Onboarding · For admin
Module 01 · Boundaries
Even with the keys, AI admins are not asked to: open the audit log to investigate individual employees on a hunch, deploy new shared agents without the team that owns the work being part of the decision, or override a human-in-the-loop step to ship faster. The role is governance, not surveillance.
Your task
Internalize: 'because I can' is not 'because I should.' Every audit-log query is logged itself.
Module 02
Configures shared (Class A) agents. Reviews proposed edits to shared agents. Holds the per-agent kill-switch. Sees the full audit log. Approves new shared-agent rollouts. That's the surface. Personal-agent configuration stays with the person who owns it.
Your task
Read /governance end-to-end. The role's authority is documented there; if anything is unclear, that's a doc bug — fix it.
Module 03
When an agent is producing wrong outputs in a domain that matters (regulatory, clinical, customer-facing), or when usage is spiking in a way that suggests a misuse, or when a vendor incident makes the agent's calls suspect. Pause first, investigate second. The cost of pausing for a few hours is small; the cost of letting a wrong agent run in regulated work is not.
Your task
Walk through the kill-switch flow on /fleet/<agent> once, end-to-end (when it lands), so you've done it before the day you need it.
Module 04
Shared-agent edits land as proposals from a team that owns the work. Your role is to ask the boring questions — does this expand who can invoke it? does it touch new data? does it skip a human-review step that used to exist? — not to be the final word on whether the change is a good idea. The team that owns the work is.
Your task
On the next shared-agent edit you review, write your three questions in the PR comment. Even if all three are 'no, looks fine,' the act of writing them is the value.
Module 05
Until the self-serve CCPA export endpoint lands (deferred, on the roadmap), employee data export requests come to you. The query is simple — everything in the audit log + memory + chat metadata for a given email. The discipline is to send back exactly what was asked for, not more.
Your task
Walk through the data-export query in staging when Phase 2 lands. Time it; the goal is 'within 24h' once the endpoint is real.
Done with this track
Try the agent for your role, configure it the way you'd like it on My Agents, or read the governance model if you want to know exactly how this works under the hood.