
Key facts.
- BCG's 2025 research found only about 5% of companies generate value from AI at scale while nearly 60% see little or no impact, so every profile needs governance, scaled to its stakes. source
- DORA (EU 2022/2554) imposes ICT risk-management, incident-reporting and resilience requirements on financial entities, a heavier bar than a low-stakes internal tool faces. source
- ISO/IEC 42001:2023 builds risk-based controls into its AI management system, formalizing the principle that control depth should match the agent's risk profile rather than a single template. source
Why does a single governance template fail across industries?
One template is too heavy for the internal tool or too thin for the HIPAA case and an upgrade moves neither bound: BCG found only 5% capture value, so a wrong action costs differently. (source)
Because the consequence of a wrong action is not the same in a finance workflow as in an internal note-taker and governance that ignores that mismatch lands wrong in both directions. Apply the finance-grade controls, full audit trails, dual approval on every action, supervisory reporting, to an internal productivity agent and you bury a low-risk tool under process that destroys its value. Apply the internal-tool controls, light logging, no approval gates, to a finance agent acting on transactions under DORA and you have a regulated system with none of the resilience and reporting the regulation demands. The template that fits one profile is wrong for the other and most organizations run agents across several profiles at once.
A more capable model does not collapse the difference. BCG's value-gap research shows most companies capture little or no value while a small group captures it at scale, so no profile is control-free, but the depth has to match the stakes. A healthcare agent touching protected health information answers to HIPAA's access and audit requirements; a financial agent answers to DORA's resilience and reporting regime; an internal tool answers mainly to common sense and basic logging. The governance that works is comparative: it starts from the industry's risk profile and rules, then sets the control depth to match, so each agent gets the oversight its consequences justify and no more.

How do you set governance by risk profile?
Start with two questions: what is the consequence of a wrong action and what rules apply. A finance agent under DORA: high consequence, heavy rules, so dual approval on transactions, full audit trails, incident reporting, resilience testing. A healthcare agent under HIPAA: high consequence, strict data rules, so access controls, audit logging, oversight on clinical-adjacent decisions. An internal productivity agent: low consequence, few external rules, so basic logging and scope limits, kept light so it stays useful. The depth of every control follows from the profile, which is why the comparison has to happen before the controls are chosen, not after.
| Profile | Primary rules | Control depth |
|---|---|---|
| Finance agent | DORA, ISO/IEC 42001 | Dual approval, audit trails, incident reporting |
| Healthcare agent | HIPAA, ISO/IEC 42001 | Access controls, audit logging, clinical oversight |
| Internal productivity agent | Internal policy | Basic logging, scope limits, kept light |
The Pattern Intelligence Layer is where the profile-specific controls are set and enforced, so a finance agent and an internal tool can run under the same program with the control depth each one's risk justifies. Approval depth, audit detail and reporting are configured at the pattern level per profile, which is what lets one organization govern many kinds of agent without a one-size template that fits none of them. Reliability at the pattern level is matched to the risk, not assumed uniform across it.
Frequently asked questions
Why not standardize governance across all our agents?
Because a finance agent and an internal note-taker carry different consequences and rules. One template is too heavy for the light case and too thin for the regulated one.
What sets the control depth?
Two things: the consequence of a wrong action and the rules that apply. DORA and HIPAA raise the bar; an internal tool stays light by design.
Does every agent need heavy governance?
No. Every agent needs governance matched to its stakes. Over-governing a low-risk tool destroys its value as surely as under-governing a regulated one creates risk.

