An enterprise agent is not a chatbot with access. It is a piece of software that reads data it does not own, acts inside permissions designed for humans, executes a process nobody wrote down, and stays correct across a model stack that changes every few weeks. Define it that way and the budget conversation changes, because three of those four properties have nothing to do with the model.
The demo hides all of it. In a demo, the data is hand-picked, the permissions are the presenter's, the process is the happy path, and the model is the one that worked this morning. In production, each of those becomes an engineering layer with its own failure modes, and the agent sits on top of them the way a UI sits on top of a database — visible, and not where the work is. That is the gap between an executive who has used a chatbot and an organization where agents quietly run a claims workflow, a procurement chain, or the back office of a clinical operation.
ML LABS built one of those systems: the cloud ECG backend for HeartSciences, where AI inference runs inside a regulated clinical workflow, results are delivered into hospital systems over HL7, and the whole thing operates across two countries' production environments. Nothing in that build was hard because of the model. It was hard because a study submitted from one clinic has to reach a definite terminal state that a query can name; because an inference retry after a provider timeout must never produce a second billable result, which is what the idempotency key on every request is for; and because cross-organization access is blocked as a system invariant rather than an application convention. That is what the four layers look like when they are real.
The Gap The Demo Hides
Boards approve budgets against the second story and teams live in the first, and the distance between them is measured in integration tickets, permission redesigns, undocumented process discoveries, and eval suites nobody had heard of a year earlier. The work is real, it is unglamorous, and it does not disappear by being assigned to a vendor — it only changes whose problem it is.
The layers below are ordered by how expensive they are to retrofit. Data access is the most expensive, because everything else assumes it. Permissions are next, because an agent with the wrong scope is a liability that scales. The process specification and evals come third, because without them nobody can say whether the agent is working. And the stack itself is last, because it will change regardless of what anyone decides.
Four Hard Layers Underneath
Secure Access Across Legacy Systems
Enterprise data lives in systems designed before agents existed. ERPs, claims platforms, EHRs, manufacturing execution systems, and the spreadsheet layer around them hold the context an agent needs, and almost none expose it through a clean, governed API. Making it reachable means change-data-capture, a semantic layer that reconciles entities across systems, and retrieval that respects row-level and field-level access rules — which is the whole argument of why context, not the model, is the bottleneck.
Research on hidden technical debt in machine learning systems (NeurIPS, 2015) named the dynamic a decade ago: the glue around a model outweighs the model, and the glue rots when the systems underneath it change. Agents inherit that debt and add a failure mode of their own, because an agent uses whatever data it can reach — including the data it should not have reached.
Permissions Designed For Agents
Human access controls assume slow click rates, occasional sessions, and a person who notices when the system says yes to something that should have been no. Agents break all three assumptions. They act thousands of times per minute, hold credentials spanning multiple systems, and chain individually approved actions into an aggregate no human would have approved.
The redesign starts with scopes: the smallest set of capabilities for the workflow the agent executes, revocable independently of the human's. Monitoring follows — per-action logging, replayable transcripts, rate limits keyed to the agent identity — and the AI Risk Management Framework (NIST, 2023) formalizes that layer. Recovery is the part that gets skipped: before an agent is granted write authority, the operator needs the ability to detect, freeze, and reverse what it did, and a system where reversal is impossible is a system where the agent should not be writing. On the ECG platform the equivalent property is structural — every record reaches a definite terminal state, and that state is queryable, so an operator asking "what happened to this one?" gets an answer instead of an investigation.
Process Documentation And Evals
Enterprise processes live in the heads of the people who run them and in exceptions everyone memorized and nobody wrote down. The agent is not the bottleneck. The undocumented process is, and it stays the bottleneck no matter how capable the model gets.
Documenting for an agent is a different act than documenting for a new hire. A human fills gaps from context; an agent needs explicit decision points, named inputs and outputs, and a specification of the handoff between machine and person. Dropping an agent into the old workflow, in the seat the operator used to occupy, mutes the gains — the gains come from rethinking which steps get handled in bulk and which get handled by exception. Research on AI-powered organizations (HBR, 2019) made the case before agents existed: process redesign is the binding constraint, not the technology. Evals close the loop with a held-out set of cases, a scoring function tied to the business metric, and a release gate that blocks on regression — the discipline behind rubric-scored review before you ship, and formalized at the research level by the HELM framework (Liang et al., 2023).
Keeping Pace With The Stack
The base model changes on a cadence nobody controls, and the framework around it changes faster. A personal productivity tool can ride that wave. A business process cannot, so the architecture has to separate what is stable from what is disposable: tool interfaces, data contracts, and eval suites stay; model choice, prompt scaffolding, planner logic, and orchestration are replaceable by design. Guidance on building effective agents (Anthropic, 2024) makes the same argument — simple compositions of well-scoped tools age better than elaborate orchestration — and the corollary is that agent architectures have to shrink as models improve.
The discipline that keeps this honest is separation of duties inside the loop itself. The engineering loop ML LABS runs pairs a builder and a verifier drawn from different model families, so the model that wrote a change is never the model that approves it, and escalation — the task as written is wrong — is a named outcome rather than a failure to be retried. A stack that changes weekly needs a check that does not share the builder's blind spots, which is why AI coding agents need separate verifiers.
Layers Beneath The Agent
graph TD
A["Visible Agent Surface"] --> B["Process Specification And Evals"]
B --> C["Permissions And Monitoring"]
C --> D["Data Access Across Legacy"]
D --> E["Evolving Model And Tool Stack"]
style A fill:#1a1a2e,stroke:#16c79a,color:#fff
style B fill:#1a1a2e,stroke:#ffd700,color:#fff
style C fill:#1a1a2e,stroke:#ffd700,color:#fff
style D fill:#1a1a2e,stroke:#e94560,color:#fff
style E fill:#1a1a2e,stroke:#0f3460,color:#fffReplicating the old workflow with an agent in the operator seat mutes the gains. The gains come from rethinking the handoff.
What To Own, What To Rent
The question is not whether to bring outside help. It is which parts of the stack the organization owns permanently and which it rents until the patterns settle. The process specification and the eval suite encode the business itself, and those should never be rented — an organization that outsources its definition of "correct" has outsourced the only thing that lets it evaluate anyone's work, including a vendor's.
Everything else is negotiable. A survey of LLM-based autonomous agents (Wang et al., 2023) maps how fast the discipline expanded, and the supply of people who have shipped one into a regulated production environment has not expanded with it. The decision rule is whether the workflow is a durable competitive surface: if it is, outside help should be building the capability into the internal team, not around it; if it is generic, a partner with domain depth will outperform a first internal attempt.
When This Is Premature
This investment is premature when the workflow cannot be specified. If the people running the process cannot describe its decision points, inputs, and outputs on a single page, the next step is process work with humans, not an agent — the agent will not invent the missing specification, and asking it to produces a system nobody can evaluate or operate.
The second boundary is measurement. Without an outcome metric for the workflow as it runs today, nobody can say whether the agent helped, hurt, or merely moved the failure modes somewhere less visible. Deploying into an unmeasured workflow is also hard to reverse, because the agent's output quietly becomes the new ground truth and the prior baseline stops existing.
First Steps
- Pick one workflow and document its decision points end to end, including the exceptions people handle from memory. If the document is contested, that disagreement is the finding.
- Audit the systems an agent would read or write, listing current access controls and what would have to change to expose them safely to a non-human caller.
- Define one outcome metric with a held-out set of historical cases scored before any model is wired in. If the metric cannot be computed today, it cannot judge an agent tomorrow.
Build Agent-Ready Workflows First
The order that works is workflow specification, then data access, then eval suite, then agent. The agent drops into a slot already shaped to receive it, with success criteria that were defined before anyone was invested in the answer and access that can be revoked without an outage. Invert the order and the other three layers get retrofitted under pressure, in the most expensive classroom available: production, with the agent already writing.
If the workflow is specified and the blocker is that nobody has the capacity to build the layers underneath it, that is a contained engagement rather than a program: a production AI workflow build takes one workflow to production against targets written into the contract before work starts, and includes its first 30 days of Operate — run by the same engineering that built it, which is the window where the layers below the agent prove themselves or do not. For the engineering discipline of getting there from a pilot, the path from pilot to production is the companion piece; for the architectural primitives underneath agent-native systems, one primitive an agent-native system needs and keeping execution deterministic on the surfaces that matter go deeper, and embedding trust without owning user auth covers the permission boundary when the agent is not yours.
References
- Sculley, D., et al. Hidden Technical Debt in Machine Learning Systems. NeurIPS, 2015.
- National Institute of Standards and Technology. AI Risk Management Framework (AI RMF 1.0). NIST, 2023.
- Fountaine, T., McCarthy, B., Saleh, T. Building the AI-Powered Organization. Harvard Business Review, 2019.
- Anthropic. Building Effective Agents. Anthropic Engineering, 2024.
- Liang, P., et al. Holistic Evaluation of Language Models. arXiv, 2023.
- Wang, L., et al. A Survey on Large Language Model Based Autonomous Agents. arXiv, 2023.
