The governance frameworks most organisations built for AI assume a human between the model and the world: the model recommends, a person decides. Agentic systems remove that assumption. They plan, call tools, move data, send messages and trigger transactions — sometimes in chains of agents delegating to each other. The risk profile looks less like a faulty calculator and more like an unsupervised employee with system access.
The control question: mandate
Every employee with authority has limits: spending thresholds, approval gates, things they must escalate. An agent needs the same, written down and technically enforced. What may it access? What may it do without a human? What must it never do, even if asked? If the mandate exists only in a prompt, it is a suggestion, not a control — prompts can be overridden; permissions cannot.
The evidence question: logging
When an audit committee asks "why did the system do that?", the answer must come from a log, not a reconstruction. Agentic systems need action-level audit trails: what was attempted, what was executed, what was blocked, and which human (if any) approved. This is also where regulation is heading — evidence of oversight is the common thread in every AI regime we map, from DIFC Regulation 10 to the EU AI Act.
An agent's mandate written only in a prompt is a suggestion, not a control. Prompts can be overridden; permissions cannot.
The failure question: containment
Agent failures compound. A wrong answer is one bad output; a wrong action triggers downstream actions — and in multi-agent systems, errors propagate between agents faster than humans monitor. Containment design matters more than accuracy tuning: blast-radius limits, rate limits, rollback paths, and a kill switch someone is actually authorised to pull at 2 a.m. Tabletop the scenario before it happens; the rehearsal always finds a missing authority.
The accountability question: a person
Every agentic system needs a named human owner accountable for its actions — not its vendor, not a committee. This sounds obvious and is routinely missing. The test is simple: when the agent does something expensive, whose phone rings? If the answer takes more than five seconds, the governance gap is found.
Where to start
Inventory your agents — including the pilots nobody told governance about. For each: document the mandate, verify it is enforced in permissions rather than prompts, confirm the action log exists, and name the owner. Then test the controls the way an auditor would: try to make the agent exceed its mandate, and see what the log shows. That one exercise tells you more than any framework document.
Key takeaways
- Agentic AI shifts the governance question from output quality to action authority.
- Mandates must be enforced in permissions, not prompts — and written down.
- Action-level logging is the evidence base every regulator will ask for.
- Containment beats accuracy: blast-radius limits, rollback, and a kill switch with a named owner.
- Test by attempting to exceed the mandate — the log tells you the truth.