Select Page

Agents Don’t Need Better Models. They Need Payroll.

by lukasz | Jul 9, 2026 | Essays

Or: why the most important AI product of 2026 is an HR system.


Every conversation about enterprise AI starts in the wrong place. Someone asks which model is smartest. Someone benchmarks reasoning. Someone waits for the next release, convinced that this will be the one that finally makes agents work at their company.

Meanwhile, the companies actually deploying agents at scale have quietly stopped talking about models. They're talking about accounts. Permissions. Offboarding. Who signs off when the agent screws up.

They're talking, in other words, about payroll problems.


The bottleneck moved and nobody sent a memo

Here's the thing I keep running into: the models are already good enough for most of what enterprises want agents to do. Read documents, draft responses, reconcile data, monitor systems, escalate anomalies. A 2024-class model handles this. A 2026-class model handles it easily.

So why does the average company have three demos and zero agents in production?

Because the moment an agent stops being a demo, someone in IT asks a question that kills the project: "Under whose identity does this thing run?"

And there's no good answer. So the agent runs under a service account — a shared, over-privileged, never-expiring credential of the kind that security teams have spent twenty years trying to eliminate. Or it runs under the identity of the developer who built it, which works great until she leaves the company and takes the agent's access with her. Or it runs under nothing at all, glued together with API keys in environment variables, invisible to every audit.

None of these are model problems. All of them are identity problems. The bottleneck moved from intelligence to infrastructure, and most of the industry is still staring at the intelligence.


What "hiring" an agent actually means

Think about what happens when a company hires a human.

They get an account. It's provisioned on day one and — this is the important part — deprovisioned on their last day. They get permissions scoped to their role, not to everything the company owns. Their actions are logged under their own name. They have a manager. When they cause damage, there is a chain of accountability that everyone understood before the damage happened.

Boring, right? Decades-old corporate plumbing. Nobody writes think-pieces about employee onboarding.

Now count how many of those properties your agents have.

An identity that isn't shared with other agents? Permissions scoped to the task instead of inherited from whoever deployed it? Automatic deprovisioning when the project ends? A named human who answers for its actions? An audit trail that distinguishes this agent from that agent?

Most companies score zero out of five. They are, in effect, letting contractors into the building without badges, without contracts, and without anyone remembering who invited them. Then they act surprised when the security review fails.


Microsoft figured this out first

I don't say this with any particular affection for Microsoft. But look at what they actually shipped while everyone else was shipping model upgrades: Entra Agent ID — identity accounts for agents, managed like employee accounts. Agent 365— a control plane for entire agent fleets: provisioning, permissions, monitoring, retirement.

That's not an AI product. That's an HR-and-IT product for a workforce that happens to be synthetic. And it's exactly the layer that decides whether a company runs five agents or five thousand.

IDC projects over a billion agents in enterprises by 2028. You can dispute the number — analysts inflate these things — but you can't dispute the direction. And at that scale, the constraint was never going to be "is the model smart enough." It was always going to be "can we manage a workforce that is created in minutes, works around the clock, and multiplies faster than any headcount plan."

The companies that win the agent era won't be the ones with access to the best models. Everyone has access to the best models — that's the whole point of an API. They'll be the ones that solved the boring parts: identity, permissions, lifecycle, accountability.

The moat isn't intelligence. Intelligence is a commodity now. The moat is management.


The fleet nobody approved

There's a second half to this problem, and it's the one that actually keeps security people up at night.

While the official agent projects sit in review, waiting for someone to answer the identity question, employees are not waiting. Anyone with access to Copilot Studio or a ChatGPT workspace can build an agent in an afternoon. Connect it to the CRM. Feed it the sales pipeline. Ship it to their team channel.

No ticket. No review. No identity. No record.

This is shadow IT, except worse — because a forgotten SaaS subscription mostly just sits there costing money, while a forgotten agent acts. It reads data, sends messages, makes changes, twenty-four hours a day, under credentials that belong to someone who may no longer work there.

Ask your IT department how many agents run in your company. If the answer comes quickly and confidently, one of two things is true: they have real agent governance, or they have no idea and don't know it yet. The confident wrong answer and the confident right answer sound identical. That's the problem.


When it breaks, whose name is on it?

Here's the question that separates companies playing with agents from companies deploying them:

The agent sent the wrong data to the wrong client. Who is responsible?

The developer who built it? The manager who requested it? The employee whose account it ran under? The vendor whose model made the call? "The AI"?

If your organization can't answer that in one sentence, it doesn't have an agent problem — it has an accountability vacuum, and the agent is just the thing that will eventually expose it. Responsibility has to be designed before the incident, the same way it is for humans: this agent, this owner, this scope, this escalation path. Companies do this instinctively for a junior hire with access to one shared mailbox. Then they give an autonomous system write-access to production data and call the accountability question a detail to figure out later.

Later is when the lawyers get involved.


The unglamorous conclusion

I get why nobody wants to hear this. "Build an identity layer" is a much worse conference talk than "the new model is superhuman." Governance doesn't demo well. There's no benchmark for offboarding.

But the pattern is old and reliable: every transformative technology ends up bottlenecked not by its capability but by the organization's ability to absorb it. Electricity needed the factory to be redesigned. Computers needed the office to be redesigned. Agents need the org chart to be redesigned — accounts, roles, owners, and yes, something uncomfortably close to payroll.

The next time someone tells you their company isn't ready for AI agents, ask them which part isn't ready: the model, or the management?

It's never the model.


Senteri is about how machines read — and increasingly, work inside — the web and the enterprise. If this resonated, the essay on why MCP won is a good next read.

The Field Guide to Agent-Readiness