The Permission Stack

Share
The Permission Stack
"If we get the benchmarks right, the rest is procurement."

Tuesday, 3:47 PM. The Q1 review is running long. The CRO is walking the board through loyalty-programme metrics, smiling at engagement up four points and members-acquired up nine, and the CFO is doing what she always does in these meetings, which is reading the line items.

She is looking at one of them. The line says Loyalty revenue: $87M. It is one of the cleanest revenue lines on the deck. Top-three predictability across the year. Margin-flattering. The board likes it.

What the line does not say is that $87M is the revenue the company keeps because customers who earned loyalty points failed to redeem them. The accounting term is breakage. The economic term is shrouded attribute. Xavier Gabaix and David Laibson published the foundational paper on it in the Quarterly Journal of Economics in 2006, and they named banks specifically. Bounced check fees. ATM fees. Minimum balance fees. JPMorgan Chase collected approximately $1.028 billion in overdraft fees in 2024. Wells Fargo collected approximately $1 billion. The CFPB attempted to cap overdraft fees at $5 in late 2024; Congress overturned the rule in April 2025, with the President signing the joint resolution into law.

The point being: friction is being defended politically, in writing, in the public record. Not because anyone is proud of it but because the alternative is recognizing it as revenue that cannot be replaced.

The CFO on the board call is doing the math the rest of the room is not doing. She knows her $87M loyalty line is the same shape as the bank's overdraft line, the airline's payment-friction line, the telecom's billing-complexity line. She also knows that an agent acting on behalf of the customer does not get tired of redeeming points. The agent reads the terms, finds the optimal redemption path, books it. Every shrouded attribute that depended on consumer myopia depends, in an agent-mediated world, on the agent being myopic. Agents are not myopic. That is the entire point of agents.

She does not raise this at the board meeting. The argument is two quarters too early and one CFO away from being political. She makes a note.

The argument the rest of the company will have, six months from now, is which AI vendor wins the category. It is the wrong argument. The capability is not the constraint. The CFO is the first person in the room to know it, and she will not be the one to say it.

This is the first of five permissions agentic AI will demand of every CX organization. I call it the Permission Stack.

Tech

The protocol layer is closer to settled than most CX leaders realize. The Model Context Protocol's authorisation specification went through a significant update in March 2026, settling on OAuth 2.1 with RFC 8707 Resource Indicators and delegated authorization through third-party servers. The protocol problem has been solved by the people whose job it was to solve it.

What the protocol does not do is make your enterprise ready to receive agent traffic. The MCP maintainers noticed this themselves; the 2026 roadmap explicitly prioritizes enterprise auth readiness, and an Enterprise Working Group was convened to address audit trails, SSO integration, gateway behaviour, and configuration portability. Solo.io, no enemies of the protocol, published a piece in 2026 titled MCP Authorization is a Non-Starter for Enterprise — not because the spec is wrong, but because the gap between "the spec exists" and "your CISO will sign off" is wider than most CX leaders have noticed.

Tech permission, then, is no longer about whether the protocol works. It is about whether your enterprise has done the operational work to be a first-class citizen of an agent-mediated internet. The diagnostic question is mundane: if a customer's personal agent arrived at your front door tomorrow with a valid OAuth 2.1 token, would you authenticate it, authorize it to a specific scope, audit what it did, and route it to a first-class endpoint? Or would your security stack treat it as a bot and block it?

Most companies do not know the answer. That is also the answer.

Of the five permissions, Legal is the one most often dismissed as the lawyers' problem. It is also the one with a date on the calendar.

The EU Artificial Intelligence Act, adopted in 2024, brings the full force of its high-risk provisions to bear on 2 August 2026. From that date, any operator of a high-risk AI system in place before the deadline is subject to the Act, regardless of where the operator is headquartered, provided the system affects EU residents. Penalties run up to €35 million or 7% of worldwide annual turnover, whichever is higher. These are not theoretical numbers. They are larger than the GDPR equivalents that brought the global privacy compliance industry into existence.

The substantive requirement that catches CX leaders by surprise is not the documentation. It is the architecture. The Act requires structured intervention points in the deployment of any high-risk AI system: places in the workflow where a human can monitor, correct, or override an autonomous action. That is not a policy obligation. It is an architectural one. A "human in the loop" framework written into a compliance memo does not survive audit unless the system itself was designed for it.

For financial services specifically, the picture is sharper. The European Banking Authority published AI Act Implications for the EU Banking Sector in November 2025 — a primary source the trade press has covered shallowly and that deserves direct engagement.

Diagnostic: if a customer's agent took a bad action against your system tomorrow, could you say in writing, to a regulator, today, who was liable and what oversight existed at the moment of the action?

If the answer is some version of "the lawyers are looking at it," the lawyers are not the problem. The architecture is.

Cultural

Twelve months ago this section would have been a forecast. Today it is an audit.

The IBM Institute for Business Value reported in January 2026 that 45% of consumers already use AI for at least part of their buying journey. Visa announced, in early 2026, that it had completed hundreds of agent-initiated transactions with partners across its ecosystem. Mastercard published its Verifiable Intent framework in 2026, for cryptographically signed mandates linking consumer intent, cart, and payment. Google shipped the public specification for its Agent Payments Protocol — AP2 — built around the same problem. Three card networks publishing competing agent-payment frameworks within a single quarter is not a forecast. It is the substrate setting.

The Cultural permission, then, is no longer about whether consumers will accept agent-mediated experiences. They have already accepted them, in numbers large enough that the global card networks are racing to be the trust layer underneath. The permission is now about whether your company can identify and serve agent traffic as a first-class category, or whether your security stack still treats it as a bot to be blocked.

Diagnostic: what percentage of your inbound traffic in the last 90 days came from a non-human user agent acting on a customer's behalf?

If your analytics team cannot filter user-agent type with "AI agent" as a discrete category alongside human, bot, and crawler, you are not measuring the substrate. What you are not measuring, you are not serving.

Organizational

The Organizational permission is the one that surprises the CFO. It is also the one most often missed in board-level AI strategy, because it does not appear on any vendor slide.

In 1967, Mel Conway published a paper reducing to a single observation: organisations design systems that mirror their own communication structure. Sixty years later, that observation is the most reliable diagnostic for why a major customer experience initiative fails. The agent-first version of the problem is sharper, and it is already visible. When organizations deploy multiple AI agents across departments, the result is a constellation of agents whose boundaries match the boundaries of the teams that built them. Agents owned by the same team share data and tools easily. Cross-team agent collaboration is brittle or absent. The org chart ships itself, in agentic form.

The strategic move is not new. Skelton and Pais formalized it in Team Topologies in 2019: the Inverse Conway Maneuver. Rather than fighting the architecture-mirrors-org-chart dynamic, deliberately reshape the organization to produce the architecture you want. For agentic CX, that means a platform agent layer with a single executive owner — not three VPs running CRM, CCaaS, and customer-data as separate fiefdoms — and cross-functional capability teams plugging into the platform layer. The companies that have done this quietly are also the companies the rest of the industry references as "doing agent-first well." Klarna, Capital One, and Stripe are three legible examples; the pattern across them is too consistent to be accidental.

Diagnostic: if you drew the customer's actual journey through your product and then drew your org chart on top of it, how many handoffs between teams would you count? And who is the single executive accountable when the journey breaks at one of those handoffs?

If the answer to the second question is "depends which handoff," you have already named the problem.

The scorecard. A single page. Five permissions, four rungs each. Score honestly. Three or more permissions at rung 1 or 2 indicates a strategy problem. Four or more indicates an existential one.


Rung 1

Rung 2

Rung 3

Rung 4

Commercial — Friction-derived revenue

Not measured

Measured, not reported

Reported, target to reduce

Public floor + strategy survives agent-mediated world

Tech — Agent-facing readiness

No agent-callable surface

Internal MCP only

External MCP, named partners

Customer-delegated tokens, role-scoped, audited

Legal — Liability + oversight architecture

"Lawyers looking at it"

Framework, no intervention points

Framework + intervention points + audit

Sector-compliant + accountability owner reporting to board

Cultural — Agent traffic capability

Cannot distinguish agents

Identify and block

Identify and route degraded

First-class agent-native interface, full SLA

Organizational — Conway alignment

Journey owned by nobody

Owner in name, divided platforms

Consolidated platforms, legacy operating model

Inverse Conway: platform agent layer, single owner

The Permission Stack is not a checklist. It is a frame for an honest conversation with the people in your organization who are paid to know the answer to each question and may not have been asked. The conversation is uncomfortable. That is how you know it is the right one.

For the broader publication view — the substrate thesis, the Permission Stack, and Conway's Law as a unified analytical toolkit — see the Frameworks page.

The bridge is being built. The question is whether your organization has the five permissions it needs to walk across.