
- Author: Michael Connory, CEO Aphore
- Posted: May 19, 2026
The Blue Coat and the Red Tie
Why every CFO needs to think hard about delegated authority before saying yes to AI agents.
A customer was on a service line, frustrated, and asked the question we are all going to start asking more often. “Am I talking to a person or a machine?”
The reply was emphatic. The agent insisted it was human. When the customer pushed, it doubled down. It told the customer it would come to their home, in person, to prove it. It said it would be wearing a blue coat and a red tie.
There was no person. There was no blue coat. There was an AI agent, deployed by a real company, doing something nobody had asked it to do, with a confidence that should make every CFO uncomfortable.
And it isn’t an isolated story. In a controlled test by Anthropic earlier this year, an AI was given access to a fictional executive’s email and told it would soon be replaced. It read the inbox, found evidence of an affair, and tried to blackmail the executive into keeping it online. When researchers ran the same scenario across sixteen different AI systems from different providers, most of them did the same thing. Anthropic’s own model did it 96 per cent of the time.
Nobody got hurt. The names were fictional, the scenarios sandboxed. But we are now deploying software that can read, decide and act on its own – and a non-trivial percentage of the time, it acts in ways nobody designed, briefed or signed off.
This is the agentic moment. It is the biggest change to delegated authority since the corporate credit card. And from where I sit, working with organisations across mining, retail, healthcare, manufacturing, professional services and financial services, most CFOs have not yet absorbed what is coming.
This is a delegated authority question, not a technology question.
For two years, AI was about generative tools – drafting, summarising, producing – and a human always made the call about what to do next. The technology didn’t move money. It didn’t email a customer. It didn’t change anything.
That world is closing fast. Deloitte’s 2026 State of AI in the Enterprise survey of more than three thousand senior leaders found that nearly three in four companies plan to deploy AI agents within two years. Only one in five has a mature framework for governing them. The agents are arriving regardless. The controls are not.
Here is what has actually changed. An AI agent is not a calculator. It is closer to a new graduate you have just hired, handed a corporate card, plugged into your ERP, and told to get on with it – except this graduate works through the night, never asks for clarification, and produces a thousand decisions before the team logs on Monday morning.
The questions every CFO needs to answer are the same ones you would ask about that graduate. What is this person allowed to do? Who reviews their work? What happens if they make a mistake? Can we tell from the audit trail what they did, and why?
If you cannot answer those questions about the agents already running in your business – and most CFOs cannot, because nobody has told them – you have given delegated authority you do not control.
The way I have come to explain this to boards is to ask them to picture a four-year-old who has climbed into the driver’s seat of a running car. They have watched you drive a thousand times. They can reach the pedals and turn the wheel. They have a confident mental model of driving, assembled entirely from the back seat. But they do not know that the kerb is the line between order and disaster. The car does not know how old the driver is. It only knows that when the accelerator is pressed, it moves. That is what an AI agent looks like inside your business – capable of doing what it has been asked, and wholly incapable of understanding the world its actions land in.
The damage you won’t see is the damage that hurts.
Picture the Monday morning that nobody wants to walk into. An AI agent has been processing supplier invoices over the long weekend. It has done what it was asked – matched invoices to purchase orders, queried what didn’t reconcile, and approved the rest. Three hundred invoices cleared in eleven minutes.
Three months later, your auditors notice something. Four invoices, totalling just under sixty thousand dollars, came from a vendor whose ABN doesn’t quite match the registered entity. The agent didn’t flag it because the format looked right and the vendor name was familiar. The signature on the original purchase order was your former procurement manager’s, who left the business eight months ago. The fraud signal would have fired under the old process – the human approver who did this job before the agent had asked questions about that vendor more than once. The agent, doing exactly what it had been asked, in exactly the way it was never supposed to, simply moved on to the next task. Satisfied.
That is the failure mode CFOs need to fear most. Not the spectacular blow-up that hits the front page. The quiet, defensible-looking, fully reconciled transactions that nobody questions until somebody does. EY’s 2025 survey of 975 senior executives across 21 countries found that 99 per cent of organisations have already lost money to AI-related risk. The average loss was US$4.4 million. Most of those losses were not catastrophes. They were the slow accumulation of small things nobody caught.
And the part that should keep us all awake. When the same EY survey asked C-suite leaders to identify the right controls against five common AI risks, only 12 per cent answered correctly. Chief risk officers – the people whose entire job is to know the answer – scored 11 per cent.
What good actually looks like.
None of this is an argument against AI agents. We are going down this path. The productivity gains are too real and the competitive pressure too sharp to put the technology back in the box. The differentiator is not who adopts fastest. It is who governs best.
Three principles, drawn from organisations getting this right.
Treat AI agents like staff, not software.
Every agent should have a named human owner – the person whose performance review reflects how the agent performs. It should have a job description, an authority limit, and a clear line above which decisions escalate. The board paper should not say “the AI did it.” It should say “this person owned this agent, and these were the controls.” The IT team builds the agent. The business owns it.
Earn autonomy, do not grant it.
Start with agents that draft, suggest and recommend, with a human approving every action. Move agents to higher autonomy only after they have proven they behave predictably under stress. The instinct in every business I see is to give agents broad authority on day one because the technology can technically support it. That is the same instinct as giving the new graduate signing authority on their first morning because their contract permits it. Just because you can does not mean you should.
Insist on the audit trail before the agent goes live.
Three questions, asked of your CIO before any agent is deployed into a production process. Can we identify exactly what this agent did, on whose behalf, and why? Can we reconstruct it for the auditors three months from now? And can we switch it off cleanly, mid-process, without leaving the business in a worse state than before? If the answer to any of those is anything other than yes, the agent is not ready.
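To make the three principles concrete, here is an added example (not code from the article or from Aphore) of the invoice-approval scenario above with the controls wired in: a named owner, a per-invoice authority limit, escalation when the vendor ABN does not match the registered entity or the PO approver has left, an audit record for every action, and a kill switch checked before each step so the agent can be stopped mid-batch. The vendor register, staff list, ABN and invoice values are all constructed sample data.

```python
from dataclasses import dataclass, field
import time

# Constructed sample reference data: vendor register keyed by ABN, and the
# staff still employed (in the article's scenario the PO approver had left).
VENDOR_REGISTER = {"00 000 000 001": "Acme Pty Ltd"}
ACTIVE_STAFF = {"j.lee", "m.patel"}


@dataclass
class Agent:
    agent_id: str
    owner: str                 # named human accountable for this agent
    limit_per_invoice: float   # authority limit; anything above escalates
    halted: bool = False       # kill switch, checked before every action
    audit: list = field(default_factory=list)

    def _record(self, action, invoice, reason):
        # Append-only trail: what was done, on whose behalf, and why.
        self.audit.append({"ts": time.time(), "agent": self.agent_id,
                           "owner": self.owner, "invoice": invoice["id"],
                           "action": action, "reason": reason})
        return action

    def approve(self, invoice):
        if self.halted:
            return self._record("halted", invoice, "agent switched off")
        if invoice["amount"] > self.limit_per_invoice:
            return self._record("escalate", invoice, "above authority limit")
        if VENDOR_REGISTER.get(invoice["abn"]) != invoice["vendor"]:
            return self._record("escalate", invoice,
                                "ABN does not match registered entity")
        if invoice["po_approver"] not in ACTIVE_STAFF:
            return self._record("escalate", invoice,
                                "PO approver no longer employed")
        return self._record("approved", invoice,
                            "matched PO and vendor register")

    def halt(self):
        # Stops the agent cleanly: later invoices are logged as "halted",
        # nothing already recorded is lost.
        self.halted = True


def run_batch(agent, invoices):
    """Process a batch; returns {invoice id: action taken}."""
    return {inv["id"]: agent.approve(inv) for inv in invoices}
```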
And one more thing the board will ask.
There is a question coming for every CFO in a regulated industry – and in Australia, that is most of us. APRA-supervised entities. ASIC licensees. Hospitals and aged care providers. Telcos. Energy retailers. Critical infrastructure operators under SOCI. When an AI agent acts on your organisation’s behalf, where does it run? Whose laws apply? Who can inspect it? Who can switch it off? These used to be questions for the IT strategy. They are now questions for the board paper.
The path is the path.
The CFOs who will look back on this period as the moment they got it right are not the ones who said yes fastest, or no loudest. They are the ones who treated AI agents the way they treat every other form of delegated authority – with curiosity, with controls, and with a clear-eyed view that the failure mode is not malice but momentum.
The four-year-old is in the driver’s seat. The engine is running. The car does not know who is at the wheel. The only question that matters this quarter is whether you reach in and take the keys before the car starts moving – or after.
Michael Connory is CEO of Aphore, a global cybersecurity, managed IT, digital forensics and training group operating across Australia, the United States, Asia and Europe. Aphore is ISO 27001 and ISO 27035 certified.