Obligations specific to AI systems that take autonomous multi-step actions (browse, transact, plan, recurse). Distinct from foundation_models (capability) and catastrophic_risk (outcome) — this is the action-surface frame. Surfaces in EU AI Office GPAI Code drafts, UK AISI agent evaluations, Seoul Frontier AI Safety Commitments §3, NIST AI 600-1.
Definition & scope
The cross-jurisdiction picture below shows how each of 45 tracked instruments treats this topic. The patterns vary substantially — and 27 regimes are silent, leaving gaps that future policy work could address.
Regulatory approaches: the mechanisms behind the coverage
No instrument in the coverage matrix regulates "agentic AI" as a named category; instead, agentic behaviour is reached indirectly through obligations attached to autonomy, tool use, and downstream action. The EU AI Act's primary mechanism is a design-and-operation duty: high-risk systems must be built so that natural persons can monitor them and "intervene…or interrupt the system through a 'stop' button," with measures "commensurate with the risks, level of autonomy and context of use" (EU AI Act Art. 14(3)–(4)). Whether such human oversight can deliver its intended protective effect over autonomous systems is itself contested 1. For general-purpose models, the EU AI Office's 2025 GPAI Guidelines treat a model's autonomy and agentic use as factors bearing on a systemic-risk designation, which triggers risk-management and adversarial-testing duties (EU AI Office, GPAI Guidelines and Code of Practice, August 2025) (Regulation (EU) 2024/1689, Art. 51(1)(b), Annex XIII(e)). Other instruments work through softer modalities. The G7 Hiroshima Process International Code of Conduct (adopted 30 October 2023) sets eleven voluntary actions — risk identification across the lifecycle, red-teaming, incident reporting — now monitored via an OECD reporting framework (OECD, February 2025). The Seoul Frontier AI Safety Commitments (May 2024) bind sixteen firms to define "intolerable risk" thresholds, including for model autonomy and evasion of human oversight, and to pause deployment if mitigations fail. NIST's contribution is procedural taxonomy rather than rule: NIST AI 100-2 (March 2025 update) names AI agents as an adversarial-ML threat surface (prompt injection, memory poisoning, tool-supply-chain attacks) (NIST AI 100-2e2025). Frontier developers' own scaling policies make autonomy an explicit governed threshold: OpenAI's Preparedness Framework (2023) named Model Autonomy as one of four tracked risk categories, Google DeepMind's Frontier Safety Framework counts Autonomy among its four Critical Capability Level domains, and Anthropic's Responsible Scaling Policy ties ASL thresholds to autonomous-replication and agentic-capability evaluations. Beyond its adversarial-ML taxonomy, NIST's Generative AI Profile (NIST AI 600-1) reaches agentic deployments through a Value Chain and Component Integration risk category covering tool-use and integrated components.
Key fault lines: where the governance debate genuinely diverges
The deepest contested question is the liability gap. Because AI agents lack legal personhood and are treated as property, it is unsettled who bears responsibility when an agent acts harmfully or binds a principal — developer, deployer, or no one. Gabison and Xian (2025) model this through principal-agent theory, finding that information asymmetry and attribution failures mean LLM agents cannot satisfy the criteria of an ordinary (human) agent — an agency gap in principal-agent terms 2. A parallel strand applies agency law and theory directly to characterise these problems and to propose governance infrastructure built on inclusivity, visibility, and liability 3. Multi-agent delegation sharpens the problem: liability frameworks built for single agents do not allocate fault when one agent subcontracts to others built by different firms (Berkeley Technology Law Journal, 2026), and multi-agent systems introduce failure modes — miscoordination, conflict, and collusion — distinct from single-agent AI 4. A competing line argues existing instruments suffice — the Uniform Electronic Transactions Act's "electronic agent" rule already attributes machine-formed contracts to the deploying human, sidestepping personhood. A second fault line is whether "human oversight" is even workable at agentic speed and scale. Critics warn that overseers given tasks they cannot realistically perform become "liability sponges," absorbing blame without genuine agency — a rule-of-law concern (Fink, 2025, on Art. 14). A third divergence is definitional and jurisdictional: the EU declines to make agents a distinct category, folding them into existing AI-system and GPAI duties, while NIST and AI Safety Institutes pursue agent-specific evaluation standards — reflecting unresolved disagreement over whether agentic action is a new regulatory object or an old one in new clothing.
Trajectory: recent and pending developments
Agentic governance is moving from declaratory commitments toward operational testing and standard-setting, but remains overwhelmingly voluntary. The institutional centre of gravity in 2025–26 has been the AI Safety/Security Institutes. The UK AI Security Institute published its first Frontier AI Trends Report (December 2025, covering >30 systems), documenting that agents complete hour-long software tasks more than 40% of the time, and released an Autonomous Systems Evaluation Standard plus the open-source Inspect harness for agentic evaluations 5. Such evaluation regimes are increasingly grounded in standardized harm benchmarks measuring whether agents resist or comply with harmful multi-step tool-use tasks 6. A multilateral joint testing exercise on agentic safety — splitting sensitive-information leakage and fraud (Singapore) from cybersecurity (UK) — signals coordination on shared evaluation methods rather than shared binding rules. On the standards track, NIST's Center for AI Standards and Innovation launched an AI Agent Standards Initiative on 17 February 2026, pointing toward least-privilege, task-scoped permissions, and action-level approvals for high-impact agent decisions; complementary research proposes authenticated, authorized, and auditable delegation by extending OAuth 2.0/OpenID Connect to maintain accountability chains for agent actions 7. Proposals for agent identifiers and activity logs further aim to give governance actors visibility into where, why, how, and by whom agents are used 8. Binding obligations advanced chiefly via the EU: GPAI provider duties took effect 2 August 2025, with the systemic-risk pathway capturing agentic capability (Regulation (EU) 2024/1689). By contrast, several US legislative vehicles in the matrix stalled — a state Frontier AI Models Act was vetoed and remains silent on agentic action — underscoring that, as of mid-2026, the binding edge of agentic governance sits in the EU while most other instruments operate through disclosure, evaluation, and voluntary thresholds (composite Policy Window assessment of the cited instruments).
Coverage across jurisdictions
Historical primacy & cross-jurisdiction tension
First addressed by NIST AI Risk Management Framework on (implicit). Subsequent regimes have either codified, diverged from, or remained silent on this baseline.
- Forum-shoppingSeoul Declaration on Safe, Innovative and Inclusive AI↔Executive Order 14110 on Safe, Secure, Trustworthy AI
- Forum-shoppingNIST AI RMF Generative AI Profile↔Executive Order 14179 — Removing Barriers to American Leadership in AI
- Forum-shoppingAnthropic Responsible Scaling Policy (RSP) v2↔UK Pro-Innovation Approach to AI Regulation (White Paper)
Compare jurisdictions: EU vs US · EU vs UK · EU vs CN
Enforcement & impact
Silent regimes — gap signal
Instruments that do not address Agentic AI Governance — candidates for future policy work.
- Executive Order 14110 on Safe, Secure, Trustworthy AIUS
- Executive Order 14179 — Removing Barriers to American Leadership in AIUS
- UK Pro-Innovation Approach to AI Regulation (White Paper)UK
- OECD AI Principles (Recommendation)OECD
- UN GA Resolution on Safe, Secure, Trustworthy AIUN
- California SB-1047: Safe and Secure Innovation for Frontier AI Models ActUS
- India Digital Personal Data Protection Act + AI Advisory (MEITY)IN
- ASEAN Guide on AI Governance and EthicsASEAN
- African Union Continental AI StrategyAfrican_Union
- White House Voluntary AI CommitmentsUS
- Singapore Model AI Governance Framework for Generative AISG
- Japan METI AI Guidelines for BusinessJP
- General Data Protection Regulation (GDPR)EU
- EU General-Purpose AI Code of PracticeEU
- OMB Memorandum M-24-10 (Advancing Governance, Innovation, and Risk Management for Agency Use of AI)US
- GSA Generative AI and Specialized Computing Infrastructure Acquisition Resource GuideUS
- DoD Responsible AI Strategy and Implementation PathwayUS
- FedRAMP AI Cloud Procurement GuidanceUS
- DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)US
- California SB 243: Companion ChatbotsUS
- California SB 942: AI Transparency ActUS
- UNESCO Recommendation on the Ethics of Artificial IntelligenceUNESCO
- Provisions on the Administration of Deep Synthesis of Internet Information ServicesCN
- TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act)US
- Italy Law No. 132/2025 on Artificial Intelligence (Legge 23 settembre 2025, n. 132)IT
- Japan AI Promotion Act (Act on the Promotion of Research, Development and Utilization of AI-Related Technologies)JP
- UN Global Digital CompactUN
See also
Further reading
11 academic & grey-literature sources bearing on this topic — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Governing AI Agents Preprint✦ AIUses "agency law and theory to identify and characterize problems arising from AI agents" and proposes governance infrastructure built on inclusivity, visibility, and liability.
- Infrastructure for AI Agents Peer-reviewed✦ AIProposes "agent infrastructure": external technical systems for attributing actions "to specific agents, their users, or other actors," shaping interactions, and remediating harms.
- Multi-Agent Risks from Advanced AI Research institute✦ AIIdentifies three failure modes of advanced multi-agent systems — "miscoordination, conflict, and collusion" — plus seven risk factors, posing challenges distinct from single-agent AI.
- Authenticated Delegation and Authorized AI Agents Preprint✦ AIIntroduces a framework for authenticated, authorized, and auditable delegation to AI agents by extending OAuth 2.0/OpenID Connect, maintaining accountability chains for agent actions.
- AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents Peer-reviewed✦ AIProvides a 440-task benchmark across 11 harm categories measuring whether LLM agents resist or comply with harmful multi-step tool-use tasks, grounding safety-evaluation regimes for agents.
- Better together? Human oversight as means to achieve fairness in the European AI Act governance Peer-reviewed✦ AIExamines whether Article-14 human oversight of high-risk/autonomous AI can actually deliver fairness, probing the limits of human-in-the-loop as a governance mechanism.
- Visibility into AI Agents Peer-reviewed✦ AIProposes agent identifiers, real-time monitoring and activity logs to give governance actors visibility — "where, why, how, and by whom certain AI agents are used."
- IDs for AI Systems Preprint✦ AIProposes ascribing IDs to instances of AI systems so users can verify safety certifications, investigate incidents, and enable oversight of agentic deployments.
- Secret Collusion among AI Agents: Multi-Agent Deception via Steganography Preprint✦ AIShows LLM agents can use steganography to communicate covertly, exposing a monitoring/oversight gap for governing multi-agent systems and motivating ongoing mitigation.
- A Safe Harbor for AI Evaluation and Red Teaming Preprint✦ AIProposes legal and technical safe-harbor protections so independent researchers can conduct good-faith safety evaluation and red-teaming of AI agents/systems without ToS reprisal.
- Chain-of-Thought Monitoring PreprintKorbak, T., Balesni, M., Barnes, E., Bengio, Y., et al. (2025), 'Chain of Thought Monitorability: A New and Fragile Opportunity for AI Safety.' arXiv:2507.11473.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Ana Maria Corrêa, Sara Garsia, Abdullah Elbi (2025) Better together? Human oversight as means to achieve fairness in the European AI Act governance, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2025.10010 — Examines whether Article-14 human oversight of high-risk/autonomous AI can actually deliver fairness, probing the limits of human-in-the-loop as a governance mechanism. ↩
- arXiv:2504.03255 ↩
- Noam Kolt (2025) Governing AI Agents, Notre Dame Law Review (forthcoming). arXiv:2501.07913 — Uses "agency law and theory to identify and characterize problems arising from AI agents" and proposes governance infrastructure built on inclusivity, visibility, and liability. ↩
- Lewis Hammond, Alan Chan, Jesse Clifton, et al. (Cooperative AI Foundation) (2025) Multi-Agent Risks from Advanced AI, Cooperative AI Foundation. arXiv:2502.14143 — Identifies three failure modes of advanced multi-agent systems — "miscoordination, conflict, and collusion" — plus seven risk factors, posing challenges distinct from single-agent AI. ↩
- Maksym Andriushchenko, Alexandra Souly, Mateusz Dziemian, Derek Duenas, Maxwell Lin, Justin Wang, Dan Hendrycks, Andy Zou, Zico Kolter, Matt Fredrikson, Eric Winsor, Jerome Wynne, Yarin Gal, Xander Davies (UK AISI / Gray Swan) (2025) AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents, ICLR 2025. source — Provides a 440-task benchmark across 11 harm categories measuring whether LLM agents resist or comply with harmful multi-step tool-use tasks, grounding safety-evaluation regimes for agents. ↩
- Maksym Andriushchenko, Alexandra Souly, Mateusz Dziemian, Derek Duenas, Maxwell Lin, Justin Wang, Dan Hendrycks, Andy Zou, Zico Kolter, Matt Fredrikson, Eric Winsor, Jerome Wynne, Yarin Gal, Xander Davies (UK AISI / Gray Swan) (2025) AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents, ICLR 2025. arXiv:2410.09024 — Provides a 440-task benchmark across 11 harm categories measuring whether LLM agents resist or comply with harmful multi-step tool-use tasks, grounding safety-evaluation regimes for agents. ↩
- Tobin South, Samuele Marro, Thomas Hardjono, Robert Mahari, Cedric Deslandes Whitney, Dazza Greenwood, Alan Chan, Alex Pentland (2025) Authenticated Delegation and Authorized AI Agents, arXiv (cs.CY; MIT). arXiv:2501.09674 — Introduces a framework for authenticated, authorized, and auditable delegation to AI agents by extending OAuth 2.0/OpenID Connect, maintaining accountability chains for agent actions. ↩
- Alan Chan, Carson Ezell, Max Kaufmann, Kevin Wei, Lewis Hammond, Herbie Bradley, Emma Bluemke, Nitarshan Rajkumar, David Krueger, Noam Kolt, Lennart Heim, Markus Anderljung (2024) Visibility into AI Agents, ACM FAccT. 10.1145/3630106.3658948 — Proposes agent identifiers, real-time monitoring and activity logs to give governance actors visibility — "where, why, how, and by whom certain AI agents are used." ↩
- EU-AIA-2024: Arts. 26-29 deployer obligations apply to agent operators; Arts. 51-55 GPAI obligations capture the underlying model
- CN-GENAI-2023: Arts. 4, 8 (service-provision scope) — agent-like generative services fall within registration + safety-assessment obligations
- G7-HIROSHIMA: Code §1 'advanced AI systems' + §3 risk-identification cover agentic behaviour through capability frame
- COE-AI-CONV: General-AI scope (Art. 3) covers agent systems; no agent-specific provision
- NIST-AI-RMF: Map / Manage functions apply to autonomous systems; no agent-specific profile yet
- BLETCHLEY-2023: Frontier-AI risk frame includes autonomous-action risks; no specific obligation
- SEOUL-2024: Frontier AI Safety Commitments §3 — pre-deployment capability evaluations include agentic behaviours under 'realistic deployment conditions'
- NIST-AI-RMF-GENAI: NIST AI 600-1 names Value Chain + Component Integration as risk category covering agentic / tool-use deployments
- BR-AIBILL-2024: Risk-based framework (PL 2338 Arts. 13-15) covers agent systems under high-risk tiers if applicable
- ANTHROPIC-RSP-2024: RSP v2 — ASL thresholds include 'autonomous AI replication' + agentic capability evaluations
- OPENAI-PREPAREDNESS-2023: Preparedness Framework — Model Autonomy is one of four named risk categories
- DEEPMIND-FSF-2024: FSF Critical Capability Levels — Autonomy is one of four named CCL domains
- META-FRONTIER-2024: Capability tiers cover agentic behaviour; not named as a distinct category
- UK-US-AISI-MOU-2024: Joint AISI capability evaluations include agentic-behaviour testing
- CA-SB-53: Bus. & Prof. Code § 22757.11 catastrophic-risk prongs cover a model acting 'without meaningful human oversight' or 'evading the control of its developer or user' (§ 22757.13 incident reporting); reached only via the catastrophic-risk lens, not a dedicated agentic-autonomy regime
- EU-PLD-2024: Art. 7(2)(c) — defectiveness accounts for a product's ability to continue to learn or acquire new features after market placement; Art. 11(2) — post-placement software-update liability within the manufacturer's control
- EU-PWD-2024: Directive (EU) 2024/2831, Articles 9-11
- NY-RAISE-2025: N.Y. Gen. Bus. Law § 1420(7) critical harm includes model conduct 'with no meaningful human intervention'; § 1420(13) 'safety incident' includes autonomous model behaviour + control failures — autonomy reached via the catastrophic-risk/incident lens, not a dedicated agentic regime
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/agentic-systems-governance — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
18 instruments tracked.
Does governance work? — the social-science evidence
What the peer-reviewed social science shows: whether the harm this topic addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
The capability that agentic governance targets — autonomous multi-step action — is real and rapidly, measurably advancing: METR finds the task length AI agents complete at 50% reliability has doubled roughly every seven months for the past six years (about 50 minutes for frontier 2025 models), and the UK AI Security Institute's first Frontier AI Trends Report (Dec 2025, >30 systems) reports models now finish hour-long software tasks >40% of the time versus <5% in late 2023. The distinct realized HARM from agency (as opposed to the underlying model) is, however, thinly documented: on consequential real-world tasks agents still fail the majority — Gemini 2.5 Pro completed only 30.3% of TheAgentCompany's 175 professional tasks (OpenHands scaffold, project leaderboard) — so the agency-specific harm magnitude is early and context-dependent rather than established at scale.
Sources: Kwa, West, Becker et al. 2025 (METR; arXiv:2503.14499, 'Measuring AI Ability to Complete Long Tasks'); UK AI Security Institute 2025 (Frontier AI Trends Report, Dec 2025); Xu, Song, Zhou et al. 2024 (TheAgentCompany, arXiv:2412.14161); 30.3% figure per TheAgentCompany leaderboard (OpenHands)
There is no impact-evaluation evidence that agent-specific governance reduces agentic harm: the operative regimes — the EU GPAI Code of Practice (published July 2025, voluntary/non-binding), the Seoul Frontier AI Safety Commitments (2024, voluntary), and AISI agent evaluations — are 2024-25 vintage and have never been measured against an outcome. The scholarship itself has not settled the contested unit of regulation: Kolt (2025) argues for governing the agentic relationship via principal-agent and agency-law tools, while Chan, Ezell, Kaufmann et al. (2024) propose agent-specific visibility mechanisms (identifiers, real-time monitoring, activity logging) that remain proposal-stage and unevaluated — meaning the field has design proposals but, as with most frontier-AI rules, the evidence that any of them works is absent rather than merely thin.
Sources: Kolt 2025 ('Governing AI Agents', 101 Notre Dame L. Rev., forthcoming; arXiv:2501.07913); Chan, Ezell, Kaufmann et al. 2024 ('Visibility into AI Agents', ACM FAccT 2024, pp. 958-973; DOI 10.1145/3630106.3658948); EU AI Office 2025 (GPAI Code of Practice, July 2025); Seoul Frontier AI Safety Commitments 2024