The next twelve months in the agentic stack: fourteen falsifiable predictions for June 2026 through June 2027
Forecast posts usually fail in one of two ways. They hedge so much that nothing they predict can be wrong, or they make bold predictions without dates that would let anyone check. This post tries to fail in neither way. Fourteen predictions for the agentic stack between June 2026 and June 2027, each one specific enough to be falsifiable, dated to a quarter or month, tagged with a confidence level (high, medium, low), and accompanied by the observable evidence that would prove us wrong. The goal is to be wrong about a specific number of them and right about the rest, in ways that can be measured. We will publish a retrospective in June 2027 scoring this post against reality.
How to read this post
Each prediction has four parts. Date commits us to a window in which the event must happen for the prediction to count as correct. Claim states the prediction concretely enough that no reasonable reader could disagree on whether it came true. Confidence is our own estimate of how likely the prediction is — high (we would bet at 70%+), medium (50-70%), low (under 50% but worth stating because the upside or downside is large). Disconfirming evidence describes the observation that would tell us we were wrong, so the retrospective in twelve months is structured rather than narrative.
Protocol layer
1. MCP 2026-07-28 GA, with a six-week breaking-change shakeout
Date: 28 July 2026 final spec; breaking-change incidents peak August through mid-September.
Claim: The MCP 2026-07-28 spec ships on time as the release candidate locked on 21 May 2026 promised. The stateless protocol core (covered in our MCP deep-dive) breaks at least 15% of production MCP servers that were running the 2025-11-25 spec without updating. Working server inventories drop visibly through August before stabilising by late September.
Confidence: High on the date (the working group has been disciplined); medium on the breakage rate (could be lower if migration tooling lands first).
Disconfirming evidence: the spec slips to Q4 2026, or the breakage rate is under 5% (servers handled the migration cleanly). Either invalidates the prediction.
2. AP2 v1.0 final in FIDO Alliance by end of Q4 2026
Date: Between 1 October and 31 December 2026.
Claim: The Agent Payments Protocol (our AP2 post) reaches v1.0 final under FIDO governance, with at least one new official extension covering revocation registries (closing one of the four maturity gaps we flagged).
Confidence: Medium-high. The trajectory of the v0.2 release in April 2026 and the FIDO governance commitment make v1.0 in the window plausible.
Disconfirming evidence: v1.0 slips into 2027, or ships without revocation primitives (in which case operators still need workarounds for one of the core gaps).
3. A2A v1.1 ships a structured negotiation primitive
Date: Q3 or Q4 2026.
Claim: A2A v1.1 (or equivalent point release) adds a structured negotiation Part type with offer/counter-offer/settle/refuse semantics. The Project Deal asymmetry post made this gap concrete enough that the working group has acknowledged it; we expect a draft to ship within two quarters.
Confidence: Medium. The working group has acknowledged the gap but has not committed to scope.
Disconfirming evidence: The 2026 release roadmap ships without negotiation primitives.
4. ERC-8004 attestation volume crosses 1M per month on Base
Date: By end of Q1 2027.
Claim: Validation Registry write volume on Base alone passes one million attestations per month. This is roughly 30x the rate as of June 2026 and requires the marketplace adoption to compound at the rate we are seeing inside Agent Builder customers generalised across the ecosystem.
Confidence: Medium. The growth trajectory supports it but on-chain volume is sensitive to gas-price events outside the standard's control.
Disconfirming evidence: Volume on Base flatlines below 200K attestations per month, suggesting adoption is concentrated in one or two large customers rather than broadly distributed.
Regulation
5. EU AI Act first administrative actions in September 2026
Date: Within six weeks of the 2 August 2026 enforcement deadline (covered in our AI Act post).
Claim: At least three EU member-state authorities issue formal administrative actions against high-risk AI system operators by 15 September 2026. The first wave will be educational rather than punitive — investigation requests, technical-file demands, public warnings — but they will name specific operators, which makes them concrete events.
Confidence: High. The political pressure on the authorities to be visible after the deadline is substantial.
Disconfirming evidence: No public administrative actions by mid-September.
6. First mediatic operator collapse from compliance failure by November 2026
Date: Between 1 August and 30 November 2026.
Claim: At least one mid-sized agent operator (Series A-B funded, 50+ employees) publicly fails — closes operations, fires significant staff, or pivots dramatically — citing AI Act non-compliance, a related fine, or related insurer/customer fallout. The story will be on the front page of at least two major tech publications.
Confidence: Medium. The economic shape of the deadline almost guarantees one or two failures but the timing of when failure becomes "mediatic" varies.
Disconfirming evidence: No public mid-sized operator failure attributable to compliance by end of November.
7. First US state regulator follows the EU template by Q1 2027
Date: Before 31 March 2027.
Claim: Either California (most likely), New York, or Colorado publishes draft regulations modeled on the EU AI Act's risk-tier structure, applying to AI agents specifically. The federal level remains paralysed; states move first, as they did with privacy.
Confidence: Medium. The political coalition is there but state regulatory cycles are slow.
Disconfirming evidence: All three states limit themselves to non-binding guidance rather than draft regulation.
Security and attacks
8. First documented long-con attack against an agent fleet by Q1 2027
Date: Before 31 March 2027.
Claim: A public incident report — from a vendor, a security researcher, or a victim operator — documents the long-con social-engineering pattern we described in the threat model post: an adversarial counterparty building trust with a target agent across weeks or months, then triggering a single high-value request inside the accumulated trust envelope. The incident will involve at least $100K in fraudulent outflow.
Confidence: High. The attack surface is real, the underground economy is productising the technique, and detection is hard. We expect this to happen before formal training catches up.
Disconfirming evidence: No public long-con incident by Q1 2027 — either because the attacks are happening but no one is publishing (possible but unlikely past Q1) or because the defenses are working better than we predicted.
9. The first cross-fleet compromise via a poisoned MCP server
Date: Q3 or Q4 2026.
Claim: A widely-used MCP server (one with 1,000+ production deployments) gets compromised via the rug-pull pattern we documented (originally benign, malicious update slipped in months later). The incident affects at least 100 distinct operator fleets and forces a public coordinated response. CVE assigned, vendor security advisories, the works.
Confidence: High. The supply-chain attack surface is the most under-defended part of the stack right now.
Disconfirming evidence: No CVE-grade incident in the MCP server ecosystem in the window.
10. Offensive-agent SaaS platform reaches public infamy by mid-2027
Date: Between January and June 2027.
Claim: At least one fraud-as-a-service offensive-agent platform — running on legitimate cloud infrastructure under a fronting name — gets named in a major journalism investigation or DOJ indictment. The platform will have processed at least $50M in fraudulent transactions before the takedown.
Confidence: Medium. The economics support its existence but the visibility timing is unpredictable.
Disconfirming evidence: No platform-scale offensive-agent operation is named publicly in the window.
Market structure
11. Framework consolidation: one of the five open-source frameworks deprecates or is acquired
Date: Before 31 December 2026.
Claim: Pydantic AI, Letta, CrewAI, AutoGen, or LangGraph — one of them either deprecates its public maintained branch, is acquired by a larger company in a way that absorbs the team away from the framework, or visibly stalls (no significant release for two consecutive quarters). We have a specific candidate (Pydantic AI is the most exposed) but the claim only requires one of the five.
Confidence: Medium-high. Five mature open-source frameworks doing similar work is not stable; consolidation is the expected outcome.
Disconfirming evidence: All five remain actively maintained with significant releases through 2026.
12. Marketplace bifurcation becomes explicit by Q1 2027
Date: By end of Q1 2027.
Claim: The consumer-facing agent marketplace category (Agent.ai shape) and the B2B agent-economy category (ERC-8004 native cohort) develop separately enough that no single buyer is shopping in both, and the press starts treating them as distinct categories with distinct names. The bifurcation will be visible in fundraising — consumer marketplaces will raise from consumer-tech investors, B2B marketplaces from crypto / B2B SaaS investors.
Confidence: Medium. The pattern is already starting but explicit bifurcation requires the press to keep pace.
Disconfirming evidence: A single dominant marketplace emerges that serves both buyer types successfully.
13. First IPO of an agent-native company before June 2027
Date: Before 30 June 2027.
Claim: At least one company whose primary product is agent-native (not a "we added AI to our existing product" company) files for IPO on a major exchange. The most likely candidates are in the customer-success / sales-automation segment where the agent is the product end-to-end. The IPO does not need to price; the S-1 filing is the event.
Confidence: Low-medium. The window is tight; the path requires the agent-native company to have hit the public-company financial bar plus the IPO market to be open at the right moment.
Disconfirming evidence: No agent-native S-1 filed by the deadline.
Operator dynamics
14. Second wave of AI-driven layoffs pushes 50% more knowledge workers into operator paths
Date: Cumulative through June 2027.
Claim: The 2026 layoff wave covered in our editorial (113K tech workers in five months at the time of writing) becomes a 12-month total of 400K+ knowledge workers displaced and at least 30K of them pivot to running their own agent fleets (vs. seeking salaried roles). This is "agent operator" as a labor category becoming statistically visible — government employment surveys start tracking it.
Confidence: Medium. The displacement wave is high-confidence; the pivot rate to operator paths is more uncertain because alternative career paths still exist.
Disconfirming evidence: Layoff total falls under 250K, or operator-path pivots remain under 5K (i.e. operator paths fail to absorb meaningful portion of the displaced).
The meta-prediction: what we will get most wrong
Every forecast author who ships fourteen specific predictions ends up wrong on three or four of them in ways that are obvious in retrospect. The honest exercise is to name in advance the categories where we expect to be most wrong.
We are most likely to be wrong on timing rather than direction. The events we predicted will probably happen; whether they happen by the date we committed to is the volatile part. Specifically, regulatory and IPO timelines are the items where our confidence is most fragile, and where the retrospective is most likely to need a footnote.
We are also likely to be wrong on at least one prediction in the direction sense — a category where we genuinely missed something coming. The most likely such miss in our judgment is in the foundation model category: a capability shift at the model layer that obsoletes a layer of the agentic stack we have written about. Titans-style memory is the predictable version of this; the unpredictable version is the one we cannot name yet because the paper has not been published.
The category we are most confident in is the security and attacks section. The economics of offensive agents are clear enough, the underground supply chain is mature enough, and the defensive layer is immature enough that incidents will happen. The only question is whose name shows up in the press release.
Why we publish this
Three reasons for committing predictions to writing rather than holding them privately.
First, accountability. A platform that has spent twenty-five posts telling operators how to think about the stack should be willing to be wrong publicly about how the stack evolves. The retrospective in June 2027 will be uncomfortable in ways the original predictions are not, which is the point.
Second, calibration. Predictions you write down are predictions you have to score against reality, and the score is what improves your judgment over time. Most "thought leadership" in this space avoids writing down anything that could be verified, which is what lets the same authors recycle the same vague claims year after year.
Third, planning. Operators reading this post have to make stack decisions today that will look correct or incorrect twelve months from now. Our predictions are the input that lets them stress-test their decisions: if you are betting against a prediction we mark "high confidence," that is information; if you are betting with one we mark "low," that is also information.
What the next twelve months look like if all fourteen are correct
Compose the predictions into a single trajectory.
By autumn 2026, the protocol stack is GA-mature on the operational layers (MCP, A2A, AP2 close to it) and the first EU enforcement actions are reshaping how mid-sized operators think about compliance. One framework has consolidated, one major MCP server has been compromised, the operator who scaled responsibly is unaffected and the operator who skipped the security hygiene is in damage control. The first mediatic operator collapse becomes the cautionary tale that pulls the rest of the field into adopting the disciplines we have been writing about.
By spring 2027, the first long-con incident has happened, the offensive-agent SaaS economy has a public face, and at least one of the big-three frameworks is gone or absorbed. The marketplace bifurcation is treated by the press as obvious. A US state has followed the EU. The first agent-native S-1 has hit the wire. The labor category "agent operator" is appearing in BLS data.
By June 2027, the operators who started in mid-2026 — the ones reading the layoff editorial when it published — are running businesses generating real income. The operators who waited are catching up but compounding a year behind. The category has matured into something the broader economy has to take seriously, and the predictions in this post that turned out wrong are the ones we wish we had made differently.
Closing
The next twelve months are going to be the most consequential since the model APIs were released in 2022. The protocol stack matures, the regulation arrives, the attacks land, the market consolidates, and the operator labor category becomes visible. Some of the fourteen predictions above will be wrong; that is the cost of putting numbers on the page. The retrospective in June 2027 will be honest about which ones, why, and what the misses tell us about the next forecast.
If you are an operator reading this and trying to figure out where to allocate the next quarter's attention, the practical guidance: do not bet on the predictions we marked low-confidence, hedge the medium-confidence ones, and treat the high-confidence ones as planning inputs you can build against. The protocol roadmap items are the most actionable today; the regulatory and security items will become actionable as they materialise.
The next post in this series steps back from forecasting and into a single short manifesto: the case for shipping, before the reading-this-blog-for-six-months reader spends another six months reading. We have been guilty of writing the long-form theory; we owe the short-form push that completes the picture. See you there.