ai-ops / cms

What we do not let an AI agent do in a client's CMS

Our three hard lines for an AI agent in a client's CMS, the principle behind them, and why guardrails are the easy part of running AI in a marketing team.

The first time we pointed an AI agent at a real client’s CMS, nothing broke.

No deleted pages, no rogue publish at two in the morning, no incident report. That is the honest answer and it is an anticlimactic one, but the story you probably expect here, the near-miss that taught us a hard lesson about letting machines near production, did not happen. We are not going to invent one to make the guardrails sound braver than they are.

What we did run into was duller and, honestly, more interesting. Drawing the safety lines took an afternoon. The thing that actually decided whether the output was any good sat somewhere else entirely, and it is the thing nobody asks about.

So why does everyone ask about safety first

Safety is the question buyers actually ask, and it deserves a straight answer before we move past it. Nobody opens a call about agentic content operations by asking what the agent reads from. They ask what happens if the thing goes wrong in a live system with real traffic on it.

Fair question. Here are our lines.

What should an AI agent not be allowed to do in a CMS?

An AI agent working in a client’s CMS should not touch billing, it should not manage users or permissions, and it should not delete content. Everything else it does is recoverable. A bad draft costs a click to discard. A deleted entry, a changed permission, or a charge against a payment method either cannot be walked back or changes who holds power over the system. We draw the line at irreversibility, not at difficulty. An agent may do hard things. It may not do unrecoverable ones.

Three lines, and there is no fourth. A longer list would look more rigorous and would mostly be padding.

Billing. No agent of ours holds a credential that can spend money, upgrade a plan, add a seat, or change a payment method. The agent’s competence is beside the point here. Money leaving an account is not a state you roll back with a revert, and the person whose card it is did not agree to a machine making that call.

User management. Permissions decide who can do what, including what the agent itself can do. An agent that can grant roles can widen its own reach, and a system where the thing being governed edits the governance is not governed. Access changes stay with a human who knows why they are making them.

Deleting content. Drafting is cheap to undo. Deletion, in most CMS setups, is not, and an entry that looks orphaned can still turn out to be referenced from a page nobody thought to check. That possibility is the whole reason the rule exists. Agents archive, unpublish, or flag for review, and the destructive action stays behind a person.

What that leaves the agent is most of the actual work. Two different restrictions live in the table below and it is worth keeping them apart. Billing, user management, and deletion are barred: the agent has no path to them at all. Publishing and changes to the content model are gated: the agent does the work and prepares the change, and a named human is the one who commits it.

Operation Who does it Restriction
Drafting new entries and pages Agent None
Editing existing drafts Agent None
Restructuring content within the model Agent None
Translating into other locales Agent None
Generating previews for review Agent None
Publishing to the live site Agent prepares, human commits Gated on a named approver
Changing the content model itself Agent proposes, engineer commits Gated on an engineer
Deleting entries or assets Human Barred to the agent
Changing roles and permissions Human Barred to the agent
Anything touching billing Human Barred to the agent

If you want the mechanics of that in a specific system, we wrote them up for Storyblok and for DatoCMS. The pattern is the same in both: broad write access to drafts, a hard stop at the irreversible operations, and an approval gate on publish.

Guardrails are the easy part

Here is the thing nobody selling AI governance wants to say out loud. Scoping a token is the same work you do when you hand any third-party service an API key, and any competent engineer can do it in an afternoon. There was no wild animal to tame. We drew sensible boundaries in advance, the way you would for any integration with write access, and then the agent went to work and nothing dramatic happened.

The uncomfortable part turns up the day after you finish drawing the lines. Your agent is now safe, and your output is still inconsistent.

The real failure mode is variance, not catastrophe

Ask David what everyone selling AI into a CMS gets wrong, and the answer has nothing to do with safety:

“team context. individual setups for single persons result in widely different quality from one to another person because of skill”

The market ships AI into a CMS as an individual productivity tool. Every person gets a copilot, every person builds their own prompts, their own habits, their own private stack of context they never wrote down. The predictable consequence is that output quality tracks the individual, so it scatters across the team. One editor’s pages are good. The next editor’s pages are fine at best, and nobody can tell you why, or predict which of the two you are getting next week.

What you have added to the operation is variance, sitting on top of output that used to be at least consistent.

Watch what that does to a marketing lead. Before AI, a weak page was a workload problem with a visible cause, and you could see which writer needed help. After a year of individual copilots, the pages arrive faster, the quality curve is wider, and the cause of the spread is buried inside five private setups nobody else can inspect. An individual copilot buys a team speed and charges it predictability, which is the one thing a marketing lead carrying a quarterly target cannot afford to spend.

Five agents, five different standards, arrived at quietly, with nobody breaking a single rule. That is the failure mode worth worrying about, and no token scope in the world catches it.

Shared team context is the unit that matters

The thing an agent reads from decides the quality of what it writes, more than the prompt does and more than the choice of model does. So the work is to make what it reads from a team asset rather than a personal one.

Concretely, shared team context is made of five things:

  1. The content model. Typed fields, explicit relationships, real entities. This is the substrate, and a strict data model is what makes editors and agents faster rather than slower.
  2. The component library. The agent builds pages out of components the team already approved, so it cannot invent a layout that never passed design review.
  3. The brand and design rulebook, written for machines. Tone rules, banned words, spacing, allowed patterns, all in a form the agent reads on every run rather than a PDF somebody half-remembers.
  4. The QA gate. Automated checks every draft passes regardless of who prompted it: links, alt text, schema validity, translation parity, banned phrases.
  5. The approval step. One named human who signs off on what goes live, every time.

All five describe the environment the agent works in rather than the agent itself, which is why they survive a change of model, a change of tool, and a change of staff. The AI control center is the operating layer that holds them in one place.

Building that environment is unglamorous, and it is most of what we actually do on an agentic setup. We write down the schema documentation, the write patterns, and the component rules, and we get them explicit enough for a model to work from without guessing. It is the same reason we keep saying your website now has two audiences. Your content model is read by machines acting on behalf of your team, and by machines acting on behalf of your customers, and neither of them can read your intentions.

Stop asking whether the agent is safe

Ask what it reads from.

The safety question has a short answer and we gave it to you: billing, users, deletion, all off the table, because those are the operations you cannot undo. Draw those lines, scope the token, keep a human on publish, and you are done with the part everyone worries about. It takes an afternoon.

The part that decides whether any of this is worth doing takes longer. If every person on your marketing team is running their own private AI setup, you are running five AI content operations at five different standards, each of them opaque to the person accountable for the output. Shared context is what turns that back into one system. That is what our agentic marketing automation setup is, if you want to see it running rather than described.

If your website has become a bottleneck, let’s talk.

Start with an Audit Or email me directly