Article
When Your AI Agent Joins the Team
From learning to access control
In my previous article, I described building an AI agent that learns between sessions. An agent with structured memory and a self-correction loop. A system for accumulating experience across runs.
The moment other people needed access to it, the problem changed completely. It was no longer about whether the agent could learn. It was about who gets to teach it.
What happens when your team gets access to an AI agent
Most articles about AI agents focus on what the agent can do. Very few talk about what happens when someone other than the builder starts using it.
I built a Slack bot. The idea was simple: give the team a way to interact with the agent directly — ask questions, request analyses, get reports. No terminal. No code. Just Slack.
It worked immediately. And that is when the real problem appeared.
Free chat with an AI agent is a powerful interface. It is also a risk. If anyone on the team can write anything to the agent, anyone can accidentally overwrite its memory or change its behaviour. They can trigger actions that were not intended. The agent does not judge authority. It processes input.
The question was not whether the team should have access. The question was: what kind of access?
Role-based access control for AI agents
I ended up with a role system. Three levels: admin, analyst, viewer.
The viewer can read reports and see what the agent produces. Nothing more. No commands, no chat, no influence on behaviour.
The analyst can do more. They can ask questions. They can run predefined commands. And — this is the important part — they can write to the agent's memory. But only through an explicit command, not through free conversation. If an analyst types a memory instruction in the right format, the agent saves it. If they try to write it as a casual message, the system ignores it.
The admin has unrestricted access. Free chat, direct commands, memory writes, configuration changes.
This sounds like a standard permission model. But the distinction that matters is not who can read or write. It is who can teach. Because every memory entry changes what the agent knows. And what the agent knows shapes every future output.
Why AI agent memory becomes a shared knowledge base
This is something I did not fully appreciate until I saw it in practice.
In the previous article, I described the structured memory layer — a file the agent reads before each run, containing lessons from past sessions. What I did not say is what happens when that memory becomes shared.
The moment multiple people contribute to the agent's memory, it stops being a personal tool. It becomes a shared knowledge base. Every entry affects every future session — not just for the person who wrote it, but for everyone who interacts with the agent.
Uncontrolled access to that memory is a real risk. Not because people have bad intentions. But because the agent does not distinguish between a well-considered methodological insight and a casual remark someone typed without thinking. It treats both as equal truths.
Command-only memory access for analysts was the compromise. You can contribute. But you do it deliberately, in a structured format, and it is logged.
What happens when the agent gets the methodology wrong
This one caught me off guard.
Join the Library
Full access to my thoughts, personal stories, findings, and what I learn from the people I meet.
Join the Library — €29.99 per yearGet the full article by email and feel free to reply if you want to discuss it further.
Summary
Common questions on this article's topic
What is role-based access control for AI agents?
Why is AI agent memory a risk when shared across a team?
Can AI agents get trapped in logical errors?
What is the difference between an AI agent correcting itself and actually learning?
How do you deploy an AI agent for a team safely?
What is the biggest challenge when scaling AI agents from solo use to team use?
If you have any thoughts, questions, or feedback, feel free to drop me a message at mail@richardgolian.com.
Related articles
In April, in the first part of this series, I wrote about an AI prediction system I had started building on my own machine. At the time the software was a few hours old and the prediction record was empty. The record since then has shown one thing — the system does not yet understand the market it is being asked to forecast. It can pull macro context, book value, earnings. But it cannot put those together into something that helps it understand the price.
I am building an AI system to predict the S&P 500. It runs on my own machine, uses free public data — yfinance, FRED, the Shiller dataset — and grades every forecast against reality. This series documents the build itself: the decisions, the methodology, the mistakes. What I will eventually share from the running system is a separate question, and an honest one.
Yesterday I could not tear myself away from the computer. When I lifted my head, it was half past eight in the evening. I had been sitting alone upstairs for about three hours.
More articles
Europe does not have the capacity to face a full-scale, mass drone war of the kind we see in Ukraine. Three dependencies weaken it: China supplies the physical material for defence systems, the United States supplies capabilities Europe does not have, and twenty-seven states cannot agree how fast, or who pays. Rearmament plans exist, but they are being carried out slowly.
AI produces the graphic, the newsletter and the product page faster than a person. What is left for the one who used to do it is the judgement — knowing whether the output is good. But most people have worse judgement than AI. And whoever cannot judge quality cannot delegate either. How do you tell whether yours is the judgement a company relies on, or the kind it can replace?
Prague, 13 May 2026. On my way to work I started thinking about something that stayed with me for days. If most routine work on a computer disappears in the next ten years, and a large share of repetitive manual work disappears with it, what happens to the flow of money? Who pays whom for what? Which economic layers will exist, how large will they be, and what relationships will run between them? This is the six-layer map I sketched as an answer.
Will AI take my job? A certified Google trainer told me in June 2024 that my profession would cease to exist. Twenty-two months later, my job title has not changed — but ninety percent of what I do during the day is different. I have delegated more of my thinking to AI agents than I thought possible. I am not afraid. This is why, and what it means for anyone asking the same question.
One hour. Fifty-five minutes. That is how long it took to build what a Czech software firm had quoted at over €50,000. I built it with Claude Code. Not a prototype. Not a proof of concept. A working tool — the one the company actually needed. By the evening of the same day, it was running on staging. This is not about Claude Code. It is about what Claude Code exposes.
I have conducted roughly one hundred and fifty practical interviews over the past four years. Fifty for data specialist roles. A hundred for advertising and performance marketing specialists. Almost every one of them involved sitting down with a candidate over a practical task — something close to a real problem we actually need to solve at the company. Not theory. Not trivia. Applied problem-solving. Over time, I started noticing a pattern.
Before you can teach AI to understand anything, you need to see what it is hiding from you.
Four days in Catalonia. No computer, no AI, almost no social media. I bought this notebook so that I could write down what I would think about, and what I would come across and learn on the trip.