Who Answers When the Agent Gets It Wrong? Governing AI Agents

When an organization delegates autonomous action to AI agents, the question is no longer 'is the model good?' but 'who answers when it gets it wrong?'. Accountability, control, cost, sovereignty: the four governance fronts leaders can no longer postpone.


This article was automatically translated from French using AI. Some nuances may differ from the original.


Article 4/4 in the AI Agents series — What is an AI agent? · How to build an AI agent? (coming soon) · AI agents on the team · Who answers when the agent gets it wrong?

You know what an AI agent is, how to build one, and what it changes inside a team. What's left is the question everyone postpones: at an organization's scale, when the agent acts alone and gets it wrong, who answers for it?


In June 2026, a German court settled a question most companies were carefully avoiding: it held Google responsible for the inaccuracies of its AI-generated search summaries, treating them as statements by the company itself. Not as a third-party opinion, not as a neutral algorithmic output — as speech that commits its author.

This decision shows, by contrast, everything that agentic AI changes for an organization. As long as the AI answered, you could always treat its output as a suggestion. But when the AI acts — writes a file, sends an email, grants access, publishes content, pushes a commit — its output becomes an act, and an act commits someone.

In the three previous articles of this series, I defined the agent, showed how to build one, and described what it shifts inside a team. This final part steps up to the institutional level. Not "how do we deploy agents?", but: which chains of accountability, control, cost and sovereignty must be rebuilt around machines that act? Four fronts leaders can no longer postpone.

1. Accountability: the agent's act commits the organization

Let's start with the most uncomfortable front, because it's legal before it's technical.

The German decision isn't isolated. A few weeks earlier, a French court suspended a company's use of ChatGPT — deploying a generative AI tool without a labor-relations framework and without personal-data compliance now exposes you to a court ruling. And the clock is ticking: the first binding obligations of the European AI Act take effect on 2 August 2026. AI governance is no longer an optional best practice — it's a dated, enforceable obligation.

The principle to keep is one sentence: delegate execution, never the arbitration that commits you. An agent can draft a customer reply, prepare a transfer, screen applications, propose a fix. But behind every consequential action there must remain an identifiable person who validates, and an organization that owns it.

Concretely, this imposes three questions every executive committee should be able to answer:

  • Who validates? Which action is sensitive enough to require explicit human approval — commit, push, data deletion, outbound message, decision affecting a person?
  • Who audits? Is there a trace of what the agent did, reviewable after the fact, that distinguishes human action from machine action?
  • Who answers to the regulator? If the agent produces a harmful error, who, in the org chart, bears the responsibility?

If those three answers don't exist, the organization has already delegated more than it thinks. That's exactly the logic I pushed at the individual scale with my physical pager wired into a coding agent: decoupling the human's presence from the agent's execution, without ever losing the validation point on sensitive actions. At an organization's scale, that validation point becomes a policy, not a button.
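The "who validates?" and "who audits?" questions can be expressed as a gate in front of agent actions. The sketch below is an added example, not code from the article or from any product it mentions; the action names, `execute`, and `AuditLog` are hypothetical. It blocks sensitive actions that lack a named human approver and keeps a hash-chained trail that separates the machine actor from the human who validated.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Sensitive actions modelled on the article's list; the exact set is an assumption.
SENSITIVE_ACTIONS = {"commit", "push", "delete_data", "send_message", "decide_about_person"}

class ApprovalRequired(Exception):
    """Raised when a sensitive action has no named human approver."""

def _digest(prev: str, record: dict) -> str:
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> dict:
        # Chain each record to the previous hash so later edits are detectable.
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {**record, "prev": prev, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            record = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != _digest(prev, record):
                return False
            prev = e["hash"]
        return True

def execute(log: AuditLog, agent_id: str, action: str, target: str,
            approver: Optional[str] = None) -> dict:
    """Pass an agent action through the gate; blocked attempts are logged too."""
    record = {"actor_type": "agent", "actor": agent_id, "action": action,
              "target": target, "approved_by": approver}
    if action in SENSITIVE_ACTIONS and approver is None:
        log.append({**record, "outcome": "blocked"})
        raise ApprovalRequired(f"{action} on {target} needs a named human approver")
    return log.append({**record, "outcome": "executed"})
```
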

2. Control: governing what you can't see

The second front follows from the first. You can only hold a chain of accountability over agents you inventory. And that's precisely what's missing.

The pattern is rising fast: organizations are losing track of their own agents. A developer wires up an assistant here, a marketing team deploys a content agent there, a business unit connects an agentic workflow to a database — and nobody keeps the registry of what's running, with which access rights, on which data. This is Shadow IT, the agentic version: not unauthorized tools that humans use on the sly, but autonomous agents acting without inventory.

The response is emerging, and it's structural. The Linux Foundation is pushing an open, DNS-based standard to inventory and discover an organization's agents — the equivalent of an agent directory. On the vendor side, access governance is becoming a product: Mistral, for instance, introduced scoped API keys for its connectors, to precisely frame what an agent can touch. The watchword: you don't govern what you don't inventory.

And this control isn't only about order. It's also about security. The agent has become an attack surface in its own right, and the most telling demonstration is recent: a security firm created a fake AI agent skill that passed every security scanner tested and reached around 26,000 agents, enterprise accounts included. The payload was harmless — the lesson isn't. Agent skill marketplaces are a new supply chain, largely ungoverned. Add to that prompt-injection attacks, flaws in agent connection protocols, exfiltration through embedded assistants. Human oversight and isolation aren't comfort options: they're the conditions for an autonomous agent not to become an entry point. It's the direct extension of what I describe in my article on securing through infrastructure — and of dependency due diligence applied, this time, to agent skills and frameworks.

3. Cost: the financial governance of autonomy

The third front is the easiest to ignore until the day the invoice arrives.

An autonomous agent has a property no tool had before it: it consumes continuously. It doesn't sleep, doesn't pause, and every reasoning loop costs tokens. The most-cited case of the year became a cautionary tale for finance departments: Uber had to cap the use of its AI coding tools after burning through its AI budget in four months. Not from misuse — from use, plain and unbounded.

The paradox that traps leaders: the unit price of the token falls, but the bill rises, because consumption explodes faster than prices drop. To the point that some large companies are starting to treat the token as a balance-sheet item, to be forecast and arbitrated like any raw material. And the specialized press now states it plainly: AI faces a wall of profitability, where what is at stake is no longer adopting AI but avoiding paying for nothing.

The governance consequence is clear: the FinOps of AI must precede deployment, not follow the invoice. Concretely, that means caps per project and per team, quotas, alerts, per-agent consumption tracking, and the ability to cut a runaway loop. Deploying agents without these guardrails is replaying the worst of uncontrolled cloud costs — only faster.
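The guardrails listed above (per-team and per-agent caps, alerts, per-agent tracking, and a way to cut a runaway loop) fit in a small budget guard. This is an added example, not the article's or any vendor's code; `TokenBudget`, `run_agent_loop`, and the simulated per-step token costs are assumptions standing in for the usage figures a model API would report.

```python
from dataclasses import dataclass, field

class BudgetExceeded(Exception):
    """Raised when a charge would cross the agent's or the team's hard cap."""

@dataclass
class TokenBudget:
    team_cap: int                  # hard cap shared by all agents of one team
    agent_cap: int                 # hard cap for a single agent
    alert_ratio: float = 0.8       # alert once this share of the agent cap is used
    used: dict = field(default_factory=dict)    # agent_id -> tokens consumed
    alerts: list = field(default_factory=list)  # (agent_id, total) alert records

    def charge(self, agent_id: str, tokens: int) -> None:
        """Account for one step; refuse it if a cap would be crossed."""
        agent_total = self.used.get(agent_id, 0) + tokens
        team_total = sum(self.used.values()) + tokens
        if agent_total > self.agent_cap or team_total > self.team_cap:
            raise BudgetExceeded(f"{agent_id}: agent={agent_total} team={team_total}")
        self.used[agent_id] = agent_total
        if agent_total >= self.alert_ratio * self.agent_cap:
            self.alerts.append((agent_id, agent_total))

def run_agent_loop(budget: TokenBudget, agent_id: str, step_costs, max_steps: int = 100):
    """Drive a simulated agent loop and cut it on a cap or a step limit.

    step_costs is an iterable of token costs, one per reasoning step (constructed
    input). Returns (steps_completed, stop_reason).
    """
    steps = 0
    for cost in step_costs:
        if steps >= max_steps:
            return steps, "step_limit"      # bounds loops that are cheap but endless
        try:
            budget.charge(agent_id, cost)
        except BudgetExceeded:
            return steps, "budget_cap"      # kill switch: the loop does not continue
        steps += 1
    return steps, "finished"
```
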

4. Sovereignty: dependence as a systemic risk

The fourth front is the one you think is reserved for states, yet it catches up with every company.

The year 2026 delivered a brutal demonstration: the United States cut off access to certain frontier Anthropic models for foreign actors, before selectively reopening access to more than a hundred American organizations under government control. In the wake of this, OpenAI restricted the rollout of its GPT-5.6 model at the government's request, while warning that this kind of control should not become the norm. The message for a European leader is unambiguous: a critical capability in your value chain can be cut off by a foreign political decision, overnight, with no recourse.

Add the marketing fog: hyperscalers multiply "sovereign cloud" offers whose real content — data residency, key control, operational independence — varies enormously behind a shared vocabulary. Digital sovereignty is no longer an ideological posture: it's a business-continuity question.

The good news is that answers exist and are maturing. On the European side, self-hostable models are appearing — able to process sensitive documents without them ever leaving the company's infrastructure. The strategic question to ask isn't "which is the best model?" but: what is my plan B if my model provider disappears, raises its prices, or is cut off from me? An organization with no answer to that question has built its AI strategy on a dependency it doesn't control.

The through-line: human expertise remains the last line of defense

These four fronts share a common point, and it's the return of the thesis from the previous article: AI shifts value toward human judgment, it doesn't replace it.

The field made the point bluntly in 2026. Ford rehired its experienced engineers after finding that relying on AI alone did not produce quality vehicles — a company representative acknowledged the mistake of believing that introducing AI would suffice. And the specialized press converges: the real challenge of enterprise AI is no longer the model, but its operation — governance, integration, the domain expertise that knows when to trust the agent and when to take back control.

It's coherent: governing accountability requires someone who judges; governing control requires someone who audits; governing cost requires someone who arbitrates; governing sovereignty requires someone who decides where to place their dependencies. The four fronts lead back to the same place: the human who decides.

The real strategic question

If you lead an organization, governing agents doesn't come down to choosing a tool or ticking a compliance box. It's a mapping exercise, to be run at the institutional level, around a single question broken into four dimensions:

  • Accountability — for each deployed agent: which action requires human validation, and who answers for it?
  • Control — do we have a living inventory of our agents, their access rights, their data, and the ability to supervise them?
  • Cost — does each agent have a cap, a tracker, a kill switch?
  • Sovereignty — for each critical dependency: what is the plan B?

An organization that can answer these four questions, agent by agent, has governance. An organization that can't has already delegated more power than it imagines — to machines, to vendors, to states.

Conclusion: you don't deploy AI, you rebuild a chain of accountability

At the end of this series, the takeaway is simple. Putting agents to work isn't a technology project with a governance component. It's a governance project with a technology component.

The organizations that will succeed at the agentic AI transition won't be the ones that deployed the most agents, nor the fastest. They'll be the ones that were clear-eyed about a question that technological fascination pushes us to avoid: when the agent acts, who answers? As long as an organization can't answer it — precisely, by name, for every action that commits — it hasn't industrialized AI. It has only transferred power without transferring the responsibility that comes with it.

And that may be the real maturity of this technology: the day we stop asking what AI can do, and start deciding, soberly, what we accept that it does in our name.


End of the "AI Agents" series. A question, a disagreement, field feedback on your own deployments? Write to me at bonjour@romaindelfosse.fr.

Romain Delfosse Digital Governance & Platform Strategy