Safety work moves from demo to product

An AI agent is a model that does more than answer a question once: it can search, click, run tools, and carry a task across multiple steps. In 2025 and 2026, OpenAI and Cloudflare both started shipping more of that work as product infrastructure, with approvals, tracing, private networking, and long-running workflows built in. (openai.com) OpenAI said on March 11, 2025 that it was releasing a Responses API, built-in tools for web search, file search, and computer use, an Agents Software Development Kit, and observability tools to trace agent runs. The company said customers had found it hard to turn model demos into “production-ready agents” without custom orchestration and visibility. (openai.com) On May 21, 2025, OpenAI added remote Model Context Protocol support, Code Interpreter, image generation, background mode for long-running tasks, reasoning summaries, and encrypted reasoning items. OpenAI said those features were aimed at “reliability, visibility, and privacy” for developers and enterprises. (openai.com) Model Context Protocol is a standard way for an agent to connect to outside tools, like a universal plug shape for software. Cloudflare said on April 7, 2025 that its Agents SDK added remote Model Context Protocol clients with built-in transport, authentication, and authorization, while Workflows reached general availability for long-running, multi-step actions. (blog.cloudflare.com) That work moved further into core infrastructure this week. Cloudflare said on April 14, 2026 that it launched Cloudflare Mesh, a private networking product for AI agents that gives agents scoped access to private databases and application programming interfaces without exposing those systems to the public internet. (cloudflare.com) Cloudflare’s Agents Week posts framed the problem as cloud plumbing as much as model quality. The company said the internet and cloud “weren’t built for the age of AI,” then rolled out products including Sandboxes, Dynamic Workers, and Mesh to keep agents stateful, isolated, and connected under policy. (blog.cloudflare.com, blog.cloudflare.com, blog.cloudflare.com) OpenAI has been making the same shift inside its own agent products. Its developer docs say guardrails can validate inputs, outputs, and tool calls automatically, while human review can pause a run before side effects such as cancellations, edits, shell commands, or sensitive Model Context Protocol actions. (developers.openai.com) In consumer products, OpenAI used similar controls for Operator and ChatGPT agent. OpenAI said Operator launched with “watch mode” on sensitive sites such as email and financial services, and its ChatGPT agent help page says the product uses confirmations for high-impact actions, prompt-injection monitoring, and supervision requirements on some sites. (openai.com, help.openai.com) Cloudflare is also betting that safer agents need persistent state, not just a better prompt. Its Agents SDK runs on Durable Objects, which the company describes as stateful execution environments with their own storage and lifecycle, and its public repository showed about 4,700 GitHub stars as of this week. (blog.cloudflare.com, github.com) The pattern across both companies is that “safety” is being shipped as approvals, identity, isolation, logging, and network boundaries around agent actions. The more agents move from browser demos into tools that can touch files, internal systems, and customer accounts, the more the product work starts to look like operations and security engineering. (developers.openai.com, cloudflare.com, blog.cloudflare.com)