You Can’t Sue an Agent

On February 3, 2026, $285 billion in software market cap evaporated in 48 hours. The trigger was Anthropic's legal plugin for Claude Cowork, shipped four days earlier, which demoed an AI agent doing contract review, NDA triage, and compliance checks that used to require five mid-level associates per matter. The market did the math instantly. Thomson Reuters dropped 18%. RELX fell 14%. Salesforce, Workday, ServiceNow, Atlassian, every name in the index sold off on the same intuition: if one agent does the work of five seats, and seats are how you charge, the entire per-seat business model is on fire. The "SaaSpocalypse" became consensus by Friday.

In April, the consensus reversed. Q1 earnings reports came in better than feared. The narrative pivoted to a V-shaped recovery: "Agents don't replace software. They become its primary users. Consumption-based pricing replaces per-seat. Software survives." The same analysts who pronounced the category dead in February pronounced it saved by mid-April. Recovery pieces ran in CNBC. The market re-priced upward. Everyone felt better.

Both consensus narratives are wrong. They are wrong in opposite directions, but they share the same underlying mistake. They are both reasoning about software companies as if the product is software.

It isn't.

What Salesforce actually is

The panic crowd looked at Salesforce and saw a CRM. The recovery crowd looked at Salesforce and saw a CRM that agents would consume via API instead of via seats. Both got the noun wrong.

Salesforce isn't a CRM. Salesforce is a 27-year-old public company with 80,000 employees, a CISO with a name and a phone number, SOC 2 Type II and ISO 27001 attestations, errors-and-omissions coverage, an incident response playbook, a legal entity that can be sued in San Francisco Superior Court, a publicly traded ticker that disciplines the company's behavior every ninety days, and a quarter-century of customer relationships that took an enormous amount of time and money to build and would take days to destroy. The CRM functionality is the part of all that you see. It is not the part you actually pay for. You pay for everything else.

Workday isn't a payroll system. Workday is a regulated counterparty that, when an IRS notice arrives, has contractual obligations to defend specific positions and indemnify customers for specific errors. ServiceNow isn't a ticketing tool. ServiceNow is a partner whose Trust Center you can hand to your auditor without a follow-up question, and whose name on a contract is, by itself, a substantial chunk of an enterprise's risk-management strategy. Atlassian isn't Jira. Atlassian is a publicly named company you can put in a press release when explaining to your customers what happened during the outage, and that name carries weight precisely because Atlassian also wants to keep its name intact for the next outage.

What you are buying when you buy enterprise SaaS is not the software. The software is, at most, the artifact through which you consume the actual product. The actual product is a legal counterparty with skin in the game. The UI is the receipt.

Agents are not counterparties

An AI agent in April 2026 is, structurally, a sequence of LLM calls coordinated by an orchestrator that you, the customer, configured. When the agent does something wrong, the entity legally responsible is you. There is no counterparty to point at. The model provider's terms of service explicitly disclaim responsibility for what the model is asked to do. The orchestrator is software you configured. The cloud provider is selling you compute, not outcomes. The chain of liability is a chain of self-pointing arrows that ends at the customer.

You cannot sue an agent. There is no entity to serve. You cannot wake an agent up at 3am when production is down, because the agent has no obligation to be awake, no SLA defining availability, and no on-call rotation. You cannot audit an agent's compliance posture, because there is nothing to audit; the agent is a transient invocation, not an organization. You cannot ask an agent for a SOC 2 report, because the concept does not apply to a function call. You cannot demand a postmortem from an agent, because there is no agent to demand it from after the request returns. You can demand all of those things from the model provider, and the model provider will helpfully point you to the legal language explaining that you are responsible for what you asked their model to do.

This is not a technology problem. It is a structural problem about what trust is.

Trust is a property of relationships between entities that have something to lose. A vendor with a reputation has something to lose. An employee with a job has something to lose. A licensed professional with a credential has something to lose. A public company with a stock price and a board has a great deal to lose. The reason the enterprise software stack works the way it does is that every layer is anchored in a counterparty whose continued existence depends on not screwing you over too obviously. Pull that anchor out and the stack doesn't get faster. It gets untrustable.

Agents have nothing to lose. They are not entities. They cannot acquire entity-hood by being invoked harder. The "company behind the agent" is a counterparty, but it is not the counterparty for the work the agent is doing on your behalf. That counterparty is you. This is also why the Goldman Sachs return-on-AI-spend analysis keeps coming back disappointing. A great deal of the productivity gains from agents get clawed back by the cost of being the only entity in the value chain who can be held responsible.

The trust burden moves up the stack

In a world where agents do the work but cannot be the counterparty for the work, the trust burden has to move somewhere. Either the customer accepts it directly, which is what most "AI agent" deployments are quietly doing right now and is the reason most of them are not running anything that actually matters, or the customer finds a counterparty willing to wrap the agent in their own liability and reputation.

Salesforce shipping Agentforce 360 is not Salesforce capitulating to the apocalypse. It is Salesforce monetizing the only thing they have that the agent provider does not: the legal and reputational shell that makes an agent's actions trustable inside an enterprise. The same logic explains ServiceNow's AI Agent Orchestrator, Workday's Illuminate agents, and the rest of the incumbent agent strategies. The SaaS companies that survive aren't the ones that bolt on AI features. They're the ones that let customers borrow their counterparty status when an agent does something a real entity needs to be on the hook for. I've written before about the moment when the incumbents make your argument. This is another one. Salesforce is not selling agents. Salesforce is renting out its legal entity by the seat-equivalent.

This is also why agent-replaces-X predictions keep failing wherever a regulator sits on the other end. Healthcare. Financial services. Legal. Anything HIPAA, SOX, GDPR, or PCI touches. Regulators do not accept "an agent did it" as an explanation. They want a name, a license, an entity, and a person who signs a piece of paper attesting that they personally understand what was done and why. The compliance frameworks built up over the last forty years assume the existence of an organization with a board, an executive team, and a designated officer who signs the attestation. None of that translates to an LLM chain. Google's Agent2Agent protocol routes tasks between agents from different vendors at scale, and the protocol does many things well, but it does not produce an attestable counterparty. It produces a longer chain of self-pointing arrows.

The recovery crowd's framing, "agents become primary users of software," is closer to right than the apocalypse crowd's, but they're missing why. Agents become users of software because they need a counterparty too. They need someone whose name goes on the audit log when they take an action. The software is not surviving because consumption-based pricing happens to be the new revenue model. The software is surviving because trust did not get cheaper to manufacture in February.

The thing you can't build in two years

Could you, in principle, build the trust infrastructure for agents from scratch? Stand up the legal entity, get the certifications, take on the liability, hire the compliance officer, train the response team, accumulate the customer relationships? Yes, in principle. Companies like Sierra and a half-dozen others are doing variants of this, positioning themselves as agent-counterparties for specific verticals. Some will succeed. The ones that succeed will succeed by becoming, over time, what Salesforce already is: a 1,000- or 10,000-person organization with insurance, certifications, named executives, and the entire dreary apparatus of being a real company that can be sued.

In other words, the survivable answer to "agents replace SaaS" is to become a SaaS company that uses agents. That is a much smaller and more constrained outcome than "agents kill SaaS." It looks a lot more like the AWS-era reorganization of the application layer than it looks like the death of an industry. The capital that got vaporized in February was not paying for software. It was paying for the option that agents could compress all the trust infrastructure of an established enterprise vendor into a model weight. They cannot. The option is worthless. The re-pricing was overdue.

In the meantime, the SaaSpocalypse-V-recovery cycle will keep oscillating, because the people writing the cycle are pricing software and not pricing trust. The recovery crowd does not know why it is right. It got lucky on the direction and wrong on the reason. The apocalypse crowd was wrong on the direction because it confused the artifact for the product. Both crowds will be back in six months with new charts.

The boring true thing is this. Agents are tools. SaaS companies are counterparties. Tools without counterparties cannot be trusted with consequential work, and counterparties without tools can still operate, just less efficiently. The asymmetry is not subtle. It will not be erased by a model release.

You cannot sue an agent. Until you can, the apocalypse is a re-pricing.

Want to learn how intelligent data pipelines can reduce your AI costs? Check out Expanso. Or don't. Who am I to tell you what to do.

NOTE: I'm currently writing a book based on what I have seen about the real-world challenges of data preparation for machine learning, focusing on operational, compliance, and cost. I'd love to hear your thoughts!