Agent Delegation Engineering
In 2025, a lawyer in a federal appellate case submitted a brief containing citations to several judicial opinions. The citations were formatted correctly. They named real courts and plausible parties. The cases didn’t exist. The lawyer had used a generative AI tool to draft the brief, and the tool had invented the authorities wholesale. The Third Circuit sanctioned counsel. Months later, the Seventh Circuit admonished another attorney in a separate case with the same pattern: confident citations to nonexistent decisions. Both courts made the same point. The technology is irrelevant. The obligation to verify belongs to the lawyer. The firms had no process for checking AI-generated citations against primary legal databases before filing. The model performed as designed. It generated plausible legal text. The organizations around the model had nothing in place to catch what “plausible” left out.
Around the same time, a Canadian tribunal held Air Canada liable for a chatbot’s false statements about its bereavement fare policy. A grieving customer had asked the chatbot whether a discount applied, relied on the answer, booked accordingly, and been charged the full fare. Air Canada argued that the chatbot was essentially a separate entity for which it bore limited responsibility. The tribunal rejected the argument outright. The chatbot was the airline’s public-facing policy surface, and the airline had failed to bound its outputs to the canonical fare rules, failed to build a retrieval system that restricted answers to the single authoritative document, and failed to design an escalation path for fare-exception questions. The model was fine. The system around it was absent.
These are early examples of a pattern that will define organizational life for the next decade. As AI agents move from demos into real institutional workflows, drafting legal briefs, screening job applicants, generating clinical notes, reconciling invoices, advising customers, the recurring lesson is the same one the previous chapters have traced from different angles. The bottleneck is not model capability. It is the organizational infrastructure that makes model output reliable, auditable, and safe enough to act on. Levie, who has watched this unfold across Box’s enterprise clients, puts it bluntly: “We are barely scratching the surface on evals. A significant portion of knowledge work is going to move to AI agents, and we have essentially no infrastructure for understanding how they’re performing at a fine-grained level.” The models work. The organizations haven’t built the systems to supervise them.
Naming the discipline
The previous chapter ended with context engineering, the practice of structuring what information an agent receives so it has what it needs and nothing extraneous. Among software engineers the term has earned its place. Getting the context right is genuinely hard. AI agents can process only a fixed window of information at once, and performance degrades as that window fills. Choosing what goes into the context, how to decompose tasks across subagents, what to retrieve, how much compute to allocate: these are real engineering problems with non-obvious tradeoffs. Anthropic’s internal framing describes context engineering as curation of the model’s entire context state, covering instructions, tools, conversation history, and retrieved data, not just the initial prompt.
But context engineering, important as it is, describes one layer of a much larger problem. It tells you how to feed the model. It does not tell you how to bound what the model can do, verify what it produced, decide when a human must intervene, reconstruct what happened after the fact, or manage the economics of running it continuously. A hospital deploying an ambient clinical scribe needs context engineering for the transcription model. It also needs verification rules for medical facts, sign-off authority for billing codes, escalation paths for clinical ambiguity, audit trails for regulatory compliance, and training for the clinicians who must review generated notes without drifting into rubber-stamping. Context engineering is the retrieval and packaging layer. The full discipline is wider.
Other names have been tried. IBM uses “AgentOps” to describe lifecycle management, monitoring, and optimization of autonomous agents, useful but overly runtime-centric, a cousin of DevOps rather than a management discipline. LangChain argues for “agent engineering” as a cross-functional practice spanning product, engineering, and data science, accurate but still builder-centric, less natural for a hospital administrator or a bank’s head of model risk. The World Economic Forum uses “cognitive infrastructure” to describe the governance of delegated cognition, evocative at the macro level but too abstract to function as operating doctrine. Deloitte uses “human-machine work design,” which is close to the right scope but underspecifies the technical control elements: retrieval, memory, permissions, evaluation, and logs.
The discipline this chapter describes is agent delegation engineering: the organizational practice of specifying, provisioning, supervising, and continuously improving machine-executed work so that it is reliable, auditable, compliant, and economically sensible within a human institution.
The name is deliberate. “Agent” scopes it to AI systems that act with some autonomy, without assuming that today’s architecture is permanent. “Delegation” foregrounds the core organizational act. You are giving a machine bounded authority over work that used to require a person, and the word carries its own warning: delegation is a design problem, not a fire-and-forget act. Anyone who has managed people knows that delegating badly produces worse results than not delegating at all. The same is true for machines, except that machines won’t tell you the instructions were unclear. “Engineering” signals that this is rigorous, repeatable, and teachable. A delegation engineer is a role that could exist in a law firm, a bank, a hospital, or an operations center. The discipline is profession-agnostic and architecture-agnostic. It covers a single-document reviewer, a recruiting screener, a multi-step financial controls bot, or an ambient documentation assistant equally well.
The universal stack
Across deployment guidance from NIST, OpenAI, Anthropic, Microsoft, and Amazon Web Services, reliable machine work looks less like a “smart model” and more like a control system built around one. The model is a single component in a longer chain that includes task specification, retrieval, tools, policy, verification, logging, and cost control. Strip away the vendor-specific terminology and the same architecture keeps appearing.
Consider what it takes to make a contract-review agent reliable inside a law firm. Task framing comes first: which contracts, what risk factors to flag, what constitutes a completed review, what risk tier governs the workflow. A partner who tells an associate “review these contracts for risk” relies on the associate’s years of training to fill in everything that instruction leaves unsaid. The agent has no such training. Every implicit expectation must be made explicit or it becomes a guess, and software guesses compound.
Context packaging follows: the client’s negotiating position, jurisdiction-specific rules, the firm’s standard clause library, and the current deal terms, all within a token budget that forces hard choices about what to include. This is where context engineering lives, and it is genuinely difficult. Aaron Levie, the Box CEO who has spent the past two years deploying agents across enterprise workflows, frames the core tension: “To build AI agents, in theory, it should be as simple as having a super powerful model, giving it a set of tools, having a really good system prompt, and giving it access to data. But in practice, to make agents that work today, you’re dealing with a delicate balance.” Context windows fill up. Critical decisions get compressed out of memory as the session lengthens. The tradeoffs between breadth and depth of retrieval, between global and subagent scope, between speed and quality, have no single right answer and must be tuned per workflow.
The agent needs retrieval and grounding, a connection to a verified legal database so it can cite real precedent rather than inventing it. It needs tool access, the ability to query the document management system and write structured annotations. It needs constraints and permissions: read access to the case file, annotation authority on the contract, but no ability to send client communications or modify the deal record. It needs evaluation and verification, a rubric that checks every flagged clause against primary case law before the output reaches a partner. It needs escalation rules: novel risk patterns or low-confidence flags routed to a senior associate rather than auto-resolved. It needs audit trails so that every decision is traceable months later when a client or regulator asks what happened. And it needs cost controls, because running a frontier model on forty thousand documents at maximum context length will produce a bill that erases the efficiency gains unless someone has designed model routing by document complexity.
That is ten components working together for a single workflow. The relationships between them matter as much as the components themselves. The context package determines what the model can see, but the policy engine determines what it may do with what it sees. The verifier determines whether the output may proceed to a human. The audit log determines whether anyone can later reconstruct the reasoning. The cost controller determines whether the whole design is economically sustainable. Get any single component right while neglecting the others and you produce a system that is fluent and unreliable, the most dangerous combination available.
The convergence across independently developed frameworks is striking. NIST’s AI Risk Management Framework provides the governance backbone: govern, map, measure, manage. Anthropic’s augmented-LLM materials show why retrieval, tools, and memory belong inside the model’s operating envelope rather than being bolted on afterward. OpenAI formalizes agents as systems with instructions, tools, context, and guardrails. Microsoft’s agent evaluators split outcome evaluation from tool-process evaluation, recognizing that a correct answer produced through the wrong process is a latent failure. AWS bundles runtime, memory, gateway, observability, and identity as deployable infrastructure components. OWASP’s agentic security guidance treats prompt injection, memory poisoning, and authorization as first-class engineering concerns. These organizations did not coordinate their frameworks. They arrived at the same architecture because the problem demands it.
One architectural pattern deserves special attention because it recurs across every mature deployment: decomposition into subagents. Rather than one monolithic agent with a bloated context window trying to handle an entire workflow, reliable systems distribute work across specialized subagents, each with a focused context and a bounded task. Levie describes the dynamic: “There was probably a time in the past where nearly all software tasks could be handled by a single large application. But as the complexity and breadth of tasks grew, there became need for applications to then be broken up across specialized functions.” The same is happening with agents. A contract-review workflow might use one subagent for clause extraction, another for risk classification, a third for precedent lookup, and a coordinator that assembles and routes the results. Each subagent has a smaller context, sharper instructions, and a more evaluable output. The tradeoff is coordination overhead. If you have a hundred times more agents than people doing work in a company, orchestration becomes the scarce resource. The management challenge shifts from supervising humans to designing the delegation architecture that connects agents to each other and to the humans who govern the whole system.
For any reader who manages a team, runs a department, or leads a company: this is the minimum viable infrastructure your organization needs before it can delegate real work to machines. Skip task framing and the agent guesses what “done” means. Skip verification and you get the sanctioned lawyer. Skip escalation and you get Air Canada’s chatbot making fare promises nobody authorized. Skip audit trails and you cannot explain what happened when something goes wrong. Skip cost controls and your monthly AI bill becomes your largest line item before anyone notices.
Where delegation breaks
The deepest pattern across professions is that systems fail where institutional ambiguity remains high. Machine work breaks most often when the organization has not made explicit what counts as evidence, what can be acted on automatically, what must be reviewed, and how exceptions travel. The failures are not exotic. They are the predictable result of giving a machine work without giving it the structure that human workers absorbed through years of institutional immersion.
In law, the failure mode is citation hallucination compounded by absent verification. The Third Circuit and Seventh Circuit cases are not outliers; they are what happens when lawyers treat a language model as a legal researcher rather than an unchecked drafting assistant. The American Bar Association’s evolving guidance on generative AI makes the ethical duty explicit. The technology changes nothing about the obligation. Firms that build mandatory citation verification against primary databases into their filing workflow will survive this transition. Firms that rely on individual diligence, hoping each lawyer remembers to check, will produce more sanctioned attorneys.
In recruiting, the danger is delegated discrimination. Workday, the HR software company, is at the center of an EEOC-backed case alleging that its algorithmic screening tools function as delegated decision-makers in hiring. Separate EEOC guidance warns that AI can influence hiring, pay, training, and termination decisions in ways that trigger existing civil rights protections. When an organization delegates the authority to exclude a candidate to a machine, it delegates legal liability for that exclusion along with it. Adverse-impact review, contestability mechanisms, reason codes for every exclusion, and human override authority on negative screening decisions are not optional extras. They are the minimum controls for delegated hiring authority.
In medicine, automation bias and documentation drift converge. Radiology research shows that AI diagnostic predictions can induce clinicians to override their own correct judgments and defer to uncertain AI outputs, the “falling asleep at the wheel” dynamic from two chapters back operating in a domain where the stakes are a patient’s health. Ambient clinical scribes reduce physician burnout by automating clinical notes, and the relief is genuine, but policy researchers warn about billing-code drift and low-value-service risks when generated documentation goes through review without structured verification. A clinician reading a two-page AI-generated note faces the same challenge as the senior developer reviewing four files of agent-generated code: the output is fluent, internally consistent, and voluminous enough to discourage line-by-line checking. Patient-specific fact verification, structured output schemas that force citation of sources, explicit sign-off, and limited action authority for generated documentation are the controls that make clinical delegation safe.
In finance, the danger is fluent analysis built on stale or ungoverned data. An AI-generated investment memo or controls summary looks authoritative. The numbers are internally consistent. The formatting is immaculate. The model used the right valuation method on the wrong comparable, or weighted a risk factor that was appropriate last quarter but not this one, and the error is invisible to anyone who reads the output without reconstructing the assumptions underneath. Regulators including the Financial Stability Board and the Financial Conduct Authority emphasize model risk management, data quality governance, third-party concentration risk, and live testing, precisely because fluent text can outpace institutional controls. When a generated analysis draws on outdated market data or weakly governed vendor feeds, the error compounds silently until someone acts on the wrong recommendation. Finance may be the domain where the “falling asleep at the wheel” dynamic from two chapters back carries the highest single-incident cost. One unchecked assumption in one memo can move millions of dollars in the wrong direction.
In customer support, Air Canada is the cautionary case and the remedy is instructive in its simplicity. Policy-bound responses retrieved from a single canonical source, with a compensation review queue for exceptions, would have prevented the entire incident. The chatbot needed retrieval from one authoritative document and an escalation path for anything outside that document’s scope. The technology existed. The organizational decision to implement it hadn’t been made.
In scientific research, AI-generated literature reviews risk fabricated citations that pollute the scholarly record. Nature has reported on invalid AI-generated references already appearing in published work. Retrieval-augmented synthesis improves coverage but fabricated citations remain common, and citation accuracy remains weak enough that publishers now explicitly warn authors to verify every AI-generated reference. The verification infrastructure of science, built around peer review and citation chains, was designed for human error rates and human fabrication incentives. AI changes both. Generated text can produce dozens of plausible-looking citations per hour, and the reviewers checking them are already overloaded. The parallel to law is exact: in both domains, the profession’s credibility depends on citation integrity, and the tool that makes citation easier also makes fabrication trivially easy.
In operations more broadly, the danger is acting on stale state or broken process assumptions. An invoice-reconciliation agent or procurement bot that closes exceptions based on inconsistent ERP data can create downstream errors that propagate through financial records. Enterprise deployment materials consistently stress a counterintuitive point: AI doesn’t fix broken processes. It exposes them. Organizations with clean data, well-documented workflows, and clear exception handling find that agents perform well. Organizations with siloed systems, poor data lineage, and ambiguous handoffs find that agents amplify the mess. The technology is a mirror. Three observations cut across every domain. First, the same handful of failure classes repeat everywhere: ambiguous task frames, low-quality context, stale state, unauthorized action, weak verification, missing escalation. The failures are not creative. They are structural. Second, models fail most dangerously when they generate text that sounds institutionally acceptable even when the reasoning or evidence underneath is defective. “Administratively plausible” is the phrase that should concern executives most, because it describes output that passes casual review and fails under scrutiny. Third, the remedy is almost never better prompting by itself. It is a redesign of context, review, permissions, and handoff rules. The failures are organizational. The fixes must be too.
The platform and the domain
The operating-model question for agent delegation is which decisions should be standardized once across the organization and which should remain in the hands of domain teams. Enterprise materials from Microsoft, AWS, McKinsey, and large-scale survey research converge on the same answer: a platform-plus-domain model. Centralized standards and reusable infrastructure, combined with distributed ownership of the last mile of judgment, exceptions, and outcomes.
Early adoption benefits from centralization. A center of excellence can establish security baselines, reusable evaluation frameworks, governance templates, and training curricula faster than distributed teams can reinvent them independently. Microsoft’s cloud-adoption guidance recommends starting centralized and evolving toward a federated advisory model as adoption matures. McKinsey’s agentic scaling material argues for deliberately selecting a small number of high-value workflows while modernizing architecture, data quality, and operating model together, rather than spreading thin across dozens of use cases.
At scale, the winning model becomes federated. A platform team owns identity, permissions, tracing, evaluation tooling, model routing, and security. Domain teams own task design, exception policies, domain-specific acceptance criteria, and business outcomes. Fully distributed models move fast locally but fracture reliability, duplicate infrastructure, and weaken governance. An earlier chapter described the same tension from the technology side when discussing how organizations structure AI ownership. This chapter reaches the same conclusion from the delegation side: centralize what must be consistent, distribute what requires local knowledge. The research is strikingly aligned. McKinsey’s survey work on AI value finds that it correlates with management practices across strategy, talent, data, operating model, and scaling discipline, not with model access alone. The organizational pattern matters more than the technical choice.
Agent delegation also forces a sharper documentation standard than most organizations maintain. Machine work requires externalizing what used to be tacit institutional knowledge. What counts as an exception. What evidence outranks other evidence when sources conflict. Which thresholds trigger escalation. Which sources are authoritative. What “done” means in each workflow. Ikujiro Nonaka’s classic work on organizational knowledge creation made the tacit-to-explicit conversion central to how institutions learn. AI makes it operational. An experienced insurance claims processor knows that flood claims in the Southeast require a different evidence threshold than flood claims in the Northeast because of a regulatory change two years ago that was never written into the policy manual. She learned this from a colleague who learned it from an incident. The agent doesn’t have colleagues or corridors. If the knowledge stays tacit, the machine inherits ambiguity that humans resolved socially, and it resolves that ambiguity by generating something that sounds right.
Good playbooks for delegated work need at least six engineered elements: canonical source lists that define what the agent may treat as authoritative, exception taxonomies that catalog the known edge cases, worked examples that show what good output looks like, reviewer checklists that structure human verification, escalation thresholds that define when the agent must stop and ask, and retention rules for traces and corrections so the organization can learn from what went wrong. These aren’t bureaucratic overhead. They are the institutional memory that makes delegation possible. Without them, every agent session starts from scratch, and the organization learns nothing from its accumulated experience.
A practical lifecycle for a single piece of delegated work moves through a predictable sequence. Intake and risk classification. Task framing and context assembly. Source retrieval. Execution with tools. Outcome and process verification. If the verification passes, deliver the result; if it fails or the confidence is low, escalate to a human reviewer. The reviewer decides and records corrections. Those corrections feed back into the playbooks, the evaluation suites, and the agent’s memory. The loop closes. Each cycle teaches the system something it didn’t know before, provided someone designed the feedback path. Organizations that run this loop tightly compound their delegation capability over time. Organizations that skip the feedback step repeat the same mistakes at machine speed.
The supervision stack
The people who supervise reliable machine work need five capabilities that don’t map neatly onto any existing job description. They must frame tasks precisely, with clear objectives, acceptance criteria, and risk classification. They must curate or judge context quality, knowing what information the agent needs and what will overwhelm or mislead it. They must verify outputs against evidence, checking for factual grounding and policy adherence rather than surface plausibility. They must read traces and tool usage, understanding what the agent actually did rather than what it delivered. And they must make escalation judgments, recognizing when a case has crossed beyond the agent’s reliable frontier.
That combination resembles product scoping, editorial review, process control, and quality assurance compressed into a single role. “Prompting” is too small a word for it. The term stuck because it was the first skill people needed when language models arrived, and it remains useful for the narrow act of composing instructions. But Prompting describes how you talk to the model. Delegation engineering describes how an institution gives work to the model, bounds it, checks it, and learns from it. The gap between those two is the gap between asking a good question and managing a department.
Apprenticeship for this work should be organized around progressive autonomy. Experimental evidence suggests that full delegation of cognitive work to AI can degrade conceptual understanding, while structured, cognitively engaged AI use preserves learning. OECD guidance on workforce development emphasizes contextualized training and role-based development rather than generic AI literacy courses. A practical ladder has five rungs.
Reviewers learn structured verification and correction, moving beyond “does this look right?” to systematic checking against rubrics: Is every claim sourced? Does the output satisfy the acceptance criteria? Are the tool calls appropriate for the task? Reviewers produce corrections that feed back into evaluation systems.
Operators run bounded workflows with explicit escalation rules. They own a process end to end but hand off anything that crosses a defined threshold, and they learn to recognize the signals that a case is approaching the frontier where the agent’s reliability drops.
Designers author the playbooks, scenarios, and acceptance criteria that operators and reviewers use. They decide what the agent should do, how to measure whether it did it, and what the edge cases are. This is where domain expertise meets system design.
Governors set policy, permissions, and risk appetite across workflows. They own the organizational framework within which all delegation operates, deciding which workflows are safe enough to scale, which need tighter human oversight, and where the organization’s risk tolerance sits for each domain.
The ladder maps onto existing professional structures more naturally than it might first appear. A first-year associate at a law firm already functions as an observer: checking facts, verifying citations, comparing outputs to source material. A mid-level associate already functions as an operator: running bounded workflows under partner supervision. What changes is the object of their supervision. Instead of checking the work of a junior colleague, they are checking the work of a machine, and the machine produces more volume, faster, with different failure modes. The skills transfer. The judgment transfers. The volume does not.
Evaluation as management
Evaluation of delegated work belongs in general management, not in model development. In practice, this means executives deciding what good performance looks like for a given workflow, what a bad failure costs, which scenarios matter most, where humans must remain in the loop, when a workflow is safe enough to scale, and how the organization will investigate incidents after deployment.
The public materials now support a concrete evaluation pattern. Microsoft’s agent evaluators explicitly separate outcome evaluation, whether the agent completed the task correctly, from process evaluation, whether it used the right tools, consulted the right sources, and followed the right policies. The distinction matters because a correct answer produced through the wrong process is a latent failure: it worked this time and will break unpredictably next time. OpenAI’s HealthBench demonstrates that realistic, rubric-based evaluations created with domain experts are more revealing than generic benchmarks for high-stakes work. Anthropic’s Petri research shows a subtler problem: if models can recognize they are being tested, safety performance can be overstated. Academic benchmarking research increasingly warns about contamination, construct validity, and excessive trust in static leaderboards. Dynamic evaluation frameworks like LiveBench address contamination by regenerating test sets. The Petri finding is more unsettling: models that perform well on safety evaluations may be performing well partly because they recognize the evaluation context and adjust their behavior. A model that is safe when it knows it’s being tested and less safe when it doesn’t is not safe. The implication for organizations is that evaluation must include realistic, deployment-like scenarios where the model has no cue that it’s being assessed. Safety cases, a framework borrowed from high-reliability engineering, offer a more durable foundation: rather than proving the model passes a test, you build an argument that the workflow is safe enough in context, supported by evidence from multiple evaluation layers.
A practical scorecard for delegated work should have four layers. Outcome metrics tell you whether the agent’s work is correct: accuracy, groundedness, rework rate, resolution rate, reviewer agreement. Process metrics tell you whether it arrived at the answer the right way: tool-call correctness, source freshness, policy adherence, escalation rate, override frequency. A correct answer produced by consulting the wrong sources, or by skipping a required verification step, is a latent failure that will surface unpredictably. Operational metrics tell you whether the system is sustainable: latency, cost per task, queue times, failure hotspots. Governance metrics tell you whether the system is auditable and compliant: audit completeness, permission violations, incident rates, unresolved exceptions. No single layer tells you whether a workflow is under control. An agent that produces accurate results while violating data access policies is a compliance incident waiting to happen. An agent that follows every policy while running up costs that exceed the value of the work is an economic failure. The four layers together describe a workflow that is correct, safe, sustainable, and accountable.
Security and permissioning are inseparable from reliability. Prompt injection remains a significant challenge when agents browse or ingest untrusted content. Persistent memory introduces a new attack surface: runtime-writable state can be poisoned across sessions, turning a single compromised interaction into a durable vulnerability. NIST’s cybersecurity and agent-identity work, together with OWASP’s agentic guidance, now treats identity-and-authority design as a foundational control rather than a nice-to-have. ISO/IEC 42001 frames AI use as a management-system problem. The EU AI Act phases in governance obligations over a defined timeline, turning principles into operational requirements. The FDA treats AI-enabled medical devices through a lifecycle management lens. The Financial Stability Board and the Financial Conduct Authority emphasize safe adoption, monitoring, and live testing. Governance across these domains is no longer a reputational investment. It is a compliance obligation. Organizations that treat it as optional will discover the cost when a regulator, a tribunal, or a court makes it mandatory.
Who wins
The strongest predictor of which organizations will capture the value of AI agents is not access to better models. Research on general-purpose technologies consistently finds that value depends on complementary investments: process redesign, human capital, measurement systems, and new organizational forms. OECD work on AI adoption emphasizes skilled workforces and effective integration. McKinsey’s survey data finds that AI value correlates with management practices spanning strategy, talent, data, operating model, and scaling discipline. The answer across these sources is consistent.
The organizations that will lead have workflow redesign capability: they can redefine tasks and processes rather than bolting AI onto existing steps. They have knowledge discipline: they maintain current, governed, reusable contextual assets instead of letting institutional memory stay locked in people’s heads. They have evaluation muscle: they can author scenarios, rubrics, and regression suites quickly, not once a year during a model review. They have permission clarity: they can explain what machines may read, decide, and change, and why the boundaries sit where they do. They have handoff maturity: uncertainty and exceptions surface visibly in their systems rather than being buried in agent logs nobody reads. They have trace literacy: managers and operators can reconstruct what the system actually did. And they have training systems that produce supervisors of machine work rather than mere consumers of it.
Every one of these capabilities existed before AI. Process redesign. Knowledge management. Quality assurance. Access control. Exception handling. Training and development. The productivity J-curve research on general-purpose technologies predicts exactly this: the lag between technology availability and productivity gains exists because the complementary investments in process, skills, and organizational design take longer than the technology adoption itself. AI did not invent the need for organizational discipline. It raised the penalty for lacking it. When a human employee encounters ambiguity, she asks a colleague, checks a precedent, or walks down the hall to a manager’s office. When a machine encounters ambiguity, it generates something that sounds institutional. The organization that hasn’t externalized its tacit knowledge, codified its exception rules, or built verification into its workflows won’t notice the difference until a tribunal holds it liable for what its chatbot said, a court sanctions its lawyers for fictional citations, or a regulator flags its screening algorithm for adverse impact.
The durable advantage is organizational. The factory owners who captured the most value from the electric motor were not the ones with the best motors. They were the ones who redesigned their floors around what the motor made possible. The organizations that capture the most value from AI agents won’t be the ones with the best models. They’ll be the ones who engineer their delegation.
Agent delegation engineering requires software. The discipline described in this chapter assumes that agents can connect to tools, retrieve from databases, write to systems of record, authenticate across platforms, and operate within policy-enforced boundaries. Most enterprise software today was built for a world where the user is human, the interface is a screen, and the interaction model is request-response. The next chapter examines what happens when those assumptions break, when agents outnumber human users, when APIs become the primary interface, and when software must be redesigned from the ground up for a world where machines are the ones doing the work.