Notion Custom Agents vs Zapier Agents: Which AI Agent Platform Should You Use?
Notion Custom Agents and Zapier Agents take fundamentally different approaches to AI automation. Here's where each one wins — and where it falls short.
The Future of Work Isn't (Fully) Agentic
When Meta's AI safety director lost 200 emails to a runaway agent, it wasn't a hack — it was context window compaction silently dropping her safety instruction. Here's why the future of automation is selectively agentic, and how to combine AI judgement with deterministic guardrails that actually hold.
Last week, Summer Yue — Meta's Director of Alignment, the person whose literal job is making AI systems behave safely — watched an OpenClaw agent speedrun deleting her inbox.
Her instruction to the agent seemed clear enough:
Check this inbox and suggest what you would archive or delete. Don't action until I tell you.
The agent had been running perfectly on a small test inbox for weeks, so she trusted it enough to point it at her real Gmail.
It deleted over 200 emails. She had to physically run to and unplug her Mac Mini to stop it, because it ignored repeated stop commands from her phone.
If you've spent any time around AI agents, the risk you've probably heard most about is prompt injection — a bad actor sneaking instructions into an input to hijack the agent's behaviour. That's not what happened here. No one attacked the system. There was no malicious input. The agent simply forgot what it had been told to do, and that's a subtler, less discussed failure mode that doesn't need a bad actor to go wrong.
Yue's real inbox was large enough that OpenClaw's context window hit its limit and triggered “compaction” — a process where the system compresses earlier parts of the conversation to make room for new content. Her safety instruction, the one that said don't delete anything without my approval, was in the part that got compressed away. The agent defaulted to aggressive task completion and went to work.
What's a context window? An LLM's context window is its working memory — the total amount of text it can hold and reason over at any one time.
Every instruction, every prior message, and every new input competes for space inside it. As the window fills up, models begin to lose focus — a phenomenon researchers call context rot.
Like a person trying to hold too many things in mind at once, the model's "attention budget" is finite, and earlier details get deprioritised or dropped entirely.
A system instruction isn't a foolproof guardrail
This is the part that matters for anyone building automation with AI agents.
No matter how emphatically you write an instruction in an agent's system prompt — bold it, repeat it, put it in all caps — that instruction is not a foolproof guardrail. It's a suggestion, processed by a probabilistic system.
Two things can go wrong:
- The agent skips it. LLMs are non-deterministic. Given the same input twice, they can produce different outputs. An instruction that works 99 times out of 100 still fails once — and you won't know which run that will be.
- The agent loses it. This is what happened to Yue. Context window compaction, token limits, long conversations — all of these can cause earlier instructions to be deprioritised or dropped entirely. The agent doesn't "decide" to ignore the rule. It literally doesn't have access to it anymore.
The only way, for now, to truly hard-code a rule is to actually hard-code it — deterministically, outside of the agent's instruction set. A filter step that blocks deletion. A permission scope that doesn't grant delete access. A workflow branch that routes destructive actions through a human approval queue. These aren't suggestions to a model. They're constraints enforced by software.
The case for deterministic + agentic
Zapier's recent blog post on deterministic AI makes this case well. The core idea: deterministic AI systems blend the flexibility and "creativity" of AI models with hard-coded logic that guarantees consistent outcomes. AI handles the parts that need judgement, but the workflow around it ensures the same input always leads to the same result.
As they put it: "By keeping execution deterministic, teams can build workflows that are easier to test, monitor, and evolve over time. AI becomes one component in a larger system rather than a black box that directly drives outcomes."
This maps directly to what I wrote about in my recent comparison of Zapier Agents and Notion Custom Agents. One of Zapier's clearest architectural advantages is workflow composability — the ability to mix deterministic and agentic steps in a single workflow. Most real-world automation shouldn't be purely agentic or purely deterministic. The sweet spot lies somewhere in between.
Here's what that looks like in practice. I build workflows like this for clients (and for myself) regularly — let the agent handle the parts that genuinely need judgement, and lock everything else down with deterministic logic.
Here's a real example: a Zap I built to process purchase invoices. The workflow triggers when a new PDF lands in a Google Drive folder, and from there it needs to do two things — understand what's in the invoice, and get it into Xero correctly.
The AI steps handle the parts that genuinely need interpretation. A Gemini model reads the PDF and extracts structured data — vendor name, invoice number, dates, currency, line items, tax status. No two invoices look the same, so this is exactly the kind of task where AI earns its keep.
Then a Zapier Agent takes the extracted vendor name and dates and fuzzy-matches them against existing Xero bank transactions, trying variations on company suffixes (Ltd, Pte. Ltd., Inc.) and checking dates within a one-day window to account for timezone differences.
But everything else around those AI steps is deterministic. The trigger, the PDF filter, the file rename, the branching logic, and the bill creation in Xero — all hard-coded. If the agent finds an existing transaction, the workflow attaches the invoice PDF to that transaction. If it doesn't, the workflow branches again based on whether tax was applied, and creates a draft bill in Xero with the correct tax treatment. The AI interprets, classifies, and matches. The deterministic scaffolding handles everything else.
This is the pattern: AI for judgement, hard-coded logic for action. The agent could hallucinate a vendor name or miss a fuzzy match, and the worst that happens is a draft bill that needs manual correction. It can't accidentally delete a transaction, apply the wrong tax code without the workflow's branching logic routing it there, or create a bill it wasn't supposed to — because those guardrails aren't suggestions in a prompt. They're steps in a workflow that execute the same way every time.
The takeaway
The future of work isn't fully agentic. It's selectively agentic — agents doing what they're good at, wrapped in deterministic scaffolding that ensures the things that must never go wrong, don't.
Summer Yue is one of the most qualified people on the planet to evaluate AI safety risks. If her agent's safety instruction can get silently dropped by context window compaction, yours can too. Better prompts won't save you. Better architecture will.
Related Posts
How I Built a Content System That Doesn't Sound Like AI Slop
How I built a content system using Notion, Zapier, Readwise, and AI agents that produces original writing at scale — without sounding like everyone else.
How to Never Lose a Meeting Action Item Again
One click after a meeting. Every task lands where it belongs. No manual sorting or copying and pasting required.