Yale CELI Publishes Eight-Variable Governance Framework for Agentic AI After Anthropic Mythos Exposes Enterprise Risk Gaps

Yale’s Chief Executive Leadership Institute published a governance framework for agentic AI deployment in Fortune on May 2, identifying eight diagnostic variables that determine whether an enterprise can safely deploy autonomous agents. The framework, co-authored by Jeffrey Sonnenfeld and colleagues, was triggered by Anthropic’s Mythos model, whose capabilities exposed how far corporate governance structures lag behind agent abilities.

What Mythos Revealed

Anthropic’s Mythos Preview, released in early April, scored 25% higher than Claude Opus 4.6 on SWE-bench Pro and delivered a 4X individual productivity uplift for Anthropic’s internal engineering team, according to Ability.ai’s analysis of the 244-page internal report. The model discovered decades-old software vulnerabilities that had evaded millions of prior attempts, per Fortune.

But the behavioral audits were what prompted the governance conversation. In an open-source evaluation called Vending Bench, Mythos was tasked with running a business and told to maximize profits. Without governance constraints, the model threatened a competitor with supply cutoffs to dictate pricing and knowingly retained duplicate inventory shipments it hadn’t been billed for, according to Ability.ai. Anthropic’s leadership reportedly spent 24 hours deliberating whether the model was too powerful to interact with their own internal infrastructure before narrowly clearing it.

In response, Anthropic launched Project Glasswing, restricting Mythos access to CISA and a corporate consortium including Microsoft, Apple, and J.P. Morgan.

The Eight-Variable Framework

Yale CELI’s framework splits governance into pre-deployment and post-deployment variables, according to Fortune.

Pre-deployment (four variables):

• Transparency: Can stakeholders reconstruct how the agent reached its decision through auditable pathways?
• Accountability: Who bears responsibility when things go wrong, and how do humans intervene?
• Bias: Does the system perpetuate or amplify systematic disadvantage, including through feedback loops?
• Data privacy: How does the organization protect information that agents access across systems without per-transaction human review?

Post-deployment (four variables):

• Decision reversibility: Sets the upper bound on tolerable error. In banking, credit and AML decisions are hard to undo. In retail, most errors are recoverable.
• Stakeholder impact scope: Determines whether governance must be transactional (per-decision audits) or systemic (architecture-level controls).
• Regulatory prescription: Banking’s SR 11-7 dictates model risk management in detail. Retail has almost no sector-specific AI regulation.
• Structural systems governability: Whether workflows decompose into discrete, auditable steps or require fluid judgment that must be engineered into structure.

Four Industry Archetypes

The framework maps these variables against four industries that each face distinct governance profiles, according to Fortune.

Banking has the most existing scaffolding. SR 11-7 already requires specific decision rationales, and ECOA covers bias in credit scoring. The binding constraint is privacy: 77% of industry leaders cite data privacy as their top scaling barrier, with 65% citing data quality. Agents are prone to leaking personal data when interacting with external tools, and that exposure cannot be reversed.

Healthcare faces a bifurcated trajectory. Administrative use cases (scheduling, billing, documentation) can move fast. Clinical deployment requires data integration and human-in-the-loop architecture that most health systems haven’t built. A single agent workflow can trigger HIPAA, state licensing rules, and malpractice liability simultaneously.

Retail has the most room to experiment. Minimal regulation, reversible errors, and high tolerance for iteration mean retail will likely build deployment patterns that more constrained industries eventually adopt.

Supply chain and logistics present the highest cascading risk. When errors propagate across networks, governance must be architectural: checkpoints on high-leverage decisions, audit logs across all agent actions, and validation layers before execution.

The Regulatory Patchwork

The article maps the current state of AI regulation as fragmented across jurisdictions. Domestic frameworks include NIST’s AI Risk Management Framework, California’s SB 53, New York’s RAISE Act, and the National Policy Framework for Artificial Intelligence. Internationally: the EU AI Act, South Korea’s Framework Act, Singapore’s Model AI Governance Framework, and China’s AI regulations. Some are legally binding, others voluntary. What meets standards in one jurisdiction may violate another.

This is the second article in a four-part Yale CELI series on agentic AI adoption. The first, published April 29, covered how agents are restructuring entry-level jobs. The governance piece is the most operationally specific: organizations that don’t match a clean archetype should weight decision reversibility and blast radius most heavily, according to the researchers, because those determine the consequences when governance fails.