Whitepaper
Why seeing your AI agents isn't the same as governing them, and what senior leaders should be asking before they trust the answer.
"If there is a consolidated best practice in AI agents, it is the establishment of governance at the very early stages of the initiative — a proactive posture from top management, not an afterthought."
Massimo Pezzini
Workato Head of Research, former Gartner VP Distinguished Analyst
Get the whitepaper
What's inside
The Control Tower vs Control Plane framework
A clear distinction between watching what your AI agents do and being able to prove who authorised it.
The questions senior leaders should be asking
A working set of questions to bring to your next vendor conversation or governance review.
The real cost-efficiency argument
Why most AI cost claims are overstated, and what the orchestration layer actually changes about the shape of the cost curve.
What audit-ready evidence actually looks like
The difference between a log entry and proof of authorisation, and why most "visibility" tools only give you the former.
Get the framework senior leaders are using to ask the right questions before their AI agents act.
Download now
Massimo Pezzini
Workato Head of Research, former Gartner VP Distinguished Analyst
“Undoubtedly, AI agents represent a massive phenomenon, impacting organisations of any size, in any geography and operating in any industry.
AI agents became popular in late 2024/early 2025 and a lot of experimentations, pilot projects, and proof of concepts have been going on ever since. However, in late 2025/early 2026 organizations’ top management started to ask CIOs and AI leaders to hurry away from that “pioneeristic” mindset to focus on delivering demonstrable business outcomes, or, as the popular mantra says “move from PoC to Production”.
Then CIOs and AI leaders attention shifted from the exciting challenge of learning a new shiny technology tool, towards focusing on more operational issues: how to deploy large fleets of AI agents across the organisation, how to make sure security and compliance policies are enforced, how to monitor AI agents execution, how to keep operation costs under control and several others. These challenges are usually referred to as “AI governance”, that is, establishing the technology-enabled rules, practices and processes needed to direct and control the myriad of AI initiatives in place in the organization.
Although definitely not a best practice, in many IT disciplines (for example, API management, application integration or even business applications) implementing governance has often been an afterthought. When the number of deployed assets (APIs, integration flows or applications) is small (say, 10 to 20) organizations don’t see the need for establishing formal governance processes and procedures as they feel they can deal with monitoring, securing and managing the life cycle of these assets in an informal, “spreadsheet-driven” fashion. It’s only when the number of assets grows to the point that this informal approach proves unsustainable (say between 50 and 100) that organizations set in motion formal governance.
This procrastinating approach proved time and again to be an absolute “don’t” in AI agents. Given their autonomous or semi-autonomous nature, the risks of AI agents going rogue and inadvertently leaking sensitive data or breaking compliance or security rules is too high, even for organisations that have deployed only a small number of AI agents. These, in any case, tend towards AI agents proliferating quite quickly (the “AI agent sprawl” phenomenon). This is because of the growing availability of pre-packaged AI agents released by SaaS application vendors and the emergence of “no code agent builder” (NCAB) tools that business teams can leverage to build AI agents by themselves, without support from the IT organisation. AI agent sprawl is very dangerous as it can dramatically increase and inextricably compound risks. When AI agent sprawl kicks in, establishing AI agent governance becomes organisationally very difficult, technically quite costly and requires considerable political capital investments on the part of top management.
Therefore, if there is a consolidated best practice in AI agents it is the establishment of governance at the very early stages of the initiative, which implies a top management, proactive posture.
Goal of AI agent governance
Accountable, observable and auditable AI agents, constrained by processes, policies, security and compliance requirements.
Transform
What must it cover?
Organisation
Who has to own it?
Technology
What does it run on?
This is a quite extensive and complex set of capabilities. Therefore, it’s generally not advisable for organisations to implement such comprehensive AI Agent governance on day one. That would be expensive and risky as they have to climb a steep learning curve to master governance. An incremental, pragmatic approach is preferable to keep costs under control and to securely and comfortably climb the learning curve. However, moving forward through this approach requires top management leadership to avoid the risk of watering down AI developers’ and users’ commitment and ending up with just mediocre, “bare minimal” and unsatisfactory AI agent governance.
The end-game for the organization is to have their end-to-end AI governance organisational and technology platform fully deployed and completely operational in a reasonable timeframe synchronised with the progression of their AI Agent initiative.
This white paper highlights the risks of partial and incomplete implementation of the necessary capabilities for strong Agentic governance, and the questions senior leaders should be asking. Focusing on only some of them may be easier to justify and deliver, however there is a fallacy in neglecting others that are less visible but as critical for the business success of strategic AI agent initiatives.”