'/%3e%3cg%20fill='none'%20stroke-linecap='round'%3e%3ccircle%20cx='32'%20cy='32'%20r='22'%20stroke='%239bb2dc'%20stroke-width='1'%20opacity='0.7'/%3e%3cpath%20d='M14%2032%20A18%2018%200%200%201%2032%2014'%20stroke='%230a7ec4'%20stroke-width='1.6'/%3e%3cpath%20d='M50%2032%20A18%2018%200%200%201%2032%2050'%20stroke='%230a7ec4'%20stroke-width='1.6'%20opacity='0.85'/%3e%3ccircle%20cx='32'%20cy='32'%20r='13'%20stroke='%230a7ec4'%20stroke-width='1'%20opacity='0.5'/%3e%3ccircle%20cx='32'%20cy='32'%20r='8'%20stroke='%23d97706'%20stroke-width='2'/%3e%3cpath%20d='M32%206%20v3%20M32%2055%20v3%20M6%2032%20h3%20M55%2032%20h3'%20stroke='%230a7ec4'%20stroke-width='1.2'%20opacity='0.75'/%3e%3c/g%3e%3ccircle%20cx='32'%20cy='32'%20r='2.6'%20fill='%230a7ec4'/%3e%3c/svg%3e){kind=small}
'/%3e%3cg%20fill='none'%20stroke-linecap='round'%3e%3c!--%20outer%20HUD%20arc%20--%3e%3ccircle%20cx='32'%20cy='32'%20r='22'%20stroke='%231e3566'%20stroke-width='1'%20opacity='0.7'/%3e%3cpath%20d='M14%2032%20A18%2018%200%200%201%2032%2014'%20stroke='%235ee9ff'%20stroke-width='1.6'/%3e%3cpath%20d='M50%2032%20A18%2018%200%200%201%2032%2050'%20stroke='%235ee9ff'%20stroke-width='1.6'%20opacity='0.85'/%3e%3c!--%20mid%20arc%20--%3e%3ccircle%20cx='32'%20cy='32'%20r='13'%20stroke='%235ee9ff'%20stroke-width='1'%20opacity='0.45'/%3e%3c!--%20amber%20inner%20ring%20--%3e%3ccircle%20cx='32'%20cy='32'%20r='8'%20stroke='%23f5a524'%20stroke-width='2'/%3e%3c!--%20tick%20marks%20--%3e%3cpath%20d='M32%206%20v3%20M32%2055%20v3%20M6%2032%20h3%20M55%2032%20h3'%20stroke='%235ee9ff'%20stroke-width='1.2'%20opacity='0.7'/%3e%3c/g%3e%3ccircle%20cx='32'%20cy='32'%20r='2.6'%20fill='%235ee9ff'/%3e%3c/svg%3e){kind=small}
Agentic governance without slowing the program down
Most agent governance frameworks fail one of two ways: too loose to defend, or so heavy nothing ships. There's a middle path.
The two failure modes
Loose: every team launches its own agent, no one knows which data they touch, and the first audit creates a six-month freeze. Heavy: a 40-page framework, a fortnightly review board, and a delivery team that quietly stops asking for approval.
Both end in the same place — a stalled program and a board asking what happened to the AI strategy.
Three roles
Accountable executive — the line leader whose P&L the agent moves. Owns the decision to ship.
Data steward — owns the data scope the agent touches and confirms it's allowed for that purpose.
Risk reviewer — single named person from legal/risk who signs the risk register entry. Not a committee.
Three gates
Scope gate (week one): use case, data scope, success metric, risk class — one page, approved by the three roles. No engineering until this is signed.
Pre-launch gate (before production): test results against the success metric, controls in place, kill-switch defined. Same three roles sign.
30-day review: did the metric move, did any control fire, expand or descope. Same three roles.
One register
A single agent register lists every agent in production, owner, data scope, last review date, and risk class. If you can't render it in one screen, the program has scaled past your governance.
How does your governance compare to the peer band?
The diagnostic benchmarks your governance posture and surfaces the controls executives in your industry are actually using.
Run the Agentic Decision Catalog