2026-04-13 · Ryan Bolden · Part of: Your Website Is Invisible to AI Agents

Three standards exist. The critical fourth is missing.

The internet runs on standards. HTTP lets browsers talk to servers. HTML lets content render in any browser. SMTP lets email flow between any provider. These standards are invisible to most people, but without them, nothing works.

Right now, three emerging standards are shaping how AI agents will interact with the web. Model Context Protocol, from Anthropic, defines how AI systems connect to external tools and data sources. OpenAI's agent protocols define how agents communicate their capabilities. Google has its own frameworks for agent-to-service interaction. These are real standards, backed by billions in infrastructure investment, being implemented right now.

But there is a critical fourth standard missing. And its absence is going to create a massive problem — especially in healthcare.

None of the existing standards address how an AI agent proves it has authorization to act on behalf of a specific human in a specific context with specific boundaries.

Let me make this concrete. A patient tells their AI agent: "Book me an appointment with Dr. Chen for next Thursday." The agent needs to visit Dr. Chen's practice website or system, communicate what it needs, and complete the booking. The three existing standards handle the mechanical parts — how the agent connects, how it describes its request, how the practice system responds.

But who verifies that this agent actually represents this patient? Who ensures the agent is only accessing scheduling and not pulling the patient's medical records? Who defines what happens when the agent encounters a clinical question it should not answer? Who audits the interaction for HIPAA compliance?

Nobody. Because that standard does not exist yet.

I have been building healthcare AI systems for over a year and a half. Over a million lines of production code. Real patients. Real calls — 1,710 in sixty days for a single practice. I did not arrive at this problem theoretically. I arrived at it by building systems that actually work in production and discovering where the gaps are.

In healthcare specifically, this missing standard is not just an inconvenience. It is a compliance catastrophe waiting to happen. HIPAA does not care that the technology is new. If an AI agent accesses patient data without proper authorization, the practice is liable. Period. And right now, there is no standardized way for a practice's system to verify that an incoming agent request is legitimate, scoped, and compliant.

This problem extends beyond healthcare. Any industry with sensitive data — financial services, legal, insurance — will hit the same wall. But healthcare will hit it first because healthcare is where AI agents are being deployed fastest and where the regulatory consequences are most severe.

I have been working on pieces of this at IB365. Our systems handle agent-to-system interactions in ways that maintain security, verify authorization, and create audit trails. But those are proprietary solutions. What the industry needs is an open standard that any practice, any agent, and any platform can implement.

The businesses that participate in defining this standard will have an enormous advantage. They will understand the protocol intimately because they helped build it. Their systems will be compliant from day one. Their competitors will spend years adapting.

I am not saying I have the answer. I am saying I see the problem clearly because I am building at the boundary where AI agents meet regulated healthcare operations every single day. And I can tell you with certainty that the current approach — where every company invents its own authorization scheme and hopes it holds up under regulatory scrutiny — is not sustainable.

The first three standards handle plumbing. The fourth standard handles trust. And in healthcare, trust is not optional.

If you are building AI systems that interact with healthcare infrastructure, or if you run a practice that will eventually need to accept agent-based interactions, this gap matters to you. The question is whether you help define the standard or scramble to comply with it after someone else does.

This is one piece of a larger framework we built and operate in production. The full picture — and how it applies to your business — is in the playbook.

We specialize in healthcare because it is the hardest vertical — strict HIPAA regulation, PHI handling, BAA chains, and zero tolerance for failure. If we can build it for healthcare, we can build it for any industry. We work across verticals.

Written by Ryan Bolden · Founder, Riscent · ryan@riscent.com