Skip to content
Gabriel Heinemann
FrameworkAuthority and Governance2 min read

Capability Is Not Authority

An AI agent may be able to draft, route, summarize, recommend, or trigger — but the business still needs rules for what it is allowed to do, when humans review, and what evidence is captured.

AI agents are rapidly gaining capability. They can draft documents, route requests, summarize information, recommend actions, and trigger workflows. The technical ability to perform these actions is advancing faster than the organizational readiness to govern them.


The central mistake most organizations make is conflating capability with authority. Just because an agent can act does not mean it should. Just because it can access data does not mean that data is trustworthy enough to act on. Just because it can make a decision does not mean the decision should go unreviewed.


The Seven Gates framework addresses this by requiring every agent action to pass through seven explicit checks before execution:


1.Allowed actions — What is the agent permitted to do without approval?
2.System access — Which tools, records, and systems can it touch?
3.Business context — What information is trusted enough to act on?
4.Risk assessment — What could go wrong if the agent acts?
5.Human review — When does a person need to approve?
6.Evidence capture — What must be recorded before, during, and after?
7.Ownership — Who reviews the result and takes accountability?

These gates are not theoretical. They are implementable in software — and are being implemented in AgentPlugin, the infrastructure layer for governed autonomous systems.


The most dangerous phrase in AI deployment is "the model can do it." The right question is not whether the model can. It is whether the organization is ready for the model to act.