The "human approval for high-impact workflows" point is the one most teams are skipping. There's pressure to make AI support feel seamless, so approval gates get cut as "friction." But that friction is actually a security control.
What I see in small business contexts: teams ship an AI support agent that can create refunds, cancel subscriptions, or reset credentials — and the threat model was never written. Not because they're careless, but because they genuinely treated it like a fancier FAQ bot.
The mindset shift needed is: any AI agent with tool-calling capability is an API surface. It needs to be secured like one. Rate limits, permission scoping, audit logs — the same things you'd apply to any integration, but applied to the agent's action layer, not just the prompt layer.