AI Agents Are Already Making Decisions in Your Organisation. Who Authorised Them?

A practical governance position for boards navigating agentic AI: Before regulators, auditors, and headlines arrive.

By the end of 2025, McKinsey reported that 62% of organisations were experimenting with agentic AI, with 23% already scaling agentic systems in at least one business function. An IBM survey of 1,000 enterprise AI developers found 99% were exploring or building agents. This is not a horizon issue. Agents are being deployed against real decisions in real organisations, including, almost certainly, yours.

The hard question for a board is not whether to permit them. That decision is being made for you, one workflow at a time, often inside SaaS products you have already bought. The question is whether your accountability, oversight and assurance arrive ahead of the agents or behind them.

That gap, between technology and governance, is what this article is about. Not because it is new. Because it is not.

The Delegation Test

If I were to distil twenty years of work on this into a single diagnostic for directors, it is this:

Before your organisation deploys an agent, you should be able to answer the same questions you would answer before delegating authority to a new hire. If you cannot, you do not have governance. You have hope.

If you take nothing else from this article, put these three on the agenda:

1. Where are agents already operating in your environment? Including those inside SaaS products you have already bought. You cannot govern what you do not know about.
2. For each one: who owns its decision rights, and what is their accountability when it acts? If the answer is “the vendor” or “the IT team”, you have a governance gap, not a deployment one.
3. What is your roadmap to a strategic and defensible position on agentic AI? This is not a tooling roadmap. It is a position you can defend to a regulator, an auditor, a board committee, and your own people.

To address these for the board, leadership teams will need to work through the detail:

1. What role does this agent fill?
2. What instructions has it been given?
3. What policies and procedures must it abide by?
4. What decisions is it authorised to make?
5. What are the boundaries of its authority?
6. What happens when it encounters something outside its mandate?
7. Who manages it, reviews its performance, provides it feedback, and how often?
8. How was it onboarded, and under what conditions will it be retired or offboarded?

These are not AI questions. They are management questions. They are governance questions. They are board questions.

These are also some of the same questions I was asking in 2005 (but more on that later).

What Happens If You Do Not Act

The cost of waiting is not theoretical. It shows up in organisational and personal accountability:

1. Uncontrolled agent decisions in regulated workflows. Procurement approvals, customer remediation, hiring screening, credit decisions: places where an agent acting outside its mandate is a regulatory or reputational event, not a software bug.
2. Regulatory exposure that is no longer optional. The EU AI Act, Singapore’s IMDA framework, and Australia’s transition from a voluntary AI Safety Standard towards a mandatory one all assume the organisation can demonstrate role definition, decision rights, and oversight for each deployed agent. If you cannot produce these on request, you are in the wrong defensive position before the conversation starts.
3. Accountability gaps that surface only at audit, breach, or board inquiry. By that point, your position is reactive, and the question is no longer “what is our policy?”. It is “who decided to deploy this, and why was it not governed?”.
4. Australia’s voluntary AI Ethics Principles are being superseded by mandatory obligations. The organisations that can demonstrate governance now will be in a defensible position. Those that cannot will be explaining why not.

In each case, the failure mode is the same: governance arriving after the agents, not ahead of them.

If an agent makes a consequential decision inside your organisation today, and you cannot clearly state who authorised it, what its mandate is, and who is accountable when it acts, then that accountability sits with you by default. Not the vendor. Not the IT team. You.

The Real Shift: From Tool Governance to Partner Governance

Most of the governance trouble organisations are walking into right now traces back to one mental model: the assumption that an AI system is a tool.

When you govern AI as a tool, you evaluate it for accuracy. You control it via prompts. You treat errors as system faults. You ask: “is it working?”.

When you govern AI as a functional partner, the questions shift entirely.

Tool governance	Partner governance
Evaluate for accuracy	Evaluate for judgement and role performance
Control via prompts and configuration	Govern via authority and constraints
Errors are faults	Errors may be decisions taken under uncertainty
Ask: “Is it working?”	Ask: “Is it operating within its mandate?”

The implications are significant. This is not a technology question. It is an accountability question, and accountability is a board-level concern. If an agent can perceive, decide and act within a role to the required standard, it should be governed according to that role. Not dismissed as “just a tool.”

This Is Not New Thinking. And That Is the Problem.

In 2005, I introduced a concept called Fully Equal Partners: artificial agents participating alongside humans as genuine collaborators in shared decision-making, not passive tools. I built and tested this in a system called TeamMATE, where human and artificial agents negotiated resources and pursued shared objectives in a boardroom scenario. What I described was never cognitive equivalence. It was functional equality: an agent able to fulfil a defined role, to the standard required, alongside humans. That distinction is the one the 2026 governance frameworks are now converging on.

The World Is Catching Up

Three major frameworks released in the last 12 months – Singapore’s IMDA, UC Berkeley’s autonomy classifications, and the World Economic Forum’s agent onboarding model – are converging on the same principle: accountability scales with autonomy, and agents need to be governed like staff, not tools.

The vocabulary of agentic governance is forming. It is the vocabulary boards and executive teams will be expected to use.

What to Do This Quarter

A practical 90-day starting point:

1. Discover. Inventory where agents are already operating, including inside SaaS products and embedded vendor capabilities.
2. Assign. For every identified agent, name the human accountable for its decisions. Not a vendor, not a team, not a platform: a name.
3. Test. Run the Delegation Test against your three highest-risk agents. The ones you cannot answer for are your first governance priorities.
4. Baseline. Establish a governance baseline you can defend to a regulator, an auditor, and a board committee. Not perfect. Defensible.

The adoption problem you do not see on the architecture diagram Even a perfectly governed agent fails if the humans around it will not work with it. Introducing an agent into a team is a workforce change, not a software deployment. Existing staff must accept a non-human contributor as a legitimate part of how decisions get made. Trust, transparency about what the agent is and is not doing, and clarity on who is accountable when it acts: these are change-management problems, not technical ones. The legitimacy of an artificial collaborator is a social problem, not just a technical one. See also: Do We Really Need Change Management for Copilot Adoption? by Deborah-Ann Allan, on the Business Aspect insights page.

The Technology Has Changed. The Governance Challenge Has Not

From the early 2000s, when I first started my AI journey, the technology has changed beyond recognition. The governance challenge has not.

The organisations that handle agentic AI well over the next two years will not be the ones with the cleverest models. They will be the ones whose boards and executives treat the agentic question as a workforce and accountability challenge, building a position that is both strategic and defensible before regulators, auditors and headlines arrive.

The Time is Now to Act

If your organisation is already deploying AI agents, and most are, the question is not whether you need governance. It is whether you are already behind.

Business Aspect has been delivering AI governance and strategy engagements for government departments, regulators, and essential service providers across Australia. We work with boards and executive teams to establish a strategic and defensible position on agentic AI, through AI Strategy & Roadmap and AI Governance & Assurance engagements designed to deliver in weeks, not months.

If you cannot answer the Delegation Test today, you do not have governance. You have exposure.

Business Aspect runs the Delegation Test with boards and executive teams as a structured governance assessment, typically completed in two to four weeks. If you are not confident your organisation can pass it today, that is the conversation to have.

Further Reading from Business Aspect

1. Leading Through AI Disruption: Strategic Guidance for Business Leaders by Dave Hanrahan.
2. Maximising AI Investments: Beyond Individual Productivity by Daniel Thomas and Duncan Unwin.
3. Do We Really Need Change Management for Copilot Adoption? by Deborah-Ann Allan.

References

Thomas, D.I. & Vlacic, L.B. (2005). “TeamMATE: Computer game environment for collaborative and social interaction.” IEEE International Conference on Industrial Informatics.

Thomas, D.I. & Vlacic, L.B. (2009). “Toward Societal Acceptance of Artificial Beings.” In M. Khosrow-Pour, D.B.A. (Ed.), Encyclopedia of Information Science and Technology, Second Edition (pp. 3778–3783). IGI Global Scientific Publishing.

Thomas, D.I. & Vlacic, L.B. (2012). “The Business of Collaborating: Designing and Implementing a Group Decision-making Scenario Using the TeamMATE Collaborative Computer Game.” In Handbook of Research on Serious Games as Educational, Business and Research Tools. IGI Global.

IAPP (2025). “AI Governance in the Agentic Era.” International Association of Privacy Professionals.

IMDA (2026). Model AI Governance Framework for Agentic AI. Singapore Infocomm Media Development Authority. Released at the World Economic Forum, Davos, 22 January 2026.

Madkour, N., Newman, J., Raman, D., Jackson, K., Murphy, E.R. & Yuan, C. (2026). Agentic AI Risk-Management Standards Profile. UC Berkeley Center for Long-Term Cybersecurity.

McKinsey Global Institute (2025). “Agents, Robots, and Us: Skill Partnerships in the Age of AI.” McKinsey & Company.

World Economic Forum & Capgemini (2025). AI Agents in Action: Foundations for Evaluation and Governance. White Paper, 27 November 2025.

McKinsey & Company (2025). “The State of AI in 2025: Agents, Innovation, and Transformation.” McKinsey Global Survey, November 2025.

IBM & Morning Consult (2025). “Survey: Generative AI Makes Tasks Simple, But Developing That AI is Anything But.” IBM Newsroom, 8 January 2025.