AI Adoption's Next Challenge: Verifying Actions, Not Just Outputs

One of the most important adoption challenges for AI is ensuring that output quality is maintained or enhanced through having a clear and robust approach to human verification of the work being done. But with the rise of products like Copilot Cowork, this need has expanded from just requiring human oversight of work product, to having human oversight of work actions along the way.

Where AI tools are taking actions on our behalf, affirmative consent is the responsible and safe approach. But for consent to truly be affirmative, the user must understand what they are being asked to consent to. Yet too often, the approval dialogs that pop up in the flow of a Cowork demo are a quickly clicked away annoyance rather than a feature that's called out as important to take note of.

While Microsoft has not published detailed information about how Cowork's consent model works, we can infer a lot from the mature app management capabilities that already exist in Microsoft 365. Apps are granted scopes of access to the Microsoft Graph. For example, an app with Files. Read. All can read any file it is granted access to within a drive in SharePoint or OneDrive. But these user scoped apps also operate with delegated access, meaning their Files. Read. All only works where the file is accessible by that user. This delegated access pattern is the one that applies across Copilot that means its access is driven by that of the user in the pilot's seat.

There is not a published list of the Graph scopes Cowork has been granted, but if you ask it to list them it will show you access across emails, chats, files (OneDrive and SharePoint), calendar, sites, meetings, and tasks, with varying access between Read and ReadWrite. You always need to take what AI tools self-report about their capabilities with a grain of salt, but the list Cowork provided aligns with the actions I have seen it be able to take.

When Cowork seeks to take an action that could be risky it asks for consent. This appears as a tool-based gate in Cowork's processing loop rather than a full access delegation or scope consent as you might see when giving a service like Calendly access to your account. Remember, Cowork already has these rights, the action consent is probably a deterministic politeness Microsoft's engineers have built in rather than a true surfacing of their granular authorization technology.

This control means that Cowork isn't at risk of running off and deleting your tenant. But it can delete emails, send messages, or take a bunch of other actions. The kinds of thing where thinking about each action individually, rather than just consenting and letting Cowork get on, is something we need to get right. This actions verification is as important as the output verification we've all been working to embed, and must be part of your adoption approach of these new agents.

How are you addressing the issue of action consent? What's working or not in how Cowork surfaces these decisions?

First posted on Linkedin 05/22/2026 → View Linkedin Post Here