There's a New Term in AI Governance. It's Called Agent-First AI Governance

Saidot named something real. Most enterprises built governance programs for humans clicking through UIs. Their agents don't wait for review cycles. Here's the complete operational picture of what governance looks like when it's built for the systems actually running.

Updated on May 15, 2026

Somewhere in a Fortune 500 company last week, an AI agent woke up at 6:47am and got to work. By 9am it had processed 340 vendor payment approvals, routed 89 customer escalations, and updated 412 records across three production systems. It operated under a service account with permissions scoped two product cycles ago. The governance program covering it was built around a risk assessment form that a human fills out before deployment. That form had been completed. The agent was technically approved. Nobody had defined what it was authorized to approve autonomously and at what dollar threshold, what the escalation path was when it hit an edge case, or who was named as accountable for the decisions it made while the rest of the organization was still asleep.

At 8:23am it approved a vendor payment of $340,000 that matched a spoofed invoice pattern that had been flagged in a threat intelligence feed the previous afternoon. The monitoring dashboard showed green. The governance documentation was complete. The accountability structure for that specific class of agent decision had never been designed — because the governance program was built for humans making decisions, and humans don't work at 6:47am on Tuesday processing payment queues.

Mikko Kämäräinen, AI Governance Architect at Saidot, published a piece this week that gave this problem a name: agent-first AI governance. It's the right term at the right moment — and it opens a door worth walking through completely.

What Saidot Named

Kämäräinen's argument is precise: most enterprises have governance programs designed around humans navigating user interfaces — filling forms, clicking approvals, reviewing documentation. Saidot CEO Meeri Haataja put the shift plainly: "Beautiful UI, easy navigation, none of that matters anymore, because optimisation won't be for humans but for agents." That observation applies to governance with the same force it applies to consumer software. When the person doing the governance work starts working through an agent, the UI stops being the primary interface. What matters is the data layer underneath — and whether it was built for agents to work with directly.

"Beautiful UI, easy navigation, none of that matters anymore, because optimisation won't be for humans but for agents."

Meeri Haataja, CEO, Saidot (Helsingin Sanomat, 2026)

Kämäräinen makes three specific architectural arguments for what agent-first governance requires at the data layer. First, governance data needs to be structured as a knowledge graph — systems connect to risks, risks connect to controls, controls connect to regulations, and an agent traversing that graph can answer questions that a folder of documents never could. Second, agents need curated authoritative sources — validated risk libraries and regulatory requirement catalogues — rather than relying on generated plausibility. Third, MCP-based integration means the agent becomes the integration layer itself, replacing brittle point-to-point connections with a queryable interface across governance systems.

These arguments are correct and important. But they're also the starting point for a conversation that governance teams need to complete. The data architecture tells you what the agent can access and reason over. The governance architecture tells you what the agent is authorized to do with what it finds, who owns the outcome, and what the audit trail captures when it acts. Both are required. The term Saidot coined opens the door to both; this piece walks through what's on the other side.

72% of organizations running or testing AI agents in production — Pillar Security, Apr 2026

78% of executives lack confidence they could pass an AI governance audit in 90 days — Grant Thornton 2026

5 specific operational gaps that remain even after the right platform is in place — GAIG analysis

Human-First vs Agent-First Governance

The most useful thing GAIG can add to Kämäräinen's definition is a diagnostic framework that tells enterprises which side of the line their current program sits on. This isn't a maturity model with five levels and a consulting engagement attached. It's a direct comparison across the specific governance functions that break when the system being governed operates at machine speed instead of human speed.

Governance Function: Risk Assessment
Human-First Program: Human fills a form before deployment. Assessment reflects what was planned, not what runs in production.
Agent-First Program: Agent continuously monitors deployed systems against risk thresholds. Assessment reflects current production state in real time.

Governance Function: Authorization Scope
Human-First Program: Documented at deployment. Never formally updated. Effective permissions drift silently as use cases expand.
Agent-First Program: Sanctioned purpose defined per agent workflow. Scope reviewed on a documented cadence. Drift surfaces as a named Pre-Failure Signal.

Governance Function: Decision Accountability
Human-First Program: Human initiates every action. Accountability is implicit — whoever clicked is responsible.
Agent-First Program: Named human owner assigned per class of agent decision before deployment. Accountability is explicit, documented, and auditable.

Governance Function: Audit Trail
Human-First Program: Captures system events — what the model produced. Human responses are undocumented.
Agent-First Program: Captures agent context at decision time, the decision itself, and the named human's documented response. Full chain, not just system logs.

Governance Function: Monitoring Response
Human-First Program: Alerts route to a shared inbox. Response depends on who happens to be watching. No SLA.
Agent-First Program: Signals route to named owners with documented SLAs. Missed SLAs trigger escalation. Response is accountable, not circumstantial.

Governance Function: Incident Response
Human-First Program: Playbook covers human error and system failure. No category for "agent did exactly what it was configured to do and the outcome was harmful."
Agent-First Program: Agent-specific incident architecture distinguishes malfunction from authorization design failure. EU AI Act Article 73 documentation built in.

Governance Function: Integration Architecture
Human-First Program: Point-to-point integrations between governance platform and other systems. Brittle, expensive, incomplete.
Agent-First Program: Agent as integration layer via MCP. Governance data queryable across systems in real time. No custom integration project required.

Governance Function: Regulatory Evidence
Human-First Program: Documentation of what was intended. Reconstructed after the fact if challenged.
Agent-First Program: Continuous evidence generation from actual system behavior. Audit trail is produced as governance runs, not assembled when auditors arrive.

Run that framework against your current program. The column your answers land in consistently is the column your program was built for. Most enterprises running serious agentic deployments in 2026 have answers scattered across both columns — specific functions where they've made the shift and others where the human-first architecture is still the foundation. The gaps between columns are where the Pre-Failure Signals accumulate before an incident forces the conversation.

The Diagnostic Test

Kämäräinen's test from Saidot's piece is the right starting question: could your governance specialists do their core work today through a conversation with an AI agent without opening a single dashboard? The governance extension of that test: when your agents made their first hundred decisions this morning, was there a named human accountable for each class of decision, an audit trail capturing what context the agent had, and a documented escalation path for decisions that exceeded the agent's authorization scope? If answering those questions requires a conversation to determine, the program was built for the previous era.

What Agent-First Governance Actually Requires

Building on Saidot's foundational architectural definition, here is how enterprises operationalize agent-first governance in practice. The knowledge graph gives agents something to reason over. The following three elements give the organization something to govern with.

Requirement 1

Sanctioned Purpose — The Authorization Document That Actually Governs

Every agent workflow in production needs a sanctioned purpose document before it goes live. This is not a risk assessment form and it's not a policy statement. It's a specific, operational document that defines three things: what classes of decisions the agent is authorized to make autonomously, what the dollar, data, or access thresholds are at which it must escalate to a named human, and who that named human is by title and name — not by team or function.

The reason this is the first requirement and not a later one is that everything else in agent-first governance depends on it. The monitoring alert routing depends on knowing who owns which class of decision. The audit trail depends on knowing what authorization scope the agent was operating under at the time of the decision. The incident response depends on knowing whether the agent acted within its sanctioned purpose or outside it. Without a sanctioned purpose document, the governance program has no foundation to build on at the agent layer — it has policies that describe what agents should do in general, which is documentation governance, not agent-first governance.

Real-World Failure

The 6:47am payment approval scenario in this article's opening is this failure. The agent had a completed risk assessment. It did not have a sanctioned purpose document defining autonomous approval authority at a specific dollar threshold. The governance program was complete according to its own standards — and structurally incapable of catching what happened.

Pre-Failure Signal: Ownership Ambiguity

This signal fires when no named owner appears in the model registry for a specific class of agent decisions. It's invisible until an incident makes it visible — which is the worst possible time to discover it. The governance check: for every agent workflow in production, can you name the specific human accountable for reviewing its decisions, right now, without a conversation to determine it?

Requirement 2

Agent Cards — The Governance Artifact Built for Machine-Speed Accountability

A model registry tracks what models exist. An agent card governs what a specific deployed agent is authorized to do, what context it has access to, who owns it, and what its current behavioral baseline looks like. These are different things — and the difference matters enormously when an agent is making hundreds of decisions per hour across production systems.

The agent card is the governance artifact that makes machine-speed accountability possible. It contains: the agent's sanctioned purpose, its authorized data access scope, its current credential chain with last-reviewed timestamp, the named human owner with their response SLA, the behavioral baseline against which drift is measured, and the incident escalation path for this specific agent. When a monitoring platform surfaces an anomaly, the agent card is what tells the platform who to route the alert to and what the SLA is for response. Without it, the alert routes to a shared inbox and accountability becomes circumstantial.

Real-World Failure

We documented the permission creep drift pattern in Your Agents Are Running and Nobody Owns What They Do. A new agent workflow needs database access. The service account already has filesystem permissions from a previous project. Nobody revokes the old scope. Six months later the agent has an effective permission set spanning three systems with no documented business justification for the aggregate. No single grant looks wrong. The full picture is a governance failure that only surfaces under audit — or after an incident. An agent card with a last-reviewed credential timestamp and a documented review cadence catches this before it compounds.

Pre-Failure Signal: Permission Creep Drift

The delta between an agent's documented authorization scope and its effective permission set across all systems it touches. When that delta is growing — when new access is being added faster than reviews are clearing it — the drift is accelerating. The agent card makes this delta visible and measurable rather than invisible until an auditor finds it.

Requirement 3

Machine-Speed Monitoring With Human-Speed Accountability Built In

This is where agent-first governance diverges most sharply from human-first governance — and where most programs that have the right platform still fail in practice. An agent that makes 340 payment approvals before 9am cannot be reviewed decision-by-decision. The monitoring architecture has to be designed for that reality from the start, not retrofitted after the agent is already in production.

Machine-speed monitoring with human-speed accountability means three specific things working together. First, behavioral baselines established per agent workflow before deployment — so drift from expected behavior is measurable from day one rather than defined retroactively after something goes wrong. Second, anomaly detection that routes to named owners defined in the agent card, with SLAs that reflect the actual risk profile of the decisions the agent is making — not a generic "review within five business days" policy written for human-paced systems. Third, audit trails that capture not just what the agent did but what context it had at the moment of the decision — what data it accessed, what reasoning it applied, what the state of the systems it touched was at decision time. That's the context layer that makes post-incident reconstruction possible and regulatory evidence defensible.

Real-World Failure

The Gartner finding we covered this week: 73% of organizations experienced outages linked to ignored or suppressed alerts. The monitoring platforms were doing their job. The alerts fired. The outages happened because nobody was organizationally required to act on them within a defined timeframe. An agent making consequential decisions at machine speed with monitoring built for human review cycles is that failure pattern at its most dangerous — the signals are there, the accountability structure to act on them isn't.

Pre-Failure Signal: Signal-to-Incident Collapse

The ratio of alerts fired to investigations opened. When that ratio drops — when alerts are being acknowledged or suppressed without producing governance actions — the monitoring program has effectively stopped generating governance outcomes even though the dashboard shows green. The agent card's named owner and documented SLA are what keep that ratio from collapsing.

What Having It Right Actually Looks Like

A financial services firm deploying an agent for vendor payment processing builds the governance architecture before the agent goes live. The sanctioned purpose document defines autonomous approval authority up to $50,000. Anything above that threshold requires a named approval from a specific person — the VP of Finance Operations — with a four-hour SLA documented in the agent card. The agent's credential chain is reviewed quarterly; the last review timestamp appears in the agent card and triggers an alert when it ages past 90 days. The behavioral baseline is established in the first two weeks of production with the monitoring platform capturing decision patterns, approval rates, and flag rates across vendor categories. When the agent flags an unusual invoice pattern — as it did three weeks after deployment — the alert routes directly to the named owner, who reviews the context captured at decision time, confirms the spoofing pattern, and escalates to the fraud team within the documented SLA. The audit trail shows what the agent knew, what it flagged, who reviewed it, when, and what they decided. That's a governed agent workflow. The governance program wasn't built around the agent — it was built for the decisions the agent makes.

The contrast with the opening scenario is the point. Same type of agent. Same class of decisions. The difference is entirely in whether the accountability architecture was designed for the agent's operational reality before deployment rather than assumed from a human-first governance program that was already in place.

Why This Term Matters Especially in May 2026

This week produced a convergence of market signals that makes agent-first governance the defining governance concept of the current moment — not a 2027 problem or a 2028 Gartner prediction.

Gartner published two predictions this week that both land on the same underlying gap. The 40% observability prediction measures tool adoption without measuring whether the accountability structure exists to make those tools produce governance outcomes. The 50% talent attrition prediction measures the workforce consequence of governance environments that make serious agentic work structurally difficult. Both predictions are symptoms of organizations running human-first governance programs over agent-first deployments. The Gartner analysts are seeing the consequences. Kämäräinen named the cause.

The Workday lawsuit is the most expensive documented illustration of what happens when a human-first governance program — risk assessments, bias audits, documentation — runs over an AI system making decisions at machine speed with no accountability structure designed for the actual decision being made. The bias audit cleared Workday because it was designed by the party being audited using methodology optimized for the documentation layer. The decisions the system was making happened at a layer the audit never reached. That's human-first governance applied to a machine-speed system. Courts are assigning liability for the gap.

The DCP-AI paper published in March made the architectural argument from first principles: agents operating without institutional infrastructure — verifiable identity, intent declaration, audit chains, lifecycle governance — produce exactly the failure patterns the Workday case documented at the human governance layer. The paper's nine specifications describe the technical substrate of agent-first governance at the protocol level. Saidot's knowledge graph and MCP integration describe it at the platform level. The sanctioned purpose, agent cards, and machine-speed accountability described in this piece describe it at the operational level. These are the same requirement expressed at three different layers of the stack.

What If Agent-First Governance Is Missing, Though?

The CISO's Pre-Failure Signal framework identifies Cross-Layer Convergence as the most dangerous pattern in the governance stack — simultaneous signals across multiple Control Layers that individually appear manageable but together indicate imminent failure. Agent deployments without agent-first governance architecture generate this pattern structurally, before any single thing goes wrong.

At the Governance Layer: Ownership Ambiguity fires because no named owner is assigned to the agent's decision classes. At the Security Layer: Permission Creep Drift fires because the agent's credential chain was never reviewed against its effective scope. At the Monitoring Layer: Signal-to-Incident Collapse fires because alerts are routing to shared inboxes without named SLAs. At the Compliance Layer: Evidence Reconstruction fires because audit trails capture system events without capturing human responses or decision-time context.

All four signals firing simultaneously in the same agent workflow is the Red Code condition — the pre-failure pattern that precedes the most consequential incidents. The governance check isn't whether any one signal is present. It's whether you can confirm that all four are absent for every agent workflow currently in production. In most organizations running agents seriously in 2026, that confirmation requires work that hasn't been done yet. The work is the agent-first governance program. Building it now, before the Red Code condition produces an incident, is the only version of this that doesn't cost significantly more than the governance investment itself.
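
As an added illustration (not code from Saidot, GAIG, or any platform named in this piece), the sketch below models an agent card and evaluates the four Pre-Failure Signals plus the escalation threshold from the payment example. Field names, permission strings, the owner's name, and the 0.5 investigation-ratio floor are assumptions; the $50,000 limit, 90-day review age, and four-hour SLA come from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_MAX_AGE_DAYS = 90          # from the article's quarterly review example
MIN_INVESTIGATION_RATIO = 0.5     # assumption: the article gives no numeric floor
REQUIRED_AUDIT_FIELDS = {"decision_context", "decision", "human_response"}  # hypothetical names
RED_CODE = {"ownership_ambiguity", "permission_creep_drift",
            "signal_to_incident_collapse", "evidence_reconstruction"}

@dataclass
class AgentCard:
    agent: str
    owner: Optional[str]                 # a named human, not a team
    owner_sla_hours: Optional[int]
    autonomous_limit_usd: Optional[int]  # None = no sanctioned purpose defined
    documented_scope: frozenset
    last_credential_review: date

def creep_delta(card, effective):
    """Permissions the agent effectively holds that the card never sanctioned."""
    return sorted(set(effective) - card.documented_scope)

def review_overdue(card, today):
    return (today - card.last_credential_review).days > REVIEW_MAX_AGE_DAYS

def pre_failure_signals(card, effective, alerts, investigations, audit_fields):
    signals = set()
    if not card.owner or card.owner_sla_hours is None:
        signals.add("ownership_ambiguity")
    if creep_delta(card, effective):
        signals.add("permission_creep_drift")
    if alerts and investigations / alerts < MIN_INVESTIGATION_RATIO:
        signals.add("signal_to_incident_collapse")
    if not REQUIRED_AUDIT_FIELDS <= set(audit_fields):
        signals.add("evidence_reconstruction")
    return signals

def route_payment(card, amount_usd):
    """Fail closed: no sanctioned limit or no named owner means no autonomous path."""
    if card.autonomous_limit_usd is None:
        return "hold:no_sanctioned_purpose"
    if amount_usd <= card.autonomous_limit_usd:
        return "auto_approve"
    if not card.owner:
        return "hold:no_named_owner"
    return f"escalate:{card.owner}:sla={card.owner_sla_hours}h"

# Constructed sample cards: one governed as in the article's example, one not.
GOVERNED = AgentCard("vendor-payments", "J. Doe (VP of Finance Operations)", 4, 50_000,
                     frozenset({"payments:approve", "vendors:read"}), date(2026, 3, 1))
UNGOVERNED = AgentCard("vendor-payments-legacy", None, None, None,
                       frozenset({"payments:approve"}), date(2025, 11, 1))

if __name__ == "__main__":
    today = date(2026, 5, 15)
    legacy_perms = {"payments:approve", "filesystem:write", "crm:write"}
    print(route_payment(GOVERNED, 340_000), review_overdue(GOVERNED, today))
    print(route_payment(UNGOVERNED, 340_000), creep_delta(UNGOVERNED, legacy_perms))
    found = pre_failure_signals(UNGOVERNED, legacy_perms, 40, 2, {"decision"})
    print("Red Code" if found == RED_CODE else sorted(found))
```

The routing function holds rather than approves when the card lacks a limit or an owner, so a missing governance artifact stops the payment instead of silently widening the agent's authority.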

Our Take

AI Governance Take

Mikko Kämäräinen and Saidot named something the market has been struggling to articulate: the shift from governance built for human-paced workflows to governance built for the systems actually running in production. That's the right name for the right problem at the right moment — and the enterprises that internalize it before an incident forces the conversation will have a fundamentally different governance posture than the ones that don't.

The architectural foundation Saidot describes — knowledge graphs, curated regulatory libraries, MCP integration — is the data layer that makes agent-first governance possible. The sanctioned purpose, agent cards, and machine-speed accountability described here are the operational layer that makes it real. Neither works without the other. A knowledge graph with no accountability structure is a very well-organized documentation problem. An accountability structure with no queryable data layer is a governance program that can't keep pace with its own deployments.

The diagnostic is simple. Pull your current governance program and find the agent workflows in production right now. For each one: is there a sanctioned purpose document defining autonomous decision authority? Is there an agent card with a named owner and a documented SLA? Is there an audit trail that captures decision-time context, not just system events? If those three artifacts don't exist for every production agent workflow, the program was built for the previous era — and the Pre-Failure Signals are accumulating in the gap between the governance architecture and the operational reality.

Agent-first governance isn't a 2028 roadmap item. It's the governance posture that the agents already running in production right now require. The window to build it before something forces the conversation is still open. The organizations that use it will be the ones explaining their governance program to regulators, not reconstructing it for them.
