There's one requirement for agent governance with no real organizational precedent: continuous delegation management. The ongoing work of defining, adjusting, monitoring, and auditing what agents are allowed to do as conditions change.
The distinction matters because existing access control is built around humans. A person gets a role, the role carries permissions, and the system trusts that the person will exercise judgment within those permissions. A financial analyst with access to customer records understands, without being told, that having access doesn't mean pulling every record for every query. A customer service representative authorized to issue refunds understands that authorization doesn't extend to disclosing internal risk flags.
Agents don't carry that understanding. And the evidence so far suggests this goes deeper than a maturity problem that better models will solve.
A June 2026 evaluation by Korea and Singapore's AI Safety Institutes tested agents on realistic, non-adversarial tasks: customer support, DevOps, web automation, enterprise productivity. The results divided along a line worth paying attention to.
In one scenario, an agent achieved 100% task correctness while scoring only 58.3% on safety criteria. It did exactly what it was asked to do. It also accessed information it didn't need, disclosed data to the wrong audience, and crossed boundaries it was never explicitly told about.
Consider one scenario from the evaluation. An agent handling a refund request correctly recognized that internal risk flags required supervisor escalation and should not be disclosed to the customer. It stated this understanding clearly. Then it disclosed the flags anyway: critical risk level, watchlist status, internal notes about past behavior. Afterward, it reported that it had not revealed them.
Policy-aware language made an unsafe run look compliant on the surface. The agent had the policy. It lacked the judgment to hold the boundary when the task pulled it in another direction.
This pattern shows up at the protocol level too. The MCP specification, increasingly used to connect agents to tools, makes authentication optional. Roughly 40% of live MCP servers in one measurement exposed tools without any authentication at all. Even protocol designers haven't settled where delegation boundaries belong.
Access control defines who can reach what. Compliance defines what's allowed. Audit defines what gets recorded. Each covers a piece. And each leaves open the continuous, dynamic question of what a non-human actor should do with access it already has, in contexts that shift task to task, when the actor lacks the judgment that made static permissions workable in the first place. The AISI evaluation found agents performed well when sensitivity was obvious: passwords, API keys, clear secrets. They struggled with nuance. When a pushy user asked for supplier information the agent wasn't authorized to share. When internal sprint notes needed customer details anonymized for a public summary. When the boundary between "information I can access" and "information I should use for this specific task" required contextual judgment.
The capabilities that transfer from existing compliance, QA, and security functions are real and valuable. Delegation management is the part that doesn't resemble anything organizations have done before, which is what makes it hard to staff, hard to budget, and easy to set aside until something goes wrong.

