Access Is Not Agency

A developer argues that the true measure of an AI agent's agency is not the number of tools it can access but the action contract governing what it can change, prove, escalate, and revoke. The post introduces a five-layer 'rights stack'—visibility, mutation, proof, escalation, and revocation—as a diagnostic for evaluating agent systems, warning that most teams cannot answer all five questions. The developer predicts the agent market will split between those selling reach (more connectors) and those selling agency (permissioned action with bounded autonomy).

Your agent can read Slack. It can search email. It can query the CRM, open GitHub issues, check billing, browse docs, edit a spreadsheet, draft a customer reply, and call three internal APIs. Everyone in the room calls it powerful. That is the first mistake.

The question is not what the agent can access. The question is what it is allowed to change. Can it send the email, or only draft it? Can it update the customer's plan, or only propose the update? Can it merge the pull request, or only open it?

Once an agent can act through tools, the real system is no longer the model. The real system is the action contract around the model. More tools do not automatically make the agent more agentic. More tools expand the surface on which judgment must be engineered. A connector is a door. Agency is a contract about who may walk through it, what they may carry, who inspects the bag, and who reviews the footage if something goes wrong.

The current agent conversation misses this. People talk as if the next leap is connectors — give the model Slack, Gmail, GitHub, Linear, Notion, Stripe, and wait for autonomy to emerge. But a connector is not a decision right. If you want to know whether an agent has real agency, do not start with the model card. Start with the rights stack.

Every agent action system has five layers:

Visibility — which data, tools, documents, logs, and systems the agent can inspect.
Mutation — which objects the agent can change. Reading a customer record and changing it are different powers. Drafting a reply and sending it are different powers.
Proof — what the agent must produce before a mutation becomes real. A test run, a diff, a trace, a policy check, a human approval, or an evidence bundle.
Escalation — when the agent must stop and hand the decision to someone else. Not "human in the loop" as a slogan. A named condition: missing context, high reversibility cost, payment movement, privilege change, legal exposure.
Revocation — what changes after the agent fails. A human loses trust after a bad judgment. Most agents lose nothing. They fail, get patched, and return with the same action surface. That is not delegation. That is amnesia with API keys.

Run this on the most powerful agent you currently use. Not a toy. The one you are most tempted to trust. Most teams can answer the first question. Some can answer the second. Almost no teams can answer all five. That is the diagnostic.

If you cannot answer "what can it see?", you do not have an inventory.
If you cannot answer "what can it change?", you do not have a permission model.
If you cannot answer "what must it prove?", you do not have verification.
If you cannot answer "what triggers escalation?", you do not have oversight.
If you cannot answer "what permission disappears?", you do not have learning at the authority layer.

Good action rights are not one wall around the whole system. They are a slope. Read-only Slack search should be cheap. Drafting a customer reply should be cheap. Local reversible edits should be cheaper than external irreversible commitments. Sending the email, refunding the invoice, or merging the pull request should pass through stronger gates.

The goal is not to turn every agent into a form-filling intern. The goal is to match authority to consequence. That is how good human organisations work. The graduate can model scenarios. The manager can approve a small budget.
The director can reallocate headcount. The board approves the acquisition. Authority changes with consequence. Agents need the same gradient.

This is where the serious agent market will split. One side will sell reach: more connectors, more memory, more tools, more environments. The other side will sell agency: permissioned action, bounded autonomy, proof before commitment, escalation when context breaks, and revocation when trust is lost. Reach will demo better. Agency will survive contact with the organisation. Reach demos well in the room. Agency holds up in the incident review.

Before next week, run the Agent Action Rights Test on one workflow. Not your whole stack. One agent. One workflow. Write the five answers in a note. If the fifth answer is blank, you found the missing layer. The agent did not need another tool. It needed a smaller right to be wrong.
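
The five-layer rights stack described above can be written down as a default-deny gate that sits between the agent and its tools. This is an added example, not code from the original post; the class names, action names, proof labels and the sample support-agent contract are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Right:
    proof: frozenset = frozenset()        # layer 3: evidence required before the change is real
    escalate_if: frozenset = frozenset()  # layer 4: named conditions that force a hand-off

@dataclass
class ActionContract:
    visible: set                               # layer 1: systems the agent may inspect
    mutable: dict                              # layer 2: action name -> Right
    revoked: set = field(default_factory=set)  # layer 5: rights lost after a failure

    def decide(self, action, target, evidence=(), conditions=()):
        # Assumption: evidence and conditions are established by the gate's own
        # checks, never taken from the agent's claim about itself.
        if target not in self.visible:
            return "deny: not visible"
        if action in self.revoked:
            return "deny: right revoked"
        right = self.mutable.get(action)
        if right is None:                      # unknown actions are denied by default
            return "deny: no mutation right"
        hit = right.escalate_if & set(conditions)
        if hit:
            return "escalate: " + ",".join(sorted(hit))
        missing = right.proof - set(evidence)
        if missing:
            return "deny: missing proof " + ",".join(sorted(missing))
        return "allow"

    def record_failure(self, action):
        # A failed action loses its right until a human restores it.
        self.revoked.add(action)

def support_agent_contract():
    # Constructed sample contract for one workflow; every name here is hypothetical.
    return ActionContract(
        visible={"crm", "email", "billing"},
        mutable={
            "draft_email": Right(),
            "send_email": Right(frozenset({"policy_check"}), frozenset({"legal_exposure"})),
            "refund_invoice": Right(frozenset({"human_approval"}), frozenset({"missing_context"})),
        },
    )

if __name__ == "__main__":
    c = support_agent_contract()
    print(c.decide("send_email", "email", {"policy_check"}))
    c.record_failure("send_email")
    print(c.decide("send_email", "email", {"policy_check"}))
    print(c.decide("draft_email", "email"))
```

After `record_failure("send_email")` the agent can still draft but no longer send, which is the "permission disappears" answer the fifth question asks for.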