We spent the better part of two decades arguing about text files. You can be forgiven for blotting that from your mind, but if you were anywhere near enterprise IT between 2000 and 2020, it’s pretty much all we talked about. GNU General Public License, Apache License, MIT License, etc., etc. That was on the vendor side. On the enterprise side, emergency meetings were held because someone found the wrong copyright header buried in a dependency three levels deep. Entire toolchains and compliance teams sprang up to answer a simple question: What are we allowed to ship?

It felt critically important at the time. In a way, it was—sort of. We were defining the rules of engagement for how software could be shared, reused, and monetized. We were trying to turn a chaotic bazaar of code into something enterprises could trust and weave into their software supply chain.

Surprise! We’re doing it again, except the “code” is no longer a library you link against. Now it is an autonomous system that can take actions on your behalf. This is why the hottest arguments in AI right now are starting to feel like déjà vu. Open weights versus proprietary. Training data provenance. Who can sue whom. Etc.

These are good questions. They just happen to be the wrong questions.

In the agentic AI era, the “license” is not a legal document. It is a technical configuration that defines what the software is allowed to do. Getting those permissions wrong has expensive, potentially destructive consequences. Getting them right…? Well, that turns out to be a very big deal.

The physics of risk

In the open source era, the worst-case scenario for getting licensing wrong was legal. If you shipped GPL code inside a proprietary product, you got a nasty letter, you settled, and you moved on. Lawyers handled it.

Agents change the physics of risk. As I’ve noted, an agent doesn’t just recommend code. It can run the migration, open the ticket, change the permission, send the email, or approve the refund. As such, risk shifts from legal liability to existential reality. If a large language model hallucinates, you get a bad paragraph. If an agent hallucinates, you get a bad SQL query running against production, or an overenthusiastic cloud provisioning event that costs tens of thousands of dollars. This isn’t theoretical. It’s already happening, and it’s exactly why the industry is suddenly obsessed with guardrails, boundaries, and human-in-the-loop controls.

I’ve been arguing for a while that the AI story developers should care about is not replacement but management. If AI is the intern, you are the manager. That is true for code generation, and it is even more true for autonomous systems that can take actions across your stack. The corollary is uncomfortable but unavoidable: If we are “hiring” synthetic employees, we need the equivalent of HR, identity access management (IAM), and internal controls to keep them in check.

All hail the control plane

This shift explains this week’s biggest news. When OpenAI launched Frontier, the most interesting part wasn’t better agents. It was the framing. Frontier is explicitly about moving beyond one-off pilots to something enterprises can deploy, manage, and govern, with permissions and boundaries baked in.

The model is becoming a component, in other words. The differentiator is the enterprise control plane wrapped around it.

The press and analyst commentary immediately reached for the same metaphor: It looks like HR for AI coworkers. Even The Verge picked up OpenAI’s language about being inspired by how enterprises scale people. Outlets covering Frontier emphasized that it is assigning identities and permissions to agents rather than letting them roam free. Then, almost on cue, OpenAI followed with Lockdown Mode, a security posture designed to reduce prompt-injection-driven data exfiltration by constraining how ChatGPT interacts with external systems.

Put those two announcements together and the industry’s direction becomes obvious. We are not racing toward “smarter assistants.” We are racing toward governable, permissioned agents that can be safely wired into systems of record. This is why I keep coming back to the same framing: We are no longer in a model race. We are in a control-plane race.

We are currently in the “Wild West” phase of agent deployment. It’s exciting, but boy, is it stressful if you’re an enterprise that wants to deploy agents safely at scale. Developers are chaining agents together with frameworks, wiring them into enterprise apps, and giving them broad scopes because it is the fastest way to get a demo working. The result isn’t just spaghetti code. It is spaghetti logic. You end up with a swarm of semi-autonomous systems passing state back and forth, with no clean audit trail of who authorized what.

This is where trust collapses, and where costs mushroom.

I have called this the AI trust tax. Every time an AI system makes a mistake that a human has to clean up, the real cost of that system goes up. The only way to lower that tax is to stop treating governance as a policy problem and start treating it as architecture. That means least privilege for agents, not just humans. It means separating “draft” from “send.” It means making “read-only” a first-class capability, not an afterthought. It means auditable action logs and reversible workflows. It means designing your agent system as if it will be attacked because it will be.

This is also why I’ve been hammering on the idea that memory is a database problem. If agent memory is effectively a state store, then it needs the same protections every state store needs: firewalls, audits, and access privileges. Agentic permissions are the natural extension of that argument. Once the agent can act, it needs privilege boundaries as rigorous as those for any database admin.

Permissions are the new copyleft

In the early 2000s, open source licenses did something brilliant. They made reuse frictionless by being standardized and widely understood. The Apache and MIT licenses reduced legal uncertainty. The GPL used legal constraints to enforce a social norm of sharing.

Now we need the equivalent for agents.

Right now, permissions are a mess of vendor-specific toggles. One platform has its own way of scoping actions. Another bolts on an approval workflow. A third punts the problem to your identity and access management team (good luck!). That fragmentation will slow adoption, not accelerate it. Enterprises can’t scale agents until they can express simple rules. We need to be able to say that an agent can read production data but not write to it. We need to say an agent can draft emails but not send them. We need to say an agent can provision infrastructure only inside a sandbox, with quotas, or that it must request human approval before any destructive action.

We need something like a “Creative Commons” for agent behavior: A standard vocabulary for agentic scopes that can travel with the agent across platforms.

Open source eventually got two things that made enterprises comfortable: licenses and the tools to inventory what they were actually using. A software bill of materials (SBOM) is the modern form of that inventory, and standards like System Package Data Exchange (SPDX) exist largely to make licensing and supply-chain tracking interoperable. The agent world needs the same move. We need a machine-readable manifest for what this agent is and what this agent can do. Call it permissions.yaml if you want. The name doesn’t matter. The portability does.

So, yes, we need a new open source, but not that kind of open source. Not the kind that has the same ol’ open source folks haggling over whether you can have open source AI, without the training data, or whatever. That’s a nice question for yesterday’s open source program office to fixate on, but it’s not relevant to where software is going today.

No, where it’s going is all about agents and the permissions that govern them. Back in 2014, I suggested we were already living in a “post–open source world.” I definitely wasn’t thinking of agents when I wrote that “software matters more than ever, but its licensing matters less and less.” I still think that’s true, though perhaps there’s still room for “licensing” discussions as we figure out how to make agents safely interoperate at scale.