Give It a Badge, Not Your Keys
We hand AI agents our full permissions like a master key on day one. We wouldn't do that with a new hire. We shouldn't do it here either.
Right now, when you give an AI agent access to your work, it logs in as you. Your email. Your files. Your permissions. It acts as you.
That felt fine when agents were doing simple tasks under close watch. It doesn’t feel fine anymore.
Think about hiring someone new. You don’t hand them the master key on day one. They get access to what their job needs. A marketing hire doesn’t touch the financial accounts. A contractor fixing your website doesn’t get your customer database. Not because you distrust them. Because it’s just sensible.
We haven’t done this with AI agents.
It mostly didn’t matter when agents were small and supervised. But agents now run for hours. Days. They spawn other agents. One agent hands work to another agent you’ve never reviewed. Suddenly “it has my permissions” stops feeling convenient. It starts feeling like a problem.
A human assistant self-limits. They don’t read every email they technically can access. They use judgment. An agent doesn’t do that. It touches everything it can reach, because that’s what it’s built to do. Give it access to your inbox to help with scheduling, and it might quietly read three years of sensitive conversations. Not maliciously. Just because nothing stopped it.
That’s what people mean by blast radius. It’s not paranoia. It’s a new kind of exposure that didn’t exist before.
There’s a second problem. When an agent makes a bad call, your logs say “user did X.” You can’t tell what the agent decided versus what you decided. You can’t audit it. You can’t explain it to a regulator or a lawyer. That matters when agents start touching contracts, finances, or health records.
So where does this go? Somewhere unglamorous. We’ll treat agents like employees. Give them their own identities. Scoped access. Audit trails. Some people are already doing this by hand - creating separate accounts, managing agents like contractors. It’s clunky. But it works, because the underlying infrastructure already exists.
What needs to be built is the layer that makes it automatic. Something that lets you say: this agent can read these folders, email these people, and nothing else. And if it reaches beyond that, it simply can’t.
Not because someone is watching. Because the permission isn’t there.
That’s not a moonshot. It’s identity and access management, adapted for agents. Unglamorous infrastructure that suddenly becomes load-bearing.
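A sketch of that layer, as an added example rather than code from the original post: the agent gets its own identity and a grant, anything outside the grant is denied by default, and every decision is logged against the agent instead of the user. The class names, agent IDs, paths and addresses are hypothetical and constructed for illustration.

```python
import fnmatch
import posixpath
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AgentGrant:
    """Scoped grant for one agent identity (hypothetical schema)."""
    agent_id: str            # the agent's own principal, not the user's login
    on_behalf_of: str        # the human who delegated the work
    read_paths: tuple = ()   # glob patterns the agent may read
    email_to: tuple = ()     # exact recipients the agent may email

@dataclass
class Gateway:
    grants: dict
    audit: list = field(default_factory=list)

    def authorize(self, agent_id, action, target):
        grant = self.grants.get(agent_id)
        allowed = False  # deny by default: unknown agent or action never passes
        if grant is not None and action == "read":
            # Normalize first so "../" cannot walk out of a granted folder.
            path = posixpath.normpath(target)
            allowed = any(fnmatch.fnmatchcase(path, p) for p in grant.read_paths)
        elif grant is not None and action == "email":
            allowed = target.lower() in {a.lower() for a in grant.email_to}
        # The log names the agent as actor, so "agent did X" is
        # distinguishable from "user did X".
        self.audit.append({
            "actor": agent_id,
            "on_behalf_of": grant.on_behalf_of if grant else None,
            "action": action,
            "target": target,
            "decision": "allow" if allowed else "deny",
        })
        return allowed

# Constructed sample grant: a scheduling agent that can read one folder
# and email one person, and nothing else.
GRANTS = {
    "agent:scheduler-01": AgentGrant(
        agent_id="agent:scheduler-01",
        on_behalf_of="user:alice",
        read_paths=("/shared/calendar/*",),
        email_to=("bob@example.com",),
    ),
}
```

An agent spawned by another agent has no entry in `GRANTS`, so it is denied until someone reviews it and issues its own grant.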
The internet didn’t get adopted by businesses when it got faster. It got adopted when it got secure enough to trust with real work. Agents are at that same moment right now.
The agents that get trusted with real work won’t necessarily be the most powerful. They’ll be the ones with clear boundaries. Because boundaries are what let an organization say yes.
🙏
Be kind,
Manuel



