When an AI agent acts on its own, the first governance question is who acted, and under whose authority.

AI agents moved from demos into enterprise work in about two years. They plan, call tools, and act across systems without a person in the loop for each step. Gartner reports a 1,445% rise in multi-agent-system inquiries between early 2024 and mid-2025, and projects that over 40% of agentic-AI projects will be cancelled by the end of 2027, citing cost, unclear value, and weak risk controls. The interest is real, and so is the difficulty of running these systems safely.

When an agent acts, the account it uses is rarely a person. The 2026 Verizon Data Breach Investigations Report singles out service and machine accounts as the assets most likely to be leveraged in a potential agentic-AI future. Those non-human identities already outnumber human ones in the enterprise by roughly 25 to 50 times, and 68% of security incidents involve a machine identity. An agent that shares one broad service credential with several others is, from the record’s point of view, indistinguishable from them.

Security teams now have a checklist for this. The OWASP Top 10 for Agentic Applications, published in December 2025, ranks tool misuse and agent identity and privilege abuse among the top risks for autonomous systems. The thread running through the list is attribution. When an action causes harm, you need to know which agent took it, on whose behalf, and whether it stayed inside the authority it was given. Shared credentials erase that answer by construction, which is why the standards work points at unique, scoped identities and a record of delegation.

Regulation is heading the same way. The EU AI Act gives a person subject to a high-risk AI decision a right to meaningful human oversight under Article 14, and a right to an explanation of the decision under Article 86. Guidance on Article 14 is specific that approving every action in seconds, without real review, does not count as oversight. The Act’s high-risk obligations were deferred by the Digital Omnibus package to December 2027 for stand-alone systems and August 2028 for systems embedded in regulated products. Those obligations are unchanged in substance, with a later compliance date, and the control they ask for is a point where a person can hold an action and a record that shows the decision.

The data an agent sends is governed too. The European Data Protection Board’s Opinion 28/2024 holds that an AI model is not automatically anonymous, and in December 2024 Italy’s Garante fined OpenAI €15 million over how ChatGPT handled personal data. For an organization deploying agents, the duty is the same one that applies to a person using a chatbot: control what leaves, and keep a record of it.

Where Mandate fits, and where it does not

Mandate is one control layer, not the whole program. Today it governs the AI traffic your people and applications send to AI services. It enforces your policy on that traffic in real time and keeps a tamper-evident record of what was sent, which policy version applied, and what was decided. That record is hash-chained and can be verified independently, which is the kind of attribution the agentic shift calls for.

Extending that control plane to agent tool calls is on our roadmap, and we describe it in future tense on purpose. The planned work puts a tenant-scoped agent identity on every decision, applies policy to a tool call before it runs, adds a hold-for-human step for high-impact actions, and records the delegation context at the boundary. We will claim it in the present tense when it ships, not before.

What Mandate does not do is worth stating plainly. It does not make a model resistant to prompt injection, which comes from how a model reads instructions and data on a single path; Mandate is one layer in a defence-in-depth design, not a fix for the model. It does not issue agent identities, which stays with your identity provider. And it does not address the frontier-capability risks that sit upstream of any use-time control. For how Mandate maps onto common AI-risk frameworks, including what we leave out of scope, see the FAQ on AI-risk frameworks.