Operator memo: a short checklist before an agent gets more permission.
Before giving your agent more access, write the boundary first
If you only do one thing this week, pick one agent that can change something outside its own sandbox. Write down what it may do, what it may only prepare, who can approve the risky step, and how you revoke the permission.
I turned that into a short checklist you can copy into a team doc.
why this check exists
Most permission reviews happen too late. The agent already has the key, the workflow already has write access, and the team is trying to remember who approved what.
The checklist forces the boundary into writing before the permission changes.
the seven questions
What may it do without approval?
What may it prepare but not execute?
What may it never do?
Which tool identity does each action use?
Which actions require approval?
Who can pause or revoke the permission?
Which logs prove what happened?
If one answer is fuzzy, stop there. Fix the boundary before adding more access.
what to paste into the team doc
Agent or workflow:
Owner:
Permission being requested:
System/tool affected:
Allowed without approval:
Allowed to prepare, not execute:
Never allowed:
Approval gate:
Pause or revoke path:
Logs and recovery:
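One way to make the filled-in template enforceable, as an added example that is not part of the original memo: the boundary becomes a record, a check lists the fuzzy answers, and every action is decided default-deny. The field names, action names and the sample agent are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Boundary:  # hypothetical record; fields mirror the template above
    owner: str = ""
    allowed: set = field(default_factory=set)       # allowed without approval
    prepare_only: set = field(default_factory=set)  # may prepare, not execute
    never: set = field(default_factory=set)         # never allowed
    gated: dict = field(default_factory=dict)       # action -> set of approvers
    revoker: str = ""                               # who can pause or revoke
    log_sink: str = ""                              # where the evidence lands
    revoked: bool = False

def gaps(b):
    """List the fuzzy answers; any entry means stop before adding access."""
    found = [f"{name} is empty" for name in ("owner", "revoker", "log_sink")
             if not getattr(b, name)]
    found += [f"'{a}' has no approver" for a, who in b.gated.items() if not who]
    buckets = {"allowed": b.allowed, "prepare_only": b.prepare_only,
               "never": b.never, "gated": set(b.gated)}
    names = list(buckets)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            for a in sorted(buckets[x] & buckets[y]):
                found.append(f"'{a}' is in both {x} and {y}")
    return found

def decide(b, action, approved_by=None):
    """Default deny: revocation and the never list win over everything else."""
    if b.revoked or gaps(b) or action in b.never:
        return "deny"
    if action in b.gated:
        return "execute" if approved_by in b.gated[action] else "hold_for_approval"
    if action in b.prepare_only:
        return "prepare"
    if action in b.allowed:
        return "execute"
    return "deny"  # anything not written down is outside the boundary

# Constructed sample boundary for a hypothetical deploy agent.
SAMPLE = Boundary(owner="platform-team",
                  allowed={"read_repo", "open_pull_request"},
                  prepare_only={"draft_release_notes"},
                  never={"delete_branch"},
                  gated={"merge_to_main": {"alice"}},
                  revoker="on-call lead", log_sink="audit-bucket")
```

An action that appears in two lists, or a gate with no named approver, makes `gaps` non-empty and every decision falls back to deny until the record is fixed.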
Gradient Push. Practical notes for building AI automation without losing the thread.
