Agents don’t get write access on day one. They earn it. Every agent moves through three trust phases, with measurable gates between each.
| Phase | What the agent may do |
|---|---|
| `read_only` | Reads CRM data, produces a result, and writes the result to the audit log only. No CRM records are modified. |
| `write_restricted` | May write a per-agent whitelist of safe fields. Everything else still routes to the shadow queue for review. |
| `write_full` | May write every field listed in its `affectedRecords`. Still fully audit-logged. |
## The promotion gates
- `read_only` → `write_restricted` — at least 30 days in the current phase, at least 30 runs since the last phase change, and a success rate strictly greater than 90% over those runs.
- `write_restricted` → `write_full` — another 30 days, another 30 runs, and a success rate strictly greater than 95%.
## Force promotion
A tenant admin can force-promote an agent past the gates. Doing so writes an `agent_trust_phase_force_promotion` event into the audit log with the reason, the user, and the bypassed gates. Use this sparingly — the gates exist because a regression in an agent’s accuracy is hard to spot otherwise.
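To make the ladder concrete, here is an added example that models the three phases from the table, the gate checks, force promotion with the audit event it writes, and the per-(tenant, client) scoping. It is illustrative Python, not the project's own code; the names `AgentTrust`, `Run`, `failed_gates`, `route_write`, `trust_for`, the run and agent data, and the choice to record `read_only` results in an `audit_only` bucket are all assumptions made for the example.

```python
"""Added example: a minimal model of the three-phase agent trust ladder.
Illustrative code, not the project's implementation; names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PHASES = ("read_only", "write_restricted", "write_full")

# Promotion gates: minimum days in phase, minimum runs since the last phase
# change, and the success percentage that must be STRICTLY exceeded.
GATES = {
    "read_only": {"min_days": 30, "min_runs": 30, "min_success_pct": 90},
    "write_restricted": {"min_days": 30, "min_runs": 30, "min_success_pct": 95},
}


@dataclass
class Run:
    at: datetime
    success: bool


@dataclass
class AgentTrust:
    phase: str
    phase_changed_at: datetime
    safe_fields: frozenset = frozenset()  # per-agent whitelist (write_restricted)
    runs: list = field(default_factory=list)


def next_phase(phase):
    i = PHASES.index(phase)
    return PHASES[i + 1] if i + 1 < len(PHASES) else None


def failed_gates(agent, now):
    """Names of the gates the agent does not yet pass; empty list means eligible."""
    if next_phase(agent.phase) is None:
        return ["already_write_full"]
    g = GATES[agent.phase]
    since = [r for r in agent.runs if r.at >= agent.phase_changed_at]
    successes = sum(1 for r in since if r.success)
    failed = []
    if (now - agent.phase_changed_at).days < g["min_days"]:
        failed.append("min_days")
    if len(since) < g["min_runs"]:
        failed.append("min_runs")
    # Integer arithmetic keeps "strictly greater than 90%" exact: 27/30 fails.
    if not successes * 100 > g["min_success_pct"] * max(len(since), 1):
        failed.append("min_success")
    return failed


def promote_if_eligible(agent, now):
    """Gated promotion: returns the new phase, or None when a gate blocks it."""
    if failed_gates(agent, now):
        return None
    agent.phase, agent.phase_changed_at = next_phase(agent.phase), now
    return agent.phase


def force_promote(agent, user, reason, now):
    """Admin bypass: promote regardless of gates and return the audit event."""
    target = next_phase(agent.phase)
    if target is None:
        raise ValueError("agent is already write_full")
    event = {
        "event": "agent_trust_phase_force_promotion",
        "user": user, "reason": reason,
        "from_phase": agent.phase, "to_phase": target,
        "bypassed_gates": failed_gates(agent, now),  # recorded before the change
    }
    agent.phase, agent.phase_changed_at = target, now
    return event


def route_write(agent, affected_records):
    """Split proposed field writes into what is applied directly and what goes to
    the shadow queue. In read_only nothing is applied; the result is only
    audit-logged (the 'audit_only' bucket is this example's assumption)."""
    out = {"direct": {}, "shadow": {}, "audit_only": {}}
    for fld, value in affected_records.items():
        if agent.phase == "write_full":
            out["direct"][fld] = value
        elif agent.phase == "write_restricted" and fld in agent.safe_fields:
            out["direct"][fld] = value
        elif agent.phase == "write_restricted":
            out["shadow"][fld] = value
        else:
            out["audit_only"][fld] = value
    return out


def trust_for(ledger, tenant, client, agent_name, now):
    """Ladder is per (tenant, client): each pair gets its own read_only default."""
    return ledger.setdefault((tenant, client, agent_name), AgentTrust("read_only", now))


START = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed phase-change time
NOW = START + timedelta(days=31)                     # constructed "current" time


def sample_agent(successes, phase="read_only", safe_fields=()):
    """Constructed sample: 30 runs, one per day, the first `successes` succeed."""
    runs = [Run(START + timedelta(days=i + 1), i < successes) for i in range(30)]
    return AgentTrust(phase, START, frozenset(safe_fields), runs)
```

`failed_gates` returns the list of blocking gates rather than a boolean so that the same function feeds both the regular promotion check and the `bypassed_gates` field of the force-promotion audit event.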
The trust ladder is per-(tenant, client). Promoting `email-draft` for one client doesn’t promote it for another, even within the same tenant.