
Who is accountable when an AI agent acts?

Accountability does not transfer to a model. Named principals, human gates on the decisions that matter, and a record tying every action to who authorized it.

A model cannot be deposed. It cannot sign a certification, sit for an examination, or lose its license. When something an AI agent did goes to a regulator, a court, or a board, the agent is not the one who answers for it — a named human is. Most teams shipping agents have not absorbed the uncomfortable starting point: accountability does not transfer to the software. It stays where it was before the agent arrived, on a person now asked to vouch for decisions they may never have seen.

This is not a philosophical point. It is how liability is allocated in regulated industries. The signature on a batch-release record names a person. The annual certification of an anti-money-laundering program names an officer. The filing of a suspicious-activity report is, by law, a human decision. None of those obligations were written with an exemption for "an agent did it." Delegate the work to a model and the obligation does not move — only the person's ability to answer for it does. That is the gap.

"The model decided" is not a defense

Picture the questions that come after an incident. Who authorized this agent to clear that sanctions hit? Who approved the tool list it was using that day? Show me it did not also sign off on its own work, and that the record has not been altered since.

"The model decided" answers none of them. It is not an account of a decision; it is the absence of one. An examiner, an auditor, or opposing counsel hears it the way they hear "we don't have that record."

Pointing at the vendor or the model provider fails for the same reason. The personally-liable officer cannot subcontract their accountability to a supplier any more than to a junior analyst. They delegated the task. They kept the answer. If they cannot produce the answer, the delegation was the failure.

Three things accountability actually requires

Strip accountability down and it is not abstract. For any action that matters, a responsible person must be able to say three things, with evidence:

  1. Who was acting. The action traces to a named principal — a specific identity, not an anonymous process or a shared service account.
  2. Who authorized it. A named human signed the decision that mattered, and was not the same actor who proposed it.
  3. That the record is intact. The trail tying action to authorization can be shown to be unaltered since the day it was written.

If any one is missing, there is no account — only a story. Most agent deployments today satisfy none of the three. The agent runs under a generic credential, no human gates the consequential steps, and the "log" is an application table anyone with database access could edit. That is not a governance gap. It is an accountability vacuum, and someone with a name ends up standing in it.

Named principals: you cannot answer for an anonymous actor

The first requirement is the one teams skip, because it feels like plumbing. An agent acting under a shared API key or a service account is, for accountability purposes, anonymous. There is no "who." Asked who did this, the honest answer is "a process, on behalf of nobody."

A real control treats every agent as a named principal — an identity that acts as something specific, holds one role at a time, and does nothing anonymously. That naming is the precondition for everything downstream: you cannot authorize, limit, or audit an actor you cannot name, let alone hold a person responsible for it.

It is also what lets accountability flow back to a human. The agent's identity ties to its role, the role to whoever authorized the grant, the grant to a date and an approver. The chain from "this happened" to "this person answers" only exists if the named actor does.

Human gates: keep a person on the decisions that matter

The second requirement is that a person actually decides the things a person is supposed to decide. Not every action needs this — gating everything trains people to rubber-stamp everything, destroying the accountability it pretends to create. The control belongs on the one-way doors, the actions you cannot take back.

Releasing a batch. Filing a report with a regulator. Moving money. Pushing a change to systems in the field. For those, a real human-in-the-loop approval gate parks the run until a named person signs — and captures their reason verbatim, so the signature carries its meaning rather than being a green tick nobody can later reconstruct.

This is where accountability becomes literal. The signer's name, on a specific decision, with a stated reason, recorded at the moment of approval, is the artifact a personally-liable officer needs to answer for the work. A notification fired off while the agent proceeds is a courtesy the agent can outrun. It names nobody.

Segregation of duties: the agent cannot account for itself

One failure an agent makes easy destroys accountability outright: the same actor preparing the work and approving it. An agent can draft a payment, approve it, mark it reconciled, and write the note explaining why — one unbroken run, nobody else involved. No independent party can say the decision was checked.

Segregation of duties for AI agents exists to make that combination impossible, not merely visible. The standard is old and named directly in the rules regulated firms already live under — 21 CFR 211.22 puts the quality unit beyond the reach of production in pharma; the Wolfsberg Group names maker-checker as the four-eye control for high-risk financial-crime decisions. Maker and checker must differ.

If an agent can be both maker and checker on one run, the only party who "reviewed" the decision is the one who made it — no review, no account. Enforcing the separation structurally, so the same agent provably cannot sit on both sides, keeps a second, independent name on the consequential decisions. That second name is the account.

A record that ties action to authorization

The third requirement is the one that survives contact with discovery. Naming the actor and gating the decision are worthless if the evidence can be quietly rewritten, or was not kept.

| Question after an incident | What you need to produce |
| --- | --- |
| Who was acting? | The named principal on the run |
| Who authorized the action? | The signer on the gate, with their reason |
| Could the agent approve its own work? | The recorded refusal, or the excluded requester |
| Has any of this changed since? | A tamper-evident chain that proves it has not |

The record has to do more than exist. It has to be defensible against the claim that it was edited after the fact. A hash-chained, cryptographically signed audit trail a third party can verify offline — without access to your systems, without trusting the vendor — is what turns a log into evidence. Alter one entry and the chain visibly breaks. That is the difference between a record an officer can stand behind and a table counsel can pick apart.

The accountability stays human either way

On 17 April 2026 the Federal Reserve issued SR 26-2, retiring SR 11-7 and scoping agentic AI out of model-risk guidance. There is no agent-specific template to point at — and no template means no safe harbor. The predicate rules underneath did not move, and neither did the people whose names are on them. An agent in the seat does not dilute the obligation; it concentrates the risk, because the same officer answers for decisions made faster than they can watch.

The honest way to read this: an agent is a delegation, and every delegation in a regulated firm comes with a person who keeps the answer. The work is not to blame the model. It is to build the record that lets a named human answer for what the model did — the only thing that has ever counted as accountability, and the precondition for moving agents from pilot to production.

