By Errin O'Connor — Founder & Chief AI Architect, EPC Group · Microsoft Solutions Partner across all six designations · G2 Leader in BI consulting
On June 30, Ethan Mollick published an essay called "The Twilight of the Chatbots," and it is the clearest description yet of the shift every enterprise is living through whether it has noticed or not. His argument, compressed: the dominant mode of AI use — you prompt, it answers, you check, you prompt again — is being displaced by long-running, self-correcting agents that take hours of work and come back with results. The human role changes from conversation partner to manager. He cites figures that should widen your eyes: a quarter of OpenAI's own staff running four or more agents simultaneously every week, and autonomous runs stretching past fourteen hours per assignment. His conclusion: we are moving from non-experts using chatbots to experts managing agents.
Every word of that holds. And now let me ask the question the essay hands to the enterprise without answering: when your employee is managing a fleet of four agents — who, exactly, is each agent, according to your tenant?
You cannot manage what cannot be named
Management — real management, the kind Mollick is describing — has prerequisites so basic we forget they are prerequisites. A manager knows who reports to them. Each report has an identity, a scope of authority, a record of what they did, and a way to be removed. Strip any one of those away and "management" collapses into hope with a dashboard.
Now audit your own tenant against that standard. In almost every enterprise I walk into, the agents run under the human's identity — the employee's token, the employee's permissions, the employee's everything. Which means your access logs show one person doing the work of five, your conditional-access policies see a single trusted session where five autonomous processes are acting, and when one of those agents does something wrong — touches a file it shouldn't, calls a tool it shouldn't, sends something it shouldn't — the forensic record says your employee did it. Security researchers have been blunt about this default: an agent inheriting the user's full permissions is a disaster pattern, not a convenience. The fleet era makes it a disaster pattern at scale.
The fleet has a personnel office. Microsoft already built it.
Here is what I tell clients, and it lands because the answer is already in their license stack. Your tenant has had a personnel office for non-human workers for years — you have just been using it only for service accounts. Entra ID workload identities give every agent its own name, its own credential, its own conditional-access policy, its own lifecycle. Scoped permissions and just-in-time elevation give it a job description instead of a skeleton key. Microsoft Purview sensitivity labels and DLP decide what data it may ground against. Defender and unified audit logging give you the personnel file — what it was authorized to do, what it actually did, what it touched. And deprovisioning gives you the one thing every manager eventually needs: a clean way to fire it.
I ran eDiscovery for the Federal Reserve Bank of New York during TARP, with Congressional oversight reading over my shoulder, and that experience burned one principle into me permanently: in a review, the log is the truth. Not the intention, not the architecture diagram, not the vendor's assurance — the log. An agent fleet without per-agent identity produces logs that cannot answer the first question any investigator, auditor, carrier, or regulator will ask: who did this? "The employee's session" is not an answer. It is an admission.
The Fleet Management Matrix
The framework I give executive teams is one page. Down the left: every agent or agent class in the enterprise — the Copilots, the Copilot Studio builds, the Foundry deployments, the coding agents, the vendor-embedded ones nobody remembers licensing. Across the top, five columns.
- Identity: does it run as itself, or as a person?
- Scope: what is it permitted to touch, and is the boundary policy or hope?
- Autonomy: what may it do without a human click, at what dollar or risk threshold?
- Evidence: where is its log, and would that log survive a deposition?
- Termination: who can shut it off, how fast, and has that ever been tested?
Most organizations cannot fill in the first column. That is not a technology gap — every cell is achievable with the Microsoft stack they already own. It is a governance gap wearing a technology costume, and it is exactly the work our AI Governance practice exists to close.
What I tell clients to do
One. Inventory the fleet this month — including the agents embedded in vendor products. You will find more than you licensed.
Two. End identity inheritance as policy: no agent runs as a human. Provision workload identities and scope them like the job descriptions they are.
Three. Write the autonomy matrix — actions, thresholds, approvals — and get it signed above the CIO's desk, because the exposure lives above the CIO's desk.
Four. Test a termination. Pick an agent, kill it, time it. If the answer is measured in meetings instead of minutes, you do not manage a fleet. The fleet manages you.
Provisioning the fleet on the Microsoft stack
The five-step sequence maps directly to the Fleet Management Matrix columns:
- Inventory: pull every Copilot, Copilot Studio agent, Foundry deployment, and vendor-embedded agent via Graph and admin centers; tag owner-unknown items for the amnesty process.
- Identity: one workload identity per agent class; conditional access policies scoped to the agent's job; no standing secrets — managed identities or short-lived tokens only.
- Autonomy: encode the matrix (action × threshold × approval) in Power Automate and Logic Apps approval gates, not in prompts — prompts are requests, policies are controls.
- Evidence: route agent activity to unified audit and Defender XDR; retention aligned to your records schedule.
- Termination drill: quarterly, timed, named owner; publish the time-to-kill internally.
Where I land
Mollick titled the era correctly: the chatbots are in their twilight. But twilight is when you turn the lights on, and in the enterprise the lights are identity, scope, evidence, and a kill switch. The organizations that thrive in the fleet era will not be the ones running the most agents. They will be the ones that can answer, for every agent, the four questions any manager can answer about any employee: who are you, what are you allowed to do, what did you do, and how do I let you go. The dawn after the chatbot's twilight belongs to the audit trail.
The data behind this (sources and verification)
- Ethan Mollick, "The Twilight of the Chatbots," One Useful Thing, June 30, 2026 — Reports a quarter of OpenAI staff running four or more agents weekly and autonomous runs exceeding fourteen hours — reported figures, not independently replicated; attributed as his.
- Ye, Cui, Hadfield-Menell — "CoT Forgery," ICML 2026, arXiv 2603.12277 — Role tags are not security boundaries: CoT Forgery raised agent attack success from near-zero to roughly 60% across frontier models — the architectural reason per-agent identity and external guardrails are load-bearing.
- Zico Kolter (OpenAI board member), Latent Space, June 22, 2026 — Called the agent-inherits-user-permissions default a "disaster."
- Microsoft Entra Agent ID announcements — Confirms the platform direction for per-agent workload identity. [VERIFY current Entra Agent ID GA status before citing version specifics.]
Third-party figures above are attributed to their named sources as of the Last verified date. EPC Group audit figures are directional findings from client engagements. Items marked [VERIFY] must be confirmed before external quotation.
Frequently asked questions
Should AI agents use the employee's account?
No. Identity inheritance means logs cannot distinguish agent actions from human actions, permissions are over-broad by default, and forensic attribution fails. Provision Entra workload identities per agent.
What is an AI autonomy matrix?
A board-approved table defining which actions each agent may take autonomously, at what dollar or risk thresholds, with what approval and logging — the document carriers and auditors now request.
How fast should we be able to terminate an agent?
Minutes, not meetings. If deprovisioning requires a change ticket, the fleet manages you.
Does Copilot need this too, or only custom agents?
All of it applies to Copilot Studio agents and Foundry deployments; M365 Copilot inherits tenant identity and labels — the gates in A10 cover it.
Who owns agent governance?
A named executive — full-time CAIO above roughly $5B revenue, fractional vCAIO below.
Ready to act on this?
Start with the practice most relevant to your estate, or reach out directly for a senior-architect conversation.
📧 contact@epcgroup.net · 📞 (888) 381-9725
Multiple models. One truth.
