Eight non-negotiables. Everything else follows from these.
- Start with workflows, not tools. The question is "which workflow is repetitive, high-volume, data-rich, and a good fit for probabilistic reasoning?" — not "where can we use AI?"
- Treat AI agents as actors with identity, scope, and accountability. Every agent has an owner, a defined identity, a documented scope of access, a KPI, and an escalation path. Same shape as a human privileged account.
- Human-in-the-loop is the default. Autonomy is earned. Agents move from Assistive → Human-Validation → Autonomous Operations only after measured reliability.
- Risk drives rigor. A meeting-summary agent and a refund-approving agent do not get the same approval path or the same monitoring.
- Governance is enforced at runtime, not just at design time. Policy that lives only in PDFs and design reviews does not constrain a running agent. Identity, permissions, approval gates, and data rules must execute at the orchestration layer.
- Every agent action is reconstructable. Inputs, outputs, tool calls, model + prompt version, policy checks, approvals, who reviewed it — captured for every execution, day one.
- Vendor-embedded AI is part of the AI footprint. AI features inside SaaS tools the company already uses are inventoried, risk-classified, and governed the same as internally built agents.
- Governance and delivery run in parallel. Ship the first agents and stand up the governance scaffolding at the same time. Six months of pure governance with nothing shipped loses executive support.