Srinath Therampattil
Back to blog
agents · enterprise · platform-engineering · reliability 3 min read

Designing Reliable AI Agents on Top of Enterprise Platforms

An agent that can take actions in a system of record is powerful and dangerous in equal measure. The guardrails — permissions, idempotency, audit, and human checkpoints — that make autonomous actions safe on business-critical data.

TL;DR

An agent that acts on a system of record is powerful and dangerous in equal measure. Make it act with the user's permissions, keep every action idempotent, give it a small reviewed set of tools, require human checkpoints on consequential actions, and log the full chain. The guardrails — not the model — are what let you turn it on.

A chatbot that answers questions about your data is useful. An agent that acts on that data — updates records, creates cases, triggers workflows — is an order of magnitude more useful and an order of magnitude more dangerous. On an enterprise platform, where the data is the business’s system of record, that danger is not theoretical.

A read-only mistake produces a wrong answer. A write mistake produces a wrong state — and that propagates through every downstream automation, report, and integration that trusts the record. Here’s how I think about making action-taking agents safe enough to ship on business-critical systems.

Actions need permissions, not just the agent’s

The most important design decision: an agent acts with the permissions of the user it’s acting for, never with god-mode credentials. It’s tempting to give the agent a powerful service account so it “just works.” That’s how you build a confused-deputy problem — a user asks the agent to do something they could never do themselves, and the over-privileged agent happily does it.

If the agent runs in the user’s security context, the platform’s existing permission model does the hard work for you. The agent simply cannot take an action the user wasn’t allowed to take. You get the platform’s decade of access-control thinking for free, instead of reinventing it badly.

Every action must be idempotent

Agents retry. The model times out, the loop re-runs, a network blip triggers a second attempt — and now you’ve created two cases, sent two emails, or applied the same update twice. On a system of record, duplicate actions are corruption.

Design every action the agent can take to be idempotent: safe to apply more than once with the same effect as applying it once. Use idempotency keys, check-before-create, and natural deduplication on the platform side. Assume the agent will repeat itself, because under real conditions it will.

Constrain the action space deliberately

An agent with access to “any API call” is unauditable and unsafe. The reliable pattern is a small, well-defined set of tools — each one a deliberate, reviewed capability with validated inputs, not a raw gateway to the platform.

This is the difference between “the agent can update the opportunity’s stage to one of these valid values” and “the agent can run arbitrary updates.” The first is something you can reason about, test, and trust. The second is something you’ll be explaining in an incident review. Narrow the surface until each action is individually defensible.

Match the checkpoint to the blast radius

Not every action needs a human in the loop — but the consequential ones do. Tier the agent’s autonomy by reversibility and impact:

  • Auto-execute the cheap and reversible: drafting a summary, suggesting a next step, populating a scratch field.
  • Require confirmation for the consequential and hard to undo: closing a deal, issuing a refund, mass-updating records, anything customers or money touch.

The mistake is treating these the same. Full autonomy on trivial actions is fine; full autonomy on a refund is a headline. Decide where the line is before you ship, and make the agent ask for permission across it.

Make the agent observable, not a black box

When an agent takes an action on a system of record, you need to be able to answer “why did this happen?” weeks later. That means logging the full chain: what the user asked, what context the agent retrieved, what it decided, which tool it called, and what the platform returned.

This isn’t just for debugging. It’s the audit trail that makes the feature defensible to security, compliance, and the customer whose record changed. An agent you can’t explain is an agent you can’t ship on business-critical data.

The takeaway

A reliable enterprise agent isn’t the one with the smartest model. It’s the one that acts within the user’s permissions, can’t corrupt state by retrying, has a deliberately narrow set of reviewed actions, asks before doing anything consequential, and logs enough to explain itself afterward.

The intelligence is the cheap part now. The guardrails are what let you actually turn it on.

Srinath Therampattil

Srinath Therampattil — Staff Engineer at Airbnb. Writing on agentic AI, platform engineering, and making models reliable on the systems businesses run on.

← Previous Non-Functional Requirements for AI Systems: What Staff Engineers Should Specify Next → Building Reliable LLM Features: What Production Actually Demands