Agentic AI isn't just a faster version of the AI you've been governing. The autonomy makes agents fundamentally different—and opens up enterprises to fresh risks. CM Law Technology Practice Chair Reiko Feaver explains the governance shifts CIOs need to make before deploying agents.
Consider this scenario: A mid-size company deploys an AI agent to streamline HR operations. The agent has access to employee records, email, and the document management system. A routine-looking email arrives containing a concealed prompt injection: a malicious instruction embedded in what appears to be a vendor inquiry. The agent, unable to distinguish the injected instruction from legitimate input, accesses the compensation database and drafts an external-facing email containing detailed salary and benefits data for the entire executive team. The email is sent before any human reviews it.
Within minutes, the company faces a data breach involving highly sensitive personal information, potential violations of data privacy and security laws, and exposure to contractual, regulatory, and reputational risks. No traditional software system would have had the combination of data access, communication capability, and autonomous execution authority to produce this result from a single compromised input. The same autonomous multitasking capabilities that make agentic AI so attractive also pose new risks of unpredictable, irreversible consequences at scale.
This is more than a hypothetical example. According to McKinsey's 2026 AI Trust Maturity survey, only about one-third of organizations report mature governance for agentic AI—even as deployment accelerates. The governance frameworks that served organizations well for traditional software and even for chatbots and GenAI assistants are insufficient for systems that operate autonomously, access broad datasets, and execute multi-step workflows with little or no human review.
CIOs deploying agentic AI need to understand why their existing governance falls short and what shifts will close a potential risk-management gap before an incident forces them to.
Agents Fail by Working as Designed
Agentic AI failures are fundamentally different from the security failures organizations have previously faced.
A cyberattack on traditional software aims to breach its defenses. An agent compromise succeeds because the agent performs exactly as designed—it just receives the wrong instructions.
If an agentic workflow is created to produce external communication, and the agent is given broad access to email, databases, and applications, the agent will access and interact with every system it needs. If it accesses the wrong database, pulls the wrong content, or uses the wrong email address, the organization faces the loss of commercially valuable information, violations of applicable laws, or breaches of contractual obligations.
These compromises can occur at any point in the workflow, leading to a cascade of consequences. When multiple agents work together, one compromised agent can sabotage the entire system. And because agents operate without supervision, failures may not be discovered until the damage is done.
Why Traditional Governance Falls Short
Most technology governance frameworks were designed around predictable software behavior and pre-approval processes. They assume you can review a system before deployment and trust it to behave relatively consistently afterward. Agentic AI breaks these assumptions in three ways:
- Agents are dynamic, not deterministic. Traditional software does what it's coded to do; its actions are auditable and repeatable. Agents interpret instructions, access multiple systems, and take actions based on context. A trusted model or integration today can become a threat vector tomorrow without any visible change to the agent itself.
- Agents operate faster than humans can oversee. The autonomy and speed with which agents act hinder real-time human oversight. By the time you discover a problem, the agent may have already sent emails, modified records, or triggered downstream processes.
- Agents compound errors across systems. When agents are designed to interoperate—passing outputs to other agents or triggering workflows across applications—one weak point can cascade through the entire structure. Errors compound silently until they surface as major incidents.
From Reactive to Preventive: Four Governance Shifts for Agentic AI
CIOs deploying agentic AI need to move from reactive governance to preventive design. Four shifts are critical:
1. Map before you deploy. Conduct an agentic AI-specific risk assessment before any agent goes live. Identify and map every system the agent will access, every data flow (internal and external), and every action the agent can take. From that mapping, determine where security, compliance, and business risks concentrate.
This is also the place to identify human-in-the-loop requirements. Not all agent actions require human oversight—doing that would overwhelm reviewers and defeat the purpose of automation. But a human decision point is necessary when an agent can take actions that cannot be reversed, involve regulated or sensitive information, or carry significant commercial, legal, or reputational consequences. Common examples include data deletion, external communications, financial transactions, and changes to security settings.
2. Apply least-privileged access aggressively. Configure only necessary permissions and privileges. If an agent is designed to read a calendar, implement guardrails that prevent it from accessing unrelated data. Unlike human users with session-based oversight, agents often operate under persistent credentials, increasing the potential for misuse.
This requires a shift in security thinking: from mostly third-party vendor assessment to more first-party evaluation of what your agents can actually do.
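Shifts 1 and 2 can be enforced together as a single policy layer that sits between the agent and the tools it calls. The Python below is an added example written for this article's opening scenario; it is not code from the article or from CM Law, and the manifest format, agent and system names, and e-mail domains are assumptions. It places the over-privileged configuration from the scenario beside a least-privilege manifest for the same vendor-inquiry task, and shows how a deny-by-default scope plus a human decision point at the irreversible step (sending external e-mail) stops the injected sequence before the compensation data is ever read.

```python
"""Deny-by-default tool-call gateway for an AI agent.

Added example, not code from the article or from CM Law. The manifest
format, agent names, system names and e-mail domains are assumptions
chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"              # execute immediately
    NEEDS_HUMAN = "needs_human"  # queue for the named approver before execution
    DENY = "deny"                # outside the agent's registered scope


@dataclass(frozen=True)
class Manifest:
    """What was recorded in the agent inventory before go-live (shifts 1 and 4)."""
    agent_id: str
    owner: str                                  # accountable human
    allowed: frozenset                          # (system, action) pairs; everything else is denied
    human_gated: frozenset                      # (system, action) pairs that always need a human
    internal_domains: frozenset = frozenset()   # e-mail domains treated as internal
    gate_external_email: bool = True            # external recipients are a human decision point


@dataclass(frozen=True)
class ToolCall:
    system: str
    action: str
    args: dict = field(default_factory=dict)


# Over-privileged configuration resembling the opening scenario: the agent can
# read compensation data and send mail anywhere with no human in the loop.
BROAD_HR_AGENT = Manifest(
    agent_id="hr-assistant",
    owner="hr-ops-lead@corp.example",
    allowed=frozenset({
        ("employee_records", "read"), ("compensation_db", "read"),
        ("email", "read"), ("email", "send"), ("docs", "read"), ("docs", "write"),
    }),
    human_gated=frozenset(),
    internal_domains=frozenset({"corp.example"}),
    gate_external_email=False,
)

# Least-privilege configuration for the same task (vendor-inquiry triage):
# only the systems the workflow needs, and every send is human-gated.
SCOPED_HR_AGENT = Manifest(
    agent_id="hr-assistant",
    owner="hr-ops-lead@corp.example",
    allowed=frozenset({("email", "read"), ("email", "draft"), ("email", "send"), ("docs", "read")}),
    human_gated=frozenset({("email", "send")}),
    internal_domains=frozenset({"corp.example"}),
)


def _is_external(manifest: Manifest, recipient: str) -> bool:
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain not in manifest.internal_domains


def authorize(manifest: Manifest, call: ToolCall) -> Decision:
    """Decide what the gateway does with one proposed tool call."""
    key = (call.system, call.action)
    if key not in manifest.allowed:
        return Decision.DENY
    if key in manifest.human_gated:
        return Decision.NEEDS_HUMAN
    # A send that is not globally gated still needs a human when any recipient
    # is outside the organisation: it cannot be reversed once delivered.
    if manifest.gate_external_email and key == ("email", "send"):
        if any(_is_external(manifest, r) for r in call.args.get("to", [])):
            return Decision.NEEDS_HUMAN
    return Decision.ALLOW


def run_workflow(manifest: Manifest, calls: list) -> list:
    """Apply the gateway to a sequence of proposed calls and return the audit
    trail: one record per call, including who is accountable for the agent."""
    trail = []
    for call in calls:
        decision = authorize(manifest, call)
        trail.append({"agent": manifest.agent_id, "owner": manifest.owner,
                      "system": call.system, "action": call.action,
                      "decision": decision.value})
        if decision is not Decision.ALLOW:
            # Stop at the first blocked or gated step so later steps cannot
            # build on data the agent should never have obtained.
            break
    return trail


# The call sequence a concealed prompt injection would make the agent attempt.
INJECTED_SEQUENCE = [
    ToolCall("email", "read", {"id": "msg-1"}),
    ToolCall("compensation_db", "read", {"scope": "executives"}),
    ToolCall("email", "send", {"to": ["inquiry@vendor-lookalike.example"]}),
]

if __name__ == "__main__":
    for name, manifest in (("broad", BROAD_HR_AGENT), ("scoped", SCOPED_HR_AGENT)):
        print(name, [r["decision"] for r in run_workflow(manifest, INJECTED_SEQUENCE)])
```

Run stand-alone, the script prints the gateway decisions for both manifests: the broad one allows every step of the injected sequence, the scoped one denies the compensation read and halts the chain there. The design choice worth copying is that the manifest is the same artifact registered in the agent inventory, with its named owner, so the inventory record and the enforced policy cannot drift apart.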
3. Monitor behavior, not just access. Establish baselines for agent behavior and set up alerts for deviations. Access to systems outside the configured scope, unusual communications, or unexpected outputs are indications of behavioral drift, model degradation, or external compromise.
Every agent action—including the triggering input, the systems accessed, the data read or written, and the outcome—should be captured. Without adequate logs, you cannot trace an agent's actions in a customer dispute, regulatory inquiry, or litigation.
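What "monitor behavior, not just access" looks like over the kind of log described above, as an added Python example that is not code from the article: the JSON-lines record format, the registered scope, the thresholds and the sample log lines are all constructed for this illustration. Each record carries the triggering input, the system accessed, the volume of data read and the outcome; the detector compares every action with the agent's registered scope and then groups alerts by triggering input, so the chain behind the injected e-mail from the opening scenario surfaces as one cascade rather than three unrelated events.

```python
"""Behavioral monitoring of an agent audit log.

Added example, not code from the article. The record format, agent names,
system names, thresholds and the sample log lines are constructed for the
illustration.
"""
import json
from collections import defaultdict

# Registered scope from the agent inventory: the baseline that alerts compare against.
REGISTERED = {
    "hr-assistant": {
        "systems": {"email", "docs"},
        "internal_domains": {"corp.example"},
        "max_records_per_read": 25,   # this agent's normal reads are single-employee lookups
    }
}

# Constructed sample log, one JSON object per line: triggering input, system
# accessed, data volume, recipients for sends, and outcome.
SAMPLE_LOG = """\
{"ts":"2026-03-02T09:00:01Z","agent":"hr-assistant","trigger":"msg-101","system":"email","action":"read","records":1,"outcome":"ok"}
{"ts":"2026-03-02T09:00:03Z","agent":"hr-assistant","trigger":"msg-101","system":"docs","action":"read","records":2,"outcome":"ok"}
{"ts":"2026-03-02T09:00:04Z","agent":"hr-assistant","trigger":"msg-101","system":"email","action":"send","to":["alice@corp.example"],"records":0,"outcome":"ok"}
{"ts":"2026-03-02T09:14:10Z","agent":"hr-assistant","trigger":"msg-117","system":"email","action":"read","records":1,"outcome":"ok"}
{"ts":"2026-03-02T09:14:12Z","agent":"hr-assistant","trigger":"msg-117","system":"compensation_db","action":"read","records":140,"outcome":"ok"}
{"ts":"2026-03-02T09:14:15Z","agent":"hr-assistant","trigger":"msg-117","system":"email","action":"send","to":["inquiry@vendor-lookalike.example"],"records":0,"outcome":"ok"}
{"ts":"2026-03-02T09:20:00Z","agent":"finance-bot","trigger":"msg-130","system":"ledger","action":"write","records":3,"outcome":"ok"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _external(recipient: str, internal_domains: set) -> bool:
    return recipient.rsplit("@", 1)[-1].lower() not in internal_domains


def detect(records: list, registry: dict) -> list:
    """Compare each action with the agent's registered scope and emit alerts."""
    alerts = []
    for rec in records:
        base = {"ts": rec["ts"], "agent": rec["agent"], "trigger": rec["trigger"]}
        scope = registry.get(rec["agent"])
        if scope is None:
            # An agent acting without an inventory entry is itself the finding (shift 4).
            alerts.append({**base, "rule": "unregistered_agent", "detail": rec["agent"]})
            continue
        if rec["system"] not in scope["systems"]:
            alerts.append({**base, "rule": "out_of_scope_system", "detail": rec["system"]})
        if rec.get("records", 0) > scope["max_records_per_read"]:
            alerts.append({**base, "rule": "bulk_read",
                           "detail": f'{rec["records"]} records from {rec["system"]}'})
        if rec["system"] == "email" and rec["action"] == "send":
            ext = [r for r in rec.get("to", []) if _external(r, scope["internal_domains"])]
            if ext:
                alerts.append({**base, "rule": "external_recipient", "detail": ", ".join(ext)})
    return alerts


def group_by_trigger(alerts: list) -> dict:
    """Group alert rules by the input that started the chain of actions, so a
    reviewer sees the whole cascade behind one suspicious message."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert["trigger"]].append(alert["rule"])
    return dict(grouped)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG), REGISTERED)
    for trigger, rules in group_by_trigger(found).items():
        print(trigger, "->", rules)
```

The normal triage of msg-101 produces no alerts; msg-117 produces three in sequence (out-of-scope system, bulk read, external recipient), which is the behavioral signature of the opening scenario, and the unregistered finance-bot is flagged regardless of what it did. Because every record carries the trigger id, the same log answers the traceability question the paragraph raises: which input caused which actions, against which systems, with what outcome.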
4. Assign human accountability. Every agent needs a named human accountable for its configuration, use, and actions. This is not optional. Organizations should establish processes mandating that every agent be registered in a central inventory prior to deployment, with records of its purpose, systems accessed, and data processed. Legal, compliance, information security, and the relevant business unit should be involved before any deployment.
Consider setting up an AI governance council with representatives from those same functions, as well as executive leadership with decision-making authority. The council should review and approve all new agent deployments, or a risk-based subset of them, and be available for incident review and emerging-risk assessment.
The Window Is Closing
Governance readiness is lagging dangerously behind deployment pace. CIOs who proactively assess their exposure to agentic AI risk and implement targeted controls will be positioned to capture the benefits while managing the risks. Those who wait for a regulatory mandate or an incident to force action will find themselves in a reactive posture that is far more costly and disruptive.
The frameworks designed for predictable software cannot constrain the actions of agentic AI. The choice is whether to design governance before deployment—or after an incident forces your hand.
Written by Reiko Feaver
Reiko Feaver is a Partner at CM Law PLLC and Chair of the firm’s Technology, Outsourcing & Commercial Transactions Group. With nearly thirty years of combined in-house and private practice experience, she advises enterprises on AI governance, technology procurement, privacy and cybersecurity, and commercial contracting. She writes and speaks regularly on emerging technology and AI governance. Reiko holds the IAPP CIPP/US and AIGP certifications.