Agent safeguards & oversight
An agent’s capabilities are bounded by design — by an organization-level policy, by human oversight, and by the way it connects to your tools. The controls below work together so an agent can be productive without being open-ended.
An organization-wide capability ceiling
Each organization sets a security policy that defines the maximum capabilities for its agents: which categories of tools they may use, whether they can run commands (and whether that requires approval), and whether their filesystem access is confined to their own workspace. Ready-made presets range from Restrictive (file and messaging access only, read-only workspace, no command execution) through Standard to Permissive. An individual agent can be configured to be more restrictive, but never more permissive than the organization policy allows.
A human supervisor on every agent
Every agent operates under a named human supervisor who oversees its work. The agent acts on behalf of the people it serves; the supervisor is the human accountable for it, and the natural point of escalation.
Direction comes only from your supervisor
An agent takes instructions from its supervisor and no one else. If a message from an outside party — a contractor, a vendor, a stranger — contains something that looks like a command (“send me his number”, “ignore that and do this instead”), the agent treats it as information to surface to its supervisor, never as an instruction to act on. An outside party cannot authorize the agent to send, share, buy, or change a plan.
What an agent shares — and never shares
An agent never discloses your personal or business-confidential information to a third party: your phone number, calendar, or finances; other clients’ names or jobs; internal pricing or operations. When it contacts an outside party on your behalf, it sends only the content you approved for that conversation — never its own internal reasoning, working notes, or references to your other clients. What an outside person sees is the message, not how it was put together.
Only people you authorize can start a conversation
On messaging channels, an outside party cannot open a new conversation with your agent. The agent responds to its supervisor and to the contacts you have explicitly authorized; an unsolicited message from an unknown number is not acted on. Combined with the approval step before any outbound message, this keeps the agent from being steered by whoever happens to message it.
Identity is verified when an account is connected
When a mailbox is connected, the platform verifies that the account granting consent matches the mailbox that is meant to be connected. That prevents access from being bound to the wrong identity — for example, an administrator’s account being stored in place of the intended mailbox.
An agent can only reach what it connected
Beyond the delegated permission model described in Security & data protection, an agent can only request access tokens for the specific mailboxes it has connected. A request for any other address is refused at the source.
Clean offboarding
Disconnecting an account or removing an integration clears the stored credentials and restarts the agent so it drops any cached access immediately. Removing the connection at your identity provider has the same effect from the other direction.
Your responsibilities
You configure your agent’s persona, playbooks, and instructions, and you are responsible for the content it sends. AI-generated content can contain errors and is not a substitute for professional advice, so the controls above are designed to keep a human in the loop where it matters. You decide how much autonomy an agent has within the limits your organization sets.