AI agent customisation: why plug-and-play governance breaks down

TL;DR: Off-the-shelf AI agents fail because business workflows, data, and approval patterns vary by organisation, so generic automation quickly collides with exception handling, grounding gaps, and misaligned expectations, according to Opnova. The governance lesson is that agentic AI must be treated as a bespoke identity and workflow integration problem, not a digital employee shortcut.

NHIMG editorial — based on content published by Opnova: The Fallacy of the Off-the-Shelf AI Agent: Why Your Next Digital Employee Needs More Than a Name

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).

Questions worth separating out

Q: How should security teams govern AI agents that need organisation-specific workflows?

A: Security teams should govern AI agents as workflow-bound machine identities, not reusable digital employees.

Q: Why do generic AI agents create more governance risk in some processes than others?

A: Generic AI agents create more governance risk when a process contains many exceptions, local rules, or hidden approval steps.

Q: What do teams get wrong about off-the-shelf AI agents?

A: Teams often assume that a capable model can be reused safely across different businesses with minimal adjustment.

Practitioner guidance

• Map workflow variance before deployment Document approval thresholds, exception cases, and system-specific branches for each process the agent will touch.
• Ground agent access in explicit business context Limit the agent to the exact data sources, policies, and terminology it needs for one business function.
• Treat naming and persona design as governance inputs Avoid human-like naming that encourages teams to grant vague authority or assume human judgment.

What's in the full article

Opnova's full blog covers the operational detail this post intentionally leaves for the source:

• Step-by-step explanation of the modelling, grounding, and fine-tuning cycle for AI agents in enterprise workflows
• Concrete examples of workflow exceptions that make generic agents fail in finance, support, and operations
• How the article frames customisation as a prerequisite for business integration rather than a nice-to-have
• The vendor's own language on how its approach fits disconnected applications and identity governance

👉 Read Opnova's analysis of why off-the-shelf AI agents fail in enterprise workflows →

AI agent customisation: why plug-and-play governance breaks down?

Explore further

View Full Forum →  |  NHI Foundation Course →