A senior leader asked a simple question in a governance review last week: can we audit and verify every action an agent takes? Not the model’s reasoning, not the prompt — the actions. The edits, the sends, the deletions. The honest answer was no. Not yet. And the more I sat with that “not yet,” the more I realized it is the actual story of agentic AI inside a regulated firm, and almost nobody is telling it.

The entire public conversation about agents is about capability. How much access should they have. How autonomous should they be. Whether to let them run in a loop until a goal is met. Those are real questions. They are also the wrong ones to lose sleep over, because they are downstream of a quieter fact that has already shipped.

The agent runs as you

When a lawyer sets up an agent, the agent does not operate in some sandbox beside their work. It operates inside their identity. Microsoft’s own documentation for Microsoft 365 Copilot agents is explicit about this: an agent runs under the user’s identity, accessing data and services according to the permissions already assigned to that user. The agent inherits the person.

In a law firm, that inheritance is not abstract. It means the agent can open the matter, edit the document, send the email, and delete a file from the document management system — because the lawyer can. The newer agent layers that sit inside everyday tools, the ones that took Copilot from “draft me a paragraph” to “go do the thing,” did not just add a feature. They quietly handed a non-human process the full reach of a licensed professional.

So the unit of risk was never the agent’s cleverness. It was the agent’s authority. And that authority is borrowed, silently, from a person who may never see how it was used.

Accountability used to live in a person

The reasonable objection is that we never had a clean audit trail for humans either. That is true, and it is worth conceding plainly. A lawyer who made a hundred small decisions in a document did not generate an inspectable log of each one. The record, where it existed, lived in systems IT could comb through after the fact, not in anything the practitioner reviewed.

But accountability did not depend on that log, because it lived somewhere more reliable: in a licensed person you could question. You could ask a lawyer why they did something and get an answer, because they were present for the doing. Responsibility and awareness were the same thing.

An agent breaks that link. The action still carries the lawyer’s authority — their permissions, their identity, their name on the matter — but the awareness is gone. The person who is accountable was not in the room. The trail still exists for IT to assemble; tools like Purview will surface agent activity to administrators and compliance teams. What does not exist is a view that puts “here is what your agent did, under your name” in front of the one person who has to answer for it.

That is the gap. Not logging. Surfacing, to the accountable party, in time to matter.

The unsolved part is judgment, not logging

Here is the part I am genuinely unsure about, and I would rather name the uncertainty than pretend past it. Even if you capture every action — and increasingly you can — it is not obvious that you can present that record to a non-technical professional in a form they can actually use.

A partner does not want a JSON event stream. They want to know whether the thing the agent did was the thing they would have done, and they want to know it without becoming an engineer. The hard problem is not storage. It is translation: turning a machine’s actions into something a human can apply judgment to, fast enough to catch a mistake before it leaves the building. I have not seen anyone solve that well, and I am not certain the interface even exists yet.

What I am certain of is the asymmetry. Capability is compounding on a monthly cadence — new agents, broader access, longer autonomous runs. The ability to answer for any of it is not moving at the same speed. Every month that gap widens is a month a firm is accumulating authority it cannot account for.

The smaller question

There is a temptation, when a tool gets more powerful, to spend all the governance energy on the frontier — what should we let it do next. That energy is misallocated if you cannot yet answer for what it has already done.

Before you give an agent more of what it can do, you have to be able to answer the smaller question. Not the impressive one about capability. The unglamorous one about accountability.

What did the agent do? What can it do? The second question is getting all the attention right now. The first is the one with your name on it.

I write every week about AI as an operational discipline inside regulated firms — the work behind the work that does not show up in the vendor demo. If that is your world, subscribe.