Marketing and Finance Just Got Their First Real Agent Governance Problems
For two years the governance conversation lived inside engineering. Least privilege, observability, segregation of duties, audit logs, escalation protocols. These are the disciplines we built to keep code from hurting the business. Then last week three reports landed within a few days of each other, and each one carried the same architecture wearing a different uniform.
A marketing platform handed Claude and ChatGPT access to ad accounts at a granularity that violates least privilege. A finance team automated 90% of a reconciliation workflow while preserving the preparer/reviewer split as the audit gate. Google extended structured experimentation into Performance Max and AI Max, making controlled tests the only observability lever advertisers retain over the black box.
Three domains. Three different vocabularies. One pattern.
Meta’s AI Connectors: least privilege fails at the agency boundary
Jon Loomer ran the test that nobody on the vendor side wanted to publish. He connected Claude to Meta through the new AI Connector, the feature Meta launched to let large language models pull ad performance data and answer natural language questions about campaigns. The agency use case is obvious. Audit a client’s account, summarize performance, draft a recommendation.
The result was not. When Loomer authorized the connection, Meta offered him exactly two options: grant access to a specific business, or grant access to all current and future businesses tied to his account. There is no ad account selector. There is no client picker. There is no granular permission scope.
In Loomer’s own words: “You cannot choose which ad accounts Claude can access. And that can result in exposure to risk that you or your clients do not want.”
Translate that to engineering terms. An agency manages 40 clients across 12 businesses. The agency owner connects Claude once to analyze their own brand. By design, Claude now has read access to every client account under every business the owner can see. The permission model has two states: nothing, or everything. There is no middle.
This is the classic least-privilege failure. An identity should receive the minimum access required for the task. The connector ships with maximum access as the only option. Any engineer auditing an IAM policy that read “grant all current and future S3 buckets under this account” would block it at code review. Meta shipped the equivalent for ad spend and customer audience data.
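The code-review gate described above, as an added example that is not from the article or from any vendor: a small linter that flags the all-or-nothing grant pattern in an IAM-style policy, using the S3 analogy the paragraph draws. Both policies are constructed samples.

```python
import json

# Constructed sample: the "all current and future buckets" grant a reviewer
# would block, next to a grant scoped to one client's bucket.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::client-a-reports",
                     "arn:aws:s3:::client-a-reports/*"],
    }],
})


def _as_list(value):
    # IAM allows a single string or a list in Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return findings for Allow statements whose scope is unbounded.

    A statement is flagged when its Resource is a bare "*" or an
    account-wide wildcard (an ARN ending in ":*"), or when its Action is
    "*" or "service:*". An empty list means the policy passes this check.
    """
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow scope; not audited here
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith(":*"):
                findings.append(f"statement {i}: unbounded resource {res!r}")
        for act in _as_list(stmt.get("Action", [])):
            if act == "*" or act.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {act!r}")
    return findings
```

The connector's "all current and future businesses" option is the `Resource: "*"` case; a per-account selector would be the scoped form.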
The interesting part is who has to solve it. The agency cannot patch Meta’s permission model. They can refuse to use the connector, accept the exposure, or build a separate Meta business unit per client just to scope the agent. None of those are governance solutions. They are workarounds for a vendor that shipped the capability without the controls.
OnlyCFO: segregation of duties survives 90% automation
The same week, an anonymous finance leader writing as OnlyCFO published a detailed account of agent deployment for month-end close. Prepaid expense reconciliation that used to take two hours collapsed to about five minutes. A full day shaved off the close timeline. Roughly 90% of the workflow now runs through Claude with custom skills, each skill documented in around 200 lines of explicit instructions.
The number that matters is not 90%. It is 10%.
OnlyCFO did not eliminate the reviewer. The agent prepares the reconciliation. A human reviewer signs off. The preparer/reviewer split, the oldest segregation-of-duties pattern in accounting, survived intact. The agent did not replace the reviewer. It replaced the preparer’s tedium, then handed the artifact to the reviewer at the same checkpoint that existed before.
Read that again. A finance team running on AI agents reproduced the audit gate without naming it. They documented each skill in 200 lines because they had to be able to explain to an auditor, six months from now, what the agent was instructed to do on the day it generated the journal entry. That is not productivity engineering. That is procedure documentation, the kind that survives a SOX review.
Compare this to the Meta connector. OnlyCFO’s setup has explicit scope per skill (one skill per workflow), explicit human checkpoints (reviewer approval before posting), and explicit instructions (the 200 lines, version-controlled and reviewable). Meta’s connector has none of these. Same week, same agent technology, opposite governance posture.
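The preparer/reviewer gate described above, as an added example that is not OnlyCFO's code: an agent prepares a reconciliation under a hashed copy of its skill instructions, a human other than the preparer must approve it, and nothing posts without that approval. The skill text, identities and entries are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional
import hashlib

# Constructed placeholder for the skill instructions the agent ran under.
# Hashing it pins which version produced the artifact for a later audit.
PREPAID_SKILL_V1 = """Reconcile prepaid expenses: roll each schedule forward,
match amortization to the GL, list variances above the threshold."""


def skill_version(text):
    return hashlib.sha256(text.encode()).hexdigest()[:12]


@dataclass
class Reconciliation:
    period: str
    prepared_by: str                 # "agent:<name>" or "human:<name>"
    skill_hash: str                  # instructions in force when prepared
    entries: list
    reviewed_by: Optional[str] = None
    posted: bool = False
    log: list = field(default_factory=list)


def prepare(period, agent, skill_text, entries):
    rec = Reconciliation(period, agent, skill_version(skill_text), entries)
    rec.log.append(f"prepared by {agent} under skill {rec.skill_hash}")
    return rec


def approve(rec, reviewer):
    # Segregation of duties: the reviewer must be a human identity and must
    # not be the identity that prepared the artifact.
    if reviewer == rec.prepared_by or not reviewer.startswith("human:"):
        raise PermissionError("reviewer must be a human other than the preparer")
    rec.reviewed_by = reviewer
    rec.log.append(f"approved by {reviewer}")
    return rec


def post(rec):
    # The audit gate: nothing reaches the ledger without a recorded reviewer.
    if rec.reviewed_by is None:
        raise PermissionError("unreviewed reconciliation cannot be posted")
    rec.posted = True
    rec.log.append("posted")
    return rec
```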
Google Ads v24.1: experiments as the only observability surface
Performance Max and AI Max are black boxes by design. You give Google a budget, a goal, and creative assets. Google decides which audiences see what, when, on which property, with which creative variation. The advertiser surrenders the levers and trusts the model.
The May 15 release notes from ALM Corp document what Google did next. Version 24.1 extends structured experiment support into AI Max, Video, Demand Gen, and Performance Max campaigns. Three workflows: system-managed experiments, intra-campaign experiments, and asset optimization experiments. Recommended duration is four to six weeks per experiment to reach statistical significance.
The framing in the ALM Corp piece is sharper than Google’s own marketing: “Automation without measurement creates blind spots. Automation with experiments creates a usable decision framework.”
Translate again. Performance Max removed the levers. The experiment system is Google’s admission that automation without controlled measurement is unaccountable automation. The advertiser does not get the levers back. They get a structured way to ask the system “what if I held one variable constant and let you optimize the rest?” That is observability for systems you cannot inspect directly. Run a holdout. Compare. Decide.
Engineering teams built canary releases and feature flags for the same reason. When you cannot reason about the system’s internal state, you control the inputs and measure the outputs. Google did not call it observability. The accounting team did not call it segregation of duties. Meta did not call it IAM scoping. The vocabulary is different. The architecture is identical.
The honest reading
The convenient story is that marketing and finance teams are finally catching up to engineering. That reading is wrong, and it is patronizing.
What is actually happening: every domain that deploys autonomous systems hits the same handful of architectural problems. Who can the system act on behalf of? How do you check its work? How do you measure outputs when you cannot inspect the process? These questions do not belong to engineering. Engineering encountered them first because engineering deployed agents first. The questions belong to anyone running an autonomous workflow.
The risk is treating each domain as a fresh problem. Build a marketing governance framework. Build a finance governance framework. Build an ads governance framework. Four separate working groups, four policies, four escalation models, no transfer of learning. Most enterprises will do exactly this, because the organizational charts route by function, not by problem.
The alternative is to recognize the parallel structure and build once. The control questions transfer. The vocabulary needs translation. The architecture does not.
Do this now
If your organization deploys agents in more than one business function, run this audit in the next two weeks.
For every agent in production, answer three questions. What is the minimum scope this agent needs (least privilege)? Who approves the agent’s output before it has external consequence (segregation of duties)? How do you measure the agent’s effect when you cannot inspect its decisions (observability through controlled experiments or human review)?
If any function deploying agents cannot answer those three questions, you do not have a marketing problem or a finance problem. You have an architecture problem in three places, three names, and one underlying shape. Fix it as one problem.
The teams that translate engineering governance into the language of their domain will operate the technology with confidence. The teams that wait for each function to invent its own answer will pay for the lesson three times.
This analysis synthesizes How I Built AI Agents to Close the Books (OnlyCFO, May 2026), AI Connectors May Put Your Clients at Risk (Jon Loomer Digital, May 2026), and Google Ads Expanded Experiment Support v24.1 (ALM Corp, May 2026).
All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com.