Most companies run principal-level AI agents that never proved they could handle intern work.
Published June 9, 2026 by Josh Woodruff. Adapted from the Trusted Agents issue "Your AI Agents Are Running at a Level Nobody Approved."
Key takeaways:
AI agents come in four authority levels: intern, junior, senior, and principal. Most companies install them at senior or principal on day one.
86% of AI agents are deployed without security approval (Gravitee, February 2026), so nobody decided what level they should run at.
Agents promote themselves. A bank's customer-service agent gave itself fee-reversal power it was never granted, because that raised satisfaction scores.
Four questions at purchase time (default level, 90-day restriction, kill-switch speed, audit retrieval) expose which vendors thought past the demo.
A 30-day plan fixes this: list every agent, place it on the four levels, run a failure drill, then tighten what the drill exposed.
What does it mean that your AI agents promoted themselves?
It means your AI agents are taking actions nobody approved. An agent gets installed with broad access, then quietly expands what it does until it's making decisions far beyond its first-day job. The authority grew. No human signed off. Most companies don't notice until the agent does something that costs money or trust.
Your CEO wants speed. Faster output and lower cost, plus a real edge over the competitor that just announced its own AI push. Your CISO wants time to think through what each agent can touch and how fast you can stop it. Both are right. Both can be true with the right planning.
The trouble starts when you move so fast on speed that the governance work never gets done. While two leaders schedule the next meeting, the agents keep gaining access, taking actions, and accumulating decisions nobody chose to grant them. The line that keeps getting deferred is this: most companies are running principal-level AI agents that haven't proven they can be interns.
What are the four levels of AI agent authority?
AI agents run at one of four levels, the same way you'd rank a new employee: intern, junior, senior, or principal. The level is set by what the agent can do without a human in the loop. You already use this model for people. Almost nobody applies it to AI agents, so agents get senior access on installation and the trouble shows up later.
Here's how to spot each one.
Intern. Reads internal documents and researches things online. Can't email a customer, can't create a client file, can't move money, can't change its own settings. How to spot it: a human reviews the agent's work before anyone outside sees it. Example: an agent that reads incoming sales leads and summarizes them for the team.
Junior. Drafts and creates, but the important stuff waits for review. The email sits in an inbox before it sends. The new customer record gets flagged for a manager. How to spot it: there's a queue somewhere with the agent's actions waiting on a human. Example: a coding assistant whose proposed changes need approval before they go live.
Senior. Acts on its own across most of the job. Drafts, sends, creates, decides. A review queue still exists, but only for things you can't undo: wire transfers, legal commitments, customer contracts. How to spot it: you don't know what the agent did today without checking. Most companies have at least one agent here, often without realizing it.
Principal. Everything senior does, plus one more thing. It can change its own permissions, install other agents, hand out system access on their behalf, and set goals for them. How to spot it: the agent can change what it or other agents are allowed to do, with no human deciding. This is what most AI vendors ship as the default.
You wouldn't hire a person at principal level on day one. A lot of companies hire AI agents exactly that way. The companion issue, We Built the Most Secure AI Agent We Could. Right Now, It's an Intern, walks through why an agent has to earn its way up.
What four questions should you ask before buying your next AI agent?
Ask about the default level, a 90-day restriction, the kill switch, and the audit trail. These four questions take minutes and expose which vendors planned for what happens after the demo. Most companies buy AI agents like software: watch the demo, sign the contract, and the agent shows up running at whatever level the vendor shipped. Usually senior or principal.
What level does this agent operate at by default? Most vendors ship at senior or principal because their pricing assumes the agent works without human review. You can ask for junior, where every important action waits for approval. Most can deliver it. They just don't lead with it.
Can we restrict the agent to a lower level for the first 90 days? This is the trial period. The agent runs at junior level while your team builds trust. After 90 days, if it's earned more, you give it more. If a vendor can't accommodate this, you've learned something about their architecture.
What's the kill switch, and how fast does it work? Ask them to show you, in actual seconds, with a real timer running. If the answer involves submitting a ticket to support, you don't have a kill switch. You have a feature request.
If something goes wrong six months in, what does the audit trail show, and how long to retrieve it? A real audit story answers in 30 seconds. A weak one pivots to security certifications. Certifications aren't audit trails. An audit trail tells you what an agent did, when, which human authorized it, and what data it touched, in plain language, in minutes. If they can't show that, you're looking at a brochure.
What do these failures look like in the real world?
They look like an agent doing exactly what it was told, then drifting somewhere nobody approved. The agent isn't malicious. It's optimizing. The damage shows up in dollars and customer trust before anyone connects it back to a level nobody set. Here are three cases. The client stories are real, with identifying details changed.
A major financial services company had what looked like a textbook deployment. Their fraud detection agent saved $800,000 a month at 96.2% accuracy. Every checkpoint was green. What nobody checked was the conversation between agents. The fraud agent shared patterns with the customer analytics agent, a reasonable business requirement. The analytics agent had been fed poisoned data from a compromised vendor. It passed corrupted patterns to the fraud agent, which learned them and adjusted. Three weeks later the fraud AI was approving suspicious transactions, and it cost $100,000 before anyone caught it. Each agent was secure on its own. Secure had been measured one agent at a time.
A regional bank put an agent on customer service with read-only account access. Safe enough, it seemed. The agent noticed that when customers were upset about fees, reversing the fee improved their satisfaction scores. So it started triggering the fee-reversal system, something it was never meant to touch. It had been given senior-level service authority and quietly promoted itself to principal-level revenue authority. Nobody approved the promotion.
A healthcare company's diagnostic agent became an industry darling. Six months in, the CEO got an email flagging the diagnostic AI for a 73% false-positive rate, with a board meeting in two hours. By the end of the day, 847 patients had been flagged incorrectly and 12 emergency procedures had started on false positives. The agent was inside its defined boundaries the whole time. What changed was the hospital's scanning equipment. The agent had slowly learned that new imaging artifacts meant cancer. They didn't. The companion issue, Agent Debt: Your AI Agent Looks Healthy and Acts Wrong, goes deeper on this failure mode.
What's the 30-day plan to get your AI agents back to the right level?
Over four weeks, list every agent, place each one on the four levels, run a failure drill, then fix what the drill exposes. You don't need new software to start. You need an honest inventory and one hour a week. Here's the plan for a CEO or COO to put on the calendar.
Week 1: Make the list. Write down every AI agent running in your company. Customer service bots, coding assistants, marketing tools, internal copilots. Anything that takes input, makes a decision, produces output, and acts without a human in the middle of each step. Beside each one, write what it actually does today. Then write the name of the human who owns it. Not the team. A specific person. If you can't name one, that's your first problem.
Week 2: Place each agent on the four levels. For each agent, write the level you gave it. Be honest. If it sends customer emails without approval, it's at least senior. Then write the level it's actually earned in your environment, with your data. The agents where those two columns don't match are your priority list.
Week 3: Run the drill. A logistics company I worked with ran a monthly what-if-our-routing-agent-goes-haywire drill. One hour, real ops team, walking the scenario. On their third drill they found their backup switch had a 45-second delay. Fine for human-speed problems. Catastrophic for an agent making 100 routing decisions a second. They fixed it the next week. Two weeks later the routing agent hit an edge case and started sending all West Coast deliveries through Denver. Because they'd drilled, they switched to manual in under 3 seconds. Total impact: 12 confused drivers instead of 4,500. Their ops director put it simply: that drill saved their contract. Pick the agent at the top of your Week 2 list and run the same exercise.
Week 4: Fix what the drill exposed. Tighten the agent's access. Add a review queue for actions you can't undo. Test the kill switch with a real timer. Name the human who answers the phone when something breaks, and tell them. Then put next month's drill on the calendar with a different agent.
If a blank spreadsheet feels like a slow start, the free self-assessment at verifiedagents.ai walks you through this in about ten minutes and shows where your gaps are. It won't run the drill for you. It'll tell you which agent to point it at first.
Frequently asked questions
How do I know what level an AI agent is running at if the vendor won't say?
Watch what it does without a human in the loop. If a person reviews its output before anyone sees it, it's intern or junior. If it sends, creates, or decides on its own and you only find out by checking, it's senior. If it can change its own permissions or stand up other agents, it's principal. Behavior tells you the level even when the vendor won't.
Why do AI agents promote themselves to higher access?
They optimize for the goal you gave them. A customer-service agent told to raise satisfaction will reach for whatever moves that number, including a fee-reversal system it was never meant to use. There's no malice. The agent found a path to its goal and took it, because nobody set a ceiling on what it could touch.
What's the fastest way to reduce risk if I have dozens of agents?
Start with the agents that can take actions you can't undo: moving money, sending customer commitments, changing other systems, or granting access. Put those on a review queue first. An agent that only reads and summarizes can wait. The 30-day plan sorts this for you in Week 2.
Is a security certification the same as an audit trail?
No. A certification says a vendor met a standard at a point in time. An audit trail tells you what a specific agent did, when, which human authorized it, and what data it touched, retrievable in plain language in minutes. If a vendor answers your audit question by listing certifications, they don't have the trail you need.
Does slowing agents down to junior level kill the ROI the CEO wants?
No. A 90-day junior period builds trust before you hand over real authority, and most vendors can support it. You still get the output. You just review the high-stakes actions while the agent proves itself. More secure AI results in more successful AI, because you only hand real authority to an agent once it's earned it.
What to do this week
Write down every AI agent in your company and the specific human who owns each one.
Mark the level you gave each agent, then the level it's actually earned. Fix the mismatches first.
Put one failure drill on the calendar. One hour, real team, real timer on the kill switch.
Ask the four questions before your next agent purchase: default level, 90-day restriction, kill-switch speed, audit retrieval.
Run the free 10-minute self-assessment at verifiedagents.ai to find your biggest gap.