Your AI SDR is only as safe as its permissions. Ship autonomy with the wrong guardrails and you get a CRM full of junk, angry prospects, and a RevOps team doing incident response instead of revenue.
TL;DR
- Build an AI agent permissions matrix like you build IAM for humans: roles, objects, actions, approvals, logs, limits.
- Split agents by job: Prospecting, Enrichment, Outreach, Routing, Admin. No mega-agent with god mode.
- Use risk tiers for approvals: read-only, write-to-CRM, send email, book meeting, create opp.
- Require forensic logging: action reason, source signal, confidence score, before/after diff.
- Add rate limits: daily caps, per-domain caps, per-account caps, per-workspace caps.
- Run a real incident playbook: pause, rollback, notify, patch prompt and rules, redeploy.
What an AI agent permissions matrix is (and why RevOps needs one)
An AI agent permissions matrix is a table that defines:
- Which agent roles exist
- What each agent can do
- On which CRM objects
- Under what approval rules
- With what required logging
- Within what time and volume limits
This is not paperwork. This is enforcement.
You already know the idea from security frameworks: least privilege, monitoring, incident handling. NIST’s AI Risk Management Framework pushes governance and ongoing monitoring as core, not optional. That maps cleanly to RevOps reality: automated systems need defined controls and auditability. (NIST AI RMF, AI RMF 1.0 PDF)
On the security side, OWASP’s Top 10 for LLM apps calls out classic failures: excessive agency, tool misuse, and insufficient logging and monitoring. Translation: your agent will eventually do something dumb at scale unless you design for containment. (OWASP Top 10 for LLM Applications v2025 PDF, OWASP project page)
You do not need a committee. You need a matrix.
Step 0: Decide the “unit of autonomy”
Before you draft a single cell in the matrix, pick the unit you govern. Use this:
- Agent role (Prospecting, Enrichment, Outreach, Routing, Admin)
- Environment (Prod, Sandbox, Client A, Client B)
- Data boundary (which records, which domains, which segments)
- Tool boundary (CRM write access, email send, calendar booking, enrichment vendors)
If you run an agency, the unit is usually Client workspace plus Client domain. If you run an SMB, it is usually Pipeline segment (Outbound SDR vs Inbound vs Partners).
Microsoft’s Copilot Studio governance guidance leans heavily on environment controls, DLP, auditing, and connector governance. That’s the right mental model even if you are not using Microsoft. (Copilot Studio security and governance, Governance and security guide PDF)
Step 1: Define the 5 agent roles (no “one agent to rule them all”)
1) Prospecting Agent
Outcome: net-new lead list that matches ICP.
- Pulls from sources.
- Filters by ICP rules.
- Creates candidate records in a staging table.
Hard rule: Prospecting does not email. It does not touch opportunities.
If you want the clean version of this in Chronic, start with ICP Builder and keep prospecting scoped to ICP rules only.
2) Enrichment Agent
Outcome: records become usable.
- Finds missing fields.
- Validates emails.
- Adds firmographics and technographics.
- Flags risky data (role-based emails, generic inboxes, student addresses).
In Chronic terms: this is Lead Enrichment with strict write rules.
3) Outreach Agent
Outcome: replies and booked meetings.
- Writes emails.
- Runs sequences.
- Stops when the human says stop, or the rules say stop.
In Chronic terms: this is AI Email Writer plus sequencing. Keep it boxed in.
4) Routing Agent
Outcome: the right human gets the right lead fast.
- Assigns owners.
- Creates tasks.
- Updates lifecycle stage.
- Applies SLAs.
This is where RevOps wins or bleeds. Routing errors silently kill pipeline.
5) Admin Agent
Outcome: operations work gets done without breaking the business.
- Manages fields, lists, sequences, and workflow settings.
- Executes bulk fixes with approvals.
- Handles rollback tasks.
This role is dangerous. Treat it like production access.
Salesforce’s admin community has been blunt about governance for agentic workflows: approvals and guardrails still matter. The tool may be new, the control plane is not. (Salesforce Admins: govern the agentic enterprise)
Step 2: Map objects and actions (the part people skip, then regret)
Your matrix lives at the intersection of:
- Objects: Lead, Contact, Account, Opportunity, Task, Email
- Actions: read, create, update, delete, merge, email send, meeting book
Here’s the rule: actions that change reality need tighter controls than actions that change data.
Reality-changing actions:
- Sending email
- Booking meetings
- Creating opportunities
- Changing owner / routing
- Updating lifecycle stage (because it triggers automations)
Data-changing actions:
- Enrichment updates
- Field normalization
- Dedupe merges
Step 3: Create risk tiers and approval requirements
Use four risk tiers. Keep it boring. Boring scales.
Risk Tier 0: Read-only
No approval.
- Query CRM
- Pull intent signals
- Pull enrichment hints
Risk Tier 1: Write to CRM (non-critical fields)
Auto-approve inside guardrails.
- Update enrichment fields (industry, employee count, LinkedIn URL)
- Add notes
- Create tasks with standard templates
Risk Tier 2: External action (email + calendar)
Pre-send approval or policy-based approval.
- Send email
- Enroll in sequence
- Book meeting
Approval patterns that work:
- Policy-based auto-approve if confidence score is high and the prospect matches ICP and the domain is under cap.
- Human approval if any risk flag triggers (new domain, regulated industry, exec persona, low confidence, missing unsubscribe compliance).
OWASP explicitly recommends limiting tools and requiring approvals for higher-risk tool usage. It is not a “security team thing.” It is basic survival. (OWASP Top 10 for LLM Applications v2025 PDF)
Risk Tier 3: Revenue-impacting changes
Always human approval.
- Create opportunity
- Change opportunity stage
- Change forecast category
- Change account ownership
- Bulk updates to core fields (domain, company name, lifecycle stage)
If your agent can create opps without a human, it will. Then your pipeline turns into performance art.
Step 4: Required logging fields (if you cannot audit it, you cannot automate it)
Every agent action must write an audit log record. Not “some logs in a tool.” A record you can query.
Minimum fields:
- Action reason
Why the agent did it. One sentence. - Source signal
What triggered it (intent event, inbound form, list import, CRM change, website visit). - Confidence score (0-1)
A real number. Not “high/medium/low.” - Before/after diff
Field-level diff, not just “updated Lead.” - Actor + toolchain
Agent role, model version, prompt version, tool name, connector name. - Approval trace
Approved by, timestamp, policy ID, exception reason.
OWASP calls out insufficient logging and monitoring as a top failure mode for LLM systems. If your logs cannot reconstruct the event, you do not have governance. You have vibes. (OWASP project page)
Step 5: Add time-based and volume-based limits (because failure scales)
Agents fail fast. Great. They also fail at 10,000x speed. Not great.
Implement caps at four layers:
1) Daily caps (per agent role)
Examples:
- Outreach: max 200 sends/day
- Enrichment: max 2,000 field updates/day
- Routing: max 500 assignments/day
- Admin: max 50 updates/day, max 5 bulk jobs/day
2) Per-domain caps (email safety)
Examples:
- New domain: max 10/day until warmed and verified
- Any domain: max 50/day unless you run multi-inbox infrastructure correctly
3) Per-account caps (account-based sanity)
Examples:
- Max 5 contacts per account/day
- Max 1 meeting booked per account/week unless flagged “active buying”
4) Time windows (blast radius control)
Examples:
- Outreach sends only 9am-4pm prospect local time
- Admin changes only during RevOps on-call hours
- Routing only on business days, or route to on-call queue after hours
These caps create a kill zone. When things go wrong, they go wrong slowly enough to stop.
Step 6: Build the incident playbook (you will use it)
If you ship autonomy, you ship incidents. Plan it. Do not pretend.
Incident triggers (choose your tripwires)
- Bounce rate spikes above threshold
- Spam complaints exceed threshold
- Unusual write volume to CRM objects
- Sudden drop in reply quality
- Opps created without matching meeting
- Agent touches excluded segments (customers, partners, competitors)
The playbook (copy this into your SOP)
- Pause the agent
- Flip a kill switch.
- Disable send connectors.
- Lock CRM write permissions to read-only.
- Contain
- Stop sequences.
- Quarantine affected records to a “Needs Review” status.
- Rollback
- Use before/after diff logs to revert field updates.
- Remove incorrect task creation.
- Un-enroll sequences where needed.
- Notify
- RevOps owner
- Sales leader
- Security or IT (if data exposure possible)
- Agency client owner (if multi-tenant)
- Root cause
- Bad prompt?
- Bad tool permission?
- Bad segmentation?
- Bad signal source?
- Vendor outage returning garbage enrichment?
- Patch
- Update rules first.
- Update prompt second.
- Update model last.
- Add a regression test
- A fixed dataset of cases the agent must pass before re-enabling.
- Restart in safe mode
- Lower caps.
- Force approvals for Tier 2 and Tier 3 for 48 hours.
- Post-incident review
- What changed in the matrix?
- What alert would have caught it earlier?
This is straight out of modern governance thinking: define guardrails early, monitor, audit, and enforce. (NIST AI RMF)
Copy-paste template: AI agent permissions matrix (RevOps-ready)
Paste this into Google Sheets or Notion. Then fill it this week.
| Agent role | Object | Action | Risk tier | Allowed? (Y/N) | Approval rule | Required logging | Limits | Exceptions |
|---|---|---|---|---|---|---|---|---|
| Prospecting | Lead | Create (staging) | 1 | Y | Auto if ICP match >= 0.8 | reason, signal, confidence, diff | 500/day | New segments require RevOps |
| Prospecting | Lead | Create (prod) | 2 | N | Human only | full audit | 0 | Only via routing agent |
| Enrichment | Lead | Update (firmographics) | 1 | Y | Auto if source in allowlist | full audit | 2,000 fields/day | Regulated accounts: human |
| Enrichment | Contact | Update (email/phone) | 2 | Y | Auto if confidence >= 0.9 else human | full audit + source vendor | 300/day | Exec personas: human |
| Outreach | Send | 2 | Y | Auto if policy pass, else approval queue | full audit + message hash | 200/day + 50/domain/day | New domain: 10/day | |
| Outreach | Task | Create follow-up | 1 | Y | Auto | reason + diff | 500/day | None |
| Routing | Lead | Update owner | 2 | Y | Auto if SLA rules match | full audit | 500/day | Named accounts locked |
| Routing | Opportunity | Create | 3 | N | Human only | full audit | 0 | Only Admin after approval |
| Admin | Account | Merge | 3 | Y | Human + 2-person approval | full audit + backup snapshot | 10/day | Agency: client sign-off |
| Admin | Opportunity | Update stage | 3 | Y | Human only | full audit | 50/day | None |
Required logging (copy-paste list)
- action_reason
- source_signal
- source_signal_url_or_event_id
- confidence_score
- policy_id
- approval_id
- before_json
- after_json
- diff_summary
- agent_role
- agent_version
- model_version
- prompt_version
- tool_name
- connector_name
- timestamp_utc
Minimum viable governance (MVG) for SMBs
You want something you can implement this week. Here it is.
SMB MVG setup (1-2 RevOps people, small SDR team)
Agents enabled
- Prospecting: Yes, staging only
- Enrichment: Yes, restricted fields only
- Outreach: Yes, with Tier 2 controls
- Routing: Yes, strict rules
- Admin: No, or human-only “runbook mode”
Approvals
- Tier 0: none
- Tier 1: auto-approve
- Tier 2: auto-approve only for “Known good” segments, otherwise approval queue
- Tier 3: always human
Logs
- Required logging fields from template, no exceptions
Limits
- Outreach: 50-150/day total until deliverability stabilizes
- Per-domain: 10/day for new domains, 30/day otherwise
- CRM writes: cap by object (prevents mass corruption)
Where Chronic fits
- Use AI Lead Scoring to drive routing and outreach eligibility.
- Keep all activity connected to the Sales Pipeline so logs and handoffs do not vanish into five tools.
If you want the scoring model spelled out, use this as the baseline: fit + intent dual score. It reduces the need for manual approvals because the policy becomes measurable. (Intent + Fit Scoring model)
Minimum viable governance for agencies (multi-client, multi-domain, higher blast radius)
Agencies fail differently. One mistake becomes ten angry clients.
Agency MVG setup (the non-negotiables)
1) Hard tenant isolation
- One workspace per client.
- No shared connector secrets.
- No shared suppression lists.
Microsoft’s governance docs emphasize environment boundaries and DLP policies. Agencies should treat “client” as an environment boundary. (Copilot Studio governance guide PDF)
2) Separate caps per client
- Daily send caps per client
- Per-domain caps per client
- Per-sequence caps per client
3) Mandatory human approval for Tier 2 on new clients First 7-14 days:
- Human approves email sends until you trust the data and ICP.
- Then switch to policy-based auto-approve.
4) Client-visible audit trail Clients ask “why did this lead get emailed?” Your answer cannot be “the agent decided.”
Expose:
- reason
- signal
- confidence
- copy variant ID
- approval trace
5) Kill switch per client Not “pause the system.” Pause Client B only.
How to implement this in 7 days (actual steps)
Day 1: Inventory tools and actions
- List every connector the agent can touch: CRM, email, calendar, enrichment vendors, spreadsheets.
- For each connector, list actions: read, write, send, book, delete.
Deliverable: one page “agent blast radius.”
Day 2: Define roles and split the mega-agent
- Create the 5 roles.
- Move tools to roles.
- Remove “Admin” powers from anything that emails.
Deliverable: role definitions plus tool mapping.
Day 3: Draft the permissions matrix (first pass)
- Fill the table for Lead, Contact, Account, Opp, Task, Email.
- Set risk tier for each action.
Deliverable: version 0.1 matrix.
Day 4: Add approvals and limits
- Pick approval rules.
- Pick caps.
- Add time windows.
Deliverable: matrix 0.2 with enforcement rules.
Day 5: Implement logging
- Create an audit object/table.
- Enforce required fields.
- Store before/after diffs.
Deliverable: queryable audit log.
Day 6: Run a controlled pilot
- One segment.
- One inbox.
- One domain.
- Tight caps.
- Tier 2 approvals on.
Deliverable: real output and real failure modes.
Day 7: Ship MVG and schedule a weekly review
- Expand segments gradually.
- Keep review cadence.
- Update the matrix like code.
Deliverable: governance in production.
If you are operating inside “agentic CRM” trends, read this with your RevOps hat on: platforms will keep pushing autonomy. Your job is to own the work and the risk. (Chronic: CRMs becoming agent platforms, Salesforce Summer ’26 workflows)
The AI agent permissions matrix checks that catch 80% of chaos
Run these weekly:
-
Top changed fields
- Which fields get updated most by agents?
- Are those fields “safe” Tier 1 fields?
-
Approval bypass attempts
- Any Tier 2 action without approval trace = incident.
-
Domain concentration
- Any single domain getting hammered?
-
Opp integrity
- Opps created without meetings booked.
- Opp stage changes without human owner action.
-
Routing drift
- Leads assigned outside territory rules.
-
Confidence vs outcomes
- High confidence emails with low replies means your confidence scoring is lying.
FAQ
What’s the difference between an AI agent permissions matrix and normal CRM permissions?
CRM permissions govern humans. The AI agent permissions matrix governs autonomous actions across tools, with risk tiers, approvals, logging, and rate limits. CRM roles alone do not stop an agent from emailing 200 people because the CRM role has no idea what “safe send volume” means.
Which actions should always require human approval?
Tier 3 actions. Always:
- Create opportunity
- Change opportunity stage or forecast category
- Merge Accounts
- Bulk updates to core identity fields (domain, company name)
- Owner changes for named accounts
What logging is non-negotiable for RevOps?
Four fields make rollback possible:
- action reason
- source signal
- confidence score
- before/after diff
Without those, you cannot explain, fix, or prove what happened. OWASP flags insufficient logging and monitoring as a common failure mode in LLM apps. (OWASP Top 10 for LLM Applications v2025 PDF)
How do we set caps without killing pipeline?
Start low. Increase weekly. Tie caps to outcomes:
- If bounce rate rises, drop send cap.
- If replies rise and complaints stay flat, increase cap. Caps are not punishment. Caps are blast-radius control.
We manage multiple clients. What’s the fastest way to avoid cross-client mistakes?
Hard isolation:
- Separate workspaces/environments per client
- Separate connector secrets per client
- Separate suppression lists per client
- Kill switch per client
Microsoft’s governance approach for Copilot Studio highlights environment controls and DLP as core building blocks. Apply the same pattern to agencies. (Copilot Studio security and governance)
How does this tie into scoring and routing?
Scoring becomes your policy engine.
- Fit score gates enrichment depth.
- Intent score gates outreach eligibility.
- Combined score gates auto-approval for Tier 2 actions.
If you need a concrete scoring model, use a dual score. (Chronic dual-score model, AI Lead Scoring)
Ship the matrix, then ship autonomy
Print the matrix. Treat it like code. Review it weekly. Every new connector, every new workflow, every new client gets a matrix update first.
Autonomous sales is real. So is autonomous damage. The AI agent permissions matrix is how RevOps keeps the first one and avoids the second.