Agentic governance must go beyond traditional IT practice
Industry experts agree: Agentic AI requires new governance methods, not traditional IT playbooks. The current agentic governance gap threatens to derail enterprise AI adoption.
Autonomous technology needs strong governance policies or it can wreak havoc on systems and workflows. Despite this reality, organizations are woefully behind in implementing effective agentic AI governance.
McKinsey & Co.'s "2026 AI Trust Maturity Survey," which included responses from nearly 500 organizations, highlighted this governance gap. Only a third of respondents said their businesses are taking steps to develop the necessary responsible AI practices concerning strategy, governance and agentic AI controls.
R Systems, which develops SaaS products, including AI systems, for software providers and businesses, in conjunction with global research firm Everest Group, produced the "Agentic AI 2026: A Mid-market Playbook for Adoption and Scale" report. It surveyed 206 organizations across several industries and found that only 7% had agentic-specific policies in place, with another 30% having only generic AI frameworks or none at all. This represents a clear gap in organizational preparedness for agentic AI risk management.
R Systems CEO Nitesh Bansal said that his organization consistently found that people are treating AI governance, security and policy frameworks the same as traditional IT. "People aren't thinking in terms of how an agentic ecosystem needs to be governed, and what kind of controls need to be put in place," he said.
Despite these governance gaps, businesses are adopting agentic AI en masse. McKinsey's report "The state of AI in 2025: Agents, innovation and transformation," surveyed nearly 2,000 respondents; 23% said they're scaling an agentic system somewhere in their business and another 39% said their organizations have begun experimenting with agents.
This contradiction of businesses rushing to adopt agentic AI without strong agentic governance policies in place creates a dangerous agentic governance gap. The main issue is that leaders aren't treating this new technology as a novel challenge; instead, they're using outdated, traditional IT frameworks to build governance policy. Without a solid agentic-focused governance policy, businesses could find they're contending with workflow failures, unintended discriminatory practices and even contractual disputes.
The traditional IT trap
There are several reasons why businesses turn to traditional IT frameworks for agentic governance despite their drawbacks. The tool-adoption mentality that many IT professionals subscribe to is one of them, according to R Systems' Bansal.
"Companies have started adopting AI as if it were tool adoption: 'If I buy the right tool, then half of my problems are solved,'" he said. Organizations that implement agentic AI in a tool-based approach are doing a disservice to broader enterprise adoption because tool implementation and enterprise AI preparedness are different ballgames, he explained.
Policy is one generation behind. Everyone is improvising.
Michael PrivatChief data and engineering officer at Availity
This can lead to further issues as IT and business leaders are still understanding how this new AI technology fits within their existing infrastructure. While trying to keep pace with new technology, businesses can often fall back on traditional adoption and governance practices -- it's easier, and the existing frameworks are already in place. This gives the illusion that they can maintain their agility and competitive advantage in the marketplace. However, lax adoption, ethical and governance policies can create more problems down the line.
Businesses are also trying to approach agentic governance with a one-size-fits-all approach, said Michael Privat, chief data and engineering officer at Availity, which provides independent administrative services to healthcare companies. This becomes another roadblock to enshrining appropriate organizational governance measures.
Teams are trying to stretch the traditional AI governance framework to cover agentic behavior, Privat said. "That doesn't fit. The policy is one generation behind. Everyone is improvising, and some are more disciplined than others," he said.
Bansal echoed this sentiment. "It's still experimentation," he said of agentic governance. "The whole security framework, governance and auditability are an afterthought."
What makes agentic governance different?
Agentic AI is a new technology that presents new dangers to unprepared organizations. The main difference between agentic AI and traditional AI and IT is that agentic can predict and act autonomously, whereas traditional infrastructure systems require human input, especially when making decisions.
"Agentic AI governance is more about actions. Actions are about side effects. That's a different surface entirely," Privat said.
Agentic governance also has a "chain of decisions" problem he explained, and unlike traditional AI and IT systems, it's sequential and emergent. AI agents form chains of decisions to complete their goals, whereas traditional systems focus on a single output. This distinction requires a broader scope of governance where teams have to scrutinize every step of an agent's decision-making process rather than the system's output.
With agentic AI the point of failure is often the sequence of events and not an individual step, Privat added. "The failure isn't in one decision. The failure is in the chain of decisions that each probably looked reasonable at the time, but when you put them together, you have a bigger problem."
How to close the agentic governance gap
The agentic governance gap leaves businesses open to harm and liability. Businesses should focus on three agentic governance issues -- ownership, explainability and oversight -- to ensure tighter control of their systems:
Unclear ownership
Most businesses don't have a clear mandate on ownership of agentic AI. Often everyone in an organization has partial responsibility, Privat said. "Is agentic AI governance an engineering, legal, compliance or production problem? In most organizations that I talk to, the answer right now is 'Yes. It's all of them,'" he said.
However, this mindset can lead to an improvisational form of ownership over AI agents, which is less coordinated and ineffective for careful governance.
"If everyone owns the thing, no one owns the thing," Privat said. "If you don't have a body that's responsible for the governance, and everybody ends up being responsible in some way, you will not have strong governance."
Some considerations regarding ownership include whether providers or users should be held accountable for agents that commit ethical mishaps. Or whether it's the responsibility of employees or their company when an agent experiences scope drift or acts upon incorrect data. While businesses own the outputs of the AI models they use, the model provider is responsible for the underlying infrastructure and training.
In matters of ethical AI, Bansal said, the majority of the responsibility lies with the providers.
"The onus of implementing ethical AI lies a lot more on those who are generating the frontier models … who are building the applications and platforms," he said. "If not done ethically, without bias and in a responsible manner, it can lead to a significant downstream impact which, to some extent, is beyond the control of the consumer of that technology."
Explainability issues
Bansal stressed the importance of explainability within agentic governance policy. "Explainability needs to be added as an architectural principle," he said.
Our understanding of exactly how AI completes its work is still limited, Bansal said. Because businesses are still developing this understanding, it's important that they are able to explain the decision-making process of autonomous AI systems so they can solve problems and prevent errors. Using a human-in-the-loop by design is one of the best ways to accomplish this, Bansal said.
To deal with the chain-of-decision problem, Bansal said, organizations using agentic AI need integrated observability measures that explain an agent's reasoning.
Audit mechanisms
Organizational oversight and monitoring are also important. Many organizations lack capability gates, behavioral guardrails and audit trails to govern agentic AI, according to Privat. It's important for businesses to log every action, tool call and state transition for audit purposes, he added.
Businesses that can develop governance strategies defining ownership of agentic AI tools and providing explainability and audit mechanisms for these tools will better position themselves to manage the risks of agentic AI.
Dangers of the agentic governance gap
Businesses that don't implement governance practices to close the agentic AI governance gap leave themselves open to legal liability, reputational damage and broken workflows. Some companies are already experiencing ethical implications from agentic systems.
As AI evolves, agentic evolves, and new AI comes into being, companies need to adapt, to evolve their policies.
Peter BerkSenior attorney at Clark Hill
Workday is the defendant in the class action lawsuit Mobley v. Workday, allegedly for discriminatory hiring practices in its AI hiring tool. A federal class action suit alleges that major hotel chains' use of an AI pricing platform resulted in what the U.S. Department of Justice and the Federal Trade Commission call price coordination. The DOJ also named a national landlord in an antitrust suit, alleging that the defendants' AI agents ignored legal boundaries to achieve better pricing and revenue for its businesses.
These suits represent real issues businesses are facing with this technology. Without strong governance, agents potentially can act in discriminatory ways. Or they can experience scope drift, skirting laws and regulations to achieve their goals without processing the legal or ethical considerations.
These examples highlight the three issues that are creating the agentic governance gap: unclear ownership, lack of explainability principles and missing audit mechanisms. Without clear ownership, who's responsible when failures occur -- particularly something as life-altering as being locked out of the job market by an allegedly discriminatory AI model? Without clear audit mechanisms and explainability principles, what guardrails can ensure that agents won't experience scope drift, going beyond their specified boundaries and taking rogue actions, like illegal price gouging?
What's next for agentic AI governance?
Agentic governance is a priority now more than ever as the technology evolves from emerging to ubiquitous. Traditional IT guidance is only optimal for systems that produce a single output, not for autonomous systems with complex chains of thought and reasoning. Agentic AI is only improving, and we need to rise to meet it where it's at.
"We're in the early stages of what AI can and will be able to do," said Peter Berk, senior attorney at international law firm Clark Hill. "As AI evolves, agentic evolves, and new AI comes into being, companies need to adapt, to evolve their policies."
Some leaders "are very aware of the risks and are going into this process with their eyes wide open," Berk said, while others "maybe don't have as much information or experience" but are being pushed to adopt it.
Committing to a greater understanding of agentic AI is the key to creating an effective governance strategy. This responsibility lies with leadership and the wider employee base. Without investment from everyone within the organization, even the best governance policy could fall short.
"The policy is only as good as its implementation and adoption by employees and the company," Berk said.
Everett Bishop is an associate site editor for Informa TechTarget's AI & Emerging Tech group, covering AI, quantum computing and other emerging technologies.
