AI's next fight is over permission, not prompts
The next serious AI question is not 'what prompt did you use?' It is 'why did the agent have access to that in the first place?'
The useful AI story this week is not another model.
It is access.
A few things landed at once. Google is showing more AI-assisted production work and The Verge has been testing Gemini Spark, described as a 24/7-style agent that can do things on your behalf. Nvidia is pushing further into agent PCs with Microsoft, Dell and HP in the mix. Marketing School has an episode about building an AI to watch how you work, which is a much more honest framing than most “AI employee” nonsense.
At the same time, the backlash is already visible.
Meta’s AI support chatbot was reportedly exploited in an Instagram account hijacking issue. Strava is tightening API access and blaming zero-code AI apps and scrapers. DuckDuckGo is making its no-AI search option easier to access as its traffic grows.
That looks messy if you read it as news items.
It looks obvious if you read it as a market pattern.
AI is moving from generation to access.
For the last couple of years, most companies have played with AI inside a fairly safe box. Draft this. Summarise that. Rewrite this email. Give me ideas for a campaign. Make this blog post less dull. Fine. Useful enough. Annoying when wrong, but usually recoverable.
Agents change the shape of the problem.
A useful agent needs doors opened for it. It needs files. Tools. Context. Login sessions. APIs. Customer records. Publishing rights. Analytics. Inbox access. Calendar access. CRM access. Maybe payment access later, because of course someone will suggest that before lunch.
That is when AI stops being a toy in a tab and starts becoming part of the operating system of the business.
And that is exactly when the trust problem gets real.
A chatbot giving you a bad answer is irritating. An agent with the wrong permissions can create actual work. It can send the wrong message. Pull the wrong data. Expose a private file. Trigger a support process. Scrape something it should not touch. Update a record from stale context. Make a customer-facing mistake at speed.
This is not an argument against agents. I use agents every day. Foundry is built around the idea that AI systems can remove real drag from commercial work.
But the boring bit matters.
Who gave the agent access?
What was it allowed to do?
Could it only draft, or could it publish?
Could it read the whole vault, or only the project folder?
Could it contact customers, or only prepare a response for approval?
Could anyone see what it did afterwards?
Could anyone roll it back?
These questions are not governance theatre. They are the product.
This is where a lot of AI adoption will go wrong. A business owner will see a slick demo and think: great, this can run our follow-up. Then someone will connect Gmail, HubSpot, Slack, Google Drive and the website CMS without first deciding what the agent is allowed to touch.
That is not innovation. That is giving a keen intern admin access on day one because they made a nice spreadsheet.
The Marketing School “AI to watch how I work” idea is interesting because it points to a better model. AI as an apprentice, not a replacement fantasy.
An apprentice observes first. Then it helps. Then it gets trusted with small, repeatable jobs. It earns more scope when the work holds up. You do not hand it the keys to the whole building because it produced three decent summaries.
That is the frame business owners need.
Start with one workflow. Not “we need AI across the company.” That sentence should be illegal until someone can explain the first useful job.
Pick something repeatable and annoying. Sales follow-up after a call. Turning a webinar into usable content and email follow-up. Checking daily support tickets for recurring complaints. Watching analytics for obvious campaign waste. Preparing a weekly competitor brief. Turning podcast notes into draft posts with source links.
Then design the access model before you design the agent.
What does it need to read? What can it write? What must stay read-only? Where does it need approval? Where can it act without approval because the downside is tiny? What evidence does it need to cite? Where does the log go? Who owns the result when it is wrong?
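One way to write those answers down before any agent is connected, as an added example (not code from this post or from Foundry): a deny-by-default gate that sits between the agent and its tools, scopes reads to one project folder, holds customer-facing sends for approval, and logs every request. The policy rules, resource names and agent name are all hypothetical.

```python
import fnmatch
import json
import time

# Hypothetical policy for a single "sales follow-up" workflow (constructed for this example).
# Each rule is (action, resource glob, decision). First match wins; no match means deny.
POLICY = [
    ("read",  "vault/projects/acme/*", "allow"),    # the project folder, not the whole vault
    ("read",  "crm/contacts/*",        "allow"),
    ("write", "drafts/*",              "allow"),    # drafting: small downside, no approval
    ("send",  "email/customers/*",     "approve"),  # customer-facing: needs human sign-off
    ("write", "cms/live/*",            "deny"),     # never edits the live site
]

AUDIT_LOG = []  # stand-in for an append-only log stored where the agent cannot write


def decide(action, resource, policy=POLICY):
    """Return 'allow', 'approve' or 'deny' for a requested tool call."""
    # fnmatch's '*' also matches '/', so refuse '..' segments that would
    # otherwise let a path climb out of an allowed folder.
    if ".." in resource.split("/"):
        return "deny"
    for rule_action, pattern, decision in policy:
        if action == rule_action and fnmatch.fnmatchcase(resource, pattern):
            return decision
    return "deny"


def gate(agent, action, resource, approved_by=None):
    """Check one tool call, record it, and return True only if it may run now."""
    decision = decide(action, resource)
    may_run = decision == "allow" or (decision == "approve" and approved_by is not None)
    AUDIT_LOG.append(json.dumps({
        "ts": time.time(), "agent": agent, "action": action, "resource": resource,
        "decision": decision, "approved_by": approved_by, "ran": may_run,
    }))
    return may_run


if __name__ == "__main__":
    # Constructed requests: an in-scope read, an out-of-scope read, an unapproved send.
    for act, res in [("read", "vault/projects/acme/call-notes.md"),
                     ("read", "vault/hr/salaries.md"),
                     ("send", "email/customers/jo@example.com")]:
        print(act, res, "->", gate("followup-bot", act, res))
    print("\n".join(AUDIT_LOG))
```

Denied and held requests are logged as well as permitted ones, so the log answers "what did it try to do?" and not only "what did it do?".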
This is the practical work. It is also the bit most AI vendors skip because it ruins the demo.
A demo wants magic. A business needs boundaries.
The same logic applies to marketing.
The post-agency opportunity is not “we can make more content with AI.” Everyone can make more content now. Most of it is landfill with paragraph spacing.
The better opportunity is to build permissioned commercial loops.
A content system that reads approved source notes, drafts in the founder’s voice, flags claims that need proof, and waits for sign-off before publishing. A sales system that checks CRM context, drafts follow-up, marks the evidence it used, and queues the message for a human. A campaign system that watches performance, spots the obvious mismatch between ad and page, creates an experiment brief, and does not randomly edit the live site because it got excited.
That is where AI becomes useful without becoming feral.
It also explains why trust and data access are becoming commercial issues. DuckDuckGo’s no-AI push is not just a search feature. Strava tightening API access is not just developer admin. Meta’s support bot exploit is not just a security story. They are all reminders that people and platforms are deciding how much access AI gets.
That decision is going to show up everywhere. In procurement. In client contracts. In marketing ops. In customer support. In publishing workflows. In every SaaS product that now has an “AI assistant” bolted onto the side like a spoiler on a family hatchback.
The serious question is not whether AI agents will get better. They will.
The question is whether the businesses using them will get better at managing access.
My bet: the winners will not be the people with the fanciest prompt library. They will be the people who can turn messy work into visible, permissioned systems.
That means fewer grand AI transformation decks and more actual operating design. Scope the job. Limit the access. Ground the context. Log the action. Ask for approval where the downside matters. Review the output. Improve the workflow.
Boring? Yes. Also the difference between an AI system that helps the business and one that quietly creates a mess for someone else to clean up.
If you are a business owner, do not start by asking which agent to buy.
Start by asking which keys you are about to hand over.
Then decide if the system has earned them.