Agentic AI: when the assistant acts on your behalf

Agentic features are arriving in or alongside tools SMBs already pay for, including productivity suites, CRM systems, support platforms, and workflow tools. The practical decision is often whether to enable, restrict, or leave those features available, and the available controls depend on license tier, product design, and admin configuration. The same staff who delegated authority to the agent are the same staff who would catch a mistake, which thins the practical control compared to a larger organization. A single wrong external sharing link, refund, payment, or permission change is large relative to SMB revenue and client trust.

A drafting tool produces output a person reviews before sending, changing, or submitting; an agentic tool can take the action directly in a business system. The practical signals are whether the tool has connectors to business systems beyond reading content, whether it can send, share, delete, change, book, approve, grant access, submit, or pay through those connectors, and whether the session approval covers more than producing text. Vendor marketing terms like 'assistant,' 'copilot,' 'agent,' and 'autopilot' are not reliable indicators on their own, because vendors use them inconsistently. The admin console, connector list, and product documentation are the reliable places to check what actions the tool is permitted to take and whether any of those actions run without human approval.

Consequential actions fall into three buckets owners can use to self-classify before enabling an agent: money movement, external communication or sharing, and structural changes to systems or records. Money movement covers payments, expenses, orders, and financial submissions. External communication or sharing covers client-facing email, file sharing, sharing-link creation, contract steps, external approvals, and commitments. Structural changes cover file deletion, permission changes or access grants, system configuration, and account modifications. The full enumeration is in the article body and the policy rule; the three buckets cover the same ground at a level owners can apply quickly. Per-action human approval applies to anything in these three buckets, while reversible low-risk work like drafting, tagging, internal task creation, finding files, or preparing a report for review can run without per-action approval. The bucket test for borderline cases is whether undoing the action requires contacting an outside party, pulling from backup or version history, or restoring access that someone may already have used.

Per-action approval applies only to consequential action classes, not to every action the agent takes. An agent can still find files, summarize threads, prepare drafts, tag emails, create internal tasks, propose meeting times, or build a report for review without asking each time, which is where most of the time savings live. The approval prompts that matter are the small number of cases per day when the agent is about to send, share, change, delete, grant access, approve a consequential request, or pay something on the business's behalf. The approval prompt is the practical interception point before a wrong action lands externally.

A scoped account is the user account the agent runs under, configured to give the agent only the access it actually needs and no more. In common SMB Microsoft 365 or Google Workspace environments, scoped-account practices include avoiding owner or administrator accounts, using a separate non-administrator account where the product supports it, granting the narrowest connector access available, and revoking connectors the agent does not need. Some platforms allow agent-specific service principals or app-only authentication; where available, those are preferable to running the agent under a human user account. Enterprise features like conditional access policies, Privileged Identity Management, and per-application sign-in restrictions are useful if available on the business's tier, but are not the SMB baseline. A quarterly review of authorized connectors keeps the agent's reach from quietly growing through new product features or staff connecting additional services.

Browser agents act through the browser profile or session they are using, which means they may inherit signed-in access to business systems available in that profile, including CRM, webmail, cloud storage, admin portals, or financial sites. Closing a tab is not enough if the session token or cookie remains valid, and MFA does not stop agent actions taken through a session that is already authenticated. An API-scoped agent has explicit credentials and limited scopes the admin chose; a browser agent may operate through whatever access the active browser profile or session provides. The practical controls are running the agent in a separate browser profile with no banking, admin, or social media sessions logged in, maintaining a narrow allowlist of permitted sites, and avoiding extensions in that profile that can read page content, cookies, or session data.

Prompt injection is when hostile instructions hidden in content like an email, document, web page, or shared file steer the AI's behavior. A drafting tool gives a person the chance to see biased or wrong output and reject it before acting on it, while an agentic tool can have already sent, shared, changed, deleted, approved, granted access, or paid before anyone reviews what happened. The differentiator is the action surface, not a different kind of manipulation. The combination of action surface and prompt injection is why agentic AI needs per-action approval, scoped accounts, and action-level logging, which together give staff a chance to intercept a manipulation before it lands as an external action.

Start the pilot with reversible low-risk action classes (drafting, tagging, internal task creation, finding files, proposing meeting times, or preparing reports for review) and explicitly block the consequential classes for an initial period such as 60-90 days, longer if action volume is low. Limit the pilot to a small group (typically 2-4 staff) under defined supervision, with the agent running under a scoped non-administrator account rather than an owner or admin account. The pilot definition before kickoff covers which action classes the agent may take, which require per-action approval, what the daily and weekly review looks like, who reviews, and what would trigger pausing the pilot. Expand the agent's action authority only after the pilot has produced enough action history for the review process to have surfaced patterns the business can act on.

Action-level logging records what the agent decided, what it acted on, which account it used, and which source input triggered the action, while session-level logging only records that an agent session occurred. Before relying on the review cadence, verify that the platform captures the action class, source input, account used, approval decision, timestamp, and enough exportable or retained history to review later. The realistic SMB cadence during pilot and early rollout is a daily 5-minute anomaly check, a weekly 15-30 minute review of flagged actions, and a monthly 30-60 minute trend review; setting an enterprise-level monitoring expectation would make the review more likely to be skipped. Agent memory deserves specific attention during these reviews because the risk is instruction persistence across sessions ('always CC this address,' 'approve payments under $5K without asking'), which is different from the content-memory concerns covered in confidential data entering AI and meeting AI.

Reconstruction of the agent's actions comes before response decisions, because what the agent actually did determines what can be reversed, what has to be notified, and what credentials may have been exposed. Pull the agent's action log to enumerate exactly what was done, under which account, at what times, and which source input triggered each action. Triage each action by reversibility class: external email and posted messages may be partially recallable inside the same tenant if caught quickly but typically reach the recipient anyway; financial actions follow the wire-recall, ACH-return, and fraud-recovery process covered in phishing and payment fraud; granted permissions and sharing links can be revoked but the access window may already have been used; deleted or modified files may be recoverable from version history or backup if action is taken before retention expires. Also check for downstream effects, such as sharing links that were forwarded, CRM changes that triggered automated messages, permission changes that were used, or drafts that staff later sent. Disable the agent, revoke or reissue its connector authorizations where feasible, and rotate the user account's credentials if compromise, token exposure, or unauthorized access is suspected, so the agent cannot take additional actions while the response is in progress. Notification decisions for affected clients, customers, or regulators stay with the owner and appropriate counsel, based on what the agent sent, changed, or shared and what contractual commitments apply.