Six governments published one document on May 1, 2026. The headlines called it a security advisory. The deeper signal is that agentic AI has become a corporate governance problem, and almost no enterprise has the operating discipline to answer it.

The autonomous governance moment

On May 1, 2026, CISA, the NSA, the Australian Signals Directorate's ACSC, the Canadian Centre for Cyber Security, the New Zealand NCSC, and the UK NCSC jointly published "Careful Adoption of Agentic Artificial Intelligence (AI) Services." Six-agency coordination on a single AI topic is rare. The coordination itself is the signal.

The document names five risk categories: privilege, design and configuration, behavioral, structural, and accountability. It recommends rigorous monitoring, explicit human oversight at sensitive decision points, and the ability to interrupt or reverse an agent's actions in real time. The guidance is plainly worded. It is also extraordinary, because such coordination signals that the gap between adoption and defensibility has reached a national-security-tier concern.

The numbers explain why. Writer's 2026 Enterprise AI Adoption Survey reports that 97 percent of executives say their company deployed AI agents in the past year, while 36 percent of companies have no formal plan for supervising those agents. The day after the Five Eyes guidance dropped, Jeffrey Sonnenfeld and Yale's Chief Executive Leadership Institute called the gap "a crisis in corporate governance" in Fortune. Vendors moved within the week: Cognizant launched Secure AI Services on May 7, and Alation introduced Alation AI Governance at the Gartner Data & Analytics Summit on May 11. The market is racing to sell into a discipline most organizations have not yet built.

Why an agent is not a user, a system, or a process

Classical control design assumes a stable actor with a bounded scope of action and predictable work. Agents satisfy none of those assumptions. The strain on existing controls is not exotic. It is structural.

Consider three mismatches.

The first is identity. Classical identity and access management was built for human users and the systems they touch. An agent is neither. It is a software entity that can carry credentials, request data, invoke tools, and produce decisions under instructions that may have come from a human or from another agent. Treating it as a service account misses the fact that its behavior depends on a prompt, a tool registry, and a model version that can all change without a code release. Treating it as a user misses the fact that it acts at machine speed. Most enterprise identity programs do not yet have a category for what an agent actually is.

The second is authorization. Least-privilege assumes a known scope of action. An agent's scope is not what it is permitted to do at provisioning. It is what the agent ends up doing across every permutation of tools, prompts, and adversarial inputs it encounters in production. The European AI Act gestures at this through Article 14 human-oversight requirements. The Five Eyes guidance names it explicitly. The Singapore IMDA Model AI Governance Framework for Agentic AI, published in January 2026, distinguishes between an agent's "action-space" and its autonomy and treats both as designable variables. Most enterprises have neither concept inside their access reviews.

The third is observability. Classical audit assumes one actor per event, with a clear request, a clear response, and a recoverable trail. An agent's chain of reasoning runs across multiple model calls, tools, and intermediate states, with the relevant evidence scattered across systems that were never meant to be correlated. The Five Eyes document names this directly, describing how "fragmented logs, opaque agent reasoning and emergent interactions obscure the decision path" in agentic systems. Without re-engineered telemetry, after-the-fact reconstruction is not a matter of pulling logs. It is a matter of guessing.

Bounded autonomy as a new operating discipline

The temptation, after reading the Five Eyes guidance, is to conclude that organizations need to apply the controls they already have to a new kind of actor. That reading is dangerous, because it makes the work sound smaller than it is.

Bounded autonomy is not a relabeling of existing controls. It is a deliberately designed operating discipline in which an agent's identity, action-space, decision authority, and oversight are scoped, monitored, and revocable on a per-deployment basis. It uses familiar primitives. It uses them in genuinely novel configurations.

Under bounded autonomy, an agent has an identity distinct from any human user, with explicit credentials, an explicit owner, and a published action-space that defines what it may do, what it may not do, and what triggers human approval. Authorization is enforced not only at the credential layer but at the orchestration layer, with checkpoints inserted at any action that crosses a defined stakes threshold. Observability is engineered, not assumed. Telemetry is designed for an agent's chain of reasoning, not retrofitted from a logging system that was never asked the right questions.

This work overlaps with existing identity, access, monitoring, and assurance functions, but it is not the same as any of them. Pretending otherwise is how organizations ship agents with static-API controls and discover after an incident that they cannot reconstruct what the agent did or whether the human who approved its action understood what they were approving.

Defensibility is designed before the agent ships, evidenced while it operates, and proven when it is challenged.

The sponsor's seven questions

A useful test for whether an organization has begun building this discipline is whether the executive sponsor of a proposed agent deployment can answer seven questions, on the record, before the deployment proceeds. Each is intended to surface where the discipline is real and where it is improvised.

  1. What is the action-space of this agent, expressed as the set of tools and systems it may invoke, and what is explicitly outside that space?
  2. Who is the human owner of this agent, and what is their authority to revoke its credentials, pause its operation, or roll back its actions in production?
  3. What decision thresholds require human approval before the agent acts, and how is that approval evidenced and auditable after the fact?
  4. How are the agent's actions logged, correlated across systems, and reconstructable for a regulator, an auditor, or counsel?
  5. Under what conditions does the agent's behavior get re-validated, and who is accountable for performing that re-validation?
  6. What is the reversibility profile of the actions this agent can take, and how is that profile reflected in the controls placed around each action class?
  7. If this agent's worst plausible failure occurs tomorrow, what is the playbook, who runs it, and what is the maximum exposure between detection and containment?

A sponsor who can answer all seven is operating a real bounded autonomy program. A sponsor who can answer none is deploying on hope. Most are in between, which is exactly the gap the Five Eyes guidance was meant to surface.

The risk function's moment

The default reading of the Five Eyes guidance is that it is a CISO document. It is not, or at least not only. The disciplines it points to (identity, authorization, observability, escalation, recovery) sit at the intersection of cybersecurity, internal audit, compliance, and enterprise risk. The chief risk officer is the right owner because the role sits across all of them. The chief information security officer is the indispensable partner, not the sole owner.

This matters now, because the next eighteen months will separate the organizations that treat agentic AI as a competitive infrastructure question from the ones that treat it as a downstream IT decision. The first group will build the bounded autonomy discipline before they need it. The second will discover it the hard way, in front of a regulator, an auditor, a customer, or a journalist.

EMG Advisory has built the operating system this work requires. The Risk Engine classifies a proposed agent deployment against seven dimensions of suitability (frequency, time intensity, structured inputs, success criteria, precision tolerance, reversibility, and action stakes), scores it against an enterprise risk taxonomy of 140+ specific AI risks, and matches it to a control set drawn from 90+ purpose-built controls. Severity is calibrated to the organization's risk appetite, and crosswalks map one control set across the EU AI Act, NIST AI RMF, ISO 42001, GDPR, and the sector regulators. The output is a clear disposition for each proposed deployment: proceed, proceed with conditions, escalate, or do not proceed. Behind every use-case decision sits the foundation layer this requires: a designated internal governance authority, a codified risk appetite, and a named accountability chain. The methodology refreshes quarterly as regulation, case law, and incident patterns evolve.

This operating system was not built in response to the Five Eyes guidance. It was designed on the principles the guidance now codifies. When the document states that "strong governance, explicit accountability, rigorous monitoring and human oversight are not optional safeguards but essential prerequisites," those are the principles the system was built to operationalize. For an organization that needs to adhere to the guidance, the alignment is built in; the deployment is the adherence.

The board's job here is not to write the program. It is to verify that someone in the organization already has, with named owners, designed controls, and evidence that holds up under scrutiny.

The companies that start this work now will not be the ones retrofitting under deadline.

Andrea Elliott is the Founder & Managing Partner of EMG Advisory.
To explore how this applies to your organization, request a meeting.