Agentic AI — systems that take sequences of actions autonomously, making decisions at each step rather than returning a single output — is arriving in regulated industries. The pilot programmes are running. The production cases are starting to emerge. The governance frameworks are not ready.
This is not a criticism. The technology has moved faster than the regulatory thinking in most jurisdictions. Regulators who were still working out how to treat a single AI decision are now being asked to think about AI systems that make dozens of decisions in sequence, in real time, with compounding effects that are difficult to audit after the fact.
The challenge for organisations deploying agentic systems in regulated contexts is that the existing compliance architecture was designed for a different class of system. Audit trails assume discrete decision points. Explainability requirements assume a single output with traceable inputs. Human oversight assumes a human has enough time to review what the system is doing before it does it.
None of those assumptions hold cleanly for a well-designed agentic system, which is precisely what makes it useful — and precisely what makes it hard to govern.