The Enterprise AI Agents: Untangling the Spaghetti
Summarize with
When AI Can Execute, the Rules Change
The "OpenClaw" incident, where Meta’s AI alignment director Summer Yue saw her agent delete emails because a "compaction" event caused it to forget its safety instructions, is not a one-off "oops." It is a preview of the next phase of Enterprise AI.
The culprit wasn't a rogue model or a clever attack, it was a "compaction" event that caused the agent to forget its safety instructions mid-task. The agent still had permission to delete. So it did.
This is the failure mode enterprise leaders need to prepare for right now.
We've spent two years worrying about AI that makes things up. The next risk is AI that acts without the right guardrails in place. The difference matters enormously: a hallucinated fact is embarrassing.
An agent that unpublishes your product catalog, reverts pricing rules, refunds a batch of orders, or overwrites your customer records can cause real operational damage, and it may do so within seconds.
The answer is not to slow down AI adoption. It is to harden the execution layer before agents touch production systems.
Key takeaways
- Execution is the new risk. The real danger is not AI hallucinating leads. It is AI taking the wrong action inside production systems.
- Enterprise “spaghetti” blocks most AI deployments. Messy schemas, custom entities, and legacy logic are why AI often stays limited to safe use cases. Autonomous discovery is a breakthrough.
- Core dna’s MCP-enabled agent navigated complex data structures and produced accurate reports without manual mapping.
- Guardrails must live at the execution layer. Read freely, write carefully, destructive actions require human approval.
- Prompts alone are not enough. The winners will control agents, not just build remember models. Competitive advantage will come from governed, observable AI execution inside real enterprise systems.
Why Most Enterprise AI Stays in the Sandbox
Most enterprise platforms are a decade-plus accumulation of custom entity definitions, messy historical data imports, one-off API integrations, and business logic that has been patched and extended over time. We call this "The Spaghetti", and it's what makes your platform yours.
The problem is that standard AI models are deployed into this environment without a map. They have the capability to act, but no contextual understanding of the system they're operating in.
This is precisely why most enterprise AI implementations stay limited to content generation, search, or summarization. Leadership is, rightly, cautious about what happens when an agent tries to interact with live business data and pulls the wrong string.
The question for enterprise isn't "should we use AI agents?" That decision has already been made by the market. The question is: "How do we give agents access to our systems without losing control of what they do?"
The "Aha!" Moment: Can an AI Agent Actually Navigate Your Messy Enterprise Data?
We recently ran a test at Core dna that changed how we think about this problem.
We gave our AI agent, connected via the Core dna MCP (Model Context Protocol), a deliberately complex task: produce a full revenue report covering sales data and enrollment data, with graphs, insights, and a polished PDF output.
Enrollment data at Core dna lives inside a custom entity structure, it's not a standard module with a ready-made endpoint. Normally, a request like this means calling a developer, waiting days, realizing a field was missed, and starting again.
Quick sneak peek from a recent call with out CTO!
What the Core dna AI Agent Did
The agent had no manual. No pre-mapped schema. It explored the platform's structure on its own, discovered that Enrollments lived inside our custom entity system, and figured out how to query them without being told.
It identified that some records were historical imports rather than real sales, and adjusted its logic to exclude them. When it needed weekly breakdowns - which don't divide neatly by month - it made separate requests for each week rather than approximating.
And when it only needed a count of orders, it requested the absolute minimum data required rather than pulling thousands of full records.
The entire analysis, across multiple data sources, complete with a formatted PDF was done in a few minutes.
What this showed us
In many first-pass implementations, scripts attempt to pull full datasets at once a pattern that can degrade system performance under load. The agent avoided that entirely, using our API more efficiently than most hand-written queries would have.
This is what it looks like when an agent can discover your environment instead of requiring you to teach it your environment. The "Developer Tax" , the weeks of schema documentation, the back-and-forth, the custom report requests shrinks dramatically.
And that capability is precisely why execution guardrails must come first. Autonomous discovery is powerful. An agent that can navigate your Spaghetti without a map can also make decisions you didn't anticipate.
The governance layer isn't a constraint on what agents can do, it's what makes autonomous discovery safe to deploy in production.
Governance Isn't Optional: It's the Whole Point for Enterprise AI Agents Deployment
The enrollment story is compelling, but it only works because the agent operated within a tightly controlled execution environment. This is where most enterprise AI implementations fall short: they grant capability without defining boundaries.

Two Tiers of Control
At Core dna, we structure agent permissions into two distinct categories, enforced at the execution layer — not as guidelines, but as hard controls the platform imposes regardless of what the model's context contains.
Read-only tools are always-allow by default.
The agent can explore, sample data, discover schema relationships, and produce reports without any risk to the live environment. This is the right starting point for any enterprise deployment — let the agent be a powerful analyst before you let it be an operator.
Write tools require human-in-the-loop approval.
If an agent identifies a group of users with lapsed subscriptions and recommends a status update, it cannot execute that change on its own. The platform surfaces the recommendation, explains the agent's reasoning, and waits for a human to confirm. Destructive or irreversible actions such as deletions, overwrites, bulk updates are enforced at the tool level, not just at the prompt level.
Built-In Safeguards
Beyond these two categories, Core dna's governance layer also includes audit logging (so you know what the agent did and why), rate limits (so a runaway query can't hammer your database), and record caps (so a single agent action can't affect thousands of records at once). These aren't configuration options, they should be the default.
The OpenClaw incident wasn't a failure of the AI model. It exposed an environment design gap: safety constraints weren't enforced at execution time. The model had permission to delete, and when its context was disrupted, it exercised that permission. The fix isn't a better prompt. It's a governed execution layer that enforces boundaries regardless of what the model's context contains.
What Being "Agent-Ready" Actually Means
For enterprise leaders, the goal isn't to become an AI researcher. It's to gain the operational efficiency of agents without inheriting their risk profile.
A platform that is genuinely agent-ready has three things in place, and Core dna builds all three into the foundation rather than leaving them to configuration.
A Translator Layer
The Core dna MCP gives the AI a structured, LLM-readable description of your tools and data — so it can navigate your Spaghetti without guessing. Without this, agents operate on assumptions, and assumptions cause errors.
Tool-Level Permissions
These separate what the agent can observe from what it can change. Read access is broad. Write access is narrow, audited, and human-confirmed for anything consequential. This is enforced at execution time, not in the system prompt.
Observable Behavior
A record of what the agent did, what it found, and what it decided, presented in plain language your team can actually review. Not raw logs. Accountable output.
The Efficiency Case
Here's the practical upside for a CEO who gets this right.
Old way: Identify a reporting need → call a developer → wait one to two weeks → realize a field was missed → repeat.
New way: Ask the agent → it discovers the schema → it produces the result in minutes → a human reviews and approves any downstream action.
The value isn't in generating more content. It's in reducing the need of rom every operational question your business needs answered. When an agent can navigate your custom entity structure on its own, the bottleneck between a question and an answer shrinks from weeks to minutes.
That shift compounds. Faster decisions, lower operational overhead, and a business that actually gets easier to run, not just one that generates more copy.
Enterprise AI agents represent a real operational shift, from AI that advises to AI that executes. That shift is already underway.
The competitive advantage will not come from who has the smartest model. It will come from who has the safest, most controllable execution layer, one that lets agents discover, reason, and act inside complex real-world systems while keeping humans accountable for what changes.
The Spaghetti in your platform isn't a barrier to AI adoption. With the right orchestration layer, it becomes the environment the agent learns to navigate. The question isn't whether your business will use agents. It's whether your platform will be ready to govern them when it does.

