← Back to blog
Product releases

5 Questions Every Head of AI Should Ask About Agent Governance

Matt Doughty
TL;DR

Scaling AI agents from pilots to production requires governance infrastructure. These five questions help Heads of AI evaluate whether their...

1. Are we building governance into our agent platform — or bolting it on later?

Most AI teams start with a handful of agents and minimal governance. Policies are informal, monitoring is ad hoc, and oversight depends on individual developers doing the right thing. This works for three agents. It does not work for thirty, and it definitely does not work for three hundred.

Heads of AI should ask whether governance is being designed into the agent platform architecture from the start. This means standardised agent registration, policy-as-code enforcement, centralised observability, and consistent audit trails — built as platform capabilities, not afterthoughts.

Organisations that bolt governance on later face a painful retrofit: existing agents must be instrumented, inconsistent practices must be standardised, and governance gaps must be closed under time pressure. Building it in from the start is always cheaper and less disruptive.

2. Can our governance scale across multiple agent frameworks?

Enterprise AI teams rarely standardise on a single agent framework. One team uses LangChain, another prefers CrewAI, a third builds custom orchestration, and a fourth is evaluating Semantic Kernel. Each framework has different architecture, different tool-calling patterns, and different monitoring capabilities.

Heads of AI should ask whether their governance approach works across all frameworks — or whether each framework requires its own governance implementation. Framework-agnostic governance, typically enforced at the runtime layer where agents interact with external systems, provides consistent policies regardless of how agents are built.

This is critical for scalability. When a new framework emerges or a team switches frameworks, governance should not need to be rebuilt. Policies, enforcement, and audit trails should work the same way across every agent in the portfolio.

3. How do we balance agent autonomy with organisational control?

The value of AI agents comes from their autonomy — their ability to reason, plan, and act without human intervention at every step. But unconstrained autonomy creates risk. The challenge is finding the right balance for each use case.

Heads of AI should develop a risk-based framework that calibrates agent autonomy to the stakes involved. Low-risk tasks (summarising documents, answering FAQs) can operate with high autonomy and minimal oversight. High-risk tasks (financial transactions, customer-facing decisions, data access) should require human approval, spending limits, or restricted tool access.

This calibration should be expressed as governance policies that are enforced at runtime — not as guidelines that depend on developer judgment. The policy framework should make it easy to adjust autonomy levels as agents prove themselves reliable or as business requirements change.

4. Do we have visibility into agent costs at the team and task level?

AI agent costs are notoriously unpredictable. A single agent interaction can consume vastly different resources depending on task complexity, model used, tools called, and reasoning depth. Multiply this variability across dozens of agents and multiple teams, and budget surprises become inevitable.

Heads of AI should ask whether they can attribute costs at the agent, team, and task level. This means tracking token consumption, tool invocation costs, compute time, and human review costs — and mapping them to the business outcomes they produce.

Cost visibility enables informed decisions: which agents justify their expense, which need optimisation, which should use cheaper models for routine tasks, and where spending limits should be set. Without this visibility, AI budgets grow uncontrollably and executives lose confidence in the ROI of agent deployments.

5. What is our plan for governing agents we did not build?

Not all agents in your organisation will be built by your AI team. Business units adopt SaaS products with embedded agents. Partners deploy agents that interact with your APIs. Open-source tools include agent capabilities that developers adopt without formal evaluation.

Heads of AI should ask how governance applies to these external agents. Can they be registered in the agent registry? Are their tool calls subject to the same runtime policies? Do they generate audit trails that satisfy compliance requirements?

The governance framework should be expansive enough to cover agents the organisation builds, agents embedded in third-party products, and agents deployed by partners — because all of them interact with organisational data and systems, and all of them create risk if ungoverned.