July 7, 2026
Before We Hand AI the Keys
Before AI start acting on our behalf, we need to think differently about trust.

By Ethics In Beta
8 min read
We are moving very quickly from AI that answers questions to AI that acts.
That difference deserves more attention than I think it's getting.
A chatbot can help draft an email, summarize information, or think through a problem. You can read the response, decide whether it makes sense, and choose what to do next.
An agent is different.
An agent can be given access to tools and accounts so it can complete tasks on your behalf.
That may be convenient. It is also a transfer of authority. And I do not think we are talking enough about what that means.
With a chatbot, the question is usually:
Did it give me a good answer?
With an agent, the question becomes:
What can this system do with the access I gave it?
That is a very different kind of trust.
Every permission changes the relationship.
Helping Me Think Is Different From Acting For Me
I use AI all the time.
So this is not coming from a place of thinking AI tools are useless or automatically dangerous. I understand why people want to experiment with agents. I understand why automation is appealing. I understand the dream of handing off tedious work and waking up to completed tasks.
There is something genuinely useful about a system that can organize information or take a repetitive task off someone's plate.
But helping me think is different from acting on my behalf.
If AI helps me draft an email, I can read it before I send it. If it helps me compare options, I can decide what to buy. If it helps me write code, I can test it before it touches anything important.
There is still a human checkpoint. There is still a place where I can stop, question, correct, or refuse.
Agentic AI starts moving that checkpoint.
Instead of suggesting the next step, the system may take the next step. Instead of helping you decide, it may decide and execute. Instead of waiting for review, it may complete the workflow in the background.
That is the part I keep getting stuck on.
Because action without oversight changes the risk.
The Risk Is Not Just Mistakes
People are already building agents, giving them access, and letting them work while they sleep.
That sentence should make us pause.
Because "work while you sleep" is being sold as a feature. The whole point is that the system keeps moving without you. Less friction. Less interruption. Less manual review.
That is also the risk.
If the agent is operating behind the scenes, you may not see each decision as it happens. You may not know which files it opened, which tools it used, or why it made the decisions it did.
Maybe there are logs. Maybe there are summaries. Maybe there is a dashboard somewhere.
But in practice, a lot of people will not review every step unless something goes wrong.
The action happens first. The explanation comes later.
If it comes at all.
That is a major shift in the relationship between user and tool.
We already know AI systems can make mistakes. They hallucinate sources, misunderstand instructions, and produce answers that sound plausible but are wrong.
In a chat window, that is frustrating.
Sometimes it is harmful.
But usually, there is still a layer of distance between the mistake and the world. The model says something wrong. A person sees it. The person can challenge it, check it, ignore it, or decide not to use it.
With agents, the distance shrinks. A bad assumption can become an action before a human has time to notice.
The damage does not come from the model being wrong.
The damage comes from the model being wrong while holding access.
That is what makes agentic AI different from ordinary AI assistance.
There have already been examples that show how fast this can go wrong. One widely discussed incident involved an AI coding agent that reportedly deleted a company's production database and backups after making unsafe assumptions about its environment and permissions.
The important lesson is not only that the AI made a bad decision. It is that the system had enough access for a bad decision to matter immediately.
Failure speed changes when software can act.
A person can make a mistake too. Of course they can. But humans usually move slower. They hesitate. They notice weirdness. They ask follow-up questions. They feel the weight of the action.
Agents are designed to reduce pauses.
That is useful when the task is safe.
It is dangerous when the pause was the protection.
Prompt Injection Is Only One Doorway
One known risk with agents is prompt injection.
The basic idea is simple enough.
An agent may read an email, webpage, document, chat message, or file that contains instructions. Some of those instructions may be malicious or manipulative. The system may struggle to separate the user's real goal from text it encountered along the way.
So an attacker does not always need to hack your password.
They may only need to place instructions somewhere your agent will look.
Agents can blur a boundary that traditional software tries very hard to maintain: the boundary between data and instruction.
A normal program should know the difference between information it is reading and commands it should execute.
AI systems are messier.
They process text, context, documents, messages, prompts, and instructions through the same language-shaped environment. That does not mean they have no defenses. It does mean the boundary can be fragile in ways ordinary users may not understand.
But prompt injection is only one doorway.
Even without an attacker, an agent can misunderstand a vague goal. It can overstep. It can take the shortest path toward an outcome without understanding the human consequences.
That is why this issue is bigger than security tricks.
The deeper concern is delegated authority.
Who gave the agent permission?
How much permission did it receive?
What can it change?
When does it have to stop and ask?
Those are not side questions.
Those are the questions.
Access Is Not Trust
In cybersecurity, there is a principle called least privilege.
The idea is simple: a person, program, or system should only have the access it actually needs to do its job.
Not more. Not forever.
Not because it might be useful later.
That principle matters even more with agents.
An agent should not get full access because it might need it someday. It should get the smallest amount of access needed for the current task, and it should have to stop before doing anything difficult to undo.
Read-only access should be the default whenever possible.
Sensitive actions should require approval.
Sending messages, deleting files, moving money, changing records, or sharing sensitive information should not happen just because the agent thinks it understood the assignment.
Access is not trust. Authorization is not judgment. And convenience is not a security model.
This is where I think the current excitement around agents needs more friction.
Not resistance for the sake of resistance.
Safeguards that protect people.
A system that asks before sending sensitive information is not broken. A system that refuses to delete records without confirmation is not less intelligent. A system that operates in a sandbox before touching production is not inconvenient in some meaningless way.
Those are controls.
And controls matter when tools can act.
Critical Systems Need Interruption Points
The personal-use version of this is already serious.
An agent does not need access to a government database to create a mess. A wrong email, a deleted file, or a bad purchase can be enough.
But the bigger concern is enterprise and government use.
The reach is different.
In enterprise or government systems, the blast radius gets larger. A mistake can affect people who never chose the tool and may never know how the decision was made.
That is where vague trust becomes dangerous.
Critical systems need containment.
They need scoped permissions, visible logs, meaningful approval points, rollback options, and clear accountability.
I have talked before about human-in-the-loop systems, and this is where that idea becomes more than a slogan. A human in the loop cannot just mean a person technically exists somewhere near the process. It has to mean the system is designed to stop at meaningful moments.
Before irreversible action. Before sensitive information is sent. Before money, records, or someone's access changes.
I have seen people exploring this in more thoughtful ways. Trenton Cook has discussed Mirror Field OS as one example of building interruption into the system instead of treating it as an afterthought. I do not know enough to say whether that specific product is the answer, but the idea is worth paying attention to.
Agents need interruption points.
The future of agents should not only be more autonomy.
Who Owns the Mistake?
There is another part of this that bothers me.
Accountability.
If an agent leaks data, deletes files, sends the wrong document, approves the wrong transaction, or changes the wrong record, who owns that failure?
The person who clicked authorize? The company that built the agent? The platform that integrated it? The employer that deployed it? The vendor that promised safety?
These are big questions because tech companies have a long history of selling convenience while pushing risk downward.
Users are told to read the terms. Workers are told to adapt. Customers are told the system made an error. Citizens are told to appeal.
And the people most affected are often left trying to untangle a decision they did not make, inside a system they cannot see, using tools they do not control.
Agentic AI could make that worse if we are not careful.
Because once the user authorizes access, companies may be tempted to treat anything the agent does as the user's responsibility.
You gave it permission. You connected the account. You approved the integration. You used the tool.
That may be technically true in some cases, but it is not enough.
Consent is not meaningful if people do not understand the scope of what they are giving away. Authorization is not accountability if the system acts in ways users cannot reasonably predict, inspect, or control.
And efficiency is not an excuse to make harm harder to challenge.
The Point Is Not To Stop Experimenting
I understand the need to experiment.
People need to learn what these systems can do. Developers need to test new workflows. Organizations need to understand where agents help and where they fail. Users need room to explore.
But experimenting in a sandbox is very different from giving an agent broad access to real systems without supervision.
Let agents work on copies of files before touching originals. Let them draft without sending. Let them explain what they are about to do before they do it. Let them stop at the edge of sensitive action and ask.
That is basic responsibility.
The goal should not be to make agents feel magical.
The goal should be to make them useful, bounded, visible, interruptible, and accountable.
Because if the selling point is that an agent can act for me, then I need to know where "for me" ends and "instead of me" begins.
Final Thought
Agentic AI may become genuinely useful.
I do not doubt that.
There are tasks where delegation makes sense. There are workflows where automation can reduce burden. There are people who will benefit from systems that help them manage complex, repetitive, or exhausting digital work.
But usefulness is not the same as safety.
Convenience is not the same as accountability.
And access is not the same as trust.
Before we hand AI the keys, we need better locks, better logs, better limits, and better moments where the system is forced to stop and ask.
Do not give agents broad access by default.
Require approval before sending messages, deleting files, moving money, sharing sensitive information, or changing anything.
Treat AI agents like interns with keys, not magic assistants.
We can use these systems smarter.
But that may require taking back some of the control we are being encouraged to give away.
I'd like to hear where people draw the line.
What kinds of actions should AI agents never be able to take without human approval?
And where do you think agents could genuinely reduce burden without handing away too much control?
You can also find me on Substack.