Spent an hour today with a peer running internal AI at a fast-scaling software company.
We got into the question that doesn't get talked about enough: where do you draw the line on what an AI agent can do without a human in the loop?
His answer is an agent mesh with strict approval modes. Every action gets promoted or demoted based on whether the agent earned trust on similar actions before.
Mine is different. One core agent with a minimal default tool set, sandboxed in a micro-VM, that has to request scoped permissions for anything bigger. The agent never sees the API keys. The platform decides what it's allowed to call.
Both work. Both have real failure modes.
The Pocket OS incident is the version everyone remembers (an agent finding keys in a repo and going off the rails). The version nobody talks about is the opposite failure: agents so locked down they're useless and the "AI rollout" quietly stalls.
If you're rolling out AI internally, where's your line? Read-only by default, or trusted-by-track-record? Or something else?