Permissions · May 21, 2026

The New Governance Question: Which Agent Can Do What?

Identity, permissions, tools, and approvals matter as much for agents as they do for people.

Agent governance is access governance

Health systems already understand role-based access for humans. Agents require the same seriousness. Which data can this agent see? Which tools can it call? Which actions can it propose? Which actions can it perform? Who is accountable when it does?

Not every agent is equal

A scheduling intake agent, a service desk agent, a revenue-cycle agent, and a clinical-apps build assistant should not share the same privileges. Each needs a defined purpose, scope, data boundary, approval model, and audit trail.

Permissions should match maturity

Early agents should prepare and recommend. Mature agents may perform narrow supervised actions. Patient-impacting, financially material, security-sensitive, or externally visible actions should require explicit gates until the organization has evidence that a narrower model is safe.

The practical artifact

Every pilot should have an agent card: purpose, data sources, tools, prohibited actions, approval triggers, reviewers, logging, owner, success metrics, and retirement criteria. If you cannot write the card, you are not ready to scale the agent.
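One way to make the card enforceable, as an added example that is not JimsBots code: the card fields listed above become a record, and every requested tool call is checked against it before it runs. The field types, the `may_perform` set, the impact tags, the decision strings, and the sample scheduling card are assumptions made for illustration.

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class AgentCard:
    # Fields follow the card described above; names and types are assumptions.
    purpose: str
    data_sources: frozenset
    tools: frozenset
    prohibited_actions: frozenset
    approval_triggers: frozenset  # impact tags that force a human gate
    reviewers: tuple
    logging: str
    owner: str
    success_metrics: tuple
    retirement_criteria: str
    may_perform: frozenset = frozenset()  # assumption: actions a mature agent may execute itself

def missing_fields(card):
    """Required card fields left empty; any gap means the agent is not ready."""
    return [f.name for f in fields(card)
            if f.name != "may_perform" and not getattr(card, f.name)]

def decide(card, tool, action, data_source, impact_tags=()):
    """Return 'deny', 'needs_approval', 'recommend_only' or 'allow' plus a reason."""
    gaps = missing_fields(card)
    if gaps:
        return "deny", "incomplete card: " + ", ".join(gaps)
    if action in card.prohibited_actions:
        return "deny", "prohibited action"
    if tool not in card.tools or data_source not in card.data_sources:
        return "deny", "tool or data source not on card"
    hit = sorted(card.approval_triggers & set(impact_tags))
    if hit:
        return "needs_approval", "gate: " + ", ".join(hit)
    if action not in card.may_perform:
        return "recommend_only", "agent proposes, a human performs"
    return "allow", "narrow supervised action listed on card"

# Constructed sample card for a scheduling intake agent; every value is illustrative.
SCHEDULING = AgentCard(
    purpose="Prepare appointment requests for scheduler review",
    data_sources=frozenset({"scheduling_db"}), tools=frozenset({"calendar_lookup", "draft_message"}),
    prohibited_actions=frozenset({"cancel_appointment"}),
    approval_triggers=frozenset({"patient_impacting", "externally_visible"}),
    reviewers=("scheduling_lead",), logging="audit_log", owner="informatics",
    success_metrics=("time_to_schedule",), retirement_criteria="pilot review",
    may_perform=frozenset({"lookup_slots"}),
)
```

The default is deny or recommend-only: an action runs unattended only when it is explicitly listed in `may_perform` and trips no approval trigger.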

JimsBots view: healthcare AI should start with prepared work, explicit approval gates, and informatics-led governance before anyone pretends autonomous clinical action is ready for scale.