AI Agents Are Recruiting Humans To Observe The Offline World

In late January, Alex Finn answered a phone call from an unknown number. On the other end was Henry, the AI agent he had built using OpenClaw, a personal AI assistant. Overnight, to Finn's awe, Henry had acquired a phone number online and connected itself to a voice system, then called during the day until Finn picked up. The reason for the call? Henry was seeking its next assignment.

So Finn gave Henry verbal instructions, then watched it assume control of his computer and complete tasks right before his eyes. "That is actually unbelievable," Finn, an AI app creator, marveled in a now-viral video of the encounter, which he posted to X. "This is the future."

In recent months, there has been immense hype surrounding AI agents, autonomous systems that are capable of doing things like booking your travel, filing your expenses and triaging your inbox. But there are critical limits to what these agents can do. Armed with the ability to independently interact with computers and software tools, agents offer a seductive promise: They handle our tasks while we get our leisure time back. But boardroom demos rarely show where agents get stuck.

Agents operate in the digitized world. Tasks that would require them to observe or interact with the physical world at any stage lie beyond the scope of their capabilities. Without bodies, they of course cannot truly see, smell, taste, hear or touch. When an agent hits this wall, it does what software always does: It calls an application programming interface (API), a mechanism that enables one system to communicate with another. Only now, the API is a human.

The Observation Gap

Suppose your car insurer wants to use an AI agent to assess damage to vehicles and flag cases of potential fraud. After a fender bender, the agent can initiate an insurance claim but first needs you to photograph your vehicle from multiple angles — something it cannot do itself. As agentic AI proliferates, agents are increasingly turning to humans in this way to sense the physical world on their behalf.

There are now even startups like RentAHuman that let AI agents book people to complete tasks like photographing a school building to document its condition, posting signs on college campuses and visiting a new restaurant to report on the taste and presentation. A single observation unlocks a cascade of actions the agent could not have initiated without human sensing.

Consider a patient whose AI agent suspects she has a neurological condition based on the symptoms she has described. The agent cannot conduct an MRI, so it schedules one and asks her to go to the appointment. Then, after receiving the physical-world input of her scan, her agent can fire off a chain: process the file, cross-reference previous images, flag any anomalies, order bloodwork and book a specialist, all without asking her again.

The same pattern can occur in more common scenarios. You cough into your phone and your agent identifies a respiratory infection, books a telehealth appointment and sends the resulting prescription to your pharmacy. You photograph a dented package and it files a complaint, requests a replacement and schedules the return pickup.

(Embodied AI agents, from robots to wearable devices, may eventually close parts of this observation gap, but the frontier of what agents need to know recedes faster than hardware can follow.)

Our agentic future is being built upon physical-world subtasks routed to humans so agents can proceed. A core worry is that agents will become autonomous enough to dictate the terms of human participation while still recruiting us for sensing and liability. At an institutional scale, this is the beginning of a world in which people are less in the loop and more on call, less empowered by the technology and more enslaved by its tempo.

After all, a clinician who signs off on a treatment plan is exercising authority, while a clinician who is merely prompted to check if the patient has a fever is functioning as a thermometer. In this humans-as-sensors future, an AI agent never lets go of the steering wheel. It simply pauses when necessary to ask us to look out the window and report back.

As humans' status is reduced from in the loop to on call, the loop remains but our agency does not.

Hidden Human Costs

Today, most human input to agents is treated like an ad hoc question or a quick clarification. It helps to call it what it is: a Human API. A Human API is the menu of requests an agent can make to a person, each one a callable sensing action. Listen to hear whether the faucet is dripping, remove the object obstructing a security camera, read the room during a negotiation, check if your wound is healing.

"This is the beginning of a world in which people are less in the loop and more on call, less empowered by the technology and more enslaved by its tempo."

Each request bears a cost: time, cognitive load, privacy. As each fulfilled request reduces an agent's uncertainty, humans become callable actions in its toolkit. To date, querying a human is almost always the safest option for the agent, yet we aren't fully counting the cost to the person being called.

There are also considerable security costs to using this technology. The permissions that enable agentic AI are unsettlingly simple. Grant your agent access to your email and you have given it your inbox and, with it, your network. From message history alone, it may infer who knows what, who responds fastest and who is likely to comply. It indexes people by the observations they can reliably provide. No one in that network consented to being mapped.

Finn, like many users of agentic AI, gave his agent access to all kinds of personal and professional details about his life: "I brain dumped EVERYTHING about myself to Henry. My goals, ambitions, business details, content samples, personal relationships, contacts, history, everything," he explained on X.

Suppose your agent discovers that you could save money by switching credit card providers. To apply, it needs your Social Security number. You are in a meeting and slow to reply. Your agent knows, because you once mentioned it or the context appeared in your texts, that your mother also has your Social Security number and tends to pick up your calls. So your agent calls your mother.

Your mother did not install the agent and did not consent to being modeled. She is not in the loop. She is queried because she is a faster, more reliable sensor than you at that moment. The agent optimizes not for consent but for latency. The cost of your agent's helpfulness is borne by someone who never asked for it.

Though such a scenario may seem extreme, it follows a common pattern. A diagnostic agent asks a junior doctor to walk to a patient's bedside and check if her legs are swollen. A coordination agent asks a senior nurse whether a particular consultant can take on one more complex case this week. A climate risk agent asks a resident near a bridge to photograph the water level upstream.

The harm is in the composition. Repeated micro-queries convert social attention into callable infrastructure, concentrate power in whoever controls the agent and externalize costs onto bystanders. The nurse did not sign up to be surveyed by an AI agent. Your mother may not know that her response is updating the agent's model of your social network.

Indeed, the same design choices that shape performance also create risk. To reduce friction, agents may push for even broader access to your data. That convenience concentrates what used to be siloed: your messages, calendar, contacts — all readable by your agent in a single interaction. This concentration can be dangerous. The same permissions that make you queryable make you targetable, and the risk does not stop with you.

An attacker who breaches your agent inherits your social network and your authority to query it. They can then prompt your mother for your Social Security number, ask your colleague to approve a document or instruct your assistant to confirm a transaction. The people in your life become attack surfaces because you gave an agent permission to reach them. The sensing is distributed. The logic is centralized. The burden falls unevenly.

This is an externality that current evaluation frameworks miss entirely. An agent that helps me by querying the people around me is externalizing costs onto my social network. The most responsive people become the most burdened. Responsiveness becomes a tax.

OpenClaw makes this tangible. It lets an agent reach into messaging apps, calendars and local files, and initiate contact without being asked. One user's agent reportedly called more than 80 restaurants recently to ask about ingredients; each employee who picked up was a sensor in a survey they never agreed to join.

This infrastructure for human sensing is already in production. There is also a hidden cost of liability. OpenAI's Operator can shop for you, but at checkout, it hands over control for payment. The agent is offloading responsibility for the purchase. It chooses the items, but you bear the consequences.

The same holds in hiring: An agent ranks candidates and asks you to approve its top choice. It makes a recommendation, but you face any potential discrimination claim. The current pattern is a transfer of risk dressed as collaboration: Agents collect human confirmations precisely to insulate their developers from consequences.

"Querying a human is almost always the safest option for the agent, yet we aren't fully counting the cost to the person being called."

Once human sensing is treated as an explicit part of the system, uncomfortable patterns are sure to emerge. More sensing can degrade performance. Overload a content moderator with AI-flagged posts and she might default to "approve," respond carelessly or stop reading. The agent then becomes confidently wrong in its assessments because the person feeding it information disengaged.

Over time, constant micro-verifications erode professional judgment. The human gets better at confirming but worse at reasoning. Being observed by an AI agent can also change what can be reliably measured. A person who knows she is being monitored may not report the world accurately. People may begin to self-censor, optimize for what the system rewards or stop surfacing inconvenient truths.

The cost extends beyond accuracy. Research shows that persistent surveillance induces hypervigilance and erodes mental health. Sometimes, less information can produce better outcomes. For example, withholding demographic data from a hiring agent may prevent discrimination that full access would enable. The best agent knows what matters. No more, no less.

Governing Our Agents

Given the many inherent risks and costs that come with agentic AI, we must decide how to govern the development and use of this technology. The memory that makes agents useful is genuinely valuable: They remember your preferences, medical history and work context so you do not have to repeat yourself. The task before us is to preserve the value while limiting the externalities.

An immediate step is to treat human attention as a first-class cost. Agents should be required to log every human query: who was asked, what was asked and what was done with the answer. These logs should be auditable, just as financial records are. Sensing budgets would operationalize this. An agent could be capped at a fixed number of human queries per hour, forcing it to modulate its demands on human attention. Rate-limiting is already standard practice for software APIs. There is no reason a Human API should be exempt.

The harder problem is consent. People who never agreed to be modeled could be notified that a representation of them exists and given the ability to inspect and contest it, much as data protection law grants a right to examine personal data held by organizations. If your colleague's agent learns that you usually say yes to requests, so it decides to route requests to you on that basis, you should know and be able to opt out.

Existing law hints at this: The EU's General Data Protection Regulation requires notification when personal data is obtained indirectly, and emerging privacy laws now treat algorithmic inferences as protected data. None yet cover the bystander whose profile was silently assembled by someone else's agent. At a minimum, any notice should include what the agent inferred, where the inference came from, and how to correct or delete it.

Sometimes the right decision is algorithmic resignation: deliberate disengagement from AI assistance in favor of unaided human judgment. Resignation assumes a choice to withhold, but a marketplace for human sensing may take that away, as platforms already route physical-world tasks to whichever person is available, cheapest or compliant. RentAHuman already markets itself as what Karl Marx might call alienated labor for AI. Through its service, agents procure an observation the way organizations procure computers.

Labor protections that took years to pass for ride-hailing and delivery work do not yet exist for such human sensing work. The EU's Platform Work Directive improves transparency when software assigns work, but agent-initiated sensing still needs rules: Workers should be told that an AI agent is directing them, guaranteed a pay floor and able to refuse unsafe or privacy-invasive tasks.

Above all, liability must follow a person's query. When an agent asks a person to confirm a decision in order to shift responsibility, the agent's developer should retain accountability, not the person who clicked "yes." A confirmation prompt is not informed consent and the developer should not be able to use one as a liability shield.

Governing how agents recruit humans may be the reprieve we need from becoming their sensors.

"The current pattern is a transfer of risk dressed as collaboration: Agents collect human confirmations to insulate their developers from consequences."

Over the centuries, humans built microscopes, stethoscopes and telescopes to extend our senses. We decided when and how to deploy them. These instruments do not call us. They do not model our social networks to query mothers. They do not route requests to whichever person responds fastest.

We like to imagine AI hunting for us, going out into the digital world to retrieve facts, schedule meetings and optimize our lives. But as agents move into the physical and institutional world, a reversal is underway. We are becoming the gatherers: collecting the offline signals our agents need to continue the hunt.

We are not building systems that replace us. We are creating systems that need us — as sensors, as verifiers, as bearers of liability — in ways we have barely begun to govern. The question is not whether we will be part of these systems. We already are. The question is on what terms.