By spring, Priya's company ran six agents. It had started with one — a Level 1 project agent on the billing repo — and grown, deliberately at first and then quickly: a second billing-adjacent service agent, a personal Level 2 agent that handled her team's cross-project chores, an agent that watched the data pipeline, and two more that had quietly appeared because they were useful. They lived on three machines: two on the office server, the rest federated onto a cloud host and a spare box in the lab, all talking over the mesh.
The plan for the quarter was exciting: open a public door. A support agent, behind SSO, that customers could query directly about their own accounts. Sales loved it. Priya set the launch for the end of the month and told the team to wire it up.
Two weeks before launch, the lab box filled its disk with logs, and an engineer grepping for the cause found something else: a plaintext API key, for the billing provider, sitting in a log line. It traced back to the original Level 1 agent. Months earlier, someone had pasted the key straight into that agent's system prompt — "just to get it working" — and never removed it. It had been low-risk while the agent ran on one trusted machine. But when the team federated, that agent's context travelled to other hosts, and a debug log on the lab box had captured the prompt verbatim. The key had been sitting in cleartext on a machine half the team had forgotten they owned. Nobody had noticed for weeks, because there was no shared observability — no traces, no metrics, no single place that would have flagged a credential in a log.
Priya killed the launch date. In the retro, the team drew the system they actually had against the one a public door demanded, and three gaps stood out. First, secrets: credentials had never been managed as first-class operational objects. They pulled every key out of every prompt and repo, put them behind a secret manager, and gave each agent only the scoped, rotatable credential it needed. Second, tiers: they had six agents and no one whose job was to manage agents. That was the missing Level 3 — an agent-management tier that owns onboarding, skills, and credential rotation across the fleet, the thing you add once you pass three-to-five agents and the coordination overhead becomes real. Third, observability: they wired OpenTelemetry across the mesh so every agent's actions produced traces and metrics into one place, where a leaked-credential pattern would page someone in minutes rather than surface by accident in a full disk.
Only then did they return to the public door. Public access with SSO and user management was not just a login screen bolted on: it meant the support agent would take input from people outside the company, so its blast radius had to be understood before it was reachable. They scoped it hard — read-only to a customer's own account, no write tools, its own isolated credential, its own traces. The launch slipped six weeks. This time, it held.
Priya's takeaway, written into the fleet's operating doc: you can scale to a company of agents with very little ceremony on day one — one machine, flat files, even a key in a prompt is survivable when the door is closed and everyone is trusted. But every capability you add — a second machine, federation, a public door — widens the surface, and the operational maturity has to arrive before the capability, not after the incident that proves you needed it.