Skip to content

AI and Agentic Marketing

Start with the cold numbers, not the vendor optimism. Gartner expects more than 40% of agentic AI projects to be cancelled before the end of 2027, blaming rising costs, unclear value and weak risk controls, and reckons only around 130 vendors offer genuine agentic capability amid widespread “agent washing”. MIT’s NANDA “GenAI Divide” study found 95% of enterprise generative-AI pilots showed no measurable P&L impact. The root cause was not the model; it was an organisational learning gap. The companies that succeeded mostly bought from a specialist rather than building internally, and the buyers won roughly twice as often as the in-house builds. Even OpenAI, which put agentic shopping on the map, has not shown that native in-chat checkout scales beyond an early set of merchants. Do not assume native in-chat checkout will scale.

Hold those facts together and the picture is consistent. Capability is shipping fast, autonomy stays supervised, and the failure mode is the organisation rather than the model. That reframes the two rules this chapter is built around. Drafting by default and keeping a human on the send button are not timidity. They are the correct production discipline for a technology where the irreversible action is a send to tens of thousands of people, and the thing making the decision is non-deterministic.

Across 2025 and into 2026 every major ESP and CRM shipped a marketing agent, and they converged on the same loop: read signals, decide a next-best action, act across channels, with a human setting the guardrails and approving the send. That convergence is the tell. Staged review is the safer centre of gravity, not the universal default: most of the serious vendors stage the send for a human, though a few (Attentive, some HubSpot agents) run autonomous, because full autonomy does not survive contact with a real list. Treat every capability below as a claim unless a first-party outcome number is attached, because almost none of these vendors have published agent-attributed lift that holds up to a second look.

The job changed underneath all of this. For twenty years the email marketer was an operator: log into a dashboard, build the segment, write the copy, drag the blocks, schedule the send, come back later to read the report. By 2026 that work is increasingly briefed to an agent. You set the goal and the guardrails. The agent plans, segments, builds, runs its checks and stages the send. You review it and press the button. You have moved from operator to director, and the lift comes from rebuilding the workflow around the agent, not bolting a chatbot onto the old one. That is the same finding MIT reached the expensive way.

An AI agent that can compose, segment and send across email, SMS and WhatsApp is a loaded weapon pointed at your sender reputation and your legal exposure. The failure mode is not a bad subject line. Picture a confident agent firing a 24,000-recipient blast at 2am local time, to a list that includes people who opted out last week, from a number never registered with the carriers. Every one of those is a gate that should have stopped the send and didn’t.

The platforms have moved from guidelines to enforcement, and that is what gives these gates teeth. Gmail rejects and defers non-compliant bulk mail rather than just filtering it. US carriers block SMS from unregistered 10DLC numbers outright. Meta caps marketing template delivery per recipient across all brands and returns a hard error when the cap is hit. So the gates below are not hygiene; they decide whether a send lands or gets you rejected, blocked or sued. An agent should treat every one as a hard precondition: pass or abort, never “proceed with a warning”.

Run these as a machine-checkable checklist. Each gate returns a boolean and a reason. If any returns false, the send does not go out and the agent escalates to a human.

  • Consent verified. Confirm every recipient has a recorded, in-scope opt-in (source, timestamp, and the channel and category they consented to) before the send is assembled. Sending without provable consent is the root compliance failure under consent-based regimes like the GDPR and the TCPA. CAN-SPAM is opt-out, so it does not require prior consent for marketing email, but you still must honour unsubscribes and use accurate headers. The TCPA penalty runs up to US$500 per message, US$1,500 if wilful, and SMS marketing specifically needs prior express written consent, not a soft opt-in.

  • Suppression list synced. Pull the current global suppression and unsubscribe list at send time, not from a cached copy, and diff it against the audience. One stale unsubscribe that gets re-mailed is a spam complaint, and Gmail’s enforcement is keyed to the user-reported spam rate. Suppression covers unsubscribes, hard bounces, complaint addresses and any role or abuse addresses.

  • Frequency cap checked. Verify the send will not breach your own per-recipient frequency rules, and on WhatsApp respect the platform cap you cannot see. Meta applies a per-user marketing-template limit across all businesses combined, varying with how engaged that user is, and over-cap messages fail with error 131049, “not delivered to maintain healthy ecosystem engagement”. Meta does not publish a fixed integer, so treat 131049 as a per-recipient fatigue signal: wait at least 24 hours before retry, never a fast retry loop.

  • Channel eligibility. Confirm the channel is actually allowed to send to this audience right now. For US SMS, the brand and the specific campaign use-case must be registered with The Campaign Registry; the major US carriers block traffic from unregistered 10DLC numbers entirely. For WhatsApp, the recipient must have opted in on WhatsApp for the message category you are sending, and the template must be approved in that category. An unregistered or mis-categorised channel does not degrade gracefully; it returns nothing.

  • Jurisdiction and quiet-hours. Resolve each recipient’s local time zone and confirm the send falls inside the legal window for their jurisdiction. The TCPA prohibits marketing calls and texts before 8am or after 9pm in the recipient’s local time, and a wave of 2025 class actions targeted ecommerce brands sending promotional SMS outside that window. There is a live FCC petition on whether prior written consent overrides quiet hours, but it is unresolved, so the conservative gate holds.

  • Rendering QA. Render the message in dark mode and across the major clients (Gmail web and app, Apple Mail, Outlook) before send, and fail on broken layout, invisible text or images that do not load. A dark-mode inversion that turns black text into a black-on-black logo, or an Outlook table that collapses, ships a broken email to the whole list with no recall. The agent should diff a rendered screenshot against the approved design, not trust that the HTML “looks fine”. Litmus and the other rendering tools exist precisely because what the HTML says and what the client shows are different things.

  • Accessibility. Confirm the message uses live HTML text rather than text baked into images, every meaningful image has alt text, and colour contrast meets a minimum. Image-only emails fail for screen-reader users and for anyone with images off, and image-heavy, text-light emails also correlate with spam filtering. This is both an inclusion requirement and a deliverability one.

  • Personalisation confidence. Verify every merge field resolves to a real value for every recipient, and abort on any unresolved token, fallback collision or low-confidence inference. An agent that invents a first name, mis-genders a recipient, or ships “Hi {{first_name}}” literally has produced a visible, brand-damaging error at scale. No merge field sends on a guess. If the data is not there, drop the personalised element or hold the recipient. Do not hallucinate the value.

  • Inventory and pricing freshness. For any commerce message, re-fetch product availability and price at send time and reconcile against the creative. A promo for a sold-out product or a stale price is a customer-service fire, and a wrong price is a potential consumer-law problem. The agent pulls live catalogue data, not the values that were correct when the campaign was drafted.

  • Approval status. Confirm the campaign carries an explicit, current human approval for this audience and this content, not one granted against an earlier draft. The single most expensive class of agent error is firing a real send while looking for the “schedule” or “preview” action. The approval record, the audience and the content hash must all match before dispatch, and any send above one recipient requires a logged human sign-off.

  • Rollback and kill plan. Before dispatch, confirm there is a working pause or kill control, batched or throttled sending so the whole list is not gone in one shot, and a defined rollback (suppress, halt, follow-up correction) if a problem surfaces mid-send. Email cannot be unsent, but a throttled send can be stopped after batch one when the spam rate spikes or someone spots the wrong link. An agent with no kill switch is an agent you cannot trust with the send button.

The consent, suppression and frequency gates are not just legal cover. They feed directly into the thresholds the mailbox providers now enforce. Gmail’s bulk-sender rules apply to anyone sending more than 5,000 messages a day to Gmail accounts. Keep the user-reported spam rate below 0.10% in Postmaster Tools and never reach 0.30%; at 0.30% Gmail may reject or defer your mail, and you stay ineligible for mitigation until you are back under 0.30% for seven consecutive days. Bulk senders must also authenticate with SPF and DKIM, publish DMARC, pass DMARC alignment on the From domain, and include RFC 8058 one-click unsubscribe on marketing mail. For SMS, the STOP and HELP opt-out keywords must be honoured effectively instantly, which the CTIA treats as a carrier prerequisite, not a nicety.

So a suppression miss is not an inconvenience; it is a spam complaint that pushes you toward the 0.30% rate where Google cuts off mitigation and your delivery degrades through graduated throttling and rejections, not a clean switch you can flip back.

Make every gate a function that returns {pass, reason}. The send pipeline calls all gates, collects the failures, and aborts on the first false. No gate may be skipped, and “warn and continue” is not a valid outcome for a hard gate. Draw the hard-versus-soft line clearly. Consent, suppression sync, channel eligibility, jurisdiction and quiet-hours, approval status and the kill plan are hard, and a false aborts the whole send. Rendering QA, accessibility, personalisation confidence and inventory freshness are hard for the affected recipients but may degrade gracefully (drop the merge field, hold the sold-out segment) rather than abort everything, provided the degradation is logged.

Three more rules make this real. First, pull at send time, not draft time: suppression, frequency state, inventory and pricing, and the approval hash all get re-read immediately before dispatch, because cached state is how stale unsubscribes and dead products get mailed. Second, log the gate result for every send, the boolean and the reason per gate, so a complaint or a deliverability dip can be traced to the gate that should have caught it. Third, wire the kill switch first: batch or throttle every bulk send, expose a pause control the agent can call, and define the rollback before the first batch goes out. If there is no working kill switch, the send is blocked.

When an agent runs your marketing, it touches data at every step. It reads profiles to build a segment, fires events that trigger flows, and decides who gets which message on which channel. The same autonomy that makes it useful makes a data-governance failure cheap to cause and expensive to discover. A human who pulls the wrong list sends one bad campaign. An agent with a loose prompt and broad database credentials can leak PII into a model context, message people who never consented on that channel, or invent a segment rule that quietly excludes half your customers, and it will do all of it confidently and at speed.

The regulators have not written agent-specific rules yet, and they do not need to. The existing data-protection principles already bind whoever operates the agent, and “the model did it” is not a defence the operator gets to use. Under the GDPR you are the controller; the agent is just a processing method you chose. The obligation is yours, and everything below is about keeping the agent inside rules that already apply to you.

Identity resolution and profile freshness. An agent acts on whatever profile it reads at decision time. If your identity graph stitches a logged-out web session to the wrong known contact, the agent will personalise to the wrong person, with no independent way to know it. Treat identity matches as confidence-scored, not binary. The agent should be able to read the match basis (deterministic email or login match versus probabilistic device or fuzzy match) and refuse to send identity-revealing content (order details, name, account status) on a probabilistic match alone. Profile freshness is the second half. A profile read an hour ago may already be stale after a purchase, an unsubscribe, or a consent change. Decisions that gate sends (consent, suppression, channel preference) must be re-read at send time, not cached from when the segment was built.

Event latency. Trigger-based flows assume the event is true now. Most event pipelines are eventually consistent, so a “cart abandoned” event can fire after the person already bought, and a “purchased” event can arrive minutes late behind the abandonment flow. An agent that triggers on raw events without a latency buffer will send abandonment reminders to people who completed checkout. Build in a settle window, a wait step long enough to absorb your pipeline’s typical lag, often a few minutes to an hour, and a suppression check that re-queries terminal state (purchased, unsubscribed, suppressed) immediately before the send fires.

PII minimisation and retention. GDPR Article 5 requires personal data to be adequate, relevant and limited to what is necessary, and kept no longer than necessary. For an agent that means scoping its data access to the task. A segmentation agent needs behavioural attributes and consent flags, not passport numbers, full payment records or free-text support transcripts. Give it a purpose-built view, not the raw customer table. Retention applies to what the agent produces too: drafted-but-unsent message logs, intermediate exports and scratch files containing email addresses are personal data and inherit the same retention clock.

Prompt and data leakage. The fastest way to lose control of customer data is to dump a large slice of your CRM into a model context because it was easier than writing a query. Every record in the context window is a record that can surface in a generated email, be retained in provider logs, or leak through a prompt-injection payload hidden in a customer’s own free-text field: a support note, a name field, a survey response. The rules that hold up are concrete. Pass the model the minimum rows and columns it needs for the immediate decision. Never put raw PII in a system prompt reused across users. Treat any customer-supplied free text as untrusted input that could carry injected instructions, and strip or sandbox it before it reaches a model with tool access. If the agent needs to act on 50,000 contacts, it passes identifiers to a deterministic send API. It does not narrate 50,000 profiles to an LLM.

Consent propagation: consent does not travel. This is the rule marketers most want to be false, and it is not. Consent is channel-specific and purpose-specific by law and by carrier policy, so an agent must never infer permission on one channel from permission on another. The CTIA’s Messaging Principles state plainly that SMS consent is separate and should not be transferable or assignable between entities or purposes. WhatsApp is the same: Meta requires an affirmative opt-in specific to receiving WhatsApp messages, and pre-checked boxes, terms-of-service acceptance, or an inferred opt-in from a purchase do not qualify. The agent’s contact model should carry a separate, timestamped consent state per channel and per purpose, and the send-time check reads the consent for the exact channel it is about to use. An email opt-in is not an SMS opt-in, and neither is a WhatsApp opt-in.

Hallucinated segmentation logic. When an agent translates “loyal customers who’ve gone quiet” into a query, it can invent thresholds, misname fields, or silently substitute a column that does not mean what it thinks. The failure is invisible because the campaign still sends; it just sends to the wrong people, and you find out from the revenue report or the complaint rate. Three controls catch it. Make the agent emit the resolved query or segment definition in human-readable form and show the matched count before any send, so a person or a stricter gate can sanity-check the size. Validate field names and allowed values against a schema the agent cannot edit, so a hallucinated column fails loudly instead of matching nothing. And treat large swings in segment size between runs as a stop condition: a segment that jumped from 8,000 to 80,000 contacts overnight is a bug until proven otherwise.

Automated decisions have a legal ceiling. GDPR Article 22 gives people the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, with human-intervention safeguards required even where an exception applies. Ordinary campaign targeting rarely meets that bar, but agent-driven decisions that gate pricing, credit, eligibility or account standing can, and the operator carries the obligation to provide meaningful human involvement. A human who rubber-stamps the agent’s output without independent assessment does not satisfy the safeguard, which the Irish data-protection regulator has made explicit.

“AI optimisation” covers two very different things, and the gap between them matters for what you should believe. One is generative content, an LLM writing per-user copy. The other is reinforcement learning, a system reallocating live traffic toward what is working. The reinforcement-learning half is where the verifiable substance sits, and it is the part vendors talk about least clearly.

The bandit-versus-A/B distinction. A deterministic A/B test fixes a split, waits for significance, then declares a winner. A multi-armed bandit reallocates live traffic continuously toward the better-performing variant while still exploring the others. Braze’s AI Decisioning Studio, built on the OfferFit reinforcement-learning engine Braze acquired for US$325M in 2025, runs multi-armed and contextual bandits across variant, offer, channel, timing and frequency, reallocating to winners while still exploring. Hightouch and OfferFit frame the same idea as choosing content, timing, channel, offer and frequency per customer, including whether to send at all. Braze’s own guidance is the right rule of thumb: use A/B for foundational direction, bandits for ongoing fine-tuning. The headline customer figure, Kayo Sports reporting a 2.5x lift in conversion across triggered campaigns while scaling to 1.2 million personalised variations a day, is vendor-reported, so treat it as a vendor claim rather than a benchmark you can plan against.

Two caveats matter and vendors skip both. The first is non-stationarity. Thompson-sampling bandits are sensitive to seasonal and behavioural shifts and can chase noise through them, so an agent should not over-trust a bandit through a sales peak or a category swing. The second is cold start. Reinforcement learning needs volume and clean event data to beat simple rules, so it will not help a small list; if your list is thin, a bandit is a worse choice than a sensible fixed rule.

The measurement discipline follows from those caveats. Require a holdout so you can attribute the lift to the optimiser rather than the season. Set an explicit exploration budget. Define bandit-reset rules for seasonal breaks. And encode “do-not-optimise” constraints the optimiser is never allowed to trade away: margin floors, fatigue caps, complaint-rate ceilings, brand-safety lines. A bandit optimising pure conversion with no constraints will happily over-mail your best customers into churn.

Generative per-user content has roughly one useful first-party case study. HubSpot reports that moving from segment-based to 1:1 personalisation, where a model infers each person’s goal, vector-matches it against the content library, and writes a personalised message, lifted email conversions by 82%, with roughly 30% higher opens and over 50% higher click-through. That is a HubSpot internal first-party case, not a general benchmark. The post gives no baseline, no sample size, no holdout and no conversion definition, and it admits the early attempts were “meh” before months of tuning produced the final number. Keep the 82% as a worked illustration of the 1:1 mechanism. Do not reuse it as a planning figure until you have a baseline, a sample, a holdout and a stated conversion definition of your own. The rest of the generative-personalisation numbers floating around are vendor capability claims, not measured outcomes.

There is a named-practitioner warning worth pairing with the upside. Chad White has predicted that brands bragging about 100,000-plus generative variations will conclude they overdid it, and Jay Schwedelson’s counsel as inboxes flood with generative content is to be real rather than relentlessly optimised. The governing tension: cap generative variation against brand-voice limits, and treat “100,000 variations” as a vanity metric rather than a result. Litmus’s 2025 State of Email found 49% of teams now use generative AI for email copy, so the practitioner concern is not theoretical. Half the industry is already doing it.

On adoption claims generally, anchor to one source rather than stitching survey cuts together, and treat the “advanced AI adopters are 75% more likely to hit 45:1 ROI” line as directional vendor-survey data, not a target. One more correction worth carrying, because it travels around as a personalisation proof point and is not one: Canva’s strong result (a reported lift in opens with very high deliverability) came from a localisation strategy plus a careful IP warm-up from 30 million to 50 million sends a week, not from generative per-user content. File it under localisation and deliverability, not personalisation.

GA-versus-beta is verified against each vendor’s own pages as at June 2026. Read the outcome-evidence column carefully: it is uniformly vendor-reported or absent. Nobody in this table has published an independent, holdout-controlled agent lift number.

Vendor / productGA or betaWhat the agent can doApproval modelAuditabilityOutcome evidence
Klaviyo K:AI Marketing AgentGA (Sep 2025)Build campaigns, flows and forms; learn brand voice and catalogue from a URL; stage for one-click launch (email, SMS)Staged for review before anything goes near customersNot documented publiclyNone agent-attributed
Klaviyo ComposerPrivate/closed betaPrompt to a staged multichannel campaign plus segments (email and SMS today, push and WhatsApp flagged as coming)“Nothing goes near customers without review” per KlaviyoNot documentedNone
Salesforce Agentforce (Marketing Cloud Next)Partner GA (Dec 2025); capabilities staged from Oct 2025Draft copy, creative, audience and a Flow journey; pull from CRM, SharePoint, Google Drive; lead nurtureHuman briefs, sets brand guidelines and limitsSalesforce platform loggingNone public
Iterable MCP serverGA, open source (Nov 2025)Read by default; writes and sends are opt-in flagsExternal agent driven, human in the loop by config; read-only default, ENABLE_WRITES / ENABLE_SENDS to widenStandard Iterable activity logsNone
Braze AI Decisioning StudioGA (Sep 2025)Choose channel, message, offer, timing and frequency via reinforcement learning (OfferFit engine)Marketer sets objectives and guardrailsBraze reportingKayo 2.5x conversion (vendor-reported)
HubSpot Breeze agentsCustomer / Prospecting / Data GA 2026; others in betaResearch, prospect, draft, and 1:1 content across email, web and chatVaries by agent; some autonomousHubSpot activity log82% email conversion (vendor first-party)
Twilio Conversation suiteGA (SIGNAL, May 2026)Orchestrate conversations and persistent memory, grounded on Segment profilesDeveloper-definedTwilio logsNone marketing-specific
Attentive AI Journeys / AI CampaignsJourneys live; AI Campaigns roadmap (May 2026)Trigger and personalise per shopper; orchestrate campaigns (SMS, email)No per-message approval in JourneysNot documented publiclyUS$6B platform GMV, not agent lift

A few reads on the table. Staged review is the safer centre of gravity, not the universal rule. Klaviyo, Salesforce and Iterable all default to a human gate before the send, the same discipline the credibility frame argued for, while Attentive and some HubSpot agents run autonomous. Klaviyo Composer is private beta, not GA, whatever the launch coverage implied, and currently covers email and SMS only. The “193,000 brands and 8 billion profiles” data-grounding line that travels with Klaviyo is network-size positioning, not evidence of model quality, and Klaviyo’s own Composer page does not even cite it. Iterable’s MCP server is the example to copy on safety: read-only out of the box, writes and sends behind opt-in flags, so an agent cannot send until you deliberately let it. Twilio is infrastructure, an agent substrate rather than a campaign builder, so assess it that way. Attentive runs the loosest approval model in the set, triggering and personalising without per-message approval, which is the configuration most exposed to brand-safety failure. None of these vendors has shipped an independently verified lift number, so the column that matters most for your planning is the empty one.

This belongs in a clearly marked watchlist, not the main body, because it is early and unproven at scale. Treat everything here as speculative, build rails if you like, and do not budget revenue against them.

OpenAI’s ChatGPT Instant Checkout, the Agentic Commerce Protocol built with Stripe, launched in late September 2025 with Etsy live and Shopify expanding. It is early and unproven at scale, and native in-chat checkout has not been shown to work across a large merchant base. OpenAI has also shipped merchant-controlled “ChatGPT apps” that route the buyer back to the merchant’s own site. Do not assume native in-chat checkout will scale or replace your owned channels. That caution paces every prompt-to-purchase claim you will be pitched.

The open question for email, parked for a future edition, is what email does when the recipient is increasingly an agent. The plausible answers are structured, machine-readable content, MCP-exposed offers, and email as a trigger for conversational checkout rather than the place the conversion happens. For disclosure, nitrosend is MCP-first, which is one practitioner on-ramp here, but there is no outcome evidence yet, so this stays a watchlist item, not a recommendation. On conversational-commerce numbers, be precise or silent: Bloomreach’s early-access average for its Clarity shopping agent is a reported +9% conversion and +20% average order value, while the eye-catching +35.2% conversion belongs to one retailer on a single Black Friday, not a general cohort. Both are self-selected, so treat them as correlational and directional, not as a forecast.

Strip away the vendor noise and the operating model is stable. Capability keeps shipping, and you should adopt it where it earns its keep: send-time optimisation, variant generation and testing, abandonment triggers, first-draft copy. Autonomy stays supervised, because the irreversible action is a send and the decision-maker is non-deterministic. The failure mode is the organisation, which means the work that pays off is rebuilding your workflow and your guardrails around the agent, not buying a bigger model.

Run the preflight gates on every send, human or agent. Govern the data as if the operator is liable, because the operator is. Use reinforcement learning where you have the volume and the holdouts to measure it, and ignore it where you do not. Read every vendor number as a claim until a holdout-controlled outcome backs it. And keep a human on the send button. The best email marketers of 2028 will be the best editors, strategists and risk managers, not the best button-clickers. The agent optimises. You direct, and you approve.