IMHO: Agentic AI – when governance is the guardrail

Nagaja Sanatkumar CMInstD

AI is moving quickly – and not always in a straight line. The rise of agentic AI marks a shift both in what systems do and how they decide.

That changes the nature of oversight. These aren’t just tools that execute tasks when asked. We’re dealing with AI systems that can break down complex objectives, sequence decisions, interact across platforms, learn from results – and improve themselves. These agents are starting to function more like junior executives than digital assistants.

The risk, of course, is they’re doing it at machine speed, and at scale.

The more autonomy we give agentic AI, the faster things can go wrong – and the faster small failures can compound. When that happens, traditional controls may not be fast enough. This forces boards to think about delivering on their governance responsibilities and fiduciary duties differently. If agents operate in ways that can cause material impact, the question isn’t whether we should have trusted the AI – it’s whether we’ve governed it properly.

That doesn’t mean directors need to understand every technical detail. What matters is understanding the implications – and the boundaries – of the organisation’s choices. Most boards now have a broad sense of what AI can do. But there’s still a gap in understanding where it fits best, how to manage the risks, and what to look out for as things move quickly.

Agentic AI is a significant evolution beyond traditional AI. Boards may have already seen generative AI rolled out in small ways – Copilot, content creation support, basic automation. What comes next is a natural progression: more capability, more complexity.

But it’s not always tied back to broader strategy. In many organisations, it’s happening in pockets, led by enthusiastic teams, with the board looped in later – or not at all.

The better question for boards isn’t “What’s our AI strategy?” but “How does this align with our organisational purpose?” If AI is just a tech initiative, the discussion stays tactical. But if it’s tied to how you serve customers or stay competitive, it becomes a governance conversation, under a wider lens of corporate strategy and organisational readiness.

That applies to people, too. I don’t think AI fundamentally changes workforce planning – not in principle. Like any major technology investment, you start with strategy, then consider the capabilities needed now and in the future. What’s different is the speed. AI is advancing faster than traditional workforce planning cycles, and skill sets are shifting in real time.

In New Zealand, we’re often a step removed from where these new competencies are developed. That makes it harder to access the right skills – and harder to know what skills we’ll need in five years’ time.

Another complexity is the interaction between agentic AI and decentralised structures such as Decentralised Autonomous Organisations (DAOs). These use smart contracts and token-based voting to operate without central leadership. If you combine that with agentic AI – giving it tokens and decision rights – you’re handing over control to a system without human safeguards. You’re in the passenger’s seat, hoping the car doesn’t drive off a cliff.

It’s a useful metaphor for what can happen in any organisation, not just a DAO. The more autonomy you allow, the more important it is to know what agents are doing, what data they use, and how feedback loops operate. That’s where governance matters – as the safety net, not the handbrake.

The best examples I’ve seen don’t rush into full automation. They start with honest assessments of data quality and data governance, build confidence and trust through iteration, and choose tasks that make sense. Often that starts in areas such as customer service – where queries are repeatable and risks manageable – and expands into more complex areas, with humans still involved.

Other good examples include software development, where agents write and test code with oversight, or healthcare, where administrative agents support staff without making clinical decisions. These are practical, incremental uses – not grand AI strategies.

Where things go wrong is when agents operate without ethical guardrails. A privacy breach, a poor recommendation, an unexplainable decision – that’s when customer and reputational damage kick in. And because these systems scale quickly, failures can spread rapidly. They’re hard to recover from.

This brings us back to the board’s role. If you’re going to support agentic AI – and most organisations will – then governance needs to evolve, too. That might mean a dedicated risk and technology committee, elevating AI risks beyond traditional audit and risk forums, monitoring new lead and lag indicators of activity, reviewing vendor relationships, security and privacy exposure, and architectural and integration dependencies with existing systems.

The key is to treat AI as an enabler – but never outside the organisation’s ethics, strategy and risk appetite.

If there’s one thing I wish more boards would ask, it’s this:

Are we doing this for the sake of the technology or for the sake of our customers?

That question cuts through complexity quickly. 

Nagaja Sanatkumar CMInstD has more than 25 years’ global executive and leadership experience, including senior roles at Amazon and Expedia. She is a director on the boards of Meridian Energy, ANZ Bank New Zealand, Southern Cross Medical Care Society, Southern Cross Healthcare and Tuatahi First Fibre Ltd.