An essay on policy
AI Agent Governance: Treat the Agent Like an Employee
An AI agent without identity, role, access, audit, performance, and a manager is not autonomous. It is unsupervised. The fix is six primitives and a kill switch.

An enterprise would never let a human employee through the door without an identification badge, an access list, and a manager. The same enterprise is deploying Artificial Intelligence (AI) agents with none of those and calling it autonomy. The playbook the enterprise already uses for people works on the agent, too.

Short answer

How should I govern an AI agent inside my organization?

AI agent governance starts with treating the agent like an employee. Identification, scope, audit trail, kill switch, manager, performance review. Six primitives the human resources playbook already names. The agent is a new kind of worker, not a new kind of software.

An agent without an identification badge

An enterprise would never let a human employee through the front door without an identification badge. Without a job description. Without an access list. Without a manager.

The same enterprise is deploying AI agents with none of those and calling it autonomy.

The most public failure mode is already on the record. A production database deleted in nine seconds. No human in the loop. No identity to point at after the fact. No access list that would have blocked the action. No audit log that captured the decision. No kill switch reachable in time to stop it.

This is what unsupervised access looks like, not autonomy.

Figure: a human employee surrounded by six governance primitives (identity, role, access, audit, performance, manager), contrasted with an AI agent surrounded by none of them. Employee on the left. Agent on the right. The primitives the enterprise applies to the employee, the enterprise has skipped for the agent.

The reader is a chief information officer with an agent roadmap and a board that wants to know it is safe. The reader is a chief security officer staring at an incident report. The reader is an operator at any company trying to put an agent into a real workflow without losing sleep at three in the morning.

The mistake is a category error. Autonomy is what you give a worker who has been onboarded, badged, supervised, and tested. Unsupervised access is what happens when you skip the onboarding and call the result autonomy.

Deploying an agent without governance is like handing a stranger the keys to the building and asking them to lock up at night. The trust looks like efficiency on the way in. The trust looks like a deposition on the way out.

The fix is not exotic. The fix is the playbook the enterprise has been refining for a hundred years on human employees. The next section names the six pieces of that playbook.

Six primitives from the employee playbook

Identity. Role. Access. Audit. Performance. Manager.

Six primitives the enterprise already uses to govern every human employee. Apply them to the agent and the agent is governed. Skip any one and the governance has a hole the size of that primitive.

Figure: an AI agent at the center, surrounded by six labeled boxes (identity, role, access, audit, performance, manager), each connected to the agent with an arrow. Six primitives. Six decisions. Apply them to every agent on the roadmap or carry the hole the missing primitive leaves.

Identity is the badge. Every agent has a unique identifier the rest of the system can reference. The audit log records who did what. Without an identifier, the audit log records “the system” and the security team cannot point at anything.

Role is the job description. The agent is a service-desk specialist, not a general-purpose worker. The role defines what the agent is allowed to attempt and what it is not. A general-purpose agent is a new hire who answers any question and is qualified for none of them.

Access is the key card. The agent can read this set of records, write to that one, and touch nothing else. The same principle applied to human employees on day one. The agent gets the same.

Audit is the log. Every action the agent takes writes to a single place the security team can search. The audit log answers the questions “what did the agent do, when, on whose behalf, with what result.” Without the log, the answer is a shrug.

Performance is the review. The agent’s outputs are measured against a standard. Did the customer’s ticket close? Did the answer match the source of truth? Was the action reversed by a human within twenty-four hours? The numbers go into a report the way they would for any employee.

Manager is the human accountable for the agent. Every agent has one. The manager owns the agent’s performance, approves changes to the agent’s role and access, and is the first person the security team calls when something goes wrong. An agent without a manager is an agent without an owner.

The six primitives are not new. The six primitives are what the enterprise already does for people. The work is to apply them to agents with the same discipline.

An organization without a manager for every worker is like a kitchen with no head cook on a Friday night. Every cook is doing the right thing. None of them are pointed at the same plate. The plate goes out wrong.

The kill switch is the one feature that matters most

Alongside the six primitives, the kill switch is the one feature that, in practice, separates governed from ungoverned.

One button. Remove all permissions. Deactivate the agent. Open a security incident. Draft the notification to the stakeholders who need to know.

The kill switch is not the same as a hard delete. The kill switch is a controlled stop. The audit log keeps every record of every action the agent took before the stop. The identity is preserved so the postmortem can attribute the actions correctly. The role and access settings are frozen so the security team can study them. The manager is paged.

The kill switch is the test of whether the rest of the governance was real. A control plane that cannot stop the agent in under a minute is not a control plane. It is a dashboard.

The threat model the kill switch is built for is prompt injection. A malicious instruction sneaks into a document the agent reads or a tool the agent calls. The instruction tells the agent to behave outside its role. The agent, treating the malicious instruction as a legitimate request, complies.

Prompt injection is the insider threat of agent operations. The fix is the same fix the enterprise has used for human insider threats for decades. Identity. Role. Access. Audit. Performance. Manager. Plus the ability to revoke all six in a single action.

A fire extinguisher in a locked closet is like a kill switch nobody can reach. The extinguisher looks like safety on the floor plan. The extinguisher is decoration on the day of the fire.

The kill switch needs to be reachable. By a named human. From a named console. In under sixty seconds. With a single confirmation. No password reset chain. No multi-step approval. No paging through ten tabs of vendor portals.

Rollback after a kill switch is harder than the kill switch itself. The actions the agent took before the stop may have to be undone manually, one at a time, through the same systems the agent touched. The kill switch buys time. The rollback uses it.

The agent that ships without a working kill switch is the agent the security team will spend the next year explaining to the board.
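
A minimal sketch of the controlled stop described in this section, added here as an illustration and not taken from the essay or from any product. It models identity, role, access, audit, and manager on one record, then shows the kill switch revoking access while preserving the identity, the audit trail, and a frozen copy of the grants; all names (`Agent`, `authorize`, `kill_switch`, the in-memory `AUDIT`, `INCIDENTS`, and `PAGES` lists, and the sample agent) are assumptions.

```python
# Added illustration; every name and sample value here is hypothetical.
from dataclasses import dataclass
from datetime import datetime, timezone

AUDIT = []      # audit: one searchable, append-only log
INCIDENTS = []  # security incidents opened by the kill switch
PAGES = []      # pages sent to the accountable manager

@dataclass
class Agent:
    agent_id: str            # identity: the badge
    role: str                # role: the job description
    grants: frozenset        # access: allowed (action, resource) pairs
    manager: str             # manager: the accountable human
    active: bool = True
    frozen_grants: frozenset = frozenset()  # snapshot kept for the postmortem

def _log(agent, action, resource, on_behalf_of, result):
    AUDIT.append({"ts": datetime.now(timezone.utc).isoformat(),
                  "agent": agent.agent_id, "role": agent.role, "action": action,
                  "resource": resource, "on_behalf_of": on_behalf_of, "result": result})

def authorize(agent, action, resource, on_behalf_of):
    """Default-deny check; every decision is attributed to the agent's identity."""
    allowed = agent.active and (action, resource) in agent.grants
    _log(agent, action, resource, on_behalf_of, "allowed" if allowed else "denied")
    return allowed

def kill_switch(agent, operator, confirmed):
    """Controlled stop: a single confirmation, and nothing is deleted."""
    if not confirmed:
        return None
    agent.frozen_grants = agent.grants   # freeze access settings for study
    agent.grants = frozenset()           # remove all permissions
    agent.active = False                 # deactivate; identity and audit log remain
    incident = {"id": len(INCIDENTS) + 1, "agent": agent.agent_id,
                "opened_by": operator, "evidence": agent.frozen_grants,
                "draft_notice": f"Agent {agent.agent_id} ({agent.role}) stopped by {operator}."}
    INCIDENTS.append(incident)           # open the incident with a drafted notice
    PAGES.append(agent.manager)          # page the manager
    _log(agent, "kill_switch", agent.agent_id, operator, "stopped")
    return incident

def demo():
    # Constructed sample agent and requests.
    bot = Agent("agent-0042", "service-desk specialist",
                frozenset({("read", "tickets"), ("write", "tickets")}), "j.doe")
    before = [authorize(bot, "write", "tickets", "cust-17"),
              authorize(bot, "delete", "prod-db", "cust-17")]  # outside the role: denied
    incident = kill_switch(bot, operator="soc-oncall", confirmed=True)
    after = authorize(bot, "read", "tickets", "cust-18")        # denied after the stop
    return before, incident, after, bot
```

The denied request after the stop still lands in the audit log under the same agent identifier, which is what lets a postmortem attribute actions on both sides of the stop.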

Agents are arriving. The choice is the shape

The labor force is shrinking. The agents are arriving. The choice is the shape of their arrival.

Governed or chaotic. Both shapes are real. Both shapes are already in production at different companies in the same industry this week.

The enterprises that govern get the productivity gains the technology actually promises. The work the agent does shows up on a dashboard. The cost shows up on the same dashboard. The board can read both numbers and make a decision.

The enterprises that do not govern get the failure modes the headlines describe. The deleted database. The leaked record. The action nobody can attribute and nobody can undo. The board hears about the failure from a journalist before the chief information officer can write the memo.

The analogy between human employees and AI agents has limits. An agent does not need a salary. An agent does not need a parking space. An agent does not get tired and an agent does not get sick. The differences are real and the post is not denying them.

The similarities are the part that pays. Identity, role, access, audit, performance, and manager are the primitives that make any worker, human or otherwise, accountable to the enterprise. The differences between an agent and a human do not eliminate the need for the primitives. The differences change the implementation, not the requirement.

The household that hires a contractor to remodel the kitchen does not assume the contractor will be fine without a contract. The household signs the contract, names the work, sets the price, and asks for the references.

The same household, scaled up to enterprise size, is the playbook for agents. The contract is the role. The references are the audit log. The price is the cost dashboard. The signature is the manager’s accountability.

The reader who applies the six primitives to every agent on the roadmap is the reader whose agents land governed. The reader who deploys an agent without one of the six is the reader whose agent will eventually show up in a postmortem.

Autonomy is the right supervision applied consistently. The post is the supervision spelled out.

Six primitives. One kill switch. A practice that already works for people. The enterprise that applies the six to every agent on the roadmap ships agents that earn the word autonomous. The enterprise that skips one ships agents that earn a different word in a different memo. The playbook is already on the shelf and the work is to take it down.

Source

The argument draws on Bill McDermott’s Knowledge 2026 keynote, with Amit Zavi, Holly, Amy, and Jensen Huang, Las Vegas, May 2025.

Questions readers ask

Six questions on this essay.

01 What does it mean to govern an AI agent like an employee?

It means applying the six governance primitives the enterprise already applies to every human worker: identity, role, access, audit, performance, and manager. Identity gives the agent a unique identifier the rest of the system can reference. Role defines what the agent is allowed to attempt. Access controls which records and systems the agent can touch. Audit logs every action to a single searchable place. Performance measures the agent's outputs against a standard. Manager names the human accountable for the agent's behavior. The six primitives are not exotic. The enterprise has been refining them on human employees for a hundred years. The work is to apply them to agents with the same discipline. Skip any one and the governance has a hole the size of that primitive. The hole is what the security team will eventually have to fill in a postmortem.

02 What is the difference between an autonomous agent and an unsupervised agent?

Autonomy is what you grant a worker who has been onboarded, badged, supervised, and tested over time. Unsupervised access is what happens when the enterprise skips the onboarding and calls the result autonomy. The distinction is the central category error in agent deployments today. A production database deleted in nine seconds by an agent with no identity, no access list, no audit log, and no kill switch is not an example of autonomy at work. It is an example of unsupervised access at the speed of software. The fix is to apply the six governance primitives the enterprise already uses for human employees. Real autonomy is the result of governance applied consistently, not the absence of governance. The agent that earns autonomy is the agent the manager can name, the audit log can attribute, and the kill switch can reach.

03 What is the kill switch and why does it matter most?

The kill switch is one button that removes all permissions, deactivates the agent, opens a security incident, and drafts the notification to the stakeholders. It is the test of whether the rest of the governance was real. A control plane that cannot stop the agent in under a minute is not a control plane. It is a dashboard. The kill switch matters most because it is the feature whose absence proves the agent is not governed. Every other primitive can be partially in place and the agent can still operate safely most of the time. Without a working kill switch, the day the agent goes wrong is the day the enterprise discovers it had no way to stop the agent. The kill switch needs to be reachable by a named human from a named console in under sixty seconds with a single confirmation.

04 What is prompt injection and why is it an insider threat?

Prompt injection is a malicious instruction that sneaks into a document the agent reads or a tool the agent calls. The instruction tells the agent to behave outside its role. The agent, treating the malicious instruction as a legitimate request, complies. The agent has no way to tell the difference between a real instruction from its manager and a forged instruction from a document a stranger sent. Prompt injection is the insider threat of agent operations. The fix is the same fix the enterprise has used for human insider threats for decades. Identity to know who is asking. Role to define what the agent is allowed to do. Access to limit what the agent can touch. Audit to record every action. Performance to catch anomalies. Manager to be paged. Plus the kill switch to revoke all six in a single action.

05 How does the employee playbook for agents compare to traditional security?

It reuses the enterprise's existing identity and access management muscle and applies it to a new category of worker. Traditional security treats every worker as a human and treats every system as an integration. The employee playbook for agents treats the agent as a worker with an identifier, a role, a set of permissions, and a manager. The audit log is the same audit log. The identity provider is the same identity provider. The performance dashboard is the same performance dashboard. The work is to extend the existing systems to recognize agents as a category of identity, not to build a new control plane from scratch. The enterprises that succeed at agent governance are the ones whose security and operations teams collaborate to apply the existing playbook to the new worker.

06 What happens to enterprises that deploy agents without governance?

They get the failure modes the headlines describe. The deleted database. The leaked record. The action nobody can attribute and nobody can undo. The board hears about the failure from a journalist before the chief information officer can write the memo. The legal team starts the discovery process. The customers start the cancellation calls. The cost of the failure exceeds the cost of the governance many times over. The agents that ship without governance also ship without a way to measure their value, because the same controls that catch failures also produce the audit and performance data the board needs to evaluate the agent's contribution. The choice is not between governance and speed. The choice is between governance that ships on day one and governance that ships after the first incident makes governance non-negotiable.

About the author
Hanh D. Brown, writer.

Essayist writing on craft, voice, aging, and what gets harder to say with the years. Twenty years building AI systems for life-stage decisions. Now writing the publication that has the time to ask why.
