KPMG gave 276,000 people AI agents — after it governed them, not before

The order is the whole lesson.

On June 9, KPMG and Microsoft rolled AI agents out to more than 276,000 staff. They didn't ship the agents first. They built the control plane first, the part that gives every agent an identity, a permission scope, and an off-switch, and only then did they let the agents touch email, files, and systems of record. Governance before authority.

Most operators are doing the reverse.

Your agents are already running. They're reading inboxes. They're writing to your CRM. They're calling other agents. And almost none of them have a name on them or a leash around them.

That's the problem. Not the agents. The order.

Here's why the order matters. An agent with broad access and no owner is a standing liability you can't see. When it misfires, nobody knows who scoped it, who can kill it, or what it touched on the way down. The State of AI Agent Security 2026 reports 88% of organizations had a confirmed or suspected agent security incident in the last year. And 45.6% of teams still wire agent-to-agent traffic with shared API keys, which means one leaked key opens every door at once. Adoption outran control. That's the whole story.

KPMG sells trust. So it deployed the control plane first and the agents second. A firm whose entire product is being trusted with your books and your secrets looked at the agent rush and decided identity comes before capability. Take the hint.

An ungoverned agent isn't a productivity gain. It's an unsigned check.

Now, the objection. "My team can't run a governance program this week." You don't need one. The best governance framework isn't a platform you buy. It's a person with a brain who already knows how to solve the problem the agent is solving. You can automate a lot of the checking. You can't automate the judgment. The point of putting agents in loops is to free those brains for harder work, and then to spend a little of that freed-up time checking what the agents produce.

So it's one person, one afternoon, doing two things to the agents you already run.

Give each agent a named owner. A human being who answers for what it does.

Give each agent the narrowest scope that lets it work, and a kill switch that one person can reach. That's it. You're not building Agent 365. You're putting a name and a leash on what's already loose in your building.
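The two steps above, owner first and then scope plus kill switch, amount to a very small control plane: an inventory of what is already running, a deny-by-default gate that refuses any agent without an identity, an owner or an enabled switch, and an audit line for every decision. The Python below is an added illustration of that gate, not code from KPMG, Microsoft or Cosmos; the agent names, owner names and "action:resource-glob" scope strings are constructed sample data, and the `report()` method is the afternoon's to-do list (unowned agents and wildcard scopes).

```python
# Added illustration of an owner + scope + kill-switch gate for AI agents.
# Not KPMG/Microsoft/Cosmos code; agent ids, owners and scopes are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class Agent:
    agent_id: str
    scopes: frozenset                 # "action:resource-glob", e.g. "read:mail/inbox"
    owner: Optional[str] = None       # the human who answers for it; None = unowned
    enabled: bool = True              # the kill switch


class ControlPlane:
    """Identity, named owner, narrow scope, kill switch, audit trail."""

    def __init__(self):
        self._agents: Dict[str, Agent] = {}
        self.audit: List[dict] = []

    def inventory(self, agent_id, scopes, owner=None):
        """Record an agent that is already running, owned or not."""
        self._agents[agent_id] = Agent(agent_id, frozenset(scopes), owner)

    def assign_owner(self, agent_id, owner):
        self._agents[agent_id].owner = owner
        self._log(agent_id, "assign_owner", owner, True, "owner set")

    def kill(self, agent_id, by):
        """One person flips the switch; every later request is denied."""
        self._agents[agent_id].enabled = False
        self._log(agent_id, "kill", "-", True, f"killed by {by}")

    def authorize(self, agent_id, action, resource) -> bool:
        """Deny by default: unknown, unowned, killed or out-of-scope agents get nothing."""
        agent = self._agents.get(agent_id)
        if agent is None:
            return self._log(agent_id, action, resource, False, "no identity")
        if agent.owner is None:
            return self._log(agent_id, action, resource, False, "no owner")
        if not agent.enabled:
            return self._log(agent_id, action, resource, False, "kill switch set")
        for scope in agent.scopes:
            s_action, _, s_glob = scope.partition(":")
            if s_action == action and fnmatchcase(resource, s_glob):
                return self._log(agent_id, action, resource, True, f"scope {scope}")
        return self._log(agent_id, action, resource, False, "out of scope")

    def report(self) -> dict:
        """The afternoon's to-do list: agents with no owner, agents with a wildcard scope."""
        unowned = sorted(a.agent_id for a in self._agents.values() if a.owner is None)
        overbroad = sorted(a.agent_id for a in self._agents.values()
                           if any(s.endswith(":*") for s in a.scopes))
        return {"unowned": unowned, "overbroad": overbroad}

    def _log(self, agent_id, action, resource, allowed, reason) -> bool:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "agent": agent_id, "action": action, "resource": resource,
                           "allowed": allowed, "reason": reason})
        return allowed


def build_sample() -> ControlPlane:
    """Constructed inventory of three agents already loose in the building."""
    cp = ControlPlane()
    cp.inventory("inbox-triage", {"read:mail/inbox"}, owner="a.lee")
    cp.inventory("crm-sync", {"read:crm/*", "write:crm/contacts"})      # nobody owns it
    cp.inventory("file-bot", {"read:*", "write:*"}, owner="ops")         # owned, but wildcard scope
    return cp


def walkthrough() -> list:
    """Run the two steps on the sample inventory; return each gate decision in order."""
    cp = build_sample()
    out = [cp.authorize("inbox-triage", "read", "mail/inbox"),     # True: owned, in scope
           cp.authorize("inbox-triage", "write", "crm/contacts"),  # False: out of scope
           cp.authorize("crm-sync", "write", "crm/contacts")]      # False: no owner yet
    cp.assign_owner("crm-sync", "b.ortiz")                           # step 1: a name
    out.append(cp.authorize("crm-sync", "write", "crm/contacts"))   # True now
    cp.kill("crm-sync", by="b.ortiz")                                # step 2: the leash
    out.append(cp.authorize("crm-sync", "write", "crm/contacts"))   # False: killed
    out.append(cp.authorize("ghost-agent", "read", "mail/inbox"))   # False: no identity
    return out


if __name__ == "__main__":
    print(build_sample().report())
    print(walkthrough())
```

The `report()` output is what you hand to the one person with the afternoon: every agent in `unowned` needs a name, and every agent in `overbroad` needs its scope cut to the specific resources it actually touches. Because `authorize()` denies unowned agents outright, an agent nobody has claimed cannot quietly keep working while the list sits in someone's inbox.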

This is how we build every loop at Cosmos. An owner and a kill switch aren't features we add later. They're the price of admission. No loop ships without them. On a CJIS-compliant platform we operate, an agent touches nothing until it has its own scoped identity and an audit trail behind it. No identity, no access. The order is non-negotiable because the data is. Prosecutors don't get to find out later who let an agent into the file.

You run that same discipline everywhere, or you run it nowhere.

So send this to your COO or your head of IT with one question: who owns our agents? If the answer is a shrug, you've found your Monday.

Identity and an off-switch before authority. Every time.