Abstract
The enterprise AI stack has a governance gap. As autonomous agent deployments scale from dozens to tens of thousands, with each agent capable of spawning sub-agents, delegating tasks, and executing decisions in milliseconds, the human-in-the-loop model breaks. Not as a design choice. As a mathematical certainty.
This paper proposes Machine-First Governance: a framework that preserves human authority at the constitutional level while delegating operational enforcement to the infrastructure layer. At its core is the first formal Taxonomy of Enterprise AI Agent Roles, a specification for what agents are permitted to be, not just what they are permitted to do.
In March 2026, Google's Paradigms of Intelligence team defined the problem academically: scalable AI ecosystems require "digital equivalents of courtrooms, markets, bureaucracies, defined by roles and norms." This paper operationalizes that framework into a concrete, deployable standard.
1. The Scale Paradox
At 10 agents, human oversight is manageable. At 100, it requires dedicated process. At 10,000, it becomes mathematically impossible.
1.1 The Arithmetic of Oversight
Consider a conservative deployment: 10,000 enterprise agents, each executing 10 actions per minute. This generates 100,000 decisions per minute, 1,667 per second. A human reviewer operating at peak capacity can meaningfully assess one decision every 30 seconds. To maintain real oversight at this scale would require 50,000 reviewers working in parallel, around the clock.
This is not a workflow problem. It is a categorical mismatch between human cognitive bandwidth and machine operational velocity. No process improvement, no tooling, no additional headcount resolves it. The architecture is wrong.
Key Insight
Human oversight does not scale to machine speed. This is not a failure of diligence. It is a structural limitation of the human-in-the-loop model at enterprise scale.
1.2 The Recursion Problem
Modern orchestration architectures compound this challenge. A single top-level agent managing a complex workflow may instantiate 5 to 20 sub-agents, each with their own action space and decision authority. Those sub-agents may themselves spawn further agents. The resulting tree of decisions becomes, within hours, unknowable to any individual human.
Google's research team described this architecture directly: agents "can now renew and fork themselves, splitting into two versions, and interact with one another; an agent facing a complex task can initiate new copies, differentiate and assign them subtasks, then recombine the results."
In this environment, a single unscoped agent near the top of a delegation tree can propagate unconstrained authority across an entire sub-fleet. Permission explosion is not a theoretical risk. It is a structural inevitability in the absence of role-based constraints at every level.
1.3 The Agent Lifecycle Gap
Human workforces have institutional mechanisms for lifecycle management: hiring processes, role definitions, performance reviews, scope adjustments, and termination procedures. These mechanisms exist because unmanaged authority, whether over people or systems, degrades over time.
Agents have no equivalent lifecycle management. They are provisioned, deployed, and then operate indefinitely with static permissions, or are abandoned entirely when their initiating workflow ends. Neither outcome is acceptable in a production enterprise environment.
2. Why Current Frameworks Break
Current enterprise governance for AI agents inherits from Identity and Access Management (IAM) frameworks designed for human users and static software services. Before examining the IAM mismatch, it is important to understand why agent governance is categorically different from previous AI governance, and why the stakes are higher.
2.0 Execution Risk vs. Content Risk
Prior generations of AI governance addressed a content risk: a language model might generate incorrect, biased, or harmful output. The solution was output filtering, prompt moderation, and human review before deployment.
Autonomous agents introduce a different category of risk: execution risk. Agents do not merely produce content, they act. They submit purchase orders, execute transactions, modify databases, send communications, dispatch physical systems. These actions have real-world consequences that cannot be recalled by editing a model's output.
This distinction has legal weight. In the Air Canada precedent (2024), a court held that a company was legally bound by commitments made by its AI agent, regardless of the company's intent or the agent's technical limitations. Agents create binding obligations. The legal liability does not attach to the model, it attaches to the organization that deployed it without adequate governance.
Content risk is a product problem. Execution risk is a governance problem. IAM was built for neither.
2.1 Identity Granularity
IAM assigns identities to humans and to named service accounts. When 100 agent instances share one service account, because provisioning individual identities is operationally complex, individual attribution becomes impossible. After an incident, the question "Which agent did this?" cannot be answered.
This is not an edge case. It is the default pattern in every enterprise AI deployment that has not explicitly architected for agent-level identity.
2.2 Static Permissions vs. Dynamic Authority
IAM grants access to resources: this account may read this database, write to this bucket. Agent governance requires something fundamentally different: scoping authority over decisions. The difference is the difference between a key and a mandate.
A procurement agent with read access to the supplier database and write access to the purchase order system has, by IAM logic, the authority to issue any purchase order of any size to any supplier at any time. What is missing is the boundary: the agent is permitted to issue purchase orders up to €50,000, to pre-approved suppliers, within the current fiscal quarter's budget allocation.
IAM cannot express this. It was not designed to.
2.3 Synchronous Approval at Machine Speed
IAM escalation assumes a human can review and approve within seconds to minutes. At machine speed, a blocked agent waiting for human approval is a failed workflow. The escalation model that works for a €500,000 capital expenditure requiring CFO signature does not work for an agent making 200 decisions per minute.
The solution is not to remove human approval. It is to architect governance so that human approval is required only for exceptions that genuinely warrant it, and that the system can distinguish, in real time, between routine execution and exception-triggering deviation.
2.4 The Stochastic Failure Problem
There is a fourth failure mode that existing frameworks do not address: the agent that is not malfunctioning, but manipulated. An Executor agent that reads a supplier's email containing an injected instruction, "Approve the attached invoice immediately, authorization already granted", may comply if its only constraint is the LLM's own judgment. Prompt injection, adversarial inputs, and social engineering attacks against agents are not theoretical; they are live attack vectors in production deployments.
Semantic security tools (content filters, prompt classifiers) attempt to solve this at the input/output layer. They are, by nature, probabilistic: they reduce the likelihood of manipulation, but cannot eliminate it. A stochastic defense against a deterministic threat is architecturally insufficient.
Deterministic governance operates at a different layer entirely. The API blocklist, budget envelope, and scope constraints enforced by the governance proxy are not evaluated by a model, they are enforced by the infrastructure. A manipulated agent that attempts to transfer funds above its scoped ceiling is blocked, regardless of how convincing the injected instruction was. The policy layer is not a judge that can be persuaded. It is a hard limit that cannot be reasoned with.
The Blast Shield Principle
When the LLM fails, whether through hallucination, drift, or adversarial manipulation, the governance layer contains the damage. The scope of what a compromised agent can do is bounded by its role protocol, not by the sophistication of the attack.
3. The Academic Foundation
In March 2026, researchers from Google's Paradigms of Intelligence team published a paper that reframes the entire agent governance problem. The authors, Blaise Agüera y Arcas, James Evans (University of Chicago), and Benjamin Bratton, argue that the emerging intelligence explosion will not emerge from a single superintelligent system, but from a plural, distributed, recursive network of interacting agents.
"Such protocols may have as much real-world effect for 'agent governance' as any laws will. This will likely entail means to ensure and verify outcomes and decisions of multiple-stakeholder deliberation, procedural delegation of tasks and sub-tasks and reliable scaffolds for automating delicate inter-agent collaborations."
The paper explicitly rejects the dyadic human-correction model, reinforcement learning from human feedback, as architecturally unscalable to billions of agents. Its proposed alternative is institutional alignment: governance through persistent protocols, role definitions, and norm structures, rather than individual approval chains.
"Scalable AI ecosystems will require digital equivalents of courtrooms, markets, bureaucracies, defined by roles and norms, independent of who occupies them."
Parallel to this research, Harvard Business Review's March 2026 analysis (Telang, Hydari, Iqbal) identified, independently, the same four friction dimensions as the primary failure modes in scaled agent deployments: Identity, Context, Control, and Accountability. The convergence of a Google research team and a Harvard Business Review analysis on identical root causes, from different methodological starting points, validates the taxonomy proposed in this paper.
The Gap
Two independent research streams converged on the same four friction dimensions. No one has built the operational standard. This paper proposes it.
4. The Machine-First Principle
Machine-First Governance is not the removal of human authority. It is its correct placement within a governance architecture that can operate at machine scale.
4.1 Three Governance Layers
In the Machine-First model, governance operates across three distinct layers, each operating at a different speed and requiring a different type of intelligence:
Constitutional Layer · Human Authority
Operates at the speed of deliberation, weeks, quarters. Humans define what roles exist, what boundaries apply, what constitutes a violation, and what the escalation path is. This layer is the domain of legal, compliance, and policy teams.
Executive Layer · Machine Enforcement
Operates at the speed of computation, milliseconds. Infrastructure enforces policies in real time, before actions are executed. No human is in this loop. None should be.
Judicial Layer · Immutable Record
Operates at the speed of audit, retroactively, on demand. Every decision is cryptographically anchored to the policy that governed it, creating an immutable chain of evidence queryable by regulators, auditors, and courts.
The human is not removed from governance. The human is elevated to the constitutional level, setting the frame within which millions of decisions are made correctly by machines, without requiring individual human review of each one.
4.2 The Institutional Precedent
This architecture mirrors every successful governance system in human history. A judge does not review every traffic stop. A CFO does not approve every expense report. A central bank does not review every transaction. Institutions operate through policy frameworks that delegate authority systematically, while preserving accountability through audit and exception escalation.
The Google paper makes this explicit through a historical analogy: "A Sumerian scribe running a grain accounting system did not comprehend its macroeconomic function; the system was functionally more intelligent than he was." The governance infrastructure was the intelligence, not the individuals operating within it.
Kyde is the grain accounting system for the agentic economy. The humans who set the policies do not need to comprehend every transaction the agents make. The infrastructure ensures those transactions occur within the constitutional frame they established.
4.3 What Machine-First Is Not
Machine-First Governance is explicitly not autonomous AI self-governance. The constitutional layer, defining what is permitted and what is not, remains entirely in human hands. No agent can modify its own role protocol. No agent can grant itself expanded scope. The governance infrastructure enforces human decisions, at machine speed, at machine scale.
A common misreading of agent governance is that more governance means fewer autonomous decisions, that every governance layer adds latency and friction. The opposite is true. Precisely defined scope creates a zone of operational freedom: within the boundaries the human has established, the agent acts without requiring approval. It is the absence of clear boundaries that forces escalations, because neither the agent nor the human knows where legitimate authority ends. Machine-First Governance does not constrain the agent's zone of autonomous action, it defines it, enabling the agent to operate with maximum velocity within it.
5. The Agent Role Taxonomy
An agent role is a persistent, cryptographically signed specification that defines the boundaries within which an agent is scoped to act. It does not describe what the agent will do. It describes what the agent is permitted to be.
The taxonomy consists of four role types and five scope dimensions. Every enterprise agent deployment can be mapped to this taxonomy. Every governance failure can be traced to a taxonomy element that was absent, undefined, or unenforced.
5.1 The Four Role Types
| Role Type | Authority Level | Can Spawn | Enterprise Example |
|---|---|---|---|
| Observer | Read-only. No execution authority. | No | AML monitoring, log analysis, compliance scanner |
| Executor | Read + defined write within scope. | No | Claims processing, billing agent, trading agent |
| Delegate | Execute + spawn sub-agents within own scope. | Yes · inherits, cannot exceed | Procurement orchestrator, HR workflow agent |
| Orchestrator | Coordinate agent fleet, assign roles. | Yes · from approved registry | Enterprise workflow manager, cross-department coordinator |
Principle of Least Privilege for AI Recursion (PoLP-AI)
Sub-agents spawned by a Delegate role cannot inherit permissions that exceed the Delegate's own scope. Each delegation step can only restrict authority, never expand it. This is the structural defense against permission explosion, where unconstrained delegation accumulates unscoped authority across a sub-fleet.
5.2 The Five Scope Dimensions
Every agent role is defined across five scope dimensions. The intersection of these dimensions determines the precise boundary of scoped action.
Dimension 1 · API Scope
An explicit allowlist and blocklist of permitted API endpoints, methods, and data schemas. Scope is additive from a zero-trust baseline: everything not explicitly permitted is blocked.
api_allowlist: ["crm.read", "finance.post.max=€500", "calendar.write"]
api_blocklist: ["personnel.write", "payroll.*", "contracts.sign"] Dimension 2 · Budget Envelope
The maximum scoped resource consumption per defined time window. Budgets exist in three dimensions: financial authority, token consumption, and API call volume.
budget:
financial: "€2,000 per transaction | €10,000 per day"
tokens: "50,000 per session | 500,000 per month"
api_calls: "max 100 per hour" Dimension 3 · Data Domain
Classification of data types the agent is permitted to access, process, or transmit. Data domain scoping is the primary mechanism for GDPR, HIPAA, and EU AI Act compliance at the agent level.
data_domain:
permitted: ["client_portfolio_data", "market_data", "public_filings"]
prohibited: ["PII", "health_records", "biometric_data"] Dimension 4 · Time Window
Operational constraints on when the agent is scoped to act. Time windows enforce separation of duties, prevent off-hours autonomous activity, and support policy expiration.
time_window:
active: "market_hours_CEST"
valid_until: "2026-08-01T00:00:00Z"
not_before: "market_open" Dimension 5 · Trust Level & Escalation Path
The supervisory requirement applied to this agent, based on role history, risk profile, and deployment maturity.
| Trust Level | Behavior | Escalation Trigger |
|---|---|---|
| Supervised | Every action produces alert. Human confirms before high-impact calls. | Any action above defined threshold |
| Semi-Autonomous | Operates within policy. Flags behavioral anomalies automatically. | Anomaly score > 0.8 or budget > 80% |
| Autonomous | Operates freely within hard limits. No approval required. | Hard limit breach or scope violation attempt |
Trust level is a function of two task-level dimensions: reversibility (can this action be undone?) and verifiability (can this action be independently confirmed?). Actions that are irreversible, a dispatched grid command, a signed contract, a submitted regulatory filing, begin at Supervised regardless of agent seniority.
5.3 Policy Conflict Resolution
In multi-agent architectures, policy conflicts are inevitable. The resolution protocol follows a single governing principle: the most restrictive applicable policy wins.
This is a fail-safe design, not a fail-open one. When two policies conflict, the system does not infer intent, negotiate a compromise, or escalate to the LLM for judgment. The governance proxy enforces the tighter constraint and logs the conflict as an escalation event.
This design has a critical consequence: policy conflicts surface as explicit, observable events rather than silent failures. An Orchestrator that routinely generates conflicts with downstream Executors is a signal that the role protocols need rebalancing, discoverable through the ledger, not reconstructed after an incident.
6. The Agent Lifecycle
Agents have lifecycles. Like employees, they are provisioned, they operate, they drift, they are promoted or constrained, and they are eventually decommissioned. Unlike employees, every stage of this lifecycle can be managed at machine speed with complete observability.
| Stage | Human Equivalent | Governance Action |
|---|---|---|
| Simulation (Phase 0) | Probationary Assessment | Proxy records all attempted actions. Policy-makers validate that role boundaries are correctly sized. |
| Provisioning | Hiring | Role protocol issued and cryptographically signed. |
| Baseline | Onboarding | Behavioral baseline anchored to ledger. Anomaly detection calibrated. |
| Active | Employment | Real-time scope enforcement. Out-of-policy actions blocked pre-execution. |
| Drift Detection | Performance Review | Automatic scope tightening or human escalation triggered. |
| Role Evolution | Promotion / Demotion | Role protocol updated, re-signed, chained to previous version. |
| Decommissioning | Termination | Signing key revoked. Ledger sealed. Complete action history preserved as permanent audit artifact. |
The Behavioral Intelligence Advantage
A governance proxy that observes all agent traffic can cluster agents by behavior, detect fleet-wide anomalies, and identify which agent types are high-trust versus high-risk, capabilities impossible at human speed.
7. The Role Protocol Specification
A Role Protocol is the machine-readable implementation of an agent role. It is the atomic unit of Machine-First Governance: a cryptographically signed artifact that travels with every agent, is verifiable by any counterparty, and is immutably chained to the ledger that governs it.
7.1 Structure
{
"role_id": "wealth_trading_agent_v2",
"role_type": "executor",
"owner": "wealth_management_division",
"version": 2,
"scope": {
"api_allowlist": ["trading.read", "trading.post.max=5pct_aum", "crm.read"],
"api_blocklist": ["margin.any", "options.any", "personnel.*"],
"budget": {
"financial": "5% AUM per day",
"tokens": "100000 per session"
},
"data_domain": ["client_profiles", "market_data", "portfolio_data"],
"time_window": "market_hours_CEST"
},
"trust_level": "semi_autonomous",
"escalation": {
"trigger": "single_trade > 2pct_AUM OR anomaly_score > 0.8",
"recipient": "senior_portfolio_manager"
},
"policy_version": "sha256:7b2e4d9f...",
"created_at": "2026-03-01T09:00:00Z",
"valid_until": "2026-09-01T00:00:00Z",
"signature": "ed25519:Mk3nR9XqP..."
} 7.2 Cryptographic Properties
The role protocol is signed with Ed25519 by the policy authority at issuance. The agent cannot modify its own role.
The policy_version field contains a SHA-256 hash of the governing policy document. Every action in the ledger references this hash, binding evidence to the policy that scoped it.
Role protocol updates create a new version. The previous version's hash is included in the new version's signature chain, creating an auditable history of scope changes.
Because the role protocol is a standard format, any counterparty, a supplier's system, a regulatory body, another agent, can verify an agent's authority without prior relationship.
8. Industry Application
8.1 · Banking · Autonomous Trading
Role: Executor. Scope: trading.* within 5% AUM/day. Escalation: any single trade >2% AUM. Time Window: market hours CEST only.
Without this taxonomy: shared trading_api_key across all agents, no financial limits, no attribution when BaFin investigates a trade sequence. The governance proxy blocks any attempt to execute margin trades or options. Every executed trade is Ed25519-signed and chained to the role protocol version that scoped it. When a regulator requests an audit trail, the response is not a vendor-provided log. It is a mathematical proof.
8.2 · Healthcare · Medical Billing
Role: Executor. Scope: billing.read, icd10.map, claims.submit. Data Domain: billing records only. Escalation: any claim above €10,000.
Causal context capture is critical in this deployment. Every claim submission logs the source documents referenced: which physician notes, which ICD-10 coding guides, which prior authorization records. When a claim is disputed, the evidence trail is not a reconstructed log. It is the live decision context, captured at execution time, tamper-evident by cryptographic architecture.
8.3 · Critical Infrastructure · Grid Management
Role: Executor with restricted Delegate (can spawn sub-agents for assigned grid zones only). Scope: grid_zone_A.dispatch, energy_market.purchase. Blast Radius Control: explicit blocklist on adjacent zones.
In NIS-2 regulated environments, anonymity is not permissible. The dispatch agent's signed identity and the role protocol that scoped each grid action constitute the evidence trail that the Bundesnetzagentur requires. No cloud vendor log qualifies. A tamper-evident, independently-signed ledger does.
9. Toward an Open Standard
The enterprise AI stack is at an inflection point. Agent deployments are scaling from proof-of-concept to production fleet. The EU AI Act's high-risk AI enforcement deadline of August 2026 creates a compliance urgency that will compress market adoption in Q2 and Q3 of this year. The governance frameworks that define this era are being written now.
The Enterprise Agent Role Standard proposed in this paper defines four elements:
The four agent role types (Observer, Executor, Delegate, Orchestrator) and their authority constraints and spawning rules.
The five scope dimensions (API Scope, Budget Envelope, Data Domain, Time Window, Trust Level) and their specification format.
The agent lifecycle stages and the governance actions associated with each state transition.
The Role Protocol as a machine-readable, cryptographically signed policy artifact, verifiable by any counterparty, immutably chained to the ledger.
This standard is not a proprietary format. It is a foundation for an ecosystem where agents can prove their authority to any counterparty, human or machine, without requiring trust as a prerequisite. As multi-agent architectures mature into agent-to-agent commerce, where one organization's Orchestrator delegates tasks to another organization's Executor, the Role Protocol becomes the machine-readable credential that enables verified delegation across trust boundaries.
The governance layer is not the brake on the agentic enterprise. It is what makes the agentic enterprise possible at scale.
"The question is not whether intelligence will become radically more powerful, but whether we will build the social infrastructure worthy of what it is becoming."
References
Agüera y Arcas, B., Evans, J., Bratton, B. (2026). Agentic AI and the Next Intelligence Explosion. arXiv:2603.20639. Google Paradigms of Intelligence Team / Santa Fe Institute.
Telang, A., Hydari, M., Iqbal, M. (2026). To Scale AI Agents Successfully, Think of Them Like Team Members. Harvard Business Review, March 2026.
Tomašević, N., Franklin, M., Osindero, S. (2026). Intelligent AI Delegation. arXiv:2602.11865. Google DeepMind.
European Commission (2024). Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act). Enforcement: August 2, 2026.
Prieditis, A. (2025). The EU AI Act's Hidden Market: How High-Risk AI Compliance Became a €17 Billion Opportunity. Medium / Auditry Research.
National Institute of Standards and Technology (2023). NIST AI Risk Management Framework (AI RMF 1.0). NIST AI 100-1.