Automation
Running scheduled AI agents safely
An interactive agent has a human in the loop by default — someone is reading the output and can yank the cord. A scheduled agent has none of that. It wakes up on a cron, does its job, and goes back to sleep, and whatever permissions it holds are exercised with nobody in the room.
Unattended changes the math
For an unattended worker, the permissions are not a starting point a human will refine — they are the entire control surface. Two things become non-negotiable:
- Tight scope. A scheduled job should hold the narrowest role that completes its task. No "just in case" tools.
- Asynchronous approval gates. Risky actions should queue for a human and wait, not auto-execute because no one was online to say no.
Read-mostly by design
Many scheduled agents only need to read — pull metrics, compile a report, open an issue. Keep them there. If a job genuinely needs to write something risky, let it stage the change and park it for approval, so the mutation happens when a human is around to own it.
The 3 a.m. run is exactly when you find out whether your guardrails were real or decorative.
Audit is how you sleep
Because you were not watching, the log is your only account of what happened. Every scheduled run should leave a complete trail: worker, action, connection, result. Grantry applies the same role, gates, and audit to a cron-triggered worker as to an interactive one — the schedule does not get a pass.
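The approval gate and the audit trail described above, as an added example in Python; it is not Grantry's code or API. The `ScheduledWorker` class, the role contents, and the action, connection and approver names are hypothetical and constructed for illustration.

```python
import json
import time
from dataclasses import dataclass, field

# Hypothetical role for a nightly report job (constructed for this example):
# "allow" runs unattended, "gate" waits for a human, anything else is denied.
ROLE = {"allow": {"metrics.read", "issue.create"}, "gate": {"db.migrate"}}

@dataclass
class ScheduledWorker:
    name: str
    role: dict
    audit: list = field(default_factory=list)    # append-only trail
    pending: list = field(default_factory=list)  # staged changes awaiting approval

    def _log(self, action, connection, result):
        # One record per attempt: worker, action, connection, result.
        self.audit.append(json.dumps({"ts": time.time(), "worker": self.name,
                                      "action": action, "connection": connection,
                                      "result": result}))
        return result

    def _exec(self, action, connection, execute, ok="executed"):
        try:
            execute()
        except Exception as exc:  # a failed run still leaves a record
            return self._log(action, connection, f"failed:{type(exc).__name__}")
        return self._log(action, connection, ok)

    def run(self, action, connection, execute):
        if action in self.role["allow"]:
            return self._exec(action, connection, execute)
        if action in self.role["gate"]:
            # Nobody is online to say no: stage the change, do not execute it.
            self.pending.append((action, connection, execute))
            return self._log(action, connection, "queued_for_approval")
        return self._log(action, connection, "denied")  # out of scope

    def approve(self, index, approver):
        action, connection, execute = self.pending.pop(index)
        return self._exec(action, connection, execute, f"approved_by:{approver}")

def demo():
    done = []  # stands in for real side effects
    w = ScheduledWorker("nightly-report", ROLE)
    results = [w.run("metrics.read", "prometheus", lambda: done.append("read")),
               w.run("db.migrate", "prod-db", lambda: done.append("migrate")),
               w.run("user.delete", "prod-db", lambda: done.append("delete"))]
    before = list(done)      # state after the unattended run
    w.approve(0, "alice")    # later, a human releases the staged change
    return results, before, done, w.audit
```

The denied and queued attempts are logged alongside the executed ones, so the trail shows what the job tried to do as well as what it did.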