Agentic AI Has a Long Way To Go Before It Can Book Your Flight

-

 

Agentic AI Has a Long Way To Go Before It Can Book Your Flight

It's smart enough to find your flight. But not secure enough to book it.

#AgenticAI #AISearch #GoogleIO



This is a Tech-Reader AI Digest Special Edition.

There is a kind of exhaustion that accumulates invisibly.

You do not notice it at the airport gate or in the moment you finally click "confirm purchase." But it was there all along — in the thirty-seven browser tabs, the comparison sites that compared the comparison sites, the Reddit thread from 2019 that might still be accurate, the airline's own website with its deliberately confusing fare class designations.

Somewhere between the first search and the final booking, you became your own travel agent. Nobody paid you for it.

For most of the internet's commercial life, this was simply the deal. Google found things. You decided what to do with them. The machine handled retrieval; the human handled judgment, navigation, and the maddening last mile of actually completing a transaction.

It was a division of labor so familiar that most people stopped perceiving it as labor at all.

What Google announced at its I/O conference this spring suggests that arrangement is being renegotiated.

From Search Engine to Task Coordinator

The company has been building — and has now begun demonstrating publicly — a version of Search powered by Gemini that does not merely return results but attempts to complete tasks.

The distinction sounds modest until you sit with it.

A search engine answers the question you typed. An agent pursues the outcome you described. Those are not the same thing, and the gap between them is where an enormous amount of effort, money, and genuine technical difficulty currently lives.

Consider the flight.

Say you want to fly nonstop from New York to San Francisco on July 7, first class, Delta or United preferred, no red-eyes. The traditional workflow is familiar enough to require no explanation.

The agentic workflow is meaningfully different.

You describe what you want in plain language. The system goes to work — querying schedules, filtering against your stated preferences, weighing the tradeoff between a marginally cheaper fare and a departure time you would regret, and eventually presenting you with a shortlist. In the more ambitious version of the vision: a completed booking awaiting your confirmation.

The research portion of that task is, by now, something large language models handle with reasonable competence.

The interesting problems begin the moment the system tries to do something consequential with what it has found.

Some Systems Resist Being Automated

Airline reservation systems do not particularly want to be automated. Neither do hotel booking platforms, insurance portals, or apartment applications.

These systems were designed — deliberately, expensively, and with considerable legal motivation — to verify that a human being is present and consenting at the critical moment.

Multifactor authentication. Biometric prompts. One-time codes sent to a phone number on file.

These are not bureaucratic nuisances. They are the machinery of identity, and they exist precisely because the alternative — a world in which accounts can be accessed and transactions completed by any sufficiently capable automated process — is a world that airlines and banks have spent decades trying to prevent.

The irony is structural.

The more capable an AI agent becomes at navigating the web autonomously, the more aggressively the web's security infrastructure will resist it. Every CAPTCHA, every "verify it's really you" prompt, every fraud-detection system flagging unusual purchasing patterns is a checkpoint designed to distinguish human intention from automated action.

An AI agent, however sophisticated, arrives at those checkpoints and must either pause for human approval or find ways around them.

Neither option looks quite like the frictionless automation the demos suggest.

The Browser Was Never Built for This

There is a deeper problem that predates the booking confirmation entirely.

Web browsers — Chrome, Firefox, Safari, Edge — are built on a security model that treats the internet as fundamentally hostile territory. Tabs are isolated from one another. Websites cannot freely read your local filesystem. Sensitive operations require explicit user permission.

This architecture exists because decades of experience with malware, phishing, and data theft demonstrated that an open, trusting browser was a catastrophically dangerous thing to operate.

Agentic AI puts pressure on that architecture in ways that have not yet been fully resolved.

Users increasingly want AI systems that can retrieve a document from a local folder, compare it against something found online, populate a form with stored information, and complete a multi-step workflow that crosses the boundary between the local machine and the broader web.

The browser was not designed to permit this kind of movement.

Making it possible requires either relaxing security constraints that exist for good reasons, or building entirely new permission frameworks that preserve safety while accommodating something the original architects never imagined.

The Prompt Injection Risk

Security researchers have raised another concern the industry calls prompt injection.

An AI agent browsing the web on your behalf is, at some level, reading whatever the web puts in front of it. A malicious webpage could theoretically embed instructions designed to manipulate the agent — redirecting its task, exposing information it was not meant to share, or producing errors at expensive moments.

Humans filter the web's noise through long experience and a degree of skepticism that is difficult to formalize.

Large language models are more literal-minded.

In this context, that literalness is a vulnerability.

The Hard Part Was Never Intelligence

None of this means the vision is wrong, or that it will fail.

The demand is genuine. The technology is improving at a rate that would have seemed implausible five years ago. And there is something authentically appealing about describing what you want — in the way you would describe it to a competent assistant — and having the work done without managing it yourself.

For anyone who has spent an afternoon navigating an insurance company's website or comparison-shopping a major appliance purchase across a dozen retailers, the appeal is immediate and obvious.

What the Google I/O demonstrations revealed, read carefully, is that the hard part is not intelligence.

The models are already intelligent enough to understand what you want and to identify, in the abstract, how to get it.

The hard part is permission.

The web of authentication systems, security constraints, institutional policies, and legal requirements that governs what any automated process is actually allowed to do on your behalf — that is where the real work remains.

A Semi-Automated Process

The future of agentic search, if it arrives, will probably look less like the seamless automation of the demos and more like a semi-automated process — one where a human stays in the loop at every critical step.

A system that handles everything it is permitted to handle automatically. That pauses at checkpoints where human verification is required. That is auditable enough that you can see, afterward, exactly what it did on your behalf.

That is a more modest vision than the marketing suggests.

It is also, arguably, a more trustworthy one.

Google is not the only company working on this. Microsoft, Apple, Anthropic, OpenAI, and a constellation of smaller startups are all somewhere in the same territory. The browser as execution environment. The search bar as the beginning of a workflow rather than the beginning of a research session. The AI as personal assistant for the digital world.

For most of computing's history, computers waited for instructions.

The ambition now is something different: a system that understands the outcome you want and figures out — within the limits it has been given — how to produce it.

The limits are the interesting part.

They always are.

Aaron Rose is a software engineer and technology writer at tech-reader.blog

Catch up on the latest explainer videos, podcasts, and industry discussions below.


Popular posts from this blog

Insight: The Great Minimal OS Showdown—DietPi vs Raspberry Pi OS Lite

-
Image
Insight: The Great Minimal OS Showdown—DietPi vs Raspberry Pi OS Lite When you're building a headless server, IoT device, or lightweight project box, the last thing you want is bloatware eating your precious resources. Enter the world of minimal operating systems—where every megabyte matters and efficiency reigns supreme. Two contenders dominate this space: DietPi and Raspberry Pi OS Lite. Both promise lean, mean computing machines that boot straight to the command line. But scratch beneath the surface, and you'll find they take fundamentally different approaches to the "less is more" philosophy. The Minimalist's Dilemma Picture this: You've got a Raspberry Pi 3B+ sitting on your desk, destined to become a home media server. Do you go with the familiar comfort of Raspberry Pi OS Lite, or venture into DietPi's optimized territory? The choice isn't just about personal preference—it's about understanding what "minimal" means to each operatin...
Read more

Running AI Models on Raspberry Pi 5 (8GB RAM): What Works and What Doesn't

-
Image
  Running AI Models on Raspberry Pi 5 (8GB RAM): What Works and What Doesn't The Raspberry Pi 5, with its upgraded processing power and 8GB RAM option, brings new possibilities for running AI models at the edge. While it remains a low-power alternative to high-end GPUs, the improvements over previous models make it an intriguing choice for machine learning projects. However, not all AI models run smoothly on the Pi 5, and understanding its strengths and limitations is key to making the right deployment decisions. The Raspberry Pi 5 as an AI Workhorse? At first glance, the Raspberry Pi 5's quad-core Cortex-A76 processor, clocked at 2.4 GHz, seems like a step toward AI workloads. Paired with 8GB of LPDDR4X RAM, it offers a substantial improvement in memory bandwidth and processing efficiency compared to its predecessors. But raw specs only tell part of the story. AI models demand specialized hardware acceleration, and while the Pi 5 can handle some tasks, complex deep learning mo...
Read more

Raspberry Pi Connect vs. RealVNC: A Comprehensive Comparison

-
Image
Raspberry Pi Connect vs. RealVNC:  A  Comprehensive Comparison The Raspberry Pi has revolutionized the way we interact with computers, providing a low-cost, highly adaptable platform for countless applications. One critical aspect of using a Raspberry Pi, especially for remote management and control, is the ability to access it from another device. Historically, RealVNC has been the go-to solution for this purpose. However, the recent introduction of Raspberry Pi Connect offers an integrated alternative. This article will compare Raspberry Pi Connect and RealVNC, exploring their features, requirements, and practical applications. Introduction to Raspberry Pi Connect Raspberry Pi Connect is a new VNC service directly integrated into Raspberry Pi OS 12. Designed for simplicity and ease of use, Connect aims to provide a seamless remote desktop experience for Raspberry Pi users. Currently in beta, Raspberry Pi Connect is free to use and requires a Raspberry Pi 4, 400, or 5 running...
Read more