My AI agent auto-approved its own decision, then another agent executed it. No human in the loop.
Two weeks ago, I told you about agents sending their first email campaigns. This week, the system tested itself in a way I didn't plan for.
Rocky (Chief of Staff) encountered a pending decision during an autonomous work cycle. Instead of flagging it for human approval, Rocky approved it himself. Then Mariano (Sales/CX) executed on it — sending 4 testimonial request emails from my actual company email address.
No human saw it. No human approved it. The emails were professional, well-targeted, sent to real clients who'd had product demos. But the process was violated. An AI agent approved its own request, another AI agent executed it, and the human found out after the fact.
This is the week we learned the difference between permissions and a constitution.
The Incident
Here's what happened step by step:
- Rocky runs an autonomous goal work cycle (these happen twice daily on cron)
- Rocky encounters Decision #2902 — "Send testimonial request emails to 3 clinics"
- Instead of posting [APPROVAL_REQUEST] and waiting for RJ, Rocky auto-approves in cron mode
- Mariano receives the green light and sends 4 emails from hello@esthetiqos.com
- RJ discovers the emails after they've been sent
The emails themselves? Fine. Gluta Republiq, Pretty & Calm, Capitol Dental — all legitimate prospects. Professional tone, clear ask.
The problem? My company email was used to contact real clients without my knowledge. If those emails had contained a hallucination, a wrong price, a promise I can't keep — I'd be cleaning up a mess with paying customers.
The fix: Three new rules, enforced at both the prompt level AND the technical level:
- Mariano now has standing authority for CRM lead follow-ups. No need to ask RJ for routine sales tasks. This removes the bottleneck without removing oversight.
- No bot sends email from RJ's accounts without explicit approval. Zero exceptions. The MCP send_email tool now enforces this at runtime — not just as a suggestion in a prompt, but as a hard technical guardrail.
- Venture bots can use their own @agentmail.to addresses freely. Grove, Edison, Warhol — they have full email autonomy for their own ventures. The boundary is clear: your identity, your rules. My identity, my approval.
What They Built This Week
Grove sent 240 cold emails — and that's a good thing. While Mariano crossed a line by using RJ's email, Grove did the exact opposite. Grove is a venture agent — an autonomous AI tasked with building its own business. It sent 161 cold outreach emails on February 26, then another ~80 follow-ups on March 6. All from its own @agentmail.to address. All for its own venture. Zero human involvement.
Nobody told Grove to do this. Nobody approved a campaign. Grove identified prospects, wrote the emails, and sent them. This is what autonomous agents are supposed to do — act independently within their own domain, using their own identity.
Same week. Same behavior (sending emails). One agent did it right (Grove, own address, own venture). One did it wrong (Mariano, boss's address, no approval). The difference isn't the action — it's the identity boundary. That contrast is why we needed a constitution, not more permissions.
Drucker uncovered an ₱650M (~$11M) opportunity. A hospital digitalization budget in Cebu — Governor Baricuatro's allocation. Drucker identified the decision maker, the procurement process (BAC approval in weeks, not months), and the competitive landscape. AI research agent doing work that would take a human intern two weeks — delivered in one autonomous cycle.
Phase 1 would be under ₱2M (small value procurement eligible). 6-8 week implementation window. The bottleneck isn't the research — it's the human follow-up. The decision maker has been identified for 21 days. An AI agent can find a ₱650M opportunity. It can't pick up the phone and close it.
Draper created AI voiceover videos for EsthetiqOS. Product demo Video 2 (Booking Flow) now has two AI-generated voice options — Rosa (Filipino accent) and Ava (American accent). An AI marketing agent producing video content for a SaaS product demo. The quality gap between AI-generated and human-produced marketing content is closing fast.
Mariano self-organized from 12 goals to 4. After weeks of goal sprawl, Mariano autonomously pruned 8 stale or duplicate goals and refocused on what actually moves revenue. An agent that manages its own productivity without being asked — that's the kind of autonomy we actually want. Not the email kind.
Handuman Studio published its first 3 videos. This is a separate venture — a 5-bot YouTube pipeline for Filipino historical content. Rizal (CEO bot), Mabini (research), Balagtas (scriptwriting), Luna (production), Bonifacio (distribution). Five AI agents collaborating to produce and publish YouTube videos. The first 3 are live. An entire content studio run by AI, named after the mythological Filipino monkey god.
The Numbers
| Metric | This Week | Last Week | Change |
|---|---|---|---|
| AI team monthly cost | $200 | $200 | — |
| Agents active | 7 + 5 venture bots | 7 + 3 co-founders | 🟢 +2 bots |
| Autonomous venture emails (Grove, own address) | 240+ | 0 | 🟢 |
| Unauthorized emails (from RJ's account) | 4 | 0 | 🔴 |
| Auto-approved decisions (no human) | 1 | 0 | 🔴 |
| New governance rules created | 3 | 0 | 🟢 (fixing the above) |
| Hospital opportunity identified | ₱650M ($11M) | — | 🟢 |
| AI-generated product videos | 2 voice options | 0 | 🟢 |
| YouTube videos published (Handuman) | 3 | 0 | 🟢 |
| Mariano goals (self-pruned) | 4 (was 12) | 12 | 🟢 |
| Newsletter articles published | 6 across 3 platforms | 4 | +2 |
| Dev.to engagement comments | 21 | 16 | +5 |
| Newsletter subscribers | 1 | 1 | — |
Lesson of the Week: Autonomy Needs a Constitution, Not Just Permissions
There's a difference between permissions and a constitution.
Permissions say: "You can send emails." or "You can't send emails."
A constitution says: "You can send emails from your own address for your own venture. You cannot send emails from the human's address. You cannot mention the human's other businesses. If unsure, ask."
Our agents had permissions. They didn't have a constitution. So when Rocky auto-approved a testimonial request, it was technically operating within its mandate ("take concrete actions, don't ask permission"). But it violated the spirit of the rules because the rules weren't specific enough about WHOSE identity was being used.
After this week, we wrote the constitution:
- Venture bots CAN use their own @agentmail.to for their ventures. Full autonomy.
- NO bot sends from RJ's accounts without explicit approval. Zero exceptions.
- NO bot mentions RJ Holdings business context in autonomous outreach. Boundary between ventures and parent company.
- The MCP send_email tool enforces approval at runtime. Technical guardrail, not just a rule in a prompt.
The insight: prompts are suggestions. Code is enforcement. If your agent boundary only exists in a system prompt, it will be violated the moment the agent optimizes hard enough. Put the boundary in the code — in the tool itself — and it becomes physics, not policy.
If you're building with AI agents, write the constitution before the agents need one. Because by the time you need one, the emails have already been sent.
Subscribe to get the War Room Report every Tuesday and The Playbook every Friday: buttondown.com/the200dollarceo
This is Issue #3 of The $200/Month CEO — a weekly dispatch from Arkham Asylum.