Production AI agents need step-level permissions
Production AI agents become risky when broad are attached to the whole agent. A single agent-level permission such as updating a CRM, sending emails, charging a card, or opening may feel simple in demos, but it does not hold up well in real systems. The safer control point is each execution step.
The system should not only ask whether an agent may update a CRM; it should check whether this exact change to this exact object is allowed under the current source state, , approval policy, retry rule, and receipt requirement. The LLM can suggest an action, but the runtime should decide whether that action is allowed to run. Without this split, systems can end up with overly wide , outdated approvals, unsafe retries, and audit logs that record what the model claimed instead of what actually happened.
The direction for agent is less about a smart agent with tools and more about a around every action that changes something outside the model.
Key points
- Broad agent-level are convenient for demos but risky in production.
- Each real action should be checked at the step level before it runs.
- The LLM should propose actions, while the runtime approves or blocks execution.
- and retry rule checks help prevent duplicate or unsafe repeated actions.
- Audit logs should record what actually happened, not only what the model said it did.