Agent Governance Is Access Control You Never Wrote Down
Every requirement a UN body just named for a trustworthy AI agent is the access discipline you already run for people — the only new part is the judgment the machine doesn’t bring.
A trustworthy machine and a trustworthy employee need the same six things. A United Nations standards body spent this month naming them for machines. Enterprises named them for people years ago and filed the whole discipline under access management.
Here is what actually happened. The ITU — the International Telecommunication Union, the UN agency that has set the rules for how machines talk to each other since 1865, back when the machines were telegraphs — opened a focus group in July on trust and identity for AI agents. Its agenda names what a trustworthy agent has to account for: identity, authority, delegation, human oversight, accountability, and provenance. The first working meeting is in Paris in November, the second in Geneva in January. Treat that as a new frontier and the honest move is to wait — let the standards body convene, deliberate, and eventually tell you what a trustworthy agent is.
Treat it as an operator and the list stops the wait cold. You have seen every item on it before.
You already run this system
Read the agenda again with an IT lens instead of a policy one and it resolves into something ordinary:
Identity is a credential — the verifiable answer to “who is this.”
Authority is permissions — can it spend, sign, send, move money.
Delegation is the grant record — who handed over the access, and who can take it back.
Oversight is an approval gate — the step where a human has to say yes.
Accountability is knowing whose name is on the action when it goes wrong.
Provenance is an audit log — the trail that lets you reconstruct what happened.
That is not an emerging governance discipline. It is identity and access management, the practice every regulated enterprise has run for its people for years — the joiner-mover-leaver process, the role-based permissions, the quarterly access review, the audit trail the regulator asks to see. A UN body did not describe a new problem. It described your IAM program and pointed it at a new kind of user.
The maturity of that program was always measured by one question: can you say, without a two-week fire drill, who can touch a given system and why. Most enterprises can answer it for their people, at least on paper. Almost none can answer it yet for the agents they have already switched on.
Why it feels new anyway
The reason the list reads as novel is that we built every piece of it around a human being, and the human quietly did half the work.
A person authenticates, gets permissions scoped to a role, and then supplies the one thing the access model never had to encode: judgment. A lawyer with full reach into the document system does not open every matter she can technically open. She knows which files are walled off, which client would object, which situation calls for asking first. The permission set was never actually safe on its own. It was safe because a person with context and something to lose sat behind it.
An agent inherits the access and brings none of the judgment. Spin one up inside that same document system and it has the lawyer’s reach with none of the lawyer’s restraint. It will do exactly what its permissions allow, at machine speed, and nothing in it will pause to ask whether that was wise. The credential still resolves. The permissions still check out. The judgment that made them safe is simply gone.
That is the only genuinely new fact in the whole affair. Not identity, not authority, not audit. The actor holding the permissions no longer comes with a person attached.
You don’t have to wait for Paris
Some of this work does need the standards body. When your agent has to prove itself to another company’s agent across an organizational boundary — no shared HR system, no common directory, no one who onboarded them both — you need an agreed way to exchange and verify identity and authority. That is real, it is genuinely new, and it is what Paris and Geneva are for. The scientists advising the UN keep making a related point: the capability is running ahead of the evidence base the policy needs. A standards process moving at the speed of a November meeting will not hand you a safe agent next quarter.
Inside your own walls, you are not waiting on anyone. The six requirements are your existing access model, made explicit for an actor that supplies no judgment of its own. This is what “AI without operations is just a demo” looks like at the scale of a single agent: the demo is the capability, and the operations is the access model you write down around it.
You provisioned people out of habit — a role, a template, an approval, done. You have to provision an agent on purpose, in writing: state what it may touch, what it may never touch, where a person has to approve, and whose name answers for it when it goes wrong — the developer who built it, the team that deployed it, or the human who was supposed to be supervising. The implicit rule has to become an explicit one, because the thing holding the access will follow the letter of what you wrote and none of what you assumed.
What the agent is actually for
Here is the part worth sitting with. The agent is not the thing that needs governing. It is the thing that finally forces you to write your governance down.
For years “allowed” meant “technically permitted, and trusted not to abuse it” — and the second half of that sentence lived in people’s heads, never on paper. An actor with no judgment turns that unwritten half into a specification you have to author, review, and own. The uncomfortable gift of agents is that they make you say, in writing, what you always meant by access.
A UN focus group can define what trust between agents should look like across the industry. It cannot write down what “allowed” was always supposed to mean inside your organization. Only you can — and now, for the first time, you have a reason to. The six things that make a machine trustworthy were never really about the machine. They were about the discipline you already had, and finally have to put in writing.
If this landed, the earlier posts in this thread — on why your agent inherits your lawyer’s permissions, and why least privilege is the only sane default — are on my LinkedIn. Subscribe here to get the next one on operating AI, not just deploying it.


