• 2 min read
Enterprise AI rules are already lagging behind agents
A TechRadar Pro Perspectives piece argues many AI governance policies were built for ChatGPT-era risks, not autonomous agents.

Image: TechRadar
Many enterprise AI governance policies were written for a much simpler problem: stopping employees from pasting sensitive company data into public models. In a TechRadar Pro Perspectives piece, the author argues those frameworks are now badly out of date as organizations deploy AI agents that can query databases, update records, and trigger workflows across connected systems.
The core problem is speed and specificity. Older governance models were built to limit exposure, not manage software that can act autonomously across email, CRM, databases, and calendars. According to the piece, governance only works if it translates into concrete system controls, including which systems an agent can access, what actions it can take, and under what conditions.
The article lays out four questions companies should use to audit their current approach:
- Can employees quickly see what AI tools can access on their behalf?
- If an agent takes a wrong action, how fast can access be revoked?
- Does policy define only what is forbidden, or also what is allowed?
- Does the framework govern agent behavior at the system level, not just in general terms?
On the first point, the piece recommends maintaining a live permissions inventory covering approved AI tools, the systems each can connect to, what they are authorized to do, and who owns each integration.
For revocation, it argues companies should avoid scattered credentials and move toward centralized authentication, where each agent has a defined identity and scoped permissions. The article specifically points to the Model Context Protocol (MCP) as a standard designed to give agents a structured, auditable way to access external systems through OAuth rather than credentials embedded in prompts or scripts.

Recommended reading
AI coding may be creating a new debt problem
The piece also says governance should define approved use cases clearly, not just list prohibitions. For agents, vague boundaries are not enough; policies need to specify permitted tools, connections, and actions so the governed path becomes the default.
Finally, the argument is that agent governance must be operational, not static: organizations should review access definitions when new tools are deployed, audit permissions when agent capabilities expand, and update permitted-use frameworks as the technology changes. The article’s sharpest point is its simplest one: if governance cannot keep pace with the systems it is meant to control, it is just documentation.
“The principle that holds, regardless of what AI looks like next year, is this: governance that can’t keep pace with the technology it’s supposed to cover isn’t governing anything.”
Enterprise Editor
Marcus follows the money. He covers enterprise software, cloud architecture, and the tectonic shifts in Big Tech strategy. He translates dense earnings calls and complex M&A activity into actionable insights about where the industry is actually heading. If a tech giant makes a silent pivot, Marcus is usually the first to notice.
via TechRadar


