Field Notes: AI — November 2025
The month in one paragraph
November 2025 was the enterprise-pilot reality check. Agentic coding was no longer judged only by whether it could solve impressive tasks. It was judged by whether a platform, security, or legal team could allow it inside real work. Claude, Codex, Copilot, Cursor, and open agents all had to answer the same questions: what can the agent see, what can it change, how is the run logged, who approves risky actions, and how do you prove what happened later?
Actual field update
- Governance became adoption-critical: admin controls, seat policies, audit trails, and permission boundaries moved from "nice to have" to rollout blockers.
- Enterprise pilots hardened: teams started measuring usage, failure classes, review overhead, and policy-pass rates.
- Tool access became risk: connector surfaces and agent tools created new possibilities for data access, write actions, and cross-system side effects.
- Agent selection became operational: organizations began caring less about model demos and more about manageability.
Robustness check
Strong claim: enterprise adoption depends on governance surfaces.
Strong claim: MCP-style connector growth increases the need for consent, scoped auth, and audit.
Weak claim to avoid: "MCP makes integrations safe." The MCP spec standardizes access patterns, but explicitly puts consent, authorization, access controls, and data protections on implementors.
Agentic design pattern change
The new pattern was:
task request
→ policy check
→ scoped context/tool grant
→ agent run
→ review artifact
→ audit record
The agent became something the organization had to govern, not just something the developer personally used.
Fallout
- Platform teams became owners of agent reliability.
- Security teams moved earlier in the launch path.
- Tool registries started needing provenance and trust tiers.
- Logs and transcripts became procurement artifacts.
What builders should copy
- Implement trust tiers for tools: read-only, reversible write, irreversible write, external side effect.
- Require approval interrupts for destructive or external actions.
- Store consent and approval as events in the run ledger.
- Separate tool discovery from tool authorization.
Resource sources
- MCP Specification 2025-06-18: https://modelcontextprotocol.io/specification/2025-06-18
- MCP Authorization: https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization
- Securing MCP — Risks, Controls, and Governance: https://arxiv.org/abs/2511.20920
- SMCP — Secure Model Context Protocol: https://arxiv.org/abs/2602.01129
