Imagine a 40-person consultancy that wires up an automated assistant to read incoming support emails, pull relevant context from the company wiki, and draft replies. To save time, the team flips a switch from “draft for approval” to “send automatically below a confidence threshold.”<\/p>\n
Three weeks later, a client calls. They received an email promising a refund the company never agreed to give. The agent, having generalized from a few past resolutions, decided this was the right answer. The email went out under a real person’s name. The client has already forwarded it to their legal team.<\/p>\n
The agent has no legal personhood. The vendor’s terms of service almost certainly exclude liability for output. The team member whose signature appeared on the message didn’t write it. The manager who flipped the switch didn’t see this particular email. The agent did the thing, but everyone else is left holding the consequences.<\/p>\n
In my last article, I argued that the new models got smarter but not more honest. That asymmetry was uncomfortable when they only talked. It becomes load-bearing now that they act.<\/p>\n
The real shift in 2026 is not what most AI in the workplace articles claim. Models did not become partners. They did not develop judgment, accountability, or stakes. What changed is that they can now do things: browse, click, run code, edit files, send messages, modify state in systems you depend on.<\/p>\n
That’s not partnership. Partners share judgment and consequences. What you actually have is a highly capable delegate: you authorize, it executes, you own the outcome.<\/strong><\/p>\n The distinction matters because the law, the contract, and the org chart already know what to call this. When an agent acts using your API key, your OAuth token, your credentials, your account, your domain: you are the principal. The agent is acting in your name. The legal frameworks are catching up to this reality. In California, AB 316 (Civil Code \u00a71714.46), effective January 1, 2026, prohibits defendants who “developed, modified, or used” an AI system from arguing that the AI autonomously caused the harm. In the EU, the new Product Liability Directive,\u00a0 which Member States must transpose into national law by December 9, 2026, extends strict liability to AI systems as “products”,\u00a0 with rebuttable presumptions that lower the burden of proof for claimants. The direction is consistent: accountability follows authorization. Whoever deployed it, owns it.<\/strong><\/p>\n This isn’t a thought experiment. Browser agents, coding agents, spreadsheet agents, MCP-connected tool agents, they are in production at small and medium businesses right now. Most of those businesses have not thought hard about what that means.<\/p>\n When an LLM only talks, verification is cheap. You read the output. You catch the mistake or you don’t, but the cost of missing one is bounded \u2014 usually wasted time, occasionally a bad decision based on bad information.<\/p>\n When an LLM acts, verification has to move *upstream* of the action. Once committed, state changes propagate. Some you can roll back. Some you can’t.<\/p>\n The 2025 reflex of “let the model run, then read what it produced” does not survive contact with the second and third categories. By the time you read it, the action has already happened.<\/p>\n This is the structural reason “trust the agent more” is the wrong advice for 2026. The question is not how much to trust. The question is *where* in the workflow trust gets verified, and for irreversible actions, that has to be before the action, not after.<\/p>\n What actually works, in roughly the order most small and medium businesses should adopt it, mirrors established DevSecOps practice, the Microsoft Security Development Lifecycle (SDL) being the canonical example. None of these are new ideas in IT; what is new is that SMEs now operate systems that require them.<\/p>\n The novelty in 2026 is not the practices themselves. It is that small and medium businesses now operate systems requiring them, without the infrastructure teams that grew up around them in larger organizations.<\/p>\n The skill that distinguishes good agentic AI users in 2026 is not prompting. It is **authorization design**: deciding what the agent is allowed to do, under what conditions, with what verification, in whose name.<\/p>\n 1. What is the worst outcome if this goes wrong?<\/strong> For small and medium businesses, this is knowledge management work, not IT work. The agent is operating on your processes, your client relationships, your data, your reputation. The architecture decisions, what the agent can touch, who confirms what, where the audit trail lives, are decisions about how your business operates, not just how your tools are configured.<\/p>\n If your company is rolling out agentic AI without explicit answers to those four questions for each use case, you are not deploying technology. You are placing a bet, blind, on a behaviour you have not characterized.<\/p>\n In the last article, I argued that smarter models are not more honest. That meant verification was still your job when the model talked. Agentic models extend the argument: verification can no longer happen after the fact, because the act has already happened.<\/strong><\/p>\n So structural verification, the guardrail stack above, becomes the new honesty mechanism. Not because the model has become trustworthy, but because you have built an environment in which its untrustworthy moments cost less than its trustworthy ones save.<\/p>\n This is what calibrated trust<\/strong> actually means in practice. It is not “trust more”. It is “design a system in which the consequences of misplaced trust are bounded, observable, and recoverable”.<\/p>\n The AI is not your partner. It is your highly capable delegate. You are still the principal, and in 2026, that distinction is beginning to matter in ways the vendors are in no hurry to explain.<\/strong><\/p>\n Authorize accordingly.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":" The 2026 shift isn’t from prompting to partnership. It’s from conversation to delegation \u2014 and delegation comes with strings the vendors aren’t talking about. Imagine a 40-person consultancy that wires up an automated assistant to read incoming support emails, pull relevant context from the company wiki, and draft replies. To save time, the team flips …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[102,55,68],"tags":[35,104,57,59,63],"class_list":["post-255","post","type-post","status-publish","format-standard","hentry","category-agentic-ai","category-ai-en","category-ai-in-practice","tag-advice","tag-agenticai-en","tag-ai-en","tag-gpt-en","tag-llm-en"],"_links":{"self":[{"href":"https:\/\/knowtech.waszmann.com\/index.php?rest_route=\/wp\/v2\/posts\/255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/knowtech.waszmann.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/knowtech.waszmann.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/knowtech.waszmann.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/knowtech.waszmann.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=255"}],"version-history":[{"count":2,"href":"https:\/\/knowtech.waszmann.com\/index.php?rest_route=\/wp\/v2\/posts\/255\/revisions"}],"predecessor-version":[{"id":262,"href":"https:\/\/knowtech.waszmann.com\/index.php?rest_route=\/wp\/v2\/posts\/255\/revisions\/262"}],"wp:attachment":[{"href":"https:\/\/knowtech.waszmann.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/knowtech.waszmann.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/knowtech.waszmann.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}The Verification Asymmetry<\/h3>\n
A rough taxonomy worth carrying in your head:<\/h3>\n
\n
The New Guardrail Stack<\/h3>\n
\n
What This Means for Knowledge Workers and SMEs<\/h2>\n
Four questions to ask before delegating any task to an agent:<\/h3>\n
\n2. Is it reversible? In what timeframe? At what cost?<\/strong>
\n3. Whose name is on the action when it happens?<\/strong>
\n4. What is my detection latency \u2014 how long before I notice something is wrong?<\/strong><\/p>\nThe Honesty Throughline<\/h3>\n
The Closer<\/h3>\n