Blog ·
A three-bucket frame for deciding what to automate, delegate, or hand to an AI agent
After 18 years in IT, the most useful frame I've found for triaging repetitive helpdesk work: what to automate, what to delegate, and what to hand to an AI agent.
Most failed helpdesk automation projects I've seen pick the wrong bucket.
After 18 years in IT and watching too many "we tried AI for that" stories end in postmortems, I keep coming back to a three-bucket frame for repetitive helpdesk work. The frame is simple, but most teams get the buckets confused, and that confusion is what kills projects.
1. Automate it (write the script)
Best for deterministic tasks with clear inputs and outputs. Password resets when the user is verified. License assignments based on group membership. Mailbox creation from HRIS events. Offboarding sequences. PowerShell, Logic Apps, Make, n8n, whatever fits.
Failure mode: trying to script things with too many edge cases. You spend 40 hours building something that breaks the first time HR sends a malformed input. The rule of thumb: if you can list the inputs and outputs in a paragraph, automate it. If you find yourself writing "and then it depends on whether..." more than twice, it's probably not an automation problem.
2. Delegate it (give the right human safe access)
Best for low-skill but judgment-required tasks. Resetting a password after verifying the user really is who they say they are. Creating a guest account for a contractor. Restoring a deleted file. These don't need IT involvement, but giving HR or a manager global admin to do them is malpractice.
The right answer is scoped, delegated access: JIT permissions, custom admin roles, or a purpose-built delegation tool. Failure mode: over-delegating (too much access for convenience) or under-delegating (everything still funnels through IT because "we don't trust the controls"). Both are signals that you haven't designed the boundary carefully enough.
3. Hand it to an AI agent
Best for tasks that need natural-language understanding or judgment that's hard to express in code. Routing tickets to the right team. Drafting first-response replies. Summarizing long ticket threads for handoff. Answering "how do I..." questions against your knowledge base.
Failure mode: treating the agent as a deterministic system. When it's wrong, it's confidently wrong, and without a human review loop on the high-impact actions, you'll be writing a postmortem within 90 days. AI agents are useful for the work humans find tedious AND that doesn't fail catastrophically when wrong. If a single wrong answer can trigger a security incident or a regulatory call, the agent doesn't get final authority. It drafts, a human approves.
The mistake I see most often
Most failed helpdesk automation projects I've seen pick the wrong bucket. Usually it's one of two patterns:
- Using AI for something that should've been a script. The team builds an LLM-powered solution for password resets when a deterministic flow + verification step would have worked better and never hallucinated.
- Scripting something that should've been delegated. The team builds elaborate self-service flows when scoped admin access would have given the right person the right tool with less code surface to maintain.
Both patterns waste effort, and both eventually fail in ways that erode the team's confidence in automation entirely.
How to use this in practice
When a new helpdesk-work request comes up, run it through three questions in this order:
- Can I describe the input and output unambiguously? If yes, automate it.
- Is there a human who could safely do this with the right scoped access? If yes, delegate it.
- Does it need language understanding or judgment that's hard to encode? If yes, hand it to an AI agent. Design the review loop before you deploy.
If the answer to all three is no, it's probably not the right work to automate in the first place. Some helpdesk work is meant to be human-to-human, and that's fine.
What's the worst bucket-mismatch you've cleaned up?