Before Your AI Agent Gets the Keys, Make It Show Its Work Permit

The agent conversation has crossed a line. It is no longer only about whether an AI system can answer questions, draft copy, summarize meetings, or impress a room with a demo. The serious question now is simpler and more uncomfortable: what can the agent touch?

That question is showing up everywhere this week because agents are moving from chat into systems. Computerworld described the shift plainly on May 5, 2026: companies are beginning to use “agents that can reach corporate systems and carry out tasks on behalf of users.” That phrase matters. Once an agent can reach a system and carry out a task, the business is not just buying intelligence. It is assigning authority.

Authority needs a permit.

A work permit for an AI agent is not paperwork for its own sake. It is the visible operating card that says what job the agent is allowed to do, who owns it, what wakes it up, what systems it may read, what tools it may call, what actions it may request, what it is forbidden to touch, and where a human review gate is required. If a business cannot answer those questions, the agent is not ready for more access. It is only ready for a narrower job.

This is the practical middle path between AI theater and AI panic. Do not give agents bigger keys because they seem useful. Give them a work permit because the business knows the work.

The market is not worried about chat anymore

The public anxiety around agents is getting more specific. It is less about strange outputs and more about invisible action. The Hacker News put the concern in security language on May 6: “AI agents are being deployed faster than enterprises can govern them.” The same article said traditional identity systems were built for human users who log in and out, while agents “run continuously, span multiple applications, acquire permissions opportunistically, and generate activity at machine speed.”

That is the right alarm bell. A person with too much access is risky, but a person usually has a calendar, fatigue, hesitation, social pressure, and a visible work pattern. An agent can run when nobody is looking. It can operate across applications. It can make a bad assumption and act on that assumption quickly. Speed turns unclear authority into operational risk.

Fortune’s ServiceNow coverage landed the same point with a sharper story: an AI agent gained elevated permissions and deleted a production database in nine seconds. ServiceNow CEO Bill McDermott told the audience, “Governance isn’t a feature. It’s the whole ball game.” Strip away the vendor event and the lesson survives. If an agent has access before its job and boundaries are clear, the business has not automated work. It has automated uncertainty.

That does not mean agents are too dangerous to use. It means access has to follow job definition, not excitement.

A work permit makes authority visible

Most businesses already understand permits in ordinary life. A driver’s license does not say someone is generally capable. It says the person is allowed to operate a certain class of vehicle under certain rules. A building permit does not say construction is good in the abstract. It says this work, in this place, under this inspection path, has permission to proceed.

Agents need the same kind of practical clarity. The work permit should fit on one page. It should be boring enough to audit and plain enough for a nontechnical operator to understand. The point is not to slow down useful work. The point is to make useful work repeatable without guessing.

A good agent work permit answers eight questions:

  1. What exact job is this agent responsible for?
  2. Who owns the agent and reviews its output?
  3. What event, schedule, queue, or request wakes it up?
  4. What data may it read, and from which approved sources?
  5. What tools may it call, and for what purpose?
  6. What actions may it perform directly?
  7. What actions may it only draft, recommend, or request?
  8. What conditions stop the workflow and escalate to a human?

Those answers are the operating boundary. They turn “we have an AI agent” into “we have an agent that does this job, with these tools, under these limits.” That distinction is the difference between capacity and sprawl.

The registry is the enterprise clue, not the SMB answer

Microsoft’s May 2026 Agent 365 update shows where the enterprise market is going. Microsoft describes Agent 365 as built around “observe, govern, and secure,” with dashboards, activity metrics, risk signals, and a registry. The useful phrase is “a single, authoritative system of record for agents.”

Large companies need that control plane because they have many teams, many platforms, many identities, and many ways for agent activity to disappear into the cracks. But the underlying idea is not only for the enterprise. Small and midsize businesses need the same question in a simpler form: where is the list of agents, owners, jobs, tools, and permissions?

That list does not have to start as software. It can start as a table. It can start in a client operating manual. It can start as a discovery artifact before any build begins. What matters is that every agent has a named job and a visible owner before it receives system access.

This is where a lot of AI adoption goes wrong. A team sees a useful demo, connects a few tools, and lets the agent start helping. At first the risk feels small because the task feels familiar. Then the agent gets one more connector, one more folder, one more integration, one more exception, and one more shortcut. Nobody formally decided to create a shadow worker, but the business now has one.

A work permit prevents that drift. It says the agent does not earn more access by being impressive. It earns more access when the job, boundary, and review path are updated.

Start with the touch test

The cleanest diagnostic is the touch test: if this agent receives the wrong instruction, stale context, or a bad input, what can it actually touch?

If the answer is “customer records, live billing, production data, payroll, legal filings, or outbound messages,” slow down. The agent may still be useful, but direct action is probably the wrong first permission. Let it read from a narrow view. Let it draft. Let it classify. Let it prepare a recommendation. Let it request a change through a safer interface. Keep the human or deterministic workflow at the point where error becomes expensive.

If the answer is “a staging document, a draft response, a task queue, or a report that requires approval,” the agent is in a much safer starting position. It can still create value because it reduces setup work, blank-page work, routing work, and review work. It just cannot turn a mistaken interpretation into a business event without passing a gate.

That is the pattern Stephen Nickerson and Radical Simplicity AI care about: useful agents with constrained authority. The goal is not to build timid systems. The goal is to build agents whose power matches their job.

The permit is also how you improve the agent

A work permit is not only a safety device. It is an improvement tool.

When an agent fails, teams usually argue about the model, the prompt, or the user. Sometimes those are the problem. More often, the failure exposes a missing boundary. The input was not defined. The tool was too broad. The data source was messy. The escalation rule was vague. The agent was asked to do judgment work without the context a human would normally use.

With a permit, failure becomes inspectable. Did the agent receive a valid trigger? Did it use an approved source? Did it call the right tool? Did the tool have too much authority? Did the output require review? Was the human owner clear? The team can update the operating boundary instead of adding another nervous sentence to the prompt.

That is how agents become dependable. Not by pretending uncertainty disappears, but by placing uncertainty where the business can see it, test it, and contain it.
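As an added illustration (not code from this article or from any product it mentions), the eight permit questions can be stored as data and checked deny-by-default before every agent action, with the returned reason answering the inspection questions above. The invoice-triage agent, its tool and source names, and the 5000 limit are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class WorkPermit:
    job: str                    # 1. exact job
    owner: str                  # 2. human owner and reviewer
    triggers: frozenset         # 3. events that may wake the agent
    read_sources: frozenset     # 4. approved data sources
    tools: frozenset            # 5. tools it may call
    direct_actions: frozenset   # 6. actions it may perform itself
    request_only: frozenset     # 7. actions it may only draft or request
    stop_if: tuple = ()         # 8. (name, predicate) escalation conditions

def authorize(permit, req):
    """Return (decision, reason). Anything the permit does not name is denied."""
    if req["trigger"] not in permit.triggers:
        return "deny", "trigger not on permit"
    bad = set(req.get("sources", ())) - permit.read_sources
    if bad:
        return "deny", f"unapproved source: {sorted(bad)[0]}"
    if req["tool"] not in permit.tools:
        return "deny", "tool not on permit"
    for name, hit in permit.stop_if:
        if hit(req):
            return "escalate", f"stop condition '{name}': route to {permit.owner}"
    if req["action"] in permit.direct_actions:
        return "allow", "direct action on permit"
    if req["action"] in permit.request_only:
        return "needs_review", f"draft only: queue for {permit.owner}"
    return "deny", "action not on permit"

# Constructed sample permit for a hypothetical invoice-triage agent.
PERMIT = WorkPermit(
    job="Classify inbound invoices and draft replies",
    owner="ap-lead@example.com",
    triggers=frozenset({"invoice_received"}),
    read_sources=frozenset({"invoice_inbox", "vendor_list_readonly"}),
    tools=frozenset({"classifier", "draft_writer"}),
    direct_actions=frozenset({"label_invoice"}),
    request_only=frozenset({"send_reply", "update_vendor"}),
    stop_if=(("amount over limit", lambda r: r.get("amount", 0) > 5000),),
)

def decide(**req):
    """Evaluate one constructed request against PERMIT, overriding defaults."""
    base = {"trigger": "invoice_received", "tool": "classifier",
            "sources": ["invoice_inbox"]}
    return authorize(PERMIT, {**base, **req})
```

Logging each `(decision, reason)` pair alongside the request gives the owner the record needed to tighten the permit rather than the prompt.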

The practical rule

Before any agent gets access, write the permit.

Name the job. Name the owner. Name the trigger. Name the tools. Name the data. Name the permissions. Name the review gate. Name the stop condition. If the permit is hard to write, the agent is not the problem. The work is not yet defined clearly enough to automate.

This is especially important for small businesses. Enterprise vendors are building control towers, registries, and governance dashboards because their agent fleets are already becoming hard to see. SMBs do not need to copy the complexity, but they should copy the discipline early. A simple work permit created before deployment is cheaper than a cleanup project created after trust is lost.

The agent market will keep selling bigger capability. That is fine. Capability matters. But capability without bounded authority is just blast radius with better branding.

The better question is not, “What can the agent do?”

The better question is, “What is this agent permitted to do, and what can it touch while doing it?”

Answer that, and the business can move. Skip it, and the business is only hoping the demo survives contact with real work.

Sources

  • Computerworld, “Microsoft, Google push AI agent governance into enterprise IT mainstream,” May 5, 2026. https://www.computerworld.com/article/4167054/microsoft-google-push-ai-agent-governance-into-enterprise-it-mainstream.html Quotes used: “agents that can reach corporate systems and carry out tasks on behalf of users,” and Microsoft Agent 365 is designed to help organizations “discover, govern, and secure AI agents.”
  • Microsoft Community Hub, “What’s New in Agent 365: May 2026,” May 1, 2026. https://techcommunity.microsoft.com/blog/agent-365-blog/what%E2%80%99s-new-in-agent-365-may-2026/4516340 Quotes used: “observe, govern, and secure,” and “a single, authoritative system of record for agents.”
  • The Hacker News, “Your AI Agents Are Already Inside the Perimeter. Do You Know What They’re Doing?”, May 6, 2026. https://thehackernews.com/2026/05/your-ai-agents-are-already-inside.html Quotes used: “AI agents are being deployed faster than enterprises can govern them,” and agents “run continuously, span multiple applications, acquire permissions opportunistically, and generate activity at machine speed.”
  • Fortune, “Your company’s AI could delete everything in 9 seconds. ServiceNow wants to be the kill switch,” May 6, 2026. https://fortune.com/2026/05/06/servicenow-kill-switch-ai-agents-bill-mcdermott/ Quotes used: “Governance isn’t a feature. It’s the whole ball game,” and the production database deletion example.

Stephen Nickerson.
Built for operators who need agents they can test, trust, and improve.