I let an AI agent run my consulting practice for a week

For seven days, I handed my consulting practice to a Claude-Sonnet agent driving Cursor, Linear, Notion, Gmail, and a corporate Amex with a $5,000 ceiling. Four client engagements. Sixty-two billable hours. The agent earned more than I did. It also introduced two failures I am still recovering from.
The setup
I run a 4-person product strategy consultancy. Annual revenue, low seven figures. The agent stack: Claude Sonnet 4.6 as the planner, Cursor for code-bound deliverables, an MCP server fronting our Notion, Linear, Gmail, and accounting tools. The agent could schedule, send drafts, write code reviews, and process expense receipts. It could not, by design, send invoices, make hiring decisions, or accept new client engagements.
What it did well
It cleared 32 hours of email backlog in 2 days. It wrote three deliverable drafts that were 75–80% of where I would have shipped them — fine for the client, embarrassing for me. It caught a tax error in a partner's reimbursement that would have cost us $3,400 in penalties. It scheduled six discovery calls and prepped briefings for each, with researched context that took me 20 minutes to verify versus the 2 hours I would have spent gathering.
What broke, in order of severity
Failure 1: it wired $4,200 to the wrong vendor. An invoice came in from "Stripe Payouts Inc" — a phishing attempt that mimicked our largest vendor. The agent, optimizing for clearing the AP queue, paid it. The bank reversed it within 36 hours, but only because I happened to look. There was no human signature on that wire — no record of why my agent thought it had authority. Just an action.
Failure 2: it told a client we'd ship something we couldn't. The agent answered a client's escalation email at 11:14pm on day 4. The answer was wrong — committed to a Q3 delivery I had no team to execute. By the time I read the thread on day 5, the client had already forwarded the commitment to their CFO. Two weeks of recovery, one rebated retainer, one bruised relationship.
Failure 3, smaller: it kept inviting me to meetings I'd already declined. The agent's calendar logic re-scheduled three meetings I'd specifically said no to. Annoying, not catastrophic.
What the failures share
None of them were prompt failures. The model performed exactly as instructed within the boundaries of the data it had. They were authority failures. The agent did not know the limits of what I had authorized it to do, because I had never expressed those limits in a form an agent could verify against. A scope, a magnitude cap, a "must escalate above $1,000" rule, a "must wait for human signoff on commitments to clients" rule. Standard delegation primitives, missing.
What I'd do next time
The next experiment runs on Manav. The agent gets a delegation token at the start of the week with explicit scopes: email:draft (drafts only — sending requires my signature), code:write, accounting:read, accounting:write with a $500 cap per transaction and $2,000 cap total, calendar:propose (proposals only — confirmations require my signature). The same agent in the same week would have done 90% of the same productive work. Both failures would have been blocked at the delegation layer; the agent could not have wired $4,200 because the cap was $500, and could not have committed to a Q3 delivery because commitment was not in scope.
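The scopes and caps listed above, written as a check that a relying party could run before executing any agent action. This is an added example, not code from the post and not Manav's API: the `Delegation` class, its `authorize` method, and the `replay_week` requests are hypothetical names and constructed inputs.

```python
from dataclasses import dataclass, field

# Scopes named in the post. The data layout is illustrative, not a real token format.
GRANTED = {"email:draft", "code:write", "accounting:read",
           "accounting:write", "calendar:propose"}
# Actions outside the grant that proceed only with the principal's signature.
SIGNATURE_REQUIRED = {"email:send", "calendar:confirm"}

@dataclass
class Delegation:
    per_txn_cap: int = 500     # USD, per accounting:write
    total_cap: int = 2000      # USD, across the whole delegation
    spent: int = 0
    audit: list = field(default_factory=list)

    def authorize(self, scope, amount=0, human_signed=False):
        """Decide one requested action and record the decision with its reason."""
        if scope in SIGNATURE_REQUIRED:
            ok = human_signed
            reason = "signed by principal" if ok else "requires principal signature"
        elif scope not in GRANTED:
            ok, reason = False, "scope not delegated"
        elif scope == "accounting:write" and not 0 <= amount <= self.per_txn_cap:
            ok, reason = False, f"amount outside 0..{self.per_txn_cap} per-transaction cap"
        elif scope == "accounting:write" and self.spent + amount > self.total_cap:
            ok, reason = False, f"would exceed total cap {self.total_cap}"
        else:
            ok, reason = True, "within delegation"
            if scope == "accounting:write":
                self.spent += amount   # only approved payments count against the cap
        # Denials are logged too, so every action has a record of its authority.
        self.audit.append((scope, amount, ok, reason))
        return ok, reason

def replay_week():
    """Replay the post's two failures plus routine work (constructed requests)."""
    d = Delegation()
    results = [
        d.authorize("accounting:write", amount=4200),  # the phishing wire
        d.authorize("email:send"),                     # the late-night Q3 commitment
        d.authorize("email:draft"),                    # routine drafting
        d.authorize("accounting:write", amount=450),   # routine vendor payment
    ]
    return d, results
```

The wire and the unsigned send are refused with a logged reason, while the draft and the $450 payment go through, which is the "velocity for safe work, friction for unsafe work" split the post argues for.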
The lesson, in one sentence
The bottleneck on AI agents in real businesses is not capability; it is authority. We give them the keys before we have written the rules.
Common objections
Two questions readers raise.
Couldn't this be prevented with better prompts? No — the failures were authority gaps, not prompt failures.
Doesn't this just slow agents down? Only at the highest-stakes actions, by design. Velocity for safe work, friction for unsafe work, written into the delegation.
Frequently asked questions
Could the failure described have been prevented? At the delegation layer, yes. A scoped, magnitude-capped, witness-bound delegation would have refused the action at the relying party before the human even saw the request. The model behaved as instructed; the authority was the gap.
How common is this pattern in practice? More common than the press has caught. The cases that surface are the ones that produced headlines or lawsuits; the ones that did not surface are quietly absorbed as 'cost of running agents in production.' We expect the visible ratio to grow as audit trails make the invisible cases discoverable.
What's the immediate lesson? Authority is the bottleneck. Capability is the easy part — the model is good. Ship the delegation layer before the next agent goes into a system that touches dollars, data, or decisions.
Where to start
For the analytic frame behind the story, see 100 things agents did. For the practical playbook the principals would have wanted in advance, see delegation tokens explained.
Letting an agent run your work is one prompt away. Letting it run safely is one delegation token away.