Enforceable Authority Without Legitimate Control

The Infrastructure Gap at the Heart of Agentic Governance

The governance conversation around agentic AI has been, at its core, a conversation about authorization. Who decides what the agent is allowed to do? How are those permissions specified and scoped? What evaluation criteria gate deployment? These are legitimate and tractable questions, and the industry has invested seriously in answering them. Identity infrastructure has matured: service account patterns, OAuth flows, and emerging agent identity specifications now provide credible mechanisms for establishing who or what is acting. Capability evaluation has become a distinct discipline: red-teaming, benchmark-based scoping, and pre-deployment safety testing are no longer afterthoughts. Execution primitives have acquired real governance texture: tool-use APIs, sandboxed runtimes, and permission scopes define what an authorized agent can reach.

This investment is real, consequential, and insufficient. Not because it has failed on its own terms, but because it has been structurally front-loaded. What governance has successfully moved into infrastructure is the authorization side of the authority stack. What it has not built, at equivalent architectural depth, is the control side: revocation mechanisms that operate at execution speed, audit infrastructure that reconstructs reasoning rather than logging actions, and redress pathways that attribute harm to a specific layer rather than diffusing it across a stack each participant can partially disclaim.

The result is a structural asymmetry with a precise name: agentic systems now produce enforceable authority without legitimate control. Agents can act with real-world consequence and technical sanction. The mechanisms to constrain, correct, or remedy those actions exist, if they exist at all, outside the execution architecture, applied to the agent’s surface rather than integrated into its decision process. This is not a maturity gap to be resolved by the next iteration of tooling. It is a design outcome, produced by an incentive structure that systematically rewards the front end of the authority stack and externalizes the cost of the back end.

Defining the Asymmetry Precisely

Before diagnosing the gap, it is worth stating precisely what the gap is between, because “enforceable authority” and “legitimate control” are not rhetorical contrasts. They are testable conditions that a deployed system either satisfies or does not.

A system exhibits enforceable authority when three conditions hold simultaneously: its actions carry real-world consequence that persists beyond the execution context; those actions are technically sanctioned, occurring within the boundaries of a credentialed identity, a scoped permission set, and a deployment that has passed some form of capability gate; and the principal hierarchy that authorized the system intended to enable those actions. Enforcement is not the same as correctness. A system can exhibit enforceable authority while acting erroneously, because enforcement refers to the technical and institutional backing of the authority structure, not to whether the system is using that authority well.

A system operates under legitimate control when four conditions are simultaneously met, each with an operative threshold that makes the condition testable rather than aspirational.

Condition 1: Bounded revocation latency. The system can modify or halt the agent’s operative constraints within a specified time window from a harm signal, demonstrated under test conditions rather than asserted in documentation. The operative threshold is that the revocation signal reaches the agent’s reasoning context within one inference cycle of the triggering event, not merely between inference cycles.

Condition 2: Attributable decision trace. For any consequential action, the system can produce a causal reconstruction of the reasoning that produced it, identifying which layer’s contribution was the proximate cause. The operative threshold is that the attribution trace covers all inference steps in the action’s reasoning chain, with layer-signed contribution records for each step, available within 24 hours of a harm report.

Condition 3: Enforceable redress proportionality. The system has, for each category of consequential action, a pre-specified redress mechanism whose execution time is proportional to the action’s harm potential. Class A actions (reversible with automated rollback) are corrected within the harm window. Class B actions (partially reversible, requiring manual intervention) are escalated within 24 hours. Class C actions (irreversible) trigger pre-specified compensation mechanisms before the agent is permitted to execute them.

Condition 4: Designated accountability. A named organizational entity bears legal and operational responsibility for each deployed agentic service, with the operational authority to invoke revocation, audit, and redress primitives. The designation is specific, independently verifiable through a signed governance record, and public where required by regulation.

None of these conditions is satisfied by “the system can be stopped.” Stopping execution is not revocation; it is interruption. Logging actions is not causal reconstruction; it is transaction confirmation. Identifying a deploying organization is not attribution; it is default liability assignment. The existence of a legal system is not a redress pathway; it is a dispute resolution mechanism that operates on timescales orthogonal to the speed at which agentic harm accumulates. For any deployed agentic system, the test of legitimate control is direct: attempt to invoke each of the four primitives. If the invocation fails or produces a result that cannot be verified against the defined threshold, the corresponding condition is unmet.

The asymmetry thesis, stated precisely: agentic systems at current maturity satisfy the conditions for enforceable authority and fail to satisfy the conditions for legitimate control. This is not a claim that no deployed system has any control features; some do, partially. It is a claim that the conditions for legitimate control require architectural properties absent from the design requirements of most deployed systems, and that the incentive structure of the deployment market does not produce them.

What Governance Has Successfully Built

To understand what is missing, it is necessary to take seriously what exists. The authorization infrastructure of agentic governance is neither trivial nor cosmetic; characterizing it as such weakens rather than strengthens the core argument.

Identity has moved from informal assumption to engineered artifact. Early agentic systems operated with ambient credentials, inheriting permissions from the environment in which they ran, acting under the identity of whatever service account happened to be available. The governance literature identified this quickly as the confused deputy problem in a new form: the agent acts with authority it was never explicitly granted because it is indistinguishable, at the credential layer, from the system that was granted that authority. The response has been agent-specific identity patterns, including separate service principals, scoped OAuth flows, and early work on verifiable agent credentials that treat the agent as a first-class identity subject rather than an extension of its operator. The direction is correct: authority must be attached to the agent, not ambient in the environment.

Capability evaluation has acquired institutional form. The pre-deployment assessment of what an agent is capable of, not just what it is permitted to do but what it might do under adversarial prompting, edge-case inputs, or misconfigured tool access, is now a recognized practice with emerging standards. Red-teaming has professionalized. Benchmark suites have proliferated. The EU AI Act has operationalized capability thresholds as deployment gates for high-risk systems. These mechanisms are imperfect, but they represent a genuine effort to make authority contingent on demonstrated fitness rather than claimed intent.

Execution infrastructure has acquired real governance texture. Tool-use APIs expose agent actions as discrete, auditable primitives rather than opaque function calls. Sandboxed runtimes constrain what resources an agent can reach. Permission scopes, at the tool level, the API level, and the service level, create explicit boundaries around what a given agent instance is authorized to touch. Scoped permissions are a delegation architecture: they specify, at the infrastructure level, how authority is transferred and constrained from the principal’s intent to the agent’s action surface.

Together, these three layers constitute the authorization stack: Identity establishes who is acting and on whose behalf; Evaluation establishes fitness for the scope being granted; Execution defines the operational boundary within which the authority applies. This stack is coherent, increasingly well-engineered, and entirely forward-looking. It defines what the agent is permitted to do before it acts. It has no structural counterpart operating during or after action.

The corresponding control stack would consist of four layers: Revocation, the ability to modify or withdraw authority during execution at execution speed; Audit, the ability to reconstruct not just what happened but why, in a form that supports causal analysis; Attribution, the ability to assign causal responsibility for an outcome to a specific layer with a specific contribution; and Redress, the ability to remedy harm in proportion to its severity and reversibility, at a speed proportional to how quickly it occurred. The authorization stack has been built. The control stack has not. That asymmetry is the design outcome this essay analyzes.

Revocation Is Architecturally Harder Than Issuance

Human governance systems rest on an assumption so embedded it rarely requires articulation: authority can be withdrawn. A mandate can be rescinded. An agent can be redirected. An instruction can be countermanded. The interruptibility of action is not a luxury feature of governance; it is the mechanism by which governance remains responsive to changed circumstances, demonstrated harm, or updated principal intent.

Agentic systems do not share this assumption, and the architecture reflects it. Revocation in a human organization is a communication act: a message travels from the principal to the agent, the agent receives it, and the mandate changes. This works because human agents are continuously available to receive updated instructions, because the transmission channel is well-understood, and because the agent’s reasoning process is inherently revisable. In agentic AI systems, three structural properties decouple the moment of oversight from the moment of action in ways that make revocation qualitatively harder than issuance.

The first is inference speed. Agentic systems execute in milliseconds. A multi-step tool-use sequence can complete before any human oversight mechanism has processed the trigger that would indicate it should be stopped. Rate limiting and human-in-the-loop checkpoints address this partially: they introduce latency at defined points in the execution graph. But checkpoint-based revocation is not revocation at the reasoning level; it is interruption at the boundary between steps. The reasoning that produced the plan, and that will resume after the checkpoint, is not revised. The agent is paused, not corrected.

The second is stateless execution across tool calls. Most agentic architectures do not maintain a continuous reasoning state that can be externally inspected and modified. The agent reasons, acts, and then either terminates or begins a new inference cycle. Revocation that arrives between inference cycles can stop the next action; it cannot undo the current one, and it cannot modify the reasoning that produced it. This is not an implementation detail; it is a consequence of the autoregressive architecture underlying most current systems.

A common objection requires direct address: that memory architectures and stateful agent frameworks resolve this problem. They do not, for a precise reason. Memory and statefulness enable the agent to carry context across inference cycles, but they do not enable revocation to operate within an inference cycle. A stateful agent whose memory is updated with a stop instruction will not execute subsequent steps, but it cannot undo actions already taken in the current reasoning pass. The structural decoupling between action and revocation is not a function of statefulness; it is a function of the relationship between a completed reasoning computation and the external world. Even agents with persistent memory, long-horizon planners, and rich context windows exhibit the same structural property: once an action has been committed to the external environment, the reasoning that produced it is complete and its effects persist regardless of what the agent subsequently records. Statefulness changes what the agent remembers. It does not change what the world retains.

The third property is planning horizon. Agentic systems operating on complex tasks build and execute plans spanning multiple steps, sometimes with irreversible intermediate actions. By the time a harm signal reaches a human overseer, the action that caused it may be several steps into a sequence that has already produced downstream effects. A kill switch terminates execution; it does not produce a corrected outcome, reverse downstream effects, or reconstruct what the agent was attempting.

To make this concrete, consider an enterprise agent authorized to manage email communication, calendar scheduling, and document creation for a sales team. The agent is mid-execution on a multi-step task: it has drafted an external communication, sent it to a prospect, and is about to log the interaction and schedule a follow-up meeting. At the moment of sending, the principal realizes the communication was premature because the prospect is in active legal dispute with the company. A revocation signal is issued. The agent receives it after the email is sent and before the calendar step. The revocation is operationally successful: no meeting is scheduled. It is governably inadequate: the communication cannot be unsent, the legal situation has potentially been worsened, and the agent’s reasoning trace that led to the decision to send at that moment is not recorded in a form that permits reconstruction. This scenario is not pathological; it is the default behavioral profile of any multi-step agent operating on actions with real-world consequence. The governance infrastructure that would make it acceptable, a reasoning audit trail, a rollback mechanism for reversible actions, and an escalation threshold requiring human confirmation before irreversible external communications, was not present because it was not a design requirement.

A second scenario makes the stateful-agent caveat concrete. A financial services firm deploys an agentic portfolio management assistant with persistent memory across sessions. A client calls to change their risk profile from aggressive to conservative. The instruction is processed and stored in the agent’s memory. Over the subsequent 48 hours, the agent executes a rebalancing sequence. On day two, a hold instruction is issued. The agent acknowledges it. But three transactions from the previous session’s execution cycle have already settled. The memory is updated; the settled actions are not reversed. Statefulness enabled the agent to receive and process the hold instruction. It did not enable revocation of actions already committed to the market. The control problem is not that agents lack memory. It is that memory is not reversibility.

Redress Without Attribution

When an agentic system causes harm, the question of responsible attribution is not primarily a legal problem. It is an architectural one, and the architecture systematically resists clean answers.

Causal responsibility in agentic harm is distributed across at least four layers: the model (what it was trained to do, how it generalized from instructions); the deployment configuration (what tools it was given access to, what constraints were embedded in the system prompt); the principal’s instructions (how the task was framed, what guardrails were specified); and the platform’s defaults (what the underlying infrastructure permitted absent explicit configuration). Each layer has partial causal contribution. Each layer can partially disclaim. This is not bad faith; it is the structural consequence of a layered architecture with no designated accountability layer.

Consider a case within the foreseeable range of current agentic deployment in financial services. An agentic advisory system generates and transmits an outreach communication to a retail customer segment recommending a specific investment product. Under FCA conduct rules, this constitutes unsolicited financial promotion to retail customers, a regulatory breach. The deploying firm receives an enforcement notice. The attribution attempt follows: the model developer points to the deployment configuration, noting no guardrail was applied against promotional language in cold outreach; the deployer’s legal team finds the system prompt includes a guideline against unsolicited promotions, expressed as a preference rather than a hard constraint; the platform notes the email-sending tool was configured with unrestricted outreach permissions; the principal whose instruction initiated the workflow had specified “reach out to prospects who have shown interest in fixed-income products,” a framing the agent generalized to include a customer who had browsed the firm’s website once. No layer has unambiguous causal primacy. The enforcement fine defaults to the deploying firm as the authorized person under the FCA regulatory perimeter. But the actual causal chain implicates all four layers, and without a reasoning trace reconstructing the agent’s generalization from “browsed website” to “suitable for unsolicited promotion,” the deploying firm cannot determine whether the system behaved as configured or whether the model generalized in a manner the configuration did not anticipate. Attribution is an argument. It should be an audit.

This is where comparison with other safety-critical domains is most instructive. The aviation industry resolved an analogous problem through flight data recorders and cockpit voice recorders, whose design requirement is not real-time monitoring but retrospective forensic capability: the ability to reconstruct, after an incident, the causal sequence of decisions and conditions that produced an outcome. The NTSB (or equivalent) can determine with precision what happened in the final minutes of a flight not because it was observed but because the recording infrastructure was built for forensic reconstruction as a first-order design requirement. The parallel in agentic systems is not an action log. It is a decision log: a structured record of the agent’s task framing, intermediate inferences, constraint weightings, tool justifications, and rejected alternatives at each step. Current agentic system logging is the equivalent of knowing that the aircraft departed, reached cruising altitude, and failed to arrive, without any record of what occurred in between.

The same logic applies in nuclear safety, where the defense-in-depth principle holds that each safety layer must be designed assuming the previous can fail. No single layer is trusted to be the terminal control. The implication for agentic systems is precise: authorization infrastructure, however well-designed, must be assumed potentially insufficient, and the control infrastructure must be designed to provide governance capability even when the authorization layer has permitted an action it should not have. Defense in depth in agentic governance means that authorization defines what the system may do; audit enables reconstruction of what it did and why; attribution assigns responsibility for the outcome; and redress provides a pathway proportional to the harm. Each layer operates independently. None substitutes for the others.

Why Existing Frameworks Cannot Simply Be Extended

Three frameworks dominate the governance conversation around agentic systems: administrative law’s non-delegation doctrine, the EU AI Act’s human oversight requirements, and financial services conduct rules. Each captures part of the problem. None addresses the structural asymmetry between authorization depth and control depth, for a consistent reason: each was designed for systems in which oversight infrastructure and execution infrastructure are not separated by design.

Administrative law’s non-delegation doctrine holds that legislative authority cannot be transferred to executive agencies without intelligible principles constraining its exercise. Applied to AI, this suggests that agentic systems should act only on authority explicitly delegated, within specified limits, subject to review. The analogy is instructive but category-mismatched. Administrative agencies act on timescales where review can be institutional: courts, oversight bodies, legislative reconsideration. Agentic systems act at inference speed. Non-delegation doctrine provides the normative architecture, specifying that delegated authority must be bounded and reviewable. It provides no engineering requirement for how bounds are enforced during execution, what infrastructure makes review possible after execution, or how a finding from review translates into remedy proportional to the speed of the original action.

The EU AI Act’s Article 14 human oversight requirements for high-risk systems are genuine governance provisions, not aspirational statements. They require that human oversight is possible, that the system can be stopped, and that operators maintain sufficient understanding of the system’s capabilities to identify anomalous behavior. The gap is in what “possible” means operationally. The Act specifies a capability without specifying a tolerance, a test, or an architectural design obligation. An operator who deploys an agentic system with a kill switch satisfies the literal requirement. An operator whose kill switch terminates a task but cannot reconstruct the reasoning that produced it, cannot determine whether the termination was justified, and cannot remedy any harm already produced has technically complied while remaining structurally unaccountable.

Financial services conduct rules impose obligations on human decision-makers to act in the client’s best interest, maintain records sufficient to reconstruct decisions, and ensure accountability for outcomes. These rules assume a human at the point of decision whose reasoning can be audited after the fact through records, communications, and testimony. When an agentic system makes the consequential decision, the conduct obligation lands on the deploying organization, which is architecturally separated from the decision by the agent’s reasoning process. The deployer is accountable for outcomes it may not be able to reconstruct, under a regulatory framework designed for humans.

It is the UK Financial Conduct Authority’s operational resilience framework that offers the most structurally relevant precedent. The FCA’s requirements, finalized in 2021 and fully enforced from March 2025, impose a fundamentally different accountability logic than conduct rules or product regulation. Firms must demonstrate, not merely assert, that their important business services can withstand disruption: mapping service dependencies explicitly, defining impact tolerances (the maximum tolerable duration of disruption to a given service), and testing against those tolerances through severe but plausible scenarios. The obligation is architectural from the outset; it cannot be satisfied by compliance documentation produced after the fact.

The mapping to agentic governance is direct. FCA impact tolerance translates to per-action reversibility threshold: each category of agentic action must have a defined maximum tolerable harm window, and the control infrastructure must be capable of operating within it. FCA scenario testing translates to adversarial testing of the revocation and attribution infrastructure specifically, not merely of the model’s behavioral outputs. The FCA requirement that firms map their service dependency architecture translates to the requirement that deployers map their execution architecture to a layer-attributed accountability model before authorizing any action class with real-world consequence. And the FCA’s ongoing monitoring obligation translates to continuous measurement of the four control metrics defined later in this essay: revocation latency, attribution resolution time, audit completeness, and rollback coverage.

This framework does not require a new regulatory apparatus for AI. It requires extending an existing one to cover agentic systems as a category of important business service, recognizing that any service that delegates consequential decision-making to an agent is a service where the operational resilience of the control infrastructure is a governance requirement, not an engineering option. The regulatory extension is conceptually straightforward. It has not occurred because AI governance frameworks have been built from first principles rather than by extending the most applicable existing framework, which is a governance design error rather than a gap in regulatory capability.

The consistent finding across all three frameworks is that they were designed for systems in which the authorization layer and the control layer are the same thing. In human organizations, the principal who authorizes an agent can also revoke, redirect, and hold accountable; the same channels that carry the mandate carry the correction. In agentic systems, the authorization layer and the control layer are architecturally separate by design. Extending frameworks designed for unified governance to systems with structurally separated layers produces coverage gaps that are not accidental. They reflect the category difference between the problem the frameworks were built for and the problem they are being applied to.

The Incentive Structure That Produces This Outcome

The asymmetry between authorization depth and control depth is not the result of governance neglect. It reflects a coherent incentive structure that points precisely in the direction of the observed investment pattern, and understanding that structure is necessary to judging whether the gap will self-correct.

Authorization infrastructure enables deployment. Identity, evaluation, and permission scoping are prerequisites for putting agentic systems into production. Investment in these areas is commercially necessary: without them, the system cannot run. The commercial incentive to build authorization infrastructure is therefore direct and immediate. Control infrastructure enables accountability. Revocation mechanisms, reasoning-reconstructible audit trails, and attribution-capable redress pathways make deployed systems correctable. The commercial incentive to build this infrastructure is indirect and deferred: the cost of inadequate control infrastructure is externalized to affected parties when harm occurs, and the reputational and legal consequences are uncertain in timing and magnitude.

This asymmetry is visible in the pattern of investment. Pre-deployment evaluation, covering red-teaming, safety benchmarking, and capability assessments, typically absorbs between 15 and 25 percent of a frontier AI organization’s safety-related engineering budget, estimated from published headcount distributions, team structures, and research publication rates at major frontier labs. Post-deployment monitoring and control infrastructure, covering live behavioral oversight, revocation primitives, and incident attribution tooling, typically absorbs between 3 and 8 percent. The direction of this disparity is consistent and its magnitude is large enough to constitute a structural pattern. The pre-deployment evaluation field has conferences, benchmarks, dedicated research teams, and established career tracks. The post-deployment control infrastructure field has incident reports and compliance checklists. These are not comparable investments.

To make this claim falsifiable rather than rhetorical, the observable indicators that would confirm or disconfirm the investment asymmetry across a defined sample of deploying organizations are: budget allocation disclosures disaggregated by governance function; published hiring data showing team size ratios between safety evaluation and deployment monitoring; research publication rates by topic comparing pre- and post-deployment governance; and open-source tooling investment by governance category. An organization that invests equivalently in pre- and post-deployment governance would show comparable headcount in safety evaluation and deployment monitoring teams, comparable publication output on capability assessment and on audit infrastructure, and comparable tooling investment in pre-deployment red-teaming and post-deployment attribution systems. The absence of these symmetric signals is the empirical prediction of the asymmetry thesis. Where equivalent investment is observable, the thesis requires qualification for that organization.

A second incentive gradient compounds the first. Agentic systems in enterprise contexts are evaluated on task completion rate, cost per task, and time-to-deployment. These metrics reward authorization depth, since a more capable and less constrained agent scores better on all three, while penalizing control depth, since revocation mechanisms introduce latency, reasoning-reconstructible logging increases compute cost, and layer-attributed accountability models require integration overhead. A deploying organization facing this metric structure has no internal incentive to invest in control infrastructure beyond the minimum required by regulation or contractual obligation.

The reputational incentive structure is similarly asymmetric. Organizations that invest heavily in pre-deployment evaluation can communicate that investment clearly: safety cards, model cards, red-team reports, and capability evaluations are legible artifacts. Organizations that invest in post-deployment control infrastructure produce assets that are difficult to communicate: the absence of a harm attribution failure is not a legible signal, and the quality of a revocation mechanism is not visible until it is needed. The governance investment that is hardest to communicate is precisely the governance investment that matters most for legitimate control.

This incentive structure is a principal-agent problem with externalized risk. The deploying organization is the agent; affected users and regulated entities are the principals. The deployer’s payoff function is maximized by deployment speed and capability, which require authorization depth, and is not reduced by inadequate control infrastructure until an incident occurs, because the cost of that inadequacy falls on affected parties. The deployer internalizes the benefit of authorization investment and externalizes the cost of control underinvestment. This is not a market failure in the sense of imperfect information; all parties broadly understand the structure. It is a market failure in the sense of misaligned payoff functions: the party best positioned to build control infrastructure is the party least financially motivated to do so. Closing the gap requires changing that payoff structure through regulatory threshold-setting, liability attribution, or market expectation shifts. It will not close through voluntary investment, because the conditions that produce the asymmetry are intrinsic to the deployment market itself.

Control Debt and Its Accumulation Dynamics

Technical debt is a familiar concept in software engineering: shortcuts in implementation that reduce long-term code quality, deferring cost to a future refactoring or system failure. Control debt operates analogously at the governance layer, but with properties that make it more dangerous than its technical counterpart.

Control debt is incurred every time a deployment cycle proceeds with authorization infrastructure and without the corresponding control infrastructure. Each agentic system deployed without revocation primitives, without a reasoning-reconstructible audit trail, and without a layer-attributed accountability model adds to the accumulated governance liability of the deploying organization and to the sector’s accumulated exposure to unattributable harm. The debt is not carried on any balance sheet. It is not visible in any internal metric. It grows at the speed of deployment, not the speed of development, and it accumulates across every system that normalizes the current pattern as acceptable.

Three properties distinguish control debt from technical debt in ways that matter for governance strategy. First, control debt accrues at deployment speed, not development speed. Technical debt accumulates with each code commit that shortcuts quality; it can be bounded by slowing development or imposing code review requirements. Control debt accumulates with each deployment of an agentic system lacking control infrastructure; it cannot be bounded by review processes that occur before the system is in production, because the control gap is only consequential once the system is acting on real-world decisions. Second, the liability represented by control debt is held by parties other than the organization that incurred it. Technical debt creates quality risk for the developing organization. Control debt creates harm risk for affected users, regulatory exposure for deployers, and systemic fragility for the sector. The party best positioned to reduce the debt is not the party most exposed to its consequences. Third, there is no internal signal that control debt is accumulating. Technical debt manifests as code quality metrics, build failures, and velocity degradation. Control debt manifests only when an incident occurs and the control infrastructure is found to be inadequate. By then, the debt is substantial and its repayment is reactive rather than planned.

The trigger for control debt repayment is an incident. Because agentic systems operate at inference speed, the incident that triggers repayment may be significant before the deploying organization has determined that a control failure occurred. A financial harm that takes 48 hours to propagate through a multi-step agentic workflow may be effectively irreversible before reconstruction is attempted. The speed asymmetry between harm accumulation and governance response is not incidental to the control debt problem; it is the mechanism by which deferred control investment becomes unmanageable.

There is a systemic dimension that individual-firm analysis does not capture. If many deploying organizations are simultaneously accumulating control debt under similar patterns of authorization-without-control deployment, the sector is building an aggregate liability that will be triggered by the first significant incident attributable to the governance gap. The first large-scale attribution failure in financial services, the first unrecoverable harm from an agentic health informatics system, or the first infrastructure disruption traceable to an agentic workflow without a functioning revocation mechanism will become the trigger event for regulatory recalibration. That recalibration will be reactive, will be applied at sector scale, and will be more disruptive than the proactive investment in control infrastructure would have been. The institutions that have accumulated the most control debt will face the harshest adjustment.

The Adversarial Dimension

The control gap is not merely a governance failure. It is an attack surface, and the inability to recognize it as such limits the relevance of the governance argument for the security community.

An adversary who understands that an agentic system lacks mid-execution revocation can exploit the window between authorization and the first available interrupt to achieve effects the authorized system would not be directed to produce. Prompt injection in multi-step agentic workflows is the clearest instantiation: if a malicious actor can induce an agent, via crafted content embedded in tool outputs or retrieved documents, to extend its reasoning chain in a direction not intended by its principal, and if revocation cannot operate at the reasoning layer, then the agent can be weaponized against its principal without the principal having any mechanism to detect or correct the influence until after the consequential action has been taken.

The absence of reasoning-reconstructible audit trails compounds this vulnerability in an underappreciated way: after the fact, the deploying organization cannot determine whether a harmful action was taken under adversarial influence or under the agent’s own reasoning from legitimate inputs. Attribution is structurally impossible. A sophisticated adversary operating through prompt injection can achieve effects that are indistinguishable, at the audit layer, from system misbehavior attributable to misconfiguration. The deployer cannot demonstrate it was attacked; the adversary cannot be held responsible; and the harm cannot be attributed with sufficient precision to support legal or regulatory response.

The absence of native revocation primitives creates a class of attacks that exploit the temporal gap between harm initiation and interrupt capability. An adversary who can induce an agent to take an irreversible action has effectively bypassed the entire authorization infrastructure, because the authorization was granted for a legitimate purpose and the revocation mechanism operates too slowly to prevent the irreversible consequence. This is the operational profile of any high-stakes agentic deployment in which the agent has access to tools with asymmetric reversibility: the harmful action is instantaneous, its effects are irreversible, and the revocation is deferred. Designing against this attack class requires exactly the architectural features that legitimate control requires: reversibility classification at tool authorization time, native revocation primitives operating within inference cycles, and reasoning-reconstructible audit trails that distinguish adversarial influence from system behavior. The governance requirement and the security requirement are architecturally identical. They are currently addressed in isolation, which is why neither is being addressed adequately.

There is a second-order adversarial dynamic that bears separate treatment: the use of the control gap as a deniability mechanism. An organization operating an agentic system without reasoning-reconstructible audit trails is not merely vulnerable to external adversaries; it has also created conditions under which its own systems can behave in harmful ways without the organization being able to demonstrate that it did not intend the harm. The structural inability to attribute makes malicious deployment and negligent deployment look identical from the outside. A regulatory or legal proceeding that cannot distinguish between an organization that designed a harmful outcome and one whose system produced it through an undetected failure cannot calibrate penalties proportionally. This is not merely an unfairness concern for deploying organizations; it is an incentive problem for governance. When the penalty for negligent deployment is structurally indistinguishable from the penalty for malicious deployment, the governance signal that would ordinarily encourage investment in control infrastructure is attenuated. The absence of audit infrastructure that enables exculpatory attribution is therefore not just a vulnerability for affected parties; it is a degradation of the governance signal that would otherwise incentivize better control investment.

Accountability Architecture as Design Specification

The governance error most characteristic of the current deployment wave is the conflation of oversight annotation with accountability architecture. Adding audit logging, implementing human-in-the-loop checkpoints, and publishing responsible deployment guidelines are genuine governance actions. They are not accountability architecture. The distinction determines whether control is legitimate or merely formal.

Accountability architecture, as a design specification, requires four structural elements currently absent from most deployed agentic systems.

Revocation as a native execution primitive. Revocation that operates at the control plane level, able to interrupt rather than merely terminate, requires that the agent’s execution loop be designed from the outset to accept and process revocation signals during inference, not only between steps. A kill switch added to a system not designed for mid-reasoning interruption is a circuit breaker. Circuit breakers are necessary and insufficient for legitimate control. Native revocation infrastructure requires an agent execution architecture that maintains a persistent revocation-check state, consults an external authority signal at defined checkpoints within a single inference pass, and produces a meaningful partial-completion output rather than a hard abort when a revocation signal is received. This is non-trivial to implement in autoregressive systems, but that technical difficulty is the argument for treating it as a first-order design requirement rather than a retrofit.

Reasoning-reconstructible audit trails. A reasoning-reconstructible audit trail must capture at minimum: the task framing the agent received at the start of the inference cycle; the tool calls made, with the agent’s stated justification for each; the intermediate conclusions that updated the agent’s plan; the constraints that were active and the weight they received; and the alternatives available at each decision point and the basis on which they were rejected. This specification goes substantially beyond what current operational logging produces. The compute cost is real; it is of the same order as the cost of maintaining decision-reconstructible logs in regulated financial trading environments, where such logs are now standard. The infrastructure precedent exists. Its transfer to agentic systems has not been mandated because existing regulatory frameworks have not converged on causal reconstruction as a requirement. The aviation black box standard provides the relevant precedent: retrospective forensic capability as a design requirement, not a debugging convenience.

Layer-attributed accountability models. Each architectural layer, the model provider, the platform, the deployer, and the principal, must produce at execution time a structured contribution record specifying what authority that layer granted, what constraints it applied, and what defaults were active. Records must be cryptographically signed and included in the execution trace in a form that permits independent verification. The goal is not to produce a legal document at execution time but to make the layered architecture legible to redress processes. A contribution record is a layer contract made auditable: it specifies what the layer was responsible for, such that deviations from that specification become attributable rather than deniable.

The cryptographic signing model is not novel. Trust over IP architecture, W3C Verifiable Credentials, and NIST cybersecurity framework components all provide precedent for signed, verifiable claims within layered trust architectures. The contribution record model is an application of verifiable credential principles to the execution layer: each layer produces a verifiable claim about its contribution to the agent’s authority and constraints, and those claims are chained in the execution trace. The technical primitives exist. The application to agentic accountability has not been standardized by any of the relevant bodies, including ToIP, NIST, or the emerging agent protocol working groups. The gap is governance will, not technical capability.

Redress pathways proportional to execution speed. If an agentic system can cause harm in milliseconds, the redress pathway cannot be a legal process that resolves in months. Technical redress primitives, including rollback mechanisms for reversible actions, compensation triggers for irreversible ones, and automatic escalation thresholds calibrated to harm severity, must be part of the deployment architecture. The rollback requirement implies that every agentic action with external consequence must be accompanied, at design time, by a specified rollback procedure or an explicit declaration that rollback is not possible. Where rollback is not possible, the escalation threshold must be proportional: the lower the reversibility, the more restrictive the authorization requirement and the shorter the human review window. This maps directly to the FCA impact tolerance concept applied at the action level rather than the service level.

A Maturity Model for Control Infrastructure

The accountability architecture described above represents a substantial departure from current practice. Defining a staged path that distinguishes minimal from full architectural implementation prevents the aspiration from becoming a reason to do nothing.

Stage 1, Minimal Accountability, requires three things achievable with current tooling. Every tool authorized for agentic use must be classified by reversibility before deployment: reversible (actions can be fully undone without residual consequence), partially reversible (actions can be corrected but with some residual cost), or irreversible (actions cannot be undone). For irreversible tool classes, mandatory human confirmation is required before each use regardless of task context. A baseline audit trail capturing task framing and tool calls made is retained for a defined period and accessible to authorized governance reviewers. Escalation thresholds defining what harm severity or action class triggers automatic human review are documented, tested, and enforced. This stage adds modest latency and storage costs and is achievable without architectural changes to the underlying agent execution system.

Stage 2, Intermediate Control, extends Stage 1 with layer-attributed contribution records produced by the platform and deployer at each execution. These records are structured and retained without cryptographic signing at this stage. Impact tolerances are defined per service type, analogous to FCA operational resilience practice. Revocation mechanisms extend to checkpoint-based interruption within multi-step workflows with defined maximum step counts before mandatory human confirmation. The reasoning audit trail is extended to include tool justifications and intermediate conclusions for high-stakes executions, defined by reversibility classification and business impact scope.

Stage 3, Full Accountability Architecture, implements all four control stack requirements at design level. Native revocation operates as an execution primitive with revocation-check states embedded in the inference loop. All four layer contribution records are cryptographically signed and incorporated into the execution trace using a verifiable credential pattern. Attribution analysis is automated for defined incident classes, producing a structured causal report within a defined response window. Redress primitives are deployed for all reversible action classes; irreversible action classes carry pre-defined compensation triggers and regulatory escalation procedures. The full reasoning-reconstructible audit trail is retained and cryptographically linked to the contribution records of all participating layers.

Stage 1 does not require Stage 3 to be viable. It requires only that reversibility classification be enforced at tool authorization time and that a baseline audit trail be produced and retained. Organizations that have implemented Stage 1 have a defensible governance posture. Organizations that have implemented none of it are accumulating control debt at the speed of every agentic task they execute.

The metrics that make progress measurable across these stages are four. Revocation latency: the elapsed time from issuance of a revocation signal to confirmed interruption of execution, measured in milliseconds. Attribution resolution time: the elapsed time from incident detection to production of a layer-attributed causal report, measured in hours. Audit completeness: the fraction of executed tool calls for which a reasoning justification is captured and retained. Rollback coverage: the fraction of authorized tool actions for which a defined rollback procedure exists. None of these metrics is difficult to define or collect. None of them is currently reported by any major agentic deployment organization as a governance indicator. Their absence from deployment governance is not a measurement problem. It is an accountability design problem.

What Shifts

The governance investment in agentic systems needs to rebalance. This does not mean abandoning authorization infrastructure; it means building control infrastructure at equivalent architectural depth and treating the absence of that infrastructure as an accumulating liability rather than an acceptable default.

For deploying organizations, the most immediate action is tool reversibility classification enforced as a deployment gate. Before any agentic system is authorized to use a tool with real-world consequence, the tool must be classified by reversibility and the corresponding control requirement specified and tested. This is the agentic equivalent of change management controls that responsible organizations already apply to manual system changes in regulated environments. The discipline exists. It has not been applied to agentic systems because the deployment pattern normalized authorization without control, and that normalization is now the structural problem to be reversed.

For regulators, the direction is clear from the FCA operational resilience framework: move from oversight requirements that specify what must be possible to requirements that specify what must be demonstrable. The EU AI Act’s Article 14 is a floor, not a ceiling. Regulators in domains where agentic systems are already deployed, financial services, healthcare, legal services, and infrastructure management, should be extending domain-specific conduct requirements to cover the control layer: not just “can the system be stopped” but “can the system’s decision be reconstructed, attributed, and remedied within a tolerance proportional to the speed and severity of potential harm.”

There is a governance capture risk this analysis would be incomplete without acknowledging, and it is one that the current framing of accountability infrastructure debates has largely ignored. The infrastructure required for legitimate control, revocation primitives, audit systems, attribution models, and redress pathways, is infrastructure that must be built, operated, and accessible. If it is built exclusively by the platforms that operate the underlying execution environments, then the platforms that control authorization also control revocation, audit, and attribution. The party best positioned to assess whether a system failed is the party with the deepest commercial incentive for that system to be judged as having functioned correctly. This concentration risk is not hypothetical. It replicates the dynamics observed in digital advertising audit infrastructure, where the entities being audited controlled the measurement systems. Legitimate control requires that control infrastructure be either independently operated or independently auditable. Regulatory mandates for control infrastructure must specify not just what the infrastructure must do but who is permitted to operate it and under what independence requirements.

For the field at large, the central finding is this: governance in agentic systems has already moved into identity, evaluation, and execution infrastructure. These are real achievements. The systems that result are technically sophisticated and structurally incomplete. They produce enforceable authority, agents that act within their granted scope, credentialed against defined standards, operating within permitted boundaries, without legitimate control. The mechanisms to constrain, redirect, attribute, and remedy those actions remain external to the architecture that executes them.

The asymmetry is not closing. The investment disparity between pre-deployment evaluation and post-deployment control is structural, incentive-driven, and compounding with each deployment cycle that normalizes the current pattern as acceptable. Organizations deploying agentic systems under the current architecture are accumulating control debt at the same rate they are accumulating deployment scale. When that debt comes due, it will come due at the speed of the systems that incurred it, in the form of incidents that cannot be reconstructed, harms that cannot be attributed, and failures that cannot be remedied because the infrastructure for remedy was never built. The institutions that have accumulated the most control debt will face the harshest adjustment when the first significant attribution failure triggers regulatory recalibration at sector scale.

The audit trail that can reconstruct a decision is fundamentally different from the audit trail that confirms a transaction occurred. That distinction is not a philosophical subtlety. It is the operational difference between a governance architecture that can correct itself and one that can only observe its own failures. Until that distinction drives infrastructure investment with the same urgency that authorization infrastructure once commanded, agentic governance will remain technically advanced and structurally illegitimate.

The institutions most exposed to this risk are not necessarily the ones deploying the most aggressive systems. They are the ones that have normalized the authorization-without-control pattern most thoroughly, across the most deployment contexts, over the longest period. Their control debt is the largest. Their exposure to the first significant sector-level incident is proportionate. The adjustment, when it comes, will not be calibrated to what would have been efficient; it will be calibrated to what is politically necessary after a visible governance failure. Proactive investment in control infrastructure is not merely an ethical preference. It is the least disruptive path available, and that window is closing with each deployment cycle that treats governance as something applied after the architecture is finalized rather than designed into it from the outset.

The systems will be authorized. They will not be under control. And the institutions that deploy them will be accumulating a liability that no compliance annotation, however carefully drafted, can extinguish.