AI agent governance: are least agency and observability enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: AI agents now execute multi-step workflows across production systems, and the article argues that governable design depends on least agency and strong observability, according to WorkOS and the OWASP Top 10 for Agentic Applications. The practical lesson is that autonomy must be constrained before it is expanded, or review and audit become too weak to control real runtime behaviour.

NHIMG editorial — based on content published by WorkOS: The architecture of governable AI agents

Questions worth separating out

Q: How should security teams govern AI agents that can chain actions across tools?

A: Treat the agent as a runtime identity with bounded agency, not as a user session with extra automation.

Q: Why do AI agents create different identity risk than traditional automation?

A: Traditional automation follows predetermined rules, while an AI agent can choose actions, sequence them, and adapt mid-session.

Q: What do teams get wrong about least privilege for AI agents?

A: They often stop at permission scope and ignore behavioural scope.

Practitioner guidance

  • Define agency boundaries before expanding autonomy. Document which tools, data sets, and irreversible actions the agent may use, then remove any capability that is not required for the current task scope.
  • Instrument identity-layer observability for every action. Require each tool call to carry the agent ID, user ID, workflow ID, plan step, authorization decision, and delegation context so you can reconstruct authority later.
  • Replace broad tools with narrow functions. Break arbitrary APIs into specific actions such as lookup, retrieve, or update so the agent cannot improvise new request shapes outside the approved boundary.

What's in the full article

WorkOS' full blog post covers the implementation detail this post intentionally leaves for the source:

  • How WorkOS structures RBAC and fine-grained authorization for tool-level agent control
  • How OAuth 2.1 and sender-constrained tokens are used to scope agent credentials
  • How the article maps OWASP Top 10 for Agentic Applications risks to agency and observability failures
  • How to structure action-layer and identity-layer events for operational querying

👉 Read WorkOS' blog post on governable AI agents and runtime observability →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 918
 

Least agency is the missing control concept for agentic AI governance. Least privilege answers what an identity can access, but not how much runtime discretion it has once access is granted. That leaves a structural gap in programmes that still assume policy boundaries are enough. In agentic environments, the control problem is decision freedom, not just entitlement breadth, and practitioners should treat agency as a first-class governance dimension.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to the AI Agents: The New Attack Surface report.
  • 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: What should identity teams review when an AI agent is allowed to delegate?

A: Review the full delegation chain, not only the first identity that was authorised. Each hop should inherit a smaller permission set, a clear purpose, and a traceable authority link. If that attenuation is missing, delegated access can expand faster than the original approval ever intended.

👉 Read our full editorial: Least agency and observability are the core of governable AI agents



   
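The delegation review described in the reply above, as an added example that is not part of the original posts or of WorkOS' code: it walks a delegation chain and reports every hop that lacks a purpose, breaks the authority link, or fails to shrink the permission set. The `Hop` record, the identity names and the scope strings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Hop:
    identity: str            # user, agent or sub-agent holding authority at this hop
    parent: Optional[str]    # identity that delegated to it; None only for the root
    scopes: frozenset        # permissions held at this hop
    purpose: str             # why the authority was handed on

def review_chain(chain):
    """Return findings for a delegation chain; an empty list means it attenuates."""
    findings = []
    for i, hop in enumerate(chain):
        if not hop.purpose.strip():
            findings.append(f"{hop.identity}: no stated purpose")
        if i == 0:
            if hop.parent is not None:
                findings.append(f"{hop.identity}: root hop names a parent")
            continue
        prev = chain[i - 1]
        if hop.parent != prev.identity:  # authority must trace back hop by hop
            findings.append(f"{hop.identity}: authority link broken "
                            f"(parent={hop.parent!r}, expected {prev.identity!r})")
        extra = hop.scopes - prev.scopes
        if extra:                        # delegation may never add permissions
            findings.append(f"{hop.identity}: gained scopes {sorted(extra)}")
        elif hop.scopes == prev.scopes:  # "smaller" means strictly smaller
            findings.append(f"{hop.identity}: scopes not reduced")
    return findings

# Constructed sample chains (hypothetical identities and scopes).
GOOD_CHAIN = [
    Hop("user:alice", None, frozenset({"tickets:read", "tickets:update", "kb:read"}), "resolve ticket"),
    Hop("agent:planner", "user:alice", frozenset({"tickets:read", "kb:read"}), "draft reply"),
    Hop("agent:retriever", "agent:planner", frozenset({"kb:read"}), "fetch articles"),
]
BAD_CHAIN = [
    Hop("user:alice", None, frozenset({"tickets:read", "kb:read"}), "resolve ticket"),
    Hop("agent:planner", "user:alice", frozenset({"tickets:read", "kb:read"}), ""),
    Hop("agent:retriever", "agent:other", frozenset({"kb:read", "tickets:delete"}), "fetch articles"),
]

if __name__ == "__main__":
    for finding in review_chain(BAD_CHAIN):
        print(finding)
```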