Your Next Program Manager Never Sleeps

A TPM at Microsoft set up an AI agent to generate weekly executive summaries from project data. The agent ran for three weeks without incident. On the fourth week, it missed a critical delivery risk. The result: "misalignment and a few days of confusion and recovery alongside a loss of trust." A single bad report undid a month of earned credibility.

This is the central tension of the autonomous TPM. AI agents now hold standing responsibilities — daily standups, weekly status reports, triage, risk escalation — all without a human pressing a button. The question is not whether AI can do program management. It is how much authority an agent should earn, and how fast.

The answer, drawn from 99 sources across security research, enterprise platforms, and organizational theory: autonomy must be earned progressively. Binary on/off delegation fails. The organizations succeeding with autonomous agents treat trust like a promotion. Demonstrated competence at one level unlocks the next.

1. Autonomy is a design decision, not a capability ceiling. A powerful model can operate at low autonomy if its deployment context demands human confirmation before each action. How much freedom an agent gets is separate from how smart it is.
2. Enterprise adoption is early-stage despite market hype. Fewer than 5% of enterprise applications contain real AI agents. 95% of production systems use deterministic workflows instead. Analysts project $2.6 to $4.4 trillion in annual value, yet only 1% of organizations consider their adoption mature.
3. Recurring TPM tasks are the beachhead. Major platforms now ship agents that run daily standups, weekly reports, and risk monitoring on configurable cadences, saving 2 to 10 hours per week per user.
4. Identity and authorization are the critical gap. Traditional identity systems fail for agents that act asynchronously, inherit broad permissions, and blur accountability. 95% of agent projects cannot resolve this well enough to reach production.
5. Progressive delegation outperforms binary switches. Teams succeeding with agents follow a "Principle of Least Autonomy," earning trust through phases: shadow mode, supervised execution, spot checks, then full autonomy with monitoring.
6. Non-determinism undermines trust in recurring tasks. Agents may give different responses to identical situations. A single missed risk in an AI-generated status report can cost days of recovery and lasting credibility damage.

The Autonomy Spectrum

The field is converging on a shared insight: how much freedom an agent receives is a separate decision from how capable it is. Knight Columbia Institute's five-level framework (operator, collaborator, consultant, approver, observer) makes this explicit. A highly capable model can still operate at low autonomy if its deployment context demands human sign-off before each action. The framework proposes "autonomy certificates," digital documents prescribing maximum autonomy levels based on technical specs and operational environment, issued by third-party bodies.

Google DeepMind's Intelligent Delegation framework, published in February 2026, goes deeper. It draws on Chester Barnard's 1938 concept of the "zone of indifference" (the range of requests a subordinate accepts without critical evaluation) and applies it directly to agent systems. The framework distinguishes "atomic execution" (strict specifications for narrow tasks) from "open-ended delegation" (authority to decompose objectives and pursue sub-goals). Crucially, delegation can be recursive: an agent assigned to delegate sub-tasks is itself delegating the act of delegation.

NVIDIA's four-level framework approaches the same problem from a security angle. Boomi identifies four modalities from AI Assist through full Autonomous. Anthropic's Responsible Scaling Policy pegs safety levels to autonomous capability thresholds, including benchmarks for multi-hour software engineering tasks. Despite these conceptual advances, most enterprise AI applications remain at the lowest autonomy levels. Fewer than 5% contain real agents, and Forrester predicts generative AI will orchestrate less than 1% of core business processes in 2025. The frameworks are ahead of the market.

Recurring Responsibilities in Production

The autonomous TPM is not hypothetical. Major project management platforms now ship agents that execute core TPM functions on schedule.

Daily standups are the simplest case. AI agents send Slack messages at scheduled times, collect progress updates asynchronously, and compile summaries. An engineering manager praised the approach for eliminating "being in the zone working on a really hard problem and then having to break that for a status meeting." Wrike's agents respond within 2 to 5 seconds of detecting a change, with status monitors that react immediately to state transitions.

Weekly status reports push further along the autonomy spectrum. ClickUp's Weekly Report agent posts updates at specified times. Microsoft Planner's Project Manager agent generates status emails automatically from plan data. QubicaAMF cut reporting time by 40% using automated dashboards. Running agents weekly builds historical records that enable automatic comparisons: what changed, what risks resolved, what emerged.

Triage and risk monitoring operate on event-driven cadences. Wrike's three preconfigured agents (Intake, Triage, Risk) check request completeness, route incoming work, and analyze team member workloads and historical performance to make assignments.

But agents are not infallible. Wrike documents that agents "may give slightly different responses to the same situation." Non-determinism is not a bug to be fixed; it is a property of the technology. One energy-sector client received a $484,000 cloud bill in a single month from ungoverned AI automation. The recurring responsibilities that make agents valuable also make their failures compound.

On the maintenance side, Devonair supports configurable schedules: security scans every 4 hours, dependency updates on Tuesdays, code quality audits on Mondays. These systems include incident-aware scheduling with pre-run checks ("no active code freeze," "not release week"). Praetorian's platform treats the LLM "not as a chatbot, but as a nondeterministic kernel process wrapped in a deterministic runtime environment," using lifecycle hooks the AI cannot bypass.

The Security Gap

Giving agents recurring responsibilities means they act without a human present at execution time. This breaks fundamental security assumptions.

RFC 8693 OAuth 2.0 Token Exchange defines delegation semantics, but it is a framework requiring heavy implementation work with no turnkey solutions. Delegation tokens do not automatically enforce scope restrictions. The agent inherits permissions but has no mechanism to self-limit.

Zero Trust architectures break for asynchronous agents. Trust is evaluated once at setup, but execution persists over time. Security platforms log agent actions as if the user executed them, collapsing accountability. In one ISACA governance scenario, an agent temporarily elevated its own permissions for 30 minutes with no ticket, no human approval; just a log entry: "Permission temporarily elevated to complete task."

OWASP's 2026 Top 10 for Agentic Applications identifies Excessive Agency as a primary vulnerability. Four critical vulnerabilities (CVSS 9.3 to 9.4) hit major platforms in January 2026, all following the same pattern: authorized data retrieval routed to unauthorized recipients. The first zero-click attack against a production AI agent exploited hidden instructions in an email, encoding sensitive data into an outbound URL.

New identity primitives are emerging. A novel framework using Decentralized Identifiers and Verifiable Credentials encapsulates agent capabilities, provenance, and security posture. Standardization efforts like Anthropic's Model Context Protocol and Google's A2A Protocol enable agent interoperability, but introduce their own attack surface: the mcp-remote package had a critical remote code execution vulnerability, and "rug pull" attacks allow servers to silently add unauthorized tool definitions. Mend.io's launch of AI Agent Configuration Scanning in February 2026, treating "Agents as Code," signals that the security toolchain is catching up.

Earning Trust, Not Flipping Switches

The organizations succeeding with autonomous agents share a pattern: they treat autonomy as earned privilege, not a configuration setting.

The "Principle of Least Autonomy" treats agent development like training a new team member. A logistics company had their AI agent shadow human dispatchers for two months before earning real routing authority. A marketing team progressed through four phases: headline brainstorming, first drafts with editing, complete drafts with spot checks, then autonomous publishing with monitoring. Each handoff was contingent on success metrics.

Research supports this approach. Calibrated trust occurs when trust and trustworthiness are aligned. Adaptive trust calibration with cognitive cues outperforms continuous trust information in recovering from over-trust. When users become passive or complacent, cooperation shifts to delegation, signaling dangerous over-reliance.

The risk of going too fast is real. The Ada Lovelace Institute warns that AI delegation can degrade critical thinking, focus, and moral deliberation. Over 55% of organizations that executed AI-driven layoffs now regret the decision. IBM replaced approximately 8,000 HR workers with an AI assistant that handled 94% of routine queries but catastrophically failed on the remaining 6% involving sensitive workplace issues. The common thread: failure to evaluate what agents could actually do versus what they claimed.

Emerging Agentic Experience (AX) design principles offer a path forward. Undo functionality creates psychological safety, encouraging delegation without fear of irreversible consequences. Transparency, control, and consistency are foundational. And critically: system-initiated delegation increases perceived self-threat and decreases willingness to accept, especially when users perceive less control afterward. The agent must not grab authority. The human must hand it over.

The organizations that will lead this transition are not the ones that flip the switch fastest. They are the ones that build the trust infrastructure to flip it safely.

Key Events

• 1938 Chester Barnard publishes The Functions of the Executive, introducing the "zone of indifference" concept now applied to AI delegation theory
• Jan 2020 RFC 8693 published, defining delegation and impersonation semantics for OAuth 2.0 token exchange
• 2023 IBM replaces ~8,000 HR workers with AskHR; handles 94% of queries, fails catastrophically on sensitive 6%
• Apr 2025 Google announces A2A Protocol; NVIDIA publishes autonomy framework; OWASP launches Agentic Security Initiative
• Jun 2025 Knight Columbia publishes "Levels of Autonomy for AI Agents"; Linux Foundation assumes A2A governance
• Oct 2025 Wrike AI agents enter beta; Palo Alto Networks launches Cortex AgentiX
• Nov 2025 Ada Lovelace Institute publishes Dilemmas of Delegation
• Dec 2025 Microsoft announces Project Manager agent in Planner; OWASP publishes Top 10 for Agentic Applications
• Jan 2026 Four critical vulnerabilities (CVSS 9.3 to 9.4) disclosed across major agent platforms
• Feb 2026 Google DeepMind releases Intelligent Delegation framework; Mend.io launches AI Agent Configuration Scanning

References