How far should AI agents be trusted to touch production data?
The author spent years building and personally handling 2am failures, and found that most 'agentic' tools they tried were really just fancy autocomplete — largely useless once the work required tracking data lineage or enforcing governance rules. Recently they have been testing Databricks' Genie Code for heavier work, where it can plan and execute multi-step jobs — such as profiling features, training a few models, logging results to MLflow, and shipping a dashboard — all within a single thread.
What won them over is that the tool is grounded in , a system that manages who can access which data, so it only shows data the current user is actually allowed to see and asks for confirmation before changing a table. Generic agents connected through MCP, a protocol that lets agents reach external tools and data, kept getting exactly this permission boundary wrong.
Even so, the author still reviews everything before it ships, and describes the shift from copiloting (assisting alongside a human) to delegating (letting the agent actually execute) as a real change in how they work. They then ask others where they draw the line between letting an agent execute actions directly versus only proposing changes as a diff, and whether the s have actually held up enough to trust the agent on s, or whether they are still checking everything by hand.
Key points
- Databricks' Genie Code plans and executes multi-step jobs (profile features → train models → log to MLflow → ship a dashboard) in a single thread
- Grounded in , so it only surfaces data the user can see and confirms before mutating a table
- Generic MCP-connected agents reportedly kept failing at this same permission boundary
- Everything shipped is still manually reviewed — described as a shift from copiloting to delegating, not full automation