# AI Governance Used to Be a Checklist. Now It’s a Continuous Process > Source: > Published: 2026-06-26 20:30:41+00:00 AI governance used to be a step at the end of a waterfall process; once complete was not revisited. Now, agentic AI capabilities and complex orchestrations of multiple AI agents need dynamic governance that adapts to the changing governance and safety needs as agents from different organizations meet, learn and use tools together. Due to the dynamic nature of AI agent architecture, this means there’s a growing gap between agentic AI activities and effective governance. That gap raises organizations’ risk of poor-quality agentic output that could erode employee and public trust or even cause injury. In fields like medicine and transportation, inadequate governance can pose safety risks to patients, passengers, and others. In the rush and excitement of agentic AI deployment, it’s critical to take a fresh look at governance. Organizations that transform their governance practices alongside their agentic AI transformation are more likely to realize better results from their AI investments and reduce their agent-related risk exposure. **A Recognized Need for a Governance Transformation** Imagine two agents interacting on the open web. They’re shopping for a customer or conducting deep research for a user. These agents weren’t designed to operate together, but due to the flexible architecture of next-generation systems they can communicate and collaborate. When they meet, progressive governance can assess their provenance, authority and autonomy level determining whether it is safe to collaborate, share information and what tasks each AI agent can perform safely and accurately, and more. In its most recent white paper on the subject of AI agents, the World Economic Forum (WEF) offers a playbook of best-in-class governance practices adapted for the complex agentic environments that companies are building today. In their recommendations, we see two main shifts: the move away from basic checklist-based compliance to continuous compliance activities, and the need for cross-functional collaboration to define those governance activities. **Governance at the Speed of Agentic Innovation** In addition to the complexity and constant evolution of agentic systems, the capabilities of individual agents can degrade. For example, if a knowledge store that an AI agent uses is removed or upgraded, the agent’s skills would decrease or increase as a result. Every adaptation requires governance checks to run in near real time to ensure both the AI agent and the broader multi-agent system continue operating as intended. Because these processes will happen too fast for manual human review, people must design friction points into the system, similar to speed bumps and traffic signals on actual roadways. This progressive governance approach requires human-defined rules that AI agents must follow which will provide validation at key checkpoints along the AI agents process to ensure it does not get off track and introduce errors and hallucinations into multi-agent system workflows. In the agentic AI system, evaluations, assessments, and checks with deterministic references of key insights are the friction points that keep AI agents within safe operational parameters. **Collaboration Across Functions for Governance Foundations** Agentic systems often span multiple functions and access datasets across an organization, so governance planning requires input from stakeholders across IT, HR, product teams, risk mitigation, and perhaps other areas. Those conversations should start with deciding whether an agent is the right tool for a given use case. If so, stakeholders can then define the role of the AI agent and develop the rules that will govern it. This practice shifts governance from a siloed technical task to a collaborative design practice. **A Progressive AI Governance Framework** Putting these processes into practice requires a new governance model. The WEF’s progressive governance framework defines four practices where changes can trigger governance reviews. Classification. Defining each agent’s abilities and area of operation will allow for accurate assessment when things change. How will the system certify the legitimacy of the agent, determine the agent’s level of autonomy, set expectations of agent predictability, and decide whether expectations of agent role and performance align across stakeholders? For example, retail marketing and security teams need to align customer experience and data protection goals as they decide what customer and inventory data the company’s new shopping agent can access and how the agent might use that data to complete transactions for customers. Classification discussions may also involve third-party vendors. Evaluation. Once the agent is classified, it needs to be tested in a representative setting. In addition to capabilities, recommended evaluation criteria include task completion time and success rate, types of errors generated, trust indicators, and more. The evaluation team can set up monitoring processes and alerts to assist with ongoing performance evaluation. For example, a coding copilot built to help human developers generate and debug code might be evaluated on its performance on those tasks in a sandbox environment that mirrors the workflows where it will be embedded. That testing should include exposure to conflicting or unclear inputs to understand how the agent responds and adapts to confusing data. It’s important to get feedback from human developers about how much they trust the agent’s output. Risk assessment. Classification and evaluation data feed into risk analysis for each agent, based on the types of data it can access, the tools it can call, its outputs, and the context of its operations. For example, an agent that tracks supply chain inputs for a manufacturer will have different data inputs, risks, and compliance requirements from an agent that helps a global bank settle international financial transactions. Governance. This is the stage where stakeholders implement controls for the agent, based on classification, evaluation, and risk assessment results. Those controls might require the agent to file a request ticket to query a protected database or require human review of especially sensitive data requests or unusual tool calls. Effective governance needs clear guidelines on how and when humans will step in and who will act on sensitive requests and alerts. Changes in any area can require changes in other areas and in the overall governance practice. A simple example is a coding copilot whose performance declines against evaluation metrics. That agent will need to be reassessed for risk exposure and reclassified if the data it draws on has changed. In multi-agent systems, changes that apply to one agent may require real-time governance reviews for other agents. **Scaling Agentic AI Systems Through Human-AI Collaboration** The agentic AI transformation must be capable of scaling beyond human speed to facilitate the movement of knowledge, commerce and more at the speed of the internet. Ensuring safe, reliable, and ethical operation of our digital infrastructure at that speed and scale requires a shared set of human-defined operational “rules of the road” for agentic AI. Having AI regulators and practitioners set the foundation for AI agent operation and governance will allow people to stay in the driver’s seat as agentic AI capabilities accelerate and scale.