Most organizations running agents have no real governance for them yet

The gap is not awareness. Plenty of teams know they should govern their agents. The gap is maturity: comprehensive, enforced governance is still the exception, and that gap is the strongest predictor of which programs stall.

B

Balagei G Nagarajan

4 MIN READ


A gauge showing governance maturity low for most organizations, with a small high-maturity zone marked as ready

Key facts.

  • The CSA and Google Cloud State of AI Security and Governance survey reports governance maturity as the strongest predictor of AI readiness, with only about 26% of organizations holding comprehensive AI security governance (300 respondents, reported). source
  • ISO/IEC 42001:2023 establishes the requirements for an AI management system, giving organizations a concrete standard to build governance maturity against. source
  • The NIST AI Risk Management Framework defines Govern, Map, Measure, and Manage functions, the operational backbone of mature AI governance. source
  • Only a quarter of firms report comprehensive AI security governance, which CSA found the strongest readiness predictor; you do not outrun that with a better model, an ungoverned agent is a larger exposure. (source)
Assigning ownership, so every agent has an accountable person rather than a diffuse responsibility.
— from "Most organizations running agents have no real governance for them yet"

Why is maturity, not awareness, the gap?

Because awareness is cheap and maturity is work. Most teams know agents need governance; what they lack is governance that is comprehensive and enforced rather than aspirational. The CSA survey draws the line clearly: a minority of organizations have comprehensive governance and that minority is the one most ready to adopt and scale. The difference between the two groups is not whether they value governance, it is whether they have done the organizational work of assigning ownership, defining boundaries, instrumenting measurement and setting a review cadence. That work does not happen by recognizing its importance. It happens by building it, which is why the gap persists even among teams that fully understand it should not.

A more capable model does not close the maturity gap, it raises the cost of having it open. An agent that acts more autonomously and reaches further is a larger exposure when the governance around it is immature, because there is more it can do and less watching it. The reason standards like ISO/IEC 42001 and the NIST framework matter here is that they turn maturity from a vague aspiration into a buildable target: 42001 specifies what an AI management system contains and the NIST functions name what governing and measuring actually require. An organization closing the gap is one moving from knowing it needs these to having them operational, which is the capability that compounds as the agent program grows.

Gauge from ad hoc to comprehensive governance, with most organizations clustered low and a readiness threshold marked

What does closing the maturity gap involve?

Assigning ownership, so every agent has an accountable person rather than a diffuse responsibility. Defining boundaries, so what the agent may do autonomously is decided and enforced. Instrumenting measurement, so whether the agent is working is visible, not assumed. And setting a review cadence, so the controls stay current as the program grows. ISO/IEC 42001 and the NIST framework give the structure for each, which is why mature programs tend to build against them rather than inventing governance from scratch. The organizations that have done this are the ones the CSA survey identifies as ready; the rest are aware but exposed. The move that matters is operationalizing what you already know you need.

DimensionAware but immatureMature governance
OwnershipDiffuseNamed and accountable
BoundariesImpliedDefined and enforced
MeasurementAssumed workingInstrumented
ReviewNone or ad hocOn a cadence

The Pattern Intelligence Layer is where governance maturity becomes operational rather than aspirational. Ownership, boundaries and whether agents are working are tracked at the pattern level, so the comprehensive governance the standards describe has a place to actually live. Reliability at the pattern level is what turns knowing you need mature governance into having it.

Frequently asked questions

Is the governance gap really about maturity, not tools?
Yes. The CSA survey ties readiness to governance maturity, an organizational capability of ownership, boundaries, measurement and review, not to which tool is purchased.

Why does an immature program get riskier with a better model?
Because a more autonomous agent does more and reaches further. Without mature governance watching it, that capability is exposure, not safety.

Where do I start building maturity?
Against a standard. ISO/IEC 42001 specifies an AI management system and the NIST framework names the Govern, Map, Measure, and Manage functions to build toward.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.