An AI employee gets scoped like a human hire: the narrowest access that lets it do one job, accounts you own, logs you can read, and hard lines it never crosses. If a vendor can't tell you exactly what their AI reads, writes, and retains — and prove it in an audit log — that's your answer.
The permission model: least privilege, like any hire
You wouldn't give a new front-desk hire your banking password. Same rule here. A properly installed AI employee touches only what its loop requires:
- ›CRM: read customer records and write call outcomes, bookings, and notes — scoped to the objects its loop owns, not admin access.
- ›Calendar: write bookings into defined slots. It doesn't reorganize your schedule.
- ›Phone + SMS: runs on numbers and accounts you own (your voice provider, your Twilio) — so you can revoke access or switch vendors without losing your number or history.
- ›Hard lines: no card numbers, no bank credentials, no payroll, no signing anything. Payment collection means sending your existing payment link, never taking a card by voice.
Seven questions to ask any AI vendor
- 01Where does my customer data live, and in whose accounts?
- 02Is my data used to train models shared with other customers?
- 03What exactly can the AI write to my CRM, and can I see every write?
- 04What happens on an edge case — who does it escalate to, and how fast?
- 05Are call recordings and transcripts retained, for how long, and can I delete them?
- 06What's the blast radius if credentials leak — what could the AI actually do?
- 07Can I get a full export and a clean shutdown if I leave?
“My rule is boring on purpose: if losing the vendor means losing your phone number, you don't have a vendor. You have a landlord.”
Compliance notes for service businesses
Not legal advice — get counsel before going live. But three areas come up in nearly every install: outbound SMS and calls need documented consent under TCPA rules (reminder cadences are built FDCPA/TCPA-aware, with quiet hours and opt-outs); call-recording consent varies by state (two-party states need disclosure); and licensed trades have state-specific rules about who can quote regulated work — which is one reason quoting stays with humans.
Where humans stay in the loop
Escalation isn't a failure mode — it's a design requirement. Angry customers, quotes on complex jobs, anything involving a dispute or a judgment call: routed to a person, with a transcript, inside minutes. The AI's job is to make sure that handoff arrives with full context instead of a voicemail nobody checks.
The full security posture — data handling, honest scope, and what we deliberately don't do — is public:
Read the security, data & honest scope page
Book a Free Revenue Leak Audit
New to the category? Start with what an AI employee actually is before scoping what it can touch.