Most enterprises deploying autonomous AI agents hit the same wall. The automations are running. And then someone realises that every meaningful action still requires a human to approve it — and that human has become the bottleneck. What was supposed to be an automation layer becomes a very expensive ticketing system.
This is not a model quality problem. It is an architectural one.
The most detailed response to this problem is “Governing the Agentic Enterprise,” published in March 2026 in UC Berkeley’s California Management Review by Sandeep Saini. The paper introduces the Berkeley CMR Agentic Operating Model — a four-layer governance architecture for enterprises deploying AI agents at scale. In this article we’re going to cover the agentic governance gap the AOM was designed to address and map each layer to real enterprise deployments.
The AOM’s core claim: restructure oversight so humans remain in control without being in the way.
What Is the Berkeley CMR Agentic Operating Model and Why Was It Written?
The Berkeley CMR Agentic Operating Model is a governance framework that sets out the minimum structural conditions for responsible enterprise deployment of autonomous AI agents. It was published in response to what Saini calls “compliant failure” — governance on paper, but not running in practice.
Two cases frame the problem. In Moffatt v. Air Canada, the court held Air Canada liable for autonomous commitments its chatbot made — no accountability structure, no mechanism to flag out-of-scope queries. In the DPD rogue chatbot incident, a system update altered the agent’s reasoning boundaries with no monitoring to catch it. Both organisations had policies. Neither had embedded governance in their architecture.
The AOM operationalises ISO/IEC 42001 and the NIST AI Risk Management Framework — addressing why existing frameworks are architecturally inadequate when applied to agents without modification.
What Are the Four Layers of the Berkeley CMR Framework — and What Does Each One Actually Govern?
The AOM has four layers: Cognitive, Coordination, Control, and Governance. They are sequential. Missing one does not produce a partial implementation — it produces a weaker system.
The Cognitive Layer governs how intelligence is instantiated. The AOM favours specialised, domain-specific models over a single general-purpose system. A fraud-detection agent trained on financial data outperforms a general LLM on that task — and is easier to audit and constrain.
The Coordination Layer governs how multiple agents interact. That ranges from centralised Hub-and-Spoke orchestration through to decentralised Swarm Intelligence, where agents coordinate via local rules without a single point of failure. Hub-and-Spoke gives you clean audit trails. Swarm scales further but requires governance to be embedded in the coordination protocol itself.
The Control Layer bounds agent behaviour in real time — replacing reactive audits with proactive mechanisms: confidence thresholds, behavioural baselines, guardrail agents, and circuit breakers.
The Governance Layer assigns accountability. Each agent needs a documented business owner, a defined risk profile, and clear decision boundaries. Without this layer, agents become organisational orphans — active in production, owned by no one.
What Is the Orchestration Gap and Why Does It Break Hub-and-Spoke Agent Management?
The Orchestration Gap is the mismatch that emerges when decentralised software agents outpace centralised human management capacity.
In a Hub-and-Spoke model, every agent action routes through a central orchestrator. At ten agents that is manageable. At hundreds executing thousands of actions per hour, the humans behind it cannot triage the volume. A 20–30 second validation step per transaction, applied across hundreds of thousands of transactions annually, quietly adds thousands of hours of manual effort back into the system.
The AOM’s response: governance travels with the agent rather than waiting at a central checkpoint. In the Human-on-the-Loop (HOTL) model, humans become Switchboard Operators — defining ethical boundaries, confidence thresholds, and escalation rules that govern the entire agent mesh. Human judgement moves upstream into constraint design, not per-transaction approval.
What Is a Guardrail Agent and How Does It Intercept Risky Agent Actions Before They Reach Your Systems?
A guardrail agent is a lightweight interceptor model that sits between a primary agent’s output and a system of record. Before any action executes, it evaluates the action against predefined thresholds and either allows it, escalates it for human review, or blocks it.
Here is a practical example. A Procurement Agent authorised up to $10,000 in vendor spend has a 95% confidence threshold and a $10,000 behavioural baseline. A $14,000 purchase order fails both checks and is held. The system of record never receives the instruction.
This is different from role-based access control (RBAC), which blocks based on identity and permission scope. The guardrail agent blocks based on reasoning confidence and action risk.
The Safe-Action Pipeline extends this to the infrastructure level. For irreversible data changes or large financial commitments, a hard approval is enforced at the system level. Agent logic cannot override it.
What Is the Circuit-Breaker Pattern and How Does It Create Hard Limits Agent Reasoning Cannot Override?
Software engineers will recognise this from microservices architecture. The AOM adapts it for the Control Layer.
The circuit breaker has three states. Closed: agent operates normally. Open: a threshold breach triggers an automatic halt — actions fail fast. Half-Open: a recovery probe tests whether safe operation can resume.
The Open state cannot be bypassed by the agent’s own reasoning. Every state transition is logged with the triggering event and timestamp, producing the digital provenance record that regulated environments require.
How Does Human-on-the-Loop Work in Practice Without Becoming a Governance Bottleneck?
Human-in-the-Loop (HITL): a human approves each agent action before it executes. Fine for a single agent at low volume. At enterprise scale, it is the Orchestration Gap made concrete.
Human-on-the-Loop (HOTL) is the architectural response. Humans define the constraints, thresholds, and escalation rules upfront. Agents operate autonomously within those bounds and humans intervene only when a threshold triggers an escalation.
Lemonade‘s AI Jim is the clearest proof point. A swarm of seven specialised agents verifies policy terms, weather data, and prior claim history in parallel. Approximately one-third of claims are processed autonomously, some settling in three seconds, at roughly 2,300 customers per employee — a ratio that is simply impossible under HITL. Human oversight is embedded in the thresholds that define when AI Jim acts alone and when it cannot.
How Are Lemonade, Maersk, and J.P. Morgan Using Multi-Agent Governance in the Real World?
Each case study maps to a specific AOM layer.
Lemonade (Coordination Layer — Swarm): the seven-agent claims swarm is a Coordination Layer implementation, with HOTL supervision embedded in the swarm’s operating rules.
Maersk — Project Autosub (Coordination Layer — Agentic Mesh): autonomous vessel agents coordinate route optimisation and port scheduling across a global logistics network without human intervention. The result is a 23% reduction in fuel consumption.
J.P. Morgan / Goldman Sachs (Control Layer — Consensus Mechanism): Risk, Compliance, and Audit agents must all agree before a high-risk capital action executes. No single agent can commit capital unilaterally. This is a worked example of the WEF Agentic AI Readiness Framework as a policy companion to the AOM’s Control Layer requirements.
Across all three: autonomy is high and bounded. Governance is embedded in thresholds, consensus rules, and coordination protocols — not bolted on after the fact.
How Do You Classify Agent Risk Level Before Deploying Governance Controls?
Without risk classification, governance controls get applied uniformly — over-controlling low-risk agents or under-controlling dangerous ones. Neither is acceptable.
The AOM specifies four classification dimensions: Autonomy Level, Action Reversibility, Data Sensitivity, and Blast Radius. Tier 1 agents — high autonomy, irreversible actions, sensitive data, large blast radius — require guardrail agents, circuit breakers, and the tightest confidence thresholds. Tier 3 agents — advisory output, reversible, non-sensitive — operate with minimal checkpoints.
Start with the Governance Layer. Build an agent registry — a spreadsheet works — listing every active agent by name, owner, tier, and active governance controls. This resolves the organisational orphan problem and costs nothing but an afternoon. Then apply Control Layer thresholds to Tier 1 agents first.
For the vendor tools implementing what the Berkeley CMR governance layer requires, that registry is also where tooling evaluation begins.
FAQ
What does “compliant failure” mean in the context of agentic AI governance?
Governance documentation and policies exist, but those controls are not embedded in the operating architecture. Agents operate without behavioural monitoring. The governance exists on paper. It does not run in production.
Is the Berkeley CMR Agentic Operating Model peer-reviewed?
The paper was published in UC Berkeley’s California Management Review (Haas School of Business), a peer-reviewed academic management publication. It draws on enterprise deployments — Lemonade, Maersk, J.P. Morgan — as empirical grounding.
What is the difference between a guardrail agent and a content filter?
A content filter screens output for prohibited content after the response is generated. A guardrail agent evaluates action intent and risk before the action executes — it can block, escalate, or allow, and it operates on the action pipeline, not on output text.
How does the circuit-breaker pattern differ from a simple rate limiter or kill switch?
A rate limiter restricts action volume but does not assess risk per action. A kill switch is a binary manual intervention. The circuit breaker is a three-state automated state machine (Closed / Open / Half-Open) that transitions automatically based on threshold events and includes a recovery probe — restoring capability without manual reset.
What is an “organisational orphan” in agentic AI?
An organisational orphan is an autonomous agent active in production with no assigned business owner, no documented decision boundaries, and no accountability structure. The Governance Layer exists to prevent this.
What is the Safe-Action Pipeline and how does it relate to the guardrail agent?
The guardrail agent escalates when confidence thresholds are breached. The Safe-Action Pipeline physically blocks the action at the system level for the highest-risk categories, regardless of confidence score — preventing execution until hard approval is granted.
What is the minimum viable implementation of the Berkeley CMR AOM for a 50-person SaaS startup?
Create an agent registry listing every active agent, its owner, data access scope, and action permissions. This resolves the organisational orphan problem immediately. Then apply Control Layer thresholds to any agent with access to external systems or financial actions.
How does the AOM relate to ISO/IEC 42001 and the NIST AI Risk Management Framework?
The AOM operationalises both standards for an agentic context. The Governance Layer translates them into specific structural requirements: business owner assignment, agent risk profiles, decision boundary documentation, and digital provenance records.
What is “digital provenance” and why does it matter for agentic AI governance?
Digital provenance is the capacity to reconstruct which model version, configuration, and prompt sequence produced a given agent output and triggered a given action. In regulated environments, this is a legal requirement — the Moffatt v. Air Canada precedent established organisational liability for autonomous agent decisions.
