TL;DR: Ninety-six percent of organizations are running AI agents. Only 21% have mature governance over them. The gap between those two numbers is where the next generation of organizational failures will be born. When an AI agent acts and something goes wrong, most companies have no clear answer to the most basic management question: who is responsible? The courts are starting to answer it for them.

There is a management question so foundational that most leaders have never had to think about it consciously: when something goes wrong, who owns it?

In a human workforce, the answer is embedded in the org chart. An employee makes an error; a manager is accountable for the error; a system exists to investigate, correct, and prevent recurrence. The accountability chain is imperfect, and often contested, but it exists. Organizations have spent a century building it. It is the scaffolding under every performance conversation, every incident review, every compliance audit.

Now introduce an agent that schedules meetings, screens applicants, drafts contracts, flags supplier risks, initiates procurement workflows, and responds to customers on the company’s behalf. Ask the same question: when this agent makes a mistake, who owns it? Most large organizations do not have an answer.

In February 2024, the British Columbia Civil Resolution Tribunal ruled against Air Canada after its chatbot gave a passenger incorrect information about bereavement fare refund eligibility. Air Canada argued, with apparent seriousness, that the chatbot was a “separate legal entity” responsible for its own actions. The Tribunal rejected this in terms that should be posted in every enterprise AI deployment room: the company bears responsibility for all information on it shares with customers, regardless of whether a human or an algorithm produced it.

In March 2026, Nippon Life sued OpenAI after ChatGPT helped a claimant draft 44 post-settlement legal filings, including at least one with a fabricated case citation. The fabricated filings cost Nippon Life approximately $300,000 in legal fees to respond to. The lawsuit is not primarily about the hallucination. It is about who bears the cost when AI outputs cause harm in a legal proceeding.

The cases are not isolated. Edelson PC has filed wrongful death and personal injury suits against OpenAI and Google across at least a dozen cases. HSB introduced AI Liability Insurance in March 2026, which is notable not because insurance solves the problem, but because insurance companies do not invent products for risks that do not exist.

What the cases have in common is not the severity of the harm. It is the accountability vacuum underneath each one. The AI acted. Something went wrong. The company had no clear owner of the outcome. Courts are filling the gap the companies left open.

The data on organizational readiness is not ambiguous. According to a 2026 analysis aggregated across enterprise AI deployments, 96% of organizations are already running AI agents. Only 21% have a mature governance model for autonomous AI agents. That means roughly three out of every four companies running agents cannot tell you, with confidence: who approved this agent’s scope of authority? Who monitors its outputs? Who is alerted when it acts outside expected parameters? Who is called when something goes wrong?

The Deloitte 2026 State of AI in the Enterprise report is specific about what mature governance requires and how many organizations have it: approximately 80% lack clear boundaries defining which decisions agents can make independently versus which require human approval; real-time monitoring that tracks agent behavior and flags anomalies; and audit trails capturing the full chain of agent actions. Those three requirements are not exotic. They are the minimum conditions for managing anything consequential in an organization. We apply them to financial transactions, to regulatory filings, to clinical decisions. We are not applying them to the agents we are giving authority to act.

An Accenture and Wharton joint report published in March 2026 stated the problem cleanly: “Intelligence may be scalable, but accountability is not.” The researchers found that more than 50% of working hours across the American economy are now subject to reshaping by AI agents. The accountability structures most organizations rely on were designed before any of that was true.

Here is the mechanism by which this becomes expensive. AI agents do not make isolated errors. They make errors inside workflows, and workflows are connected. A Roborhythms analysis of 2026 enterprise AI deployments describes the cascade pattern: an AI agent mislabels a supplier’s risk rating, which triggers an automated contract review flag, which pauses a procurement approval, which delays a product launch. No single point of failure. A chain of automated reactions, each one reasonable given the preceding step, the whole chain resting on an original error that no one caught because no one was watching.

More than half of all agents deployed in enterprise environments run without security oversight or logging. Only 24.4% of organizations have full visibility into which AI agents are communicating with each other. Twenty-eight percent of US firms report zero confidence in the data quality feeding their agents, which means those agents are reasoning correctly over wrong inputs and producing confidently wrong outputs.

This is not a technology problem. The technology is doing what it was deployed to do. The problem is a management design problem. Specifically: the absence of the accountability infrastructure that organizations build around every other consequential process.

I spent nearly a decade building workforce and organizational design functions from the ground up. The pattern I saw repeatedly was this: new capabilities get deployed faster than the management systems that surround them. The capability is visible. The governance gap is invisible until it becomes a crisis. AI agents are following the same pattern, at a much larger scale and with much faster deployment timelines.

In post-07, I wrote about the governance gap between “we have agents” and “we manage agents.” The data has sharpened since then. What was a gap is becoming a liability, in the literal sense: the EU AI Act’s full enforcement begins August 2, 2026. High-risk AI systems used in employment, credit decisions, education, and similar contexts are subject to mandatory risk management, human oversight mechanisms, and audit trails. Organizations deploying agents in those domains that have not built governance infrastructure are not just operating carelessly. Starting this August, in the EU, they are operating unlawfully.

The EU AI Act approach is notable because it assigns liability to the deployer, not the developer. Companies that deploy AI systems bear responsibility for their operation. The “our vendor’s AI did it” defense has the same legal credibility as Air Canada’s “the chatbot is a separate entity” argument. Courts and regulators are not interested in the internal supply chain of the AI product. They are interested in who decided to deploy it and who was supposed to be watching. Third-party risk management just took on a lot more weight too.

The Accenture-Wharton framing is useful here: accountability is not scalable. You cannot apply more accountability by simply deploying more agents. Every agent added to an organization’s workforce is an additional node of potential error, an additional actor whose outputs need someone responsible for reviewing them. The governance cost grows with every deployment. Most organizations have not accounted for that cost.

The organizations that are getting this right share a specific discipline. Before deploying any agent with consequential authority, they answer four questions: What decisions can this agent make without human approval? Who monitors its outputs and on what cadence? Who is notified when it acts outside expected parameters? Who owns the incident response when something goes wrong?

Those four questions are not technically complex. They are organizationally complex because answering them requires cross-functional alignment among technology, legal, compliance, operations, and business leadership before the agent goes live, not after. Most organizations reverse that sequence. They deploy first, build governance when something breaks.

Forty percent of agentic AI projects were canceled or paused as of February 2026, with governance friction cited as one of the top blockers. The lesson most organizations are drawing from this is that governance slows deployment. The correct lesson is that deployment without governance is not deployment. It is exposure.

The Air Canada ruling was about $812. The Nippon Life suit is about $300,000. The next case may be about a financial transaction an agent initiated, a hiring decision an agent influenced, a contract an agent approved. The scale of the error will match the scope of the authority organizations have handed to agents. That scope is expanding every week.

The question is not whether AI agents will make mistakes. Every workforce makes mistakes. The question is whether the organization that deployed the agent has built the accountability infrastructure to catch errors early, assign responsibility clearly, and correct course before a manageable problem becomes a lawsuit. Most have not.

Here’s How You Take Action

1. Run the accountability audit. For every AI agent currently operating in your organization with consequential authority, ask the four questions: What can it decide without approval? Who monitors its outputs? Who gets alerted when it acts anomalously? Who owns incident response? If you cannot answer all four for a given agent, that agent is ungoverned.

2. Separate deployment authority from governance authority. The team that builds or procures an agent should not be the team that approves its governance model. Conflating the two creates a structural incentive to undercount risk. Someone outside the deployment team needs to sign off that the governance infrastructure is in place before the agent goes live.

3. Map your EU AI Act exposure by August 2. If your organization operates in the EU or deploys AI in employment, credit, education, or similar high-risk domains, full enforcement begins August 2, 2026. Start with which agents touch those domains and work backward through the compliance requirements.

4. Build the incident response protocol before you need it. The organizations best positioned when an AI error escalates are the ones that decided in advance how to respond. Who is notified? Who investigates? Who communicates externally? What is the remediation path? Don’t wait until an incident’s post-mortem to document this.

5. Challenge the deployment velocity. Every new agent added to your organization’s workforce adds governance cost. If your procurement or technology teams are deploying agents at a rate that outpaces your governance infrastructure’s ability to absorb them, the gap is widening, not closing. Deployment velocity is a governance risk metric.

Christina Lexa writes about workforce strategy, organizational design, and the human infrastructure that organizations build or fail to build around new capabilities. Workforce Rewired publishes weekly at the intersection of AI, organizational design, and the future of work. If this piece made you think, share it with someone navigating the same questions.

The views expressed here are my own and do not represent the position of my employer or any organization I am affiliated with.