There is a version of governance that exists to protect the company from regulators, and a version that exists to protect the company from itself. They share a vocabulary and almost nothing else. Part II is about the second version.
This is the part of the report most often skipped, and it is the part that decides whether the agent you build in Part I survives the contact with reality described in Part III. The teams that ship agentic AI well have something the slides do not show: a small, durable governance structure built before the first agent went into production, run by people who knew where the off-switch was.
The document trap
Most enterprise governance for AI begins as a document. A policy is drafted, approved, posted on an intranet page, and never read. The next time anyone in the organisation thinks about the document is when a regulator asks for it, or an incident forces it. By then, the agent has been live for nine months and the policy bears almost no resemblance to what was actually built.
This is the failure pattern that the NIST AI Risk Management Framework 1.0 was designed to break, although you would not know it from the way most consultancies present it. The framework is not a compliance regime. It is a habit. Read carefully, the four functions — Govern, Map, Measure, Manage — describe a small loop that an actual team runs every week, not a binder a lawyer signs once a year.
The trap is that "governance" sounds like a thing you finish. It is not. It is a thing you operate.
The RMF as a spine, not a checklist
The RMF's four functions are concurrent, not sequential. Govern is the cross-cutting function: the policies, the accountability, the inventory, the kill-switch procedure. Map is the act of writing down, for each agent, what it does, what tools it has, who it acts for, and where it can hurt somebody. Measure is the eval suite, the production monitoring, the drift watch. Manage is the work of responding when one of the other three reports a problem.
If your governance program produces a binder and not a weekly meeting where someone reads the latest Measure output, you have built the document, not the spine. The four-function diagram below is what each of those functions actually contains when it is doing real work.
The single highest-leverage RMF practice is the GV 1.6 inventory. Knowing what agents you have, what tools they hold, and who their human principal is — that one document, kept current — prevents more incidents than any other artefact in this report. Most enterprises do not have it. The first quarter of any agent program should produce it before a second agent is built.
The twelve risks, in plain English
In July 2024, NIST released AI 600-1, the Generative AI Profile, naming twelve specific risk categories that the base RMF understood only loosely. The list is the most useful one-page artefact in the entire field. Read it once and you have a vocabulary. The categories are: CBRN information, confabulation (hallucination presented as fact), dangerous or violent content, data privacy, environmental impact, harmful bias, human-AI configuration (over-reliance, automation bias), information integrity, information security, intellectual property, obscene content, and value-chain integration.
Most enterprise programs touch only four or five of those in any serious way: confabulation, data privacy, information security, human-AI configuration, and value-chain. The other seven matter for specific industries or specific deployments. The discipline is to read the list, decide which apply, document the decision, and revisit it when a tool changes. That is governance. The rest is theatre.
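As an added illustration (not from the report, and not NIST tooling) of what the GV 1.6 inventory and the "decide, document, revisit when a tool changes" discipline look like when they are operated rather than filed: a small checker over a constructed agent inventory. Agent, tool and team names are hypothetical; the review window of 90 days is an assumed policy value.

```python
from datetime import date, timedelta

# The twelve AI 600-1 risk categories named in the chapter, as short keys.
AI_600_1_RISKS = {
    "cbrn", "confabulation", "dangerous_content", "data_privacy",
    "environmental_impact", "harmful_bias", "human_ai_configuration",
    "information_integrity", "information_security", "intellectual_property",
    "obscene_content", "value_chain",
}

# Constructed sample inventory; agent, tool and team names are hypothetical.
INVENTORY = [
    {"agent": "invoice-triage", "tools": ["erp.read", "email.send"],
     "principal": "ap-team-lead", "kill_switch_owner": "platform-oncall",
     "risks": ["confabulation", "data_privacy"],
     "reviewed": date(2026, 1, 12), "tools_changed": date(2026, 1, 10)},
    {"agent": "support-bot", "tools": ["crm.read", "refund.issue"],
     "principal": None, "kill_switch_owner": "platform-oncall",
     "risks": ["confabulation", "human_ai_config"],  # not a valid category key
     "reviewed": date(2025, 6, 1), "tools_changed": date(2025, 11, 3)},
]
TODAY = date(2026, 2, 1)  # constructed "as of" date for the sample run

def check_agent(rec, today=TODAY, max_age=timedelta(days=90)):
    """Return the list of governance findings for one inventory record."""
    findings = []
    if not rec.get("principal"):
        findings.append("no human principal")
    if not rec.get("kill_switch_owner"):
        findings.append("no kill-switch owner")
    if not rec.get("tools"):
        findings.append("no tools recorded")
    unknown = set(rec.get("risks", [])) - AI_600_1_RISKS
    if unknown:
        findings.append("unknown risk categories: " + ", ".join(sorted(unknown)))
    if rec["tools_changed"] > rec["reviewed"]:
        findings.append("tools changed after the last risk review")
    if today - rec["reviewed"] > max_age:
        findings.append("risk decision stale (older than %d days)" % max_age.days)
    return findings

def check_inventory(inventory, today=TODAY):
    """Map agent name -> findings, for agents with at least one finding."""
    return {r["agent"]: f for r in inventory if (f := check_agent(r, today))}

if __name__ == "__main__":
    for agent, findings in check_inventory(INVENTORY).items():
        print(agent, "->", "; ".join(findings))
```

Run weekly against the real inventory, the non-empty result is the agenda for the meeting the chapter describes.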
Where EU AI Act meets NIST
If your enterprise has any presence in the EU, the EU AI Act is the regulation that will define the next three years of your governance work. Prohibited practices have been enforceable since February 2025, with fines up to €35M or 7% of global turnover. GPAI transparency obligations activated in August 2025. Full high-risk obligations begin August 2, 2026. Annex III high-risk sectors include credit scoring, employment, biometric ID, education, and critical infrastructure. If you deploy an agent there, Articles 9–17 apply: risk management systems, technical documentation, six-month minimum logging, transparency, and human oversight.
The good news, if you accept the framing of this chapter, is that a rigorous NIST RMF program produces most of what the EU AI Act asks for. The Cloud Security Alliance's 2026 analysis is blunt about this: organisations running the RMF as described above are substantially better positioned than those who treated it as paperwork. The difference is whether your inventory is real, your Measure outputs are produced, and your Manage responses are exercised. That is what the regulator will ask for, in any geography. Build it once, defend it everywhere.
The next chapter is about the second function — Map — and the canvas a team can use on a Monday morning to write down what an agent actually does, before anyone writes a line of code.