Last week I watched a friend's side project make its first real purchase with no human in the loop. His agent needed a paid API key, compared two plans, pulled card details from a scoped credential, and kept going. It worked. It also made me a little uneasy, because nobody clicked "confirm" anywhere in that flow. That small moment is the whole story of where startups are heading right now.
The headline names are still the agent products themselves. Emergent, the vibe-coding startup out of India, hit $100M ARR in roughly eight months and raised a $70M Series B from Khosla Ventures and SoftBank in January 2026 at a $300M valuation. Those numbers are real and a little absurd. But look at what the next wave of founders is actually building, and it is rarely another coding agent. It is the plumbing that lets agents act without burning the house down: identity, payments, memory, and sandboxes.
Why the money moved down a layer
The logic is not complicated. A consumer-facing agent that books your travel or writes your code is sitting on top of a model that three other teams also have access to. The differentiation is thin and the price keeps falling. Infrastructure is stickier. Once an agent platform standardizes on your identity layer or your payment rails, ripping it out means re-auditing every transaction path, and nobody volunteers for that.
You can see the capital following this. Across agentic commerce, the payments and identity layer has pulled in serious money, with companies like Basis Theory, Nekuda, and Skyfire raising close to $50M combined just to build the financial rails for agent-initiated transactions. The protocols are showing up too. Google published the Agent Payments Protocol (AP2), and in May 2026 AWS launched AgentCore Payments in preview with Coinbase and Stripe, leaning on Coinbase's x402 protocol so agents can settle payments for APIs and web content. When the hyperscalers start shipping primitives, that is usually the signal that a category has become real infrastructure rather than a demo.
What I would actually build
If I were starting a company this year, I would not try to out-agent the agent companies. I would pick one boring, load-bearing problem and own it completely. A few that I think are genuinely underbuilt:
- Scoped, revocable credentials for agents. Not OAuth bolted on sideways, but identity designed from scratch for a non-human actor that spins up, acts, and disappears.
- Hard spend controls. Every team I have talked to is terrified of an agent in a retry loop racking up a five-figure bill at 3am.
- Durable memory that an agent can trust across sessions without leaking one user's context into another's.
- Sandboxes that are fast enough to launch per-task but isolated enough that a compromised agent cannot reach anything it should not.
The first two are where I would start, because they map directly to a fear every engineering leader already has. Here is the kind of boundary I mean, written out plainly:
type AgentCredential = {
agentId: string;
scopes: string[]; // e.g. ["payments:write", "search:read"]
spendLimitCents: number; // hard cap for the whole session
expiresAt: number; // epoch ms
};
function authorizeCharge(cred: AgentCredential, amountCents: number) {
if (Date.now() > cred.expiresAt) throw new Error("credential expired");
if (!cred.scopes.includes("payments:write")) throw new Error("missing scope");
if (amountCents > cred.spendLimitCents) throw new Error("over budget");
return { ok: true, remaining: cred.spendLimitCents - amountCents };
}
That is forty lines of thinking, not a product. But the product is everything around it: issuing those credentials, rotating them, attributing spend, and giving a human a clean audit trail when something goes wrong. That surface area is large, and it is exactly the kind of unglamorous work that compounds.
The agent that makes you money is replaceable. The system that keeps that agent from spending money it shouldn't is not.
The risk nobody is pricing in
There is a real threat to this thesis, and it is the same one that has eaten infrastructure startups before: the platforms. AWS shipping AgentCore Payments is convenient for builders and brutal for any startup whose entire pitch was "payment rails for agents." When the default cloud handles identity, sandboxes, and settlement out of the box, a thin wrapper has nowhere to hide.
So the bar is higher than it looks. Picking the agent infrastructure layer is correct, but it only works if you go somewhere the hyperscalers structurally will not. That usually means cross-cloud neutrality, opinionated developer ergonomics, or a compliance and audit story that a platform team treats as someone else's job. The category is right. The lazy version of it is already dead.
If I am wrong about anything here, it is the timeline, not the direction. Agents are going to spend real money on real systems whether or not the safety layer is ready, and the teams quietly building that layer now are the ones I would want to be holding equity in two years from now.