Most enterprise AI governance policies were written to solve a narrow problem: stop employees from pasting sensitive data into ChatGPT. That problem was real and manageable. The policies that emerged from it are now being applied to a technology that operates nothing like it did when those policies were drafted.

Brandon Sammut, Chief People and AI Transformation Officer at Zapier, laid out the structural mismatch in a TechRadar analysis published July 16. His core argument: governance frameworks designed to manage AI model output (tone, bias, factuality) cannot govern agentic AI systems that autonomously query databases, update records, and trigger downstream workflows across connected infrastructure.

Output Governance vs. Authorization Governance

The distinction Sammut draws is architectural, not semantic. Traditional AI governance asks: “Is this output acceptable?” Agentic AI requires: “Is this action authorized on this system, under these conditions, by this identity?”

These are fundamentally different questions. The first is a content-quality check. The second is an access-control and authorization decision that requires knowing which systems the agent can reach, which operations it can perform within those systems, and who owns the integration. Organizations running agents without this scaffolding have, as Sammut puts it, documentation rather than governance.

Four Audit Questions

Sammut proposes four questions that reveal whether an organization’s governance framework has kept pace with its agent deployments:

1. Can employees find out right now what AI can access on their behalf? When someone deploys an AI tool at work, that tool often connects to real systems: email, CRM, databases, calendars. Without a permissions inventory that maps which tools are approved, which systems each tool connects to, and which actions it can take, the organization has no reliable way to assess exposure.

2. If an agent takes a wrong action, how quickly can you revoke it? Agents take sequences of actions across connected systems. If credentials are scattered across sessions, scripts, and individual configurations, revoking access means tracking down every place that credential was used. Sammut argues for centralizing agent credentials under a unified auth system with scoped permissions, so revocation is a single action with a clear audit trail. He specifically calls out the Model Context Protocol (MCP) as a standard designed for this: giving agents structured, auditable access to external systems through OAuth rather than credentials embedded in prompts.

3. Does your governance policy describe what’s permitted, or only what’s prohibited? A policy built around prohibitions tells employees what they cannot do but gives no guidance on what they can do safely. Sammut argues for affirmative governance: explicitly defined, approved use cases with documented boundaries.

4. Are governance decisions automated, or dependent on a human bottleneck? Agents executing hundreds or thousands of actions per day will overwhelm approval workflows designed for human-scale request volumes. Governance decisions need to be encoded as policy-as-code, not routed through committee review.

The Compliance Gap in Practice

The timing of Sammut’s analysis tracks with several converging signals. Info-Tech Research Group published a seven-stage adaptive governance framework arguing governance programs must themselves become agentic. The Linux Foundation announced its Agentic AI 2026 Summit partly in response to a 2.6x increase in unpatched CVEs across agent-related open-source projects since December 2025. And the HalluSquatting research published this week demonstrated that nine major agent platforms are vulnerable to attack vectors that bypass input-level controls entirely.

Each of these points to the same conclusion: governance designed around what an AI says is insufficient for a world where AI acts.

Authorization as Architecture

The practical shift Sammut describes is from governance-as-policy-document to governance-as-infrastructure-layer. In this model, agent permissions are not written in an employee handbook. They are encoded in the systems agents connect to: which APIs accept agent credentials, which operations those credentials authorize, which actions require human approval, and which audit trails are generated automatically.

For organizations that deployed agents under output-focused governance and now need to retrofit authorization controls, the starting point is the permissions inventory. Map every agent, every system connection, every action scope. If that inventory does not exist, the organization does not know what its agents are doing.