The governance conversation in enterprise AI has been dominated, reasonably, by conversational AI: chatbots, writing assistants, document summarisers. The risk model for those systems is relatively contained. A user submits a prompt. A model produces a response. The governance layer classifies and logs the exchange. If the response is problematic, it is a text output that a human reads before anything else happens. The blast radius of a governance failure is, in most cases, limited to information.
Agentic AI changes that model in a way that most enterprise governance frameworks have not yet caught up with. An agentic system does not just respond. It acts. It calls APIs. It reads and writes files. It sends messages, schedules tasks, queries databases, and executes multi-step workflows where intermediate outputs become inputs to subsequent steps. The blast radius of a governance failure in an agentic context is not a text output. It is an action taken, possibly irreversibly, in the real world.
This is not a speculative concern. Agentic AI deployments are moving from pilot to production in 2026 across legal, finance, engineering, and operations functions. The governance infrastructure many of those deployments are being built on was designed for a different risk profile. That gap needs to be addressed before the incidents that will eventually close it happen at your organisation rather than someone else's.
What is actually different about agentic systems
Three structural differences separate agentic AI from conversational AI from a governance perspective. They compound: each makes the others harder to manage.
1. Actions, not just outputs
Conversational AI produces text. Agentic AI takes actions: read a calendar, send an email, update a record, commit code, query an external API, trigger a downstream process. Each action is a real-world consequence, not a draft. A conversational AI hallucination is a wrong answer a human can catch before acting on it. An agentic AI hallucination is an action already taken.
This distinction matters for every layer of the governance model. Audit trails need to record not just what the agent said but what it did. Classification needs to cover tool calls and their parameters, not just natural language. Human-in-the-loop gates need to intercept before consequential actions are executed, not after. The entire response-centric governance model needs to become an action-centric one.
2. Extended context windows and multi-step execution
A conversational exchange is typically stateless: one prompt, one response, minimal carry-over between sessions. An agentic workflow maintains context across many steps, and that context includes tool call results, external data retrieved during execution, prior step outputs, and potentially injected content from sources the agent accesses in the course of the task.
This multi-step context creates a substantially larger prompt injection attack surface. The risk is not just that a user crafts a malicious prompt at the start of a session. It is that injected instructions can enter the agent's context at any step: in a document retrieved from a file store, in an email the agent is asked to process, in a webpage it is asked to summarise, in the output of an external API call. By step four of a six-step workflow, the agent may be operating on instructions it received from a source the user never saw.
3. Tool access and permission scope
Agentic systems are granted permissions to call external tools and APIs. The breadth of that permission set is one of the most consequential governance decisions in an agentic deployment, and one of the most commonly underspecified. An agent that can read and write to a file store, send emails on a user's behalf, query a CRM, and commit to a code repository has a large and varied action surface. Any of those permissions, exploited by a prompt injection attack or an unintended instruction, can cause real damage.
OWASP's LLM Top 10 names Excessive Agency (LLM08) as one of the primary agentic AI risk categories: agents with more capability than their intended task requires [1]. An agent that needs to read documents does not need write permissions. An agent that needs to query a database does not need to execute arbitrary SQL. Least-privilege scoping is not just a security hygiene principle for agentic AI. It is a primary control.
#1
Prompt Injection in OWASP LLM Top 10 - agentic context expands attack surface
OWASP
LLM08
Excessive Agency: agents granted more permissions than tasks require
OWASP LLM Top 10
LLM07
Insecure Plugin Design: unsafe tool integration with agentic systems
OWASP LLM Top 10
2026
Year agentic AI deployments are moving from pilot to production in enterprise
Gartner, 2025
What breaks when you apply chatbot governance to agentic systems
Most enterprise AI governance frameworks were designed around the conversational model: classify the prompt, scrub the PII, log the exchange, flag the response if it crosses a threshold. That model is necessary but insufficient for agentic AI. Here is specifically where it breaks.
Input-only classification misses the action layer
Classifying the initial user prompt does not tell you what the agent will actually do. A benign-looking prompt (summarise the client's recent activity and draft a follow-up email) initiates a sequence of tool calls that may collectively touch sensitive data across multiple systems. Classification needs to operate on tool calls and their parameters, not just on the natural language input that initiated the workflow.
HITL gates designed for responses cannot intercept before actions
Human-in-the-loop review workflows built for conversational AI typically flag responses for human review before delivery to the user. In an agentic workflow, the 'response' may be the last event in a sequence. By the time a HITL gate fires on the final output, the tool calls that should have been reviewed have already executed. Agentic HITL gates need to be event-driven at the step level, not response-driven at the workflow level.
Session-bound audit logs miss multi-session state
Agentic workflows may be scheduled to run autonomously, trigger on external events, or span multiple sessions. Audit logs designed around user-initiated conversation sessions will miss autonomous execution entirely. The governance record for an agentic deployment needs to capture what the agent did, when, in what context, and on whose authority, regardless of whether a user was actively in the session when it happened.
Agentic AI in production without agentic governance is an incident waiting to happen
The governance infrastructure adequate for a conversational AI deployment (prompt logging, PII scrubbing, response classification) does not transfer to agentic systems that take real-world actions. Deploying agents with chatbot governance controls is not a defensible posture. It is a deferred risk.
What a defensible agentic governance model looks like
Agentic governance is not a wholly different discipline. It extends and adapts the conversational governance model rather than replacing it. The same principles apply: every interaction logged, sensitive data handled appropriately, human oversight where consequences warrant it. The application of those principles changes.
Govern at the tool call layer, not just the prompt layer
Every tool call is a governance event. The agent's intent, expressed as a natural language query, is one thing; the actual action it takes (which endpoint, with what parameters, on what data) is what matters for audit, classification, and control purposes. Tool call logging should capture the full call signature: tool name, parameters, return value, and any data the return value surfaces into the agent's context.
Least-privilege tool scoping
Define the minimum tool permissions required for each agent's intended task. An agent that summarises documents should have read access to the relevant document store and nothing else. An agent that manages calendar scheduling should have access to calendar APIs and not to email send, file write, or database query. Scope review should be a standing part of agent deployment approval, not a retrospective discovery.
Step-level HITL gates for consequential actions
Configure HITL gates to intercept before high-consequence tool calls are executed, not after workflow completion. Define what constitutes a consequential action for your environment (email send, record update, external API write, code commit, financial transaction) and require human approval at those steps. The gate architecture should be per-tool-call-type, not per-workflow.
Sovereign classification on tool outputs, not just inputs
Data the agent retrieves during execution (documents, database records, API responses) may carry classification levels that should determine what the agent does next. A document retrieved from a file store and classified as sensitive should trigger different downstream handling than an unclassified one. Sovereign classification applied only to initial user prompts misses the data that enters the agent's context at runtime.
Audit trails for autonomous and scheduled execution
Agents that run on a schedule or in response to external triggers need audit trails that are attributed to the schedule or trigger, not to an active user session. Scheduled execution without attribution is effectively ungoverned execution from an audit perspective: you know the agent ran, but the governance record is disconnected from the specific run.
- Log every tool call: name, parameters, return value, and any PII surfaced in the return
- Apply ARGUS-i classification to retrieved data, not just submitted data
- Require human approval before high-consequence tool calls (email send, data write, code commit, financial action)
- Scope agent tool permissions to minimum required for defined task
- Record autonomous and scheduled runs with full attribution: schedule ID, trigger source, agent identity, timestamp
- Test agents for prompt injection via tool output poisoning - not just direct instruction injection
Prompt injection in agentic systems: why it is harder
Prompt injection is harder to defend against in agentic systems for a structural reason: the attack surface is not limited to what users type. It extends to everything the agent reads. A document the agent is asked to summarise. An email thread the agent is asked to reply to. A webpage the agent is asked to research. A database record the agent is asked to process. Any of these can contain injected instructions that, if the agent treats them as legitimate directives, redirect the agent's behaviour in ways the user and the governance layer did not sanction.
MITRE ATLAS catalogs this as an indirect prompt injection attack (AML.T0051): the adversary does not interact with the model directly [2]. They plant instructions in content the model will encounter downstream. For agentic systems operating across multiple external data sources in a single workflow, indirect injection can occur at multiple points in the execution chain.
Defences are not perfect. Instruction-data separation (distinguishing between content the agent is processing and instructions the agent should follow) is a meaningful mitigation, not a complete solution [5]. Governance controls should be designed assuming injection will occur and focused on limiting what an injected instruction can cause: scoped tool permissions, HITL gates on consequential actions, and anomaly detection on tool call patterns that deviate from the agent's defined task.
OBEL's agentic governance model was built for this
OBEL Agentic Foundry applies the same ARGUS-i classification pipeline, PII scrubbing, and HITL gate architecture to every step of every agent workflow - not just the initial prompt. Tool calls are logged with full parameter capture. Scheduled runs are attributed to schedule context. Step-level approval gates intercept before consequential actions. The governance model is designed for what agentic AI actually does, not for what conversational AI does.
The governance maturity question for 2026
Organisations piloting agentic AI in 2026 face a governance maturity question that most have not fully resolved: what does a sufficient governance posture for agentic deployment look like, and are we there yet? The instinct to deploy first and govern later is understandable and consistent with how enterprise technology adoption has always worked. It is also more costly in the agentic context than it was for previous technology transitions, because the thing being deployed can take real-world actions.
The governance baseline that makes conversational AI defensible (logs, classification, scrubbing, HITL) is the foundation for agentic governance, not the ceiling. Extending that foundation to the tool call layer, to autonomous execution, and to least-privilege permission scoping is the work that separates a defensible agentic deployment from an incident deferred. NIST AI RMF's Govern and Map functions explicitly address this extension for action-taking AI systems [4].
References
- [1]OWASP - "Top 10 for Large Language Model Applications" (2025 Edition) - LLM01 Prompt Injection, LLM07 Insecure Plugin Design, LLM08 Excessive Agency
- [2]MITRE ATLAS - "Adversarial Threat Landscape for Artificial Intelligence Systems" - AML.T0051 LLM Prompt Injection
- [3]Gartner - "Emerging Technologies: AI Agents in Enterprise Workflows" (2025) - gated research note
- [4]NIST - "Artificial Intelligence Risk Management Framework (AI RMF 1.0)" - Govern and Map functions
- [5]Simon Willison - "Prompt injection explained" (2023, updated 2025)
More in Intelligence Brief