Who's Watching the Agents?
I spent a day inside Microsoft's product teams. What I saw — and what happened to Anthropic the week after — converge on the same board question: do you know what your agents are doing?
I promised you a dispatch from inside Microsoft. Here it is.
Last week I spent a day with their product teams — including time with Bas Brekelmans, the CTO of Copilot Cowork. I went in expecting a product demo. I left with something harder to shake.
What I Saw
Bas told me he personally burns over $1,000 a day in API tokens. Not the team. Him. He’s in a management and client-facing role — talking to customers like me, not writing code. The engineers around him are almost certainly spending more. Nobody seemed particularly surprised by it.
Bas has led engineering organizations of over 500 people. When someone with that frame of reference treats four and five figures a week in personal token spend as unremarkable, the nature of leverage has changed.
Microsoft built Agent 365 — their enterprise observability and control product, generally available May 1 — because they watched enterprise customers deploy agents faster than they could track them. IT can’t see what agents are running. Legal can’t trace what data they touched. Compliance can’t produce an audit trail. VentureBeat covered the launch with a headline that stuck: Microsoft says ungoverned AI agents could become corporate “double agents.”
I’ve also sat through multiple pitches from startups selling agent observability over the past few months. Smart teams, real problems. But sitting in Redmond, I could see exactly where this is heading: the large platform players — Microsoft, Anthropic, OpenAI — move fast, leave gaps, and then close them. What used to take months is becoming weeks. The startup with a six-month head start finds itself competing against a feature in an existing enterprise contract. Know what you’re buying before you sign.
The Monday After I Got Back
I flew home Friday. The following Monday, Anthropic had an embarrassing and instructive week.
A security researcher found that Anthropic had accidentally shipped ~513,000 lines of unobfuscated TypeScript inside a public npm package for Claude Code; the cause was a misconfigured .npmignore file. Within hours the package had been forked 41,500 times. Days later, a critical prompt-injection vulnerability was disclosed, and the leaked source made it far easier to weaponize.
This is not a story about Anthropic. It’s a story about supply chains.
Anthropic’s brand is “safety first.” They are not a careless company. And yet one misconfigured packaging file turned a routine release into a supply-chain event affecting every organization with Claude Code in their development pipelines.
The board question isn’t “is Anthropic being careful enough?” It’s: do you know which AI tools your developers are running in production — and what’s your exposure when those tools have a bad week?
The Scale That’s Now Possible
In 2023, Sam Altman made a bet with fellow tech CEOs: the first one-person billion-dollar company was coming. Last week the NYT published the closest proof of concept yet.
Matthew Gallagher and his brother — two people, no engineering background, $20,000 in startup capital — built MEDVi, a GLP-1 telehealth platform, in two months. AI tools costing $12,000 a year handled code, copy, creative, and customer service. In 2025: $401 million in revenue at a 16.2% net margin. Hims & Hers did $2.4 billion with 2,442 employees at 5.5% margin. The leverage differential is real.
But here’s the governance shadow the headline buries: MEDVi’s model rested on an FDA shortage exception for compounded semaglutide. The FDA declared the shortage resolved. Warning letters followed. The AI tools are real. The durability of what was built on top of them is a separate question.
That’s the full lesson — both halves. AI gives small teams extraordinary leverage to build fast. Speed without governance infrastructure isn’t a competitive advantage. It’s a liability with a delayed fuse.
What I’m Building
In Issue #3 I mentioned I was building a multiplayer governance simulation. It’s live.
Duty of Care: Boardroom Edition is an async board game where you and up to four colleagues form a board of directors, debate AI governance scenarios over the course of a week, and vote — with a required rationale explaining your reasoning. Hidden information you can choose to reveal. Consequences from earlier decisions that come back later. And at the end of each round, one question: whose reasoning most changed how you think?
It’s not a training exercise. It’s a way to practice the hardest part of governance — thinking clearly under uncertainty, with people who see the problem differently than you do.
I’m looking for a handful of people to run the first full round. If you read this newsletter and think “I wish I could debate this with my peers” — that’s exactly who it’s for. Sign in with LinkedIn at tools.iantyndall.com/boardroom and start or join a board. Takes two minutes to set up.
The Question to Ask Management
“Can you show me a complete inventory of every AI agent running in our organization — who authorized each one, what data it can access, and who is accountable if it acts outside its intended scope?”
If the answer isn’t immediate and specific, you have an agent sprawl problem. That’s a governance gap — and the one most likely to surface in the next twelve months as regulators, auditors, and incident investigators come looking.
The Bottom Line
The $1,000/day in tokens is one person. Multiply that across every team in your company — including the ones that haven’t told IT yet — and you have an agent estate. The question isn’t whether your organization has AI agents. It’s whether you know where all of them are.
The board’s job isn’t to slow the agents down. It’s to know what they’re doing.
Next issue: Klarna just eliminated its Salesforce and Workday contracts. Not because it found better software — because AI agents don’t need a user interface to get the work done. Rent vs. build has been the standard framework for software decisions. In 2026, there’s a third option your board isn’t considering — and a harder question underneath it: does this capability even need a SaaS wrapper anymore?
— Ian
AI CoE Lead, Altria | Board Chair, rvatech | iantyndall.com