When AI Starts Acting Alone: What UK Boards Must Govern Now
Agentic AI systems — those that reason, plan, and take autonomous action across workflows — are already embedded in UK enterprises. Research published by Logicalis in May 2026 found that 87% of UK business IT decision-makers use agentic AI systems, yet only one in four have strong governance in place. For UK boards, that gap is now a liability — not a future concern.
What Is Agentic AI and Why Does It Change the Board’s Responsibilities?
Unlike traditional AI tools that generate outputs for human review, agentic AI systems act. They execute tasks, call external systems, write and deploy code, and make sequential decisions without waiting for human confirmation. A customer service agent that escalates, investigates, and resolves complaints. A procurement tool that searches, negotiates, and commits spend. A finance assistant that reconciles anomalies and triggers payment workflows. These systems extend the organisation’s operational footprint well beyond what any existing governance register tracks.
The board’s responsibility shifts from asking “what did the AI recommend?” to asking “what did the AI do, on whose authority, and can we reverse it?” That is a fundamentally different question — and most UK boards are not yet asking it. The tools and frameworks built for advisory AI do not transfer cleanly to systems that act in the world.
Executive Action
- Request a full inventory of every AI system with autonomous action capability deployed across the organisation — including those operated by third-party vendors.
- Ask your CTO or CIO to classify each system by level of autonomy and potential business, financial, or regulatory impact.
- Confirm that any agentic AI with customer-facing, financial, or regulated outcomes has explicit board-level sign-off and documented oversight ownership.
What Does the Regulatory Picture Look Like for UK Boards?
The regulatory signal is unambiguous. In May 2026, the FCA and Bank of England issued a joint statement on frontier AI models and cyber resilience, treating advanced autonomous AI deployment as a systemic risk issue rather than a purely operational one. In April 2026, KPMG and INSEAD jointly launched global AI Board Governance Principles, explicitly acknowledging that existing frameworks were not designed for systems that act rather than advise.
The UK government has not produced a dedicated AI Act, instead pursuing a principles-driven approach built around safety and robustness, transparency, fairness, accountability, and contestability. The AI minister has stated clearly that existing legislation — UK GDPR, the Equality Act 2010, the Consumer Rights Act, and online safety law — already applies to agentic AI outcomes. Boards cannot wait for bespoke legislation to arrive. The FCA’s 2025–2030 strategy signals explicitly that firms demonstrating poor governance of AI systems will receive more intensive supervisory attention, not less.
Executive Action
- Brief the board on the FCA and Bank of England’s May 2026 joint statement and confirm whether it creates direct obligations for your organisation’s AI deployments.
- Review your existing Model Risk Management policy: most such policies written before 2024 do not cover agentic AI and will require material revision.
- Audit ICO data processing agreements for agentic AI workflows — these systems routinely process personal data through chains of automated decisions where lawful basis is often undocumented.
How Should Boards Build Governance That Actually Works?
The KPMG/INSEAD framework and the WEF board playbook for agentic AI converge on four governance foundations that boards must embed — not delegate.
Authority boundaries. Every agentic system must have explicit, documented limits on what it is permitted to do without human confirmation. Those limits must be technically enforced, not just written in a policy that no system reads.
Audit infrastructure. Every consequential action taken by an agentic system must be logged, attributable, and retrievable on demand. Logging model inputs and outputs is not sufficient — you need a record of the decisions and actions the system took in the world.
Reversibility. Where possible, agentic AI workflows should be designed for human override and rollback. For irreversible actions — a payment committed, a contract executed, a customer communication sent — the threshold for autonomous execution must be set conservatively and reviewed at board level.
Genuine human oversight. The right question is not “is there a human in the loop?” but “does that human have the information, time, and authority to actually intervene?” Research suggests the answer is frequently no: oversight is present on paper but not in practice. According to IBM’s Cost of a Data Breach analysis, organisations without AI governance policies pay an average of $670,000 more per breach — the cost of inaction is quantifiable. Boards can benchmark current AI oversight maturity using the executive governance assessment tools at Informd or work from the AI governance templates to structure remediation priorities.
Executive Action
- Require legal and risk functions to review all agentic AI contracts with third-party vendors — specifically indemnity clauses, liability allocation, and audit rights when the system acts erroneously.
- Commission a “genuine oversight audit” for each agentic system: document where real human decision-making exists versus where the process assumes it but does not deliver it.
- Set board-level KPIs for AI governance maturity, reported at least annually alongside financial and operational risk indicators.
What Are the Risks for Boards That Wait?
By the end of 2026, research suggests more than 80% of enterprises deploying generative AI will require formal governance frameworks, up from fewer than 20% in 2024. Boards that have not built that infrastructure will be retroactively trying to govern systems already embedded in business-critical workflows, under regulatory scrutiny and with limited room to manoeuvre.
The regulatory exposure is only part of the picture. When an agentic system makes a consequential error — and statistically, it will — the board will face a direct question: what governance was in place? “We left it to the technology team” is not an answer that satisfies the FCA, institutional investors, or employees navigating AI-driven organisational change. Boards that can point to documented authority boundaries, audit logs, and a clear escalation path are in a materially different position to those that cannot. Explore the INFORMD executive briefing library for further intelligence on AI governance developments and what your peers are doing.
INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence.
Frequently Asked Questions
What is the difference between agentic AI and traditional AI for board governance purposes?
Traditional AI tools generate recommendations or outputs that a human then acts on — the human remains the decision-maker. Agentic AI systems take actions autonomously: they can browse the web, execute code, send communications, process transactions, and chain multiple decisions together without waiting for human approval at each step. This changes governance from reviewing outputs to setting and enforcing boundaries on autonomous behaviour — a significantly more demanding board responsibility.
Does UK law already regulate agentic AI, or is there a specific AI Act coming?
The UK government has not introduced a dedicated AI Act. An anticipated bill did not materialise in 2025, and current policy favours a principles-driven, sector-based approach. However, existing legislation — UK GDPR, the Equality Act 2010, the Financial Services and Markets Act, the Consumer Rights Act, and Companies Act 2006 director duties — already applies to the outcomes of agentic AI systems. Boards cannot use the absence of a specific AI law as grounds for inaction.
Which sectors face the most immediate regulatory pressure on agentic AI governance?
Financial services face the most immediate pressure, given the FCA and Bank of England’s May 2026 joint statement on frontier AI and cyber resilience. Healthcare and pharmaceutical boards face obligations under MHRA guidance. Any organisation subject to DORA (the EU Digital Operational Resilience Act), including UK firms with EU operations, must address agentic AI under its ICT risk management requirements. The FRC’s 2024 UK Corporate Governance Code also reinforces that boards are responsible for all material operational risks, which increasingly include autonomous AI systems.
How should a UK board assess its current agentic AI governance maturity?
A practical starting point is a structured maturity assessment covering four dimensions: inventory completeness (do you know every agentic system deployed?), authority documentation (are limits technically enforced?), audit capability (can you reconstruct what each system did and why?), and human oversight reality (is oversight genuine or nominal?). INFORMD’s executive tools and assessments provide structured frameworks for boards beginning this process, alongside governance templates for documenting AI oversight policies.
