Field notes from the operation.
Working papers on Transfer of Experience and AI agents, shipped by teams running agents in production.
Agent permissions, approval gates, and governance
Govern AI agents before autonomy by defining permissions, approval gates, data boundaries, and draft versus send rules.
Agent permissions, approval gates, and governance
AI governance should not begin after an agent goes wrong. It should be part of the role design from the start. For boutique consulting firms, the first question is not whether the model is capable. The first question is what the agent is allowed to do in the business.
Permissions, approval gates, and data boundaries turn an impressive demo into an accountable operating role. Without them, the firm risks giving a model access to sensitive context before deciding who owns the outcome.
This article builds on the model strategy in frontier and local AI models for boutique firms. It also pairs with the guide to moving from prompts to a small AI employee, where permissions are one part of the role anatomy.
Permissions should be written in business language
Permissions are often discussed as technical access, but the team needs business rules. What may the agent read? What may it summarize? What may it draft? What may it edit? What may it send? What must never be stored?
Good permission rules are plain:
- May read approved prospect threads
- May draft follow-up notes
- May create internal tasks for review
- May not send client or prospect messages
- May not store sensitive personal details as memory
- Must cite sources for factual claims
Rules like these are easier for partners, operators, and technical teams to share. They also prevent the common mistake of connecting systems before defining authority.
Approval gates protect trust
Approval gates are not bureaucracy. They are how a firm earns trust in the system. Early agents should prepare work, not own final action.
A staged pattern works well. First, the agent observes and summarizes. Then it drafts for review. Then it queues low-risk actions. Only after the firm has evidence should it consider narrow autonomous actions, and even then only inside a clearly bounded workflow.
For example, a daily briefing agent may summarize inbox and calendar changes from day one. It may draft follow-up notes after the team has corrected its brief format. It should not send messages until the firm has decided the exact conditions, reviewer, and rollback path.
This is not a lack of ambition. It is a faster path to adoption because people can use the agent without fearing silent mistakes.
Draft versus ship
Every agent should have a clear line between draft and ship. Draft means the model prepares material for a person. Ship means the action leaves the firm, changes a record, commits a decision, or triggers another workflow.
Drafting can include emails, proposal notes, meeting briefs, CRM updates, task descriptions, and internal summaries. Shipping can include sending email, updating client-facing records, approving spend, changing deal stage, or publishing content.
Most early AI roles should draft more than they ship. The firm can still save time if the agent prepares useful work. The point is to keep accountability with a person while the role proves itself.
The distinction also helps model choice. A frontier model may be right for a nuanced draft. A local model may be right for private extraction. Neither should ship high-consequence work without rules and review.
Data boundaries come before tool access
Before connecting tools, decide which data classes the agent may touch. Client confidential material, personal information, pricing logic, acquisition notes, and internal performance data may require different handling.
Some workflows can use local models through tools like Ollama or LM Studio. Others can use hosted frontier models with redaction, limited excerpts, or vendor controls. Some should stay manual until the firm has cleaned its sources and clarified obligations.
Data boundaries should answer four practical questions:
- Which sources are approved?
- Which sources are forbidden?
- What can be stored as memory?
- What must be deleted or excluded?
If those answers are unclear, the project is not ready for broad access.
Governance should be visible to users
People should not have to guess what an agent is doing. The output should show sources, uncertainty, required approvals, and any action it proposes. The team should be able to inspect why a recommendation appeared.
Visible governance also makes corrections useful. If an agent cited the wrong source, the team can fix source rules. If it misunderstood a preference, the team can update memory. If it recommended an action outside scope, the permission rule can be tightened.
Governance is a living operating layer, not a one-time policy document. It improves as the role encounters real work.
The governance test
Before launch, ask a simple set of questions. If the agent makes a bad draft, who catches it? If it sees data it should not see, how would we know? If it stores a wrong memory, who can correct it? If a model is unavailable, what happens to the workflow? If a person leaves, who owns the role?
If the team cannot answer those questions, the agent is not ready for more autonomy. It may still be ready for a narrow pilot with read-only access and human review.
Strong governance does not slow the best projects down. It helps the firm expand from one safe role to the next.
Where to go next
Done-for-you implementation assessment For boutique firms that want our team to assess, build, and manage the first agent.
Self-serve AI platform For teams that want to operate their own AI workspace.
Pay-per-run workflows For power users who want low-commitment workflow runs.