Who Answers When the Agent Acts

A tribunal has already held an institution responsible for what its chatbot told a customer. Most institutions still cannot say who, by name, owns the agent.

In brief

A company’s AI no longer just answers questions. It books, buys, provisions access, approves transactions, and ships code. When it acts wrongly, the liability does not attach to the model. It attaches to the institution, and increasingly to a person inside it. Yet 63 percent of organisations cannot enforce limits on what their agents are permitted to do, and 60 percent cannot stop a misbehaving agent once it starts (Kiteworks 2026 Data Security and Compliance Risk Forecast, surveying 225 security, IT, and risk leaders). The distance between the accountability the law already assumes and the control the institution actually holds is the defining governance problem of this cycle.

The position of this edition is one sentence, and it is testable. Within eighteen months, accountability for AI agents will move from the abstract, “the company is responsible,” to the specific, “this named executive is responsible for this agent.” Boards that make that move on their own terms will be in a stronger position than the ones who have it assigned for them, in public, after an incident.

A tribunal already answered the question

In early 2024, a customer relied on Air Canada’s website chatbot, which described a bereavement-fare policy that did not exist. When the airline declined to honour it, the matter went before British Columbia’s Civil Resolution Tribunal. Air Canada argued, in substance, that the chatbot was a separate entity responsible for its own statements. The tribunal rejected that and held the airline responsible for the information on its website, whether a static page or a chatbot produced it.

That ruling already looks modest. The chatbot only gave bad advice. The systems now reaching production do not advise; they act. They move money, change configurations, grant permissions, and deploy code at machine speed. If an institution was held liable for what its chatbot said, the liability it carries for what its agents do follows directly. What remains open is scale and timing.

The law is already moving faster than many governance programmes. In at least one real-world dispute, responsibility stayed with the institution that deployed the system, not the chatbot that produced the answer. What most institutions have not done is build the internal capacity to exercise the control that such responsibility presumes.

The gap underneath the law

Accountability without control is not accountability. It is exposure.

Most organisations have invested in observability: the dashboards, the logging, the alerts that tell you what an agent did. Far fewer have invested in containment: the ability to bind an agent to a purpose, to revoke its authority mid-action, to switch it off. Sixty-three percent cannot enforce purpose limits. Sixty percent cannot terminate a misbehaving agent. In May 2026, ServiceNow’s chief executive framed it in plain commercial terms, arguing that an enterprise needs a way to stop an AI that could act destructively in seconds. When a vendor builds a product category around the off switch, the gap has stopped being theoretical.

The EU AI Act adds to the pressure. From 2 August 2026, the Commission’s enforcement powers for general-purpose AI model obligations enter into application. The Act can reach beyond Europe where AI systems or outputs are placed into, deployed in, or used in the EU market, so a Caribbean, North American, or Asian board can be in scope through its customers and its vendors. Regulators are increasingly asking institutions to identify the parties responsible for governance, deployment, oversight, and assurance. Boards that have not named them internally will find the naming done for them.

The question is no longer whether AI will act inside the institution. It is who answers when it does.

Why this sits with the board, not only the CISO

Three features make accountability a board matter rather than a technical one.

First, the exposure is fiduciary and reputational, not merely operational. An agent that wrongly approves a transaction, exposes regulated data, or takes an action the institution cannot reverse creates a loss the board must answer for. The World Economic Forum’s Global Cybersecurity Outlook 2026 reports that cyber-enabled fraud has overtaken ransomware as the top cyber concern for CEOs, while AI is accelerating the risk landscape around fraud and cyber operations.

Second, ownership left undefined defaults to no one. When an agent spans several teams, drawing on data from one, logic from another, and access granted by a third, accountability diffuses until an incident forces the question. Diffuse accountability is the condition in which serious failures incubate. A board’s job is to assign it before the incident, not during.

Third, this is now a procurement and assurance expectation, not a courtesy. As serious institutions commit to running AI agents inside the access-control model, as Citi has signalled with Arc, its internal agentic AI platform, the audit trail for an action taken by software becomes a board-level artifact. Someone has to own it. The board decides who.

The small-state dimension

For small island developing states and emerging economies, the concentration is sharper, and so is the stake. In a larger jurisdiction, a flawed agent might affect one business unit among many. In a small state, a single national platform can serve the whole population, and a single autonomous process can touch identity, payments, records, and public services at once. The blast radius is national. The redundancy that cushions a large economy is often absent, and the institutional capacity to assign and exercise accountability is frequently stretched.

This is not a reason to move slowly. It is a reason to build accountability into the architecture from the first deployment, while the systems are still small enough to govern cleanly. A government that can name, for each automated process, the official who answers for it holds something many larger states do not yet have. That is governance as a competitive advantage, not a constraint. The institutions that treat it that way will keep public trust through their first serious AI incident. The ones that treat accountability as paperwork will discover its price the hard way.

An accountability operating model

Edition 1 argued that an AI agent that can act is a privileged identity and must be governed like one. This is the next layer: not how to control the agent, but how to own it. Five elements belong in every institution running autonomous systems.

One named owner per agent. Not a committee, not a function, a person. For each autonomous system, a single accountable executive whose name appears in the register and who answers for that agent’s behaviour. Committees dilute accountability by design. Names concentrate it.

A liability map. A written account of who answers to whom across the chain: the developer who built it, the business that deployed it, the vendor who supplied the model, and the board that oversees the whole. When the lines are drawn in advance, an incident becomes a response rather than a search for someone to blame.

A decision record. For consequential actions, capture not only what the agent did but what it evaluated, what it decided, and on what basis. An accountable owner cannot answer for a decision they cannot reconstruct.

An escalation and reversal path. Define the actions that always require human authorization, and guarantee the ability to halt and reverse an agent in motion. The off switch is not a technical nicety. It is the precondition of claiming, honestly, that the institution is in control.

Board attestation. The accountable executive attests, on a defined cadence, that each agent under their name is operating within its authorised purpose. The board receives that attestation as a standing item, with the same seriousness it gives to financial controls and material risk.

None of this slows innovation. It is the structure that lets an institution deploy with confidence, because it can say, at any moment, who answers for what.

Signal of the month

The clearest tell that this has crossed from theory to practice is linguistic. The language of AI governance is narrowing. The question is moving from whether AI is being used responsibly to who owns the outcome when it acts. When the framing shifts from a value to a name, the accountable-executive model is becoming the default expectation. Read that as a leading indicator, and move before it becomes a requirement.

What boards and executives should ask this month

Name one autonomous system in our organisation. Who, by name, is accountable if it acts wrongly tomorrow?

For our highest-impact agents, can we reconstruct what the system decided, and reverse what it did?

Which actions in our environment can an agent take today that should always require a human to authorise?

Does this board receive a periodic attestation that each consequential agent is operating within its authorised purpose, and who signs it?

If a regulator or a court asked us tomorrow who owns a specific AI-enabled decision, would our answer be a name, or a shrug?

The mandate

Edition 1 asked whether you had governed the authority you delegated to AI. This edition asks the question underneath it. Authority that no one owns is not delegation. It is abdication.

The institutions that endure their first serious AI-and-agent incident will not be the ones with the largest security budgets. They will be the ones that can name, in writing, who answers for the machine, and prove that the named person had the means to act. The direction of travel is clear: responsibility is staying with the institution that deploys the system. The only open question is whether you decide who, or let the next incident decide for you.

Executive question of the month

Pick one autonomous system in your organisation. Without checking, can you name the person who answers if it acts wrongly tomorrow? If you cannot, that is the work.

Dr. Inshan Meahjohn is Founder and CEO of DAG (Digital Alliance Global Group), a global cybersecurity and digital transformation platform operating across global markets under the operating posture Protect and Transform. He holds a PhD in Entrepreneurship from the University of Trinidad and Tobago and previously served as CEO of iGovTT, Trinidad and Tobago’s national ICT agency. Subscribe to Cyber Governance in the AI Era for monthly, board-level analysis on AI governance, cyber risk, and operational resilience.

Sources

Moffatt v. Air Canada, 2024 BCCRT 149 (14 February 2024); airline held responsible for its chatbot’s representations as part of its website.

Kiteworks 2026 Data Security and Compliance Risk Forecast, survey of 225 security, IT, and risk leaders (63 percent cannot enforce agent purpose limits; 60 percent cannot terminate a misbehaving agent).

World Economic Forum, Global Cybersecurity Outlook 2026 (with Accenture); cyber-enabled fraud now CEOs’ top cyber concern.

CPO Magazine, AI Risk Has an Ownership Problem, and Boards Are About to Discover It.

Fortune, ServiceNow wants to be the kill switch, 6 May 2026.

EU AI Act, enforcement of general-purpose AI obligations from 2 August 2026.

Axios, Citi moves into agentic AI (the Arc platform), 30 April 2026.
