The governance frameworks most organisations built for AI assume a human between the model and the world: the model recommends, a person decides. Agentic systems remove that assumption. They plan, call tools, move data, send messages and trigger transactions — sometimes in chains of agents delegating to each other. The risk profile looks less like a faulty calculator and more like an unsupervised employee with system access.

The control question: mandate

Every employee with authority has limits: spending thresholds, approval gates, things they must escalate. An agent needs the same, written down and technically enforced. What may it access? What may it do without a human? What must it never do, even if asked? If the mandate exists only in a prompt, it is a suggestion, not a control — prompts can be overridden; permissions cannot.

The evidence question: logging

When an audit committee asks "why did the system do that?", the answer must come from a log, not a reconstruction. Agentic systems need action-level audit trails: what was attempted, what was executed, what was blocked, and which human (if any) approved. This is also where regulation is heading — evidence of oversight is the common thread in every AI regime we map, from DIFC Regulation 10 to the EU AI Act.

An agent's mandate written only in a prompt is a suggestion, not a control. Prompts can be overridden; permissions cannot.

The failure question: containment

Agent failures compound. A wrong answer is one bad output; a wrong action triggers downstream actions — and in multi-agent systems, errors propagate between agents faster than humans monitor. Containment design matters more than accuracy tuning: blast-radius limits, rate limits, rollback paths, and a kill switch someone is actually authorised to pull at 2 a.m. Tabletop the scenario before it happens; the rehearsal always finds a missing authority.

The accountability question: a person

Every agentic system needs a named human owner accountable for its actions — not its vendor, not a committee. This sounds obvious and is routinely missing. The test is simple: when the agent does something expensive, whose phone rings? If the answer takes more than five seconds, the governance gap is found.

Where to start

Inventory your agents — including the pilots nobody told governance about. For each: document the mandate, verify it is enforced in permissions rather than prompts, confirm the action log exists, and name the owner. Then test the controls the way an auditor would: try to make the agent exceed its mandate, and see what the log shows. That one exercise tells you more than any framework document.

Key takeaways

  • Agentic AI shifts the governance question from output quality to action authority.
  • Mandates must be enforced in permissions, not prompts — and written down.
  • Action-level logging is the evidence base every regulator will ask for.
  • Containment beats accuracy: blast-radius limits, rollback, and a kill switch with a named owner.
  • Test by attempting to exceed the mandate — the log tells you the truth.