What CIOs Get Wrong About AI Agents
Agentic coding has taken off. Agentic knowledge work has not. That gap is the most useful thing a CIO can understand about AI agents right now, and Aaron Levie described it better than anyone I have interviewed.
Levie is the co-founder and CEO of Box, which counts 68 percent of the Fortune 500 among its customers, which means he watches agents meet real enterprise data all day. He joined me on episode 921 of CXOTalk.
A tale of two cities
I asked him to separate the promise of agents for programming from the promise for everything else. His answer drew the line that most vendor demos are careful to blur.
We are still in the very early stages of what agentic work looks like in the enterprise and what the rollout looks like. We have an interesting dynamic, which is sort of a tale of 2 cities. We have AI kind of agentic coding, which has clearly taken off. And it’s within engineering teams, and everybody’s kind of figured out what the new practices are around the future of engineering. And then you kind of get into the real messy environments of knowledge work, where things are just quite a bit different. It’s a lot harder to deploy agents at scale. The agents don’t have always access to the right data. The users are less technical, so they don’t know how to sort of always steer them properly.
Aaron Levie, co-founder and CEO, Box
Read that again with a CIO’s ear. Engineering succeeded with agents because engineers are technical enough to steer a wrong answer back on course, and because the codebase is one clean, well governed body of data. Neither condition holds in finance, legal, HR, or operations. The demo works. The deployment does not.
Agents break your permission model
This is the part I would print out and hand to your security team.
In the enterprise, we’re constantly asking for permission to other systems and other resources and other data environments, and so an agent is only as good as the data that it has access to, but in the enterprise we have lots of systems that are either not well-maintained or the agent can’t get access to the right data, or maybe even worse, you have too much access to information. And we had sort of, you know, security through obscurity in your organizations, and now all of a sudden the agent is leaking data to the wrong people.
Aaron Levie
Security through obscurity is the honest name for how most enterprises actually protect information. The salary spreadsheet is technically readable by half the company, and it stays private because nobody thought to open it. An agent thinks to open it. Then it summarizes it helpfully for someone who should never have seen it.
Nothing was breached. No policy was violated. The permissions were always wrong, and the agent is simply the first employee diligent enough to use them.
The new role nobody has hired yet
Levie’s most concrete prediction was organizational, not technical. He expects enterprises to create an internal version of the forward deployed engineer.
I actually think there’s going to be a role for effectively an internal FDE and this is some kind of IT business AI automation engineer type role. I think often it’s going to live within the technology or IT organization, but be embedded within the actual line of business that it’s trying to bring automation to.
Aaron Levie
It follows directly from the two cities problem. If agents only work where a technical person can steer them, and knowledge workers are not technical, then you either wait for the models to get good enough to need no steering, or you put a technical person inside the business unit. One of those is a plan. The other is a hope.
Why I keep asking about the boring parts
I have spent twenty years writing about why enterprise technology projects fail, and the answer is almost never the technology. It is data nobody maintained, permissions nobody audited, and a business process nobody redesigned. Agents do not fix any of that. They expose all of it, faster and more publicly than the last wave did.
The live audience heard the same thing I did, and the questions that hour were about governance, cost, and access, not about capability. That tells you where the real anxiety sits.
Folks, you can ask your questions. When else will you have the chance to ask Aaron Levie, the CEO of Box, pretty much whatever you want?
Michael Krigsman, CXOTalk episode 921
The CIO checklist from this conversation
Audit permissions before you deploy a single agent, on the assumption that your current model is held together by obscurity rather than policy. Assume knowledge work will be harder than the coding results suggest, and do not let an engineering pilot set the expectation for the rest of the company. Budget for the human in the middle, whatever you end up calling the role, because agents in messy environments still need someone technical standing next to them.
And treat every agent demo you are shown as a demo run in the cleanest data environment its vendor could find.
Watch the full conversation and read the complete transcript: Box CEO Aaron Levie: CIO Advice on Agentic AI and the Enterprise, CXOTalk episode 921.

