Voices & Thought Leaders Thursday, 5 March 2026

Box's CEO on why every AI agent needs its own sandbox

Aaron Levie runs Box, the enterprise content management platform used by 105,000 organisations worldwide. When he talks about AI agents, he's not thinking about chatbots - he's thinking about access control, identity management, and what happens when autonomous systems start reading, writing, and modifying files across an entire organisation.

His core thesis is simple but critical: agents need workspaces, not just API keys. Every agent operating in an enterprise environment needs its own sandboxed space with explicit permissions, audit trails, and governance controls. Without that infrastructure, you're handing autonomous systems the keys to everything - and hoping nothing breaks.

The governance problem nobody's solving

The challenge with enterprise AI adoption isn't the models - it's what happens when those models need to DO something. An agent that can read every document, write to shared folders, and modify workflows without identity or access controls is a security nightmare waiting to happen.

Levie's insight is that agents need the same infrastructure we built for humans: identity, permissions, activity logging, and the ability to revoke access when something goes wrong. Right now, most agent implementations bypass this entirely - they run with admin-level access and hope the prompt engineering keeps them in line.

That's not a technical solution. That's a prayer.

Box's approach is to treat agents as first-class users within their content management system. An agent gets its own workspace, explicit read-write permissions per folder, and every action it takes is logged with the same audit trail as a human employee. If an agent starts behaving unexpectedly, you can see exactly what it accessed, what it changed, and revoke its permissions immediately.

Context engineering vs prompt engineering

Levie makes a distinction that's worth paying attention to: prompt engineering is about what you tell the model. Context engineering is about what you SHOW it. For enterprise agents, context matters more than prompts.

An agent working with financial documents doesn't need clever prompting - it needs access to the right files, the correct schema for how that data is structured, and clear boundaries about what it can modify. That's context. Get the context right, and the prompts become straightforward.

This is where Box's infrastructure advantage becomes clear. They already have the metadata layer, the permission system, and the content structure. Adding agent identity and workspace controls is an extension of architecture they've been building for years. For companies starting from scratch, this is the hard part - not the AI model itself, but the scaffolding around it.

Read-write workflows and the multi-year transformation

Levie is clear-eyed about timelines. Enterprise AI adoption isn't happening in quarters - it's happening over years. The first phase is read-only: agents that can analyse documents, answer questions, and surface insights without changing anything. That's relatively safe and where most organisations are today.

The second phase is read-write: agents that can create documents, update records, and modify workflows. This is where governance becomes non-negotiable. An agent writing to shared folders needs the same controls as a human employee - probably stricter, given its potential scale and speed.

The third phase, which Levie thinks is still years away for most enterprises, is autonomous decision-making: agents that can initiate processes, approve workflows, and operate with minimal human oversight. That requires trust, and trust requires infrastructure that doesn't exist yet for most organisations.

What this means for builders

If you're building AI agents for enterprise customers, Levie's perspective should inform your architecture from day one. Don't bolt on governance later - build it into the foundation. Every agent needs identity, explicit permissions, activity logging, and revocable access.
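
A minimal sketch of those four controls (agent identity, explicit per-folder permissions, activity logging, revocable access), added here as an illustration; it is not Box's code or API. The AgentGateway class, the agent id and the folder paths are hypothetical.

```python
import posixpath
from dataclasses import dataclass, field
from datetime import datetime, timezone

def canon(path):
    # Collapse ".." and duplicate slashes before any policy decision is made.
    return posixpath.normpath("/" + path.lstrip("/"))

@dataclass
class AgentGateway:
    """Default-deny check that sits between an agent and the content store."""
    grants: dict = field(default_factory=dict)   # agent_id -> {folder: "r" | "rw"}
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)    # append-only storage in practice

    def grant(self, agent_id, folder, mode):
        if mode not in ("r", "rw"):
            raise ValueError("mode must be 'r' or 'rw'")
        self.grants.setdefault(agent_id, {})[canon(folder)] = mode

    def revoke(self, agent_id):
        self.revoked.add(agent_id)   # checked on every call, so it takes effect at once

    def authorize(self, agent_id, action, path):
        target, allowed = canon(path), False
        if agent_id not in self.revoked:
            for folder, mode in self.grants.get(agent_id, {}).items():
                inside = target == folder or target.startswith(folder.rstrip("/") + "/")
                if inside and (action == "read" or (action == "write" and mode == "rw")):
                    allowed = True
                    break
        # Denials are logged too: they are the early signal of an agent off-script.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "agent": agent_id,
                           "action": action, "path": target, "allowed": allowed})
        return allowed

def demo():
    gw = AgentGateway()
    gw.grant("agent-invoices", "/finance/reports", "r")             # constructed values
    gw.grant("agent-invoices", "/workspaces/agent-invoices", "rw")
    checks = [("read", "/finance/reports/q1.pdf"), ("write", "/finance/reports/q1.pdf"),
              ("read", "/finance/reports/../payroll/all.csv"),
              ("write", "/workspaces/agent-invoices/summary.md")]
    results = [gw.authorize("agent-invoices", a, p) for a, p in checks]
    gw.revoke("agent-invoices")
    results.append(gw.authorize("agent-invoices", "read", "/finance/reports/q1.pdf"))
    return results, gw.audit

if __name__ == "__main__":
    print(demo()[0])
```

The agent can read the reports folder but only write inside its own workspace; the path that climbs out of the granted folder is denied and still recorded, and after revocation even the previously allowed read fails.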

For business owners evaluating AI tools, ask the governance questions early: How does this agent authenticate? What can it access? Can I see what it's doing? Can I revoke its permissions without breaking workflows? If the vendor doesn't have clear answers, you're not ready to deploy.

The enterprise AI opportunity is massive, but it's not a land-grab. It's a slow, deliberate transformation that requires infrastructure, governance, and trust. Box is positioning itself as the workspace layer for that transformation - the place where agents live, work, and operate within boundaries.

That's less exciting than autonomous AGI, but it's far more relevant to the 105,000 organisations trying to figure out what AI actually means for their operations. Every agent needs a box. The question is whether you're building the box, or hoping someone else does it for you.

About the Curator

Richard Bland
Founder, Marbl Codes

27+ years in software development, curating the tech news that matters.

© 2026 MEM Digital Ltd t/a Marbl Codes