What agentic AI actually is

Agentic AI governance is the set of controls, policies, and oversight mechanisms that organisations need when deploying AI systems capable of autonomous planning, reasoning, multi-step task execution, and real-world action. Unlike traditional AI that responds to individual prompts, agentic AI systems chain actions across systems, call external APIs, make sequential decisions, and operate with limited human intervention, creating privilege, accountability, and structural risks that existing governance frameworks were not designed to manage.

The deployment of AI in agentic configurations has grown rapidly in 2025-2026, driven by the increasing capability of large language models to follow complex instructions, use tools reliably, and maintain coherent behaviour over extended task sequences. Enterprise agentic deployments include: AI research agents that gather and synthesise information; AI coding agents that write, test, and deploy code; AI customer service agents that handle enquiries end-to-end; AI procurement agents that manage supplier interactions; and AI operations agents that monitor systems and respond automatically to alerts.

Why existing governance frameworks fail for agentic AI

Governance frameworks for AI were largely developed in response to specific, bounded AI applications: models that take specific inputs, perform specific functions, and produce specific outputs. The human oversight mechanisms in these frameworks assume that a human can review the AI's output before it has significant consequences. These assumptions break down for agentic AI in two ways. First, the speed problem: agentic AI takes actions faster than human review can keep pace with. An email agent handling customer enquiries may send hundreds of responses per hour, each of which has consequential implications for the organisation. Second, the scope problem: agentic AI may take actions across multiple systems and domains simultaneously, making holistic review by a single human reviewer impossible.

The five governance requirements for agentic AI

Action scope limitation defines the boundaries of what an agentic AI can do without explicit human approval. Each agentic deployment should have a documented action scope: which systems can it access, which actions can it take autonomously, and which actions require human approval. Actions outside the defined scope should require explicit escalation to a human. The scope limitation is both a technical control (implemented through API permissions and action restrictions) and a governance control (documented, reviewed, and enforced).

Pre-execution plan review enables human oversight before the agent begins taking actions. For complex agentic tasks, the agent should be required to produce a plan (the sequence of actions it intends to take) for human review before execution begins. This is particularly important for high-stakes tasks where individual actions may have irreversible consequences. Pre-execution review is less necessary for routine, low-stakes agentic tasks where the action space is well-defined and bounded.

Real-time monitoring with circuit-breakers detects and stops unexpected agent behaviour during execution. The monitoring system should alert on: actions outside the defined scope, unusual frequencies of specific actions, actions in systems the agent has not previously accessed, and actions that exceed defined thresholds (spending above a dollar amount, sending above a number of messages). Circuit-breakers that pause agent execution pending human review are the primary safety mechanism for agentic AI in production.

Comprehensive action logging creates the audit trail necessary for accountability, incident investigation, and regulatory compliance. Every action taken by an agentic AI system (every API call, every message sent, every document accessed or modified, every decision made) should be logged with sufficient detail to reconstruct the agent's reasoning and action sequence after the fact. This logging is required by the EU AI Act's record-keeping obligations for high-risk AI and is increasingly expected by enterprise procurement requirements.

Clear accountability assigns a named human who is responsible for each agentic AI system's behaviour. The accountability must be genuine, not nominal. The accountable person must have the information, authority, and capacity to oversee the agent's operations and to respond when the agent behaves unexpectedly. An accountable owner who is not informed when the agent takes unusual actions, or who lacks the authority to pause the agent, is not providing real accountability.
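
The scope limitation, circuit-breaker and action-logging requirements above, sketched as a single gate placed in front of an agent's tool calls. This is an added example, not code from the guidance or any product: the class names, action names and thresholds are hypothetical, and escalating out-of-scope actions while tripping the breaker only on threshold breaches is an assumption.

```python
import json
import time
from collections import deque
from dataclasses import dataclass

@dataclass
class ActionScope:              # constructed policy; names and limits are illustrative
    systems: set                # systems the agent may touch
    autonomous: set             # actions allowed without a human
    needs_approval: set         # in scope, but a named human must approve first
    max_actions: int = 100      # allowed actions per window before the breaker trips
    window_s: int = 3600
    max_spend: float = 500.0    # cumulative spend ceiling

class AgentGate:
    """Scope check, circuit breaker and action log in front of one agent's tool calls."""
    def __init__(self, agent_id, owner, scope, clock=time.time):
        self.agent_id, self.owner, self.scope, self.clock = agent_id, owner, scope, clock
        self.tripped = False    # open breaker: every call is paused until a human resets it
        self.spent, self.recent, self.seen, self.log = 0.0, deque(), set(), []

    def _record(self, **event):  # one JSON line per decision, allowed or not
        self.log.append(json.dumps({"ts": self.clock(), "agent": self.agent_id,
                                    "owner": self.owner, **event}))

    def check(self, action, system, cost=0.0, approved_by=None):
        s, now = self.scope, self.clock()
        while self.recent and now - self.recent[0] >= s.window_s:
            self.recent.popleft()           # drop timestamps outside the rate window
        if self.tripped:
            decision, reason = "paused", "circuit breaker open"
        elif system not in s.systems or action not in (s.autonomous | s.needs_approval):
            decision, reason = "escalate", "outside documented scope"
        elif action in s.needs_approval and approved_by is None:
            decision, reason = "escalate", "human approval required"
        elif len(self.recent) >= s.max_actions:
            self.tripped, decision, reason = True, "paused", "action rate above threshold"
        elif self.spent + cost > s.max_spend:
            self.tripped, decision, reason = True, "paused", "spend above threshold"
        else:
            decision = "allow"
            reason = "in scope" if system in self.seen else "in scope; first use of system"
            self.recent.append(now); self.seen.add(system); self.spent += cost
        self._record(action=action, system=system, cost=cost, approved_by=approved_by,
                     decision=decision, reason=reason)
        return decision

    def reset(self, reviewer):  # only a human review closes the breaker; the reset is logged
        self.tripped = False
        self._record(action="breaker_reset", approved_by=reviewer)
```

The log records refused and paused attempts as well as allowed ones, together with the accountable owner, so a reviewer can see what the agent tried to do and not only what it did.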

May 2026: Five Eyes Joint Guidance on Agentic AI Security

On 1 May 2026, six national cybersecurity agencies from the Five Eyes alliance jointly published “Careful Adoption of Agentic AI Services,” the first coordinated multi-government security guidance specifically addressing agentic AI systems. The agencies are CISA (US), NSA (US), ASD ACSC (Australia), the Canadian Centre for Cyber Security, NZ NCSC (New Zealand), and UK NCSC (United Kingdom).

The 30-page guidance identifies five categories of risk unique to agentic AI: privilege risks (agents granted excessive system access), design and configuration risks (insecure default settings), behavioural risks (unpredictable agent actions), structural risks (inter-agent trust failures), and accountability risks (unclear responsibility when agents cause harm).

The guidance recommends that organisations deploy agentic AI incrementally, beginning with clearly defined low-risk tasks. It emphasises that strong governance, explicit accountability, rigorous monitoring, and human oversight are not obstacles to AI innovation; they are prerequisites for it. Key practical requirements include least-privilege access for all agents, input validation and output monitoring, human approval for high-impact actions, comprehensive logging of all agent activities, and tested incident response plans specific to agentic AI failures.

For Australian organisations, this guidance should be read alongside the 30 April 2026 industry letter on AI governance from the Australian Prudential Regulation Authority (APRA), which identified many of the same gaps in current governance practices. The 8 May 2026 cyber resilience letter from the Australian Securities and Investments Commission (ASIC) also directly references AI-enabled threats that agentic systems amplify.

Primary source: ASD ACSC, Careful Adoption of Agentic AI Services, 1 May 2026
