Enterprises that apply the same governance rules to every AI agent, regardless of what that agent can actually do, are setting themselves up to fail. That is the warning from new research published today by Shiva Varma, Senior Director Analyst at Gartner.
The global research and advisory firm predicts that by 2027, 40% of enterprises will “demote or decommission” autonomous AI agents as a direct result of governance gaps that were only identified after production incidents had already occurred.
The findings arrive at a time when governance has become one of the defining challenges of enterprise AI deployment, particularly in customer-facing operations where the business stakes are high.
In many ways, these findings corroborate research from Sinch, published earlier this month. The cloud communications provider found that 73% of enterprises had rolled back a live AI customer agent following a governance failure. Both the Gartner and Sinch research point to companies underestimating the governance requirements for enterprise AI. Gartner's report goes further, identifying a popular yet misguided approach to enterprise governance.
The Binary Trap
The root cause, according to Varma, is not a lack of governance but the wrong kind: "Enterprises are treating AI agent governance as binary, either locked down or fully trusted, and that is the root cause of failure". He continued: "Agents operate at different autonomy levels and across different trust boundaries. When the same controls are applied indiscriminately, organisations encounter two common failure modes."
Those two failure modes are over-restriction and under-restriction. Over-restriction applies heavy compliance burdens to low-risk agents, slowing delivery and pushing teams towards shadow AI development outside sanctioned tools. Meanwhile, under-restriction grants excessive trust to highly autonomous agents, creating security, compliance, and operational exposure that only becomes visible once something has gone wrong.
A Framework Built Around Autonomy
Gartner's recommended response is a proportional governance model that classifies agents across four distinct autonomy levels, each with its own trust boundary and corresponding controls.
Level 1 agents observe: they have read-only access to defined data sources, with output visible only to the requesting user. Governance here should be lightweight, covering data access controls, authentication, and usage logging.
Level 2 agents advise: they generate recommendations and proposed actions, but humans execute every decision manually. Varma warns that advisory agents can anchor human judgement through automation bias, making accuracy testing and training on appropriate reliance levels important governance requirements at this tier.
Level 3 agents act with approval: they can write data, send communications, or modify configurations, but only with explicit human sign-off on each action. Gartner flags that meaningful approval processes can degrade under time pressure or approval fatigue, creating a false sense of safety.
Level 4 agents act autonomously: they execute independently within defined guardrails, with humans reviewing exceptions and aggregate outcomes rather than individual decisions. This is the tier requiring the most rigorous governance, including continuous monitoring, circuit breakers, enforced guardrails, and rapid rollback mechanisms.
What This Means for CX
Governance frameworks built around a single standard cannot distinguish between an agent that summarises a product document and one that autonomously modifies a customer's account. As agents take on more consequential roles in contact centres and service operations, ensuring governance matches the actual risk level of each deployment is likely to be the difference between agents that survive production and those that have to be shut down.
Vendors are already responding to that pressure. Platforms including Kore.ai's recently launched Artemis and ServiceNow's AI Control Tower are building governance into the agent layer itself, responding to a sharp rise in enterprise demand driven partly by incoming EU AI Act obligations. Gartner's research adds something those solutions alone do not provide. It outlines a clear analytical framework for classifying agents by their level of autonomy before deciding which controls to apply, and hopefully a better path through the relatively unknown and untested governance landscape.

