Gary Marcus’s “driving without a license” critique correctly flags real risk in agentic tooling but proposes the wrong remedy. Agents are becoming ubiquitous; the practical response is UI-level engineering: bake backups, sandboxes, diffs, and provenance into editors so novices form safe habits while shipping. Cursor’s recent product moves illustrate how UI-enforced practices scale safety more effectively than political gatekeeping.
ary Marcus raised the obvious moral panic: give powerful coding agents to inexperienced people and you invite spectacular mistakes. “Vibe coding without considerable experience is like driving without a license,” he wrote, and he’s not wrong — an AI that deletes a project, leaks credentials, or ships insecure defaults can do real harm. The instinctive policy response, though, has been to imagine a velvet rope: restrict access, vet users, and keep the tools inside the hands of the credentialed. That instinct is politically fraught, technically brittle, and pedagogically backward. Agents aren’t a fad you can put back in the box. They are already shipping as first-class features inside IDEs that millions of people use. Cursor, one of the companies at the center of this debate, sells the very thing critics fear: multi-file, agentic workflows that can plan, edit, run, and deploy code. But Cursor’s playbook is instructive precisely because it rejects gating as its safety posture. Instead, the product team has layered affordances to teach and enforce good practice at the moment of use: each agent runs in an isolated worktree so parallel runs can’t clobber the repo, sandboxed terminals block network access unless explicitly allowlisted, diffs from agent edits are surfaced with accept/reject controls, plans are saved as files so they can be read and iterated on, and agent transcripts can be shared or forked for audit. In short: the UI becomes the teacher and the auditor. There is a deep logic to this approach. Software safety depends not only on model behavior but on how humans interact with outputs. Forcing novices to pass a licensing exam won’t change the incentives that make tools irresistible — nor will it teach the habits that prevent errors. Interfaces, however, can shape behavior in real time. A novice who sees a tidy diff, a button labeled “commit & push,” and a clear sandbox indicator is being trained in a review loop: inspect, approve, and version. Those tiny affordances instantiate practices — backups, code review, provenance — that experienced teams take for granted, and they make those practices the default rather than optional. Compare two hypothetical interventions. One says: “No agent access until you prove you’re competent.” It creates a bureaucratic threshold, routes people to black markets or cracked tools, and places gatekeepers in a political crossfire over who counts as competent. The other says: “Agents are available to everyone, but they operate in read-only demos by default, run in isolated worktrees, and must produce a PR with tests before merge unless an approver explicitly overrides.” That second approach is enforceable through product design and scales; it also delivers educational value: the novice learns the rhythms of testing, revision, and rollback because the tool forces them into those steps. The Cursor changelog reads like a checklist for productive safety: run up to eight agents in parallel using git worktrees to prevent file conflicts; run agent commands in sandboxed terminals; show a code review UI that makes it trivial to accept or undo all edits; save plans as files so they live in the repo; and provide service accounts and allowlists for enterprises to configure boundaries. These are not theoretical mitigations — they are implemented primitives that teach proper workflows automatically. They convert the abstract admonition to “always keep a backup” into a concrete UX: automatic checkpoints, clear rollback buttons, and a change history that novices can inspect before they push. Other products are converging on the same idea. Browser-based IDEs that run code in isolated sandboxes can execute tests and report failures in a way that’s visible to the user — the environment becomes a safety net rather than a dangerous toy. Agentic features that “try until tests pass” shift the work into a loop where correctness is measured against executable tests, making it harder for generated code to be shipped unvalidated. Those are not policy fantasies; they are engineering features that companies are shipping today. This is not to dismiss Marcus’s core critique. There are real harms when a novice’s app leaks credentials, or when a generated dependency chain introduces vulnerabilities at scale. But treating harm by restricting access misunderstands both technology diffusion and how people learn. Tools like calculators, spreadsheets, or compilers were not made safe by licensing them; they were made safer by embedding corrective practices and by building layers that make common mistakes visible and reversible. The same pattern applies to agents: lock-in, education, and auditability are features, not gatekeepers. There’s also a political angle: restricting access to widely useful tooling invites backlash and regulatory complexity. Who decides what level of competence is “safe”? How do you prevent supplier bias where incumbents lobby to keep newcomers out? Those questions quickly turn safety into a cudgel for incumbency. By contrast, mandating or standardizing UI-level safety primitives — mandatory change review UIs, default sandboxing for agent runs, required test-generation steps before merges, and immutable transcripts for audits — produces rules that are verifiable, implementable, and less easily politicized. If we care about scaling agentic software safely, we should invest in a developer ergonomics of safety. Build default commit checkpoints, surface provenance, require test artifacts, and make approvals explicit and easy. Teach novices by doing — a cursor diff pane that forces a human to click “apply” teaches review more effectively than a licensing exam. Make it cheap to roll back. Make it cheap to run tests. Make it visible who or what made each change. Blocking the car keys is a tempting moral posture; teaching everyone to check the mirrors, buckle up, and use the turn signals is the realistic program. Agents are going to be ubiquitous. The sensible path is to make their defaults safer and their UIs pedagogical, so that as people adopt them, they also learn the small, repeatable habits — backups, tests, provenance, and review — that stop most mistakes from becoming disasters. That is how you scale safety: not by restricting access, but by making good practices unavoidable in the tools people already use. Pulling the handbrake might feel like prudence; designing a dashboard that won’t let you drive with the engine light on is strategy.
One dispatch per day at 06:00 UTC. No commentary, no ceremony.