Routing AI agents to the right account

Most agent-risk conversations focus on whether an action is allowed. For anyone running work across multiple clients, there is a second, sneakier failure: the action is allowed, but it lands on the wrong account. The campaign edit was fine — it just hit client B's budget instead of client A's.

Account selection should not live in the prompt

When the target account is a parameter the model fills in, it is one hallucination or one confused context-window away from the wrong customer. The connection — which MCC, which repo, which CRM portal, which workspace — belongs in policy, bound to the worker and the job, not improvised per call.

What good routing looks like

• A worker is scoped to the connections its engagement covers, and no others.
• The right account is selected by role and context, so the agent cannot reach a neighbor's data even by mistake.
• Cross-account calls are impossible by construction, not blocked by a reminder in the system prompt.

In a single-tenant world this is a nicety. In an agency, it is the difference between a tool and a liability.

Isolation as a default

Connection-level access means each worker operates inside one customer boundary unless policy says otherwise. Grantry routes calls to the correct connection by role and scope, so "the wrong client is one call away" stops being true.