
AI Agents: govern rights of action before you delegate.

What you automated, you delegated. The question is: with what governance, and how far? What your agents can do, which systems they access, when they stop and who answers for their actions — these decisions must be made before deployment, not after the first incident.

· the problem

An AI agent is not a tool. It is a delegation of action. Organisations deploy AI agents capable of acting: accessing systems, sending communications, triggering validations, orchestrating workflows, modifying data. This is no longer a chatbot answering — it is a system doing.

In most cases, nobody has explicitly defined what the agent can do, how far it can go, when it must stop, and who answers for its actions. Any delegation of action requires defined rights, limits, supervision and explicit responsibility. Without this, you have automated the risk, not only the task.

Rights of action architecture

AI agent governance rests on five decisions every organisation must take explicitly — not by default.

Access

Which systems can the agent consult? Which data can it read? Which interfaces can it call?

Actions

Which actions can it trigger? Which actions require prior human validation?

Limits

Which thresholds trigger automatic escalation? Which actions are unconditionally prohibited?

Logging

Which actions are logged? Who can consult logs? How is an action audited after the fact?

Stop

Who can stop the agent? Within what timeframe? How do you regain control in case of error?

Specific risks

Prompt injection — an agent can be manipulated by malicious data injected into its context to trigger unauthorised actions.

Privilege escalation — an agent can obtain access beyond its initial perimeter if rights are not precisely defined.

Fictitious responsibility — if an agent acts without exhaustive logs, proving what happened becomes impossible.

BYOA — employees connecting their personal AI agents to organisational systems create invisible exposures.

Certain AI agents may fall within the scope of high-risk systems depending on their usage and sector. Effective human supervision becomes a governance obligation — not merely a best practice.

· deliverables
Govern your AI agents before they govern for you.

An initial conversation to map your agent cases and assess priority risk zones.
