One control record for Claude Code and enterprise agents
The agent run is not done when the diff compiles.
That is the habit I keep coming back to with Claude Code, MCP tools, and enterprise AI agents. A patch can look clean and still leave the reviewer guessing about the scope, the tools used, the data touched, the tests skipped, or the approval needed before release.
That gap is where Thomas De Vos’s two books meet. Claude Code: Building Production Agents That Actually Scale covers the engineering side: scoped tasks, review packets, evals, observability, cost control, and rollback. The page points readers to the Amazon Kindle edition. Securing Enterprise AI Agents covers the authority side: identity, permissions, MCP and RAG boundaries, audit evidence, policy gates, and incident response. If your team is trying to ship with agents and control the blast radius, the Enterprise AI Agents in Production bundle joins those two problems.
The missing artifact is usually small
Most teams do not need a giant new process for every agent run. They need one artifact that travels with the work.
Call it a control record, a review packet, a run receipt, or something less formal. The name matters less than the answers it preserves.
For Claude Code, the reviewer needs to know what the agent was asked to do, what it inspected, what it changed, which commands ran, which tests failed, and how to roll back. For enterprise agents, security also needs to know which identity acted, which tools were available, which data classes were touched, and who approved any higher-risk action.
Those are not separate worlds. A Claude Code run that reads a ticket, queries logs through MCP, edits code, opens a pull request, and triggers a workflow has crossed from coding assistance into delegated authority. The control record is where the team stops pretending those are unrelated.
A diff cannot answer authority questions
A pull request shows files changed. It does not show the full path that produced the change.
That matters when an agent has reach beyond the editor. If the agent used a docs MCP server, the reviewer may not care much. If it used a ticket system full of customer detail, production-like telemetry, a deployment workflow, or a tool that can mutate shared state, the reviewer should care a lot.
A diff also hides negative evidence. It will not tell you that the agent stayed inside the named package. It will not tell you that it refused to read secrets. It will not tell you that it stopped before touching billing code because the task contract said to stop.
If you want agent work to survive serious review, the record has to say those things plainly.
The record should fit into the engineering loop
A useful Claude Code control record can stay short:
Task:
Allowed files and packages:
Allowed tools:
Stop rules:
Files inspected:
Files changed:
Commands run:
Tests passed:
Tests failed or skipped:
Assumptions:
Reviewer questions:
Rollback note:
That is enough for routine engineering work. It gives the human reviewer a path through the change without forcing them to reconstruct the whole session from memory and terminal scrollback.
For enterprise agent work, add the authority fields:
Agent identity:
Human delegator:
MCP servers available:
MCP capabilities used:
Data classes accessed:
Policy checks applied:
Approval owner:
Residual risk:
Incident or rollback path:
This is not paperwork for its own sake. It is the minimum evidence a team needs when an agent has access to tools, data, and workflows that matter.
Use the same record to decide whether to ship
A control record should make the release decision easier.
If the task was scoped, the patch stayed inside scope, the tests passed, no sensitive tool was used, and the rollback note is clear, the reviewer can focus on code quality. That is the fast path.
If the record says the agent touched authentication, billing, customer data, migrations, deployment config, production telemetry, or write-capable MCP tools, the decision changes. The reviewer is no longer only reviewing a patch. They are reviewing delegated authority.
That is the point where the record should trigger a named approval owner. Not a vague “someone from security”. A person or role that accepts the risk and can explain the decision later.
The book pair maps to the same operating model
The Claude Code book is for the delivery loop. It helps teams make agentic coding useful without losing engineering discipline. The questions are practical: What was the task contract? What did the agent change? What evidence came back? What failed? Can we roll it back?
The security book is for the control loop around enterprise agents. It deals with identity, data boundaries, MCP capability design, RAG governance, policy gates, audit trails, and incident response. The questions are different but connected: Who delegated authority? Which tools were reachable? Which data classes were accessed? Which action changed shared state? Who approved it?
One control record lets those loops meet in the same place. Developers get a review packet they can use. Security gets evidence it can audit. Platform teams get a pattern they can later enforce with tooling.
A template to try on the next agent run
Use this for the next serious Claude Code or enterprise agent run:
Agent control record
1. Request
What the agent was asked to do:
Why the work is needed:
Human owner:
2. Scope
Allowed files, repos, systems, and data sources:
Allowed tools and MCP servers:
Explicitly forbidden areas:
Stop rules:
3. Work performed
Files inspected:
Files changed:
Tools used:
Commands run:
Tests passed:
Tests failed or skipped:
4. Authority evidence
Agent identity:
Human delegator:
Data classes accessed:
Policy checks applied:
Approval owner if risk changed:
5. Release decision
Reviewer questions:
Residual risk:
Rollback or abandon path:
Ship, hold, or escalate:
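As an added example that is not from the article or either book, here is a small Python validator for the template above. It checks the work-performed fields against the scope fields (the negative evidence a diff cannot give), flags the sensitive areas named in the release-decision section, and returns ship, hold, or escalate, insisting on a named approval owner whenever the run crossed into delegated authority. The path patterns, tool names, data class names, and the three sample runs are constructed for this example; the assumption that an MCP capability manifest marks which tools can mutate shared state is mine, not the article's.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Sensitive areas from the article's release-decision section. Patterns and
# class names are constructed for this example; a real team keeps them in
# the repo beside the task contract.
SENSITIVE_PATH_PATTERNS = (
    "*/auth/*", "*/billing/*", "*/migrations/*", "deploy/*", ".github/workflows/*",
)
SENSITIVE_DATA_CLASSES = {"customer_data", "production_telemetry", "secrets"}


@dataclass
class ControlRecord:
    """The template fields that the release decision depends on."""
    task: str
    allowed_paths: list[str]          # glob patterns from the task contract
    allowed_tools: list[str]          # MCP servers / capabilities the contract permits
    write_capable_tools: list[str]    # assumption: the capability manifest marks tools that mutate shared state
    files_changed: list[str]
    tools_used: list[str]
    data_classes_accessed: list[str]
    tests_failed_or_skipped: list[str]
    rollback_note: str
    approval_owner: str = ""          # a named person or role, never "someone from security"


def _matches_any(path: str, patterns) -> bool:
    return any(fnmatch(path, p) for p in patterns)


def contract_violations(rec: ControlRecord) -> list[str]:
    """Negative evidence: did the run stay inside the contract and leave a usable record?"""
    out = []
    for f in rec.files_changed:
        if not _matches_any(f, rec.allowed_paths):
            out.append(f"file outside allowed scope: {f}")
    for t in rec.tools_used:
        if t not in rec.allowed_tools:
            out.append(f"tool outside allowed set: {t}")
    if rec.tests_failed_or_skipped:
        out.append("tests failed or skipped: " + ", ".join(rec.tests_failed_or_skipped))
    if not rec.rollback_note.strip():
        out.append("rollback note missing")
    return out


def authority_triggers(rec: ControlRecord) -> list[str]:
    """Signals that the reviewer is now reviewing delegated authority, not only a patch."""
    out = []
    for f in rec.files_changed:
        if _matches_any(f, SENSITIVE_PATH_PATTERNS):
            out.append(f"sensitive path changed: {f}")
    for d in rec.data_classes_accessed:
        if d in SENSITIVE_DATA_CLASSES:
            out.append(f"sensitive data class accessed: {d}")
    for t in rec.tools_used:
        if t in rec.write_capable_tools:
            out.append(f"write-capable tool used: {t}")
    return out


def decide(rec: ControlRecord) -> tuple[str, list[str]]:
    """Return ('ship' | 'hold' | 'escalate', reasons). Contract breaks win over everything."""
    violations = contract_violations(rec)
    if violations:
        return "hold", violations
    triggers = authority_triggers(rec)
    if triggers:
        if not rec.approval_owner.strip():
            triggers.append("no named approval owner")
        return "escalate", triggers
    return "ship", ["inside scope, tests green, no sensitive tool or data; review code quality"]


def render(rec: ControlRecord) -> str:
    """Lay the record out as 'Field: value' lines so it can travel with the pull request."""
    decision, reasons = decide(rec)
    lines = [
        "Agent control record",
        f"Task: {rec.task}",
        "Allowed files and packages: " + ", ".join(rec.allowed_paths),
        "Allowed tools: " + ", ".join(rec.allowed_tools),
        "Files changed: " + ", ".join(rec.files_changed),
        "Tools used: " + ", ".join(rec.tools_used),
        "Data classes accessed: " + (", ".join(rec.data_classes_accessed) or "none"),
        "Tests failed or skipped: " + (", ".join(rec.tests_failed_or_skipped) or "none"),
        f"Approval owner: {rec.approval_owner or 'none named'}",
        f"Rollback note: {rec.rollback_note or 'missing'}",
        f"Ship, hold, or escalate: {decision}",
    ] + [f"  - {r}" for r in reasons]
    return "\n".join(lines)


# Three constructed sample runs (hypothetical repositories and tool names).
FAST_PATH = ControlRecord(
    task="Fix off-by-one in pagination helper",
    allowed_paths=["services/catalog/*"], allowed_tools=["docs-mcp", "git"],
    write_capable_tools=["deploy-mcp"],
    files_changed=["services/catalog/pagination.py", "services/catalog/test_pagination.py"],
    tools_used=["docs-mcp", "git"], data_classes_accessed=["source_code"],
    tests_failed_or_skipped=[], rollback_note="revert the single commit; no schema or config change",
)
ESCALATE = ControlRecord(
    task="Add retry to invoice webhook",
    allowed_paths=["services/billing/*"], allowed_tools=["tickets-mcp", "git", "deploy-mcp"],
    write_capable_tools=["deploy-mcp"],
    files_changed=["services/billing/webhook.py"],
    tools_used=["tickets-mcp", "git", "deploy-mcp"], data_classes_accessed=["customer_data"],
    tests_failed_or_skipped=[], rollback_note="revert commit and re-run the deploy-mcp rollback job",
)
HOLD = ControlRecord(
    task="Rename config loader",
    allowed_paths=["services/catalog/*"], allowed_tools=["git"], write_capable_tools=[],
    files_changed=["services/catalog/config.py", "services/auth/session.py"],
    tools_used=["git"], data_classes_accessed=[],
    tests_failed_or_skipped=["test_session_refresh"], rollback_note="",
)

if __name__ == "__main__":
    for rec in (FAST_PATH, ESCALATE, HOLD):
        print(render(rec), end="\n\n")
```

The ordering in decide matters: a run that broke its contract is held before anyone asks who should approve it, so an out-of-scope edit to billing code cannot be waved through by a busy approval owner. The ESCALATE sample stays inside its scope and still cannot ship on its own, because billing paths, customer data, and a write-capable deploy tool all turn the patch review into an authority review.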
This does not make the agent slower in the places where speed is safe. It makes the boundary visible. In my experience, that is what lets teams give agents more useful work without turning every run into a nervous exception.
If your current problem is making Claude Code produce reviewable, production-shaped work, start with Claude Code: Building Production Agents That Actually Scale. If your problem is identity, permissions, MCP, RAG, audit, and incident response, read Securing Enterprise AI Agents. If your team owns both the delivery loop and the risk model, get the Enterprise AI Agents in Production bundle.
For Kindle readers, the Claude Code book is also available on Amazon: Claude Code: Building Production Agents That Actually Scale.