Angles of Attack: The AI Security Intelligence Brief


AgentKit: We All Work For OpenAI Now

Turns out developing AI Agents is kind of hard, so OpenAI wants you to do it for them | Edition 19

Disesdi Susanna Cox
Oct 08, 2025

OpenAI dropped their AgentKit dev platform, which people are speculating will eliminate other Agentic build workflows. Before you get excited about what it does, consider what’s not in it:

A threat model.

This despite the still-unpatchable vulnerabilities inherent to LLMs and the documented impossibility of securing MCP, the underlying protocol, not to mention the myriad supporting components and all of their supply chains.

You want to package up a fundamentally insecure technology, built on insecure protocols, with potentially dangerous, real-world consequences and sell it to consumers and enterprise alike like it’s a harmless Lego kit?

You’d better include a threat model.

From AGI To Consumer Apps

OpenAI used to be a respected lab that some “AI experts” (aka scifi enthusiasts) thought might even come up with AGI. That was always a fantasy, but the social cachet was real.

Now they’ve apparently fully pivoted to making apps and “products”. Products like AgentKit, a platform for sort-of-tech-savvy people to make their own semi-functioning travel agents.

So basically AGI. Except not at all. And just kidding, you really need to be a developer to deploy on this platform–sorry normies, vibe-coded Agents are still as much a fantasy as AGI itself.

How many devs are already being lured into giving up the keys to their systems’ security for the promise of something useful, only to find out it really only (poorly) semi-automates the mundane?

How much time, and how many tokens, are organizations willing to waste on problems that could be solved with regex–or don’t need solving at all?

If you look at the demos, the “no-code” promise doesn’t align with reality. You still need developer skillsets to prototype even a simple example.

And let’s be clear: That’s prototyping, not productionizing, not launching, and certainly not ensuring business value.

No matter what pretty interface a platform provides, it cannot obscure the technical realities that AI requires threat modeling to build, talent to deploy, and operationalization to provide ROI.

There’s just no way around it.

Every Company Is Now An AI Company

Before anyone tells me that this is not really a consumer technology because it requires dev-level expertise to actually use: how many devs have already plugged in their personal information or company IP as a personal side project?

Judging by social media posts, quite a number.

I’ve said this before and it bears repeating: Every company is now an AI company, whether or not they realize it.

Developers are the consumers of AgentKit, and like it or not, so are the organizations they represent.

What risks are introduced when developers are the consumers of tools like these? How are these risks being approached?

How can companies, governments, etc. model threats they can’t see?

A great first step would be for a major provider like OpenAI to set an example and publish their threat models.

A good second step: Publish guides to general threat modeling for Agentic development.

Why It’s Always Travel

The OpenAI demo video shows how to build an “AI Agent” whose task is–wait for it, you’ll never guess–booking a flight.

You, like me, may be wondering why the main Agentic AI use case we’ve seen for years now is “booking a flight”. Future anthropologists studying Agentic demos would probably conclude that in 2025, finding an air travel itinerary was the worst problem humanity faced–since that’s the one virtually every demo seems to solve.

Comments on the YouTube video introduction are pretty brutal: A lot of commenters are wondering out loud why the only demonstration of this tech seems to be a less-capable travel agent.

[Screenshot: Comments under OpenAI’s official intro video]

Most people are apparently starting to be as confused as I am about why the single use case that’s ever demonstrated is just about always booking a flight.

My guess is that for travel information, it’s fairly simple to search what’s left of the web, and the results for travel searches are usually consistently structured, so it’s easier for these “Agents” to appear to pull it off.

Think about it: You can easily get flight information and it’s in a very consistent format, which is why there are so many discount travel websites–and why these have existed since the dawn of the internet.

I am begging people to remember that the first flight aggregation site appeared in the 1990s. That’s thirty years ago.

I’m not kidding: Travelocity, billed as the first site that let consumers buy airline tickets directly from the internet, came online circa 1995.

So in terms of capabilities, I am unimpressed.

Sorry, was I once again supposed to be wowed that your multi-billion dollar “AI” has managed to sort-of-almost accomplish what Python and regex did decades ago?

Be serious.

Overall, it’s unclear why we all supposedly need travel plans made so urgently, or why that’s a job for AI Agents.

What is the use case for this application? People who can afford international travel but not a travel agent, and who also don’t have time to Google?

The question still being begged: Does this technology actually do anything?

Side note but where exactly are all the AI enthusiasts who told me 6 months ago that AI was going to replace everyone’s job and AGI was just around the corner? Because all I hear are crickets now.

Real Engineering Requires Real Receipts

This is why technical skepticism, and demanding engineering receipts, matter. If you’ve repeatedly adjusted your expectations down from “AGI any minute” to “maybe it can book a flight”, you might not be in the best position to demand security.

And this is exactly the position that many organizations find themselves in now, when 95% of AI projects fail, and businesses are chronically unable to find ROI.

This whole situation could have been avoided had more people resisted the mental trap of believing that AI was magic, and of letting FOMO take the lead.

Now that another “no code” platform has dropped from the OG provider themselves, OpenAI, will industry finally wake up to the reality that deploying AI Agents requires talent, time, and infrastructure?

If Agents were easy, practical and profitable, OpenAI wouldn’t be begging you to use their tools to create them.

And if they were secure, you wouldn’t be asked to assume all the risk.

Full stop.

When did we all sign up to do OpenAI’s R&D for free? And why are we assuming this risk?

With their latest DevDay releases, OpenAI has cemented their shift from an AGI lab to a consumer app maker. So are they ready to take consumer-product levels of responsibility?

Publish the threat models, please. Or else your product is the threat.

The Threat Model

  • The promise of no-code AI Agents belies a technical reality: Agents are complex, and any AI deployment requires technical expertise.

  • AgentKit allows devs to visually build Agents using components like MCP, with known insecurities and no mitigations–on top of the already shaky security of the LLMs they’re based on.

  • Without a threat model, devs are left in the dark about the risks they’re taking on–both for themselves, and for their organization.

Resources To Go Deeper

  • Yang, Yingxuan, Huacan Chai, Yuanyi Song, Siyuan Qi, Muning Wen, Ning Li, Junwei Liao, Haoyi Hu, Jianghao Lin, Gaowei Chang, Weiwen Liu, Ying Wen, Yong Yu and Weinan Zhang. “A Survey of AI Agent Protocols.” arXiv:2504.16736 (2025).

  • Kong, Dezhang, Shi Lin, Zhenhua Xu, Zhebo Wang, Minghao Li, Yufeng Li, Yilun Zhang, Hujin Peng, Zeyang Sha, Yuyuan Li, Changting Lin, Xun Wang, Xuan Liu, Ningyu Zhang, Chao-Jun Chen, Muhammad Khurram Khan and Meng Han. “A Survey of LLM-Driven AI Agent Communication: Protocols, Security Risks, and Defense Countermeasures.” arXiv:2506.19676 (2025).

  • Deng, Zehang, Yongjian Guo, Changzhou Han, Wanlun Ma, Junwu Xiong, Sheng Wen and Yang Xiang. “AI Agents Under Threat: A Survey of Key Security Challenges and Future Pathways.” ACM Computing Surveys 57 (2024): 1-36.

Executive Analysis, Research, & Talking Points

Full Risk, Shifting Responsibility

It’s evident right out of the gate that much of the ‘empowerment’ to build Agentic AI via AgentKit comes with a caveat: build at your own risk.

It’s a neat way to shift the risk and responsibility for productizing GenAI and Agentic AI specifically onto the builders themselves.

Make no mistake: If OpenAI were able to release an actual Agentic product suite that worked and did not open them up to tremendous liability, they would have done it themselves, and done it yesterday.

© 2025 Disesdi Susanna Cox