Execution risk · Agentic systems

The agent no one owns.

You have agents in production. Ask each one who owns it and who can stop it. In most enterprises, no one can answer. That gap, not the model, is the exposure.

Every large enterprise now runs agents in production. Ask a plain question of each one: who owns it, and who can stop it. Most cannot answer either part.

We build and operate these systems. So we start from the deployment logs, not the governance slide. The logs tell a consistent story this year.

The prevailing narrative points at standards and deadlines. NIST is defining agent identity. The EU AI Act lands enforcement on August 2, 2026. Both matter. Both presume something most enterprises still lack: a register of which agents exist, and a named human accountable for each.

The evidence is about oversight, not capability

MIT Sloan Management Review put the test plainly. Asked who is responsible for shutting down an AI system that is causing harm, most people cannot answer (MIT Sloan Management Review, 2026). The same review found human-in-the-loop review turning performative: approvals waved through at speed, not examined.

NIST is blunt about the mechanics. Its cybersecurity center reports that enterprises commonly treat agents as generic service accounts, granting standing permissions with no way to scope them to a task or a time window (NIST NCCoE, 2026). An unowned agent holding indefinite rights is not a productivity gain. It is an unbounded actor inside your perimeter.

The International AI Safety Report, backed by more than thirty governments and chaired by Yoshua Bengio, records that agents already complete real tasks with limited human oversight (International AI Safety Report, 2026). The capability is here. The accountability is not.

Governance begins with a register and a named owner, not a policy document. You cannot oversee an agent you have never counted. Hikari Blue · operator note

The inventory is the first control

Identity standards and audit trails are downstream controls. They assume you know the population they govern. Most enterprises do not. Shadow agents arrive through business teams, connected tools, and copied service accounts, outside any procurement path.

The first control is boring and decisive: an inventory. Every agent named, each with one accountable human, scoped permissions, and a documented stop path. This is the kill switch as architecture, not feature. It is built before the incident, not bolted on after.

Start with three columns. The agent. The human who owns it. The permissions it holds, and for how long. A blank cell is not paperwork, it is risk you had not seen. Most first passes surface agents that no current employee remembers authorizing.

Then scope authority to the task and the window. An agent that reconciles invoices at month-end does not need standing write access all year. Time-boxed, revocable rights turn a permanent liability into a bounded one (NIST NCCoE, 2026).

What Article 14 actually demands

The EU AI Act requires meaningful human oversight of high-risk systems (EU AI Act, Article 14). Those obligations become enforceable on August 2, 2026. Performative approval does not meet that bar. A regulator asking who stopped an agent, and when, expects a name and a timestamp, not a policy PDF.

For the board, the question moves off technology. It is not which model you run. It is whether every agent in production has an owner who can be named and a switch that can be pulled. That is governance your board can look in the eye.

The question to bring to the next board

Do not ask how many agents you have deployed.

Ask how many you can name, and who stops each one.

An agent no one owns is a decision no one made. Governance is the discipline of never running one.

Sources

The Hikari Blue team · Austin, July 2026

More from the Newsroom

See all articles in the Newsroom →

Map your exposure before the board does.

Thirty minutes with an operator. No slides.

Direct call with one of the partners. We listen, we structure, and we tell you what an agent register would look like (named ownership, scoped and time-boxed permissions, a documented stop path) for your specific stack and regulatory perimeter.