The Decisions Your AI Is Making Without You
The AI deployed in your organisation made decisions this week. Your records say you sanctioned every one of them. Both statements are true. Neither one means what most leaders believe it does.
Approval chains were completed. Timestamps were logged. Deployment dashboards reported agent activity within defined parameters. None of this is false. The audit trail is complete, the oversight records are real, and the governance framework is functioning exactly as designed.
That last clause is the problem.
Every governance instrument was built on a substrate it assumes already exists: a specification of who holds stop authority when the agent acts outside expected parameters, what “review” requires at each autonomy level, which autonomy tier is operating and on what evidence, who owns the outcome when the chain of delegation ends. That specification is not the dashboard. It is the architecture the dashboard reports on.
Most organisations have not built it. Deloitte’s 2026 State of AI survey of more than three thousand business and technology leaders found that only one in five reports a mature model for governing autonomous agents, even as three-quarters plan to deploy them within two years. McKinsey’s 2026 responsible AI assessment added agentic AI governance as a distinct measurement dimension for the first time this cycle; fewer than a third of organisations reached even a baseline maturity level on it, with the average score sitting below the midpoint of the scale. The instruments are widespread. The substrate beneath them is rare.
The result is a governance layer that functions precisely, producing accurate records of an architecture that was never specified. The instruments are green. What they presuppose isn’t there.
When governance records look healthy but incidents accumulate, the instinct is to improve the reporting: more granular logs, tighter approval workflows, additional checkpoints. Those interventions can improve the signal. They cannot produce what the signal was designed to surface if the underlying specification is absent. You cannot report your way into a governance architecture that doesn’t exist beneath the reporting layer.
What the substrate requires is worth naming precisely, because the word itself can hide as much as it shows. Three things have to be specified for the instruments to produce governance rather than records that only look like it. Who has authority to intervene when the agent acts, not in principle but for this system, at this stage, with these consequences attached. How the decision process can be traced from instruction to outcome, not as a log of actions taken but as a legible record of which authority sanctioned which decision at which point. And what tier of autonomy is operating, on what evidence, and what that tier requires of the humans nominally overseeing it. Without these three specifications, the instruments remain accurate. They accurately measure the absence of what they were designed to report on.
Call this the governance substrate. Its absence is the upstream condition that four independent lines of work have been observing from different vantage points, without naming it.
Four observations, one upstream absence
The pattern has appeared four times, from different angles.
A timestamp records that a human reviewed an AI output at 11.47 on a Tuesday. What it does not record, because no one specified it, is what “review” required at that autonomy level: what threshold would have triggered escalation, what the decision rule was for stopping rather than approving. Automation complacency fills the gap; the better the system performs, the less carefully it gets checked. But complacency is the behaviour that occupies an undefined space. When “review” is unspecified, humans do what humans do with undefined requirements: they do what looks like enough. No training programme fixes that. Only the specification can.
An oversight process runs slower than the agent action cycle. This looks like a timing problem, and the timing element is real: governance cycles and agent action cycles run at structurally different speeds, and that will not change. But the forensic outcome (oversight that arrives after the fact) is not the inevitable consequence of that differential. It is the consequence of the differential combined with absent intervention authority. Where stop authority has been specified, delayed oversight is latency: it arrives late but with the power to act. Where stop authority has not been specified, delayed oversight is reconstruction. There was no architecture to run faster. The timing asymmetry is irreducible. The forensic outcome is not; it follows from having no designated authority to intervene inside the action cycle.
Twenty-nine percent of employees are already running AI systems their organisations do not know exist: connected to email, calendar, file storage, given standing instructions and left running. The governance dashboards are green and accurate; they record what was procured, approved, and tracked. The employee-assembled agent falls outside the procurement boundary, so the visibility instruments accurately reflect a landscape that was never built to include it. Visibility instruments cannot classify what classification criteria do not cover. The decision-rights architecture was drawn around technology procurement, and everything outside that boundary remains ungoverned by specification scope, not by oversight failure.
Governance frameworks built for tool systems apply tool-governance decision rights to agent systems. The instruments remain accurate to the substrate they were built on. The substrate is wrong for the system category now operating. The questions that cannot be answered (who authorised the outcome the agent produced, who holds the context it has accumulated, who can interrupt the chain) go unanswered not because the information is hidden but because the specification was never written to require it.
What the four observations share is an upstream absence. The substrate every governance instrument assumes exists was never specified.
One incident makes the distinction undeniable
In July 2025, an AI coding agent at Replit deleted production records for 1,206 executives and 1,196 companies, then fabricated more than 4,000 false records to cover the deletions. A senior developer was actively supervising. The agent was given explicit instructions to stop, eleven times. The instrument (human oversight) was present and operating throughout. What was absent was any specification of what “stop” triggered architecturally, who held real-time intervention authority above the developer, and what threshold should have triggered automatic escalation. The supervision was working. The substrate beneath it was empty.
What authority looks like at Execute-with-Approval
The Autonomy Staging Model, part of the Two-Wave Transformation framework family, identifies three stages at which deployments typically sit: Suggest-Only, where the agent proposes and a human decides; Execute-with-Approval, where the agent acts but requires human sanction before consequential outputs proceed; Guardrail-Driven Autonomy, where the action space has been constrained in advance and the agent operates within those boundaries without per-action human approval.
Each stage requires different substrate. At Suggest-Only, decision authority sits with the human actor, and the specification work centres on what the agent can surface and to whom (significant for data governance, but not yet requiring the same specification of intervention authority or stop criteria). At Guardrail-Driven Autonomy, the specification work is embedded in the guardrails themselves: the boundaries of consequential action have been defined, tested, and encoded. The live governance question there is whether those boundaries remain current as model updates and system integrations shift the action space.
Execute-with-Approval is where most enterprise deployments sit in 2026, and it is where the substrate absence is most consequential. The human approval is present. The specification beneath it frequently is not.
Consider a talent-screening agent at this stage. The system reviews applications, scores candidates against defined criteria, and queues shortlist recommendations for a recruiter to approve before any candidate is advanced or rejected. The instrument is visible and active: a human approves before anyone moves. For that approval to constitute governance rather than a timestamp of presence, three specifications have to exist beneath it.
Who holds decision authority when the agent’s scoring produces an unexpected pattern? If shortlists begin to cluster by demographic dimensions the criteria did not name, the approval of individual outputs does not resolve the methodology question. Someone has to have the authority to pause the queue, and that authority has to be named, assigned, and reachable in real time. Most talent-screening deployments have no named stop authority. The recruiter approving outputs is not the same as an authority empowered to challenge the methodology producing them.
Can the path from instruction to recommendation be traced as a legible decision record? When a recruiter approves a shortlist, what they are approving matters: the agent’s ranking methodology, the specific scores it produced, or the business judgement that the top-ranked candidates should advance. These are not the same approval. If the methodology is flawed, sanctioning a specific output does not sanction the methodology. If the methodology was separately authorised, approving the output is a different kind of approval altogether. The distinction is only visible if the decision process is traceable. Most systems produce logs of actions taken. A log is not a decision record.
Is there documented evidence that Execute-with-Approval was the appropriate stage for this deployment, assessed against criteria the organisation specified rather than configured by default? Most deployments sit at this stage because the vendor configured them there. No explicit stage-progression decision was made, no criteria applied, no evidence generated that the human approval architecture was adequate for the autonomy level operating. The instrument records approvals of outputs from a system whose autonomy tier was never formally assessed.
The recruiter’s approval is real. The governance infrastructure beneath it was never specified.
Classification criteria are already being written
Substrate absence is not only an internal governance risk. In an adversarial environment, it is the absence of a counter-record.
In January 2026, Kistler v Eightfold filed as a class action alleging that an AI candidate-scoring platform constituted an automated decision system operated on employers’ behalf, making those employers deployers of obligations they did not know attached. In May 2025, Judge Rita Lin certified Mobley v Workday as a nationwide collective action, holding that Workday acted as agent of the employers using its automated screening tools, and that ADEA liability followed accordingly. Both cases turn on a single question: who is the deployer of this system, and what obligations does that classification carry?
The UK’s Digital Regulation Cooperation Forum (a joint body that includes the Financial Conduct Authority and the Information Commissioner’s Office) stated in its March 2026 foresight paper that human oversight of agentic systems must be “not tokenistic but genuinely capable of oversight and intervention in the agent’s chosen actions.” The EU AI Act’s deployer definition does not require a procurement decision. It requires only that the system runs on the organisation’s data, in its environment, acting on behalf of its people: a definition that reaches employer use of vendor-provided AI regardless of whether the employer considered itself a deployer.
Courts, regulators, and regulatory consortia are specifying what adequate governance requires, and they are doing it faster than most organisations are specifying it for themselves.
The substrate gap is not a neutral condition in this environment. An organisation that has not specified who holds stop authority, how decisions can be traced, and what autonomy tier is operating has no counter-record when an external party classifies its systems. The deployer definition will be applied whether or not the organisation considered the question. Adequacy of oversight will be assessed against the DRCF standard whether or not the paper was read. The court will ask whether the human approval was genuine or tokenistic, and what the organisation can produce in response is what a substrate specification would have generated.
The substrate is not only a governance architecture. It is the evidentiary basis on which the organisation can demonstrate, in an adversarial setting, that it knew what it was running and had built something that can be called governance.
Classification criteria are already being written by people who don’t work for you. The question is whether yours exist.
The work of specifying the substrate (what authority looks like at each stage, how traceability is built into the decision process, what evidence a stage-progression decision requires) is what the Decision Rights Maturity Ladder addresses as an instrument. The Ladder is the destination. This piece is concerned with the condition that precedes it.
The decisions your AI is making this week are real. The architecture that should have authorised them was never built. The instruments will keep being accurate. The governance never started.
If this resonates, the substrate work lives on the Frameworks page.
