Employers warned against a uniform approach to AI governance
Governance failures will lead to the demotion and decommissioning of AI agents in 40% of enterprises, Gartner has warned, as it underscored the importance of implementing a "proportional governance approach" on the technology.
Gartner is arguing that failures in the deployment of AI agents stem from the application of uniform governance to the technology, regardless of its autonomy level and scope.
"Enterprises are treating AI agent governance as binary, either locked down or fully trusted, and that is the root cause of failure," said Shiva Varma, senior director analyst at Gartner.
Agents operate at different autonomy levels and across different trust boundaries, according to the senior director analyst.
"When the same controls are applied indiscriminately, organisations encounter two common failure modes: over-restriction of simple agents, which slows delivery and drives shadow development, or under-restriction of more autonomous agents, which increases operational, security and compliance risk," he added.
'Proportional governance approach' needed
Gartner advised the application of a "proportional governance approach" in order to reduce the risk of failures in AI agent adoption.
Under this approach, AI agents are classified across distinct autonomy levels, with each level representing a different trust boundary and corresponding governance requirements.
The first autonomy level is Observe, where agents are limited to read-only access to defined data sources. Outputs of these agents are also visible only to the requesting user.
Common uses include document summarisation, data or knowledge retrieval, and code explanation, according to Gartner.
"At this level, governance should focus on baseline controls such as scoped data access, user authentication, usage logging, and basic functional and security testing," Varma said.
"Because risk is limited primarily to data exposure and output accuracy, controls should remain lightweight and targeted."
The second autonomy level is Advise, according to Gartner, which described them as AI agents that are able to generate recommendations, drafts, or proposed actions.
"Governance for advise agents should include all Level 1 controls and extend to addressing output quality and decision influence through accuracy and hallucination testing, domain-specific quality evaluations, and user training on appropriate reliance levels," Varma said.
The third level of autonomy is Act with Approval, where agents can now execute actions such as writing data, sending communications, or modifying configurations.
However, this only comes after explicit human approval for every action, according to Gartner.
"At this level, human review is effective only if it remains a meaningful control," Varma said.
"Without strong security testing, clear approval workflows with audit trails, and agent‑specific incident response procedures, approvals can degrade under time pressure or approval fatigue, creating a false sense of safety while expanding the attack surface."
Meanwhile, the highest level of autonomy sees agents executing actions within defined guardrails, and humans only reviewing exceptions instead of all individual decisions.
Varma said this level requires the "most rigorous governance."
"Because accountability for outcomes remains with the organisation, this level requires the most rigorous governance, including continuous monitoring, enforced guardrails, rapid rollback mechanisms, circuit breakers that halt agent operation on threshold violations and clear ownership for agent behaviour," he said.
