Governance & guardrails
Agentic AI governance: what changes when an agent can act
Agentic AI governance is the set of controls and oversight for AI systems that don't just answer but act: agents that can browse, call tools, move money, or change records on their own. Governing them is different from governing a chatbot, and this page covers the new risks, the controls to set first, and an authority-scoping checklist you can use, with an honest note that the field is still settling.
What makes agents different
An ordinary AI tool produces something a person reads and decides what to do with. The human is the gate. An agent removes that gate: it plans across steps, calls tools and other systems, and takes actions in the world, often without a person looking at each one. That is the whole appeal, and it is the whole problem. Governance built for "was the answer any good?" does not cover "it just did something, was it allowed to, and can we undo it?"
This is not a hypothetical you have time for. Agent deployment climbed fast across 2025, reaching roughly 42 percent of organizations by the third quarter, while the oversight tooling stayed a step behind (field surveys and the tracking in our own field research). Adoption is outrunning governance, which is exactly when the avoidable incidents happen.
Why the usual governance only half-covers it
Your existing framework still matters. The NIST AI RMF functions, an inventory, risk tiering, human oversight: all of it applies. But those instruments were written for AI systems in general, and the honest read from the literature is that they "only partially address" autonomous, tool-using agents that need continuous oversight rather than a one-time check. The field knows this and is racing to fill the gap. The first artifacts are only months old and they are competing, not settled:
- The OWASP Gen AI Security Project published a Top 10 for agentic applications in December 2025, the first widely used risk taxonomy.
- Singapore released a state-backed Model AI Governance Framework for agentic AI in January 2026.
- Microsoft shipped an Agent Governance Toolkit in April 2026, and the Cloud Security Alliance is building an agentic profile of the NIST AI RMF.
So this is a page written about a moving target on purpose. The controls below are the parts these sources broadly agree on; treat any single framework as input, not a finished answer, and expect to re-read the sources a couple of times a year.
The new risks
| Risk | What it means for an agent |
|---|---|
| Actions, not just words | A chatbot that hallucinates writes a wrong sentence. An agent that hallucinates can send the email, issue the refund, or delete the record. The blast radius is the difference. |
| Excessive authority | Agents are often handed broad permissions and standing credentials so they "just work." That over-provisioning is the agentic version of a user with admin rights they never needed. |
| Chained and compounding errors | Agents plan across many steps and call other tools and agents. A small early mistake propagates, and no single step looks wrong on its own. |
| Prompt injection into actions | A malicious instruction hidden in a web page or document can redirect an agent that is allowed to act, turning a data-retrieval task into an unintended action. |
| Weak identity and traceability | When an agent acts, whose identity did it use, and can you reconstruct what it did and why? Many deployments cannot answer either cleanly. |
| Continuous, not one-time, risk | An agent operating on its own drifts and encounters situations it was never tested on. One-time certification does not cover a system that keeps acting. |
The controls to set first: an authority and approval checklist
You do not need a finished agentic framework to deploy an agent safely. You need four things in place before it acts: a scoped authority, gates on the consequential actions, the ability to see and stop it, and a named owner. Work through this before an agent touches production:
Scope the authority
- Write down exactly what this agent is allowed to do, and what it is not. Default to the narrowest scope that lets it do the job.
- Give it its own identity and least-privilege credentials, not a shared or human account, so its actions are attributable and revocable.
- Set hard limits it cannot exceed: spend caps, rate limits, allowed systems, and data it may touch.
Gate the consequential actions
- List the actions that require a human to approve before they execute (moving money, external messages, deleting or changing records, anything customer-facing).
- Keep low-stakes actions autonomous so the human review means something and is not rubber-stamped 200 times a day.
- Require a second check for irreversible actions specifically; reversibility, not just impact, decides the gate.
See and stop it
- Log every action the agent takes, with enough context to reconstruct the decision after the fact.
- Monitor for anomalies (unusual volume, new tools, off-pattern actions) rather than assuming silence means safe.
- Build a kill switch you have actually tested: one clear way to stop an agent or class of agents fast.
Own it
- Name a human owner accountable for each agent, not the team in general.
- Test against adversarial inputs, including prompt injection, before and after deployment.
- Set a review cadence; agents are continuous systems, so oversight is continuous too.
Human oversight that actually works
"Human in the loop" is easy to say and easy to fake. If an agent asks a person to approve 200 actions a day, the person clicks approve 200 times and the oversight is theater. Real oversight is selective: autonomy for the low-stakes, reversible actions, and a genuine human decision reserved for the consequential and the irreversible ones. Reversibility is the underrated test. An action you can cleanly undo needs far less gating than one you cannot, even at the same dollar value.
The other half is being able to reconstruct what happened. When an agent does something wrong, the questions are always the same: what did it do, on whose authority, and why. If your logs cannot answer those, you do not have oversight, you have hope.
Where this fits your program
Agents are not a separate governance program; they are a higher tier inside the one you already run. Register each agent in your AI inventory, tier it with the extra weight its ability to act deserves, and apply the agent controls above to the ones that clear the bar. The AI governance framework holds it all together, the AI risk assessment template tiers it, and your committee approves the consequential deployments.
If you are putting agents into production and want the controls set before something acts that you cannot undo, the fixed-scope AI risk assessment ($20,000 to $80,000 depending on scope) is the place to start, and the standing version is AI governance consulting.
One line of hygiene: this page is general information, not legal advice, and the agentic field is unsettled. Verify the current frameworks against their sources, and talk to counsel about obligations that apply to your specific systems.
Questions people ask
- What is agentic AI governance?
- Agentic AI governance is the set of controls and oversight for AI systems that take actions on their own, not just generate text: agents that plan, call tools, and change things in the real world. It covers scoping what each agent may do, requiring human approval for consequential actions, logging every action, and being able to stop an agent fast. The core shift from ordinary AI governance is from reviewing outputs to constraining actions.
- How is governing AI agents different from governing generative AI?
- A generative model produces content that a person reads and decides what to do with; the human is the gate by default. An agent removes that gate: it acts. So the risk moves from "was the answer good?" to "what is it allowed to do, and what happens when it does the wrong thing?" That means least-privilege permissions, approval gates on consequential actions, action-level logging, and a kill switch, on top of everything you already do for generative AI.
- What are the biggest risks of agentic AI?
- The recurring ones: agents given more authority than they need, errors that compound across a multi-step plan, prompt injection that hijacks an agent allowed to act, weak identity so you can't tell who did what, and the fact that an autonomous system's risk is continuous rather than one-time. The OWASP Gen AI Security Project published a Top 10 for agentic applications in December 2025 that catalogs these in more detail.
- Is there an agentic AI governance framework yet?
- Several are emerging, and none is settled. OWASP's Top 10 for agentic applications (December 2025) is the first widely cited risk taxonomy; Singapore released a state-backed Model AI Governance Framework for agentic AI in January 2026; Microsoft shipped an Agent Governance Toolkit in April 2026; and the Cloud Security Alliance is building an agentic profile of the NIST AI RMF. They are competing, not converged, so treat any single one as input, not gospel.
- Can existing frameworks like the NIST AI RMF handle AI agents?
- Partly. The NIST AI RMF functions (Govern, Map, Measure, Manage) still apply and are a fine backbone, but they were written for AI systems in general and only partly address autonomous, tool-using agents that need continuous oversight instead of one-time review. The practical answer is to keep your existing framework and add the agent-specific controls (authority scoping, action gates, logging, kill switch) on top.
Tell us about the work.
A few lines is enough. We read every enquiry ourselves and reply within one business day.