3 Sources
[1]
Lack of AI governance could force 40% of enterprises to roll back autonomous AI agents by 2027
* Two in five companies could have to scale back AI agents by 2027
* Companies urged to reconsider basic governance policies
* Thorough, four-stage framework introduced

Gartner has warned that as many as two in five enterprises will have to decommission their AI agents by 2027 due to gaps in their governance frameworks that might only be discovered after incidents occur. This is because organizations are either treating AI agents as completely locked down or fully trusted - it's these uniform controls that could end up causing the biggest headaches for companies in the next few years. The report reveals that this could actually present two risks - as well as the obvious miscalculated trust that affords agents access to systems they shouldn't have access to, overly strict policies could lead human workers to other, unapproved tools, adding to the potential data exposure risks.

Governance is a crucial consideration for agentic AI

To move forward, Gartner is advising companies to adopt a four-stage framework for more granular access controls, starting with 'Level 1: Observe'. This would grant AI agents read-only access to defined data sources, with outputs only available to the requesting user.

'Level 2: Advise' would add to this by generating recommendations or proposed actions that must be reviewed manually by humans - under this policy, agents would still have no write access to systems.

For full read-write access, 'Level 3: Act with Approval' would let agents carry out actions, write data and send communications, but only after explicit human approval every single time.

The final policy, 'Stage 4: Act Autonomously', is where AI agents can truly come into their own by executing actions by themselves. Humans would still be involved at the exceptions, audit logs and aggregated outcome levels.

"Because accountability for outcomes remains with the organisation, this level requires the most rigorous governance, including continuous monitoring, enforced guardrails, rapid rollback mechanisms, circuit breakers that halt agent operation on threshold violations and clear ownership for agent behaviour," Senior Director Analyst Shiva Varma explained.

Gartner's report essentially serves to remind enterprises that rushing into autonomy without careful consideration into what agents can read and write could harm security later on. With a calculated approach to governance, enterprises can avoid reactive rollbacks entirely.
[2]
Gartner Predicts 40% of Enterprises Will Decommission Autonomous AI Agents by 2027
"Enterprises are treating AI agent governance as binary, either locked down or fully trusted, and that is the root cause of failure," said Shiva Varma, Senior Director Analyst at Gartner. "Agents operate at different autonomy levels and across different trust boundaries. When the same controls are applied indiscriminately, organizations encounter two common failure modes: over-restriction of simple agents, which slows delivery and drives shadow development, or under-restriction of more autonomous agents, which increases operational, security and compliance risk."
[3]
Gartner: Uniform Governance Is a Death Sentence for Enterprise AI Agents
By 2027, 40% of Enterprises Will Demote or Decommission Autonomous AI Agents Due to Governance Failures

Applying uniform governance to all AI agents, regardless of their autonomy level and scope, can lead to enterprise AI agent failure, according to Gartner, Inc., a business and technology insights company. Failures are most likely to occur when organizations fail to distinguish between an agent's ability to act and the scope of access it is granted. Gartner predicts that by 2027, 40% of enterprises will demote or decommission autonomous AI agents due to governance gaps identified only after production incidents occur.

"Enterprises are treating AI agent governance as binary, either locked down or fully trusted, and that is the root cause of failure," said Shiva Varma, Senior Director Analyst at Gartner. "Agents operate at different autonomy levels and across different trust boundaries. When the same controls are applied indiscriminately, organizations encounter two common failure modes: over-restriction of simple agents, which slows delivery and drives shadow development, or under-restriction of more autonomous agents, which increases operational, security and compliance risk."

To mitigate these risks, Gartner recommends applying a proportional governance approach that classifies AI agents across distinct autonomy levels, with each level representing a different trust boundary and corresponding governance requirements (see Figure 1).

Figure 1: AI Agent Autonomy Levels
Source: Gartner (May 2026)

Level 1: Observe

At Level 1, observe agents are limited to read-only access to defined data sources, with outputs visible only to the requesting user. Common use cases include document summarization, data or knowledge retrieval, and code explanation.

"At this level, governance should focus on baseline controls such as scoped data access, user authentication, usage logging, and basic functional and security testing," said Varma. "Because risk is limited primarily to data exposure and output accuracy, controls should remain lightweight and targeted."

Level 2: Advise

Advise agents generate recommendations, drafts or proposed actions, while humans review all outputs and execute actions manually. These agents retain read‑only access with no write access to any system and are commonly used for email drafting, report or code generation, and decision support. Although humans execute decisions, advisory agents can anchor judgment, creating downstream risk when inaccurate outputs are trusted due to automation bias.

"Governance for advise agents should include all Level 1 controls and extend to addressing output quality and decision influence through accuracy and hallucination testing, domain-specific quality evaluations, and user training on appropriate reliance levels," said Varma.

Level 3: Act with Approval

At Level 3, agents can execute actions such as writing data, sending communications or modifying configurations, but only after explicit human approval for every action.

"At this level, human review is effective only if it remains a meaningful control," said Varma. "Without strong security testing, clear approval workflows with audit trails, and agent‑specific incident response procedures, approvals can degrade under time pressure or approval fatigue, creating a false sense of safety while expanding the attack surface."

Level 4: Act Autonomously

At the highest autonomy level, agents execute actions independently within defined guardrails, with humans reviewing exceptions, audit logs and aggregated outcomes rather than individual decisions.

"When agents operate autonomously, actions are executed at a scale and speed that can outpace human oversight," said Varma. "Because accountability for outcomes remains with the organization, this level requires the most rigorous governance, including continuous monitoring, enforced guardrails, rapid rollback mechanisms, circuit breakers that halt agent operation on threshold violations and clear ownership for agent behavior."
Gartner predicts two in five companies will have to scale back their autonomous AI agents by 2027 because of critical gaps in governance frameworks. The root cause? Organizations treat AI governance as binary—either fully locked down or completely trusted. This uniform approach creates security vulnerabilities and operational risks that often surface only after production incidents occur.
Gartner has issued a stark warning for organizations deploying AI agents: by 2027, 40% of enterprises will demote or decommission their autonomous AI agents due to inadequate governance frameworks [1]. The prediction highlights a critical flaw in how companies approach AI governance—treating it as an all-or-nothing proposition rather than implementing controls tailored to different autonomy levels.
The issue stems from organizations applying uniform governance for AI agents regardless of their capabilities or risk profiles. "Enterprises are treating AI agent governance as binary, either locked down or fully trusted, and that is the root cause of failure," said Shiva Varma, Senior Director Analyst at Gartner [2]. This one-size-fits-all approach creates two dangerous failure modes that enterprises must navigate carefully.

When organizations fail to distinguish between an agent's ability to act and the scope of access it receives, they encounter predictable problems. Over-restriction of simple agents slows delivery and frustrates teams, driving them toward shadow development using unapproved tools—which ironically increases data exposure risks [1]. On the opposite end, under-restriction of more autonomous AI agents grants them access to systems they shouldn't touch, amplifying operational, security and compliance risks [3].

The timing of these governance gaps makes them particularly dangerous. Many organizations only discover critical vulnerabilities after production incidents occur, when AI agents have already caused damage that requires reactive rollbacks [3]. This reactive approach not only disrupts operations but also erodes trust in AI deployments across the organization.
To address these challenges, Gartner recommends enterprises adopt a proportional governance approach that recognizes different trust boundaries. The four-stage framework for access controls provides granular governance tailored to each autonomy level [1].

Level 1: Observe agents operate with read-only access to defined data sources, with outputs visible only to the requesting user. Common applications include document summarization and knowledge retrieval. Governance at this level focuses on scoped data access, user authentication, and usage logging [3].

Level 2: Advise agents generate recommendations or proposed actions that humans must review manually. These agents retain read-only access with no write capabilities. However, advisory agents can anchor human judgment through automation bias, creating downstream risk when inaccurate outputs are trusted. Governance should extend to accuracy testing, hallucination detection, and user training on appropriate reliance levels [3].

Level 3: Act with Approval grants agents the ability to execute actions, write data, and send communications—but only after explicit human approval every single time [1]. Varma warns that human review remains effective only if it constitutes a meaningful control. Without strong security testing and clear approval workflows with audit trails, approvals can degrade under time pressure, creating a false sense of safety [3].

Level 4: Act Autonomously represents where AI agents truly operate independently within defined guardrails. Humans review exceptions, audit logs, and aggregated outcomes rather than individual decisions. When agents execute actions at scale and speed that outpace human oversight, the stakes escalate dramatically. "Because accountability for outcomes remains with the organization, this level requires the most rigorous governance, including continuous monitoring, enforced guardrails, rapid rollback mechanisms, circuit breakers that halt agent operation on threshold violations and clear ownership for agent behavior," Varma explained [1].
For organizations rushing into autonomy without careful consideration of what agents can read and write, the consequences extend beyond immediate security breaches. Enterprises decommission AI agents not just because of technical failures, but because governance gaps undermine confidence in AI systems entirely. With a calculated approach to governance that matches controls to risk levels, companies can avoid reactive rollbacks and build sustainable AI agent deployments that deliver value without compromising security or compliance.
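An added example, not from Gartner or the cited articles: a minimal Python authorization gate that maps the four autonomy levels described above to read/write decisions, per-action approval at Level 3, and a circuit breaker that halts the agent after repeated out-of-policy requests. The class name, reason strings, resource names and the default threshold of three violations are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    OBSERVE = 1
    ADVISE = 2
    ACT_WITH_APPROVAL = 3
    ACT_AUTONOMOUSLY = 4

@dataclass
class AgentGate:
    agent_id: str
    level: Level
    readable: frozenset                 # scoped data sources (Level 1 control)
    writable: frozenset = frozenset()   # guardrail: targets the agent may modify
    max_violations: int = 3             # circuit-breaker threshold (assumed value)
    violations: int = 0
    halted: bool = False
    audit: list = field(default_factory=list)

    def authorize(self, action, target, approved_by=None):
        """Decide one request; every decision lands in the audit trail."""
        allowed, reason = self._decide(action, target, approved_by)
        # A missing approval is a pending request, not a policy violation.
        if not allowed and reason not in ("halted", "approval-required"):
            self.violations += 1
            if self.violations >= self.max_violations:
                self.halted = True      # breaker trips; stays open until reset
        self.audit.append((self.agent_id, action, target, approved_by, allowed, reason))
        return allowed

    def _decide(self, action, target, approved_by):
        if self.halted:
            return False, "halted"
        if action == "read":
            ok = target in self.readable
            return ok, ("ok" if ok else "read-scope")
        if action != "write":
            return False, "unknown-action"
        if self.level <= Level.ADVISE:          # Levels 1-2: no write access
            return False, "no-write-at-level"
        if target not in self.writable:
            return False, "outside-guardrail"
        if self.level == Level.ACT_WITH_APPROVAL and approved_by is None:
            return False, "approval-required"   # Level 3: approval for every action
        return True, "ok"
```

The same resource lists produce different outcomes depending only on the level assigned, which is the distinction between an agent's ability to act and its scope of access.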
Summarized by
Navi