Before you give an AI agent your inbox, design the escalation tiers — not the prompts

When founders ask me how to set up a CEO inbox AI agent, the first thing they want to talk about is which model to use. Gemini Spark, the new always-on agents, whatever launched last Tuesday. That conversation is a distraction.

The agents are good enough. What kills these rollouts is something more boring: leaders automate response generation before they automate decision rights. They wire the agent into Gmail or Outlook, watch it draft three plausible-looking replies, and ship it. A week later the agent has politely declined a board member's intro request, confirmed a meeting that conflicts with a closing call, or auto-archived a regulator's follow-up.

None of that is a model failure. It's a policy failure. Nobody decided, in advance, what the agent was allowed to close on its own, what it had to summarize for you, and what had to reach you immediately. So the agent defaulted to the worst possible posture — confident, fast, and unsupervised.

Before the agent touches a single thread, you need three tiers.

This is the smallest tier and it should stay small for at least the first month. The agent can fully close a loop — send, archive, decline, schedule — only on inbound that meets every one of these conditions: low business impact, unambiguous intent, no external financial or legal consequence, and a sender who isn't on your stakeholder list.

In practice that's things like: cold sales outreach, recruiter spam, newsletter unsubscribes, calendar holds from people who already have Calendly access, internal FYIs that don't need a reply. If you run a Pipedrive or HubSpot stack, the agent can also log a contact, tag a thread, and move on without you.

What this tier is not: anything touching a customer who's already paying you, anything with a dollar figure in it, anything from someone who reports to you, and anything where the right answer requires knowing your strategy this quarter. If the agent has to guess at intent, it doesn't belong in Tier 1.

The operator instinct is to make this tier bigger because that's where the time savings live. Resist that for now. You're going to expand it after you have data, not before.

This is the largest tier and the one that pays for the entire system. The agent reads the thread, drafts a reply, attaches the relevant context — the last conversation with this person, the deal stage in HubSpot, the open Linear ticket, the Stripe invoice status — and puts it in a queue for you to approve or rewrite.

The non-obvious move here is that the summary matters more than the draft. A great Chief of Staff doesn't hand you a finished email; they hand you the decision. "This is the third time Reilly's asked about the renewal terms. Procurement is stalling. Legal flagged the indemnity clause last week. Recommend you call her instead of replying — draft below if you'd rather write." That's the artifact you want from Tier 2.

This is also where the handoff quality lives or dies. When the agent escalates a draft to you, it should carry the full conversation history, what it considered, what it ruled out, and why. If you find yourself opening three tabs to figure out what an agent-prepared response is actually about, the tier is failing — not because the model is bad, but because the handoff wasn't designed.

Moments runs this tier across Gmail, Slack, and your CRM in one queue, but the principle is the same regardless of the tool: the agent's job here is to compress decisions, not generate text.

This is the tier most teams forget to define, and it's the one that prevents the catastrophic stories. Tier 3 is everything the agent is forbidden from handling on its own and forbidden from queuing — it has to interrupt you.

Write this list before the agent goes live. Mine usually looks like: anything from a board member or investor, anything mentioning litigation or regulators, anything with the words "resignation," "acquisition," or "breach," anything from your top 10 customers by ARR, anything where sentiment analysis flags anger or urgency from a known stakeholder, anything where the agent's own confidence drops below a threshold you set.

The trigger logic should combine severity, sentiment, account health, and confidence — not any one of those alone. A polite email from a regulator is still Tier 3. An angry email from a stranger probably isn't.

And Tier 3 should hit you on a different channel than the inbox itself. If the alert goes to the same Gmail the agent is managing, you've built a loop. Push it to your phone, to a dedicated Slack DM, to whatever you actually look at when you're heads-down.

Recent reporting on AI agents going off-script at Meta — deleting emails, exposing data through context the agent shouldn't have been operating on — clarified something the security community had been warning about for a while. Agents lose their safety instructions when their context window gets compacted mid-task. The guardrails you wrote in the system prompt aren't necessarily there twelve tool calls later.

That's why escalation tiers can't live inside the prompt. They have to live in the surrounding system — as hard permission boundaries, scoped tokens, per-action approval gates, and audit logs that exist outside the agent's reach. "Don't send anything to legal" as an instruction is a suggestion. "This agent's token cannot send to addresses on the legal domain list" is a control.

There's also a discoverability angle most founders haven't internalized: AI prompts and agent-drafted content are showing up in litigation. An agent that quietly deletes a thread isn't just risky operationally — it can look like spoliation. Tier 1 should never include deletion of anything that could plausibly be evidence. Archive, don't delete.

Start the agent in read-only mode for a week. No sending, no archiving, no calendar holds. Just have it produce its Tier 1 / Tier 2 / Tier 3 classification on every inbound, with a draft attached where relevant. You review the classifications, not the drafts. You're calibrating the policy, not the prose.

Week two, let it execute Tier 1 only. Watch the override rate. If you're overriding more than one in twenty Tier 1 actions, the tier is too wide — pull things back. If you're overriding almost none, you can start moving categories up.

Week three, turn on Tier 2 queuing. The metric to watch here is how many of the agent's drafts you send unchanged versus rewrite versus discard. Discards are the signal — they mean the agent didn't understand what kind of reply the situation called for, which usually means it doesn't have the right context (a missing CRM field, no access to the relevant Notion doc, no visibility into the Linear thread the customer is asking about).

Throughout all of this, keep a kill switch that's one click away. Not a setting buried in a menu — something visible. The teams that trust their agents most are the ones who can revoke that trust in under five seconds.

The payoff of doing this properly isn't that the agent handles more email. It's that you stop context-switching for things that don't need you, and you stop missing the things that do. A great Chief of Staff isn't a task manager — they're a decision filter. That's what you're actually building when you design these tiers.