May 26, 2026

WEF Readiness Framework — What Boards Are Asking About Agent Risk

AUTHOR

James A. Wondrasek

Boards are being asked to sign off on AI agent deployments right now. Most of them don’t have the vocabulary, frameworks, or questions to govern what they’re approving. The agentic governance gap is getting bigger — and it now has a legal precedent attached to it.

Two things changed in 2026. In April, the WEF published its Agentic AI Readiness Framework. In May, the Five Eyes intelligence alliance — US CISA, ASD’s ACSC, NSA, NCSC-UK, NCSC-NZ, and CCCS Canada — published joint guidance on agentic AI adoption.

This article takes the WEF framework and turns it into seven governance questions a board can table before approving any autonomous AI deployment. We’re starting with Moffatt v. Air Canada — the 2024 ruling that made it very clear that liability cannot be delegated to the agent.

What Is the WEF Agentic AI Readiness Framework and What Problem Was It Written to Solve?

Earlier automation handled individual tasks. Agentic AI coordinates, decides, and acts across multiple workflow steps spanning entire organisations without anyone prompting it along the way. The governance models most organisations have right now assume human decision-makers. They weren’t built for this.

The WEF framework surveyed 350 public-sector organisations and mapped 70 core government functions against agentic AI potential and implementation complexity. Think of it as a readiness topography rather than a checklist — it tells you which workflows to automate first, and on what evidence.

The framework is built around four readiness dimensions: accountability assignment, audit trail infrastructure, oversight mechanisms, and incident response. And here’s why that matters in practice: Gartner predicts over 40% of agentic AI projects will be cancelled by end of 2027 due to unclear business value and inadequate risk controls. The WEF framework is a direct response to the governance infrastructure failing to keep pace with agent deployment.

What Is “Bounded Autonomy” and Why Is It the Right Governance Language for Boards?

“Bounded autonomy” is the WEF framework’s central commitment. The idea is simple: agents operate within an explicitly defined scope, with documented escalation mechanisms and human oversight checkpoints. Enforceable parameters — not blanket approval, and not blanket prohibition.

ACSC guidance gets specific about what that means in practice: a defined operational scope, documented human oversight points, transparency requirements, and guardrails that stop agents from going beyond their authorised scope.

The WEF framework distinguishes between two oversight models. Human-in-the-loop (HITL) means active human involvement in specific decisions — required for anything high-impact or irreversible. Human-on-the-loop (HOTL) means supervisory ability to monitor and step in — appropriate for medium-risk workflows.

Here’s the thing though: according to Obsidian Security, 90% of AI agents hold excessive privileges — 10 times more access than their workflows actually need. That’s not a theoretical concern, it’s an empirical one. Bounded autonomy is how you fix it.

What Governance Questions Should a Board Be Asking About AI Agent Deployment Right Now?

The WEF framework’s four readiness dimensions translate directly into seven questions. Each one has a yes/no answer — and your organisation should be able to provide it.

Accountability — Q1: Can you name a specific human accountable for every decision this agent makes? If the answer is “the vendor” or “the AI,” the answer is no.

Accountability — Q2: When two or more agents interact, who owns the chain? Cascading failures in multi-agent systems create accountability gaps that policy has to address — not code.

Audit — Q3: Can you produce a complete log of every action this agent has taken, when it was taken, and under whose authority? This is the digital provenance test.

Oversight — Q4: Are there categories of action this agent is authorised to take without human approval, and has the board explicitly approved those categories?

Oversight — Q5: Do you have a kill switch, and have you tested it in the last 90 days? Only 35% of organisations can reliably execute a basic agent kill switch. Surfacing this failure is a board-level obligation.

Incident Response — Q6: Is there a written incident response plan for autonomous agent failure — including credential revocation and log reconstruction?

Risk Ownership — Q7: Which board committee owns agentic AI risk, and when did it last review an agent deployment?

If you’re a smaller board, start with questions 1, 3, and 5. The full seven is the standard you’re building toward.

What Is the CISA/Five Eyes Joint Guidance and Why Does Its Multinational Authorship Matter?

“Careful Adoption of Agentic AI Services” was co-authored by six national cybersecurity agencies: US CISA, ASD’s ACSC, NSA, NCSC-UK, NCSC-NZ, and CCCS Canada. For any multinational SaaS, FinTech, or HealthTech operating in those markets, this carries real compliance weight. It’s a coordinated signal across five nations — that’s not something you can ignore.

The WEF framework is strategic. The CISA/ACSC guidance is operational. It specifies security prerequisites: Non-Human Identity management, Zero Trust Architecture, unified audit logging, and threat modelling using MITRE ATLAS and OWASP Agentic Top 10. The important point here: incident response is a prerequisite before deployment — not something you bolt on afterwards. NIST AI RMF and ISO/IEC 42001 sit at the governance layer above; OWASP Agentic Top 10 at the technical risk taxonomy layer below.

What Does Digital Provenance Mean and Why Is It a Fiduciary Obligation, Not Just a Technical Requirement?

Digital provenance is the ability to trace which agent took which action, with whose authority, at what time.

Traditional IAM was designed for human, session-based access. It is not suited to governing agents. Non-Human Identity (NHI) management assigns each agent a cryptographically anchored identity with its own lifecycle and access controls. NHIs already outnumber human identities 25–50 times in modern enterprises — and half of enterprises surveyed have experienced a breach through unmanaged non-human identities.

A board that approves an agentic deployment without requiring digital provenance has approved a system it cannot audit, cannot explain to regulators, and cannot defend in litigation. That is fiduciary exposure, not a technical gap.
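
The bounded-autonomy scope check and the provenance record described above, as an added example that is not code from this article or from the frameworks it cites. The agent name, action names, addresses and key are constructed, and a per-agent HMAC key stands in for a Non-Human Identity credential.

```python
import hashlib, hmac, json

# Constructed policy for one hypothetical agent; all names are illustrative.
POLICY = {"refund-agent-01": {
    "owner": "jane.doe@example.com",                        # named accountable human
    "autonomous": {"lookup_booking", "send_status_email"},  # board-approved, no approval step
    "hitl": {"issue_refund"},                               # human-in-the-loop required
}}

def _mac(key, body):
    # Canonical JSON so the same record always produces the same MAC.
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ProvenanceLog:
    """Append-only log: each record is MACed with the agent's key and chained to the previous one."""
    def __init__(self, agent_keys):
        self.agent_keys, self.records = agent_keys, []

    def append(self, agent, action, decision, authority, ts):
        prev = self.records[-1]["mac"] if self.records else "0" * 64
        rec = {"agent": agent, "action": action, "decision": decision,
               "authority": authority, "ts": ts, "prev": prev}
        rec["mac"] = _mac(self.agent_keys[agent], rec)
        self.records.append(rec)

    def verify(self):
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "mac"}
            expected = _mac(self.agent_keys[rec["agent"]], body)
            if rec["prev"] != prev or not hmac.compare_digest(expected, rec["mac"]):
                return False  # record edited, reordered or removed mid-chain
            prev = rec["mac"]
        return True

def authorise(log, agent, action, ts, approver=None):
    """Decide whether the action is in scope and record under whose authority."""
    scope = POLICY[agent]  # unknown agent: KeyError, nothing runs (fail closed)
    if action in scope["autonomous"]:
        decision, authority = "allow", scope["owner"]
    elif action in scope["hitl"]:
        decision, authority = ("allow", approver) if approver else ("escalate", scope["owner"])
    else:
        decision, authority = "deny", scope["owner"]  # outside the approved scope
    log.append(agent, action, decision, authority, ts)
    return decision
```

Every decision, including escalations and denials, lands in the log with the authorising human attached, which is what separates a provenance record from an ordinary event log.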

Who Is Legally Liable When an Autonomous Agent Causes Harm? (Moffatt v. Air Canada)

In November 2022, Jake Moffatt asked Air Canada’s chatbot about bereavement fares. The chatbot told him he could buy a full-price ticket and apply for a retroactive discount within 90 days. That policy did not exist. He spent $1,640. In February 2024, BC’s Civil Resolution Tribunal awarded him $812.02 in damages.

Air Canada argued the chatbot was “a separate legal entity.” The Tribunal rejected it: “Air Canada did not take reasonable care to ensure its chatbot was accurate.”

That’s the ruling that matters. Liability cannot be contracted away to a vendor. Accountability cannot be attributed to the AI. Your organisation is liable for what agents say, promise, and do — and in regulated industries the stakes are a lot higher than a bereavement fare. The kill switch failure rates in our agent governance series complete the risk picture: agents that cannot be stopped, in a legal framework that holds you accountable for everything they do.

How Does the WEF Framework Relate to NIST AI RMF, OWASP Agentic Top 10, and ISO/IEC 42001?

These frameworks operate at different layers. The hierarchy matters — applying the wrong one at the wrong level just creates extra work.

WEF Agentic AI Readiness Framework: strategic layer. Vocabulary, readiness dimensions, sequencing logic.

NIST AI Risk Management Framework: governance layer. GOVERN, MAP, MEASURE, MANAGE. The entry point for US-regulated entities.

ISO/IEC 42001: also governance layer, but certifiable and internationally recognised. Most relevant when you’re operating across multiple jurisdictions.

OWASP Agentic Top 10 (2026): risk taxonomy layer — ASI01 through ASI10. The enumerable list of risks audit committees can require engineering teams to address before deployment approval.

For engineering-level implementation, the Berkeley CMR Agentic Operating Model provides the four-layer architecture that sits beneath the WEF strategic framework.

Frequently Asked Questions

What are the four readiness dimensions of the WEF Agentic AI Readiness Framework?

Accountability assignment, audit trail infrastructure, oversight mechanisms, and incident response capability — who owns decisions, whether actions are traceable, what human review is required, and whether the organisation can recover from agent failure.

What is “bounded autonomy” in simple terms?

An AI agent is authorised to act within a clearly defined scope and must escalate to a human outside it. Autonomy is constrained by policy, not open-ended by default.

What is the CISA/Five Eyes guidance on agentic AI?

“Careful Adoption of Agentic AI Services” — published 1 May 2026 by US CISA, ASD’s ACSC, NSA, NCSC-UK, NCSC-NZ, and CCCS. It specifies security prerequisites including Non-Human Identity management, Zero Trust Architecture, unified audit logging, and incident response readiness.

What is digital provenance and how does it differ from ordinary logging?

Digital provenance is traceable accountability — attribution of each action to a specific agent identity, model version, configuration, and authorisation. Ordinary logs record that something happened; digital provenance records who authorised it and whether it was within scope.

What is Non-Human Identity management and why do boards need to know about it?

NHI management assigns each AI agent a cryptographically anchored identity distinct from human accounts — enabling individual identification, auditing, and revocation. Without it there is no foundation for accountability claims when an agent causes harm.

What is the OWASP Agentic Top 10 and is it relevant to boards?

The OWASP Agentic Top 10 (2026) is a technical risk taxonomy (ASI01–ASI10) covering agent goal hijacking, cascading failures, and resource overreach. Audit committees can use it as an enumerable list of risks to require engineering teams to address before deployment approval.

What does human-in-the-loop mean versus human-on-the-loop?

HITL: active human involvement in each decision — required for high-impact or irreversible actions. HOTL: supervisory monitoring with ability to intervene — appropriate for medium-risk workflows. Which model applies is a board decision, not an engineering default.

Is the WEF Readiness Framework designed for enterprise only, or does it apply to mid-market companies?

It was designed for government and large enterprise, but its four readiness dimensions apply regardless of size. For a 50–500 employee company, start with three questions: Can you name who is accountable for each agent? Can you produce a complete audit log? Have you tested your kill switch?

What does NIST AI RMF say about agentic AI specifically?

NIST AI RMF provides an overarching risk management process — GOVERN, MAP, MEASURE, MANAGE — applicable to all AI systems. No dedicated agentic AI profile exists yet, but the CISA/Five Eyes guidance positions itself within this context, making it the entry point for US-regulated entities.

What is Least Agency and how does it relate to bounded autonomy?

Least Agency is OWASP’s principle that autonomous systems should have the minimum autonomy to complete their function — the agentic equivalent of Least Privilege. Bounded autonomy is the board-level commitment; Least Agency is how engineering implements it.

What is ISO/IEC 42001 and when does it matter for your organisation?

ISO/IEC 42001 is the international AI management system standard — certifiable, lifecycle-focused, aligned with the EU AI Act. Most relevant when operating across multiple jurisdictions or seeking third-party certification.

What is specification gaming in the context of AI agents?

Specification gaming is when an agent achieves its stated goal through unintended means that violate the goal’s intent. The ACSC guidance identifies it as goal misalignment distinct from prompt injection — scope constraints must address both what agents can do and how they are expected to do it.
