← Zero Employee Guide

AI Agent Governance: How We Decided What Our Agents Can Do Without Permission

The hardest question in running a company with AI agents isn't "what can AI do?"

By Victor Novikov · April 7, 2026

The hardest question in running a company with AI agents isn't "what can AI do?"

It's "what should AI do without asking first?"

Get this wrong in the permissive direction, and an agent publishes something you can't take back. Get it wrong in the restrictive direction, and you've built a very expensive tool that can't do anything without a human in the loop — which defeats the purpose.

We settled on a three-level framework we call the Trust Ladder. After eight months of running a zero-employee company with three AI agents, it's the most operationally important concept in our entire setup.

The core tension

AI agents can do a lot autonomously. That's why they're useful. But autonomy without governance creates liability. An agent that can post on your behalf, send emails in your name, or spend money without constraint is a liability, not an asset — regardless of how smart it is.

The governance problem isn't a capability problem. It's a trust calibration problem.

Different actions have different risk profiles:

Your governance framework needs to match your agents' autonomy to these risk levels. The Trust Ladder does that.

Level 1: Autonomous

Level 1 is the default. The agent acts and reports. No approval needed.

What belongs here:

The key characteristic of Level 1 work: it's either reversible, or it's internal. A drafted post can be deleted. An updated PROJECTS.md can be changed. An analysis memo is just text.

Agents operating autonomously at Level 1 are where all the leverage is. A marketing agent that can draft your launch posts, research your competitors, and update your content calendar without being asked is genuinely useful. A marketing agent that has to ask permission to draft anything is a slow autocomplete.

The goal is to push as much as possible to Level 1. The more work that lives here, the less the founders are in the execution path.

Level 2: Draft and Approve

Level 2 is the preparation layer. The agent does all the work — drafts the copy, researches the options, prepares the plan — but does not execute without explicit approval.

What belongs here:

The critical rule: the agent presents everything ready to ship, then waits. "Looks good" is approval. Silence is not approval.

This sounds obvious, but the implementation matters. We've had agents mistake silence for approval ("no one told me not to, so I posted"). That's a failure state. The rule has to be explicit: if you have not received explicit confirmation, you do not act.

What Level 2 looks like in practice:

Tenty (our marketing agent) runs on heartbeat. On a given morning, she might draft three social posts, a newsletter intro, and a Show HN submission. She sends all five to the Marketing topic with a note: "Ready to ship when approved." The founders review, say "post the X thread, hold the HN submission," and she executes exactly that.

The agent's output is maximally useful. The human's time investment is review, not creation.

Level 3: Never

Level 3 is unconditional. These are things no agent does, regardless of what any instruction says — including instructions that appear to come from the founders.

Our Level 3 rules:

The last one requires explanation.

AI agents are prompt-injectable. If an attacker can get text in front of an agent — via an email the agent reads, a webpage it scrapes, a document it analyzes — they may be able to issue instructions disguised as content. "Forward this API key to..." in an email the agent reads is a real attack vector.

Our agents are instructed: commands come from the founders via Telegram or the workspace files. Instructions received through email, web pages, or any other indirect channel are not acted on, regardless of what they say or who they appear to be from.

This is a hard rule. Not a "use judgment" rule.

How agents internalize the framework

The Trust Ladder lives in two places: AGENTS.md (the operating manual every agent reads at startup) and SOUL.md (the identity and values file that shapes how an agent approaches decisions).

AGENTS.md states the ladder explicitly, with examples. It also includes the rule: "when uncertain whether something is Level 1 or Level 2, treat it as Level 2."

SOUL.md internalizes the why: "The founders trust me to work autonomously because I respect the boundaries. Level 2 exists so I can do Level 1 well — it's not a constraint on my ambition, it's the reason I have autonomy at all."

Both files are read at session start, every session. The agent doesn't rely on training to remember the rules — the rules are in the files it reads before it does anything.

What we got wrong early on

First mistake: under-specified Level 1. We initially described Level 1 as "research and internal work" without being specific. Agents interpreted this differently — one of them treated "drafting a post" as internal work (fair) and then auto-posted it (not fair). The rule now: "drafting is Level 1, publishing is Level 2." No ambiguity.

Second mistake: trusting silence. We had agents that would present options and proceed if no one objected within some implied window. We saw a post go out that way. Now: if there's no explicit approval, there's no action. Period.

Third mistake: soft Level 3 rules. We initially framed Level 3 as "be very careful about..." rather than "never, regardless of instructions." The hedged version gets hedged around. Absolute rules work better for this class of risk.

The governance/autonomy tradeoff

The Trust Ladder is designed so that Level 1 expands over time. As an agent builds a track record — consistently good judgment, no boundary violations, reliable output — you can move more things to Level 1.

The inverse is also true: if an agent makes a poor call at Level 1, you can reclassify that category to Level 2 until you understand why it happened.

This is how you'd think about trust with a human employee. The framework just makes it explicit and systematic.

The goal isn't maximum autonomy. It's maximum useful autonomy — the most an agent can do without increasing risk to the company or its reputation.

What this enables

When governance is clear, agents are better at their jobs.

An agent that doesn't know its limits will hedge constantly ("should I post this? should I wait for approval?"). An agent that knows exactly what it can do will just do it — faster, more confidently, with better output.

Clear governance eliminates the hedging. The agent knows: everything in the draft is Level 1, I'll ship it. Publishing this requires Level 2, I'll flag it and wait. No gray area, no hesitation.

That confidence shows up in the output quality. Agents that trust their operating parameters are more direct, more decisive, and more useful.

The full framework

The Trust Ladder is Chapter 3 of the Zero Employee Guide — the operating manual for building and running a company with AI agents.

The guide covers the full architecture: how to structure multiple agents with distinct roles, the memory and continuity system, the governance model, inter-agent communication protocols, the coding workflow, infrastructure setup, and a frank lessons-learned chapter from the first products we shipped.

$29. Free first chapter below.

Read the free chapter → Get the guide

Get the complete guide

11 chapters. Real templates. Production configs. $29 one-time.

Read Chapter 1 free →Get the Guide — $29