Ask an Ethicist columnist Vera Cherepanova tackles a dilemma almost certainly playing out in more than one boardroom right now: What are the ethical considerations of deploying agentic AI? Answering the question means tackling thorny issues about whether agents are designed to give better service — or something else entirely.
I am a board director of a large, listed company. In recent board meetings, we have been discussing how to enhance our CRM system by adding what management calls a “digital workforce.”
Our current SaaS CRM provider has a new agentic AI offering that management is eager to pilot. The promise is attractive: intelligent agents integrated into customer workflows, using real-time data to respond to customer needs, resolve routine issues and escalate more complex matters to human employees. The agents would operate independently within guardrails customized for our company.
Management sees this as a productivity and customer-experience opportunity. The commercial model is appealing, too: We would pay for outcomes or usage, not software licenses.
That raises questions I do not think we have fully examined. How should the board oversee an organization in which human and digital workers operate side by side? Before we commit to buying a digital workforce, I want to understand what ethical responsibilities come with it. What should we be asking? — BF
Your question is an excellent one because management is presenting this as a technology upgrade, while the board should recognize it as something much larger. Managing a workforce that includes both humans and digital workers cannot be confined to a technology implementation project. It is a board-level governance issue for several reasons.
The first reason is that AI is moving here from an assisting role — helping humans with certain tasks — to acting on behalf of them and, in some cases, on behalf of the company as a whole. That calls for a different oversight model, one capable of distinguishing between different levels of AI autonomy and adjusting scrutiny accordingly. Ceteris paribus, the more independently these systems act, the more closely they should be governed.
Second, as your dilemma suggests, the actions of intelligent agents will directly inform the customer’s experience of the organization. Therefore, a useful question for the board to ask, in full honesty, is whether these agents are deployed to serve customers better or to make it harder for customers to reach the company. The commercial model provides an additional insight: If the company pays for “resolved” outcomes, the system may be tuned to classify more issues as resolved regardless of whether the customer would agree.
Third, introducing digital labor will affect human labor in ways management might be understating. The usual promise is that as machines take over mundane tasks, humans will move to more interesting and enriching work full of meaning. That might be the case for some. More often, though, employees are expected to train the agents, manage them, improve them and ultimately compete with them. So, a good board question is whether human work is actually becoming more meaningful, or whether humans are being turned into machine validators until the final phase-out.
One especially revealing area to look at is escalation. It seems a technical detail on the surface, but this is where the “ethics of AI” and the company’s values meet.
The agent must know when to stop and hand over to a human, and deciding on the settings says a lot about what the company cares about most. For example:
- If the agent escalates only when there is legal risk, that says the company prioritizes exposure.
- If it escalates when it detects a vulnerable customer, that says the company prioritizes care.
- If it escalates only for high-value clients, that says something else.
This is a non-exhaustive list of issues to consider, but the central point must be clear: Introducing a digital workforce shouldn’t really be wrapped up in the language of a new software feature. In fact, it might be one of the most consequential decisions you take as a board director. Treat it as such.
Readers respond
The previous question came from a cybersecurity professional grappling with the fallout of a white-hat disclosure gone wrong. The dilemma revolved around whether a researcher’s decision to release exploit code after feeling mistreated by a company could ever be ethically justified — and whether companies themselves have a duty to handle vulnerability disclosure well enough that frustrated white hats do not turn gray, leaving customers to bear the consequences.
In my response, I noted: “The underlying ethical question is not only was the researcher justified; it is also did the company have an ethical responsibility to its customers to handle the researcher well enough that this did not happen? In that sense, your dilemma is about whether customer protection should include managing the human relationship with white hats well enough that they do not turn gray. Indeed, cyber vulnerability disclosure is a three-cornered relationship, rather than a bilateral one. If the company-researcher part of it collapses, the users will bear the downside.
“The answer is partly yes, though not absolutely. A company does not owe a researcher whatever they demand; that’s why it’s called a coordinated disclosure and not a ransom. It can’t let outsiders dictate internal processes either. But if a company benefits from coordinated disclosure norms, then it does owe customers a disclosure process that is credible, fair, timely and respectful enough that white hats have a realistic reason to stay inside the responsible lane. It is part of the company’s duty of care to users.”
Is your organization’s vulnerability process creating more risk than it solves? Thanks, Vera, for reminding us that cybersecurity is ultimately a human and ethical challenge, not just a technical one. — CG


Vera Cherepanova






