An agent is governed by its gate, its contract, and its mandate
A task delegated to an agent is executed by the agent. The consequences of that execution remain the principal’s. This asymmetry is the entire subject of agentic governance, and it is the one most often misplaced. The reflex is to look for the missing safeguard in a better model, a more attentive human in the loop, or a more complete log. Each of these addresses a fragment of the problem. None closes the question of who answers for what an agent does in the name of an organisation. The position defended here is narrower and, for that reason, operational. An agent that produces effects on the world is governable only when three layers are made explicit at once: a gate that fixes what it can do, a contract that fixes who answers for it, and a mandate that fixes what it is legitimate to delegate to it. Execution is delegable. Responsibility is not.
This thesis concerns agents that act, namely those that draft deliverables, transmit information, trigger operations, take operational decisions, or interact with third parties. It does not concern a passive assistant with no capacity to act.
The structuring distinction is between two verbs the discussion tends to fuse. To delegate is to hand over the carrying-out of a task. To abdicate is to surrender the answering-for it. The first is legitimate and often necessary. The second is never available, whatever the architecture. A human who delegates an action remains, at their level, accountable for choosing to delegate it, for the limits set, and for the consequences when the delegation fails.
The analogy with human organisations is exact up to one point, and that point founds the thesis rather than weakening it. An employee, a lawyer, a corporate officer can act on another’s behalf without becoming the ultimate holder of responsibility, because they are themselves subjects of law who answer for their own acts. The artificial agent is the subject of nothing. It holds no patrimony, no legally recognised will, no capacity to bear a sanction. Precisely because the agent can assume nothing, responsibility never stops at it. It flows back, by construction, to whoever granted it the power to act.
Two reflexes dominate current practice, and both are necessary without being sufficient.
The first reinforces technical controls. An admission gate reduces the attack surface, limits privileges, and blocks out-of-perimeter behaviour. It answers one question only: what can the system do? The second reinforces traceability. Every tool call, every write, every decision is recorded so that events can be reconstructed after the fact. This answers another question: what happened?
Neither answers the question of responsibility, for a reason that can be compressed into two clauses. Authorising is not imputing. Tracing is not answering for. A gate decides which actions are permitted. A log records which actions occurred. Neither necessarily designates who was supposed to control the action, who held the authority to delegate it, or who bears the consequences of failure. This gap becomes critical the moment several actors intervene at once: the model provider, the IT team, the business owner, the end user, the organisation’s leadership. Responsibility does not vanish in such configurations. It dilutes.
A first answer requires that a human owner be named for each agent. The requirement is useful and insufficient. In simple systems a single owner can be designated. In complex ones the representation becomes artificial. Critical infrastructures, from aviation to civil nuclear power, rarely rest on a single responsible party. They organise themselves into distributed chains of responsibility, escalation paths, and clearly bounded roles. The objective is therefore not to assign all responsibility fictitiously to one person. It is to make the structure of delegation explicit.
This is where a more robust notion is needed: the mandate. An agent is not merely a tool. It acts as an artificial mandatary, receiving a bounded authorisation to act in the name of a person or organisation within a defined perimeter. The governing question shifts from “who uses the agent?” to “who granted it the power to act, and within what limits?”
The contract is the second layer. It links the technical action to organisational responsibility, and it breaks down into three minimal clauses, not to be confused with the three layers that encompass them.
The first is information and transparency. Anyone concerned must be able to know when an agent intervenes in a process producing significant effects. Depending on context this takes the form of explicit consent, a duty to inform, or a right to object. The form varies; the principle holds.
The second is imputation. Each action must be linkable to an explicit chain of responsibility, and the technical identity of the agent is never the terminal point of that chain. It must point back to the persons or functions that effectively hold the authority of delegation and the residual responsibility.
The third is control. A governable system must allow interruption, manual takeover, or limitation of its action. This must not be reduced to a stop button. Where execution times are measured in milliseconds, human interruption is illusory, and the real objective becomes control of the blast radius: containment, capping of effects, reversibility of operations, limitation of privileges.
As agents gain autonomy, validating each action by hand becomes economically impracticable. The most valuable systems are precisely those that reduce the frequency of human intervention, which is why governance cannot rest on approval points alone.
The centre of gravity moves. The question is no longer “does a human validate each action?” but “which actions did one authorise the agent to undertake before they even occurred?” Agentic governance is, primarily, a governance of ex ante delegation. The mandate becomes the central object. It defines the perimeter of action, the limits of autonomy, the escalation thresholds, and the conditions of suspension. It converts a series of point-in-time authorisations into a stable framework of responsibility.
The question has left the realm of theory. The EU AI Act, in Article 14, requires effective human oversight of high-risk systems, including the ability to intervene in a system or to interrupt it.
On 22 January 2026, Singapore published its Model AI Governance Framework for Agentic AI, the first national framework devoted to agentic systems. Its structure is worth attention: it explicitly separates effective human accountability from technical controls, and it makes the upfront bounding of risk one of its four dimensions. The distinction defended here is therefore not invented. It is rediscovered, independently, in the first regulatory instrument to confront the problem.
Case law has begun to rule in the same direction. In Moffatt v. Air Canada (2024 BCCRT 149), the British Columbia Civil Resolution Tribunal rejected the company’s argument that its conversational agent was a separate entity answering for its own acts, and held the organisation responsible for the information delivered. A conversational agent is not an agentic system in the sense retained here, and an administrative ruling is not a general precedent. The principle it lays down is nonetheless the one defended throughout: responsibility is not delegated to the technical identity that executes.
PREDICARE, a set of agents dedicated to addressing medical disengagement in the context of metabolic syndrome, illustrates a clinical decision-support case where governance rests simultaneously on the three layers. The gate refuses requests outside the clinical perimeter. The contract guarantees the practitioner’s information, the imputation of recommendations, and the possibility of setting a proposal aside. The mandate defines what the agent is authorised to recommend without further validation.
OCTOPUS, a multi-model orchestration system, is the more demanding case. Several agents contribute to a single output, and technical traceability allows the chain to be reconstructed. Governance becomes effective only when the mandate clearly identifies the entity responsible for the composite output, regardless of how many intermediate agents are involved. These instances illustrate the thesis. They do not claim to exhaust it.
The position carries its own limits, and naming them is part of holding it.
The contract does not replace technical controls. A perfectly attributed responsibility does not repair a dangerous system. The mandate does not eliminate organisational costs; every explicit delegation introduces trade-offs, delays, and supervision mechanisms. Direct human control becomes impracticable when execution times fall to milliseconds, and reversibility and containment then replace interruption. Finally, responsibility remains distributed in complex systems. Governance does not eliminate this distribution. It makes it visible.
The strategic error would be to expect the next model, or the next logging system, to solve a problem that is first of all one of governance. An audit log records who signed. It has never said who should have.
The fundamental question bears neither on what an agent can do, nor on what it has done. The gate and the logs already answer those. It bears on who holds the authority to delegate the action, within what limits, and under what residual responsibility. From the moment an agent acts in the name of an organisation, it becomes a new subject of governance, and the decision ceases to be merely technical. It touches the delegation of authority, legal responsibility, and corporate governance.
An agent is governable only when its architecture explicitly links three things: what it can do, what it is permitted to do, and who answers for it. Execution can be delegated. Responsibility never can.
Regulatory frameworks. Regulation (EU) 2024/1689 (AI Act), Article 14 (human oversight of high-risk systems). Entry into force 1 August 2024. Infocomm Media Development Authority and AI Verify Foundation (Singapore), Model AI Governance Framework for Agentic AI, 22 January 2026.
Case law. Civil Resolution Tribunal of British Columbia, Moffatt v. Air Canada, 2024 BCCRT 149.
Full text freely available in the PDF below (5 pages).
Doctrinal notes and explorations on AI in regulated systems. Once or twice a month. One-click unsubscribe.