Governing AI agents: What organisations need to consider

According to PWC’s 2025 AI agent survey, 79% of the senior executives surveyed confirmed that AI agents are already being adopted in their companies. These systems do more than simply support decision-making. Unlike LLMs or chatbots, agents can autonomously retrieve information, interact with systems, and act with limited human input. 

This level of autonomy changes the risk profile and raises new governance, data protection, and accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. challenges. The biggest risk for any organisation is not the use of AI agents, but deploying them without the frameworks, skills, and oversight needed to manage their impact. 

In this blog, we explore what AI agents are, how AI regulation varies across jurisdictions, and the key accountability and data protection considerations organisations should address before deployment. 

• What is an AI agent and why do they change the risk profile? 
• Key governance risks with AI agents and how to mitigate them
• AI regulation around the globe and operating AI agents across borders 
• Tips for robust AI agent governance 

What is an AI Agent and why do they change the risk profile?

An AI agent is a system designed to operate with a degree of autonomy, moving beyond simple prompt-and-response tools. In practice, AI agents can plan and carry out multi-step tasks, make decisions or recommendations, retrieve information from multiple data sources, and interact with internal systems and third-party tools. 

What differentiates AI agents from the more familiar chatbots and LLMs is that they operate within systems, rather than just generating outputs. This makes governance, accountability, and data access essential design considerations. 

Key governance risks with AI agents and how to mitigate them

AI agents may present use case-specific challenges, but several governance risks are common across AI agent deployments in any sector. 

1. Access can extend further than intended 

Over time, more access is added without revisiting the original risk assessment. If access isn’t constrained and reviewed regularly, data minimisationThe third GDPR principle, requiring organisations to only collect the personal data that is truly necessary to fulfill each purpose for data processing. is at risk. 

Tip: Apply least-privilege access and periodically review permissions to ensure they remain aligned to the agent’s defined purpose. 

2. AI decisions lack a single accountable owner

Often multiple departments are involved when an agent triggers actions across workflows. The organisation as a whole is accountable, but ownership is fragmented. 

Tip: Assign clear accountability for each AI agent, including responsibility for oversight, escalation, and sign-off. 

3. Lack of traceability in multi-step decision-making 

When agents plan multi-step actions, it can be difficult to show what data was used and why a particular path was chosen. This becomes a problem during audits or when responding to a DSAR. 

Tip: Ensure AI agents generate appropriate audit logs and decision records, so actions can be explained when required. 

4. Changes after deployment 

Updates to prompts, models, data sources, or tools can gradually expand what an agent does, often without a clear reassessment of the associated risks. Over time, this can lead to function creep and unintended processing. 

Tip: Establish formal change controls so that any material updates trigger a review of risk, governance measures, and approvals before changes go live. 

5. Small errors scale immediately  

Where AI-driven decisions affect customers or employees, even small mistakes can propagate quickly. This increases regulatory risk and can swiftly undermine customer and stakeholderAn individual with an interest or concern in something (i.e. a Social Worker, Healthcare Professional, Headteacher etc. in respect of the welfare of a child). trust. 

Tip: Build in safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... such as human review thresholds and escalation mechanisms for higher-risk decisions. 

AI regulation around the globe and operating AI agents across borders

One of the biggest challenges for organisations is that AI governanceThe framework of policies, processes, and roles that ensure Artificial Intelligence (AI) is developed and used responsibly, ethically, and in compliance with applicable laws, societal expectations, and corporate values.  is not standardised internationally. For businesses operating across jurisdictions, this means governance cannot be designed around a single regulatory regime.  

Organisations need AI governance controls that scale across borders, adapt to differing regulatory expectations, and stand up to the most stringent requirements. This is particularly important for AI agents, which often operate across systems, datasets, and geographies simultaneously. 

Below, we explore how AI governance is regulated around the world. 

European Union

The EU has adopted a risk-based approach through the EU AI ActThe EU Artificial Intelligence Act was approved by the EU Council on 21 March 2024. A world-first comprehensive AI law, intended to harmonise rules for the development, deployment, and use of artificial intelligence systems across the EU., with obligations determined by how AI systems are used and the level of risk they create for individuals. This sits alongside the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)., which continues to govern personal dataInformation which relates to an identified or identifiable natural person. processing. 

Whilst the EU AI Act entered into force in 2024, the majority of its obligations will apply from 2026. This marks a shift from policy development to active enforcement at both EU and national level, signalling increased regulatory scrutiny. 

For organisations deploying AI agents, this means governance must be considered before deployment. How an agent is classified, where it is used, and an organisation’s role in the AI lifecycle all shape the level of oversight, documentation, and control expected. 

Learn more about the EU AI Act 

United Kingdom

The UK has not yet introduced a single AI regulation. Instead, it relies on a principles-based approach supported by existing law, with the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. playing a central role. 

For AI agents, Article 22 of the UK GDPR is often a key pressure point where systems make solely automated decisions that have legal or similarly significant effects on individuals. Organisations must therefore be confident about where automationA process or a system that operates automatically. is occurring, how humans remain involved, and how decisions can be challenged. 

Canada

Canada does not yet have a comprehensive AI-specific law in force. Proposed federal legislation under Bill C-27, including the Artificial IntelligenceThe use of computer systems to perform tasks normally requiring human intelligence, such as decision-making, speech recognition, translation etc. and Data Act (AIDA), has stalled, leaving uncertainty around future national AI obligations. 

However, this does not mean AI agents operate in a regulatory vacuum. AI governance in Canada is currently shaped by the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs personal data processing, and provincial regimes such as Quebec’s Law 25.  

For organisations, this means governance approaches need to be robust enough to meet existing obligations while remaining adaptable as regulation evolves. 

United States 

The US does not currently have a single federal AI law. Instead, AI governance is emerging through a patchwork of state-level legislation, alongside privacy, consumer protection, and anti-discrimination law.

In December 2025, President Trump issued an AI Executive Order in a bid to prevent further fragmentation by discouraging state-level divergence. It promotes a single national approach, and although it does not create a binding federal law, it uses executive authority to influence state action and lay the groundwork for potential future legislation.

For organisations deploying AI agents, this creates a period of transition rather than clarity. State requirements continue to apply, particularly in high-risk contexts such as employment, finance, and consumer decision-making. 

For organisations operating across multiple states, scalable governance and reusable documentation remain essential, both for managing current state-level obligations and to adapt quickly as a national framework is developed.

Tips for robust AI agent governance 

• Assign ownership

Organisations should decide who is responsible for approving AI agent use cases, signing off risk assessments, and overseeing ongoing performance and change. This may sit with an AI OfficerAn individual responsible for overseeing the ethical, legal, and effective use of Artificial Intelligence (AI) within an organisation. or form part of an existing role, such as the DPO. What matters most is not the job title, but that accountability is clearly defined.

AI Officers vs DPOs

• Define clear boundaries

Clear limits should be set on what an AI agent is designed to do. This includes documenting the agent’s purpose and intended outcomes, the decisions it can make or influence, actions that are explicitly prohibited, and the data sources and tools it is permitted to access. Defined boundaries help prevent scope creep and support data minimisation. 

• Ensure the right capability is in place

Effective AI governance depends on having the right mix of skills and experience. Organisations should ensure they have access to appropriate technical, product, legal, and compliance expertise to design, assess, and oversee AI agents throughout their lifecycle. In practice, this is often where skills gaps become most visible.  

• Build meaningful human oversight

Human oversight should be proportionate to risk and capable of meaningful intervention. This may include validating outputs, setting escalation routes, enabling overrides, and maintaining audit trails. This is particularly important where automated decision-making may apply. 

• Monitor for biases and unfair outcomes

Organisations should take steps to identify and monitor potential bias or unfair outcomes introduced by AI agents. This includes reviewing outputs over time, assessing patterns in decision-making, and ensuring that automated processes do not disadvantage individuals or groups without justification. 

• Embed governance into existing processes 

AI governance should not sit in isolation. AI agents should be incorporated into existing Records of Processing Activities (RoPAs), risk management, privacy documentation, and security frameworks. Governance should remain live, with risks reviewed regularly as systems, use cases, and regulations evolve. 

The DPO Centre works closely with organisations to assess AI risk and provide practical governance support for deploying AI systems with confidence. Contact us to learn more about our AI services.

In case you missed it…

• Data protection & AI governance 2025-2026
• AI Officer vs DPO: Defining roles in AI governance 
• Using AI for DSAR responses: What every organisation should know