Founding customer program now open Start with an Agent Exposure Review

Executive briefing

The new non-human insider.

AI agents can act with enterprise authority at machine speed. Board oversight must move beyond model accuracy and ask whether consequential actions are bounded, reviewed, contained, and provable.

Published July 16, 2026 · Executive brief · approximately 8 minutes
Request a board briefing
A chatbot can produce a poor answer. An agent with authority can create a poor outcome in a customer account, codebase, financial system, clinical workflow, claims process, or public communication channel.

What changed

Generative AI began as an output problem: organizations focused on hallucinations, inappropriate content, intellectual-property concerns, and sensitive information entering prompts. Agentic systems introduce an action problem. Software can now retrieve records, call tools, send communications, change applications, initiate transactions, modify code, and coordinate other agents.

The risk is not that every agent will become “rogue.” The risk is that an agent may be compromised, misdirected, over-permissioned, poorly supervised, or simply wrong while holding authority that creates material business impact.

The board control model

  1. Inventory: Know which agents exist, where they run, who owns them, what they can reach, and which business outcomes they affect.
  2. Identity: Resolve the agent, initiating human or process, model, deployment, tool, and responsible owner.
  3. Authority: Limit what each agent may read, create, change, send, buy, approve, delete, deploy, or disclose.
  4. Oversight: Require accountable human review for sensitive, high-value, regulated, irreversible, novel, or externally visible actions.
  5. Evidence: Record the complete path from intent and authority through policy, approval, execution, and outcome.
  6. Containment: Revoke the smallest affected component quickly and restore it only after remediation and testing.

Ten questions directors should ask

Which AI agents can take actions that materially affect customers, money, code, regulated data, operations, or public trust?

Require an answer organized by action and business impact, not merely a list of AI applications or model providers.

Does every production agent have a named business owner and technical owner?

Ownership must include authority to approve changes, accept exceptions, fund controls, and stop the workflow.

Can management explain the maximum authority held by each high-impact agent?

Ask what the agent can read, change, send, approve, transact, disclose, delete, and deploy under normal and exceptional conditions.

Which consequential actions require accountable human approval?

Review thresholds, approver independence, decision context, bypass risk, emergency exceptions, and evidence.

How does the organization prevent one agent from crossing customer, tenant, patient, account, repository, or regional boundaries?

Boundary controls should be enforced at data retrieval and action execution, not entrusted to prompt instructions.

What happens when an agent, model, tool, server, or identity is compromised?

Management should demonstrate selective revocation, safe mode, evidence preservation, response ownership, and controlled restoration.

Can investigators reconstruct why an action was allowed and what happened afterward?

Evidence should connect initiating identity, agent, model reference, data, tool, policy, approval, execution, and downstream effects.

How are third-party agents and embedded AI features governed?

Vendor status does not remove the need for inventory, contractual boundaries, technical controls, evidence, testing, and incident obligations.

Which changes can increase agent authority without a security review?

Models, prompts, tools, permissions, MCP servers, data sources, dependencies, destinations, and workflow logic can all change risk.

What evidence shows that controls work under adversarial conditions?

Ask for current tests of prompt injection, goal hijacking, tool poisoning, privilege escalation, data leakage, approval bypass, and containment.

Metrics worth seeing

  • Inventory coverage: Percentage of production and pilot agents with complete owner, model, tool, data, and action records.
  • High-impact action coverage: Percentage of identified consequential actions protected by enforceable policy.
  • Bounded authority: Percentage of agents using narrow, short-lived, task-specific authority rather than broad inherited credentials.
  • Human oversight: Percentage of sensitive and irreversible actions covered by independent approval, with bypass and exception rates.
  • Evidence completeness: Percentage of consequential actions with an end-to-end identity, policy, approval, and outcome record.
  • Control effectiveness: Blocked, constrained, redacted, and escalated actions by severity, cause, tool, and business unit.
  • Change exposure: Material agent, model, tool, permission, data, and server changes awaiting review or regression testing.
  • Containment readiness: Time to identify, selectively revoke, preserve evidence, enter safe mode, and restore a tested workflow.
  • Exception debt: Open policy exceptions by severity, owner, expiration, compensating control, and age.
  • Customer and regulatory impact: Security reviews, audit findings, contract delays, incidents, complaints, and control commitments related to AI agents.

Metrics that can mislead

Counts of prompts scanned, models approved, employees trained, AI policies published, or alerts generated may show activity without demonstrating control over consequential actions. Boards should ask what business effect was prevented, constrained, approved, evidenced, or contained.

Three decisions for management

  1. Define the boundary: Which actions may agents perform autonomously, conditionally, or never?
  2. Choose the enforcement model: Where will identity, authority, policy, approval, evidence, and containment be implemented across the architecture?
  3. Set the proof standard: What evidence must exist before an agent moves into production, gains a new tool, receives broader authority, or handles a new data class?

Recommended first step

Select one production or near-production workflow with clear business impact. Map the complete action path, test its failure modes, define bounded authority, place consequential actions behind enforceable policy, and exercise the kill switch. Use the result as the reference pattern for the rest of the portfolio.

Board-ready summary

“Management is treating AI agents as delegated enterprise actors. The company is inventorying high-impact workflows, limiting authority by action and context, requiring human approval at consequential edges, preserving complete action evidence, and testing selective containment before expanding autonomy.”

Autonomous does not mean unaccountable.
Fugitive Intelligence · Keep AI on mission.