More and more businesses are connecting AI assistants to their Odoo instance via the API or over MCP. But how are you governing that access? I'd love to hear how others are approaching this.

The core governance principles haven't changed: who can access what data, who can approve what actions, how do you enforce segregation of duties. The difference is that AI can execute thousands of actions per hour instead of a few dozen clicks per day. That raises some practical questions:

1. Are you treating AI agents as "users"? Does your AI integration get its own Odoo user account with dedicated roles? Or does it inherit the connected user's session? If an agent acts on behalf of multiple users, whose permissions apply?

2. How do you scope API keys? Odoo's ACLs and record rules apply to API calls the same way they do in the UI. But are you creating dedicated API keys per agent or per task? Least privilege matters even more when an agent with broad access can do a lot of damage very quickly.

3. What about audit trails for AI actions? When a human approves a purchase order, the intent is obvious. When an AI does it, there's an extra layer, why did it suggest this? Are you logging the context that triggered AI actions, or just the database changes?

4. Rate limiting? A human is naturally rate-limited. An AI agent isn't. Have you set any limits on API calls to prevent runaway automation?

5. Data classification? Salary data, payment details, pricing margins, do you have a policy for what your AI integrations can and cannot access? Odoo's field-level security helps, but it requires deliberate configuration.

6. Human-in-the-loop for high-risk actions? For approving invoices, modifying financial records, or changing access rights, do you require human confirmation even when AI initiates the action?

In my experience implementing Odoo, most companies are eager to adopt AI but few have thought through governance. 

Curious to hear your experiences.

Rutger