As AI agents gain the power to invoke tools, install software, and coordinate with other agents across your organisation, the policy engines businesses rely on to enforce rules are dangerously out of date — and a new research paper explains exactly why.
The AI Agent Governance Crisis in Plain English
Most enterprise authorization systems answer one question: "Is this action permitted or not?" That binary decision worked for traditional software, where a request arrives, is allowed or denied, and the story ends. It breaks down for an AI agent that chains dozens of tool calls together under rules of the form "you may do this, but you must then notify someone", "this prohibition can be set aside under these conditions", or "when two policies conflict, this one wins".
A paper posted to arXiv proposes a framework called AgenticRei, built on what it calls deontic policies (deontic logic is the logic of obligation, permission and prohibition). These rules go beyond permit/prohibit to encode obligations ("you must notify the CISO after this action"), dispensations ("this rule can be waived under these conditions"), and conflict resolution ("when Policy A and Policy B clash, here's what wins"). The policy engine runs entirely outside the LLM: the model's prompt can be talked into asking for something, but not into being allowed it, so a prompt-injected instruction changes what the agent requests and not what the engine grants. That guarantee only holds if every tool call is routed through the engine; a tool the agent can reach directly is a tool the engine never sees.
Why Current AI Agent Regulation Tools Are Falling Short
The paper calls out three widely used policy engines by name, XACML, Rego (the language of Open Policy Agent), and Cedar (AWS's policy language), and argues that all three handle only the permit/prohibit slice of governance. In fairness, XACML does define obligation and advice elements and uses combining algorithms such as deny-overrides to settle conflicting rules, but an XACML obligation is simply handed to the enforcement point along with the decision; nothing in the engine records whether it was later discharged, and neither Rego nor Cedar offers even that much out of the box. That is the gap the paper means by obligation lifecycle management: what happens after an agent acts, not just whether it was allowed to act in the first place.
This is not a theoretical gap. In healthcare, finance, and cybersecurity, exactly the sectors rushing to deploy agentic AI, compliance frameworks like HIPAA and GDPR are built on obligations and conditional waivers, not simple access control lists. An agent that can book a meeting, query a patient record, and call an external API in a single workflow needs a governance layer that matches that complexity.
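To make the deontic model concrete, here is a small policy engine of the kind the paper describes: permit/prohibit rules plus obligations with deadlines, dispensations (waivers) that set a prohibition aside under a stated condition, explicit conflict resolution, and an obligation ledger that lives outside the agent. It also shows the lifecycle point raised above: an agent whose obligations fall overdue is refused further actions until they are discharged. This is an added example written for this article, not AgenticRei's code or API; the rule names, duties, request shape and the clinical scenario are all constructed for illustration.

```python
"""Added example: a minimal deontic policy engine evaluated outside the agent.
Rule names, duties and the request shape are constructed, not AgenticRei's API."""
from dataclasses import dataclass, field
from typing import Callable, Optional

Request = dict  # assumed shape: {"actor", "action", "resource", "context": {...}}


@dataclass
class Rule:
    name: str
    effect: str                                   # "permit" or "prohibit"
    applies: Callable[[Request], bool]
    priority: int = 0                             # higher priority wins a conflict
    obligations: list = field(default_factory=list)     # [(duty, steps_allowed)]
    waiver: Optional[Callable[[Request], bool]] = None  # dispensation condition


@dataclass
class Obligation:
    rule: str
    duty: str
    actor: str
    due_step: int
    done: bool = False


@dataclass
class Decision:
    effect: str
    rule: Optional[str] = None
    obligations: list = field(default_factory=list)
    waived: list = field(default_factory=list)
    reason: str = ""


class DeonticEngine:
    """Rules and obligation ledger live here; the agent only ever sees a Decision."""

    def __init__(self, rules):
        self.rules = rules
        self.ledger = []   # obligation lifecycle: pending -> done / overdue
        self.step = 0      # logical clock advanced by the tool gateway, not the agent

    def overdue(self, actor=None):
        return [o for o in self.ledger if not o.done and o.due_step < self.step
                and (actor is None or o.actor == actor)]

    def decide(self, req):
        # Lifecycle enforcement: an actor with unmet, overdue duties gets nothing new.
        if self.overdue(req["actor"]):
            return Decision("prohibit", reason="overdue-obligations")
        waived = [r.name for r in self.rules
                  if r.applies(req) and r.waiver and r.waiver(req)]
        matched = [r for r in self.rules if r.applies(req) and r.name not in waived]
        if not matched:                       # default deny
            return Decision("prohibit", reason="no-matching-rule", waived=waived)
        # Conflict resolution: highest priority tier, then prohibit overrides permit.
        top = max(r.priority for r in matched)
        tier = [r for r in matched if r.priority == top]
        winner = next((r for r in tier if r.effect == "prohibit"), tier[0])
        if winner.effect == "prohibit":
            return Decision("prohibit", winner.name, waived=waived, reason="rule")
        # Obligations are recorded in the ledger, not handed to the agent to remember.
        new = [Obligation(winner.name, duty, req["actor"], self.step + within)
               for duty, within in winner.obligations]
        self.ledger.extend(new)
        return Decision("permit", winner.name, new, waived, "rule")

    def fulfil(self, duty, actor):
        """Called by whatever discharges the duty (e.g. the notification service)."""
        for o in self.ledger:
            if o.duty == duty and o.actor == actor and not o.done:
                o.done = True
                return True
        return False

    def tick(self, n=1):
        self.step += n


def build_engine():
    """Constructed rule set loosely modelled on a clinical workflow."""
    return DeonticEngine([
        Rule("read-records", "permit",
             lambda q: q["action"] == "read" and q["resource"] == "patient_record",
             obligations=[("notify-ciso", 2)]),
        Rule("no-phi-egress", "prohibit",
             lambda q: q["action"] == "send_external" and q["context"].get("phi", False),
             priority=10,
             waiver=lambda q: q["context"].get("incident_declared", False)),
        Rule("send-external", "permit",
             lambda q: q["action"] == "send_external",
             obligations=[("record-recipient", 1)]),
    ])


def demo():
    """Walk one agent through the lifecycle; returns the engine and decision trace."""
    eng = build_engine()

    def req(action, resource, **ctx):
        return {"actor": "agent-7", "action": action, "resource": resource, "context": ctx}

    trace = [eng.decide(req("read", "patient_record")),                        # permit + duty
             eng.decide(req("send_external", "api", phi=True)),                # conflict: prohibit
             eng.decide(req("send_external", "api", phi=True, incident_declared=True)),  # waived
             eng.decide(req("install", "package"))]                            # default deny
    eng.tick(3)
    trace.append(eng.decide(req("read", "patient_record")))                    # blocked: overdue
    eng.fulfil("notify-ciso", "agent-7")
    eng.fulfil("record-recipient", "agent-7")
    trace.append(eng.decide(req("read", "patient_record")))                    # permitted again
    return eng, trace
```

The points worth noting: the prohibit on PHI egress wins the conflict purely by priority, the waiver removes that rule only while an incident is declared (and the decision records which rule was waived, which is what an auditor will ask for), and after the clock advances the engine refuses a perfectly ordinary read because earlier obligations are overdue. None of that is visible to the agent except as a Decision, which is the separation the paper is arguing for.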
The stakes are real for business leaders. If your organisation is deploying multi-agent systems and relying on existing policy infrastructure, you may have a compliance blind spot you haven't audited yet. Understanding multi-agent architecture is no longer just a technical concern — it's a boardroom one.
What This Means for Learners
This story is a signal that AI agent governance is becoming a distinct professional discipline. Whether you're in IT, legal, compliance, or leadership, understanding how agentic AI systems are constrained — and where those constraints break down — is rapidly becoming a core literacy skill.
If you're building or overseeing AI systems, our course on When AI Goes Rogue covers exactly the failure modes that emerge when AI agents operate without robust guardrails. And if you're a senior leader trying to build a responsible AI strategy before regulators force your hand, AI Strategy for Senior Leaders gives you the frameworks to act now rather than react later.
The organisations that win the next phase of AI adoption won't just be the ones who deployed agents fastest — they'll be the ones who governed them best.