- Two in five companies could have to scale back AI agents by 2027
- Companies urged to reconsider basic governance policies
- Thorough, four-stage framework introduced
Gartner has warned that as many as two in five enterprises will have to decommission their AI agents by 2027 due to gaps in their governance frameworks that might only be discovered after incidents occur.
This is because organizations are either treating AI agents as completely locked down or fully trusted – it's these uniform controls that could end up causing the biggest headaches for companies in the next few years.
The report says this actually presents two risks: beyond the obvious one of misplaced trust that grants agents access to systems they should not be able to reach, overly strict policies can push human workers towards other, unapproved tools, adding to the potential for data exposure.
Governance is a crucial consideration for agentic AI
To move forward, Gartner is advising companies to adopt a four-stage framework for more granular access controls, starting with 'Level 1: Observe'. This would grant AI agents read-only access to defined data sources, with outputs only available to the requesting user.
'Level 2: Advise' would add to this by generating recommendations or proposed actions that must be reviewed manually by humans – under this policy, agents would still have no write access to systems.
For full read-write access, 'Level 3: Act with Approval' would let agents carry out actions, write data and send communications, but only after explicit human approval every single time.
The final policy, 'Stage 4: Act Autonomously', is where AI agents can truly come into their own by executing actions by themselves. Humans would still be involved at the level of exceptions, audit logs and aggregated outcomes.
"Because accountability for outcomes remains with the organisation, this level requires the most rigorous governance, including continuous monitoring, enforced guardrails, rapid rollback mechanisms, circuit breakers that halt agent operation on threshold violations and clear ownership for agent behaviour," Senior Director Analyst Shiva Varma explained.
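The four levels described above amount to a policy gate that sits in front of every action an agent attempts: reads are limited to an allow-list of sources, proposals are queued for a human, writes need per-action approval until the final level, and at that level a circuit breaker halts the agent once failures cross a threshold. The Python below is an added example written for this article, not Gartner's code or any vendor's implementation; the action names ("read", "propose", "write", "send"), the source allow-list and the failure threshold of three are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Autonomy levels from the four-stage framework."""
    OBSERVE = 1            # read-only against defined sources
    ADVISE = 2             # may propose actions; still no write access
    ACT_WITH_APPROVAL = 3  # may write/send, but every action needs explicit approval
    ACT_AUTONOMOUSLY = 4   # executes on its own; breaker and audit log govern it


# Hypothetical action vocabulary for the example.
READ_ACTIONS = {"read"}
PROPOSE_ACTIONS = {"propose"}
WRITE_ACTIONS = {"write", "send"}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AgentPolicy:
    agent_id: str
    level: Level
    allowed_sources: frozenset          # data sources the agent may read
    failure_threshold: int = 3          # assumed breaker threshold
    failures: int = 0
    tripped: bool = False               # True once the circuit breaker has opened
    audit: list = field(default_factory=list)

    def _record(self, action, target, allowed, reason, approved_by=None):
        """Append every decision to the audit log, permitted or not."""
        self.audit.append({
            "agent": self.agent_id, "action": action, "target": target,
            "allowed": allowed, "reason": reason, "approved_by": approved_by,
        })
        return Decision(allowed, reason)

    def authorize(self, action, target, approved_by=None):
        """Decide whether this agent may perform `action` on `target`."""
        if self.tripped:
            return self._record(action, target, False, "circuit breaker open")
        if action in READ_ACTIONS:
            if target in self.allowed_sources:
                return self._record(action, target, True, "read of approved source")
            return self._record(action, target, False, "source not on allow-list")
        if action in PROPOSE_ACTIONS:
            if self.level >= Level.ADVISE:
                return self._record(action, target, True, "proposal queued for human review")
            return self._record(action, target, False, "level 1 agents only observe")
        if action in WRITE_ACTIONS:
            if self.level < Level.ACT_WITH_APPROVAL:
                return self._record(action, target, False, "no write access below level 3")
            if self.level == Level.ACT_WITH_APPROVAL and approved_by is None:
                return self._record(action, target, False, "explicit human approval required")
            return self._record(action, target, True, "write permitted", approved_by)
        return self._record(action, target, False, "unknown action")

    def record_outcome(self, success):
        """Feed the result of an executed action to the circuit breaker.

        Returns True once the breaker has tripped; a tripped agent is denied
        everything until a named human operator resets it.
        """
        if not success:
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.tripped = True
        return self.tripped

    def reset_breaker(self, operator):
        """Human-owned rollback step: clears the breaker and logs who did it."""
        self.tripped = False
        self.failures = 0
        self.audit.append({"agent": self.agent_id, "event": "breaker reset", "by": operator})


if __name__ == "__main__":
    agent = AgentPolicy("demo-agent", Level.ACT_AUTONOMOUSLY, frozenset({"crm"}))
    print(agent.authorize("write", "crm"))
    for _ in range(3):
        agent.record_outcome(success=False)
    print(agent.authorize("write", "crm"))   # denied: breaker open
```

The deny-by-default `authorize` path means an agent promoted from one level to the next gains exactly one new capability at a time, and the audit list records denials as well as permissions, which is what makes the gaps the article warns about visible before an incident rather than after one.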
Gartner's report essentially serves to remind enterprises that rushing into autonomy without careful consideration of what agents can read and write could harm security later on. With a calculated approach to governance, enterprises can avoid reactive rollbacks entirely.