Why AI agents need controls, not just policies

The UK AI governance conversation has moved. For the last two years, many organisations have focused on acceptable use policies, staff guidance, prompt hygiene, data protection warnings and whether employees should be allowed to use tools such as ChatGPT, Microsoft Copilot or Claude. Those controls still matter. But they are no longer enough.

The emerging governance challenge is agentic AI: AI systems that can plan, act, select tools, make recommendations, interact with customers, query business systems, trigger workflows or initiate downstream processes with varying degrees of autonomy.

This matters because agentic AI changes the control model. A chatbot produces an answer. An AI agent may take an action. That action may affect a customer, employee, supplier, transaction, file, system record, risk assessment, complaint, payment process, recruitment decision, insurance outcome or regulated communication.

That is why the strongest current UK AI GRC topic is not simply “AI policy”. It is agentic AI governance.

On 31 March 2026, the Digital Regulation Cooperation Forum published The Future of Agentic AI, a foresight paper exploring how agentic AI may affect UK regulatory frameworks. The DRCF matters because it brings together the Competition and Markets Authority, Financial Conduct Authority, Information Commissioner’s Office and Ofcom, making it one of the clearest signals of converging UK regulatory thinking across digital markets, financial services, data protection, communications and online harms.

The paper frames agentic AI as a cross-regulatory issue touching governance, data protection, cybersecurity, consumer rights, competition and market dynamics. In practical terms, this means organisations cannot treat AI agents as a narrow technology deployment. They need to treat them as operational actors inside a controlled business environment.

From chatbots to agents: why the risk profile has changed

Traditional AI governance often assumes a relatively simple workflow: a user enters a prompt, the model generates an output, and a human decides what to do with it. That model is already imperfect, but it at least gives governance teams a clear intervention point. Human judgement sits between AI output and business action.

Agentic AI weakens that assumption.

An AI agent might receive a goal, break it into sub-tasks, select tools, call APIs, search internal data, draft customer communications, update records, triage cases, recommend actions, escalate exceptions or trigger automated workflows. The risk is not just that the model may produce incorrect content. The risk is that the system may take, recommend or enable an action before the organisation has properly understood the authority, evidence, impact or accountability chain behind it.

This is the governance shift.

The old question was:

“Can staff use AI?”

The new question is:

“What is this AI system authorised to do, under what conditions, with what data, and with what human oversight?”

That turns AI governance from policy management into operational control.

Why the DRCF paper is a regulatory signal

The DRCF’s agentic AI paper is not a binding rulebook. It is a foresight paper and should not be read as final policy from any one regulator. However, it is still highly significant because it shows where UK regulators are looking before enforcement expectations fully crystallise.

The cross-regulatory nature of the DRCF is the point. Agentic AI does not fit neatly into one compliance bucket. A single AI agent used in customer operations could raise:

Data protection issues if it processes personal data or profiles individuals.

Cybersecurity issues if it has access to systems, credentials, files or APIs.

Consumer protection issues if it makes misleading recommendations or influences decisions.

Financial conduct issues if it affects regulated financial services communications or outcomes.

Competition issues if agents shape market behaviour, pricing, ranking, access or platform dynamics.

Accountability issues if no one can explain why the agent acted in a particular way.

Operational resilience issues if automated workflows fail, loop, duplicate actions or create systemic errors.

This is why boards and executive teams should not treat agentic AI as a productivity feature. It is a governance architecture issue.

The practical control problem

Agentic AI creates a control gap because many organisations are adopting AI through fragmented experimentation. Teams test tools. Vendors add AI features. Microsoft 365, CRM platforms, service desks, HR tools, analytics products and workflow systems increasingly include agent-like capabilities. Business users may see these as helpful automation. GRC teams may not see them at all until the system is already live.

That is a dangerous sequence.

Controls must be designed before deployment, not retrofitted after a failure. Once an AI agent is connected to live systems, customer data, internal records or operational workflows, the organisation needs more than a policy telling people to “use AI responsibly”. It needs defined limits, approvals, evidence trails and intervention points.

The key questions are concrete:

Who authorised the agent?

What business purpose was approved?

What systems can it access?

What data can it use?

Can it access personal, confidential, regulated or special category data?

Can it act externally, or only generate internal recommendations?

Can it update records, send communications, trigger payments, change classifications or escalate cases?

What actions require human approval?

What actions are prohibited?

How is its activity logged?

How are errors detected?

How can a customer, employee or affected person challenge an outcome?

How can a decision or action be reversed?

Who owns the risk if the agent behaves unexpectedly?

These are not theoretical AI ethics questions. They are operating model questions.

Agentic AI and automated decision-making

A closely related UK AI GRC topic is automated decision-making under the Data Use and Access Act 2025. The government’s guidance states that the Act creates a more permissive framework under the UK GDPR for solely automated decisions with legal or similarly significant effects, while still requiring safeguards.

The ICO has also said the Act opens up the range of lawful bases organisations may be able to rely on when using personal information to make significant automated decisions, provided appropriate safeguards continue to apply. The ICO specifically notes that this may include legitimate interests, but that special category data remains more protected.

This matters for agentic AI because an AI agent may not look like an “ADM system” at first glance. It may be described as a workflow assistant, service agent, triage agent, productivity agent, case handling agent or recommendation engine. But if it materially contributes to a significant decision about a person, the organisation may need to assess whether automated decision-making rules, safeguards, transparency duties, DPIA requirements and human review rights are triggered.

The ICO’s 2026 consultation on draft guidance about automated decision-making is aimed at data protection officers, compliance professionals and technical leads overseeing the use or procurement of ADM systems. That audience tells us something important: ADM is no longer just a legal issue. It is a combined legal, compliance, data, technology and operational governance issue.

For enterprise AI governance, this means agentic AI deployments should be screened for ADM risk before they go live.

The new control framework for AI agents

Organisations adopting AI agents need an AI control framework. Not a slide deck. Not a generic acceptable use policy. Not a vendor assurance questionnaire sitting in procurement. A practical control framework that decides which AI agents are allowed, what they can do, how they are monitored and how the organisation can prove control.

A strong framework should include the following components.

1. Use-case approval before deployment

Every AI agent should have a defined business owner, technical owner and risk owner. The use case should be documented before deployment, including its purpose, expected value, affected users, data inputs, system access, action permissions and risk classification.

The approval process should distinguish between low-risk internal productivity use and higher-risk operational use. An agent that summarises internal meeting notes is not the same as an agent that updates customer records, recommends credit actions, triages complaints or sends external communications.

2. Data classification and access control

Agentic AI governance depends on knowing what data the agent can access. Public data, internal business data, confidential commercial data, personal data, special category data and regulated data should not be treated as equivalent.

Access should be minimised. Agents should only have access to the systems and data required for their approved purpose. Where possible, access should be read-only unless write permissions are explicitly justified and approved.

3. Action boundaries

The most important question for an AI agent is not only “what can it know?” but “what can it do?”

Organisations should define permitted, restricted and prohibited actions. For example, an agent may be allowed to draft a response but not send it. It may be allowed to recommend a classification but not apply it. It may be allowed to identify a potential fraud pattern but not close an account. It may be allowed to prepare a supplier comparison but not execute a purchase.

Action boundaries should be technical controls, not just behavioural expectations.

4. Human-in-the-loop thresholds

Human oversight should be risk-based. Not every AI-assisted action requires the same level of review, but high-impact actions should not be left to unreviewed automation.

Human intervention should be mandatory where an agent affects legal rights, financial outcomes, employment decisions, access to services, customer vulnerability, complaints, regulated communications or material commercial commitments.

The human reviewer must have enough information to make a meaningful decision. A rubber stamp is not governance.

5. Audit logging and explainability

Agent activity must be logged. At minimum, logs should capture the initiating user or system, the agent used, the task requested, data sources accessed, tools called, outputs generated, actions taken, approvals required, approvals granted and exceptions triggered.

This is essential for auditability, incident investigation, regulatory response, customer challenge and internal assurance. Without logging, the organisation may know that something happened but be unable to prove why, how or who was accountable.
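To show how action boundaries (section 3), human-in-the-loop thresholds (section 4) and audit logging (section 5) become a technical control rather than a behavioural expectation, here is an added illustration. It is not code from the original article or from any vendor product: a deny-by-default tool gate that sits between an agent's planner and its tool executor, checks each proposed action against the agent's registered permissions and the classification of the data involved, holds restricted actions until a named human records a reason, and writes every verdict to an audit log. The agent name, tool names, classification tiers and the approval rule are assumptions made for the example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Verdict(str, Enum):
    ALLOW = "allow"                        # permitted, runs unattended
    REQUIRE_APPROVAL = "require_approval"  # held until a named human approves
    DENY = "deny"                          # prohibited for this agent


# Data tiers, least to most sensitive. Names and ordering are assumptions
# for this example; substitute your own classification scheme.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2,
                       "personal": 3, "special_category": 4}


@dataclass(frozen=True)
class AgentPolicy:
    """One entry from a hypothetical AI agent register: what this agent may do."""
    agent_id: str
    risk_owner: str
    max_classification: str     # highest data tier the agent may touch
    allowed_tools: frozenset    # permitted actions
    approval_tools: frozenset   # restricted actions: human review required
    # Any tool in neither set is prohibited: the gate denies by default.


@dataclass(frozen=True)
class Approval:
    approver: str
    reason: str                 # an empty reason is treated as a rubber stamp


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    agent_id: str
    initiated_by: str
    tool: str
    data_classification: str
    verdict: str
    approver: Optional[str]
    reason: Optional[str]


class ToolGate:
    """Evaluates every proposed tool call and logs it, whatever the verdict,
    so denied and held actions are evidenced as well as executed ones."""

    def __init__(self, policy: AgentPolicy) -> None:
        self.policy = policy
        self.audit_log: List[AuditEvent] = []

    def evaluate(self, tool: str, data_classification: str, initiated_by: str,
                 approval: Optional[Approval] = None) -> Verdict:
        p = self.policy
        rank = CLASSIFICATION_RANK.get(data_classification)
        if rank is None or rank > CLASSIFICATION_RANK[p.max_classification]:
            verdict = Verdict.DENY        # unknown or over-tier data: fail closed
        elif tool in p.allowed_tools:
            verdict = Verdict.ALLOW
        elif tool in p.approval_tools:
            # A restricted action needs a named approver and a recorded reason.
            if approval is not None and approval.reason.strip():
                verdict = Verdict.ALLOW
            else:
                verdict = Verdict.REQUIRE_APPROVAL
        else:
            verdict = Verdict.DENY        # not on the approved list at all
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            agent_id=p.agent_id, initiated_by=initiated_by, tool=tool,
            data_classification=data_classification, verdict=verdict.value,
            approver=approval.approver if approval else None,
            reason=approval.reason if approval else None))
        return verdict

    def export_audit_log(self) -> List[dict]:
        """JSON-serialisable evidence for assurance or incident investigation."""
        return [asdict(e) for e in self.audit_log]


# Constructed example: a complaints-triage agent that may read cases and draft
# replies on its own, but may only send or reclassify with human approval.
TRIAGE_POLICY = AgentPolicy(
    agent_id="complaints-triage-agent", risk_owner="head-of-customer-ops",
    max_classification="personal",
    allowed_tools=frozenset({"read_case", "draft_reply"}),
    approval_tools=frozenset({"send_reply", "set_classification"}))


def demo() -> List[str]:
    """Run a constructed sequence of proposed actions through the gate."""
    gate = ToolGate(TRIAGE_POLICY)
    ok = Approval("j.smith", "Checked vulnerability flag; wording approved")
    stamp = Approval("j.smith", "")   # approver named but no reason recorded
    verdicts = [
        gate.evaluate("read_case", "personal", "user:a.jones"),
        gate.evaluate("send_reply", "personal", "user:a.jones"),
        gate.evaluate("send_reply", "personal", "user:a.jones", ok),
        gate.evaluate("send_reply", "personal", "user:a.jones", stamp),
        gate.evaluate("close_account", "personal", "user:a.jones"),
        gate.evaluate("read_case", "special_category", "user:a.jones"),
        gate.evaluate("read_case", "unrated", "user:a.jones"),
    ]
    return [v.value for v in verdicts]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the gate fails closed in three separate ways: a tool the register does not mention is denied, data above the agent's approved tier is denied even for a permitted tool, and a restricted action with an approver but no recorded reason stays held. Each of those outcomes lands in the audit log with the initiating user, agent, tool, data tier and approver, which is the evidence an assurance team or an affected customer would need to challenge or reconstruct what the agent was allowed to do.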

6. Vendor due diligence

Many organisations will adopt agentic AI through third-party platforms rather than building agents themselves. That does not remove accountability.

Vendor due diligence should cover data retention, model training, subprocessors, access controls, security architecture, incident notification, audit rights, system logs, explainability, data residency, fallback processes, model update management and contractual responsibility for harmful or non-compliant outputs.

Procurement teams should not approve agentic AI tools without AI-specific due diligence.

7. Incident response and reversibility

Agentic AI incident response should be planned before deployment. Organisations need to know how to pause an agent, revoke access, reverse actions, notify affected parties, preserve logs, investigate root cause and report incidents where required.

Reversibility is particularly important. If an AI agent can update records, send messages or trigger workflows, the organisation needs a practical mechanism to identify and unwind incorrect actions.

8. Continuous monitoring

AI agents should not be treated as static systems. Their behaviour may change as models are updated, tools are added, prompts are modified, integrations change or users discover new ways to interact with them.

Monitoring should cover performance, drift, error rates, complaints, override rates, unusual tool use, data access anomalies, escalation volumes and user behaviour.

Governance must continue after go-live.

Board-level accountability

Agentic AI is not just an IT implementation issue. It affects corporate accountability.

Boards and executive teams should ask whether the organisation has a clear register of AI agents, approved use cases, risk ratings, owners, data access rights, action permissions, monitoring controls and incident response procedures.

They should also ask whether agentic AI is being introduced through official transformation programmes or quietly through SaaS feature updates, vendor pilots and departmental experimentation.

The second route is where governance gaps grow.

A board does not need to approve every low-risk AI use case. But it does need assurance that the organisation has a framework capable of identifying, classifying and controlling AI agents before they become embedded in business processes.

The commercial opportunity: controlled adoption creates value

The point of AI governance is not to slow innovation. It is to make innovation safe enough to scale.

Agentic AI has real potential. It can reduce manual work, accelerate service operations, improve knowledge retrieval, support decision-making, streamline compliance workflows, enhance customer journeys and reduce operational friction. But those benefits only materialise sustainably if the organisation can trust the system.

Uncontrolled adoption creates a familiar pattern: pilots everywhere, value unclear, risk ownership confused, procurement fragmented, data exposure uncertain, compliance teams reacting late and executives unable to say which AI deployments are genuinely improving performance.

Controlled adoption creates a different pattern: approved use cases, measurable business value, known risk exposure, clear ownership, auditable decisions, defensible controls and a route to scale.

This is the heart of the current UK AI GRC conversation.

Agentic AI is turning AI governance from policy management into operational control.

What organisations should do now

The practical next step is not to ban AI agents. It is to inventory, classify and control them.

Organisations should start with five actions:

Create an AI agent register covering current, planned and vendor-enabled agentic capabilities.

Define risk tiers based on data sensitivity, system access, autonomy, external impact and decision significance.

Introduce pre-deployment approval for any agent that can access business systems, use personal data or trigger downstream actions.

Screen agentic AI use cases for automated decision-making, DPIA and human review requirements.

Implement minimum control requirements for access, logging, oversight, monitoring, vendor assurance and incident response.

The organisations that do this early will be in a stronger position. They will be able to adopt AI agents with confidence, demonstrate accountability and move faster because their governance model is built into deployment rather than bolted on afterwards.

How Strategic AI Guidance can help

Strategic AI Guidance helps organisations move from informal AI experimentation to controlled AI adoption.

For agentic AI, that means designing governance frameworks that make AI useful, auditable and defensible. The focus is practical: use-case approval, system access controls, data classification, human-in-the-loop thresholds, audit logging, vendor due diligence, incident response, ADM screening, DPIA triggers, model monitoring and board-level accountability.

The organisations that win with agentic AI will not be those that move fastest without controls. They will be those that build the control framework that allows them to move fast safely.

AI agents are coming into enterprise operations. The question is whether they arrive inside a governed operating model or through uncontrolled experimentation.

That decision should be made before deployment, not after something goes wrong.
