One policy for every agent breaks both ways.

The error that looks like prudence

When an organisation writes its first AI governance policy, the instinct is to make it apply to everything. One policy, one review board, one approval path, one set of controls — uniform, defensible, easy to point an auditor at. It feels like rigour. It reads, on a slide, like a company taking the risk seriously.

It is the most common way a 2026 AI programme stalls. The problem is not that the policy is too strict or too loose. The problem is that "agent" is not one thing, and a control that is correct for one kind of agent is wrong for another by construction. A document classifier that sorts a PDF into one of six buckets and a treasury agent that releases funds are both "agents" in the org chart and have nothing in common in their capacity to do harm. Governing them with the same instrument guarantees you are mis-governing at least one of them — and usually both.

A uniform policy is not a neutral default. It is a single setting applied to a range of risks, which means it is calibrated correctly for exactly one point on that range and wrong everywhere else.

The frame that replaced it in board conversations this year is risk-bounding by design: the amount of governance an agent carries should be a function of how much it can do without a human, and how much damage that autonomy can cause. Dedicated agentic-AI frameworks pushed the same idea from different directions — national governance models published in global forums, ISO/IEC 42001 as the management system that wraps the whole estate, NIST AI RMF as the baseline vocabulary for risk. The common thread is that governance is proportional or it is theatre.

Why one policy breaks both ways

The uniform policy fails in two opposite directions at the same time, which is what makes it so hard to see. Leaders notice one failure and assume the other end is fine. It is not.

At the low-risk end, it over-controls — and that kills ROI. A classifier that mislabels a document costs a re-queue and a few seconds. Put it behind a mandatory human review on every run, a change-advisory board for every prompt tweak, and a sign-off chain borrowed from the treasury agent, and you have spent more governing it than the work it saves. The business case evaporates, the team quietly stops using it, and the programme records another pilot that "didn't deliver." It delivered. The governance ate the delivery.

At the high-risk end, it under-controls — and that is the incident. The same policy that suffocates the classifier is, for the agent that moves money or writes to the system of record, far too loose. It has no value ceiling per action, no per-step audit trail an investigator can replay, no re-authentication when the agent crosses a threshold, no scoped revocation. The first time that agent does something expensive and wrong, the organisation discovers — in the post-mortem, which is the worst place to discover it — that the control built for the average agent was never sized for the dangerous one.

Average the two and you get a policy that is simultaneously too heavy and too light, which is the worst of both: it imposes the full cost of governance on the cases that do not need it and withholds the controls from the cases that do. The fix is not a better single policy. There is no single setting that is right for both ends. The fix is to stop having one setting.

Govern the agent by what it can do, not what it is

The unit of governance is not the use case, the team, or the application. It is the agent's autonomy level — how far it can act before a human is required, and what it is allowed to touch when it does. Frameworks converged on roughly four rungs, each a distinct trust boundary with its own required control. Naming the rung is most of the work, because once an agent is on a rung, the controls are no longer a debate.

The point of the ladder is not the labels. It is that each rung is a different fraction of the trust the organisation extends, and therefore a different amount of control it has to keep. An assisted agent borrows none of your trust — the human holds it. An autonomous agent that writes to the ERP holds a large piece of it on its own, and the controls have to be sized to what it can break while no one is watching the individual action.

Proportional controls, by level

Once an agent is placed on a rung, governance becomes a set of dials that turn up together as autonomy rises. None of these are exotic — they are the same controls a bank applies to a junior versus a senior trader, ported to software. The discipline is making each dial a function of the rung rather than a single value copied across the estate.

• Human-in-the-loop — mandatory and per-action at the assisted and supervised rungs, exception-only at conditionally autonomous, on-the-loop at autonomous. The human moves from gate to auditor as the agent earns the rung.
• Tool-use scope — the set of tools and systems an agent may call, narrowed to the task. A classifier needs read access to a queue; it has no business holding write access to the ledger, and a scope granted "for convenience" is the line an incident later walks through.
• Value ceiling per action — an explicit cap on what a single autonomous action can commit — an amount, a record count, an irreversible operation — above which the agent must escalate rather than proceed.
• Re-authentication frequency — how often the agent must re-prove its mandate and how short-lived its credentials are. Long-lived, broad credentials are how a compromised agent becomes a compromised estate.
• Audit-trail depth — from a sampled log at the bottom to a per-step, page-anchored, immutable trail an investigator can replay at the top. The depth tracks the blast radius, not a one-size retention rule.
• Observability by blast radius — the monitoring an agent gets is calibrated to what it can damage, not to its traffic. A high-volume classifier needs less scrutiny per action than a low-volume agent that moves money.

Read top to bottom, the dials describe an assisted agent that costs almost nothing to govern and an autonomous one that carries a real control stack. Read across the estate, they replace "what is our AI policy" with "what is this agent allowed to do, and what do we therefore have to keep an eye on" — a question with a different answer for every agent, which is exactly the point.

Promotion is a gate, not a graduation

The autonomy ladder only works if movement up it is earned. The failure mode here is subtle: an agent is classified once, at design time, on the basis of what it was meant to do, and never re-examined as its scope quietly grows. Six months later the "supervised" agent has been handed write access and a higher value limit by a series of reasonable-looking tickets, and nobody re-ran the governance that the new rung demands. It is autonomous in capability and supervised on paper.

Proportional governance needs a promotion gate: moving an agent to a higher rung is an explicit decision with an evidence requirement, not a side effect of a config change. The gate asks for the things the next rung assumes — a track record at the current rung within its accuracy bound, an envelope defined and tested, the audit trail proven to reconstruct a real case, the kill switch exercised at least once. An agent that cannot produce the evidence stays where it is. This is the same logic always-on agents need before they run unattended, applied to the moment autonomy increases rather than the moment it is switched on.

The mirror of promotion is revocation, and it has to be per agent and per rung. Every rung above assisted needs a kill switch that stops that agent specifically — not a global breaker that takes down the estate, and not a vague "we'd open a ticket." Autonomy that cannot be revoked cleanly is not autonomy the organisation controls; it is autonomy it is hoping nothing goes wrong with. The right time to test the revocation is before the agent is promoted, not during the incident that makes everyone wish it had been.

The four mistakes that uniform governance hides

Every stalled programme we have looked at made at least one of these, and the single-policy approach hides all four because it never forces the question the mistake would answer.

• The copied RPA policy — governance lifted wholesale from the deterministic-automation playbook, where a bot does exactly what it was scripted to do. An agent decides, which means the old controls — change windows, scripted-step review — govern the wrong thing and miss the new risk entirely.
• Classify once, never revisit — the autonomy level is set at design time and treated as permanent, so capability creep moves the agent up the ladder while the governance stays at the bottom. The agent is more dangerous than its paperwork by the time anyone checks.
• No objective promotion criteria — "give it more autonomy" is decided by confidence and convenience rather than evidence, so agents are trusted with more because they have not failed yet, which is not the same as having earned it.
• Governance at the application, not the agent — the policy attaches to the product or the team, so two agents of wildly different risk inside the same application inherit the same controls. The unit of governance has to be the agent, because the agent is the unit of autonomy.

The thread connecting all four is the refusal to treat agents as different from one another. Each mistake is a way of pretending the estate is uniform so a uniform policy can cover it — and each one defers the cost to the day an agent does something its governance never anticipated.

What this means for the document layer

The abstraction gets concrete fast on a document workflow, because a single document pipeline usually contains agents from every rung of the ladder — and the uniform-policy instinct is to govern the whole pipeline at one setting. That is precisely the error, scaled down to something you can see end to end.

The same pipeline spans the whole ladder. The classifier that routes an inbound document by type is assisted or supervised — wrong is cheap, a human clears the edge cases, and governing it heavily is pure waste. The extraction-to-decision step that auto-clears a document when every field clears its confidence band and escalates the rest is conditionally autonomous — it acts inside a defined envelope, so it needs the envelope, the ceiling, and the sampled audit, not a review on every page. The agent that takes the cleared output and executes the downstream action — posts the invoice, releases the payment, writes to the system of record — is autonomous, and it needs the full stack. One policy across all three either drowns the classifier or under-governs the agent that pays. Usually both.

The audit trail is the evidence the rung demands — sized to the rung. An audit trail for non-deterministic output is cheap insurance on the classifier and a hard requirement on the agent that moves money, where an investigator has to replay exactly which fields, which confidence, which model version, and which human sign-off produced an action. Proportional governance is what lets you spend the trail depth where the blast radius justifies it instead of paying for forensic-grade logging on a document sort.

Multi-agent pipelines make the unit-of-governance point unavoidable. Once a flow is a squad of specialists — a reader, a validator, a decider, an executor — governing "the pipeline" is meaningless, because the reader and the executor sit on opposite ends of the autonomy ladder. The governance has to attach to each agent and travel with it, including the per-agent identity, scope, and revocation that let you stop the executor without stopping the reader.

And the matrix has to live somewhere standing. The taxonomy of autonomy against control is not a one-off classification exercise; it is an artefact in the AI operating model, reviewed when an agent's scope changes, mapped to ISO/IEC 42001 as the management system and to NIST AI RMF as the risk vocabulary the auditor already speaks. A matrix that is drawn once and filed is the classify-once mistake wearing a nicer template.

Closing thought

The uncomfortable part of 2026 AI governance is that the instinct to be careful — one policy, applied to everyone, no exceptions — is the instinct that breaks the programme. Care, in this domain, is not uniformity. It is proportion: matching the weight of the control to the weight of what the agent can do unattended, and re-checking the match every time the agent's reach grows. The organisations clearing the gap from pilot to production are not the ones with the strictest policy. They are the ones that stopped having a single policy and started governing each agent by its rung — light where it is harmless, heavy where it is not, with a gate between the two that moves on evidence.

At Cogneris we build the document layer to be governed proportionally rather than uniformly: per-field confidence and a clean escalation path so a supervised step is real review and not a rubber stamp, an envelope and a value ceiling so a conditionally autonomous step acts only inside its bounds, a per-step immutable audit trail so an autonomous step can be replayed by an investigator, and per-agent identity, scope, and revocation so you can stop the agent that pays without stopping the one that sorts. If you are governing your document agents with one policy and wondering why the cheap ones feel slow and the dangerous ones feel exposed, that is the uniform-policy error with a findable shape — talk to our team and we will help you put each agent on its rung.