CISOOnline

The AI governance imperative you can’t afford to ignore

“The biggest challenge is not simply whether an agent produces a good answer,” he says. “It is whether the organization can prove what the agent accessed, what instructions it followed, what tools it invoked, what decisions it made, where a human intervened, and whether it stayed within authorized boundaries.”

Without a full level of runtime visibility, companies are left with screenshots, logs, and after-the-fact explanations that may not meet legal, compliance, or security requirements, he says.

Agents should be continuously verified instead of fully trusted, he adds, with governance engineered into the agent architecture itself. Governance should include role-based access, policy-bound execution, human approval thresholds, source and tool provenance, immutable activity records, confidence scoring, exception handling, and clear escalation paths when an agent reaches the edge of its authority, he recommends.


