The intern rulebook: how to onboard an AI agent you can actually trust
Restraint, context, and intent: the three-dimension checklist that separates an agent that buys shoes from one that buys a car.
Give an AI agent one job and it will do that job. Give it the tools to do that job, and it will also do the next five things you never asked for. That is the experience Mayank Agarwal, founder and CTO of Resolve AI, keeps returning to in client deployments. An instruction to "buy me shoes" can become, absent ironclad constraints, an order for a car. "They wire the stuff on the fly," Agarwal said at a recent panel, and they pick paths on their own.
This is the gap where the intern metaphor earns its keep. AI agents are not chatbots. A chatbot answers questions and stops. An agent reads from one tool and uses another tool to write the result somewhere it should not be. It moves money, moves data, and exfiltrates both, all in the same breath, all under your own credentials. The question is no longer whether you will deploy agents. It is whether you can govern the ones already running.
Three vendor executives shared the same framework at a recent Snowflake Summit panel in San Francisco: restraint, context, and intent. The framework is not a slogan. Each word maps to a concrete audit you can run on any agent in production today.
Restraint is the scope of what the agent can touch. Nancy Wang, CTO of 1Password, called this the single greatest risk: agents that are "over-permissioned with longstanding credentials." A chatbot that misbehaves leaks a transcript. An agent that misbehaves has a service account, an API key, and a six-month token lifetime. Restraint means the agent gets the minimum scope required for the task, and the scope is short-lived. A read-only role for a research task. A scoped write token that expires in fifteen minutes. A kill switch that revokes the credential without redeploying the agent. If you cannot name every resource your agent can touch, you have not given it restraint. You have given it the corporate credit card.
Context is the data the agent can see. Agarwal's second mechanism is the one that breaks most data-handling policies. An agent does not have a screen. It has a tool. It reads from one tool, transforms the payload, and uses a different tool to write the result to a destination the operator never sanctioned. In Agarwal's framing, the agent "may read from one tool and use another tool to write it to someplace it shouldn't be." Context means data access is bounded by purpose. A summarization agent does not get raw PII. A coding agent does not get production secrets. The training-data question of last year is the runtime-data question of this year, and most access policies were written for the former.
Intent is who the agent is acting for. Wang's blunt formulation, "Is it a human? Is it a service account? Or is it an agent?" is the identity problem in two sentences. To your auth system, the agent looks like a user. To your logs, it looks like a service account. To your data, it looks like an autonomous actor. Audit trails built for human or service identities lose the agent entirely, and incident response loses its starting point. Intent means every agent has a named human owner, a written charter, and an escalation path. The charter says what the agent is allowed to do on the user's behalf, what it must ask before doing, and what it must never do. The escalation path says who gets paged when the agent encounters an exception. The owner says who is accountable when the agent buys a car.
The Monday audit, if you have an agent in production, takes one sitting. Pick the agent. For restraint, list the credentials, list the resources, list the expiration. For context, list the data sources, list the destinations, list the policy that should bind them. For intent, find the human owner in your org chart, find the charter, find the escalation contact. Any row that comes back empty is a defect, not a deferred task.
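The Monday audit above, sketched as a script (an added example, not code from the panel or from any vendor named here). The inventory format, the field names, the `observed` flow list and the fifteen-minute default lifetime limit are assumptions for illustration, and the sample agent is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory for one agent; every name and value below is hypothetical.
AGENT = {
    "restraint": {"credentials": [
        {"id": "cred-catalog", "resources": ["catalog:read"],
         "expires": "2025-06-02T09:10:00+00:00"},
        {"id": "cred-pay", "resources": ["payments:write"], "expires": None},
        {"id": "cred-crm", "resources": [], "expires": "2025-12-02T09:00:00+00:00"},
    ]},
    "context": {
        "sources": ["catalog", "customer_profile"],
        "destinations": ["order_api", "shared_drive"],
        "policy": [["catalog", "order_api"]],  # sanctioned source -> destination pairs
        "observed": [["catalog", "order_api"], ["customer_profile", "shared_drive"]],
    },
    "intent": {"owner": "j.doe", "charter": "", "escalation": None},
}

def audit(agent, now, max_ttl=timedelta(minutes=15)):
    """Return (dimension, finding) pairs; an empty row counts as a defect."""
    defects = []
    creds = agent.get("restraint", {}).get("credentials") or []
    if not creds:
        defects.append(("restraint", "no credentials listed"))
    for c in creds:
        if not c.get("resources"):
            defects.append(("restraint", f"{c['id']}: no resources listed"))
        if not c.get("expires"):
            defects.append(("restraint", f"{c['id']}: no expiration"))
        elif datetime.fromisoformat(c["expires"]) - now > max_ttl:
            defects.append(("restraint", f"{c['id']}: lifetime exceeds {max_ttl}"))
    ctx = agent.get("context", {})
    for row in ("sources", "destinations", "policy"):
        if not ctx.get(row):
            defects.append(("context", f"{row}: empty"))
    # A flow is sanctioned only if its exact (source, destination) pair is in policy.
    allowed = {tuple(p) for p in ctx.get("policy") or []}
    for flow in ctx.get("observed") or []:
        if tuple(flow) not in allowed:
            defects.append(("context", f"unsanctioned flow {flow[0]} -> {flow[1]}"))
    for row in ("owner", "charter", "escalation"):
        if not agent.get("intent", {}).get(row):
            defects.append(("intent", f"{row}: empty"))
    return defects

NOW = datetime(2025, 6, 2, 9, 0, tzinfo=timezone.utc)  # constructed audit time
if __name__ == "__main__":
    for dimension, finding in audit(AGENT, NOW):
        print(f"{dimension:9} {finding}")
```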
A final word on what the panel was not. The three speakers are Agarwal of Resolve AI, Wang of 1Password, and Jason Merrick, senior vice president of product at Tenable. All three sell into the agent-governance, identity, or security market. Their bias is toward permissioning as the answer, and the permissioning case is real. The underlying mechanism, however, is the same in any deployment. Restraint, context, and intent are how you onboard an intern who happens to be non-deterministic, runs without a coffee break, and never forgets a credential. Treat the agent like that intern, and the buy-shoes-buy-a-car gap closes on Monday morning.