Thought leadership

AI agents: Build or buy, governance becomes the differentiator

Share on:

Back in December 2024, we started discussing a topic that, at the time, felt slightly ahead of where most organizations were: governing AI agents. Conversations were still largely centered on models and copilots. Agents, systems capable of taking action, orchestrating workflows, and making decisions, were just beginning to emerge.

The question was mostly theoretical: what happens when AI starts acting on its own?

Only a few months later, that question is no longer theoretical. Organizations are now piloting, integrating, and preparing to scale AI agents across core business processes. These systems are steadily embedding themselves into enterprise software and influencing an increasing share of day-to-day decisions. What was recently experimental is quickly becoming operational. In that context, it is tempting to frame the discussion as a technical choice: should we build our own agents, or buy them from vendors? But this is increasingly the wrong question. Most organizations are already doing both, developing internal capabilities while adopting agents embedded in platforms like SAP, Salesforce, or cloud ecosystems. The real challenge lies elsewhere. It is whether you can see what your agents are doing, understand how they behave, and step in when it matters. Because once AI moves from responding to acting, success is no longer defined by how many systems you deploy, it is defined by how well you operate them.

From systems that respond to systems that act

This shift to agentic AI is not incremental; it changes the nature of how systems behave. Traditional AI responds to prompts. Agents pursue goals. They break down tasks, interact with multiple systems, and adapt as conditions evolve. In doing so, they move closer to the core of business operations, where their actions have direct and sometimes irreversible consequences. That is where both the opportunity and the risk accelerate.

Consider a procurement agent designed to optimize supplier selection. At first, it delivers clear benefits, reducing costs and accelerating decision-making. Over time, however, it begins favoring suppliers with incomplete compliance data simply because they appear more competitive. Nothing fails in a visible way. The agent is functioning exactly as designed. But it is operating without sufficient context or constraint. Because its decisions span multiple systems and workflows, the issue remains largely invisible until the impact becomes significant, exposing the organization to compliance, financial, or reputational risk.

The real problem is visibility

As agents scale, the challenge organizations face is not primarily one of volume, but of visibility. Agents tend to proliferate across platforms, teams, and environments.

Some are built internally, others come embedded in third-party solutions. Over time, ownership becomes harder to define, data dependencies harder to trace, and decision paths increasingly difficult to reconstruct.

This fragmentation creates blind spots that traditional governance approaches were never designed to address. The result is often an illusion of control. Policies exist. Frameworks are documented. But they are disconnected from how AI systems actually operate in practice. What happens at runtime, how decisions are made, how data is used, how systems evolve, remains only partially understood. Without a clear, connected view, organizations are left reacting to issues rather than anticipating them.

A unified view of AI systems

To move forward, organizations need to reestablish clarity, starting with a unified view of their AI landscape. This means bringing together use cases, models, and agents into a single, connected system of record.

A unified AI registry enables this by linking each AI system to its purpose, ownership, data inputs, and applicable policies.

At first glance, this may seem like a matter of organization. In practice, it is much more than that. By connecting these elements, organizations gain the ability to understand how systems behave, not just individually, but collectively. They can trace decisions back to their origins, identify dependencies across environments, and maintain a consistent view of risk and compliance. More importantly, this level of visibility creates a shift in posture. AI systems are no longer opaque or distributed black boxes. They become observable, comparable, and ultimately manageable. From there, a new capability begins to emerge: the ability not just to monitor systems, but to interpret what they signal and act with intent.

Scaling through manage by exception

Yet visibility alone is not enough. As AI activity grows, the volume of decisions, interactions, and changes quickly exceeds what any team can manually oversee. Attempting to review everything creates friction and slows down the very innovation organizations are trying to achieve.

This is why governance must evolve toward a different model, one based on managing by exception. Instead of reviewing every action, organizations define what “good” looks like: expected behaviors, acceptable thresholds, and policy boundaries. Systems are then continuously monitored against these expectations.

What matters is not everything that happens, but what deviates. A drop in data quality that affects decision reliability. An agent accessing data outside its expected scope. A shift in behavior that changes the risk profile of a use case. These are the signals that require attention. Everything else continues to operate autonomously, without unnecessary intervention. This approach allows organizations to maintain control while preserving speed. It shifts governance from a manual bottleneck to a scalable, signal-driven capability.

Creating the conditions for safe autonomy

For this model to work, governance cannot be an afterthought. It must be built into how agents operate. As autonomous vehicles rely on the rules of the road, AI systems need a structured environment to guide their behavior. Without it, even well-designed agents can produce unpredictable outcomes.

This starts with clarity on where autonomy makes sense, and strong accountability so every decision has a clear owner. It depends on trusted, well-governed data, ensuring agents act on reliable inputs. And it requires continuous oversight, so deviations can be detected and addressed early.

When these elements come together, autonomy becomes reliable. Without them, it remains fragile.

Continue the conversation

AI agents are quickly becoming part of everyday business operations—and with that shift comes a new set of questions. Not just how to build them, but how to understand their behavior, oversee their decisions, and intervene when it matters.

This is exactly what we explored in our January 2026 global webinar, where the discussion moved beyond the technology itself to what it takes to operate AI systems with confidence.

Because what is changing is not just the technology—it is how we think about operating it.