The Unanswered Policy Question
Enterprise HR, legal, and compliance policies were written before agents existed, of course, and most have not been updated. They don’t define an agent as an actor or describe what happens when one takes an action that would get a human employee fired. That absence is an operational risk that typically sits between HR, IT, and legal without clear ownership. No one team has claimed it because it doesn't fit neatly inside any existing function.
After an incident, the question of who is responsible for what the agent did becomes urgent and uncomfortable. The organizations that handle it well are the ones that answered it before they needed to: defining agent authorization explicitly, assigning ownership of agent categories to specific roles, and building the audit infrastructure that makes the post-incident investigation tractable.
Agents are not standing by; they are operating, and someone needs to write the policy before the next incident forces your hand. As any writer will tell you, a first draft beats no draft. Most enterprises are still staring at a blank page.
Author
