← Back to blog
Product releases

5 Questions Every AI Governance Lead Should Ask About Agent Oversight

Matt Doughty
TL;DR

AI governance frameworks designed for models do not cover agents. These five questions help governance leads extend their programmes to address the...

1. Does our governance framework account for autonomous agent actions?

Most AI governance frameworks were designed for traditional AI systems: models that take an input and return an output, with human review in between. These frameworks assess model accuracy, bias, and fairness — important concerns, but incomplete for agents.

AI agents act autonomously. They call tools, access data, interact with external systems, and make multi-step decisions without human approval at each stage. A governance framework that only evaluates the model misses the majority of agent risk — which lies in what the agent does, not what the model predicts.

Governance leads should audit their existing framework to determine whether it covers agent-specific concerns: tool access permissions, runtime policy enforcement, escalation workflows, multi-agent delegation chains, and the full lifecycle from registration to decommissioning.

2. Can we demonstrate compliance with auditable evidence — not just policies?

Governance teams often produce excellent policy documents. But regulators and auditors increasingly want evidence that policies are operationally enforced — not just written down.

For AI agents, this means demonstrating that every agent action was checked against policy at runtime, that violations were detected and handled, that escalations were routed correctly, and that the complete decision chain is recorded in immutable audit logs.

Governance leads should ask whether their current tooling produces this evidence automatically, or whether compliance depends on manual reviews and spot checks. Automated, continuous compliance evidence is more reliable, more scalable, and more convincing to regulators than periodic manual audits.

3. How do we govern agents across organisational boundaries?

AI agents do not respect org chart boundaries. A marketing agent might call a data analytics tool maintained by engineering. A customer service agent might access a CRM owned by sales. A finance agent might interact with external bank APIs managed by treasury.

Each of these interactions crosses organisational boundaries with different data owners, different compliance requirements, and different risk appetites. Governance leads need a framework that works across these boundaries — with consistent policies, shared audit trails, and clear accountability for cross-boundary interactions.

This typically requires a centralised governance layer (a control plane) that enforces policies regardless of which team owns the agent or the resource. Without centralisation, each team implements its own governance approach, creating inconsistencies and gaps that only become visible during incidents or audits.

4. Do we have a risk-based approach to agent approval and oversight?

Not all agents carry the same risk. An agent that summarises internal documents is lower risk than one that executes financial transactions or processes patient health records. Applying the same governance rigour to both wastes resources on low-risk agents and may under-govern high-risk ones.

Governance leads should establish a risk classification framework for agents — similar to the EU AI Act's risk tiers — that calibrates oversight to the agent's potential impact. Low-risk agents might need only registration and basic monitoring. Medium-risk agents might require policy enforcement and periodic review. High-risk agents might require human-in-the-loop approval for critical actions, enhanced monitoring, and regular audits.

This risk-based approach makes governance scalable. It ensures high-risk agents receive the attention they need while avoiding bureaucratic overhead that slows down low-risk deployments.

5. How will our governance programme adapt as agents become more capable?

AI agent capabilities are advancing rapidly. Agents that today handle simple, bounded tasks will soon manage complex, multi-step processes with broader autonomy. Governance frameworks that work for today's agents may be inadequate for next year's.

Governance leads should build adaptability into their programme. This means policies expressed as code (easily updated), risk classifications that can be revised as agent capabilities change, monitoring that detects new behaviour patterns, and governance reviews triggered by capability changes rather than just calendar intervals.

The goal is a governance programme that evolves with agent capabilities — tightening controls when agents gain new powers, relaxing them when agents prove reliable, and always maintaining the visibility and evidence that regulators and stakeholders require.