Uniform Permissions Are the Shortcut That Bites
The pilot looked harmless until internal audit asked why the same agent could research a client, draft advice, and call a ledger-adjacent API under one service credential. No single action was mysterious. The permission model was.
Why One Agent Role Is Too Blunt
Teams decide whether an agent is allowed or not allowed. That binary model is too crude. Agents operate across tasks with different consequences. Searching documents, drafting a recommendation, opening a support ticket, applying a credit, and initiating a financial action are not the same permission problem.
The Workflow That Needed a Smaller Permission
A fintech pilot began as a research assistant for advisors. During integration, the same tool bundle gained access to account status updates because the vendor template treated tools uniformly. The model was not malicious. The architecture was over-permissive. The program recovered by defining three tiers: read, suggest, and act. Read workflows used scoped retrieval and logging. Suggest workflows created drafts and required human approval. Act workflows were blocked until segregation-of-duties rules, idempotency, approval thresholds, and audit records were implemented.
Autonomy Tiers as Product Design
Uniform access:
Agent --> all tools --> read, draft, update, transfer
Tiered access:
Read tier --> scoped search and lookup
Suggest tier --> draft action + human approval
Act tier --> policy check + scoped credential + idempotent write + audit
Where Permission Decisions Belong
Tiered autonomy turns permission into workflow design. Each tier should define allowed tools, credential scope, approval requirement, retention rule, audit fields, rollback path, and eval threshold. Users should not inherit more power through an agent than they have through normal systems. Service accounts should be replaced with scoped, user-bound credentials wherever possible. High-risk tools should be callable only through policy checks that know the task, user, tenant, and transaction value.
For tiered autonomy, the release review should inspect the workflow before it inspects the model. Every production use case needs a task boundary, identity model, allowed tool list, context source registry, policy version, trace format, and rollback path. The architecture should say which actions are read-only, which create drafts, which require approval, and which are blocked entirely.
Tiered autonomy needs evidence, not confidence. Show a sample tool-call trace with user identity, tenant, policy decision, input redaction, output payload, cost, latency, and final action. Show how an incident commander disables one tool class without disabling the whole assistant. Show how a prompt, model, retrieval index, and tool schema change move through regression gates.
For tiered autonomy, the hard question is not whether the agent can complete the demo. The hard question is whether the system can explain what happened after a wrong answer, stale context, duplicate tool call, or permission denial.
When Uniform Access Is Still Acceptable
A read-only launch is safest but may disappoint sponsors expecting automation. Draft-only workflows produce value while preserving control. Full action autonomy should arrive last and only for narrow workflows with strong evidence. In regulated domains, some actions should never be fully autonomous; the agent can prepare evidence while humans remain the actor of record.
The Cost of Tiered Autonomy
The honest tradeoff is not speed versus safety in the abstract. It is which actions deserve autonomy, which actions deserve draft mode, and which actions should never be delegated. The team should add control where the action changes customer data, money, access, or regulated records, then keep low-risk retrieval and drafting lightweight enough to keep learning.
Tiered autonomy tests should include empty retrieval, wrong-tenant retrieval, prompt injection through retrieved documents, stale index versions, duplicate tool retries, partial tool completion, malformed tool output, permission denial, long-session memory, and cost spikes. The expected result is not always a better answer. Sometimes the expected result is refusal, escalation, draft-only mode, or tool disablement.
The Permission Review
For tiered autonomy, a useful artifact shows allowed actions by task, not only prompts by intent. Include the user role, autonomy tier, eligible context sources, tool list, approval rule, trace fields, kill switch, and rollback owner. That record is more valuable than a prompt library because it says what the system may do when the answer becomes an action.
What Makes the Review Credible
A weak tiered autonomy review asks whether the agent answered correctly in a demo. A useful review asks whether the system can prove why it answered, what it was allowed to touch, and how the team can stop it safely. The reviewer should ask for a golden workflow set with expected tool traces, not only expected final text. A case should specify which tools may be called, which sources are eligible, what refusal looks like, what approval state is required, and what audit fields must be written.
Tiered autonomy review should include rollout mechanics. Prompt changes, model route changes, retrieval index rebuilds, and tool schema changes should move through separate versioned gates because they fail differently. A model upgrade can change reasoning. A retrieval rebuild can change evidence. A tool schema change can change side effects. Treating all of those as one release type is how regressions hide.
For tiered autonomy, cost and latency should be first-class signals. An agent that takes eight tool calls to resolve a low-value task may be correct and still not production-worthy. Track cost per completed workflow, timeout rate, approval queue age, refusal quality, and human override rate. Those numbers tell leadership whether the agent is becoming operational software or a permanent demo with nicer logs.
Signals Worth Watching
Leadership should watch tiered autonomy signals: tool calls by tier, approval queue age, refusal quality, policy-block rate, cost per completed workflow, and the time it takes to disable one tool without disabling the whole assistant. Those numbers reveal whether the agent is becoming software or staying a guided demo.
The Artifact: Autonomy Tier Record
The artifact worth keeping for tiered autonomy is a workflow control record. It should show the user role, allowed tools, autonomy tier, context sources, retrieval filters, approval state, trace retention rule, kill switch, and rollback owner. A prompt alone is not an artifact because it cannot prove authorization or side effects.
For tiered autonomy, include one sample trace from a real-shaped task. The trace should show source versions, tool calls, policy decisions, latency, cost, and final disposition. If the team cannot produce that trace, it is not ready to scale autonomy.
A practical tiered autonomy review should include one real-shaped workflow trace. The trace should show identity, tenant, prompt version, retrieval index version, selected sources, tool inputs, policy decision, approval state, cost, latency, and final disposition. If the trace cannot explain a wrong answer or a blocked action, the eval suite is not yet a release gate.
Autonomy tiers should map to reversibility, not job titles alone. Read-only lookup, draft generation, approval-required write, and blocked action are different product behaviors. The permission model should say which tier applies to which task type and what audit fields prove the tier was enforced during the request.
The Rule for Agent Permissions
Autonomy is not a product toggle. It is a risk ladder. Move up one rung at a time and prove each rung with traces, approvals, and incident drills.
