Home

/

Blog

/

AI Agents Security

Governing agentic AI

Rodrigo Fernández

Oct 1, 2025

Agentic systems plan, call tools, and act with minimal supervision, which shifts governance from model checks to system assurance. The EU AI Act raises the bar by tying obligations to risk and evidence, yet autonomy and emergent behavior complicate compliance. This article offers a practical path for governing agentic AI: define clear system boundaries, design scalable human oversight, enforce layered controls, and capture audit-ready evidence. You will learn how to interpret the Act for agent workflows, select fit-for-purpose controls, and operationalize compliance without slowing delivery.

Agentic AI in one page: what changes when systems act

Agentic AI combines planning, memory, and tool use to pursue goals across systems. That shift changes governance from checking one model to assuring an end-to-end workflow that can read, decide, and execute in real environments.

Core properties that impact governance

  • Autonomy and planning: Agents break goals into steps, reorder tasks, and continue after partial failure. Controls must account for plans, not just prompts.

  • Tool and API orchestration: Agents call connectors, run code, and move data. Each tool expands the attack surface and the audit scope.

  • Multi-agent delegation: Work passes between agents with different roles. Identity, permissions, and intent must travel with the task.

  • Memory and adaptation: Short- and long-term memory shape future actions. Retention rules and redaction policies need to bind to memory stores.

  • Context fusion: Agents blend inputs from files, chats, and third-party data. Provenance and quality checks become first-class controls.

Why this matters for control design

  • From model to system boundary: Govern the orchestra, not a single instrument. Policies must cover tools, data, and orchestration.

  • Actionable risk, not theory: Classify by impact on people, money, and operations. Tie authority to reversibility and blast radius.

  • Evidence by design: Capture plans, tool calls, inputs, outputs, and approvals as structured, immutable logs.

  • Oversight that scales: Use approval thresholds, safe fallbacks, and containment rules so humans guide outcomes without blocking routine work.

EU AI Act in practice for agentic systems

The EU AI Act is a risk based framework with obligations tied to roles and use context. It became law as Regulation (EU) 2024/1689 after publication in the Official Journal on 12 July 2024. High risk systems face requirements for risk management, documentation, logging, transparency, and human oversight. Market surveillance and post market monitoring complete the loop once systems are in use. 

Provider vs deployer responsibilities

Providers develop or have systems developed, then place them on the market. They must run a continuous risk management process, prepare and maintain technical documentation, and enable automatic event recording for traceability. Deployers use the system under their authority and must ensure human oversight and operational monitoring, while reporting serious incidents. 

Intended purpose vs emergent behavior in risk classification

Risk class is determined by intended purpose and use context. For agentic workflows, document the intended tasks and guardrail scope, then test for behavior that goes beyond that scope. If autonomy increases impact or reduces reversibility, treat the workflow as trending toward high risk and apply stricter oversight and evidence capture.  

Mapping agentic AI to the EU AI Act: a workable interpretation

Agentic workflows can fit the Act if you draw the right boundary, pick the correct risk class, and design oversight that produces evidence. The steps below align with core obligations on risk management, documentation, logging, and human oversight. 

Define the system boundary

Treat the agentic system as the model plus the orchestration layer, tools and APIs, data stores, memories, and deployment runtime. This scope is what you will document and keep current for conformity checks, using Annex IV as your checklist for what technical documentation must contain. Include interaction diagrams, tool permissions, and evaluation methods. 

Practical inclusions

  • Orchestrator and planner

  • Tool connectors and secrets path

  • Memory stores and retention rules

  • Guardrail and policy engines

  • Monitoring, logging, and incident hooks

Select the risk class with autonomy in view

Classify by intended purpose and use context, then stress test for emergent behavior. If the workflow touches Annex III areas such as essential services, employment, or critical infrastructure, treat it as high risk and prepare for tighter obligations. Document reversibility, human impact, and blast radius to justify your choice. 

Checklist

  • Intended tasks and users

  • Decision impact and reversibility

  • Data types processed, including PII

  • Connected tools with real-world effects

Design human oversight that scales

Build meaningful human oversight into the workflow rather than around it. Use approval thresholds for higher risk actions, break-glass routes for containment, and clear fallback behaviors when detections fire. Tie every approval or override to an actor, timestamp, and reason so you can prove control effectiveness. 

Patterns that work

  • Risk scored gates before tool execution

  • Dual control for irreversible actions

  • Safe fallbacks and auto rollback paths

  • Reviewer queues with service level targets

Evidence by design

Whatever you classify, you will need a continuous risk management process, technical documentation, and automatic event logs across the lifecycle. Capture plans, prompts, tool calls, outputs, approvals, and policy hits in immutable logs to satisfy audit and post-incident analysis.  

Governance gaps unique to agentic AI

Agentic workflows behave like living systems. They plan, branch, and call tools without constant supervision. Traditional governance centered on models and prompts misses what happens between steps. Closing that gap requires controls that understand plans, permissions, and consequences.

Measuring autonomy and authority

Define what the agent may decide, where it must ask, and what it must never do. Capture this as a policy that links authority to impact and reversibility. Give each workflow a risk score. Tie higher scores to tighter approvals, stronger logging, and smaller execution windows.

Checklist

  • Allowed actions by risk level

  • Non-negotiable no-go actions

  • Approval thresholds with owners

  • Time limits on unattended runs

Oversight when agents act across tools

Agents traverse apps, data stores, and APIs. Oversight fails if it lives only in one layer. Put control points at the orchestrator, the tool boundary, and the data boundary. Surface a single review view that shows the plan, the tools selected, and the evidence collected so far.

Design moves

  • Pre-execution review for high impact tasks

  • Real time alerts on plan drift

  • Containment rules when risk spikes

  • Reviewer queues with service levels

Tool and API permissioning

Every connector expands both utility and risk. Apply least privilege at the tool level, not only at the agent level. Use granular scopes, short lived credentials, and default deny. Require purpose binding so a token works only for a named workflow and a specific task stage.

Guardrails

  • Whitelisted tools per workflow

  • Read or write scopes split by table or endpoint

  • Secrets kept in a vault with rotation

  • Automatic token revocation on policy hit

Multi-agent handoffs and delegation chains

Work moves between planner, researcher, and executor roles. Identity and intent must follow the task. Stamp each handoff with who initiated, why it was delegated, and what bounds apply. Deny tool calls if the receiving agent lacks the inherited permission.

Evidence items

  • Delegation reason and scope

  • Allowed actions for the receiver

  • Time box for the assignment

  • Final outcome linked to initiator

Dynamic policy enforcement

Static rules cannot keep up with changing context. Use policies that reference risk signals such as sensitivity of input, novelty of the plan, or volume anomalies. Turn those signals into actions like require approval, mask data, or stop and roll back.

Policy triggers

  • Sensitive entity detected in context

  • Tool use outside typical sequence

  • Unusual data movement or rate

  • Confidence drop in intermediate answers

Evidence by design

Audits and incidents demand traceable decisions. Capture the plan, the prompts, the retrieved context, the tool calls, the outputs, and the approvals as structured records. Make logs immutable and searchable. Provide replay so reviewers can step through what happened and why.

Minimum viable evidence

  • Plan versions with timestamps

  • Input provenance and checks applied

  • Tool call parameters and results

  • Approvals, overrides, and reasons

  • Final outcome with success or failure code

Threats that shape governance for agentic AI

Agentic workflows inherit model risks and add tool risks. The same system that answers questions can schedule payments, move files, or modify records. Governance must reflect the ways attackers bend plans, inputs, and tool calls.

Prompt injection and tool poisoning

Attackers hide instructions or payloads in webpages, files, or retrieved notes. The agent follows the trap and executes real actions.

Signals to watch: sudden plan changes, tool calls unrelated to the goal.

Controls to apply: input provenance checks, strict allowlists, pre-execution validation, and execution sandboxes for code or shell steps.

Data exposure and PII sprawl

Agents gather context across mailboxes, drives, and APIs, then store it in memory or logs. Sensitive data leaks through outputs or telemetry.

Signals to watch: transfers of contact, payment, or health fields; large unstructured exports.

Controls to apply: DLP scanning on inputs and outputs, field level masking, purpose bound access tokens, short retention for memory.

Hallucinated actions with real effects

A confident but wrong plan can write to production or post to customer channels.

Signals to watch: low evidence confidence, novel tool sequences, missing approval steps.

Controls to apply: dry run mode with plan previews, reversible changes by default, human approval for irreversible actions.

Model extraction and reconnaissance

Probing queries map your prompts, tools, and policies. Over time, an attacker infers capabilities and weak spots.

Signals to watch: high query volume with minor variations, boundary testing on tool scopes.

Controls to apply: rate limits, query pattern analytics, structured refusals, and redaction of system prompts and connector details in outputs.

Control blueprint: prevent, detect, respond, recover

A practical governance program needs layered controls that create evidence by default. The set below maps cleanly to the Act’s core obligations on risk management, documentation, logging, human oversight, and post-market monitoring.

Prevent

  • Policy engine for actions and content: Enforce what an agent may ask, retrieve, write, or publish. Bind policies to workflow, user role, and data sensitivity.

  • Tool allowlists and scoped permissions: Approve only named tools for each workflow. Grant least privilege on endpoints, tables, and methods.

  • Secrets and connector hygiene: Store credentials in a vault, rotate often, and bind tokens to purpose and time.

  • Pre-deployment red teaming: Abuse-test agent plans, retrieval paths, and tool calls for prompt injection and tool poisoning risks before go-live. Align findings with your risk register.

Detect

  • Behavior analytics on plans and tools: Score plan drift, unusual tool sequences, and escalation loops. Alert when behavior diverges from the approved path.

  • Prompt injection indicators: Flag context that tries to change rules, exfiltrate secrets, or call unapproved tools.

  • Sensitive data detection: Run DLP on inputs, retrieved context, intermediate steps, and outputs. Log redactions and policy hits as evidence.

  • Health and performance monitors: Watch error spikes, retries, and latency that often precede unsafe behavior.

Respond

  • Auto-containment and safe fallbacks: Quarantine the task, roll back tentative changes, and swap to read-only mode on high risk signals.

  • Human approval gates: Route irreversible actions to reviewers with the full plan, context, and tool list attached. Record actor, time, and reason.

  • Runbooks and reporting: Standardize triage for policy hits and suspected incidents. Align timelines with the Act’s serious incident reporting expectations so the team can act without debate.

Recover

  • Immutable decision logs: Preserve plans, prompts, retrieved context, tool calls, results, and approvals. Support replay for audits and post-incident reviews.

  • Post-incident reviews and control tuning: Feed lessons into policy updates, model prompts, and tool scopes.

  • Post-market monitoring: Track real-world performance and drift against intended purpose, then document corrective actions in your evidence pack.

How controls map to obligations

  • Risk management: red teaming, behavior analytics, and corrective actions support a continuous process across the lifecycle.

  • Technical documentation: policies, system boundaries, tool scopes, and test methods fill Annex IV expectations.

  • Logging and traceability: immutable decision logs satisfy record-keeping and enable replay.

  • Human oversight: reviewer gates and break-glass routes operationalize “meaningful oversight.”

  • Post-market duties: monitoring and incident reporting complete the loop once in production.

Operating model and metrics

Governance works when roles, rhythms, and evidence are clear. Give each control an owner, set measurable targets, and keep an audit ready trail that maps to your obligations.

RACI for provider and deployer

  • Provider: risk management design, technical documentation, security testing, release gates

  • Deployer: human oversight in production, incident response, post market monitoring, user training

  • Shared: logging pipeline, policy updates, model and tool inventories, conformity preparation

KPIs and guardrail targets

  • Unsafe action block rate: percentage of blocked high risk actions before execution

  • Approval lead time: median minutes from request to decision for irreversible steps

  • False positive rate: share of alerts that do not require action

  • Data leakage incidents: confirmed events per quarter, target trending down

  • Time to contain: minutes from detection to safe state for agent tasks

Evidence catalog

  • Design artifacts: system boundary, tool scopes, policies, and test plans

  • Runtime records: plans, context sources, tool calls, approvals, and outcomes

  • Assurance packs: red team results, control mappings, KPI trends, and corrective actions

  • Access posture: secrets storage, token lifetimes, rotation logs, and purpose bindings

Implementation roadmap: 30, 60, 90 days

Start small, show control effectiveness, and expand to the highest impact workflows.

Day 0–30

  • Inventory agents, tools, data stores, and external connectors

  • Define system boundaries and intended purpose for top workflows

  • Stand up logging for plans, context, and tool calls

  • Establish policy baselines with allowlists and no go actions

  • Launch initial red teaming focused on prompt injection and tool misuse

Day 31–60

  • Enable approval gates for irreversible actions with reviewer queues

  • Deploy DLP for inputs, retrieved context, and outputs

  • Add behavior analytics for plan drift and unusual tool sequences

  • Tighten secrets handling with vault backed tokens and rotation

  • Pilot incident runbooks with dry run containment exercises

Day 61–90

  • Tune detections to reduce false positives and improve time to contain

  • Finalize evidence packs that map controls to obligations

  • Run a mock conformity review with provider and deployer teams

  • Expand coverage to additional workflows with the same control set

  • Set quarterly review cadences for policy, metrics, and red team scope

Frequently asked questions

Do we need a high risk label for every agentic workflow

No. Classify by intended purpose, impact, and reversibility. Use stricter controls when actions affect people or critical operations.

How do we size human oversight without stalling delivery

Use approval thresholds tied to risk. Routine reads stay automated. Irreversible writes require review with full context.

What evidence convinces auditors

Structured, immutable logs that link plans, inputs, tool calls, outputs, and approvals. Include red team results and control mappings.

How do we govern third party tools connected to agents

Apply least privilege at the tool level, bind tokens to purpose and time, and record every call with parameters and results.

What should we test before go live

Abuse tests for prompt injection, tool poisoning, and unsafe plans. Test rollback paths, containment rules, and reviewer queues.

Conclusion

Agentic AI changes governance by turning single prompts into live workflows that can read, decide, and act. The answer is system level assurance. Draw a clear boundary, set layered controls, and capture evidence by default. Measure what matters and practice response before you need it. Use the 30, 60, 90 day plan to reach a repeatable program, then extend it to your highest impact tasks first.

You can also find tools that automate AI Compliance which can help you save time and effort.

Related Posts

View All

View All

View All

AI Agents Security

Top 10 AI Agent Security Risks

Oct 1, 2025

AI Agents Security

Top 10 AI Agent Security Risks

Oct 1, 2025

AI Agents Security

Top 10 AI Agent Security Risks

Oct 1, 2025

AI Agents Security

Why multi-agent systems fail

Oct 1, 2025

AI Agents Security

Why multi-agent systems fail

Oct 1, 2025

AI Agents Security

Why multi-agent systems fail

Oct 1, 2025

AI Agents Security

Data leakage in AI agents

Oct 1, 2025

AI Agents Security

Data leakage in AI agents

Oct 1, 2025

AI Agents Security

Data leakage in AI agents

Oct 1, 2025

More Article by Rodrigo Fernández

View All

View All

View All

MCP Security

Top 10 MCP Security Risks (and How to Prevent Them)

Oct 1, 2025

MCP Security

Top 10 MCP Security Risks (and How to Prevent Them)

Oct 1, 2025

MCP Security

Top 10 MCP Security Risks (and How to Prevent Them)

Oct 1, 2025

AI Agents Security

Top 10 AI Agent Security Risks

Oct 1, 2025

AI Agents Security

Top 10 AI Agent Security Risks

Oct 1, 2025

AI Agents Security

Top 10 AI Agent Security Risks

Oct 1, 2025

Benchmarks

Top 10 AI Agent Security platforms

Oct 1, 2025

Benchmarks

Top 10 AI Agent Security platforms

Oct 1, 2025

Benchmarks

Top 10 AI Agent Security platforms

Oct 1, 2025

Explore Topics

AI Agents Security

MCP Security

Benchmarks

News

Explore Topics

AI Agents Security

MCP Security

Benchmarks

News

Explore Topics

AI Agents Security

MCP Security

Benchmarks

News

Sponsor

Sponsor

Sponsor