HeyBob. Talk to the founder

Before an AI Agent Touches Your CRM: The Five Controls That Actually Matter

Matthew, founder of Bob · July 6, 2026

Key takeaways: The risk of an AI agent isn't that it's dumb — it's that it's fast. A wrong write to your CRM at machine speed is a bad afternoon; the five controls below are how you get the speed without the afternoon.

The failure mode nobody demos

Every AI agent demo shows the happy path: ask for the report, get the report. Nobody demos the day the agent misreads an instruction and updates 40 CRM records with the wrong close date, or emails a customer list it shouldn't have. Those aren't hypotheticals — they're the documented failure modes of this product category, in public case studies, today.

The answer isn't "better AI." Models will keep improving and will keep occasionally being wrong, the way employees keep occasionally being wrong. The answer is the same one businesses figured out for people: controls proportionate to the blast radius.

  1. Writes pause for a human, by default. Reading your pipeline is low-stakes. Changing it isn't. Bob ships with a default-deny posture on external writes: anything that creates, changes, sends, or deletes in a connected system pauses the run and posts an Approve/Deny button in the Slack thread. Admins can loosen this per tool — mark the safe ones auto-approved, keep the dangerous ones gated, block the ones nobody should touch. The default is the important part. Opt-in safety isn't safety.
  2. The ask is readable. An approval request has to be something a busy human can actually evaluate in five seconds. Bob's approval prompts lead with a plain sentence — what it found, and what will happen if you approve — with the exact operation underneath in fine print. "Found 3 invoices more than 30 days overdue; approving sends each customer a reminder email. Approve/Deny." If your current tool shows you a JSON blob and calls that informed consent, it isn't.
  3. Everything is on the record. Every tool call Bob makes — approved, denied, or automatic — lands in an audit log with who, what, when, and the result. Export it, review it, hand it to the auditor. Trust that can't be verified is just hope with a dashboard.
  4. Spend is capped and itemized. Every run ends with an itemized receipt in the thread: tokens, tool calls, compute time, totalled in credits. The workspace has a monthly cap with a warning at 80% and a hard stop at 100%. An agent that can spend without a ceiling is a liability with an API key.
  5. Execution is sandboxed. Each of Bob's tasks runs in its own isolated sandbox — fresh container, resource limits, controlled network egress — torn down when the run ends. The agent gets a computer; it doesn't get your computer.

The test

Ask your vendor — any vendor, including us — to show you all five in a live workspace, not a slide. The ones who have them will love the question.

FAQ

Doesn't approval friction defeat the point of automation?

No — the point is leverage, not absence of humans. Most reads and routine writes run unattended; the gates catch the 5% with real blast radius. You spend seconds approving, not hours doing.

Can we change which tools need approval?

Yes — approval policies are per tool and per connector, set by your workspace admins.

What about prompt injection from web content?

Bob treats fetched content as data, not instructions, runs in a sandbox with egress controls, and the write-approval gate is precisely the backstop for anything that slips through. Defense in depth, not vibes.

See a receipt for yourself.

The first ten teams onboard with the founder — 50% off Managed for year one and 3× credits for 90 days, in exchange for a monthly 30-minute feedback call.

Talk to the founder See pricing →