A chatbot that answers questions is low risk: the worst it can do is get the wording wrong. An AI agent embedded in real processes is a different category: it registers documents, assigns owners, drafts orders. Which means the security requirements must be different too. Here are the principles behind the security of d8n.ai digital employees.
The agent operates strictly under the user’s permissions
A d8n.ai agent has no privileges of its own. It inherits the ACL of a specific employee: it sees the same documents, folders and processes as the person it works for — no more. Change the employee’s rights and the agent’s capabilities change instantly. This removes an entire class of risk: you cannot compromise an “all-seeing AI”, because one doesn’t exist.
Every action lands in the audit feed
Everything the agent does is visible in the action feed: which document it read, what it created, which route it sent it down, who it wrote to. Full traceability means the AI’s work is verifiable exactly like a human’s — both in the moment and retrospectively, during an internal investigation or an external audit.
Critical steps are confirmed by a human
The agent prepares — the human decides. A payment, an outbound document, an HR order, a settings change: the agent never performs these automatically. It builds a draft and submits it for the employee’s confirmation. We consider this human-in-the-loop principle mandatory for trust: AI removes the routine, but responsibility for decisions stays with people.
How we control hallucinations
An agent that gets things wrong is also a security issue. Three mechanisms work here. First, an isolated knowledge base: each customer’s agent is trained only on that customer’s documents and configurations and doesn’t “improvise” from generic data. Second, a golden standard of answers the agent constantly checks itself against. Third, a live feedback loop: the standard is regularly updated from user reactions, so the agent’s knowledge evolves with the company. We battle-tested this approach on our own technical support — and described it in the first build-in-public issue.
What the agent never does
Some actions are architecturally closed to the agent regardless of configuration: it does not sign documents, does not approve on a person’s behalf, does not change access rights, does not send data outside the perimeter without confirmation. We sell transparency and control, not magic — and we believe that is exactly what separates enterprise AI from an experiment.