Last week I delivered a Keynote at the Okta AI Identity Summit in London, speaking to a room of IT directors, security leaders and identity professionals about a question that is moving very quickly from the theoretical to the urgent: if an AI agent is authorised to act, who is accountable when it does? I want to share here the core of what I discussed, because it applies far beyond that room. The honest picture is that adoption is real, but it is lopsided. Deployment has run ahead of governance. When I ask a security leader whether they can name every agent running in their organisation, and who owns each one, the response is usually a pause. So the question is not whether this is hype. It is genuinely happening, in more places than most organisations can see. The gap is between how fast we are putting agents to work and how slowly we are learning to answer for them. Let me start with the scale of what we are dealing with. For every human identity in the enterprise today, there are now around 109 non-human ones. These are the service accounts, tokens and, increasingly, the AI agents that quietly run our systems. The agents are the fastest growing part of that picture. Gartner expects the average Fortune 500 organisation to be running over 150,000 of them by 2028, up from fewer than 15 in 2025. But the figure that should stop us in our tracks is this: only 34% of organisations apply the same identity and access controls to their agents as they do to their people. So we have taken on an enormous new workforce, practically overnight, and two thirds of us are not governing it the way we would govern a human employee. That gap, between what our agents can do and what we can answer for, is the whole problem. It helps to separate two ideas that are often confused. Control answers a technical question: can the agent be seen, scoped and stopped? Accountability answers a human one: when it acts, who answers for it, and can you prove it? Those are not the same thing. A system can be perfectly controlled and still leave nobody answerable. You can have full visibility, least privilege access, guardrails and a working off switch, every technical box ticked, and still be unable to say whose name is on the outcome when something goes wrong. Control is a setting. Accountability is a decision, and only people make it. This matters because the liability is not hypothetical, and the law already points squarely at us. An agent has no legal personhood. You cannot sue it and you cannot sanction it, so a human or the organisation is always the liable party. “The AI did it” is not a defence. The Information Commissioner’s Office has been explicit that you answer for the outcome whether a person or an agent carried it out. Human oversight is not merely good practice either; it is a legal duty, with UK GDPR Article 22 giving people rights over decisions that significantly affect them, and a statutory code now in place on AI and automated decisions. The financial exposure is real money: up to 17.5 million pounds, or 4% of turnover, under UK GDPR, and up to 10% of global turnover under the Competition and Markets Authority’s regime. And if you serve customers in the European Union, the EU AI Act reaches you on top of all of that. The liability already exists. The only question is whether you can meet it. People often tell me they are waiting for the law to arrive before they act. The UK does not have a single AI Act, that is true, but what we have instead is a principles based approach, and your agents are already regulated under it. The ICO governs what your agents do with personal data and is updating its automated decision making guidance right now. The National Cyber Security Centre has set clear security expectations. The Competition and Markets Authority now covers traders deploying agents, and the Digital Regulation Cooperation Forum, which brings the CMA, the Financial Conduct Authority, the ICO and Ofcom together, is mapping where all of this overlaps. There may be no single statute, but five principles bind every one of those regulators: safety, transparency, fairness, accountability and contestability. “We are waiting for the law” is not a strategy. The expectations are already here. They are simply spread across the regulators you already answer to. The cyber security community should take some confidence from where this is heading. In May, the National Cyber Security Centre, together with its Five Eyes partners, published guidance on deploying agentic AI. It says that before you deploy an agent you must decide five things: who owns it, who approves its access, who monitors its behaviour, who reviews incidents, and who can stop it when something goes wrong. Its blunt test is that an agent you cannot understand, monitor or contain is not ready to deploy. Notice the pattern in that list. Ownership. Authorisation. Oversight and audit. An off switch. That is not just one speaker’s framework. It is what the country’s own cyber authority now expects of you. The framework I shared distilled into four questions to ask of every single agent you run. First, who owns it? There should be a named, accountable human behind every agent, because if no one’s name is on the door, no one answers when it walks through yours. Second, what can it do? Scoped, least privilege access to the systems the task needs, and nothing more. Do not hand the agent the master key. Third, how do we know what it did? Every action should be logged, attributable and tamper evident, with traceability built in by design rather than reconstructed after an incident. And fourth, when does it stop? A clean lifecycle, in which the agent is provisioned, rotated, revocable and decommissioned, with an off switch you have actually tested. If you can answer all four for an agent, you can be accountable for it. If you cannot answer even one, that is not an agent you have deployed. It is an agent you have lost track of. The principle of least privilege deserves a moment on its own, because it is doing more work than people realise. Least privilege means giving an identity only the access it needs to do its specific job, and nothing more. Not what might be handy, not what is easiest to set up, and not the same access as the team it sits in. Think of a new cleaner who is given a key to the offices they clean, rather than the master key to the building, the safe and the server room. Even if the master key would be more convenient, you do not hand it over, because the risk if it is lost or misused is enormous. For AI agents the same logic applies, and it matters more, because agents act fast, at scale, and often without a human watching each step. An agent built to summarise support tickets needs read access to the ticket system, and that is all. It does not need to write to your customer database, issue refunds or reach your finance data simply because those things happen to be reachable. If it is over provisioned and it misbehaves, or it is hijacked, the blast radius is everything it could touch, not just what it was meant to touch. This is precisely why it is so concerning that 97% of non human identities carry privileges beyond what they actually use. That standing, excess access is the gap attackers exploit, and every unused permission is a door you have left open. Answering those four questions is how you move from authorised to accountable, because accountability you cannot evidence is not accountability at all; it is hope. Four things make it real. Attribution, so that every agent action traces to one identity and one human owner, never blurred across a shared account. Explainability, because if you cannot explain how an output was reached you should not ship it, since opacity is a liability rather than a feature. Audit and escalation, meaning immutable logs, sampled reviews and a fast, human route to challenge or reverse an agent driven outcome. And decision rights, which define the calls an agent may never make on its own, on the basis that the higher the stakes, the more a human stays in command.  The biggest mistake I see is treating all of this as a technology project rather than an accountability one. The Boston Consulting Group has a useful rule of thumb for AI success: roughly 10% is the algorithms, 20% is the technology and data, and 70% is the people and the processes around them. In other words, you can buy the tools, but you cannot buy the culture, the ownership and the judgement that make them safe. The organisations that struggle are the ones that automate first and ask who owns this afterwards. Authorised means an agent is allowed to act. Accountable means you can stand behind what it did. The organisations that will thrive in the agentic era are the ones that treat that distinction as a design principle rather than a clean-up exercise, and that decide, before anything goes live, whose name is on the outcome. The technology is the easy part. The real work, and the real advantage, is human judgement, governance and accountability by default. If you would like to talk about how to put this into practice in your organisation, I would love to hear from you.

It was an inspiring day at Engage London, hosted by Everest Group — an event that brings together leaders and innovators shaping the future of global business services (GBS), sourcing, and technology. I was honoured to deliver the closing Keynote: "The Connected Advantage with AI: From Ambition to Scaled Value." My session explored how organisations can move beyond AI experimentation and isolated pilots, by connecting strategy, data, people, process and governance. The real competitive advantage comes when AI is not treated as a standalone initiative, but as a business-wide capability that delivers trusted, measurable value at scale. I also spoke about the importance of strong leadership, readiness across people and process, and building the right foundations to scale AI responsibly. I've now written three books on applying AI to business — the most recent published in November 2025 — but in a field moving this fast, staying current is a daily discipline, not a one-time effort. Events like Engage London are genuinely invaluable for that reason, and I came away with a great deal to reflect on. The panel sessions were particularly rich, and several themes stood out: GBS leaders are becoming the custodians of experience. They are increasingly orchestrating work with a bird's-eye view across the total workforce — a significant shift in how the function is understood and valued. The "3 Ss" were a standout insight: self-service, self-adaptation, and self-healing. These three principles offer a compelling framework for thinking about where intelligent automation is heading. GBS has a critical role in governing the AI estate. Trusted data, and people and process readiness, were highlighted as non-negotiables — not optional extras — in any serious AI programme. Resilience remains central to sustained competitive advantage. Amid so much disruption and uncertainty, the organisations that build resilience into their operations will be the ones that endure. One comment that particularly resonated was around intellectual curiosity as a leadership quality. In the AI era, the ability and willingness to keep asking questions is arguably as important as any technical skill. Another powerful observation was about the human dimension of AI adoption: enabling humans to act at the pace of AI, while AI strives to act with the empathy of humans. It's a thought-provoking framing that I'll be carrying into future conversations. There were also excellent insights from Rolls-Royce — a company I had the pleasure of collaborating with for my previous book launch. The reflections shared on cultural change driving sustained behavioural change were memorable: embedding the right mindset into hiring, onboarding and assessment criteria; the shift from awareness to daily habits; and ensuring governance is underpinned by constant dialogue and feedback rather than top-down mandates. Well done to the entire Everest Group team for curating such a thought-provoking event and for the excellent organisation throughout the day. To find out more about Katie's keynote topics and availability, visit the Keynotes page.