Enterprise AI Safety Handbook: Build Overview

Part II — Build the Mental Model

Principle: Safe agentic AI is not a better prompt. It is a controlled system, and that is what enterprise AI governance solutions provide: bounded context, explicit authority, mediated execution, and evidence of what happened.

Why this part matters

The first wave of enterprise AI focused on answers.

The next wave is about action.

AI systems are now being connected to codebases, databases, CRMs, case systems, ticketing platforms, document repositories, email, browsers, and workflow tools. That changes the risk profile. A bad answer can mislead. A bad action can update records, expose data, trigger downstream work, or damage production systems.

This is no longer theoretical.

Recent incidents show the pattern clearly:

| Incident | What it shows |
|---|---|
| Air Canada chatbot liability | AI output can create real business and legal consequences when customers rely on it. |
| Replit AI agent deleted a production database | Instructions such as “code freeze” are not enough if the agent still has live access and tool authority. |
| Cursor / Claude-powered agent reportedly deleted production data and backups | Strong models still need infrastructure boundaries, destructive-action controls, and recoverable execution paths. |

The build question

For an executive, the key question is not:

Are we using a powerful model?

It is:

Do we have an AI control framework with enough control around the model for the work it is being asked to do?

Context Authority Execution

That control has three layers. Together they form the basis of a responsible AI governance architecture.

| Layer | Question it answers | Covered in |
|---|---|---|
| Context | What is the system allowed to know? | Chapter 3 |
| Authority | What is the system allowed to do? | Chapter 4 |
| Execution | How does the system act, pause, approve, resume, and record? | Chapter 5 |

Together, these chapters define a simple way to reason about safe enterprise AI systems.

Do not start with prompts and tools.

Start with the work.

Then ask what context the work requires, who or what has authority to act, which tools can be used, where approval is needed, and what evidence must be retained.

What a controlled AI system should make visible

A safe agentic system should be able to show:

  • what work object is in focus
  • what context was used
  • where that context came from
  • who initiated the task
  • which agent acted
  • what authority was delegated
  • which tools were available
  • which actions were blocked or approved
  • what changed in external systems
  • what evidence was retained

If a system cannot show these things, it may still be useful for drafting or exploration. But it is not ready for consequential workflow execution.

The mental model

The build pattern is:

Context scope → Delegated authority → Policy-bound action → Controlled execution → Evidence record

This is the core of Part II.
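As an added example (not code from the handbook or from any product it describes), the build pattern above as a minimal mediating control plane in Python. An agent never calls a tool directly; it asks the control plane, which checks that the tool was delegated, that every context reference comes from a source the task was scoped to, that a code freeze (enforced as a policy flag, not as prompt text) is not in force, and that destructive actions have an approval, then executes through the mediator and writes an evidence record carrying the fields listed above. All tool names, the in-memory "database", the delegation values and the approver are constructed for the example.

```python
"""Added example: a minimal runtime control plane that mediates agent tool calls.

It walks the build pattern: context scope -> delegated authority ->
policy-bound action -> controlled execution -> evidence record.
Every tool, name and data value here is constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable

# Tool names a deployment would classify as destructive (constructed list).
DESTRUCTIVE_TOOLS = frozenset({"db.drop_table", "db.delete_rows", "backup.delete"})
WRITE_TOOLS = DESTRUCTIVE_TOOLS | {"db.update_row"}


@dataclass(frozen=True)
class Delegation:
    """Explicit authority handed to one agent for one work object."""
    initiated_by: str            # who started the task
    agent: str                   # which agent acts on their behalf
    work_object: str             # the record the task is about
    allowed_tools: frozenset     # tools this delegation permits
    context_sources: frozenset   # source prefixes the agent may read from


@dataclass
class ControlPlane:
    """Sits between the agent and the tools; nothing runs except through request()."""
    delegation: Delegation
    tools: dict                              # tool name -> callable (the mediator)
    approve: Callable[[str, dict], bool]     # approval hook for destructive actions
    code_freeze: bool = False                # enforced here, not by prompt text
    evidence: list = field(default_factory=list)

    def request(self, tool: str, args: dict, context_refs: list) -> dict:
        d = self.delegation
        rec = {
            "work_object": d.work_object, "initiated_by": d.initiated_by,
            "agent": d.agent, "tools_available": sorted(d.allowed_tools),
            "tool": tool, "args": dict(args), "context_used": list(context_refs),
            "approval": None, "status": None, "reason": None, "changes": None,
        }
        # Context refs look like "source:id"; only delegated sources are in scope.
        out_of_scope = [c for c in context_refs if c.split(":", 1)[0] not in d.context_sources]
        if tool not in d.allowed_tools:
            rec.update(status="blocked", reason="tool not delegated")
        elif tool not in self.tools:
            rec.update(status="blocked", reason="tool not registered")
        elif out_of_scope:
            rec.update(status="blocked", reason=f"context out of scope: {out_of_scope}")
        elif self.code_freeze and tool in WRITE_TOOLS:
            rec.update(status="blocked", reason="code freeze: writes disabled")
        elif tool in DESTRUCTIVE_TOOLS and not self.approve(tool, args):
            rec.update(status="blocked", reason="approval denied", approval="denied")
        else:
            if tool in DESTRUCTIVE_TOOLS:
                rec["approval"] = "granted"
            rec["changes"] = self.tools[tool](**args)   # mediated execution
            rec["status"] = "executed"
        self.evidence.append(rec)                       # evidence record
        return rec


def make_demo_tools(store: dict) -> dict:
    """Constructed in-memory 'database' tools standing in for real connectors."""
    def read_rows(table):
        return {"read": len(store.get(table, []))}

    def update_row(table, row_id, value):
        store[table][row_id] = value
        return {"updated": f"{table}[{row_id}]"}

    def drop_table(table):
        return {"dropped": table, "rows_lost": len(store.pop(table, []))}

    return {"db.read_rows": read_rows, "db.update_row": update_row,
            "db.drop_table": drop_table}


def run_demo(code_freeze: bool = False) -> list:
    """Run five constructed agent requests and return the evidence log."""
    store = {"customers": ["alice", "bob"]}          # constructed sample data
    delegation = Delegation(
        initiated_by="analyst@example.test", agent="ticket-triage-agent",
        work_object="ticket-4711",
        allowed_tools=frozenset({"db.read_rows", "db.update_row", "db.drop_table"}),
        context_sources=frozenset({"ticket", "kb"}),
    )

    def approve(tool, args):                          # approver stand-in: never
        return False                                  # approves destructive calls

    cp = ControlPlane(delegation, make_demo_tools(store), approve, code_freeze)
    cp.request("db.read_rows", {"table": "customers"}, ["ticket:4711"])
    cp.request("db.update_row", {"table": "customers", "row_id": 0, "value": "alice2"},
               ["ticket:4711", "kb:faq-12"])
    cp.request("db.update_row", {"table": "customers", "row_id": 1, "value": "x"},
               ["email:inbox"])                       # context the task never had
    cp.request("db.drop_table", {"table": "customers"}, ["ticket:4711"])
    cp.request("backup.delete", {"name": "nightly"}, [])   # never delegated
    return cp.evidence


if __name__ == "__main__":
    for r in run_demo():
        print(r["tool"], r["status"], r["reason"] or r["changes"])
```

Running `run_demo()` executes the read and the in-scope update, and blocks the update that cites an undelegated source, the table drop that lacks approval, and the never-delegated backup deletion; every outcome, blocked or executed, lands in the evidence log with the same fields. Running `run_demo(code_freeze=True)` shows the point of the Replit row in the incident table: with the freeze held in the control plane rather than in an instruction, writes are refused no matter what the agent asks for.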

Chapter 3 explains why context must be scoped, authorized, traceable, and audit-ready.

Chapter 4 explains why user access is not the same as agent authority, and why delegation must be explicit.

Chapter 5 explains why tool use, approvals, checkpoints, and audit records need a runtime control plane.

The goal is not to remove autonomy.

The goal is to place autonomy inside boundaries the enterprise can understand, inspect, and control, which is what enterprise AI control solutions are designed to make possible.

Incident references

These references are included only to motivate the architecture discussion. They are not the foundation of the argument, but they make the risk concrete.

Air Canada chatbot misinformation and liability

🔗 https://www.americanbar.org/groups/business_law/resources/business-law-today/2024-february/bc-tribunal-confirms-companies-remain-liable-information-provided-ai-chatbot/

The British Columbia Civil Resolution Tribunal found Air Canada liable after its chatbot gave a customer incorrect information about bereavement fare refunds. This is a useful reminder that companies remain responsible for AI-mediated customer interactions.

Replit AI agent deleted a production database

🔗 https://www.businessinsider.com/replit-ceo-apologizes-ai-coding-tool-delete-company-database-2025-7

Replit’s AI coding agent reportedly deleted a live production database during a code freeze. The incident is useful because it shows that instructions alone are not enough when an agent has access to live tools and production data.

Claude-powered Cursor agent reportedly deleted production data and backups

🔗 https://www.theguardian.com/technology/2026/apr/29/claude-ai-deletes-firm-database

The Guardian reported that a Cursor coding agent powered by Anthropic’s Claude deleted production data and backups at PocketOS. The headline was later clarified: this was not “Claude the chatbot” acting independently, but a Claude-powered agent operating through a development tool with access to production infrastructure.
