Governing the Agentic Enterprise: From Shadow AI to Autonomous Security

The emergence of autonomous AI agents capable of independent decision-making, tool usage, and multi-step reasoning represents a paradigm shift in enterprise technology that existing cybersecurity frameworks were never designed to address. This paper examines the security and governance challenges posed by agentic AI systems, from the proliferation of unsanctioned "shadow AI" agents to the deliberate deployment of autonomous systems in critical business processes.

The paper introduces a governance framework specifically designed for agentic enterprises — organisations where AI agents operate alongside human workers with varying degrees of autonomy. This framework establishes clear boundaries for agent authority, defines escalation pathways for high-risk decisions, and implements continuous monitoring of agent behaviour against established policy guardrails.

Key areas addressed include the taxonomy of enterprise AI agents (from simple chatbots to fully autonomous multi-agent systems), threat models specific to agentic architectures (prompt injection chains, agent impersonation, tool misuse, and cascading failures), and practical controls for managing agent lifecycles. The paper draws particular attention to the risks of agent-to-agent communication in orchestrated workflows, where security failures can propagate across multiple systems without human intervention.

The governance framework is mapped to current and emerging regulations including the EU AI Act's risk classification system, DORA's operational resilience requirements for financial services, and the NIST AI Risk Management Framework. Implementation guidance covers both technical controls (agent sandboxing, permission boundaries, behavioural monitoring) and organisational controls (accountability structures, incident response for autonomous systems, and board-level reporting on AI agent activities).