
Key facts.
- DORA (EU Regulation 2022/2554) requires financial entities to stand up continuous ICT risk management and oversight as a prerequisite, treating resilience as something established before scale rather than retrofitted after a failure. source
- MIT NANDA's "State of AI in Business 2025" found only about 5% of GenAI pilots reached measurable financial impact, with integration and discipline, not raw capability, separating the winners (reported). source
- In Moffatt v Air Canada (2024 BCCRT 149), a tribunal held the company liable for its chatbot's wrong answer, so accountability for an agent lands on the organization whether or not it was assigned in advance, which is the case for settling ownership before scale. source
Why is governance-first cheaper than governance-after?
Reactive governance fires only after the incident, when cost has landed; a stronger model does not buy you out, since MIT NANDA found only 5% of pilots reach impact. (source)
Because controls added before scale shape the agent while it is small and controls added after scale fight an agent that has already spread. Establish ownership, boundaries, approval gates and monitoring during the pilot and they become part of how the agent is built and deployed. Wait until after an incident and you are retrofitting controls onto a system already running in production, already integrated, already trusted by users who will resist the friction and you are doing it under the pressure of the failure that prompted it. DORA frames this for regulated entities by requiring resilience and risk management to be established up front, because inadequate is usually a synonym for late: the controls that would have helped were never built before the agent scaled.
A more capable model does not change the sequencing, because the constraint is organizational readiness, not model performance. Moffatt v Air Canada shows why ownership has to come first: liability for the agent landed on the organization regardless, so deciding who is accountable before scaling is the only way to face that responsibility deliberately, precisely because governance is hard to bolt on. MIT NANDA's finding that only about 5% of pilots reached measurable impact points the same way: the projects that succeeded had integration and discipline from the start, not capability they hoped would carry them. The teams whose agents scale are the ones who decided who owns the agent, what it may do, where the gates are and how it is watched, before they turned the dial up.

What governance has to exist before you scale?
A named owner accountable for the agent's behavior. Documented boundaries on what it does and does not do autonomously. Approval gates on consequential actions. Monitoring that watches behavior, not just uptime. And a review cadence that revisits all of it as the agent grows. None of this requires the agent to be finished; it requires the decisions to be made before scale multiplies the cost of having skipped them.
| Governance-first | Incident-first |
|---|---|
| Controls shape a small agent | Controls retrofitted onto a spread one |
| Built before users depend on it | Added against user resistance |
| Cost stays flat | Cost spikes after the failure |
| Scales on a foundation | Scales then scrambles |
The Pattern Intelligence Layer is where governance gets built before scale. Ownership, boundaries, gates and monitoring are defined at the pattern level during the pilot, so the agent scales on a foundation rather than acquiring controls after an incident demands them. Reliability at the pattern level is what makes governance-first the cheap path it should be.
Frequently asked questions
Doesn't governance slow the pilot down?
Pilot-stage governance is light: an owner, boundaries, gates, monitoring. It is far cheaper than retrofitting controls onto a scaled agent after an incident forces it.
Why not add controls once we know the agent works?
Because by then it is integrated and trusted and adding friction meets resistance. DORA requires resilience up front for this reason: governance is hard to bolt on after scale.
What's the minimum governance before scaling?
A named owner, documented autonomy boundaries, approval gates on consequential actions, behavioral monitoring and a review cadence. Decisions, not a finished product.

