Governing the autonomous enterprise: The Agentic Scope of Authority Framework

2026-06-18 · Source: Thoughtworks Insights · Field: Legal & Regulatory — Legal Technology (LegalTech), Compliance & Risk Management, Artificial Intelligence & Machine Learning · Depth: Intermediate, medium

Summary

Thoughtworks has developed the Agentic Scope of Authority Framework, a blueprint for governing autonomous AI agents within enterprises. This framework addresses the critical challenge of defining an AI agent's legal authority, highlighted by incidents like the April 2026 San Francisco experiment where an AI agent incurred liabilities due to unclear governance. It leverages established agency law principles, focusing on the distinction between "actual authority" (explicitly granted) and "apparent authority" (what third parties reasonably perceive). The framework proposes three tiers of oversight: manual (human intent, designated principal), semi-automated (dynamic escalation, identity styling), and automated (financial constraints, contractual boundaries, failsafes). It also integrates solutions for data privacy (GDPR, CCPA, Data No-Go Zones), contractual guardrails, and explainability (XAI logging, drift reviews) to ensure agents operate safely, legally, and within defined mandates.

Key takeaway

For AI Architects and Legal Professionals deploying autonomous AI agents, you must proactively define and enforce their scope of authority to prevent significant legal and operational liabilities. Implement the Agentic Scope of Authority Framework by translating legal constraints into automated guardrail architectures within your platform engineering and CI/CD pipelines. This ensures continuous compliance, manages apparent authority, and provides essential audit trails, moving beyond static policy documents to secure, controlled agent deployments.

Key insights

Governing AI agents requires applying established agency law to define and enforce their actual and apparent authority.

Principles

• AI agents are legally viewed through the lens of representation.
• The disconnect between actual and apparent authority creates enterprise exposure.
• Accountability for AI agents requires a designated human principal.

Method

Implement governance via three tiers: manual (human intent), semi-automated (escalation, identity styling), and automated (financial, contractual, failsafe guards) enforced at the infrastructure layer.

In practice

• Enforce "Data No-Go Zones" using role-based access controls for sensitive data.
• Programmatically block forbidden contract clauses via NLP scanning engines.
• Log every agent decision with context for explainability and audit trails.

Topics

• Agentic AI
• AI Governance
• Agency Law
• Autonomous Systems
• Data Privacy
• Contractual Compliance
• Explainable AI

Best for: CTO, VP of Engineering/Data, Executive, Director of AI/ML, AI Architect, Legal Professional

Related on AIssential

• The Agentic AI Governance Stack Got Built This Year - Here Is the Part No Vendor Can Ship — The agentic AI governance infrastructure is built, but human judgment and accountability remain critical.
• From Human-Feedback Control to Declared No-Meta Agency: A Scientific Exposition — Authority migration in AI requires an executable, auditable framework, not mere self-declaration or removal of feedback.
• Financial Services Industry Shifts from AI Adoption to Governance as Autonomous Systems Proliferate, Cloud Security Alliance Survey Finds — Financial services must prioritize AI governance and visibility to manage risks as autonomous AI agents become mainstream.
• No One in the Boss’s Chair — Agentic AI systems can execute actions without traceable origin or authority, creating a "provenance failure" that distributes responsibility.
• Shadow agents: find and govern unsanctioned AI agents — Shadow agents emerge from rapid AI agent prototyping outpacing governance, creating significant enterprise risks due to lack of visibility and control.
• The DevOps guide to governing and managing agentic AI at scale — Autonomous AI agents demand integrated governance across their lifecycle to ensure reliability, security, and compliance.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Thoughtworks Insights.