
A GRC guide to human accountability in agentic workflows: three tiers, accountability models, delegation record fields, regulatory map, and incident response.
Agentic workflows create a new accountability question because AI agents can initiate business-impacting actions without real-time human approval. Someone still has to own the outcome, and that assignment has to be explicit.
Definition: Human accountability in agentic workflows means that every AI agent with the ability to initiate or execute business-impacting actions has a designated human owner who is responsible for the agent's authority grants, operational boundaries, and outcomes.
For human approvers, accountability is usually implicit in the org chart. A director approves a purchase order; the controller is implicitly accountable for that approval's place in the control environment. For AI agents, accountability has to be explicit, because the org chart does not contain agents. Without an explicit assignment, the question of who owns a bad outcome becomes impossible to answer cleanly, and auditors, regulators, and boards are increasingly unwilling to accept that ambiguity.
Recent survey data shows the scale of the problem. SailPoint's 2025 AI Agents survey found that 98% of organizations plan to expand their use of AI agents over the next 12 months, and 96% view them as a growing security risk. Among organizations already using agents, 80% have experienced unintended actions attributable to an agent. Yet Deloitte's 2026 State of AI in the Enterprise reports that only 21% of organizations have mature governance for their agentic AI deployments. The accountability question is not theoretical for GRC leaders. It is a control gap they are being asked to close now, and it has three tiers that need to be addressed in sequence.
Human accountability in agentic workflows operates on three tiers: legal and fiduciary accountability for the corporation, operational accountability for the agent owner, and ethical accountability for the culture that authorizes the work.
Each tier answers a different question. The legal and fiduciary tier asks who carries the statutory, regulatory, and fiduciary risk when the corporation acts through an agent. The operational tier asks who owns the day-to-day outcomes an agent influences. The ethical tier asks who ensures the system is not abdicating moral responsibility by diffusing it across humans who had no real authority to intervene.
Well-run programs do not treat these tiers as separate processes. They treat them as three lenses on the same artifact: the delegation record. A single delegation record, properly constructed, names the accountable human owner, scopes the authority, sets the conditions, designates the escalation path, and binds the machine identity. The legal, operational, and ethical accountability assignments all resolve to that record. Building three parallel accountability workflows for the same agent is how organizations end up with documented oversight that no one can operate under pressure.
Definition: Accountability tier is one of three governance lenses (legal and fiduciary, operational, or ethical). Each lens identifies a specific human held responsible for an AI agent's authorized actions under a different framework of obligation.

Legal and fiduciary accountability sits with the corporation's officers and directors. They cannot delegate that responsibility to an AI agent, a vendor, or a committee. Courts and regulators hold them to a standard of informed oversight.
Board non-delegation. Delaware General Corporation Law §141(a) vests management authority in the board. The Caremark standard requires the board to exercise informed oversight of mission-critical risks. The in-depth legal argument for how these doctrines apply to AI-mediated authority is developed in the Aptly guest paper by Peter Kahl, Boards Cannot Delegate Accountability. For this article, the operative rule is short: officers and directors cannot abdicate oversight of agentic decision-making by delegating it to an AI agent. The fiduciary duty remains with them.
Kahl's five governance requirements. The guest paper articulates a framework for when discretion is embedded in operational systems: attributable authority, bounded scope, structured escalation and override capacity, operational reversibility, and sustained oversight against drift. These five requirements map directly to fields in the delegation record discussed below in Tier 2. The legal tier and the operational tier are bound by that artifact. A delegation record that names an accountable owner (attributable authority), specifies thresholds and conditions (bounded scope), designates an escalation target (structured escalation), identifies revocation authority (operational reversibility), and sets a monitoring cadence (drift control) is the operational answer to the legal question.
SOX officer certification. CEOs and CFOs personally certify the effectiveness of internal controls over financial reporting under Sarbanes-Oxley Sections 302 and 404. When an AI agent participates in a financial process (approving payables, executing treasury transactions, or signing purchase orders), the agent's actions are inside the control scope. The certifying officers remain personally accountable for the control environment that bounded those actions. Bounded means the agent was scoped properly, the approvals were reviewed on a defined cadence, and the delegation record was current as of the transaction date. See DOA and SOX Internal Controls for the broader control-framework mapping.
Principal-agent doctrine. The Restatement (Third) of Agency defines agency as a fiduciary relationship in which a principal authorizes an agent to act on its behalf. Courts have not yet definitively ruled on whether AI systems qualify as legal agents, but the doctrine provides the operative framework regardless. The principal bears legal accountability for actions taken on its behalf within the scope of authority it granted. If the scope is ambiguous, the principal bears more.
EU AI Act Article 14. For high-risk AI systems, the Act requires effective human oversight, including the ability to understand system capacities and limitations, intervene, and override. This is a regulatory floor that applies to agentic workflows touching employment, credit, critical infrastructure, or public services operating in the EU. Human oversight in Article 14 is not a recommendation. It is an enforceable obligation, effective August 2026 for high-risk systems.
Definition: Non-abdication principle is the rule that legally accountable actors (board members, corporate officers, licensed professionals) cannot transfer their fiduciary or statutory responsibility to an AI agent, even when the agent performs the operative task.
Operational accountability assigns each agent to a named human owner who is responsible for its authority scope, its day-to-day behavior, and any outcome the agent influences. That owner is not necessarily the builder; it is the person responsible for the business outcome.
An agent should never be ownerless. Every agent that can initiate or execute business-impacting actions needs an accountable human owner. That owner is not necessarily the engineer who built the agent or the vendor who provides the underlying model. It is the person responsible for the business outcomes the agent is allowed to influence. In a procurement agent, that is typically the procurement operations leader. In a treasury agent, the treasurer or assistant treasurer. In a customer-service agent, the head of support operations.
Organizations choose between three common operational models for assigning that ownership (process-owner, product-owner, and shared-control). Each has strengths and appropriate use cases.
Committees cannot be accountable owners. Committees review; individuals are accountable. A governance committee can oversee an agent's operating policy, approve changes to its authority scope, or review incident reports on a cadence. But when an incident occurs, one named individual must own the response. Diffusing accountability across a committee is how accountability becomes theoretical.
Alongside the ownership-model question, organizations have to choose how closely a human is involved in the agent's actions. The human oversight spectrum runs from full human approval of every action to fully autonomous operation within bounds.
Our recommendation: start every agent deployment with the process-owner model and explicit human-in-the-loop approval. Graduate to human-on-the-loop only after demonstrating consistent within-bounds behavior for a defined period (we recommend 90 days minimum). This staged approach builds organizational confidence, creates the evidence trail auditors will ask for, and gives the accountable owner time to develop operational judgment about the agent's failure modes. See the Authority Change Management Playbook for the process that governs graduation decisions.
Owner capacity matters. SailPoint's 2025 research found that 72% of organizations consider AI agents a greater risk than traditional machine identities. That finding supports capped agent-to-owner ratios for high-risk agents. High-impact agents (payments, contract execution, regulated-industry decisions) typically warrant dedicated ownership. Lower-risk agents (data validation, notification routing) can share an owner. See Authority Monitoring and Reporting Metrics for the measurement side of owner capacity.
Our recommendation: bind each agent to both a machine identity and a delegation record. Identity answers who is the agent. Delegation answers who authorized it, for what, and who owns the outcome. These are two separate questions, and most governance failures in agentic workflows come from conflating them.

Ethical accountability is what prevents diffuse blame when an agent causes harm. When ownership is undefined, responsibility collapses onto the nearest human actor regardless of whether they had authority to prevent the outcome.
The sharpest framework for understanding this failure mode comes from researcher M.C. Elish. In her 2019 paper in Engaging Science, Technology, and Society, Elish coined the term "moral crumple zone" to describe situations in human-machine systems where responsibility for a harmful outcome is disproportionately attributed to a human operator who had limited authority to prevent it. Her original case studies were aviation autopilot incidents and self-driving car accidents, but the framework applies cleanly to agentic workflows.
When an AI agent approves a fraudulent payment, the employee who last touched the transaction (the one who uploaded the vendor, reviewed the threshold, or cleared the exception queue) often becomes the de facto accountable party, even if they had no authority to review or reject the agent's decision. The moral crumple zone forms wherever the agent's authority was not explicitly paired with a human owner's authority. The employee whose hands last touched the transaction becomes the person who gets blamed, but blaming them does not fix the system.
The antidote is structural, not cultural alone. Pre-assigned ownership, documented in the delegation record, prevents the diffuse blame scenario because the accountable owner is named before the incident happens. If the procurement ops leader is named as the accountable owner for an AP-approval agent, and the agent approves a fraudulent payment, accountability flows to that leader. The analyst who processed the invoice is inside the system, not accountable for the system.
The OWASP Top 10 for LLM Applications 2025 puts the same risk on the security side of the ledger. Excessive Agency is listed as LLM06, up from LLM08 in the 2023 edition. OWASP frames the root causes as excessive functionality, excessive permissions, and excessive autonomy granted to an LLM-based system. Read through the accountability lens, an agent with no named owner is an agent whose functionality, permissions, and autonomy nobody is responsible for bounding, which is why ambiguous ownership is a security exposure and not only a governance gap.
Definition: Moral crumple zone is a pattern described by researcher M.C. Elish in which responsibility for a human-machine system failure is attributed primarily to a human actor who had limited authority to prevent the outcome, because the machine's authority was never explicitly paired with accountable ownership.
An accountable delegation record is the single artifact that binds legal, operational, and ethical accountability into one place. It names the owner, scopes the authority, sets the conditions, and designates the escalation path.
The three-tier taxonomy is only useful if it resolves to something a GRC leader can operate. That something is the delegation record. For an AI agent, a proper delegation record is the operational answer to every question the three tiers raise: who is legally accountable (the named owner), what authority is bounded (the scope fields), how oversight works in practice (the monitoring cadence), and what happens when bounds are exceeded (the escalation path).
The five governance requirements from the Kahl framework discussed in Tier 1 map directly to fields in this record. Attributable authority requires a named owner. Bounded scope requires decision domains, thresholds, and conditions. Structured escalation requires a named escalation target. Operational reversibility requires an identified revocation authority. Drift control requires a monitoring cadence and a defined review interval. A delegation record that captures all five is the evidence that fiduciary duty has been translated into operational practice.
Definition: Delegation record is the structured artifact that defines a specific agent's authority: its accountable human owner, the decision domains and thresholds it can act within, its escalation triggers, the machine identity it is bound to, its monitoring cadence, its effective dates, and the revocation authority that can halt it immediately.
Eight fields, not three. Early AI governance documents often describe delegation with three elements (owner, scope, conditions). That is insufficient for an auditable agent: the definition above adds escalation triggers, monitoring cadence, and effective dates, and two further fields close the most common audit gaps.
Identity binding. The agent's machine identity should be explicitly named in the delegation record. When an auditor reviews a specific transaction, they should be able to trace from the transaction back to the identity that performed it, from the identity to the delegation record, and from the delegation record to the accountable human. This chain is what the November 2025 MCP Specification authentication requirements make possible at the platform level, but only if the delegation record binds to the same identity the MCP authorization uses.
Revocation authority. When an agent needs to be stopped immediately (a security incident, a model misbehavior, a regulatory signal), someone has to be authorized to pull the plug without convening a committee. That authority is a named role, not a process. Failure to specify it in advance is how organizations end up with agents that continue to act during incidents that should have halted them.
For the broader operating model that holds delegation records together across a program of agents, see the Operating Model for Authority Management.
Our recommendation: treat the delegation record as the authoritative record for both human and agent authority. One system of record, two classes of actor, one audit surface. Fragmenting the record (separate systems for human delegations and agent delegations) creates a second reconciliation problem auditors will find.
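As an added illustration (not Aptly's code or schema, and not part of the original article), here is a minimal delegation record carrying the eight fields described above, a runtime check that returns permit, deny or escalate against it, a revocation path restricted to the named revocation authority, and a trace from a transaction back through the decision and the record to the accountable human. Every field name, identity, address and sample transaction is an assumption chosen for the example.

```python
# Added illustration, not Aptly's code or schema; names, identities and sample data are assumptions.
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

@dataclass
class DelegationRecord:
    record_id: str
    agent_identity: str            # machine identity the agent authenticates as
    owner: str                     # accountable human: attributable authority
    decision_domains: frozenset    # bounded scope: actions the agent may take
    threshold: float               # bounded scope: per-action amount ceiling
    counterparty_types: frozenset  # condition: who the agent may transact with
    escalation_target: str         # structured escalation
    revocation_authority: str      # operational reversibility: who may halt it
    review_interval_days: int      # drift control: monitoring cadence
    effective_from: date
    effective_to: date             # expires unless reviewed and renewed
    revoked_at: Optional[datetime] = None
    revoked_by: Optional[str] = None

@dataclass
class Transaction:
    txn_id: str
    agent_identity: str
    domain: str
    amount: float
    counterparty_type: str
    at: datetime

@dataclass
class DecisionRecord:
    txn_id: str
    decision: str                  # "permit", "deny" or "escalate"
    reason: str
    record_id: Optional[str] = None
    escalate_to: Optional[str] = None

class AuthorityStore:
    """One system of record: delegation records plus every decision made under them."""
    def __init__(self, records):
        self.records = {r.record_id: r for r in records}
        self.by_identity = {r.agent_identity: r for r in records}
        self.decisions = {}

    def decide(self, txn: Transaction) -> DecisionRecord:
        rec = self.by_identity.get(txn.agent_identity)
        out = lambda decision, reason, esc=None: DecisionRecord(
            txn.txn_id, decision, reason, rec.record_id if rec else None, esc)
        if rec is None:
            d = out("deny", "no delegation record bound to this identity")  # ownerless agent
        elif rec.revoked_at is not None and txn.at >= rec.revoked_at:
            d = out("deny", f"delegation revoked by {rec.revoked_by}")
        elif not (rec.effective_from <= txn.at.date() <= rec.effective_to):
            d = out("deny", "outside effective dates")
        elif txn.domain not in rec.decision_domains:
            d = out("deny", f"domain {txn.domain} not in scope")
        elif txn.counterparty_type not in rec.counterparty_types:
            d = out("escalate", "counterparty condition not met", rec.escalation_target)
        elif txn.amount > rec.threshold:
            d = out("escalate", f"amount exceeds threshold {rec.threshold:.0f}", rec.escalation_target)
        else:
            d = out("permit", "within scope, conditions and threshold")
        self.decisions[txn.txn_id] = d     # permits are logged too; the audit chain needs them
        return d

    def revoke(self, agent_identity: str, by: str, at: datetime) -> None:
        rec = self.by_identity[agent_identity]
        if by != rec.revocation_authority:
            raise PermissionError(f"{by} is not the revocation authority for {rec.record_id}")
        rec.revoked_at, rec.revoked_by = at, by

    def trace(self, txn_id: str) -> dict:
        # Audit chain: transaction -> decision -> delegation record -> accountable human.
        d = self.decisions[txn_id]
        rec = self.records.get(d.record_id)
        return {"txn_id": txn_id, "decision": d.decision, "reason": d.reason, "record_id": d.record_id,
                "agent_identity": rec.agent_identity if rec else None,
                "owner": rec.owner if rec else None, "escalate_to": d.escalate_to}

def run_demo():
    """Constructed sample record and transactions exercising each branch; returns (store, results)."""
    agent = "spiffe://example.internal/agents/ap-approver"   # placeholder machine identity
    store = AuthorityStore([DelegationRecord(
        "DR-0001", agent, "procurement-ops-lead@example.com", frozenset({"ap.approve"}), 10_000.0,
        frozenset({"approved-vendor"}), "controller@example.com", "ciso@example.com", 90,
        date(2026, 1, 1), date(2026, 3, 31))])
    t = datetime(2026, 2, 3, 10, 0)
    txns = [Transaction("T1", agent, "ap.approve", 4_200.0, "approved-vendor", t),
            Transaction("T2", agent, "ap.approve", 25_000.0, "approved-vendor", t),   # over threshold
            Transaction("T3", agent, "ap.approve", 500.0, "new-vendor", t),           # condition not met
            Transaction("T4", agent, "treasury.wire", 100.0, "approved-vendor", t),   # out of scope
            Transaction("T5", agent, "ap.approve", 100.0, "approved-vendor", datetime(2026, 4, 2, 9, 0)),
            Transaction("T6", "unregistered-agent", "ap.approve", 100.0, "approved-vendor", t)]
    results = {x.txn_id: store.decide(x).decision for x in txns}
    halt = datetime(2026, 2, 4, 8, 0)
    try:                                   # incident: only the named revocation authority may halt
        store.revoke(agent, by="ap-analyst@example.com", at=halt)
    except PermissionError:
        results["revoke-by-analyst"] = "rejected"
    store.revoke(agent, by="ciso@example.com", at=halt)
    results["T7"] = store.decide(Transaction("T7", agent, "ap.approve", 100.0, "approved-vendor", datetime(2026, 2, 4, 9, 0))).decision
    return store, results
```

Two design points are worth noting. Permits are logged alongside denials and escalations, because the audit question is usually about a transaction that went through, not one that was blocked; and the trace for an unregistered identity returns no owner at all, which is exactly the ownerless-agent condition the record is meant to make impossible.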
When an agent triggers a bad outcome, ownership should already be assigned. Pre-defined incident response eliminates the moral crumple zone and shortens the time between discovery and containment.
Incident response for agentic workflows is the agentic version of authority change management. The decisions that have to be made (who investigates, who has revocation authority, what triggers a policy update, how evidence is retained) should all be answered before the incident, not during it. A structured incident response for agents covers five points.
The organizations that have not done this work are visible in the data. Gartner projects that more than 40% of agentic AI projects will be canceled by the end of 2027 due to escalating costs, unclear business value, or inadequate risk controls. Pre-defined incident response is one of the controls that the 40% are missing. Incidents happen regardless; the difference is whether the organization is ready for them.
Every major AI governance framework (the EU AI Act, NIST AI RMF, ISO/IEC 42001, and Singapore's Agentic AI Framework) converges on the same requirement: a named human must be able to oversee, intervene in, and override the agent's actions.
The frameworks differ in audience and enforcement teeth, but they agree on the accountability rule. A governance program that meets any of them tends to meet the others, and the delegation record from the previous section is the common artifact underneath.
EU AI Act Article 14 (human oversight). The Act mandates effective human oversight for high-risk AI, including the ability to understand system capacities, intervene, and override. Article 12 adds a parallel record-keeping requirement. Together, Articles 12 and 14 make the delegation record effectively compulsory for high-risk systems operating in the EU, with enforcement beginning August 2026.
NIST AI Risk Management Framework. NIST AI RMF 1.0 embeds human accountability in the GOVERN function, the cross-cutting function that informs the other three (MAP, MEASURE, MANAGE). Sub-category GOVERN 3.2 specifically requires policies and procedures that define and differentiate roles and responsibilities for human-AI configurations and oversight of AI systems. NIST's framing is voluntary, but it is the most widely adopted framework for U.S. federal procurement and increasingly for private-sector vendor risk programs.
ISO/IEC 42001:2023. The AI management system standard includes clauses on roles, responsibilities, and authorities that treat AI systems as governed entities requiring designated human accountability. The standard is certifiable, which matters for organizations that need third-party attestation.
Singapore Model AI Governance Framework for Agentic AI (January 2026). Singapore's IMDA released the first dedicated governance framework for agentic AI, with explicit provisions on authority scoping, monitoring, and accountability assignment. The framework is soft-law but is likely to influence APAC and Commonwealth jurisdictions.
OWASP Top 10 for LLM Applications 2025. LLM06 Excessive Agency is the only item in the 2025 top 10 specifically about agentic authority and accountability. It was elevated from #8 in the 2023 edition, reflecting how quickly the industry's understanding of the risk has matured.
For the runtime integration side of these requirements, see Embedding Authority Checks into Workflows.

Aptly is the authority system of record. It binds accountable human owners to agent authority scopes so that legal, operational, and ethical accountability resolve to the same delegation record.
Scoped authority with effective dates and auto-expiry. Aptly delegation records carry start dates, review intervals, and expiry dates, alongside conditions (thresholds, counterparty types, time-of-day constraints) and explicit revocation authority. An agent's delegation expires automatically unless reviewed and renewed. There is no quiet accumulation of stale authority.
Machine identity binding with human accountability chain. Every agent delegation in Aptly binds both the machine identity the agent runs under (for authentication) and the human owner accountable for the outcome. Authentication answers "is this agent who it claims to be?" Accountability answers "who owns what it does?" These are two separate questions, resolved in the same record.
Runtime authority decisions the agent can query. Agents can query Aptly at runtime for a permit, deny, conditions, or escalation-target decision. The response is logged as a decision record that the audit trail can rely on. When an auditor asks who authorized a specific action, the chain from transaction to decision record to delegation record to accountable human resolves in seconds, not days.
GRC platforms ask "are we compliant?" Authority governance answers "who has the authority?" Aptly is the system that answers the second question, for humans and now for agents. The Authority Hub is the operational home for that record, spanning human and agent authorities in one system of record.
One person can own more than one agent, but with limits. High-impact agents typically require dedicated ownership, while lower-risk agents can share an owner. Organizations cap agent-to-owner ratios based on the risk profile of the agents.
An accountable owner should have sufficient operational visibility to monitor outcomes and respond to incidents. In practice, organizations cap agent-to-owner ratios based on risk: high-impact agents (payments, contract execution, regulated-industry decisions) typically require dedicated ownership, while lower-risk agents (data validation, notification routing) can share an owner. The cap should be set explicitly in the agent governance policy, not left to emerge by accretion.
The same succession process that applies to human delegation applies to agent ownership. Agents should be reassigned to an interim owner immediately, with formal transfer completed within a defined window.
When an agent owner departs, their agents should be reassigned to an interim owner immediately, with a formal ownership transfer completed within a defined window (typically 30 days). Agent authority should be reduced to advisory-only during the transition period if the new owner has not yet certified the agent's scope and boundaries. This mirrors the approach most organizations take for human delegations on departure.
Auditors look for three things: a clear delegation record, evidence that the accountable owner reviewed agent activity on a defined cadence, and incident records showing exceptions were escalated and resolved through the defined process.
The delegation record is the anchor. Without it, the rest of the evidence chain collapses. With it, every agent action traces to a scope, and every scope traces to an accountable human. Mature programs also maintain an access log showing who reviewed the delegation record itself and when, which closes the audit loop on the accountability record.
Advisory and execution agents are governed differently. Advisory agents carry lower governance overhead because the human who acts on the recommendation carries the decision accountability. Execution agents require full delegation records, monitoring, and incident response plans.
Advisory agents recommend but do not act. The human who acts on the recommendation carries accountability for the decision. Execution agents initiate or complete actions independently and create binding outcomes without real-time human approval. They require full delegation records, monitoring, and incident response plans because the human who might have stopped the bad outcome had no real-time opportunity to do so.
Oversight is the ongoing monitoring activity. Accountability is the assignment of legal, operational, and ethical responsibility. Organizations can have oversight without accountability, and accountability without oversight. Both are required.
Most mature programs pair them by assigning oversight activity to a specific role that reports to the accountable owner. The owner does not have to watch every agent action, but they have to receive a structured report on a defined cadence and retain the authority to intervene when signals warrant it.
The enterprise is typically accountable to its customers and regulators, regardless of vendor indemnification. Contract terms allocate loss after the fact; they do not transfer legal accountability at the point of harm.
Vendor due diligence on AI agents should therefore include the vendor's own agent governance, not just their security and availability posture. A vendor that cannot produce its own delegation records for the agents it operates on your behalf is a vendor that cannot demonstrate the oversight your regulators expect you to have.
No. Article 14 requires effective human oversight but does not mandate a specific title. The accountability role can be process-owner, product-owner, or shared-control depending on the agent's risk tier.
The documentation requirement is where many organizations fall short: having the right role in practice does not satisfy the Act if the documentation does not show it. The delegation record serves that documentation function naturally if it is maintained.
CEOs and CFOs certify the control environment, not individual transactions. When agents operate inside that environment, the certification implicitly covers the agent's bounded authority, reviewed actions, and current delegation record.
The underlying controls must map to the agent the same way they map to a human approver. When an agent approves a payable, the certifying officers are implicitly certifying that someone reviewed that agent's authority scope and activity as part of the control framework.