Agentic AI: governing actions, not just decisions
Data governance asks whether you can trust the data. AI governance asks whether you can trust the decision. Agentic governance asks a third question that neither was built to answer: can you contain what the system does? Agentic AI is the eighth, integrating GovCompass element. It binds the other seven under the conditions that autonomy creates, because an AI system that takes actions on your behalf must satisfy all seven pillars continuously, across multi-step and multi-agent chains, without a human checkpoint between each step.
Agentic AI is the integrating element of the GovCompass-7. It sits at the center of the framework, not on the ring, because it binds the other seven the moment a system stops deciding and starts acting.
Why agentic AI needs its own element
The GovCompass-7 organizes responsible AI into seven pillars: fairness, safety and reliability, privacy, security and robustness, transparency and explainability, accountability, and human oversight. Each is a property you establish and then hold in place with preventive, detective, and corrective controls. For a system that produces an output a human then acts on, this is sufficient.
Agentic AI breaks that assumption. An agent does not produce an output for a human to act on. It acts. It calls external services, executes transactions, modifies records, and in multi-agent designs it invokes other agents and spawns sub-tasks. The governance question shifts from "can I trust this decision?" to "can I contain what this system does?" That shift does not replace the seven pillars. It stresses all of them at once, continuously, in a setting where the human checkpoint that most controls quietly rely on has been removed.
This is why agentic AI is the eighth element and why it sits at the center of the framework rather than on the ring. It is not one of the seven. It is the integrating element: the point where the seven are tested under autonomy, and where they either hold together or fail together.
The three layers
A useful way to place agentic AI is alongside its predecessors:
Data governance governs information. Its question is whether the data can be trusted.
AI governance governs decisions. Its question is whether the decision can be trusted.
Agentic governance governs actions. Its question is whether the actions an autonomous system takes can be contained, traced, and reversed.
Most organizations have built the first layer and are building the second. The third layer is where most organizations currently have nothing, and it is the layer that agentic deployment makes urgent.
What changes for each of the seven pillars
Agentic AI is not abstract. Each of the seven pillars acquires a specific agentic dimension:
Human oversight changes shape. The classic "human in the loop", a person who reviews each decision before it takes effect, cannot survive contact with an agent that takes hundreds of actions per minute. Oversight becomes "human on the loop": the human sets boundaries, monitors aggregate behavior, and holds an intervention right, but is no longer the gate on every action. The control that matters is the escalation trigger for high-consequence actions, not the per-action review.
Accountability is tested by the blurring of roles. The EU AI Act assumes that the provider and the deployer are distinct, stable roles. An agent configured with broad tool-calling rights, autonomous decision scope, and the ability to spawn sub-agents can push a deployer into provider-level responsibility. Someone has to be answerable for what a sub-agent did three steps into an autonomous chain. Agentic AI forces that question to be answered before deployment, not after an incident.
Security and robustness faces an entirely new threat surface. Goal hijacking, tool misuse, identity and privilege abuse, memory and context poisoning: these are not variations on prompt injection, they are what prompt injection becomes when the model can act. The OWASP Agentic Security Initiative Top 10 catalogs this surface, and every item maps to a control that the GovCompass-7 security pillar must now carry.
Transparency moves from decision-level to action-level. It is no longer enough to explain why a model produced an output. The agent's chain of actions, which tools it called, with what arguments, in what order, must be logged and reconstructable, because that chain is what an auditor and a supervisory authority will examine.
Safety and reliability has to account for agent drift and cascading failure. A single model degrades predictably. A chain of agents passing outputs to one another can amplify a small error into a confident, well-reasoned, entirely wrong action, with no human between the error and its execution.
Fairness can now propagate through action chains without a checkpoint. A biased intermediate decision that a human would have caught becomes an executed action because no human was in the path.
Privacy is stressed by agents with broad data access that combine information autonomously, reaching conclusions and taking actions on data that no single-purpose system would have joined.
Governing the eighth element
Agentic AI is governed through the same three control layers as every pillar, applied to autonomous action:
Preventive controls constrain what an agent can do before it does anything: scoped tool access, least-privilege identities for each agent, explicit action boundaries, and a documented autonomy level for each deployed agent. Progressive autonomy, starting with a narrow, low-consequence scope and widening it only as evidence accumulates, is the preventive discipline that separates a governed rollout from an ungoverned one.
Detective controls surface what an agent is doing: action-level logging, behavioral monitoring against an expected envelope, and drift detection across multi-agent chains. The detective layer is where agentic programs are thinnest, because action-level telemetry is harder to build than decision-level logging.
Corrective controls contain and reverse: human escalation triggers for high-consequence actions, the ability to halt an agent or a chain mid-execution, rollback capability for executed actions where the domain allows it, and an incident process that treats an agent's runaway action as a reportable event.
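The three control layers above, sketched as a single tool-call gateway. This is an added example, not GovCompass code; the agent names, tool names, payment threshold and the hash-chained log format are assumptions made for illustration.

```python
import hashlib
import json

# Constructed policy: agent identities, tool names and the threshold are
# illustrative assumptions, not values from the GovCompass framework.
POLICY = {
    "invoice-agent": {"tools": {"read_invoice", "create_payment"},
                      "escalate": {"create_payment": lambda a: a.get("amount", 0) > 1000}},
    "report-agent": {"tools": {"read_invoice"}, "escalate": {}},
}

class Gateway:
    """Policy decision point every tool call passes through before execution."""

    def __init__(self):
        self.log = []        # detective: ordered, hash-chained action log
        self.halted = set()  # corrective: chains stopped mid-execution

    def halt(self, chain_id):
        self.halted.add(chain_id)

    def call(self, agent, tool, args, chain_id, approved_by=None):
        scope = POLICY.get(agent)
        if chain_id in self.halted:
            decision = "halted"
        elif scope is None or tool not in scope["tools"]:
            decision = "denied"      # preventive: outside the agent's scoped tools
        elif approved_by is None and scope["escalate"].get(tool, lambda a: False)(args):
            decision = "escalated"   # corrective: wait for a named human approver
        else:
            decision = "allowed"     # the caller runs the tool only on this result
        entry = {"seq": len(self.log), "chain": chain_id, "agent": agent, "tool": tool,
                 "args": args, "approved_by": approved_by, "decision": decision}
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry["hash"] = self._digest(prev, entry)
        self.log.append(entry)
        return decision

    @staticmethod
    def _digest(prev, entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

    def verify_log(self):
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = "0" * 64
        for entry in self.log:
            if entry["hash"] != self._digest(prev, entry):
                return False
            prev = entry["hash"]
        return True
```

Denied, escalated and halted calls are logged alongside allowed ones, so the record shows what each agent attempted as well as what it did.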
Where the regulation stands
The agentic layer is where regulation is moving fastest. Singapore's Model AI Governance Framework for Agentic AI, published in January 2026, is the first dedicated governance model for autonomous systems and signals a regulatory direction the rest of the world is following. Under the EU AI Act, the Commission's draft guidelines on high-risk classification, published in May 2026, make a point that matters directly for agentic deployments: a complex system made up of several AI components, including an agentic stack of orchestrators and sub-agents, is assessed as a whole. Architecture that splits a workflow across several agents does not split the regulatory classification. An orchestrator coordinating sub-agents toward a high-risk decision is one high-risk system, and the obligations attach to the stack.
That is the practical core of agentic AI as a governance element. The eighth element is not a future concern. It is the element that determines whether your existing AI governance survives the move from systems that decide to systems that act.