July 14, 2026
By Burak Oktenli
Key Takeaways:
Governance gap in autonomous AI agents across sectors: Eight industries (water utilities, aviation, road transport, maritime, critical infrastructure, finance, defense, etc.) face the same core problem: systems acting faster than humans can review or reverse, creating an accountability and irreversibility issue.
Existing responses inadequate: Regulating models (e.g., export controls) or relying on internal safeguards fails to address the temporal gap; the fix needs to sit outside the system at the point of action.
Proposed solution: shared governance layer: Implement permission evaluation by independent components, tiered human confirmation based on stakes, and tamper-evident audit records — a common standard that can be adopted across sectors and borders using existing frameworks like NIST and EU rules.
When cybersecurity agencies from the United States and its four closest allies issued their first joint warning about autonomous AI agents in May, the detail that should have unsettled policymakers was not any single risk. It was the pattern. The same failure recurred across every setting the agencies examined: systems that can now take consequential action faster than any human can review, permit, or reverse what they do. The guidance called this an accountability gap and an irreversibility problem. It is more useful to name it directly: a governance gap, hiding in plain sight across at least eight industries at once.
Consider the range of settings across which it appears. In April, security researchers documented what appears to be the first confirmed case of an AI agent autonomously navigating the network boundaries of a municipal water utility to reach live industrial control systems. In aviation and space, single-event upsets from cosmic radiation continue to flip bits in flight-critical processors, a hazard that grows as more decisions are delegated to onboard autonomy. In road transport, driver-assistance and self-driving systems make control decisions in milliseconds that no human passenger can meaningfully authorize. The same structure appears in maritime autonomy, in counter-drone systems, in critical infrastructure, in agentic software that can execute code and move money, and in the swarming systems now under development for defense. Eight different sectors, eight different technologies, one identical hole.
The hole is not that machines are becoming too clever. That is the fear that dominates public debate, and it points attention in the wrong direction. The nearer and more concrete danger is temporal. Autonomous systems have crossed the threshold where they act faster than the humans nominally in charge can keep up. When a system can complete an irreversible action in the time it takes a person to read a single alert, the traditional safeguard, a human reviewing and approving each consequential step, quietly stops functioning. The human is still in the diagram. The human is no longer in the loop.
Two responses dominate current policy, and neither closes the gap. The first is to regulate the models themselves, restricting what the most capable systems are allowed to be. The United States has moved in this direction with export controls on frontier models. This is a blunt setting for a precise problem: it governs how capable a system may be, not what a fielded system is permitted to do now it acts. The second response is to trust the model’s own internal safeguards, the guardrails built in by developers. But the same allied guidance warns that these systems should be treated as untrusted components until proven otherwise, precisely because their behavior cannot be fully predicted and their reasoning cannot be fully inspected. A safeguard that lives inside the system it is meant to constrain is not a safeguard a regulator can rely on.
What the eight-sector pattern reveals is that the missing layer is the same everywhere, which means the fix can be common too. Governance should attach not to the model but to the moment of action, and it should sit outside the system rather than inside it, and three properties make this work in practice. Permission to act on a grave decision should be evaluated by a component the autonomous system cannot itself overrule, so that the check cannot be reasoned away by the thing being checked. Actions above a defined threshold of consequence should pause for human confirmation, with the level of human involvement rising as the stakes rise, so that reversible low-stakes decisions stay fast while irreversible high-stakes ones slow down by design. And every such decision should be written to a tamper-evident record, so that when something goes wrong, and eventually something will, investigators can reconstruct what was permitted and why. None of this is exotic. These are the same three ideas the allied guidance reaches for when it calls for enforced human control points, cryptographically anchored identity, and auditable action.
The encouraging part is that the scaffolding for this already exists in embryonic form and does not need to be invented from scratch. The US National Institute of Standards and Technology has built a widely used risk-management framework for AI. The European Union’s high-risk obligations for autonomous systems take effect in August, and they apply directly to agents operating in high-stakes settings. The Five Eyes guidance, for all its caution, is in substance a description of the same missing layer seen from the security side. What is absent is not the raw material but the recognition that these are one problem, not eight, and that a shared governance layer at the point of action would serve road safety, maritime operations, infrastructure protection, and defense alike.
That recognition matters because the alternative is to keep solving the same problem eight times, badly, one sector at a time, each industry discovering the governance gap only after its own first serious failure. The water-utility intrusion, the flight-control upset, the near-miss on the road: each is treated as a domestic incident in a single field, when together they are early readings of one structural condition. No single state can close this gap alone, because the systems and their supply chains cross borders, and no single regulator owns all eight sectors. But the commonality is also the opportunity. A governance layer defined once, now of action and outside the model, and adopted through the frameworks that already exist, would let allied states convert a scattered set of warnings into a single, enforceable standard before the pattern completes itself in the one sector where a first failure is not survivable.
The debate about artificial intelligence keeps asking how smart these systems will become. The more urgent question, visible now across eight industries at once, is simpler and more answerable: who is permitted to let them act, and can anyone still say no in time.
About Burak Oktenli
Burak Oktenli holds an MBA and a Master of Professional Studies in Applied Intelligence from Georgetown University. His research addresses the governance of authority in autonomous and AI-enabled systems, and his writing has appeared at the Modern War Institute at West Point, RUSI, RealClearDefense, RealClearMarkets, and Geopolitical Monitor.
View all posts by Burak Oktenli →
Consider the range of settings across which it appears. In April, security researchers documented what appears to be the first confirmed case of an AI agent autonomously navigating the network boundaries of a municipal water utility to reach live industrial control systems. In aviation and space, single-event upsets from cosmic radiation continue to flip bits in flight-critical processors, a hazard that grows as more decisions are delegated to onboard autonomy. In road transport, driver-assistance and self-driving systems make control decisions in milliseconds that no human passenger can meaningfully authorize. The same structure appears in maritime autonomy, in counter-drone systems, in critical infrastructure, in agentic software that can execute code and move money, and in the swarming systems now under development for defense. Eight different sectors, eight different technologies, one identical hole.
The hole is not that machines are becoming too clever. That is the fear that dominates public debate, and it points attention in the wrong direction. The nearer and more concrete danger is temporal. Autonomous systems have crossed the threshold where they act faster than the humans nominally in charge can keep up. When a system can complete an irreversible action in the time it takes a person to read a single alert, the traditional safeguard, a human reviewing and approving each consequential step, quietly stops functioning. The human is still in the diagram. The human is no longer in the loop.
Two responses dominate current policy, and neither closes the gap. The first is to regulate the models themselves, restricting what the most capable systems are allowed to be. The United States has moved in this direction with export controls on frontier models. This is a blunt setting for a precise problem: it governs how capable a system may be, not what a fielded system is permitted to do now it acts. The second response is to trust the model’s own internal safeguards, the guardrails built in by developers. But the same allied guidance warns that these systems should be treated as untrusted components until proven otherwise, precisely because their behavior cannot be fully predicted and their reasoning cannot be fully inspected. A safeguard that lives inside the system it is meant to constrain is not a safeguard a regulator can rely on.
What the eight-sector pattern reveals is that the missing layer is the same everywhere, which means the fix can be common too. Governance should attach not to the model but to the moment of action, and it should sit outside the system rather than inside it, and three properties make this work in practice. Permission to act on a grave decision should be evaluated by a component the autonomous system cannot itself overrule, so that the check cannot be reasoned away by the thing being checked. Actions above a defined threshold of consequence should pause for human confirmation, with the level of human involvement rising as the stakes rise, so that reversible low-stakes decisions stay fast while irreversible high-stakes ones slow down by design. And every such decision should be written to a tamper-evident record, so that when something goes wrong, and eventually something will, investigators can reconstruct what was permitted and why. None of this is exotic. These are the same three ideas the allied guidance reaches for when it calls for enforced human control points, cryptographically anchored identity, and auditable action.
The encouraging part is that the scaffolding for this already exists in embryonic form and does not need to be invented from scratch. The US National Institute of Standards and Technology has built a widely used risk-management framework for AI. The European Union’s high-risk obligations for autonomous systems take effect in August, and they apply directly to agents operating in high-stakes settings. The Five Eyes guidance, for all its caution, is in substance a description of the same missing layer seen from the security side. What is absent is not the raw material but the recognition that these are one problem, not eight, and that a shared governance layer at the point of action would serve road safety, maritime operations, infrastructure protection, and defense alike.
That recognition matters because the alternative is to keep solving the same problem eight times, badly, one sector at a time, each industry discovering the governance gap only after its own first serious failure. The water-utility intrusion, the flight-control upset, the near-miss on the road: each is treated as a domestic incident in a single field, when together they are early readings of one structural condition. No single state can close this gap alone, because the systems and their supply chains cross borders, and no single regulator owns all eight sectors. But the commonality is also the opportunity. A governance layer defined once, now of action and outside the model, and adopted through the frameworks that already exist, would let allied states convert a scattered set of warnings into a single, enforceable standard before the pattern completes itself in the one sector where a first failure is not survivable.
The debate about artificial intelligence keeps asking how smart these systems will become. The more urgent question, visible now across eight industries at once, is simpler and more answerable: who is permitted to let them act, and can anyone still say no in time.
About Burak Oktenli
Burak Oktenli holds an MBA and a Master of Professional Studies in Applied Intelligence from Georgetown University. His research addresses the governance of authority in autonomous and AI-enabled systems, and his writing has appeared at the Modern War Institute at West Point, RUSI, RealClearDefense, RealClearMarkets, and Geopolitical Monitor.
View all posts by Burak Oktenli →

No comments:
Post a Comment