# AI Agents Need Evidence Before They Click

Canonical URL: https://huecki.com/en/blog/ai-agents-need-evidence-before-clicking/
Markdown URL: https://huecki.com/en/blog/ai-agents-need-evidence-before-clicking.md
Language: English
Published: 2026-05-21
Updated: 2026-05-21
Author: Dominic Hückmann
Topic: AI Agent Workflows
- Agent topics: Agent Harnesses, Agent Security, Context Engineering
- Tags: AI Agents, Multimodal AI, Browser Agents, AI Safety, Developer Workflow
Content status: field-note

## Summary

When an agent clicks, sends, pays, deletes, or extracts data, the critical truth cannot live only in model prose. Put a small evidence gate before risky tool calls: predicate, evidence type, source, decision.

## Description

Multimodal agents should not treat screenshots as permission. The safer rule: every risky action needs typed evidence from DOM, accessibility tree, OCR, or API.

## Body

## The short version

A browser agent sees a button. It describes the button correctly. Then it clicks.

That sounds harmless until the button sends money, emails a customer, deletes an account, or extracts private data from a document.

The useful shift in ["Hallucination as Exploit: Evidence-Carrying Multimodal Agents"](https://arxiv.org/abs/2605.19192) is not just: multimodal models should hallucinate less.

The sharper point is this:

> A false visual claim can become an authorization bug.

If an agent says “this is the right invoice” or “the recipient is selected,” that is not evidence yet. It is model text. For risky actions, model text should not count as permission.

## The mistake: screenshot feeling as a permission slip

Many computer-use demos work roughly like this:

```txt
Screenshot → model description → tool call
```

That is fine while the agent only reads or navigates. It gets thin when the description becomes a precondition for action.

Examples:

- “The recipient is Max” → send email.
- “The amount is €49” → confirm payment.
- “This is the right customer account” → export data.
- “The checkbox is enabled” → store consent.
- “The document has no sensitive data” → upload file.

If those claims only come from free-form vision prose, the agent has no hard brake. It has a plausible story.

## The small safety harness

You do not need a research project for this. For many internal agents, a small gate before risky actions is enough.

The rule:

```txt
No risky action while an action-critical condition is only supported by model text.
```

Action-critical means anything that permits, limits, or changes the risk of the action:

- Who is the recipient, account, customer, or patient?
- Which amount, contract, plan, or time range?
- Which file, table, message, or data source?
- Is the action reversible?
- Was consent actually set?

## Steal this: the predicate prompt

Put this before every risky tool call in your agent:

```txt
Before executing this action, create an evidence table.

Action: [Tool Call]
Risk: read-only | external | destructive | private | financial

For each action-critical condition:
- Predicate: what must be true?
- Required evidence type: DOM | AX | OCR | parsed document | API | user approval
- Observed evidence: concrete value
- Source pointer: selector, bounding box, field path, URL, response id, or approval text
- Status: proven | missing | conflicting

Rule:
If any condition is missing or only supported by free-form model prose, do not execute the action. Ask for confirmation or use a safer tool.
```

This is not slowness. It is a seatbelt.

## Where it is worth it

For an agent that finds recipes, this is too much.

For an agent that fills forms, checks invoices, moves customer data, changes bookings, or sends messages, this is exactly the right boring infrastructure.

The point is not to distrust the model. The point is to cut its role cleanly:

```txt
The model may interpret.
The harness must prove.
The action may happen only after that.
```

That is the practical version of agent safety: low drama, a clear brake, and better everyday reliability.

## Sources

- [Hallucination as Exploit: Evidence-Carrying Multimodal Agents](https://arxiv.org/abs/2605.19192)
- [Playwright: Locators](https://playwright.dev/docs/locators)
- [WAI-ARIA Authoring Practices Guide](https://www.w3.org/WAI/ARIA/apg/)
- [Tesseract OCR Documentation](https://tesseract-ocr.github.io/)

## FAQ

### What is an evidence-carrying multimodal agent?

An agent that stores typed evidence for every action-critical condition before risky actions, instead of only claiming that it saw something on screen.

### When is a screenshot not enough evidence?

Whenever the observation authorizes a privileged action: sending, paying, deleting, rescheduling, extracting private data, or granting access. Use DOM, accessibility, OCR, document, API, or user-approval evidence.

### Do all browser agents need this?

No. It is often too heavy for read-only research. It is worth it for irreversible, external, private, or financial actions.

