A guide to agentic AI: from principles to practice

In this third article, we look in more detail at agentic AI's ability to plan, act and adapt in live environments and the implications on its governance, particularly the need for this to move beyond static policy into operational control.

The shift from governing AI models in isolation to governing agentic system behaviour in an enterprise context has created a critical gap; governance centred on principles, policy and review now needs to be translated into controls across the full lifecycle of development and production, including important safeguards such as runtime controls.

Building trust and confidence in agentic AI

Trust and confidence in agentic AI are created by the presence of visible, testable and enforceable controls in production. It means being clear about:

• What an agent is authorised to do
• Which tools and data it can access
• When human approval is required
• How its actions are monitored
• How it can be paused, corrected or shut down if something goes wrong.

Scaling agentic AI with control

The twelve steps detailed below are intended to provide the operating disciplines needed to scale agentic AI with control.

If responsible AI sets the intent, Systems Development Lifecycle Controls (SDLC) embed that intent into design, build, testing, release and change.

AgentOps - the emerging cross-functional operational discipline of running agents safely once they are live – sustains it in production through visible behaviour, enforceable boundaries, traceable actions, controlled change and rehearsed intervention.

Taken together, the twelve disciplines below describe the wider control environment needed for that capability to work in practice.

Twelve steps from intent to operational control

The twelve steps are the practical operating disciplines that translate Responsible AI intent into day-to-day control.

They should be applied proportionately depending on the agent’s level of autonomy, authority, business criticality and potential impact if something goes wrong.

Organisations should also consider how humans interact with agents in practice, ensuring users understand their limitations to prevent over-reliance.

• 1

  Authority and autonomy boundary

  From the outset, the organisation should be clear about the agent’s role, what it is allowed to do, what systems and data it can use and where the limits are. One practical way to express this is through an agent constitution, a machine-readable set of rules, constraints and operating boundaries that defines what the agent is there to do and how it is expected to behave. Where agents rely on other agents, tools, or workflows, set clear rules for hand-offs, validation, and escalation so that errors, unsafe assumptions, or unexpected behaviour do not propagate across the chain.
• 2

  Give it only the access it truly needs

  Give every agent its own distinct identity, not a human user’s credentials or a shared account with least-privilege access so that every action is traceable and no permission is granted without explicit need. In zero trust terms, agents should never be trusted by default and access should be continuously verified, tightly constrained and regularly reviewed throughout the agent’s life. Least agency, a new term coined by OWASP, extends least privilege to agentic applications.
• 3

  Control the information it relies on

  Define what information the agent may keep, retrieve, carry forward and use, and for how long. Manage context carefully from one step to the next, and prevent sensitive information from leaking across users, cases, teams, customers or sessions. Poor, outdated, excessive or leaked information can drive poor outcomes just as easily as a flawed model.
• 4

  Put clear ownership in place

  Assign named owners to every agentic use case. Be clear about who is accountable for its purpose, who approves access, who oversees performance, who can intervene if something goes wrong and who signs off major changes. Where the agent relies on third-party models, tools or vendor-supplied agents, ownership should also include who is responsible for vendor due diligence, change notifications, assurance evidence and ongoing oversight of those dependencies.
• 5

  Ensure actions can be traced

  Maintain enough tamper-evident trace, logging, and observability to reconstruct, to an appropriate degree, what the agent did, when it did it, what information it relied on, which tools or systems it used, and who asked it to act.
• 6

  Implement runtime monitoring and intervention

  Monitor the agent continuously for drift, unsafe patterns, policy violations, unexpected tool usage, abnormal escalation, degraded quality or changing risk once live. Put clear intervention measures in place before go-live. Be able to pause the agent, contain the issue and stop harm spreading if it behaves unexpectedly. Test the response in advance and assign clear decision-making authority.
• 7

  Design oversight that scales and stays meaningful

  Define where approval is required before action, where live monitoring is sufficient and where review after the event is appropriate. Keep oversight proportionate and effective at scale, rather than allowing it to become a box-ticking exercise.
• 8

  Set hard limits on spend and consumption

  Set limits not only on actions, but also on the amount of resource consumption and cost the agent can generate before it must pause, alert or seek approval.
• 9

  Assess the impact before go-live

  Be clear about what could happen if the agent makes a poor decision or acts outside its intended role. The greater the potential operational, financial, regulatory or reputational impact, the stronger the governance, oversight and testing should be.
• 10

  Test thoroughly before live use

  Do not allow the agent into production until it has been tested in realistic conditions. Cover normal use, unusual situations, failure scenarios and adversarial testing (e.g. attempts to manipulate, misuse or deliberately break the system).
• 11

  Control change

  Apply governance whenever a material change is made, not just at launch. Treat changes to models, tools, workflows, prompts or connected systems as changes that may alter behaviour, and require review, testing and re-approval before go-live.
• 12

  Keep reviewing it through its full life

  Do not treat the agent as ‘set and forget’. Keep reviewing it through its full life. Review its behaviour, access, risks and ongoing business fit over time and manage retirement carefully so data, access rights and evidence are closed down and preserved properly.  Put in place independent review, challenge and assurance so the organisation can test whether governance remains effective in practice.

These steps are what turn governance from policy into control in live operation. 

An example in practice: AI procurement agent

The example below shows how some of the twelve disciplines work in practice.

It illustrates the difference between giving an agent freedom to act and putting it to work within clear boundaries, ownership and control. 

Imagine an AI procurement agent working inside an ERP system. Its role is to raise purchase orders for approved suppliers within agreed limits.  

This simplified example shows how several of the twelve disciplines work together in practice: 

• Clear scope 
• Named ownership 
• Security-protected delegation 
• Controlled and validated information use 
• Proportionate human oversight 
• Traceability 
• Live monitoring 
• The ability to intervene quickly 

Agentic AI governance maturity self-assessment

We have developed an agentic AI governance maturity assessment to help senior leaders judge whether their organisation is ready to put higher-autonomy and impact agents to work with confidence. It translates the twelve operating disciplines into five practical areas for which to assess maturity. 

The aim is not to be at the highest maturity level overall but whether your current level is strong enough for the agents you are already deploying or planning next. A low-risk assistant may be workable at a lower level of maturity. An agent acting across live systems or handling sensitive data will require a much higher one. The gap between the maturity you have and the maturity your use cases demand becomes the leadership agenda.

Key take-aways from this guide to agentic AI

Agentic AI offers organisations a significant opportunity to improve speed, productivity and decision-making, but it also changes the nature of the governance challenge. Once systems can plan, act and adapt in live environments, trust can no longer rest on policy alone. It depends on whether an organisation can define clear boundaries, maintain visibility, intervene quickly and sustain control as these systems evolve. 

The organisations that succeed with agentic AI will not be those that move fastest without constraint, but those that build confidence alongside capability. Responsible AI principles remain essential, but they must now be embedded through disciplined design, testing, runtime monitoring, change control and clear accountability in live operation. That is what turns ambition into something scalable, defensible and trusted.

How we can help 

We bring together multidisciplinary teams spanning AI, data governance, cyber security, technology risk and legal to help organisations move from AI ambition to controlled, real-world deployment through pragmatic, right-sized governance that builds confidence and trust.

Contact us today