Your AI Just Started Making Decisions. Who Told It To?

This is part 2 of a series on AI strategy governance.

There are two shifts happening in enterprise AI.

The first one — the move from experimentation to deployment — got all the attention. Every conference, every board meeting, every vendor pitch for the last three years has been about that shift. It's settled. AI is operational. Congratulations.

The second shift is the one nobody in the boardroom is ready for.

AI is no longer a tool inside your workflows. It is becoming an actor within them. Agents plan. Agents decide. Agents act. And increasingly, they do so without waiting for anyone to tell them what to do.

This is not a technology upgrade. This is a change in the nature of what you're governing. And the uncomfortable truth is that most organizations are adopting agentic AI with governance models designed for spreadsheets.

What an Agent Actually Is

Let's be precise, because the language matters.

An AI agent is not a chatbot with better prompts. Google's recently published reference architecture for agent systems makes the engineering explicit: agents are composite systems that combine reasoning models, tool access, persistent memory, orchestration layers, security controls, and observability infrastructure. They interpret goals. They choose actions. They invoke tools, observe outcomes, and adapt — in loops, without continuous human instruction.

This is not speculative architecture. It is being formalized, standardized, and deployed right now, at scale, by the companies building the infrastructure your organization depends on.

And here's what changes when you deploy an agent instead of a tool. A tool does what you tell it. An agent does what it interprets you meant. The gap between those two things is where your next crisis lives.

The System Problem

SURF — the collaborative ICT organization for Dutch education and research — published its Tech Trends 2026 report with a framing that most enterprise strategists haven't absorbed yet. AI is not a standalone innovation. It is a system technology. One that permeates computing layers, data infrastructure, security models, organizational operations, and institutional autonomy simultaneously.

This distinction matters enormously, because system technologies do not fail locally. They fail structurally.

When your AI was a tool — a summarizer, a classifier, a recommendation engine — failure was contained. The tool gave a bad output. Someone caught it. You fixed it. The blast radius was small.

When your AI is a system technology acting through agents, failure propagates. An agent makes a decision based on data from one system, triggers an action in another, and produces an outcome that no single person designed, approved, or — critically — can fully trace back to its origin. The failure doesn't look like a wrong answer. It looks like a quarter where the numbers don't add up and nobody can explain why.

This is not a hypothetical. This is the operational reality that every organization deploying agentic workflows is walking toward. Most of them just don't know it yet, because the agents are still small and the loops are still short. Give it eighteen months.

The Illusion of Control

Most organizations believe they are in control of their AI because they can point to artifacts. We have a platform. We have a model strategy. We have a governance framework. We have a roadmap.

None of these are control. They are intentions about control.

Control, in an agentic context, means something very specific. It means you can detect when an agent's behavior deviates from its intended purpose — not after the fact, not in a quarterly review, but in real time. It means you have instrumentation, telemetry, continuous evaluation, and human feedback loops that actually function under operational pressure. Google's agent architecture literature is explicit about this: Agent Ops is not optional overhead. It is the mechanism that makes agentic deployment governable at all.

Now ask yourself honestly: does your organization have that? Not on the roadmap. Not in the proposal. Right now. Today.

Because here's what happens without it. Agents operate. Outcomes emerge. Some are good, some are ambiguous, some are quietly wrong. But because the system is complex and the agents are acting autonomously, the bad signals don't surface through normal channels. They get filtered. They get rationalized. They get absorbed into the organizational narrative of progress — because momentum exists, investment is visible, and nobody wants to be the person who says "I'm not sure we know what our own systems are doing."

This is not a technical gap. It is an organizational one. And it is the most dangerous kind, because it feels like competence.

The Accountability Void

Enterprise architecture has actually anticipated this problem for longer than the AI discourse suggests. The Open Group's IT4IT standard — now in its third major version — makes one principle central: digital systems must be managed across their entire lifecycle, from evaluation and exploration through integration, operation, and consumption. With clear ownership. With contracts. With feedback loops. Agentic AI stresses every weak seam in that lifecycle.

Who owns an agent's decisions when the agent was designed by engineering, trained on data managed by analytics, deployed by IT, and acts on processes owned by operations? Who is accountable when two agents interact and produce an outcome that neither was individually designed to create? Where is the evidence captured — not in a log file that nobody reads, but in a form that can withstand regulatory scrutiny?

And here is the question that should concern boards most directly: how do you escalate a risk when the system's behavior hasn't technically failed — it has merely drifted? When the agent is still operating within its parameters, still producing outputs, still looking functional — but the gap between what it's doing and what you think it's doing is widening, invisibly, every day?

Without explicit answers to these questions, organizations drift into what looks like progress but behaves like accumulated exposure. Every day the agent runs without incident feels like validation. It isn't. It's just a day where the deviation hasn't become visible yet.

What Agentic AI Actually Demands

The sources converge on a conclusion that most organizations are not yet willing to hear.

Agentic AI does not need better strategy decks. It needs a fundamentally different relationship between the organization and its own assumptions.

In a tool-based world, you could get away with implicit assumptions. The tool was bounded. The human was in the loop. The worst case was a bad output that someone caught.

In an agentic world, implicit assumptions become systemic vulnerabilities. Because the agent acts on them. At speed. At scale. Without checking.

This demands three capabilities that almost no organization has operationalized.

1. First: assumption transparency. Every agentic deployment encodes assumptions — about data quality, about user behavior, about process stability, about what "good" looks like. These assumptions must be made explicit, documented, and testable. Not as a compliance exercise. As a survival mechanism. Because the agent will optimize for whatever reality it perceives, and if that perception is wrong, it will optimize in the wrong direction with perfect confidence.

2. Second: deviation detection. Not error detection — deviation detection. Errors are obvious. Deviations are subtle. The agent produces reasonable-looking outputs that are slightly misaligned with intent, and nobody notices because the output is plausible and the system is complex. By the time the deviation is large enough to trigger an alarm, the damage is structural. You need instrumentation that catches drift, not just failure.

3. Third: adversarial stress testing. Not once. Not annually. Continuously. Because agentic systems interact with changing data, changing environments, and — increasingly — other agents. The conditions under which your agent was validated last month may not be the conditions it's operating in today. If you're not testing against realistic failure scenarios on an ongoing basis, you're relying on the assumption that nothing important has changed. In an agentic world, that assumption is almost always wrong.

Why Strategic Red Teaming

This is the work that Strategic Red Teaming was built for.

Not a compliance audit that checks boxes. Not a risk register that catalogs concerns. A structured, adversarial confrontation between what your organization believes about its AI systems and what those systems are actually doing.

At Apparens, we apply Strategic Red Teaming as an operating discipline — purpose-built for the reality that agentic AI creates. Every assumption is surfaced. Every hypothesis is stress-tested across technology, data, people, governance, and external constraints. Every agent-enabled initiative is examined not just for what it promises, but for what it quietly depends on.

Tens of thousands of scenarios. Hundreds of hypotheses. A diagnostic that goes deeper than any dashboard, any internal review, any governance framework designed for a world where AI waited for instructions.

The output is not certainty. No strategy has that.

The output is clarity. What is evidence-backed. What is still belief. Where control is real. And where it is theater.

Your AI just started making decisions.

The question is whether you decided to let it — or whether it decided for you.

Sources

• Blount, A., Gulli, A., Saboo, S., Zimmermann, M. & Vuskovic, V. (2025). Introduction to Agents and Agent Architectures. Google.

• SURF (2026). SURF Tech Trends 2026.

• The Open Group (2024). IT4IT™ Reference Architecture, Version 3.0.1.