The hard part of putting AI agents into production is not getting them to work. It is getting them to work without quietly accumulating risk you cannot see, stop, or explain. Plenty of teams have a working agent in a notebook and no agent in production, because the gap between the two is governance, not capability.
This is a practical guide to crossing that gap. The thesis is simple: deploy gated, widen scope on evidence, and never give up the ability to see, stop, and prove what an agent did. Everything below is an elaboration of those three moves.
The instinct to launch an agent with broad authority "to see what it can do" is exactly backwards. The right starting posture is the narrowest scope that still produces value — typically recommend, not act. Let the agent draft, score, and propose while a human executes. This is not a permanent state; it is rung zero of a graduation path.
Narrow scope at launch does two things. It caps the blast radius of any early mistake to something a human catches before it matters, and it generates the outcome data you will need to widen scope responsibly. You cannot calibrate an agent you have never observed making real decisions.
Authority should expand the way trust expands with a new hire: in response to a demonstrated track record. On the platform, this is handled by a graduation state machine plus human-set guardrails — an agent earns wider scope as its calibrated confidence holds up against tracked outcomes, and it can be demoted just as readily if reliability slips.
The discipline here is refusing to widen scope because an agent feels reliable or because a few impressive runs created momentum. Wilson-interval calibration is deliberately conservative on small samples precisely so that a handful of lucky outcomes does not buy an agent authority it has not earned.
Some actions should never execute unattended, no matter how reliable the agent becomes. Anything that moves money, sends an irreversible external communication, or changes a system of record belongs behind a human approval gate. On the platform, which actions require approval, how many approvers, and the authority thresholds are all configurable per deployment, with conservative defaults — and any high-impact or externally consequential workflow carries a quadruple-gate.
The craft is in gating the right things. Gate everything and operators tune out and rubber-stamp; gate nothing and you have removed the human exactly where they were most needed. The goal is gates that fire on genuinely consequential or low-confidence actions and stay quiet otherwise.
However well an agent behaves in testing, you need the ability to stop it instantly in production. A supreme kill-switch sits above anything that touches the real world, and watchdog supervision monitors the running system. This is not a sign of distrust in the agent — it is the basic precondition for trusting it at all. You can extend authority generously precisely because you can revoke it instantly.
Capture the audit trail before you think you need it. Every decision should land in a hash-chained, replayable log with its evidence and reasoning, from the very first gated run. Retrofitting audit is impossible: if the evidence behind a decision was never recorded at the moment it was made, no later tooling recovers it. Day-one audit is also what makes the graduation path defensible — when you widen an agent's scope, you can point to the logged track record that justified it.
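One way to build the hash-chained decision log described above, as an added example rather than the platform's own implementation; the field names, the sample agent and records, and the all-zero genesis value are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value that the first entry chains to

def _digest(prev_hash, body):
    # Canonical JSON so the same record always serialises to the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(log, agent, action, evidence, reasoning, approved_by=None):
    """Record one decision; its hash covers the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "agent": agent, "action": action,
            "evidence": evidence, "reasoning": reasoning,
            "approved_by": approved_by}
    entry = dict(body, prev=prev_hash, hash=_digest(prev_hash, body))
    log.append(entry)
    return entry

def verify(log):
    """Return the index of the first broken entry, or None if the chain holds."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return i  # entry removed, reordered, or spliced in
        if entry["hash"] != _digest(prev_hash, body):
            return i  # evidence, reasoning, or approval edited after the fact
        prev_hash = entry["hash"]
    return None

def build_sample_log():
    # Constructed sample decisions from a recommend-only agent.
    log = []
    append(log, "invoice-agent", "recommend_payment",
           {"invoice": "INV-001", "confidence": 0.91}, "matches PO and receipt")
    append(log, "invoice-agent", "recommend_hold",
           {"invoice": "INV-002", "confidence": 0.42}, "amount differs from PO")
    append(log, "invoice-agent", "recommend_payment",
           {"invoice": "INV-003", "confidence": 0.88}, "matches PO and receipt",
           approved_by="ops-reviewer")
    return log

if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify(sample) is None, "head:", sample[-1]["hash"])
```

A chain proves internal consistency only: dropping the newest entries still verifies, so record the latest hash somewhere the agent and its operators cannot rewrite and compare against it on replay.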
Deployment location is a control, not a logistics detail. Self-hosted keeps data and execution inside your own boundary; managed offloads operations while we run the infrastructure for you; multi-tenant adds isolation for enterprise contexts. The Deployment models page lays out the trade-offs, and the right answer depends on how sensitive the data is and how much operational burden you want to carry.
Put together, a controlled deployment looks like this: launch at recommend-only scope, capture full audit from the first run, gate every consequential action, keep the kill-switch live, and widen authority only as calibrated outcomes justify it. None of these steps slows you down in any way that matters — they are what make it possible to move fast without betting the business on an agent's good day.
The Trust Center documents how each of these controls is implemented and configured, and is the best next stop if you are scoping a real deployment.