates to the layer that can still answer: who took this action, with whose authority, and can I see it? A five-level-deep delegation chain acting against your ERP is either a governance nightmare or a competitive feature, and the only thing that decides which is the control surface around it.

This is also where the Shadow Agent Problem stops being a security footnote and becomes a platform argument. An agent installed by an individual, acting against enterprise state without IT approval, carries the threat profile of shadow IT with broader system access. The platform that wins the action layer is not the one with the cleverest agent. It is the one enterprises trust to keep the recursive delegation tree inside the permission boundary. Safe, reliable, observable. The same three words again, because they are the product.

This is an aggregation play, and the incumbents are better positioned than the panic suggests

Now the market-structure question. If the action layer is where value accrues, who captures it?

The extinction story assumes the model vendors do, by routing around the enterprise apps entirely. I think that misreads where the demand aggregates. Platforms win by aggregating demand and then commoditizing supply, and the scarce, demand-side asset here is not the model. It is the canonical state plus the permission graph: who is allowed to do what against which record. That asset lives inside Salesforce, SAP, ServiceNow, and Workday today, and an agent vendor does not acquire it by being clever.

Which means the incumbent move is obvious and defensive in the best way: commoditize your complement. The agent runtime is the layer adjacent to the system of record. If incumbents can make safe agent execution a cheap, standard feature of their own platform (an action surface bolted onto the state they already own) they keep the margin in the state layer and turn the agent into plumbing. Expect every major enterprise vendor to ship a system-of-action layer rather than cede it.

On a Wardley map, the canonical-state layer is sitting comfortably in product-to-commodity territory, evolved and entrenched. The action layer is in genesis, still being invented in the release notes above. Value in a value chain accrues to whoever controls the component that is evolving, provided they also hold an adjacent entrenched asset. The incumbents hold the entrenched asset. The open question is execution speed, not positioning.

The firms genuinely at risk are the thin-workflow SaaS tools whose entire value was being the form: a nicer interface to a verb a human performed. When the actor is an agent, a nicer human interface is worth roughly nothing. That is the real extinction list, and it is much shorter than the headline.

What this means for someone running agents against real systems today

Pull this down to the operational level, because the architecture argument has immediate consequences for anyone wiring agents into a CRM or a ticket queue right now.

First, stop evaluating agent platforms on capability demos and start evaluating them on the three adverbs. Can it execute safely (does it respect a permission boundary you set, not one it can argue around)? Reliably (does a failed action fail cleanly)? Observably (can you reconstruct what it did from a trace)? The release activity above suggests the serious tools are converging on exactly these properties. That convergence is your shopping list.

Second, treat the system of record as the source of truth and the agent as a constrained actor against it, never as a replacement for it. The agent should not hold canonical state in its own memory and reconcile later. It should act against the record the way a human did, through a permissioned action surface, so the audit trail stays intact.

Third, watch the delegation depth. Recursive sub-agents are powerful, but a chain that spawns five levels deep acting against production data is precisely where deploying at the wrong point on the autonomy spectrum becomes expensive. Keep the human approval gate on the actions that touch money, identity, or customer-facing state.

The larger point is that the agent era does not hand you a blank slate. It hands you the same enterprise stack you already had, with the actor swapped out and a new safety-critical layer forming on top. The platforms that win are the ones that make that layer trustworthy. Bet accordingly, and be skeptical of anyone selling you the extinction of software you are, in fact, still going to be running next year.

/Figures

System of record vs. system of action
PropertySystem of Record (human actor)System of Action (agent actor)
Optimizes forLegibility: dashboards, forms, confirmation dialogsExecution: clean action surface, permission enforcement
Where value sitsHolding canonical stateActing against state safely, reliably, observably
Core interfaceHuman-readable UIConstrained, permissioned action surface
Failure modeUser makes a mistake in the formAgent acts outside the permission boundary
Audit needWho edited the recordWho/which agent acted, with whose authority, traceable
The design center moves when the actor changes from human to agent. Source
One week of control plumbing in agent frameworks
  1. 2026-06-10
    Claude Code v2.1.172

    Sub-agents can spawn their own sub-agents up to five levels deep.

  2. 2026-06-10
    Agno v2.6.13

    Sub-agent event streaming surfaces child events to the parent run.

  3. 2026-06-10
    Phoenix v17.3.0

    Run cancellation tool and copy trace ID action added.

  4. 2026-06-11
    OpenAI Agents v0.17.5

    Exposes sandbox error retryability for safe re-execution.

  5. 2026-06-11
    Langfuse v3.184.0

    Feedback buttons and faster metadata queries for auditing agent runs.

Recent releases skew toward reliability, observability, and delegation control rather than raw capability.

/Sources

/Key Takeaways

  1. Agents change the actor, not the canonical state. The CRM, ERP, and ticketing record still owns the truth; the agent just becomes the thing that acts against it.
  2. The new value layer is safe, reliable, observable execution against state, not the storage of state. Whoever owns that action layer captures the margin.
  3. This week's framework releases (sandbox retryability, run cancellation, trace IDs, sub-agent event streaming) are control plumbing, not capability features. Control is the competitive signal.
  4. Recursive sub-agent delegation makes governance the product. Five-level-deep chains acting on production data are a feature only if the permission boundary holds.
  5. Incumbents are better positioned than the panic suggests: they hold the canonical state and permission graph and can commoditize the agent runtime as a feature of their own platform.
  6. The real extinction risk is thin-workflow SaaS whose only value was being a nicer human interface to a verb. When the actor is an agent, that interface is worth roughly nothing.