Stop Calling Agents Employees

The language around AI agents has gotten too cute.

People call them interns, coworkers, operators, copilots, and digital staff. It sounds useful until you remember what the system actually is: a probabilistic text engine wired to tools, logs, credentials, APIs, and sometimes infrastructure that can hurt you.

That is not an employee. That is an actuator.

And actuators need guards.

The metaphor is doing damage

An employee can be trained, corrected, disciplined, fired, and held responsible. A model cannot. It can produce better outputs under better conditions, but responsibility never moved into the model. Responsibility stayed with the system designer.

When teams pretend the agent is a worker, they skip the boring parts:

  • what it is allowed to read
  • what it is allowed to change
  • what requires approval
  • what gets logged
  • what gets replayed after failure
  • what gets rate-limited
  • what gets denied forever

Those are not personality issues. They are control-plane issues.

Agents should ask, not mutate

The useful pattern is not "let the agent run the stack." The useful pattern is "let the agent propose a bounded action, then make the system prove it is allowed."

That means the agent does not get raw shell trust. It does not get to quietly edit production state because a prompt sounded confident. It emits an intent. The control plane classifies the intent, checks policy, writes an audit event, and asks for approval when the blast radius is real.

If that sounds slower, good. Some things should be slower.

The point is not to remove automation. The point is to stop pretending that speed is the same thing as safety.

Receipts beat vibes

The next serious agent platforms will not win because they make the model sound more human. They will win because they make the machine easier to distrust.

Show the requested action. Show the files. Show the host. Show the command class. Show the risk. Show the rollback path if one exists. Show the exact human approval that moved the system from proposal to mutation.

If an agent cannot explain the action well enough for a control plane to classify it, it should not be allowed to perform the action.
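
The proposal-to-mutation flow described above (intent, classification, policy check, audit event, approval), as an added example that is not part of the original post. The policy table, command-class names, field names and the digest-bound approval format are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed policy for illustration: command class -> decision.
POLICY = {
    "read_logs": "allow",
    "draft_patch": "allow",
    "restart_service": "approve",
    "edit_prod_config": "approve",
    "drop_database": "deny",
}
AUDIT_LOG = []  # stand-in for an append-only audit sink


@dataclass(frozen=True)
class Intent:
    command_class: str
    host: str
    files: tuple = ()
    rollback: str = ""  # empty when no rollback path exists


def digest(intent):
    """Stable hash of the intent, so an approval names one exact action."""
    blob = json.dumps(asdict(intent), sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def gate(intent, approval=None):
    """Classify a proposed intent, write a receipt, return the decision."""
    approval = approval or {}
    if not intent.host or intent.command_class not in POLICY:
        decision = "deny"  # cannot be classified, so it cannot run
    else:
        decision = POLICY[intent.command_class]
    approver = None
    if decision == "approve":
        # An approval counts only if it is bound to this exact intent.
        if approval.get("approver") and approval.get("intent_digest") == digest(intent):
            decision, approver = "allow", approval["approver"]
        else:
            decision = "pending_approval"
    AUDIT_LOG.append({"intent": asdict(intent), "digest": digest(intent),
                      "decision": decision, "approver": approver})
    return decision
```

Every call writes a receipt, including denials, and an approval issued for one intent does not unlock a different one.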

The better story

The agent is not your employee. It is not your friend. It is not your junior engineer.

It is an untrusted proposal engine attached to a set of tools. That can still be incredibly useful. It can inspect logs, summarize state, draft patches, generate plans, and catch patterns you missed.

But the system around it has to be built like the model will eventually be wrong.

Because it will be.

The grown-up version of agent infrastructure is not charisma. It is restraint.