Managing Decision Authority in the Age of Agentic AI

In 2020, no one was asking who authorized the software to act. The question was unnecessary. Software did not initiate spend, modify workflows, or commit the company to anything that mattered. Five years later, that has changed. Enterprises are deploying autonomous agents that move money, approve exceptions, and execute in real time on behalf of the business. The question "who is authorized to do this" just acquired a new class of subject, and most authority frameworks were not designed to answer it for non-humans.

The category that didn't exist five years ago

Recent surveys make the trajectory clear. In SailPoint's research on AI agent deployment, 98% of organizations plan to expand their use of AI agents over the next year, and 96% of technology professionals already consider those agents a growing security risk. The same study found that 80% of organizations have already experienced unintended actions by their agents: an agent accessing data outside its scope, executing a step it was not asked to take, or acting on stale instructions.

That trajectory is not slowing. Microsoft's 2025 Work Trend Index describes a new operating model it calls the Frontier Firm, where every employee leads a hybrid team of humans and AI agents. The framing matters because it concedes something most enterprise software vendors are still avoiding: agents are not assistants, they are co-workers, and co-workers need defined authority.

The security community has reached a similar conclusion through a different path. The OWASP Top 10 for LLM Applications 2025 elevated "Excessive Agency" from the eighth-most-significant risk in 2023 to the sixth in 2025. That re-ranking is not a redesign of the list. It is a recognition that as agents do more, the consequences of letting them act outside their lane have moved up the threat model.

What is new in this category is not the technology. It is the question. Software has been making conditional decisions for decades through workflow engines, rules engines, and approval routing. What changed is that an agent can also discover paths a static workflow never would. It can choose a vendor, modify a contract clause, escalate or de-escalate at its own discretion, and complete a transaction with no human in the loop. The locus of decision shifted from a deterministic rule to a probabilistic actor, and that shift is what created a new category.

Identity governance answers a different question than authority governance

Most enterprises already have an answer to "who is this principal?" Identity platforms govern access. Single sign-on, multi-factor authentication, role-based access control, and just-in-time provisioning have collectively become a mature stack, and the same stack now extends to non-human identities through service accounts and machine identities.

Authority governance asks a different question: "what is this principal authorized to decide, and at what dollar, scope, or time limit?" The two questions sound similar in casual conversation. They diverge sharply in practice.

Identity governance answers whether an agent has the right to read a record, hit an API, or write to a system. Authority governance answers whether the agent is permitted to commit the business to a particular outcome: approving an invoice, modifying a contract, releasing a payment, executing a trade. The first is system access. The second is delegated decision rights.

The conflation costs enterprises real money. A buyer asks an identity governance vendor whether their platform covers AI agent authority. The vendor answers truthfully that the platform manages agent access. The buyer hears that the platform manages agent authority. Six months later the buyer discovers that the access controls are well configured and the approval ceilings are still in spreadsheets.

For agents the gap is not academic. An agent that can hit an API can in principle initiate a fifty-thousand-dollar commitment. The question of whether that commitment requires human review, escalates above a threshold, or carries a time-bound expiration is not solvable with role-based access control. It is the domain of the authority management layer, and that layer is what most enterprise stacks are missing.

What governing agent authority actually requires

Four ingredients sit at the heart of every defensible authority framework, regardless of whether the actor is a human or an agent.

The first is an explicit limit. A delegation that says "the agent can approve expense reports" is not a delegation, it is a permission. A delegation that says "the agent can approve expense reports under five hundred dollars, in budgeted categories, with auto-flagging above two hundred" is a delegation. The unit of governance is not the action, it is the boundary on the action.

The second is a time boundary. Authority that does not expire becomes authority that no one remembers granting. For agents this matters more than it does for humans, because the cost of letting a stale delegation live in production is higher: the agent will keep acting on it until the delegation is revoked.

The third is an escalation trigger. The point of agentic AI is that it can act on the eighty-percent case. The corresponding requirement is that it must hand off cleanly when the case falls outside the boundary. An agent without an escalation path is an agent that will guess.

The fourth is an audit trail. Every action the agent takes should be reconstructable: what authority was in force, who granted it, what conditions applied, and what the agent did. This is not a logging requirement. It is an evidence requirement, and the difference matters when a regulator or auditor asks who decided.

Most enterprises already have versions of these ingredients for human delegation. According to EY's 2025 study with the Society for Corporate Governance, almost ninety percent of public companies maintain a delegation of authority policy, but only about fourteen percent operate it through a dedicated IT system. The rest run authority through spreadsheets, PDFs, and inherited matrices. That gap is manageable for human approvers, who can recover from a fuzzy boundary by asking. It is not manageable for agents, who cannot.

Building the same four ingredients for agents requires more than a new policy document. It requires embedding the authority checks at the point of execution, so that the limit, the time boundary, and the escalation trigger fire at the moment the agent acts, not after.

The accountability question: who answers when the agent acts?

Authority can be specified. Accountability has to be assigned. The two are different problems, and the difference is what makes agentic AI hard to govern.

When a human acts under delegated authority, accountability follows a familiar shape: the actor is accountable for the action, the delegator is accountable for the delegation, and the organization is accountable for the system that produced both. A useful frame is to think in three tiers: legal accountability that holds in court, operational accountability that holds inside the company, and ethical accountability that holds with stakeholders.

The moral crumple zone problem

Agentic AI does not eliminate any of those tiers. It distributes them differently. The agent has no legal personhood, so legal accountability has to land somewhere else: the agent owner, the deploying business unit, the executive who approved the deployment, or the board that delegated the authority chain in the first place. That fan-out is what produces what scholars have called the "moral crumple zone": when something goes wrong, accountability gets diffuse, and diffuse accountability is functionally no accountability.

Two requirements turn the fan-out back into something operable. The first is that every agent action should produce an audit-ready record linking the action to the authority that permitted it and the human who delegated that authority. The second is that the record should be reconstructable on demand, not pieced together from logs after a regulator asks.

The board sits at the top of this structure. As a recent analysis of Caremark and AI governance argues, directors can delegate operational authority but cannot delegate the accountability for oversight. That is not a new principle for AI. It is the same principle that has governed director duty since the Caremark line of cases, applied to a new operating reality.

What regulators expect

The expectation has begun to take statutory form. The NIST AI Risk Management Framework and its 2024 Generative AI Profile both center on the Govern function: mapping risks to accountable owners, documenting decisions, and maintaining traceability. Article 14 of the EU AI Act goes further, requiring human oversight of high-risk AI systems by default. The bar is moving from "we deployed this" to "we governed it, and we can prove it."

Where regulators are converging

Different regulators have arrived at the same conclusion through different routes. The convergence is what makes 2026 a pivotal year for agentic authority management.

The EU AI Act centers high-risk AI on human oversight. Article 14 requires that systems be designed so a natural person can intervene, override, or shut down operation. For agents, "intervene" is not abstract. It means the authority chain has to be inspectable in real time and revocable on contact.

The NIST AI Risk Management Framework, voluntary in form but increasingly the reference for U.S. enterprises, frames AI governance through four functions: Govern, Map, Measure, and Manage. The Govern function pulls authority and accountability questions to the front of the lifecycle, before deployment, not after.

In January 2026, Singapore became the first jurisdiction to publish a governance framework purpose-built for agentic AI, building on its Model AI Governance Framework first issued in 2019. The new framework names autonomous decision-making as a governance object that requires explicit delegation, oversight, and human accountability, not as a property of the underlying model.

The practitioner community has reached the same place from outside the regulatory frame. OWASP's 2025 LLM Top 10 places "Excessive Agency" sixth on the threat list and explicitly recommends limiting agent permissions, scoping agent actions, and requiring human approval for high-impact operations. The recommendations read like a delegation of authority policy.

Across all four sources the underlying object is the same: a record of what the agent is allowed to do, who authorized it, what the limits are, and what evidence exists when it acts. The convergence is structural, not coincidental.

Where to start: the operator's first ninety days

The risk in waiting for a regulator to compel it is straightforward: by the time the compulsion arrives, the agents are already in production. The first ninety days are the window where authority can be designed in rather than bolted on.

Three steps cover most of the ground.

Step one: inventory

List every agent already running in the business, whether it is a vendor product, an internal build, or a workflow tool that quietly upgraded its capabilities. For each, record what systems it touches, what actions it can take, and what dollar or scope limits exist today, even if those limits live in a comment field rather than a system. Most organizations doing this exercise honestly are surprised by the count.

Step two: limits

Decide what each agent should be authorized to do, expressed as boundaries rather than permissions. The right unit is "approve expense reports under five hundred dollars in budgeted categories, escalate above," not "manage expense reports." Reuse the boundaries from the human delegation matrix where they apply, and add new ones where the agent's behavior pattern requires them. The matrix is the source of truth; the agent is a new actor on it.

Step three: records

Define who reviews, who approves, who can revoke, and who is accountable when the boundaries fail. Write the answers down, in a system, not in a memo. A practical reference for sequencing the first ninety days is the launching an authority program guide, and a complementary operational view is the operations-focused take on AI delegation governance, which goes deeper on integration patterns and rollout tactics.

Doing this work pays back beyond the regulatory check. Per West Monroe's 2026 "Speed Wins" research, seventy-three percent of C-suite executives say cutting decision time in half would unlock at least a five percent revenue uplift. That figure is upside potential, not a guaranteed outcome, but the directional signal is clear: the enterprises that govern agent authority well are also the enterprises that decide faster, because the boundaries are explicit and the escalations are clean.

For the platform layer that operates the boundaries, escalations, and audit records described above, see the Aptly delegation of authority system. The point is not which platform; the point is that agents do not govern themselves.

Sources

1. SailPoint / Dimensional Research, "AI Agents: The New Attack Surface" (May 2025): businesswire.com
2. Microsoft, "2025 Work Trend Index: The Year the Frontier Firm Is Born" (April 2025): microsoft.com/worklab
3. OWASP, "Top 10 for Large Language Model Applications 2025": owasp.org
4. EY and Society for Corporate Governance, "The Delegation Edge: A Guide to Successful Delegation and Authority" (January 2025): ey.com
5. NIST, "AI Risk Management Framework" (2023, Generative AI Profile 2024): nist.gov
6. EU AI Act, Article 14 (Human Oversight): artificialintelligenceact.eu
7. Infocomm Media Development Authority (Singapore), Model AI Governance Framework for Agentic AI (January 2026): imda.gov.sg
8. West Monroe, "Speed Wins" (2026): westmonroe.com