Beyond AI Theatre - Towards a Governed Agentic Architecture for Governance, Risk and Compliance

Beyond AI Theatre argues that the future of Governance, Risk and Compliance lies not in conversational AI, but in governed agentic systems that combine contextual intelligence, autonomous action, and accountable decision-making.

Sanchez P.

6/18/2026, 29 min read

Abstract

The emergence of agentic artificial intelligence (AI) is reshaping organisational expectations regarding the future of Governance, Risk and Compliance (GRC). While advances in generative AI have enhanced capabilities such as regulatory analysis, policy drafting, evidence review, and compliance monitoring, many solutions currently marketed as “agentic” remain fundamentally assistive rather than genuinely autonomous. This distinction is particularly significant in governance environments where accountability, transparency, and regulatory compliance are critical organisational requirements.

This paper develops a conceptual framework for Agentic Governance, Risk and Compliance (AGRC) by synthesising insights from AI governance, enterprise risk management, knowledge graph research, and agentic systems theory. Drawing upon contemporary literature, the paper argues that authentic organisational agency requires substantially more than conversational intelligence or workflow automation. Instead, trustworthy agentic systems must combine six interconnected capabilities: observation, contextualisation, reasoning, decision support, governed action, and organisational learning.

The proposed AGRC framework conceptualises governance as a closed-loop socio-technical system in which continuous evidence collection, contextual intelligence, adaptive reasoning, and governance-constrained autonomy operate together to support organisational objectives. The paper further identifies five foundational governance requirements for agentic GRC systems: explainability, accountability, assurance, human oversight, and operational resilience. These mechanisms are presented as essential safeguards for maintaining trust, transparency, and control as organisations increase the autonomy of governance technologies.

The study contributes to the emerging literature on agentic AI by providing a framework for distinguishing genuine agency from advanced automation and by establishing a governance architecture through which organisations can evaluate, deploy, and govern agentic systems responsibly. The findings suggest that the future of GRC lies not in replacing human judgement but in creating governed partnerships between human decision-makers and intelligent systems capable of contextual understanding, adaptive action, and continuous organisational learning.

Keywords: Agentic AI, Governance Risk and Compliance, AI Governance, Enterprise Risk Management, Knowledge Graphs, Autonomous Agents, Explainable AI, Digital Governance

1. Introduction

Artificial intelligence (AI) is rapidly transforming governance, risk management, and compliance (GRC) functions across both public and private sector organisations. Advances in generative AI have enabled organisations to automate and augment activities such as regulatory analysis, policy drafting, control mapping, audit evidence review, risk assessment, and compliance monitoring. These capabilities promise significant improvements in efficiency, consistency, and decision support, particularly in environments characterised by increasing regulatory complexity and growing volumes of operational data (Batool, Zowghi and Bano, 2025).

The emergence of large language models (LLMs) and foundation models has accelerated organisational interest in AI-enabled governance capabilities. However, a growing distinction has emerged between systems that assist human decision-makers and systems that exhibit genuine agency. Recent developments in agentic AI have introduced architectures capable of reasoning across multiple steps, maintaining memory, invoking external tools, coordinating workflows, and taking actions in pursuit of defined objectives (Bommarito, Katz and Bommarito, 2025; Raza et al., 2025). These capabilities have prompted many technology vendors to position their offerings as “agentic” solutions capable of transforming governance and compliance operations.

Despite the growing use of the term, there remains considerable ambiguity regarding what constitutes genuine agency in enterprise environments. Much of the current market discourse conflates conversational interaction, workflow automation, and generative content creation with autonomous reasoning and action. Industry analysis suggests that many products marketed as agentic AI are, in practice, enhanced user interfaces layered onto existing systems of record rather than architectures capable of contextual reasoning, autonomous planning, and governed execution (GRC 20/20 Research, 2026). This phenomenon risks creating unrealistic expectations regarding both the capabilities and limitations of AI-enabled governance technologies.

The distinction between assistive and agentic AI is particularly significant within GRC functions because governance activities operate under conditions of accountability, regulatory scrutiny, and organisational risk. Unlike general productivity applications, GRC systems influence decisions related to regulatory compliance, operational resilience, risk treatment, internal controls, third-party oversight, and corporate governance. Consequently, organisations require systems that can not only generate outputs but also demonstrate traceable reasoning, maintain evidence-based decision processes, operate within predefined governance boundaries, and support independent assurance activities (Batool, Zowghi and Bano, 2025).

At the same time, the increasing complexity of organisational ecosystems presents challenges that exceed the capabilities of traditional rule-based automation. Modern enterprises operate through interconnected networks of business processes, technologies, suppliers, regulations, controls, assets, and stakeholders. Risks propagate through these interconnected relationships rather than existing as isolated events. Recent research suggests that graph-based representations and contextual knowledge architectures offer significant advantages for modelling such complexity and supporting enterprise-wide risk intelligence (Li et al., 2024). These developments create an opportunity to rethink how AI can support governance functions by moving beyond static systems of record towards systems capable of contextual understanding and adaptive decision support.

The emergence of agentic AI therefore raises a fundamental question for both researchers and practitioners: what architectural, governance, and assurance capabilities are required before AI systems can be considered genuinely agentic within Governance, Risk and Compliance environments? Existing literature provides valuable insights into AI governance, enterprise risk management, explainable AI, and autonomous systems, yet there remains limited research integrating these domains into a coherent framework specifically designed for GRC operations (Batool, Zowghi and Bano, 2025; Raza et al., 2025).

This paper addresses that gap by developing a conceptual framework for Agentic Governance, Risk and Compliance (AGRC). The framework argues that authentic agency requires substantially more than language generation or workflow automation. Instead, agentic GRC systems must combine continuous observation, contextual intelligence, reasoning, decision support, governed action, and organisational learning within a controlled governance architecture. By integrating concepts from AI governance, enterprise risk management, knowledge graph research, and agentic systems theory, the paper proposes a structured model through which organisations can evaluate claims of agentic capability while maintaining accountability, transparency, and regulatory compliance.

Accordingly, the paper addresses three research questions:

  1. What differentiates agentic AI from assistive AI within Governance, Risk and Compliance contexts?

  2. What architectural components are necessary to support trustworthy and effective agentic GRC systems?

  3. How can organisations govern agentic systems while maintaining accountability, transparency, and regulatory compliance?

By answering these questions, the study contributes to the emerging literature on agentic AI governance and provides a practical framework for organisations seeking to move beyond AI experimentation towards governed operational deployment.

2. Literature Review

2.1 AI Governance and Enterprise Risk

The rapid adoption of artificial intelligence has elevated AI governance from a technical concern to a strategic organisational imperative. AI governance encompasses the policies, processes, controls, and accountability mechanisms required to ensure that AI systems operate in a safe, ethical, transparent, and legally compliant manner (Batool, Zowghi and Bano, 2025). As organisations increasingly rely on AI-driven decision-making, governance frameworks have evolved beyond model performance considerations to include issues of explainability, accountability, fairness, security, privacy, and organisational oversight.

Recent scholarship highlights that effective AI governance requires a socio-technical perspective in which technical controls are complemented by organisational structures, policies, and assurance mechanisms (Mökander and Floridi, 2021). This perspective has become particularly important as AI systems move from predictive analytics toward increasingly autonomous forms of operation. While traditional machine learning systems typically generate recommendations that remain subject to human interpretation, emerging agentic systems may independently plan, reason, invoke tools, and execute actions in pursuit of predefined goals (Bommarito, Katz and Bommarito, 2025).

The governance implications of this transition are substantial. Existing governance frameworks, including the NIST AI Risk Management Framework and OECD AI Principles, emphasise transparency, accountability, robustness, and human oversight as foundational requirements for trustworthy AI deployment (NIST, 2023; OECD, 2024). However, these frameworks were largely developed during an era dominated by predictive and generative AI systems rather than autonomous agents capable of dynamic decision-making. Consequently, emerging research increasingly focuses on runtime governance, behavioural monitoring, and continuous assurance mechanisms capable of managing autonomous AI behaviour (Raza et al., 2025).

From a governance perspective, the challenge is not simply whether AI systems produce accurate outputs but whether their behaviour remains aligned with organisational objectives, regulatory obligations, and risk tolerances. This introduces a need for governance architectures capable of monitoring not only model performance but also agent behaviour, decision pathways, and operational consequences.

2.2 Enterprise Risk Management and Contextual Intelligence

Enterprise Risk Management (ERM) has evolved significantly over the past two decades. Traditional risk management approaches often treated risks as discrete events managed within organisational silos. Contemporary ERM frameworks, by contrast, recognise risk as an interconnected organisational phenomenon that emerges through relationships among processes, assets, stakeholders, technologies, suppliers, regulations, and strategic objectives (COSO, 2017).

The interconnected nature of modern enterprises creates significant challenges for conventional governance technologies. Risks rarely occur in isolation; rather, they propagate through complex networks of dependencies. Cybersecurity incidents may trigger operational disruptions, regulatory breaches, reputational damage, and financial losses simultaneously. Similarly, changes in regulatory obligations may affect multiple business processes, control frameworks, and third-party relationships.

To address this complexity, researchers have increasingly explored contextual intelligence approaches that emphasise relationships rather than isolated data elements. Contextual intelligence refers to the ability to understand information within its broader organisational environment and to interpret events in relation to objectives, dependencies, and constraints (Iansiti and Lakhani, 2020).

Knowledge graph technologies have emerged as a particularly promising mechanism for supporting contextual intelligence within risk management environments. Knowledge graphs represent entities and their relationships as interconnected networks, enabling organisations to model dependencies among risks, controls, policies, regulations, assets, and business processes (Hogan et al., 2021). Unlike traditional relational databases, graph structures preserve semantic relationships and support complex reasoning across organisational domains.

Li et al. (2024) argue that knowledge graphs can significantly enhance enterprise risk management by enabling contextual reasoning, improved risk identification, impact analysis, and more effective decision support. Their findings suggest that graph-based architectures are particularly valuable in environments characterised by high complexity, uncertainty, and interdependence. Such capabilities are increasingly relevant as organisations seek to deploy AI systems capable of understanding organisational context rather than merely processing isolated data points.

2.3 Agentic AI and Organisational Decision-Making

The emergence of agentic AI represents one of the most significant developments in contemporary artificial intelligence research. While generative AI systems focus primarily on content creation and conversational interaction, agentic systems seek to combine reasoning, planning, memory, tool utilisation, and autonomous action within a unified operational framework (Bommarito, Katz and Bommarito, 2025).

Recent advances in large language models have enabled the development of AI agents capable of decomposing complex tasks, selecting tools, coordinating workflows, retrieving information, and adapting behaviour based on environmental feedback (Wang et al., 2024). Such systems increasingly resemble goal-directed actors rather than traditional software applications. This shift has generated significant interest among organisations seeking to automate knowledge-intensive business processes.

However, autonomy introduces substantial governance and risk management challenges. Agentic systems may exhibit emergent behaviours that were not explicitly programmed by their designers. They may interact with external systems, access organisational resources, initiate transactions, or influence business decisions. Consequently, evaluating agentic systems requires broader criteria than traditional measures of model accuracy or linguistic performance.

Research increasingly suggests that trustworthiness in agentic systems depends upon explainability, observability, controllability, and auditability (Raza et al., 2025). Explainability enables stakeholders to understand how decisions are reached. Observability provides visibility into agent behaviour and system interactions. Controllability ensures that organisational actors can constrain or intervene in agent actions when necessary. Auditability supports retrospective examination and regulatory accountability.

These requirements are particularly important within GRC environments where decisions often carry legal, financial, operational, and reputational consequences. Unlike customer-service applications or productivity tools, governance systems operate within highly regulated contexts where evidence, traceability, and accountability are essential. Autonomous decision-making therefore cannot be separated from governance considerations.

The literature consequently suggests that successful deployment of agentic AI in GRC environments requires architectures that combine autonomous capability with governance controls. Agency without governance creates unacceptable organisational risk, while governance without contextual intelligence limits the potential value of AI-enabled decision support.

2.4 Research Gap

Although significant advances have been made in AI governance, enterprise risk management, knowledge graph technologies, and agentic AI research, these streams of literature remain largely disconnected. Existing AI governance research focuses primarily on oversight and risk mitigation. Enterprise risk management research emphasises contextual understanding and organisational resilience. Agentic AI literature concentrates on autonomous reasoning and action. Knowledge graph research addresses contextual representation and semantic reasoning.

Few studies have examined how these domains can be integrated into a unified architecture specifically designed for Governance, Risk and Compliance functions. Consequently, there remains limited guidance regarding how organisations can deploy agentic systems capable of reasoning, acting, and learning while maintaining accountability, transparency, and regulatory compliance.

This gap is particularly significant given increasing industry claims regarding agentic GRC solutions. Existing literature provides limited frameworks for distinguishing genuine organisational agency from advanced workflow automation or conversational AI. There is therefore a need for a conceptual model that integrates contextual intelligence, autonomous reasoning, governed action, and organisational learning within a coherent governance architecture.

The Agentic Governance, Risk and Compliance (AGRC) framework proposed in this paper seeks to address this gap by synthesising insights from AI governance, enterprise risk management, knowledge graph research, and agentic systems theory into a unified model for trustworthy agentic GRC.

3. From Assistive AI to Agentic GRC

The evolution of artificial intelligence within Governance, Risk and Compliance (GRC) functions can be understood as a progression from information support toward autonomous organisational action. While contemporary AI technologies have significantly enhanced productivity within governance processes, most enterprise deployments remain fundamentally assistive rather than agentic. Understanding this distinction is essential because it shapes both organisational expectations and governance requirements.

Historically, GRC technologies were designed as systems of record. Their primary purpose was to document risks, controls, policies, incidents, audits, and compliance obligations. Subsequent generations of workflow automation introduced rule-based processes capable of executing predefined actions under specified conditions. Although these technologies improved efficiency, they remained dependent upon human-defined logic and largely lacked the ability to reason about changing circumstances.

The emergence of generative AI has introduced a further layer of capability. Large language models can summarise regulations, classify evidence, draft policies, answer compliance questions, and support audit activities through natural language interaction. These capabilities have significantly improved knowledge accessibility and operational efficiency across governance functions (Batool, Zowghi and Bano, 2025). However, despite their sophistication, generative AI systems primarily function as assistive technologies. They generate outputs in response to prompts but generally do not maintain objectives, independently formulate plans, evaluate alternatives, or execute actions within organisational environments.

Recent advances in agentic AI seek to address these limitations by integrating reasoning, planning, memory, tool utilisation, and action execution into a unified operational framework (Wang et al., 2024). Rather than simply responding to requests, agentic systems are designed to pursue goals, adapt to changing circumstances, and coordinate multiple activities to achieve desired outcomes. In this sense, agency refers not merely to intelligence but to the capacity for goal-directed behaviour within a defined environment.

This distinction is particularly important because linguistic fluency is often mistaken for operational capability. Large language models can generate highly persuasive explanations and recommendations, creating the impression of deep understanding. Yet fluency alone does not constitute agency. Genuine agency requires the ability to observe environmental conditions, maintain contextual awareness, evaluate alternatives, select appropriate actions, and assess outcomes against objectives (Bommarito, Katz and Bommarito, 2025). A system that can explain a remediation strategy is fundamentally different from a system that can determine when remediation is necessary, initiate corrective actions, monitor implementation, and evaluate effectiveness.

Consequently, AI-enabled GRC systems can be conceptualised as existing along a continuum of increasing autonomy rather than within discrete categories. At the lowest level are assistive systems that augment human activities through information retrieval, summarisation, classification, and recommendation. These systems improve productivity but remain dependent upon human judgement and intervention. The next stage consists of automated systems that execute predefined workflows and decision rules. Such systems reduce operational effort but remain constrained by explicit programming and lack adaptive reasoning capabilities.

Agentic systems occupy a more advanced position on this continuum. They possess the ability to integrate information from multiple sources, maintain contextual awareness, reason about objectives, formulate plans, invoke tools, and execute actions subject to governance constraints (Raza et al., 2025). Importantly, agency does not imply unrestricted autonomy. Rather, effective enterprise agents operate within clearly defined boundaries established through governance policies, risk tolerances, authority limits, and accountability mechanisms.

Within GRC environments, autonomy without governance creates unacceptable organisational risk. Decisions related to compliance obligations, risk treatment strategies, regulatory reporting, and internal controls carry legal, financial, operational, and reputational consequences. Consequently, increasing levels of autonomy must be accompanied by corresponding increases in oversight, transparency, and assurance mechanisms. The challenge is therefore not simply to create more autonomous systems but to create systems whose autonomy remains observable, explainable, controllable, and auditable.

This requirement aligns with emerging Trust, Risk and Security Management (TRiSM) research, which emphasises that trustworthy autonomous systems require continuous monitoring, behavioural controls, explainability mechanisms, and human oversight structures (Raza et al., 2025). In highly regulated environments, governance must evolve from oversight of static systems to governance of dynamic decision-making agents. This represents a significant shift in both technology architecture and organisational accountability.

The limitations of many current "agentic" offerings become apparent when viewed through this lens. While numerous solutions provide conversational interfaces, workflow orchestration, or AI-assisted recommendations, relatively few demonstrate the capabilities associated with genuine organisational agency. Industry research suggests that many products marketed as agentic remain dependent upon predefined workflows, isolated data sources, and human-directed execution rather than autonomous contextual reasoning and governed action (GRC 20/20 Research, 2026). As a result, organisations require a more rigorous framework for evaluating claims of agency and distinguishing meaningful innovation from technological theatre.

The argument advanced in this paper is that genuine Agentic Governance, Risk and Compliance (AGRC) requires more than enhanced automation or conversational intelligence. It requires the integration of six interconnected capabilities: observation, contextualisation, reasoning, decision support, governed action, and organisational learning. Together, these capabilities enable AI systems not only to analyse governance information but also to operate as accountable participants within governance processes. The following chapter develops this proposition through a conceptual framework for AGRC designed to balance organisational autonomy with governance, accountability, and trust.

4. A Conceptual Framework for Agentic GRC

Building on the preceding discussion, this paper proposes the Agentic Governance, Risk and Compliance (AGRC) Framework as a conceptual architecture for trustworthy agentic systems operating within governance environments. The framework is designed to address a fundamental limitation of many contemporary GRC technologies: their inability to transform organisational information into governed action while maintaining accountability, transparency, and compliance.

Existing GRC platforms primarily function as systems of record, storing information relating to risks, controls, policies, incidents, audits, and regulatory obligations. While these platforms provide valuable visibility and reporting capabilities, they often rely upon human interpretation and intervention to transform information into decisions and actions. Agentic AI introduces the possibility of augmenting this process through systems capable of contextual reasoning, adaptive decision support, and controlled execution. However, autonomy alone is insufficient. To be trustworthy within governance environments, agentic systems must operate within explicit organisational boundaries and remain subject to oversight and assurance mechanisms.

The AGRC framework conceptualises governance as a continuous organisational learning cycle consisting of six interconnected capabilities: Observation, Contextualisation, Reasoning, Decision Support, Governed Action, and Organisational Learning. Together, these capabilities form a closed-loop architecture through which evidence is transformed into organisational outcomes and those outcomes subsequently inform future governance decisions.

Unlike traditional automation architectures, which typically follow predefined rules and workflows, AGRC emphasises contextual intelligence, adaptive reasoning, and governance-constrained autonomy. The framework therefore integrates insights from enterprise risk management, knowledge graph research, AI governance, cybernetic control theory, and agentic systems literature into a unified model specifically designed for governance functions (COSO, 2017; Li et al., 2024; Batool, Zowghi and Bano, 2025).

4.1 Observation

Observation constitutes the foundation of the AGRC framework. Effective governance requires awareness of organisational reality, and such awareness depends upon the continuous collection of evidence from across the enterprise. Traditional governance programmes often rely upon periodic assessments, manual reviews, and retrospective reporting. While these approaches provide valuable insights, they may fail to capture rapidly evolving operational conditions.

Within AGRC, observation refers to the continuous acquisition of evidence from both internal and external sources. These evidence streams may include operational telemetry, security events, transaction records, compliance monitoring data, audit findings, regulatory updates, supplier assessments, and third-party assurance reports. Continuous observation transforms governance from a periodic activity into an ongoing organisational capability.

The importance of observation is consistent with contemporary approaches to continuous controls monitoring and operational resilience, both of which emphasise real-time visibility into organisational risk conditions (COSO, 2017). Without observational capability, agentic systems reason over static representations of reality rather than current organisational conditions. Consequently, observation serves as the primary mechanism through which AGRC systems maintain situational awareness.

4.2 Contextualisation

Observation alone does not create understanding. Governance decisions require interpretation of evidence within organisational context. The same event may carry different implications depending upon regulatory obligations, business objectives, control environments, risk appetites, or operational dependencies.

Contextualisation refers to the process through which observed evidence is connected to organisational knowledge structures. This capability transforms isolated data points into meaningful information by establishing relationships among risks, controls, policies, regulations, assets, business processes, stakeholders, and strategic objectives.

Knowledge graph architectures provide a particularly effective foundation for contextualisation because they represent organisational knowledge as networks of interconnected entities and relationships (Hogan et al., 2021). Recent research demonstrates that graph-based approaches improve enterprise risk management by enabling reasoning across complex organisational dependencies and facilitating impact analysis across multiple domains (Li et al., 2024).

Within the AGRC framework, contextualisation functions as the organisational memory layer. It provides the semantic structure necessary for understanding how events relate to governance objectives and allows agentic systems to reason about consequences rather than merely identifying occurrences. This capability distinguishes contextual intelligence from conventional data management approaches that treat governance artefacts as isolated records.
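The risk propagation described in Section 2.2 and the graph-based contextualisation described in this section can be made concrete with a small dependency graph. The following Python is an added example written for this page, not code from the paper or from any GRC product; the entity identifiers, relationship names and the rule that a failure propagates along outgoing edges are constructed assumptions. It shows why the same kind of event (something stops working) carries different governance implications depending on where it sits in the graph, and returns the traversal path for each affected node so the conclusion is explainable rather than just asserted.

```python
"""Constructed example: a small governance knowledge graph used for contextual
impact analysis. Node identifiers and relationships are illustrative only."""
from collections import defaultdict, deque


class GovernanceGraph:
    """Directed graph of governance entities. An edge src -rel-> dst means that a
    failure or change at src propagates to dst (dst depends on src)."""

    def __init__(self):
        self.node_type = {}                 # node id -> entity type
        self.out_edges = defaultdict(list)  # node id -> [(rel, dst)]
        self.in_edges = defaultdict(list)   # node id -> [(rel, src)]

    def add_node(self, node_id, node_type):
        self.node_type[node_id] = node_type

    def add_edge(self, src, rel, dst):
        for n in (src, dst):
            if n not in self.node_type:
                raise KeyError(f"unknown node {n!r}; add_node() it first")
        self.out_edges[src].append((rel, dst))
        self.in_edges[dst].append((rel, src))

    def impact(self, start, max_depth=6):
        """Breadth-first traversal downstream from `start`. Returns a dict mapping
        each reachable node to the list of hops that explains why it is affected;
        that path is the explainability record a reviewer can check."""
        paths = {}
        queue = deque([(start, 0, [])])
        seen = {start}
        while queue:
            node, depth, path = queue.popleft()
            if depth >= max_depth:
                continue
            for rel, dst in self.out_edges[node]:
                if dst in seen:
                    continue
                seen.add(dst)
                hop = f"{node} -{rel}-> {dst}"
                paths[dst] = path + [hop]
                queue.append((dst, depth + 1, path + [hop]))
        return paths

    def context(self, node):
        """Upstream relationships: what protects, provides or requires this node."""
        return sorted(f"{src} -{rel}-> {node}" for rel, src in self.in_edges[node])


def impact_summary(graph, start):
    """Group the affected nodes by entity type, sorted for stable output."""
    by_type = defaultdict(list)
    for node in graph.impact(start):
        by_type[graph.node_type[node]].append(node)
    return {t: sorted(nodes) for t, nodes in by_type.items()}


def demo_graph():
    """Constructed sample data; none of these identifiers refer to a real system."""
    g = GovernanceGraph()
    for node_id, node_type in [
        ("CTRL-MFA", "Control"), ("CTRL-Backup", "Control"),
        ("ASSET-ERP", "Asset"), ("ASSET-Fileshare", "Asset"),
        ("PROC-Payroll", "Process"), ("PROC-Invoicing", "Process"),
        ("PROC-HR-Records", "Process"), ("OBJ-PayStaffOnTime", "Objective"),
        ("REG-AccessControl", "Regulation"), ("SUP-CloudHost", "Supplier"),
    ]:
        g.add_node(node_id, node_type)
    g.add_edge("CTRL-MFA", "protects", "ASSET-ERP")
    g.add_edge("CTRL-MFA", "satisfies", "REG-AccessControl")
    g.add_edge("CTRL-Backup", "protects", "ASSET-Fileshare")
    g.add_edge("SUP-CloudHost", "provides", "ASSET-ERP")
    g.add_edge("ASSET-ERP", "supports", "PROC-Payroll")
    g.add_edge("ASSET-ERP", "supports", "PROC-Invoicing")
    g.add_edge("ASSET-Fileshare", "supports", "PROC-HR-Records")
    g.add_edge("PROC-Payroll", "delivers", "OBJ-PayStaffOnTime")
    return g


if __name__ == "__main__":
    g = demo_graph()
    # A failed control and a supplier outage both reach the ERP system, but only
    # the control failure touches a regulatory obligation.
    for event in ("CTRL-MFA", "SUP-CloudHost"):
        print(f"\nObserved failure at {event}:")
        for node, path in g.impact(event).items():
            print(f"  {node:<20} via {' / '.join(path)}")
        print("  summary:", impact_summary(g, event))
```

The `context()` method answers the inverse question (what protects or provides a given asset), which is what the framework calls the organisational memory layer: the same graph serves both forward impact analysis and backward justification.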

4.3 Reasoning

Reasoning represents the analytical core of the AGRC framework. Once evidence has been contextualised, the system must evaluate its significance, identify potential implications, and determine appropriate courses of action.

The AGRC framework adopts a pluralistic view of reasoning. No single AI paradigm is sufficient to address the full range of governance challenges. Different forms of reasoning are appropriate for different governance tasks.

Large language models provide capabilities for interpreting regulations, summarising evidence, and facilitating human communication. Machine learning techniques support anomaly detection, predictive analysis, and pattern recognition. Rules engines enforce policy requirements and regulatory obligations. Optimisation algorithms assist with resource allocation and prioritisation decisions. Knowledge graphs enable relationship-based reasoning across organisational dependencies.

This multi-model approach reflects emerging consensus that enterprise AI architectures increasingly rely upon the orchestration of complementary reasoning mechanisms rather than dependence upon a single technology stack (Wang et al., 2024). Within AGRC, reasoning is therefore viewed as an ensemble capability that combines symbolic, statistical, and generative methods to support governance objectives.

Importantly, reasoning within governance environments must remain explainable. Organisational stakeholders require visibility into how conclusions are reached, which evidence was considered, and which assumptions influenced recommendations. Explainability therefore becomes a functional requirement rather than a desirable feature.

4.4 Decision Support

Traditional AI systems frequently generate recommendations without explicitly evaluating alternatives. Governance decision-making, however, requires comparison among competing options, each of which may involve different costs, risks, benefits, and regulatory implications.

Decision support within AGRC therefore extends beyond recommendation generation. The objective is to assist decision-makers by systematically evaluating potential courses of action against organisational objectives and governance constraints. Relevant considerations may include risk reduction, regulatory compliance, operational feasibility, financial impact, resource requirements, stakeholder consequences, and evidence quality.

This capability reflects principles from decision theory and enterprise risk management, both of which emphasise the importance of evaluating uncertainty and trade-offs when selecting among alternatives (COSO, 2017). Rather than prescribing outcomes, AGRC systems provide structured analysis that enhances the quality, consistency, and defensibility of governance decisions.

Transparency is particularly important at this stage. Stakeholders must understand not only what recommendation is being made but also why alternative options were rejected. Such transparency strengthens accountability and supports independent review.

4.5 Governed Action

Governed action represents the defining characteristic of agentic systems. While assistive systems inform human decision-makers and automated systems execute predefined rules, agentic systems possess the capacity to initiate actions in pursuit of organisational objectives.

Within governance environments, however, autonomy cannot be unconstrained. Governance exists precisely because organisational actions carry consequences. Accordingly, AGRC incorporates the concept of governed action, whereby autonomous behaviour is permitted only within explicitly authorised boundaries.

Governed action may include initiating control assessments, requesting evidence, escalating incidents, assigning remediation tasks, updating risk registers, coordinating compliance activities, or triggering predefined workflows. The scope of authority granted to an agent is determined through governance policies and risk-based controls.

Key governance mechanisms include role-based access controls, segregation-of-duties requirements, approval thresholds, audit logging, exception management procedures, and rollback capabilities. These controls ensure that agent behaviour remains observable, controllable, and accountable.

The concept aligns closely with emerging research on AI agent governance, which emphasises that autonomy must be accompanied by monitoring, intervention mechanisms, and clearly defined authority boundaries (Bommarito, Katz and Bommarito, 2025). Within AGRC, the objective is not unrestricted automation but accountable organisational action.

4.6 Organisational Learning

The final capability of the AGRC framework is organisational learning. Governance systems generate substantial information regarding outcomes, effectiveness, failures, and emerging risks. Yet many organisations struggle to convert this information into institutional knowledge.

Organisational learning refers to the ability of AGRC systems to improve future governance activities based on prior experience. Learning may involve refining alert thresholds, improving risk scoring methodologies, optimising escalation procedures, identifying recurring control weaknesses, or enhancing remediation recommendations.

This capability reflects principles from cybernetic governance and adaptive systems theory, both of which emphasise feedback as a prerequisite for effective control (Wiener, 1948). Without learning mechanisms, governance systems remain reactive and fail to adapt to changing organisational conditions.

However, learning itself must be governed. Autonomous modification of governance policies, risk appetites, control standards, or regulatory interpretations could introduce significant organisational risk. Consequently, AGRC distinguishes between operational learning, which may be automated, and governance learning, which requires human oversight and approval.

Through organisational learning, the AGRC framework completes the governance cycle. Outcomes generated through governed action become new sources of evidence, feeding future observation and creating a continuous process of adaptation and improvement.

4.7 The AGRC Closed-Loop Architecture

The six capabilities should not be viewed as independent functions but as components of an integrated governance system. Observation provides awareness of organisational conditions. Contextualisation transforms observations into organisational knowledge. Reasoning evaluates implications and alternatives. Decision support structures choices. Governed action translates decisions into outcomes. Organisational learning incorporates feedback and improves future performance.

Together, these capabilities form a closed-loop governance architecture that enables organisations to move beyond static compliance management towards adaptive, evidence-driven governance. The framework therefore represents a transition from systems that document governance activities to systems that actively participate in governance processes while remaining accountable to organisational objectives, regulatory requirements, and human oversight.

5. Governance Requirements for Agentic GRC

The emergence of Agentic Governance, Risk and Compliance (AGRC) systems introduces a fundamental governance challenge: organisations must not only govern business activities but also govern the autonomous systems participating in those activities. As agentic systems acquire increasing capabilities for reasoning, planning, decision support, and action execution, traditional governance mechanisms become insufficient. Governance frameworks originally designed for static software applications or predictive AI models must evolve to address systems capable of dynamic and adaptive behaviour.

This challenge reflects a broader shift in organisational accountability. While agentic systems may automate elements of governance processes, responsibility for outcomes remains with the organisation. Consequently, trust in agentic GRC systems cannot be established solely through technical performance metrics. Organisations must ensure that autonomous capabilities operate within clearly defined governance structures that preserve transparency, accountability, controllability, and regulatory compliance (Batool, Zowghi and Bano, 2025; NIST, 2023).

The literature on trustworthy AI consistently identifies governance as a socio-technical concern requiring the integration of technological safeguards, organisational controls, and human oversight mechanisms (Mökander and Floridi, 2021). Building upon this literature, five governance requirements emerge as foundational for the deployment of AGRC systems: explainability, accountability, assurance, human oversight, and operational resilience.

5.1 Explainability

Explainability represents one of the most widely recognised requirements for trustworthy AI. Within governance environments, decisions frequently influence regulatory compliance, operational risk exposure, audit findings, and organisational accountability. Stakeholders therefore require the ability to understand how conclusions are reached and why particular actions are recommended or executed.

The importance of explainability increases as systems progress along the autonomy continuum. While users may tolerate limited transparency in low-risk applications, governance decisions require traceability and justification. Agentic systems must therefore provide visibility into the evidence utilised, reasoning processes performed, tools invoked, assumptions applied, and actions recommended or executed (Raza et al., 2025).

Within AGRC environments, explainability serves several purposes. First, it supports decision-makers who must evaluate recommendations before approving actions. Second, it enables auditors and regulators to review decision pathways retrospectively. Third, it strengthens organisational trust by reducing the opacity often associated with advanced AI systems.

Effective explainability should extend beyond model-level interpretations to encompass end-to-end decision transparency. Stakeholders should be able to answer fundamental governance questions: What information was considered? Which relationships influenced the analysis? Why was one option preferred over another? What governance constraints affected the outcome? Without such transparency, autonomous governance activities risk becoming difficult to justify or defend.

5.2 Accountability

Although agentic systems may perform increasingly sophisticated governance functions, they cannot assume organisational accountability. Accountability remains a human and institutional responsibility. Boards, executives, risk owners, compliance officers, and control owners retain responsibility for governance outcomes regardless of the technologies employed to support them.

The emergence of autonomous systems therefore requires organisations to establish clear accountability structures defining authority, responsibility, and oversight obligations (OECD, 2024). Ambiguity regarding accountability can create significant governance risks, particularly when autonomous actions affect regulatory compliance, financial reporting, cybersecurity, or operational resilience.

Within AGRC environments, accountability should be explicitly assigned across several dimensions. Responsibility must be established for defining objectives, configuring authority boundaries, approving autonomous actions, monitoring system behaviour, validating outcomes, and responding to failures. Agentic systems may execute activities, but they should never become the ultimate locus of accountability.

This principle aligns with emerging regulatory approaches to AI governance, which consistently emphasise meaningful human responsibility for AI-enabled decisions. Effective governance therefore requires organisations to maintain clear chains of accountability regardless of the sophistication of the underlying technology.

5.3 Assurance

Trustworthy governance requires independent verification. Historically, organisations have relied upon assurance mechanisms such as audits, control testing, regulatory examinations, and compliance reviews to evaluate the effectiveness of governance processes. As agentic systems become embedded within governance operations, equivalent assurance mechanisms will be required to evaluate autonomous behaviour.

AI assurance has emerged as an important area of research concerned with evaluating whether AI systems operate as intended and remain aligned with organisational objectives (Mökander and Floridi, 2021). Unlike conventional software assurance, agent assurance must assess behavioural characteristics in addition to technical functionality. This includes evaluating consistency, reliability, authority boundaries, evidence quality, decision transparency, and resilience under changing conditions.

Within AGRC environments, assurance programmes should assess several dimensions of performance:

  • Scope of delegated authority.

  • Quality and completeness of evidence.

  • Behavioural consistency across similar scenarios.

  • Compliance with governance policies.

  • Security and access controls.

  • Accuracy and reliability of outputs.

  • Escalation and exception handling mechanisms.

  • Performance monitoring and failure recovery capabilities.

The objective of assurance is not merely to confirm technical correctness but to establish confidence that autonomous behaviour remains aligned with organisational expectations and governance obligations. As agentic systems assume greater operational responsibility, assurance is likely to become a prerequisite for regulatory acceptance and organisational trust.

5.4 Human Oversight and Authority

A defining characteristic of trustworthy agentic systems is the presence of meaningful human oversight. While autonomy may improve efficiency and responsiveness, governance functions often involve judgement, ethical considerations, strategic trade-offs, and regulatory interpretation that cannot be fully delegated to autonomous systems.

Human oversight should therefore be viewed as an integral component of AGRC architecture rather than a residual safeguard. Oversight mechanisms ensure that organisational actors retain the ability to review, intervene in, modify, or terminate agent behaviour when necessary (NIST, 2023).

The degree of oversight required should be proportionate to the level of autonomy and the significance of potential consequences. Low-risk activities such as evidence collection or control monitoring may operate with minimal intervention. Higher-risk activities involving compliance determinations, risk acceptance decisions, or regulatory reporting may require explicit human approval before execution.

This principle supports a model of graduated autonomy in which governance controls scale according to risk. Rather than adopting a binary distinction between automated and human-controlled processes, AGRC systems should operate within carefully defined authority structures that balance efficiency with accountability.

5.5 Operational Resilience and Control

Agentic systems operating within governance environments must remain resilient under conditions of uncertainty, disruption, and failure. Operational resilience refers to the ability of systems to continue functioning safely and predictably despite changing circumstances, incomplete information, security incidents, or technical failures.

This requirement reflects a fundamental principle of governance: organisations must be able to maintain control even when technology behaves unexpectedly. Consequently, AGRC architectures should incorporate mechanisms that support controllability, recoverability, and safe failure modes.

Key controls include:

  • Role-based access management.

  • Segregation-of-duties enforcement.

  • Authority and spending limits.

  • Human approval thresholds.

  • Continuous behavioural monitoring.

  • Audit logging and traceability.

  • Exception handling procedures.

  • Rollback and recovery mechanisms.

  • Emergency shutdown capabilities.

These controls ensure that autonomy remains bounded by governance policies and organisational risk tolerances. They also support operational resilience by providing mechanisms through which organisations can detect, investigate, and respond to unexpected behaviour.

Research on agent governance increasingly emphasises that the objective is not to maximise autonomy but to maximise trustworthy autonomy (Bommarito, Katz and Bommarito, 2025). Resilience and control therefore become essential characteristics of effective AGRC systems.
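The following Python sketch is an added illustration, not code from the paper or from any cited project. It composes the governed-action controls of Sections 4.5 and 5.5 with the graduated autonomy of Section 5.4: an authority policy naming which actions an agent may initiate, role-based access control, an impact threshold that escalates medium-tier actions to explicit human approval, segregation of duties between initiator and approver, and a hash-chained audit log whose integrity can be verified. All action names, roles, tiers, threshold values and identifiers are constructed assumptions.

```python
"""Governed-action gate (added example, not from the paper): constructed actions, roles,
tiers and thresholds illustrating the controls of Sections 4.5, 5.4 and 5.5."""
from __future__ import annotations

import hashlib
import json
from collections import namedtuple
from dataclasses import dataclass
from enum import Enum

class Tier(Enum):
    LOW = 1     # evidence requests, control monitoring: may run autonomously
    MEDIUM = 2  # remediation tasks, register updates: autonomous within limits
    HIGH = 3    # risk acceptance, regulatory reporting: explicit human approval

class Outcome(Enum):
    ALLOWED = "allowed"
    PENDING_APPROVAL = "pending_approval"
    DENIED = "denied"

# Constructed authority policy: action -> (tier, roles permitted to initiate it).
POLICY: dict[str, tuple[Tier, frozenset[str]]] = {
    "request_evidence": (Tier.LOW, frozenset({"grc_agent"})),
    "assign_remediation": (Tier.MEDIUM, frozenset({"grc_agent", "risk_owner"})),
    "update_risk_register": (Tier.MEDIUM, frozenset({"grc_agent", "risk_owner"})),
    "accept_risk": (Tier.HIGH, frozenset({"risk_owner"})),
    "submit_regulatory_report": (Tier.HIGH, frozenset({"compliance_officer"})),
}
# Constructed approval threshold: a MEDIUM action at or above this impact score is
# handled as HIGH, i.e. it needs explicit human approval before execution.
MEDIUM_IMPACT_THRESHOLD = 50
# Constructed set of roles allowed to approve HIGH-tier actions.
APPROVER_ROLES = frozenset({"risk_owner", "compliance_officer", "ciso"})

@dataclass(frozen=True)
class ActionRequest:
    actor: str                          # agent id or person initiating the action
    role: str
    action: str
    target: str                         # e.g. a risk or control identifier
    impact: int = 0                     # constructed 0-100 impact score
    evidence_refs: tuple[str, ...] = ()
    approver: str | None = None         # human who signed off (HIGH tier only)
    approver_role: str | None = None

Decision = namedtuple("Decision", "outcome tier reason audit_id")

class GovernedActionGate:
    def __init__(self) -> None:
        self.audit_log: list[dict] = []

    def _record(self, req: ActionRequest, outcome: Outcome, tier: Tier, reason: str) -> str:
        # Hash-chained audit entry: the id covers the entry plus the previous id, so
        # an edited, deleted or reordered entry is caught by verify_audit_chain().
        prev = self.audit_log[-1]["audit_id"] if self.audit_log else "genesis"
        entry = {"seq": len(self.audit_log), "prev": prev, "actor": req.actor,
                 "role": req.role, "action": req.action, "target": req.target,
                 "impact": req.impact, "evidence": list(req.evidence_refs),
                 "approver": req.approver, "tier": tier.name, "outcome": outcome.value,
                 "reason": reason}
        entry["audit_id"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)
        return entry["audit_id"]

    def evaluate(self, req: ActionRequest) -> Decision:
        def decide(outcome: Outcome, tier: Tier, reason: str) -> Decision:
            return Decision(outcome, tier, reason, self._record(req, outcome, tier, reason))
        # 1. Authority boundary: an action the policy does not name is never allowed.
        if req.action not in POLICY:
            return decide(Outcome.DENIED, Tier.HIGH, "action outside authorised boundaries")
        tier, roles = POLICY[req.action]
        # 2. Role-based access control on the initiator.
        if req.role not in roles:
            return decide(Outcome.DENIED, tier, f"role {req.role!r} not authorised")
        # 3. Approval threshold: high-impact MEDIUM actions are handled as HIGH.
        if tier is Tier.MEDIUM and req.impact >= MEDIUM_IMPACT_THRESHOLD:
            tier = Tier.HIGH
        if tier is not Tier.HIGH:
            return decide(Outcome.ALLOWED, tier, "within delegated authority")
        # 4. HIGH tier: evidence attached, and sign-off by a human other than the
        #    initiator who holds an approving role (segregation of duties).
        if not req.evidence_refs:
            return decide(Outcome.DENIED, tier, "no supporting evidence attached")
        if req.approver is None:
            return decide(Outcome.PENDING_APPROVAL, tier, "explicit human approval required")
        if req.approver == req.actor:
            return decide(Outcome.DENIED, tier, "initiator cannot approve own action")
        if req.approver_role not in APPROVER_ROLES:
            return decide(Outcome.DENIED, tier, f"approver role {req.approver_role!r} cannot approve")
        return decide(Outcome.ALLOWED, tier, f"approved by {req.approver}")

    def verify_audit_chain(self) -> bool:
        """Recompute every hash; False if any entry was altered, removed or reordered."""
        prev = "genesis"
        for seq, entry in enumerate(self.audit_log):
            body = {k: v for k, v in entry.items() if k != "audit_id"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["seq"] != seq or body["prev"] != prev or digest != entry["audit_id"]:
                return False
            prev = entry["audit_id"]
        return True
```

A pending decision is itself logged, so the approval queue and the eventual approved re-submission both appear in the chain, which is what an auditor reviewing the decision pathway retrospectively needs.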

5.6 Towards Trustworthy Agentic Governance

Taken together, explainability, accountability, assurance, human oversight, and operational resilience form the governance foundation for Agentic Governance, Risk and Compliance. These requirements are mutually reinforcing rather than independent. Explainability supports accountability. Accountability enables assurance. Assurance strengthens trust. Human oversight provides governance legitimacy. Operational resilience ensures that autonomy remains controllable under real-world conditions.

The central argument of this paper is that governance capability must evolve alongside autonomous capability. Organisations that deploy increasingly autonomous GRC systems without corresponding investments in governance mechanisms risk creating new forms of operational, regulatory, and reputational exposure. Conversely, organisations that successfully integrate these governance requirements can harness the benefits of agentic AI while maintaining the transparency, accountability, and control necessary for trustworthy governance.

Accordingly, the future of AGRC should not be understood as the replacement of human governance by artificial intelligence. Rather, it represents the emergence of governance architectures in which human judgement and machine autonomy operate together within a structured framework of accountability, oversight, and assurance.

6. Discussion

The emergence of agentic artificial intelligence represents a potentially transformative development for Governance, Risk and Compliance (GRC). While much of the current discourse focuses on technological capabilities, the findings of this paper suggest that the more significant challenge is organisational rather than technical. The deployment of agentic systems within governance functions requires organisations to rethink how decisions are made, how accountability is maintained, and how autonomy can be exercised safely within complex regulatory environments.

The Agentic Governance, Risk and Compliance (AGRC) framework proposed in this paper contributes to this discussion by providing a conceptual model through which organisations can understand, evaluate, and govern emerging forms of AI-enabled autonomy. Rather than viewing agentic AI as merely an extension of automation, the framework positions agentic systems as participants within governance processes that must operate within explicit organisational constraints and accountability structures.

6.1 Theoretical Implications

A key contribution of the AGRC framework is its integration of four previously distinct streams of research: AI governance, enterprise risk management, knowledge graph-based contextual intelligence, and agentic systems theory. Existing literature has largely examined these domains independently. AI governance research focuses on oversight, accountability, and trustworthiness (Batool, Zowghi and Bano, 2025). Enterprise risk management literature emphasises interconnected organisational risks and strategic resilience (COSO, 2017). Knowledge graph research addresses contextual representation and semantic reasoning (Hogan et al., 2021; Li et al., 2024). Agentic AI literature explores autonomous planning, reasoning, and action (Wang et al., 2024).

The AGRC framework demonstrates that these domains are not merely complementary but mutually dependent. Agency without contextual intelligence limits decision quality. Contextual intelligence without governance introduces accountability risks. Governance without adaptive reasoning constrains organisational responsiveness. Consequently, effective agentic governance requires simultaneous advancement across all four domains.

The framework also contributes to ongoing debates regarding the nature of autonomy in enterprise systems. Much of the current discussion treats autonomy as a binary characteristic in which systems are either autonomous or not. The findings presented here support an alternative view in which autonomy exists along a continuum. Organisations may progressively delegate observational, analytical, decision-support, and operational responsibilities to AI systems while retaining varying levels of human oversight and authority.

This perspective aligns with emerging socio-technical theories of AI deployment that emphasise collaboration between humans and intelligent systems rather than substitution of human judgement (Mökander and Floridi, 2021). From this viewpoint, AGRC should be understood as a model of augmented governance rather than autonomous governance.

6.2 Implications for Governance Practice

The framework has several practical implications for organisations evaluating agentic AI technologies. First, it provides a structured basis for distinguishing genuine agency from advanced automation. Many contemporary solutions marketed as agentic primarily offer conversational interfaces, workflow orchestration, or generative assistance. While these capabilities may improve productivity, they do not necessarily demonstrate contextual reasoning, governed action, or adaptive learning (GRC 20/20 Research, 2026).

The AGRC framework therefore offers organisations a more rigorous evaluation model. Rather than focusing on linguistic sophistication or user experience, decision-makers should assess whether systems possess the six foundational capabilities identified in this study: observation, contextualisation, reasoning, decision support, governed action, and organisational learning.

Second, the findings suggest that future GRC architectures will increasingly depend upon contextual intelligence. Traditional governance technologies are predominantly document-centric and record-oriented. Agentic systems require richer representations of organisational knowledge, including relationships among risks, controls, regulations, business processes, assets, and stakeholders. This finding reinforces growing interest in graph-based architectures as foundational infrastructure for enterprise AI and risk management (Li et al., 2024).

Third, the study highlights the importance of governance maturity as a prerequisite for autonomy. Organisations with poorly defined accountability structures, fragmented control environments, or weak assurance mechanisms may struggle to deploy agentic systems responsibly. The effectiveness of AGRC therefore depends not only on technological capability but also on organisational governance capability.

6.3 The Governance Paradox of Agentic Systems

The findings also reveal a governance paradox. Agentic systems are often introduced to improve organisational decision-making and operational efficiency. Yet increasing autonomy simultaneously increases governance requirements.

Historically, governance focused on supervising human actors and deterministic systems. Agentic AI introduces entities capable of adaptive behaviour, dynamic decision-making, and autonomous action. As a result, organisations must govern not only business processes but also the behaviour of the systems participating in those processes.

This shift creates a second-order governance challenge: the governance of governance technologies themselves. Agentic systems become both instruments of governance and subjects of governance. Their actions, reasoning processes, authority boundaries, and learning mechanisms require continuous oversight and assurance.

This paradox suggests that future governance functions may become increasingly focused on supervising networks of human and artificial actors rather than solely monitoring business activities. Such developments represent a significant departure from traditional GRC operating models and may require new governance structures, assurance practices, and professional competencies.

6.4 Limitations

Several limitations should be acknowledged.

First, the AGRC framework is conceptual rather than empirical. The framework synthesises insights from multiple research domains and proposes a theoretical architecture for agentic governance. However, the model has not yet been validated through large-scale organisational deployment or longitudinal case studies.

Second, the field of agentic AI remains rapidly evolving. Technological capabilities, governance frameworks, and regulatory expectations continue to develop at a pace that may outstrip current academic understanding. Consequently, some assumptions regarding agent behaviour, governance controls, and assurance mechanisms may require refinement as the technology matures.

Third, the framework has been developed primarily from the perspective of enterprise governance and risk management. Additional research may be required to assess its applicability across different sectors, regulatory environments, organisational sizes, and cultural contexts.

Finally, while the framework emphasises accountability and oversight, important ethical questions remain regarding delegation of authority, organisational responsibility, and human dependence upon autonomous systems. These issues extend beyond technical architecture and require interdisciplinary examination.

6.5 Future Research Directions

The AGRC framework opens several avenues for future research.

One priority is empirical validation. Case studies, field experiments, and longitudinal organisational research could assess how agentic systems perform within real governance environments and whether the proposed six-capability model accurately reflects operational practice.

A second area concerns assurance methodologies for agentic systems. Existing audit and control assessment approaches were developed primarily for deterministic systems and human-operated processes. New assurance frameworks may be required to evaluate adaptive behaviour, autonomous decision-making, and learning mechanisms.

Third, future research should investigate the role of knowledge graphs and contextual intelligence within governance architectures. While existing evidence suggests significant potential benefits, further study is needed to understand how contextual models influence decision quality, explainability, and organisational trust.

A fourth research opportunity concerns governance operating models. As organisations increasingly adopt agentic technologies, governance functions may evolve from overseeing business activities to orchestrating interactions among humans, AI agents, and organisational systems. Understanding the implications of this shift will be critical for both scholars and practitioners.

Finally, future research should examine the relationship between agentic governance and emerging regulatory frameworks. Regulations governing AI accountability, transparency, safety, and assurance are rapidly developing across jurisdictions. Understanding how agentic systems can comply with these evolving requirements will be essential for large-scale adoption.

6.6 Towards a New Governance Paradigm

The broader significance of the AGRC framework lies in its recognition that governance technologies are evolving from passive repositories of information toward active participants in organisational decision-making. This transition mirrors a wider shift occurring across enterprise AI, where value increasingly derives from systems capable of understanding context, coordinating actions, and supporting organisational objectives.

The central argument of this paper is that the future of governance will not be determined by the sophistication of conversational interfaces or the scale of language models. Rather, it will depend upon the ability of organisations to combine contextual intelligence, autonomous capability, and governance discipline within coherent socio-technical architectures.

Agentic AI therefore represents not merely a technological innovation but a governance innovation. Its success will ultimately depend on whether organisations can achieve a balance between autonomy and accountability, efficiency and control, learning and oversight. The AGRC framework provides one possible foundation for achieving that balance and for guiding the next generation of governance, risk, and compliance systems.

7. Conclusion

This paper has argued that the future evolution of Governance, Risk and Compliance will be shaped not merely by advances in artificial intelligence, but by the emergence of systems capable of acting within governance processes while remaining accountable to organisational objectives, regulatory obligations, and human oversight. As organisations increasingly explore agentic AI, a critical distinction must be made between systems that assist governance activities and systems that demonstrate genuine organisational agency.

Through a review of the literature spanning AI governance, enterprise risk management, knowledge graph technologies, and agentic systems research, the study identified a significant gap in existing scholarship. While these domains have advanced independently, limited attention has been given to how they can be integrated into a coherent framework specifically designed for Governance, Risk and Compliance environments. To address this gap, the paper proposed the Agentic Governance, Risk and Compliance (AGRC) framework.

The AGRC framework conceptualises governance as a continuous, closed-loop process comprising six interconnected capabilities: observation, contextualisation, reasoning, decision support, governed action, and organisational learning. Together, these capabilities enable governance systems to move beyond static repositories of information and traditional workflow automation towards adaptive, evidence-driven participation in organisational decision-making. Central to the framework is the argument that genuine agency requires contextual intelligence, continuous awareness of organisational conditions, and the capacity to act within explicitly defined governance boundaries.

The paper further argued that increasing autonomy must be accompanied by increasing governance capability. Consequently, five governance requirements were identified as essential foundations for trustworthy agentic GRC systems: explainability, accountability, assurance, human oversight, and operational resilience. These requirements ensure that autonomous behaviour remains transparent, controllable, auditable, and aligned with organisational objectives. In this sense, the challenge of agentic AI is not solely technological but fundamentally one of governance design.

The broader contribution of this study is the proposition that agentic GRC represents a new stage in the evolution of governance technology. Historically, GRC platforms functioned primarily as systems of record that documented risks, controls, policies, and compliance activities. The AGRC model envisions a future in which governance systems become active participants in governance processes, capable of contextual reasoning, decision support, and governed execution while remaining subject to organisational oversight and accountability.

For practitioners, the framework provides a structured approach for evaluating claims of agentic capability and distinguishing genuine organisational agency from conversational interfaces and advanced automation. For researchers, it offers a foundation for future empirical investigation into the governance, assurance, and operational implications of autonomous systems within regulated environments.

Ultimately, the success of agentic AI in Governance, Risk and Compliance will not be determined by the sophistication of language models or the persuasiveness of generated outputs. Rather, it will depend upon an organisation’s ability to combine contextual intelligence, autonomous capability, and governance discipline within a coherent socio-technical architecture. The future of governance is therefore unlikely to be fully human or fully autonomous; instead, it will emerge through governed collaboration between human judgement and intelligent systems working together to pursue organisational objectives, manage uncertainty, and act with integrity.

8. References

Batool, A., Zowghi, D. and Bano, M. (2025) ‘AI governance: a systematic literature review’, AI and Ethics, 5, pp. 3265–3279.

Bommarito, J., Katz, D.M. and Bommarito, M.J. (2025) ‘Governing AI agents: Risk, compliance, and accountability in law and finance’, SSRN Working Paper.

COSO (2017) Enterprise Risk Management: Integrating with Strategy and Performance. New York: Committee of Sponsoring Organizations of the Treadway Commission.

GRC 20/20 Research (2026) Agentic AI in GRC: Pulling Back the Curtain: Why Much of the Market is Theater, What Real Agency Requires, and How the Next Generation of GRC Earns Business Confidence Through Connected Context, Governed Action, and Proof. Milwaukee: GRC 20/20 Research.

Hogan, A., Blomqvist, E., Cochez, M., d’Amato, C., de Melo, G., Gutierrez, C., Kirrane, S., Gayo, J.E.L., Navigli, R., Neumaier, S., Ngonga Ngomo, A.C., Polleres, A., Rashid, S.M., Rula, A., Schmelzeisen, L., Sequeda, J., Staab, S. and Zimmermann, A. (2021) ‘Knowledge Graphs’, ACM Computing Surveys, 54(4), pp. 1–37.

Iansiti, M. and Lakhani, K.R. (2020) Competing in the Age of AI: Strategy and Leadership When Algorithms and Networks Run the World. Boston: Harvard Business Review Press.

Li, P., Zhao, Q., Liu, Y., Zhong, C., Wang, J. and Lyu, Z. (2024) ‘Survey and prospect for applying knowledge graph in enterprise risk management’, Computers, Materials & Continua, 78(3), pp. 3825–3865.

Mökander, J. and Floridi, L. (2021) ‘Ethics-Based Auditing to Develop Trustworthy AI’, Minds and Machines, 31(2), pp. 323–327.

National Institute of Standards and Technology (NIST) (2023) Artificial Intelligence Risk Management Framework (AI RMF 1.0). Gaithersburg, MD: NIST.

OECD (2024) OECD Framework for the Classification of AI Systems. Paris: Organisation for Economic Co-operation and Development.

Raza, S., Sapkota, R., Karkee, M. and Emmanouilidis, C. (2025) ‘TRiSM for Agentic AI: A review of trust, risk and security management in LLM-based agentic multi-agent systems’, arXiv preprint.

Wang, X., Ma, Y., Chen, Y., Xiao, H., Huang, S. and Deng, Z. (2024) ‘A Survey on Large Language Model Based Autonomous Agents’, Artificial Intelligence Review, 57(8), pp. 1–45.

Wiener, N. (1948) Cybernetics: Or Control and Communication in the Animal and the Machine. Cambridge, MA: MIT Press.
