When Action Becomes Standard, Governance Becomes the Product

Over the last few weeks I have watched a lot of people react to computer use in AI agents as if it were the main event. The reaction has been some version of the same thing. The model can click. The model can type. The model can operate software on your behalf. Impressive.

I think the industry is about to walk past the actual story.

The real story is not that AI agents can now act. The real story is that action is quickly becoming a baseline capability. Every serious agent will have it. Every serious agent will be able to click, type, navigate, edit files, read screens, call APIs, and chain operations across tools. When that is true, the ability to act stops being the thing that separates one agent from another. And if you are building a company on top of agents, or more importantly deciding which agents your company is going to trust with real work, you should be paying attention to what comes next.

Here is the question I keep returning to. Once every agent can do things, which ones can you trust to operate?

That is not a rhetorical move. It is an operational problem, and it is the problem my time at Restaurant Brands International pushed me into faster than I expected. When you are responsible for AI across four brands and more than 2,000 employees, you do not get to pretend governance is a compliance conversation that happens at the end. It is the whole product. The first time an AI agent takes an action on your behalf in a real workflow, you stop caring about model benchmarks and start asking a very different set of questions. What did it just do. Who authorized it. What did it see to decide. What did it remember from last week. Can I undo it. Can I prove what happened when the auditor shows up in six months.

Most of the teams I talk to have not sat with those questions yet. They are still in demo mode. A demo is where you watch an agent book a flight and feel impressed. Production is where you watch an agent book the wrong flight for the CEO, on a corporate card, with a memory of preferences it picked up from a stale thread, and nobody on the team can reconstruct why it did that. The distance between those two scenes is not a model capability gap. It is the absence of the infrastructure that makes action safe.

I have started calling this infrastructure by a specific name in my own work. Action governance. It is a different thing from data governance, which is the conversation most enterprises have been having for the last decade. Data governance asks who can see what. Action governance asks a set of questions that are harder and, right now, mostly unanswered in most organizations.

The questions, roughly in the order I think about them.

What context does the agent have at the moment it acts. Which systems can it reach, and which ones are explicitly off limits. What policy gates its actions, and what triggers a human in the loop. What does it retain between sessions, how long does it retain it, and under what rules can that memory be used or forgotten. How are the agent's decisions audited, not just the inputs and outputs but the intermediate reasoning. And when something goes wrong, which it will, how does the agent recover, and how do you roll back the state of the world to where it should be.

None of those questions are theoretical. Every one of them maps to a concrete design decision somebody has to make before a production workflow goes live. And the uncomfortable truth is that very few platforms are shipping the primitives you would need to answer them cleanly. You mostly have to assemble the answers yourself, out of policy frameworks, tool permissions, memory stores, approval queues, logging infrastructure, and a lot of careful thinking about who is actually accountable when an agent acts.

Which is where I land. The AI agent market is going to split. On one side, the vendors who ship raw capability and trust you to figure out the governance layer. On the other side, the ones who ship the governance layer as the product and make capability table stakes. The second group will win the enterprise. I am fairly confident about that. The first group will keep dominating the demos and the hackathons for another year or two, and then the conversation will move.

I want to be honest about what I do not know. I do not know exactly how the tooling layer is going to shake out. I do not know whether the governance primitives will end up living inside the agent platforms themselves, inside a new category of observability and policy tooling, or inside the existing identity and audit stacks that every large enterprise already runs. I have seen arguments for all three and I have not heard one that settled the question for me. What I do know is that somebody in your organization is going to own this, and the sooner you name who that person is, the less painful the next twelve months will be.

The operational move I would make if I were sitting inside an enterprise right now is not glamorous. Before you scale your agent deployments, before you add the next use case, before you green light the pilot that finance is asking for, I would write down the action governance model in plain language. Who can the agent act on behalf of. What is it allowed to do without a human. What is it never allowed to do. How does it log its decisions in a way that is auditable six months later. What is the rollback story. Who owns the policy when it needs to change. How do we know when the policy is wrong.

That document will feel like bureaucracy on day one. It will feel like the most valuable thing you own by month three.

If action is about to be free, then governance is the product. The companies that internalize that early are the ones I expect to be operating real AI in production by the end of next year. The ones that keep watching demos will still be watching demos.

I am interested in how other operators are thinking about where the moat moves once computer use becomes expected. If this is a live conversation in your organization, I would welcome the chance to compare notes.