Who Controls an AI That Acts on Its Own? The Global Scramble to Govern AI Agents
Autonomous AI agents act with little oversight. With the EU AI Act deadline looming and Singapore the first to respond, how the world is racing to govern them.
A new kind of software is quietly taking over routine work: AI agents that do not just answer questions but take actions, booking, buying, sending, and changing things on a user's behalf. They are useful and fast. They are also hard to govern, because an agent can act with little record of what it did, when, or why. Regulators around the world are now racing to catch up.
The accountability problem
The core challenge is traceability. When an autonomous agent makes a decision, organisations often cannot reconstruct the full chain of what happened and on whose authority. That is a problem for the IT leaders held responsible, and for regulators: a company that cannot trace an agent's actions cannot prove to anyone that its systems are operating safely or lawfully.
Europe sets a deadline
The European Union's AI Act is the first binding law to bite. Its requirements for high-risk systems take effect in August 2026, and any business operating in the EU or serving EU residents must bring its agents into line by then. The law demands human oversight for autonomous agents, with defined points where a person can monitor, and a mechanism to stop, correct or override the agent's operations.
The catch is that, as of early 2026, European regulators had not issued detailed guidance on how agentic systems should actually be assessed, leaving providers to interpret broad principles without clear benchmarks. Agents also fall under a thicket of other EU rules at once, from the GDPR and the NIS2 Directive to the Cyber Resilience Act and the Product Liability Directive.
Singapore moves first on specifics
While Europe sets the deadline, Singapore moved first on the detail. In January 2026 its Infocomm Media Development Authority released what is described as the world's first governance framework built specifically for agentic AI. It introduces three notable ideas:
| Idea | What it does |
|---|---|
| Agent Identity Cards | A standard way to disclose what an agent is and what it may do |
| Five-tier autonomy levels | A graduated taxonomy from low to high autonomy |
| Operator-deployer responsibility | A framework that allocates liability clearly between parties |
Why it matters everywhere
Because the EU rules apply to any company serving EU customers, and because frameworks like Singapore's tend to become templates, these decisions will shape how AI agents are deployed in the United States, the United Kingdom and beyond, regardless of each country's own pace. For businesses, the message is already clear: before letting an AI agent act on its own, you need to be able to watch it, stop it, and prove what it did. The technology is racing ahead. The rules, for once, are trying to keep up.