BrowserMan

Browser agents do not fail at clicking. They fail at handoff.

Browser-agent demos prove capability. Production workflows fail at the handoff between systems, permissions, receipts, and user control.

Browser-agent demos make clicking look like the product.

The agent opens a browser. It reads a page. It fills a form. It clicks a button. Everyone can see the progress, so the demo feels concrete in a way that chat-based AI often does not.

That is useful. But it is not the production test.

Production workflows fail later, in the handoff: from CRM to ticketing, from ticketing to ERP, from ERP to a client portal, from a draft to a submitted action, from an agent-owned step back to a human-owned step.

The question is not only whether an agent can operate a page.

The question is whether the agent can carry the right state and the right authority across the workflow without losing accountability.

Capability is not operationalization

A browser agent that can click through a website proves capability. It does not prove the workflow is deployed.

Deployment has much more boring questions:

  • Who owns the credentials?
  • What triggers the workflow?
  • What happens when the site changes?
  • Who notices when the agent is stuck?
  • Which actions are draft-only?
  • Which actions can submit, delete, refund, post, or spend?
  • What does the user see after the run?
  • How does access get revoked?

These questions rarely show up in the first demo, but they decide whether the workflow survives the first week.

A model can work and the deployment can still die because nobody owns the handoff.

Handoff amnesia

A lot of enterprise AI failure is not model failure. It is workflow amnesia.

The CRM says the lead is qualified. The support system is missing the last customer note. The ERP has a different order status. The client portal requires a logged-in browser action. The agent reads one surface, guesses about the rest, and the human starts over.

That is not automation. That is a faster way to expose the gaps between systems.

Browser agents sit directly on this fault line because real operator workflows often do not live in one clean API. They live across dashboards, inboxes, admin panels, CMS forms, portals, and half-documented internal tools.

The browser is useful because it is where the messy workflow state already exists.

But the browser also makes the authority problem unavoidable.

Handoffs are authority changes

When an agent moves from reading a CRM page to drafting a support reply, the authority boundary changes.

When it moves from a support draft to a public send button, the boundary changes again.

When it moves from checking an order to issuing a refund, the boundary changes again.

Each surface has a different account, permission model, consequence level, and expectation of review.

That means the handoff is not only a state-management problem. It is an authority-management problem.

A browser session is not just context. It is authority.

A signed-in browser can read private data, update records, send messages, post publicly, submit forms, delete content, change settings, or spend money. Treating all of that as one generic “browser access” permission is too broad.

Browser control needs a proof chain

A browser agent seeing the right page is not permission to click.

Before a consequential action, the system should be able to answer a few plain questions:

  • What site, account, and task were delegated?
  • What page or surface did the agent act on?
  • What text, form, button, or state was involved?
  • Was the action read-only, draft-only, or write/submit/delete/spend?
  • Did the action require a pause or approval?
  • What changed after the action?
  • Can the user revoke the delegated access afterward?

That is the proof chain.

Browser control proves capability. A proof chain proves authority.

Without that chain, the dangerous bug is not always a bad click. Sometimes it is a correct-looking click with no authority trail.

Stable authority matters for the whole run

There is another subtle failure mode: silent privilege escalation.

An agent may begin with one scope, then drift into another. It starts by reading a page, then drafts a message, then finds a submit button, then acts as if the submit was implied by the original task.

If privileges can change mid-run without a visible boundary, the audit trail starts lying.

The receipt says what happened, but it no longer proves that the action happened under the permission the user thought they granted.

A useful browser-agent system needs stable authority:

  • a declared plan;
  • a clear task scope;
  • a distinction between read, draft, and write actions;
  • pause points before consequential steps;
  • receipts after state changes;
  • a revoke path when the work is done.

This is not bureaucracy. It is how the user keeps control when the agent is operating inside a real account.

Real logged-in browser state still matters

The answer is not “just use APIs.”

Clean APIs are great when they exist, expose the right state, and match the workflow. Many real workflows do not meet that standard.

The state may be visible only inside a dashboard. The customer history may live in a helpdesk. The order action may be behind a portal. The CMS preview may require the exact browser session. The admin panel may have no stable API for the thing the operator actually does.

This is why real browser access matters.

But inheriting the whole browser session is not the right primitive.

The useful primitive is delegated browser access: the agent can use the real logged-in browser state it needs, without receiving the user’s credentials or inheriting the entire house.

What delegated browser access should guarantee

For production workflows, a delegated browser layer should make a few things explicit:

  1. Real logged-in state without credential sharing.
    The agent should operate through the user’s browser session without asking for passwords or exporting cookies into a random runtime.

  2. Narrow delegation.
    The user should be able to scope what the agent can touch and for which task.

  3. Action classes.
    Reading, drafting, submitting, deleting, changing settings, and spending money should not be the same permission.

  4. Pause points.
    Consequential actions need a visible boundary before execution.

  5. Receipts.
    The user should be able to see what the agent did, where it acted, and what changed.

  6. Revoke.
    Delegated access should end cleanly when the task or relationship ends.

  7. A clear owner when the workflow gets stuck.
    If the agent hits an edge case, the workflow should hand back to a person instead of silently wandering.

That is the difference between “the agent can use a browser” and “the agent can safely operate part of this workflow.”

Where BrowserMan fits

BrowserMan is built around this distinction.

It connects AI agents to a user’s signed-in Chrome session while cookies and credentials stay inside the browser. The agent runtime can be elsewhere — Claude Code, Cursor, OpenClaw, n8n, a shell script, or another MCP/HTTP client — while the browser authority remains with the user’s real Chrome.

The hosted relay moves commands. It does not become the place where cookies or credentials live.

The important product idea is not “AI can click my browser.”

It is:

The browser session is authority. Delegate it carefully.

That means scope before execution, gates during execution, receipts after execution, and revoke when access is no longer needed.

The product boundary

Browser agents will keep getting better at clicking.

That is good. But clicking is not the hard product boundary.

The hard boundary is the handoff: between systems, between permission levels, between agent and human, between a visible browser state and a consequential action.

Browser agents do not become production-ready because they can click.

They become production-ready when the handoff is explicit, the authority boundary is stable, and the human can see what happened.

That is where real browser automation becomes delegated browser access.