Agentic AI: governing actions, not just decisions
Data governance asks whether you can trust the data. AI governance asks whether you can trust the decision. Agentic governance asks a third question that neither was built to answer: can you contain what the system does? Agentic AI is the eighth GovCompass element. It binds the other seven under the conditions that autonomy creates, because an AI system that takes actions on your behalf must satisfy all seven elements continuously, across multi-step and multi-agent chains, without a human checkpoint between each step.
Agentic AI is the integrating element of the GovCompass-7. It sits at the centre of the framework, not on the ring, because it binds the other seven the moment a system stops deciding and starts acting.
Why agentic AI needs its own element
The GovCompass-7 organises responsible AI into seven control domains: fairness, safety and reliability, privacy, security and robustness, transparency and explainability, accountability, and human oversight. Each is a property you establish and then hold in place with preventive, detective, and corrective controls. For a system that produces an output a human then acts on, this is sufficient.
Agentic AI breaks that assumption. An agent does not produce an output for a human to act on. It acts. It calls external services, executes transactions, modifies records, and in multi-agent designs it invokes other agents and spawns sub-tasks. The governance question shifts from "can I trust this decision?" to "can I contain what this system does?" That shift does not replace the seven elements. It stresses all of them at once, continuously, in a setting where the human checkpoint that most controls quietly rely on has been removed.
This is why agentic AI is the eighth element and why it sits at the centre of the framework rather than on the ring. It is not a peer control domain. It is the integrating element: the point where the seven are tested under autonomy, and where they either hold together or fail together.
The three layers
A useful way to place agentic AI is alongside its predecessors:
Data governance governs information. Its question is whether the data can be trusted.
AI governance governs decisions. Its question is whether the decision can be trusted.
Agentic governance governs actions. Its question is whether the actions an autonomous system takes can be contained, traced, and reversed.
Most organisations have built the first layer and are building the second. The third layer is where most organisations currently have nothing, and it is the layer that agentic deployment makes urgent.
What changes for each of the seven elements
Agentic AI is not abstract. Each of the seven elements acquires a specific agentic dimension:
Human oversight changes shape. The classic "human in the loop", a person who reviews each decision before it takes effect, cannot survive contact with an agent that takes hundreds of actions per minute. Oversight becomes "human on the loop": the human sets boundaries, monitors aggregate behaviour, and holds an intervention right, but is no longer the gate on every action. The control that matters is the escalation trigger for high-consequence actions, not the per-action review.
Accountability is tested by the blurring of roles. The EU AI Act assumes that the provider and the deployer are distinct, stable roles. An agent configured with broad tool-calling rights, autonomous decision scope, and the ability to spawn sub-agents can push a deployer into provider-level responsibility. Someone has to be answerable for what a sub-agent did three steps into an autonomous chain. Agentic AI forces that question to be answered before deployment, not after an incident.
Security and robustness faces an entirely new threat surface. Goal hijacking, tool misuse, identity and privilege abuse, memory and context poisoning: these are not variations on prompt injection, they are what prompt injection becomes when the model can act. The OWASP Agentic Security Initiative Top 10 catalogues this surface, and every item maps to a control that the GovCompass-7 security element must now carry.
Transparency moves from decision-level to action-level. It is no longer enough to explain why a model produced an output. The agent's chain of actions, which tools it called, with what arguments, in what order, must be logged and reconstructable, because that chain is what an auditor and a supervisory authority will examine.
Safety and reliability has to account for agent drift and cascading failure. A single model degrades predictably. A chain of agents passing outputs to one another can amplify a small error into a confident, well-reasoned, entirely wrong action, with no human between the error and its execution.
Fairness can now propagate through action chains without a checkpoint. A biased intermediate decision that a human would have caught becomes an executed action because no human was in the path.
Privacy is stressed by agents with broad data access that combine information autonomously, reaching conclusions and taking actions on data that no single-purpose system would have joined.
Governing the eighth element
Agentic AI is governed through the same three control layers as every other element, applied to autonomous action:
Preventive controls constrain what an agent can do before it does anything: scoped tool access, least-privilege identities for each agent, explicit action boundaries, and a documented autonomy level for each deployed agent. Progressive autonomy, starting with a narrow, low-consequence scope and widening it only as evidence accumulates, is the preventive discipline that separates a governed rollout from an ungoverned one.
Detective controls surface what an agent is doing: action-level logging, behavioural monitoring against an expected envelope, and drift detection across multi-agent chains. The detective layer is where agentic programmes are thinnest, because action-level telemetry is harder to build than decision-level logging.
Corrective controls contain and reverse: human escalation triggers for high-consequence actions, the ability to halt an agent or a chain mid-execution, rollback capability for executed actions where the domain allows it, and an incident process that treats an agent's runaway action as a reportable event.
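The three layers can be seen working together in a single gate that every tool call passes through. The sketch below is an added example, not part of the GovCompass material; the class names, the tool names, the "billing-agent" identity and the approval rule standing in for a human reviewer are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentPolicy:
    allowed_tools: frozenset   # preventive: scoped tool access per agent identity
    escalate_tools: frozenset  # corrective: high-consequence calls need a human

class ActionGate:  # single choke point that every tool call passes through
    def __init__(self, policies, tools, approver):
        self.policies, self.tools = policies, tools
        self.approver = approver  # callable(agent, tool, args) -> bool
        self.log = []             # detective: ordered action-level record
        self.halted = set()       # corrective: add an agent id to stop it mid-chain

    def _decide(self, agent, tool, args):
        policy = self.policies.get(agent)
        if policy is None or agent in self.halted:
            return "deny:halted-or-unknown"
        if tool not in policy.allowed_tools or tool not in self.tools:
            return "deny:out-of-scope"
        if tool in policy.escalate_tools and not self.approver(agent, tool, args):
            return "deny:not-approved"
        return "allow"

    def call(self, agent, tool, args):
        decision = self._decide(agent, tool, args)
        # Log before executing, so denied attempts are reconstructable too.
        self.log.append({"seq": len(self.log), "agent": agent, "tool": tool,
                         "args": dict(args), "decision": decision})
        if decision != "allow":
            raise PermissionError(decision)
        return self.tools[tool](**args)

def demo():
    # Constructed tools, agent id and approval rule (stand-in for a human reviewer).
    tools = {"read_invoice": lambda inv: {"id": inv},
             "issue_refund": lambda amount: f"refunded {amount}"}
    policy = AgentPolicy(frozenset(tools), frozenset({"issue_refund"}))
    gate = ActionGate({"billing-agent": policy}, tools,
                      lambda agent, tool, args: args["amount"] <= 100)
    steps = [("read_invoice", {"inv": "INV-1"}), ("issue_refund", {"amount": 50}),
             ("issue_refund", {"amount": 500}), ("delete_records", {"table": "invoices"})]
    for tool, args in steps:
        try:
            gate.call("billing-agent", tool, args)
        except PermissionError:
            pass
    return gate
```

Because the log entry is written before the tool runs, the record an auditor reads includes the refused refund and the out-of-scope call, not only the actions that executed.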
Where the regulation stands
The agentic layer is where regulation is moving fastest. Singapore's Model AI Governance Framework for Agentic AI, published in January 2026, is the first dedicated governance model for autonomous systems and signals a regulatory direction the rest of the world is following. Under the EU AI Act, the Commission's draft guidelines on high-risk classification, published in May 2026, make a point that matters directly for agentic deployments: a complex system made up of several AI components, including an agentic stack of orchestrators and sub-agents, is assessed as a whole. Architecture that splits a workflow across several agents does not split the regulatory classification. An orchestrator coordinating sub-agents toward a high-risk decision is one high-risk system, and the obligations attach to the stack.
That is the practical core of agentic AI as a governance element. The eighth element is not a future concern. It is the element that determines whether your existing AI governance survives the move from systems that decide to systems that act.