Every large enterprise now runs agents in production. Ask a plain question of each one: who owns it, and who can stop it. Most cannot answer either part.
We build and operate these systems. So we start from the deployment logs, not the governance slide. The logs tell a consistent story this year.
The prevailing narrative points at standards and deadlines. NIST is defining agent identity. The EU AI Act lands enforcement on August 2, 2026. Both matter. Both presume something most enterprises still lack: a register of which agents exist, and a named human accountable for each.
The evidence is about oversight, not capability
MIT Sloan Management Review put the test plainly. Asked who is responsible for shutting down an AI system that is causing harm, most people cannot answer (MIT Sloan Management Review, 2026). The same review found human-in-the-loop review turning performative: approvals waved through at speed, not examined.
NIST is blunt about the mechanics. Its cybersecurity center reports that enterprises commonly treat agents as generic service accounts, granting standing permissions with no way to scope them to a task or a time window (NIST NCCoE, 2026). An unowned agent holding indefinite rights is not a productivity gain. It is an unbounded actor inside your perimeter.
The International AI Safety Report, backed by more than thirty governments and chaired by Yoshua Bengio, records that agents already complete real tasks with limited human oversight (International AI Safety Report, 2026). The capability is here. The accountability is not.
Governance begins with a register and a named owner, not a policy document. You cannot oversee an agent you have never counted. Hikari Blue · operator note
The inventory is the first control
Identity standards and audit trails are downstream controls. They assume you know the population they govern. Most enterprises do not. Shadow agents arrive through business teams, connected tools, and copied service accounts, outside any procurement path.
The first control is boring and decisive: an inventory. Every agent named, each with one accountable human, scoped permissions, and a documented stop path. This is the kill switch as architecture, not feature. It is built before the incident, not bolted on after.
Start with three columns. The agent. The human who owns it. The permissions it holds, and for how long. A blank cell is not paperwork, it is risk you had not seen. Most first passes surface agents that no current employee remembers authorizing.
Then scope authority to the task and the window. An agent that reconciles invoices at month-end does not need standing write access all year. Time-boxed, revocable rights turn a permanent liability into a bounded one (NIST NCCoE, 2026).
What Article 14 actually demands
The EU AI Act requires meaningful human oversight of high-risk systems (EU AI Act, Article 14). Those obligations become enforceable on August 2, 2026. Performative approval does not meet that bar. A regulator asking who stopped an agent, and when, expects a name and a timestamp, not a policy PDF.
For the board, the question moves off technology. It is not which model you run. It is whether every agent in production has an owner who can be named and a switch that can be pulled. That is governance your board can look in the eye.
The question to bring to the next board
Do not ask how many agents you have deployed.
Ask how many you can name, and who stops each one.
An agent no one owns is a decision no one made. Governance is the discipline of never running one.
Sources
- MIT Sloan Management Review (2026). The Real Question to Ask About AI Governance. sloanreview.mit.edu/article/the-real-question-to-ask-about-ai-governance
- NIST NCCoE (2026). Accelerating the Adoption of Software and AI Agent Identity and Authorization, concept paper, February 5, 2026. nccoe.nist.gov/publications/other/accelerating-adoption-software-and-ai-agent-identity-and-authorization-concept
- International AI Safety Report (2026). Chaired by Yoshua Bengio, backed by more than thirty countries and international organizations. internationalaisafetyreport.org
- EU AI Act (2024). Article 14, Human oversight. High-risk obligations enforceable August 2, 2026. artificialintelligenceact.eu/article/14
The Hikari Blue team · Austin, July 2026