Action-space, autonomy, reversibility and decision regimes: toward an exogenous governance architecture for agentic AI systems
The central problem of agentic AI is not that agents are becoming more capable. It is that they are becoming actionable before they are governable. An agentic system in the strong sense does not merely produce text or a classification: it selects tools, chains operations, revises its plan and sometimes acts upon external environments. The problem therefore resides not in the quality of the output, but in the decision regime introduced by the architecture.
The shift is decisive. The system no longer executes a predefined path; it explores a decision space. This is not a terminological nuance — it is a regime change. And recent capability gains should not be conflated with equivalent reliability gains: the work of Rabanser et al. documents an empirical gap between capability and reliability across the dimensions most pertinent in operational contexts.
The thesis of strong exogenous governance takes its best objection seriously: models progress, alignment improves, outputs become better structured. Three reasons nevertheless lead to a negative answer. The distinction between capability and consistency shows that scaling does not mechanically produce governability. Systemic risks (error cascades, unforeseen interactions, oversight circumvention) do not reside in the isolated model. And emerging institutional frameworks do not wager on any future behavioral self-sufficiency of models.
Endogenous advances reduce the cost of governance; they do not replace it. The correct relationship is one of hierarchy: governability must be guaranteed by the architecture, even if it can be facilitated by internal advances of the components.
The principal conceptual contribution shifts risk assessment toward the combination of three operational properties. The action-space designates the concrete perimeter of what the agent can reach. Autonomy is the degree of latitude left to the system to act without prior validation — a configured property, not an essence. Reversibility qualifies the cancellable character of the action.
These three variables ground three decision regimes. Assistance, where the agent produces an interpretable artifact without executing — the major risk is the cognitive passivity of the user. Structured recommendation, where the agent pre-fills a decisional artifact linked to sources — the major risk is automation bias. Bounded execution, where the agent acts within a closed perimeter under verifiable invariants — the major risk is silent drift.
These regimes are not maturity levels but distinct architectural modes. Two modulators complete them: domain criticality and error asymmetry.
The most fruitful analogy comes from distributed software engineering: a technical environment does not presume the virtue of its components — it institutes admission control mechanisms. The decision contract, derived from Bertrand Meyer’s design-by-contract, transposes preconditions, postconditions and invariants to decisional governance.
The value is threefold. It decouples reliability from governability: an imperfect agent remains governed if the system filters what is admissible to become action. It makes policies explicit, versioned and auditable. It transforms the trace into a reconstructible admissibility chain.
This pattern remains an architectural proposal, not a stabilized industry standard. But small-scale experiments show it is implementable. The additional cost is not an accident — it is the price of governability.
Four frameworks emerge with distinct logics. Singapore (IMDA) proposes structuring soft law around operational variables adapted to the agentic domain. NIST works on normative infrastructure for interoperability and technical trust. The European Union introduces a binding legal regime based on risk categories — agenticity is not an autonomous legal criterion for qualification, which strengthens the thesis. The United Kingdom (CMA) recalls that the agent does not create a lawless zone.
No serious institutional actor treats agentic governance as a simple question of internal model quality. All of them treat it as a system problem.
Six authentic limitations are made explicit: the absence of longitudinal scaling/reliability data, the insufficiency of documented industrial cases, the real cost of architectural governance, the domain of validity bounded to contemporary enterprise systems, the geographical asymmetry of sources, and the recursive fragility of governance itself — “who governs the governance?”
Four research questions follow: the empirical reduction of the inter-generational capability/reliability gap, the transposability of admission patterns to the stochastic domain, the economic rationality threshold of exogenous governance, and the governance of multi-agent ensembles with emergent behavior.
Trust is not a heroic property of the model. It is a constructed property of the system. In high-risk systems, certain classes of decisions remain structurally unavailable to full autonomy. The human bottleneck is not a transitional defect — it constitutes an institutional guarantee.
An agent is not governed because it is better. It is governed because a system prohibits it from acting outside an explicitly authorized decision regime.