Governance and agility are not a trade if you gate by consequence

The fear is that governance slows the agility agents promise. The teams that ship fast and stay safe resolve it the same way: heavy controls where the consequence is high, light controls where it is low.

B

Balagei G Nagarajan

4 MIN READ


A gauge balancing agility and governance, calibrated by the consequence of each action
On a reversible, low-stakes action that error costs almost nothing and a light touch is right.
— from “Governance and agility are not a trade if you gate by consequence”

Key facts.

  • ISO/IEC 42001:2023 frames AI governance as risk-based and proportionate, controls scaled to the risk of the use, rather than uniform overhead on every action. source
  • DORA (EU Regulation 2022/2554) applies proportionality, calibrating ICT resilience requirements to the entity's size and risk profile rather than imposing one heavy standard everywhere. source
  • On WebArena (arXiv:2307.13854), the best evaluated agent reached about 14.4% end-to-end task success versus roughly 78.2% for humans, so high-consequence actions need gates regardless of model capability. source

Why do people think governance kills agility?

Because they have usually seen governance applied uniformly, where every action, trivial or consequential, passes through the same review and that does kill agility while adding little safety. The trivial actions get slowed for no benefit, the team learns to resent the process and the consequential actions get no more scrutiny than the rest. The trade looks real because the implementation made it real. But it is an artifact of uniform controls, not a law. ISO/IEC 42001 and DORA both build in proportionality precisely to avoid it: controls are meant to scale to the risk of the use, heavy where the consequence is high, light where it is low.

A more capable model tempts teams to drop the gates in the name of speed, but capability is not reliability and the high-consequence gate is exactly the one you cannot afford to remove. WebArena measured the best evaluated agent at about 14% on realistic web tasks against a human 78%, which is the error rate a fast, broadly-acting agent brings to its work. On a reversible, low-stakes action that error costs almost nothing and a light touch is right. On an irreversible or high-stakes one it costs a great deal and the gate that catches it is worth every millisecond. Gating by consequence is how the teams that ship quickly also stay safe: they spend their governance where the downside is and they spend almost none of it where it is not.

Gauge diagram mapping action consequence to the weight of governance applied, from light to heavy

How do you gate by consequence in practice?

Classify actions by consequence and reversibility, then assign controls to match. Reversible, low-impact actions run autonomously with logging. Higher-impact or irreversible ones get an approval gate. The genuinely high-stakes ones get an approval plus a second reviewer or a hard policy check. The agent moves fast across the large volume of low-consequence work and slows only at the small number of points where slowing down is the whole value. That is governance that adds safety without spending agility on actions that never needed it.

Action consequenceGovernance weightEffect on agility
Low, reversibleLog onlyFull speed
ModerateApproval gateMinor friction
High / irreversibleApproval + checkFriction where it pays

Priced uniformly governance looks like a tax; priced by consequence it is not and a more capable model still misses, WebArena's best at 14%, so the cost lands either way. (arXiv:2307.13854)

The Pattern Intelligence Layer is where governance gets calibrated to consequence. Each action's stakes and reversibility are tracked at the pattern level, so controls land heavy on the consequential actions and light on the rest and the agent stays fast without going ungoverned. Reliability at the pattern level is what dissolves the false trade between governance and agility.

Frequently asked questions

Doesn't more governance always mean less speed?
Only under uniform controls. Gate by consequence and the agent runs fast on low-stakes work while the heavy controls land only on the actions that warrant them.

Can a capable enough model let us drop the gates?
No. WebArena shows the best evaluated agents fail most real tasks, so high-consequence actions still need gates. Capability is not reliability.

How do I decide what gets a gate?
By consequence and reversibility. Reversible low-impact actions log and run; irreversible or high-stakes ones get approval and a check. Spend governance where the downside is.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.