When AI Agents Start Acting: Why Autonomy Is the Next Governance Risk

Over the last few weeks, we’ve looked at two related questions.

The first was what happens when an AI model goes down. As firms embed AI into business processes, model failure is no longer simply a technology issue. It can quickly become a customer, conduct, supplier, resilience, data and business continuity issue.

The second was why non-financial operational risk is causal by nature. A disruption, control failure or conduct issue should not only prompt firms to ask what happened. It should prompt them to ask what made the event possible in the first place.

This final article brings those two themes together through a newer and more difficult question.

What happens when AI stops simply advising and starts acting?

AI is no longer limited to producing outputs for humans to review. Increasingly, firms are exploring AI agents that can access systems, interpret information, initiate workflows, draft communications, update records, support case management, triage alerts or recommend operational action.

Some of this may be low risk. Some of it may improve efficiency, consistency and speed. But the risk profile changes when AI moves from answer to action.

A model that generates a poor recommendation is one kind of risk. An AI-enabled agent that acts on that recommendation, triggers a process, changes a record, communicates externally or escalates a decision is something else entirely.

At that point, the governance question is no longer simply: can the model be trusted?

It becomes: what is the system permitted to do on behalf of the firm?

The shift from output risk to authority risk

Much of the AI governance debate has understandably focused on model performance. Accuracy, bias, explainability, data quality, hallucination, validation and monitoring all matter. And they still matter.

But agentic AI adds another layer because it introduces the question of authority.

What can the system access?
What can it change?
What can it trigger?
Who approved that permission?
Where is human judgement required?
Where is it merely optional?
And can the firm evidence all of this after the event?

That is a very different governance challenge from reviewing whether a model’s output was accurate.

The risk is no longer only in the answer the AI gives. It is in the action the organisation allows it to take.

This is where AI governance starts to move more firmly into the territory of non-financial operational risk. The issue is not just whether the technology performs as expected. It is whether the operating model around it is clear, controlled and auditable.

Not all AI agents carry the same risk

One of the dangers in this area is treating AI agents as a single category. They are not.

A read-only agent that summarises internal policy documents is not the same as an agent that can update customer records. An agent that drafts a response for human review is not the same as one that sends the response directly. An agent that recommends a control action is not the same as one that executes it.

The difference is autonomy.

There is a material difference between an AI system that can observe, one that can advise, one that can act with approval, and one that can act autonomously. Each level requires a different control environment.

The higher the autonomy, the more important the questions of access, monitoring, escalation, rollback, accountability and evidence become.

Good governance cannot simply divide AI into approved and unapproved use. It needs to understand the level of autonomy being granted, the systems being accessed and the potential consequences if something goes wrong.

The governance model has to be proportionate not only to the technology, but to the authority being delegated.

When permissions become policy

One of the greatest risks with agentic AI is that authority may not always be granted through a clear governance decision. It may be granted through permissions.

An AI agent is connected to a system. A workflow is integrated. A tool is given access to customer data. An automation is allowed to update a record. A third-party platform is embedded into a process.

At each step, what looks like a technical configuration may also be a governance decision. If permissions are not mapped to business authority, firms may accidentally delegate more operational power than they intended.

That is the risk.

The boundary of what an AI agent can do may not be set by the board, the risk function or the governance committee. It may be set by whoever configured the access rights.

In agentic AI, access is not just a technical setting. It is a delegation of authority. And delegation without clear ownership is a control weakness waiting to surface.

This matters because many firms already struggle to maintain clear visibility of data access, system dependencies, user permissions and third-party integrations. Agentic AI adds a further layer of complexity because the system may not only consume information. It may act on it.

That means risk teams need to look beyond whether an AI tool has been approved. They need to understand what that approval actually permits.

Human-in-the-loop is not always control

Many firms will take comfort from the phrase “human-in-the-loop”. Sometimes that comfort will be justified. Sometimes it will not.

A human review point is only an effective control if the person has the time, expertise, information and authority to challenge what the system is doing. If a human is simply clicking approval because the workflow expects it, that is not meaningful oversight. It is procedural reassurance.

The same is true where an AI system produces a recommendation so quickly, confidently or at such volume that human review becomes superficial. The organisation may still describe the process as human-controlled, but in practice, the system is shaping the decision.

This distinction really matters.

The question is not whether a human appears somewhere in the process. The question is whether human judgement genuinely constrains the action being taken.

For risk, compliance and audit teams, that means testing the control in practice, not accepting the label at face value. They need to ask the causal question: what made the action possible?

If an AI agent creates an operational issue, the firm should not stop at the most obvious explanation.

The agent made an error. The model produced a poor output. The data was incomplete. The workflow failed. The user did not check the result.

Those may all be true. But they may not be the root issue. The stronger questions are:

Why was the agent allowed to act in that context?
Who approved its level of autonomy?
Was its access proportionate to its role?
Were the controls designed for advice or for action?
Was human approval a genuine control, or simply a procedural step?
Could the action be reversed?
Was there a complete audit trail?
Did assurance understand the full end-to-end process?

That is the difference between treating an incident as a technology failure and treating it as a non-financial operational risk event.

The technology may have failed. But the organisation may have created the conditions in which that failure could have an operational consequence.

This is why causality matters.

An AI-related incident may appear to sit in the model, the data or the workflow. But the underlying causes may sit in governance, ownership, control design, third-party oversight, access management or operating model complexity.

Unless firms understand those causal factors, they risk fixing the symptom while leaving the exposure intact.

The third-party blind spot

There is also a third-party dimension.

Many firms will not build every AI agent themselves. They will adopt them through software platforms, workflow tools, cloud providers, enterprise applications and specialist vendors.

That may create a blind spot.

The organisation may think it is buying a tool, when in practice it is introducing a decision-support or action-taking capability into a business process.

That changes the third-party risk question.

It is no longer enough to ask whether the supplier is secure, stable and compliant. Firms may also need to ask what autonomous or semi-autonomous functions are embedded in the service, how they are governed, what data they can access, what logs are available, and whether the firm can evidence decisions made through the tool.

If a third-party AI agent becomes part of a critical process, then it is not just a vendor feature. It is part of the firm’s operational risk environment.

The tool may be familiar. The new capability may not be.

What good governance should look like

Good governance does not mean blocking AI agents altogether. Nor does it mean placing every use case under the same level of review.

A stronger approach is proportionate governance based on autonomy, access and consequence.

Firms should start by mapping where AI agents are being used or tested. That should include tools developed internally, capabilities embedded in third-party platforms and local business-led experimentation.

They should then classify those agents by what they are permitted to do. Some may only observe. Some may advise. Some may prepare actions for approval. Some may act independently within defined parameters.

That classification should then be connected to controls.

A low-risk read-only agent may need basic access controls, logging and data protection review. An agent that can change records, trigger customer communications or initiate workflow actions will need stronger approval mechanisms, monitoring, escalation routes, rollback capability and clear ownership.

The firm also needs to define what human oversight means in practice. Human approval should not be treated as a label. It should be tested as a control.

Finally, the organisation needs audit-ready evidence.

If something goes wrong, it should be possible to reconstruct what happened, what the agent did, what data it used, what approval was given, what controls operated and who was accountable for the outcome.

Without that evidence, accountability becomes difficult to prove precisely when it matters most.

Autonomy without accountability is unmanaged delegation

The firms that manage this well will not be the ones that slow AI adoption to a halt. They will be the ones who understand where autonomy exists, what it can affect, and how it is governed before something goes wrong.

Because once AI agents begin to act inside the operating model, the governance issue is no longer just whether the technology is powerful, accurate or resilient. It is whether the organisation has knowingly delegated authority to it.

That is the real shift.

AI agents may help firms move faster. They may reduce manual effort, improve response times and support better operational consistency.

But speed without clear authority, evidence and accountability is not efficiency. It is unmanaged delegation.

And unmanaged delegation has always been a risk issue.
