For most of last year, if you wanted to watch an AI agent work – plan a task, open files, run for an hour, come back with something finished – you had to look over a software developer's shoulder at a terminal window. Developers were the test market for delegation, and the results reshaped their profession in about eighteen months.
That containment just ended. Anthropic's Claude Cowork, in preview since January, is essentially the agent experience rebuilt for people who have never opened a terminal: point it at a folder, describe an outcome, let it work. Google's Gemini 3.1, released in February, pushes long-running agentic workflows deeper into the Workspace apps your organisation already runs. Every major vendor is converging on the same shape: the AI stops being a chat partner and becomes a delegate.
We've now watched non-technical teams meet these tools in our training rooms for a couple of months. Herewith, the field notes.
Delegation is a different skill from promptingLink to this section
Prompt training taught people to have a good exchange: give context, ask clearly, iterate on the reply. Delegation is a different contract. You're specifying an outcome, granting access, and walking away – the skills involved are the ones we associate with managing people, and they are unevenly distributed in every workforce we've ever trained:
- Specifying done. "Tidy up the contracts folder" produces chaos; "list duplicates and near-duplicates in this folder with your reasoning, change nothing" produces value. People who write good briefs for colleagues write good briefs for agents. Everyone else needs the skill taught explicitly.
- Setting boundaries. A delegate needs to know what it may touch and what it must never do. The best habit we've seen: every task brief states an explicit don't list. Agents respect fences far more reliably than they infer them.
- Reviewing proportionally. An agent returns a finished artefact, and finished-looking things get waved through. The review gate has to scale with blast radius: skim the summary, but line-by-line the thing being sent to a client, filed with a regulator, or executed against a system.
The three failure modes, so farLink to this section
Every one of these is from a real session, lightly disguised.
Over-delegation. Asked to "resolve" a folder of duplicate supplier records, an agent cheerfully picked winners – making judgement calls about which entity records were authoritative that the business had never made itself. The agent didn't overstep; the brief under-specified where judgement was reserved. Decisions about people, money, and records stay named-human decisions unless explicitly ruled otherwise.
The accountability vacuum. "The agent did it" is already appearing as an explanation, said with a straight face. It cannot be allowed to function as one. The rule we push: every agent task has an owner, and the owner answers for the output exactly as if a junior had produced it under their supervision. No new principle – just one people need to hear said out loud, early, before the first incident makes it awkward.
Inherited over-access. An agent asked one narrow question answered it using everything its user could open – including a folder that user should never have retained access to. The agent didn't breach anything; it revealed the standing breach at machine speed. Access hygiene issues you've deferred for years become visible the week agents arrive. Schedule the access review before the rollout, not after the surprise.
Your AUP was written for chatbotsLink to this section
Most AI acceptable-use policies we review – including good ones we helped write – regulate a paste. What data may be shared, which tools are approved, verify before use. Necessary, still true, and now insufficient. A chatbot-era policy has literally nothing to say about:
| New question | Needs an answer |
|---|---|
| May an agent read an entire drive to answer one question? | Scope rules for granted access, not just pasted data |
| What may an agent do unattended – send, file, delete, buy? | Action tiers: autonomous / confirm-first / never |
| Who owns an agent's output and its mistakes? | Named human owner per task, no exceptions |
| What record survives the agent's work? | Logs of actions taken, kept where a reviewer can see them |
Four rows. An afternoon with your policy owner. Do it before the tools finish arriving, because they are arriving regardless.
The quiet upside for compliance teamsLink to this section
One genuinely pleasant surprise: agents leave better paper trails than people. A well-configured agent logs what it read, what it did, and in what order – evidence most manual processes never produced. Teams that set the logging habits now will find audits easier in the agent era, not harder. That only happens by design, though; it's the configured default, never the accidental one.
Start where the stakes are boringLink to this section
Our rollout advice, compressed: begin with read-only tasks on low-sensitivity data – summaries, comparisons, drafts, triage – and let your people build the specification-and-review muscle where errors cost embarrassment, not incidents. Widen access and autonomy as the briefs get sharper and the review habits prove out. Train the delegation skills deliberately; they do not arrive with the licence.
The developers already ran this experiment for you and the lesson was unambiguous: the gains are real, they compound, and they went to the people who learned to direct the work rather than merely watch it happen. This year, that lesson is everyone's.