63% of Organizations Can't Control Their Own AI Agents

The headline your board saw

Kiteworks published their 2026 Data Security and Compliance Risk Forecast this week, and one number stopped me: 63% of organizations cannot enforce purpose limitations on what their AI agents are authorized to do. Sixty percent cannot terminate a misbehaving agent.

Every organization they surveyed has agentic AI on its roadmap. Fifty-one percent already have agents in production. These aren’t startups experimenting with chatbots. These are organizations with agents handling real workflows, real data, and real decisions. The question is whether anyone defined what those agents are allowed to do once they started.

What it actually means

The distance between “we deployed AI agents” and “we govern AI agents” is now measurable. It’s wider than most leadership teams realize.

A piece published in the California Management Review on March 20 frames this precisely. Sandeep Saini, a technical lead at Google who specializes in AI infrastructure, argues that AI has crossed a line from “tools” to “actors” that independently perceive, decide, and act. Traditional governance designed for deterministic software is, in his words, “increasingly inadequate” for systems that make their own decisions.

His solution is a four-layered Agentic Operating Model. A cognitive layer deploys specialized models instead of general-purpose ones, improving auditability. A coordination layer manages agent-to-agent communication with conflict resolution protocols. A control layer implements real-time guardrails, including what he calls “guardrail agents” that physically block high-risk actions before execution. And a governance layer establishes clear business ownership for each agent’s entire lifecycle.

The important shift here: from Human-in-the-Loop, where someone approves every action, to Human-on-the-Loop, where humans set boundaries and controls intervene only when something exceeds predefined thresholds. It’s the difference between standing over every decision and building a system that knows when to escalate. Most companies haven’t made this distinction yet. They’re either bottlenecking every action through a human checkpoint, which doesn’t scale, or they’ve given agents free rein, which doesn’t govern.

The vendor market noticed. This week alone, Netzilo launched MCP tool governance and Shadow AI visibility features for enterprises. Microsoft’s Power Platform March update introduced tenant-level controls for agentic apps. These products exist because the problem is real enough to sell solutions for.

Three questions your board will ask

Do we know what our AI agents are actually doing?

Most organizations don’t. A Coalfire survey published on March 19 found that only 1 in 10 organizations are deploying AI securely. Nearly 90% have faced an AI-driven incident in the past 18 months. The core issue is visibility. Security teams can’t see how agentic tools operate across business workflows. The threat category even has a name now: “agentic insider risk.” That’s when a trusted AI agent becomes a compromised actor, chaining actions across multiple services at machine speed, without anyone noticing. This isn’t a hypothetical attack vector. It’s happening.

Are we legally liable for what our agents promise?

Yes. The California Management Review piece cites Moffatt v. Air Canada, a 2024 case establishing organizational liability for autonomous agent decisions, even when those decisions contradicted internal policy. A chatbot made a promise. The company didn’t authorize it. The court held the company responsible. That precedent now applies to agentic systems operating with far more authority than a customer service bot. The same article cites the DPD chatbot incident, where a lack of real-time behavioral monitoring allowed an agent to publicly criticize its own company after a routine system update. Real-time guardrails would have caught it before it became a headline.

What does good governance actually look like?

The companies getting this right share a pattern: autonomy within structure. J.P. Morgan and Goldman Sachs require agent consensus before high-risk capital commitments. Lemonade processes a third of insurance claims autonomously with three-second settlements, but within clearly defined guardrails. Maersk’s autonomous vessel routing cut fuel consumption by 23%. None of these organizations handed their agents a blank check. They defined boundaries, built control layers, and monitor continuously.

The 60-second brief

The governance gap for agentic AI is quantified and growing. Sixty-three percent of organizations can’t enforce limits on agent behavior. Sixty percent can’t shut down a misbehaving agent. Ninety percent have already had an AI-driven incident.

The fix isn’t slowing down deployment. It’s building what the California Management Review calls an Agentic Operating Model: clear ownership per agent, real-time control layers, and Human-on-the-Loop supervision instead of Human-in-the-Loop bottlenecks. That’s a structural solution, not a bureaucratic one.

The organizations succeeding with agentic AI aren’t the ones with the most agents. They’re the ones who can tell their board exactly what each agent is authorized to do, and prove it.

What to watch

Singapore published an operational governance framework for agentic AI in January. NIST is running listening sessions through April on AI agent standards, with submission deadlines falling this month. Regulatory expectations for agent governance are forming now, not next year. Getting your governance structure right today means compliance becomes a natural extension later, not a scramble.