> So you can never give a support chatbot real support powers like “refund this customer”, because the moment you do, thousands of people will immediately find the right way to jailbreak your chatbot into giving them money.

And that's the elephant in the room. AI "agents" can't do much until someone solves that problem. Most AI "agents" work for and favor the business operating the agent, but impose the costs of their errors on the customer. Errors are an externality, like pollution. This is no good.