AI agent permissions should not simply mirror an employee account or an administrator login. A safer model is to define what the agent may read, what it may draft, which tasks it may create, which records it may update, which actions need human approval, and which actions should remain blocked in the first rollout.
For Hong Kong SMEs, the safest first phase is usually not full automation. Let the AI agent read approved data, summarise cases, draft replies and prepare tasks. Actions that affect customers, money, orders, official records or personal data should require approval, audit trails, or remain disabled.
If you are still deciding whether to adopt AI agents, CRM, ERP or WhatsApp workflows, start with the AI agent business system guide for Hong Kong. This article focuses specifically on permission design.
The Short Answer
An AI agent should have its own identity, defined purpose, limited tool access, data boundaries, approval rules and a clear shutdown path. It should not inherit a founder's admin permissions or a generic service account with broad access.
| Action level | What the AI agent may do | Typical risk | Recommended control |
| --- | --- | --- | --- |
| Read | Look up approved records and case context | Seeing unrelated or sensitive data | Limit tables, fields and case scope |
| Draft | Draft WhatsApp, email, internal notes and summaries | Inaccurate or unsuitable output | Human review before sending |
| Create | Create tasks, reminders and checklists | Wrong routing or task overload | Limit task types and assignment rules |
| Update | Update CRM, order, inventory or status fields | Incorrect official records | Approve by field risk; block high-risk fields |
| Execute | Send external messages, confirm pricing, export data or delete records | External commitments, data leakage or irreversible change | Supervisor approval, dual approval or phase-one block |
Why AI Agents Should Not Use Admin Permissions
Using a high-permission account is convenient during testing, but risky in production. The agent may read unnecessary customer, staff or financial data, update fields it should only view, and leave logs that only show a generic admin account.
A better approach is to treat the AI agent as an independent operational identity with minimum permissions for one workflow. This aligns with public guidance on least privilege, human oversight and auditability from sources such as AWS, Microsoft, MCP authorization guidance and Hong Kong PCPD AI governance materials.
Control Four Boundaries
Data scope
Define exactly which records, fields and cases the agent may read. Do not allow bulk export or access to payment data, staff data, identity documents or management notes unless the workflow genuinely requires it and approval exists.
Tool scope
Define which tools the agent may use. For example, it may search CRM, draft a WhatsApp reply, prepare a quotation draft or create a task, but it may not send the message, confirm final pricing or edit inventory.
Action scope
Read, create, update and delete are different risk levels even inside the same tool. CRM lookup is not CRM deletion. ERP lookup is not ERP update.
Workflow scope
Do not give one agent permission to operate across the whole company on day one. Start with a narrow workflow such as website enquiry follow-up, WhatsApp enquiry summary, quotation preparation, education centre enquiries or B2B order status lookup.
Human Approval And Accountability
Not every action needs management approval. Low-risk actions can run automatically with logging. Medium-risk actions such as task creation or drafts should be reviewed by staff. High-risk actions such as external messages, customer status changes, order status updates and discounts should require supervisor approval. Critical actions such as personal data export, record deletion, payment terms and exception pricing should require dual approval or remain blocked in phase one.
Every AI agent should also have exactly one accountable employee. In RACI terms, Responsible, Consulted and Informed can involve multiple people, but Accountable should be one named person.
Before launch, record the agent name, purpose, accountable owner, deputy arrangement, data scope, tool scope, approval rules, audit log reviewer and conditions for pausing or reducing permissions.
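The four boundaries and the approval tiers above can be expressed as a deny-by-default policy check. This is an added example, not code from this article or from any product it mentions; the agent name, owner address, tool and action names, field names and tier strings are all hypothetical.

```python
from dataclasses import dataclass

# Control tiers follow the article's risk levels; the string names are assumptions.
AUTO, STAFF_REVIEW, SUPERVISOR, DUAL, BLOCKED = (
    "auto_with_logging", "staff_review", "supervisor_approval",
    "dual_approval", "blocked")

@dataclass
class AgentPolicy:
    agent_id: str               # the agent's own identity, not a shared admin login
    accountable_owner: str      # exactly one named person
    workflow: str               # workflow scope
    allowed_fields: frozenset   # data scope as (table, field) pairs
    rules: dict                 # tool + action scope: (tool, action) -> tier

def decide(policy, workflow, tool, action, fields=()):
    """Return (tier, reason). Anything not explicitly granted is blocked."""
    if workflow != policy.workflow:
        return BLOCKED, "outside workflow scope"
    tier = policy.rules.get((tool, action))
    if tier is None:
        return BLOCKED, "tool/action not granted"
    for f in fields:
        if f not in policy.allowed_fields:
            return BLOCKED, f"field outside data scope: {f[0]}.{f[1]}"
    return tier, "granted"

# Hypothetical phase-one policy for a website enquiry follow-up agent.
ENQUIRY_AGENT = AgentPolicy(
    agent_id="agent-enquiry-followup",
    accountable_owner="sales.manager@example.com",
    workflow="website_enquiry_followup",
    allowed_fields=frozenset({("lead", "name"), ("lead", "enquiry_text"),
                              ("lead", "status")}),
    rules={
        ("crm", "read"): AUTO,
        ("whatsapp", "draft"): STAFF_REVIEW,
        ("crm", "create_task"): STAFF_REVIEW,
        ("crm", "update_status"): SUPERVISOR,
        ("crm", "delete"): DUAL,
        ("crm", "export"): BLOCKED,   # stays blocked in phase one
    },
)
```

A caller would route the returned tier to the matching approval queue and refuse to act on `blocked`.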
Bad Settings vs Safer Settings
| Situation | Risky setting | Safer setting |
| --- | --- | --- |
| WhatsApp enquiry | AI automatically replies to all customers | AI drafts; staff reviews and sends |
| CRM follow-up | AI can change every lead status | AI suggests next steps and creates tasks; staff confirms status changes |
| Quotation | AI sends official quotations | AI prepares drafts; pricing and terms require approval |
| ERP order data | AI can edit orders and inventory | AI looks up status and flags exceptions; operations approves updates |
| Customer data export | AI can export the full customer list | Export is blocked in phase one or requires management approval |
| Duplicate records | AI can delete or merge records | AI flags possible duplicates; staff merges or deletes |
CRM, WhatsApp And ERP Examples
For CRM software, start with read access, summaries, draft follow-ups, task creation and missing-field flags. Do not start with changing owners, lifecycle stages, customer master data or exporting all customers.
For WhatsApp Business API, drafting is not sending. A safer first pattern is: AI drafts, staff edits, staff sends, and the system records the final version.
For B2B ordering or inventory management, lookup can open earlier, but updates to orders, stock, prices, payment terms and delivery status should require human approval.
Audit Trail
The audit trail should record who triggered the agent, which agent identity acted, who is accountable, which data types were accessed, which tools were called, what was drafted, what a human changed, who approved or rejected, and whether the final action was sent, updated or created.
Without this record, it is difficult to explain who approved a reply, why a status changed, or what information the AI used.
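One way to review audit entries for the gaps described above is shown below. This is an added example, not code from this article or any product; the key names, tier strings and sample entries are constructed for illustration.

```python
# Fields the article says an audit entry should capture (key names are assumptions).
REQUIRED = ("triggered_by", "agent_id", "accountable_owner", "data_types",
            "tools_called", "draft", "final_text", "approvers", "outcome")
# Minimum number of distinct human approvers per tier (tier names are assumptions).
MIN_APPROVERS = {"auto_with_logging": 0, "staff_review": 1,
                 "supervisor_approval": 1, "dual_approval": 2}
COMPLETED = {"sent", "updated", "created"}

def audit_gaps(rec):
    """List the reasons an entry could not explain who approved what."""
    gaps = [f"missing field: {k}" for k in REQUIRED if k not in rec]
    if gaps:
        return gaps
    need = MIN_APPROVERS.get(rec.get("tier"))
    if need is None:
        return [f"unknown tier: {rec.get('tier')}"]
    # The agent approving its own action does not count as human approval.
    humans = set(rec["approvers"]) - {rec["agent_id"]}
    if rec["outcome"] in COMPLETED and len(humans) < need:
        gaps.append(f"{rec['tier']} needs {need} human approver(s), "
                    f"found {len(humans)}")
    if rec["final_text"] != rec["draft"] and not rec.get("edited_by"):
        gaps.append("draft was changed but the editor is not recorded")
    return gaps

# Constructed sample entries.
OK_REPLY = {
    "triggered_by": "web_form", "agent_id": "agent-enquiry-followup",
    "accountable_owner": "sales.manager@example.com",
    "data_types": ["lead.name", "lead.enquiry_text"],
    "tools_called": ["crm.read", "whatsapp.draft"],
    "draft": "Hi, we open at 9am.", "final_text": "Hi, we open at 10am.",
    "edited_by": "staff.amy", "approvers": ["staff.amy"],
    "tier": "staff_review", "outcome": "sent",
}
SELF_APPROVED = dict(OK_REPLY, tier="supervisor_approval", outcome="updated",
                     tools_called=["crm.update_status"],
                     approvers=["agent-enquiry-followup"])
UNATTRIBUTED_EDIT = dict(OK_REPLY, edited_by=None)
```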
Where oneflash Fits
oneflash is relevant for Hong Kong SMEs that already handle enquiries, follow-ups, quotations, orders, notifications or administrative workflows, but have data spread across website forms, WhatsApp, CRM, spreadsheets, email and different back-office systems.
A practical first step is an AI workflow permission review: what the agent should read, who is accountable, which tools may be opened, which actions remain draft-only, which actions need approval, which permissions should stay blocked, and what the audit trail should record.
