The Stack Nobody Ships
The five-layer machine consequence stack now exists in the literature. No single vendor ships it assembled. The market has built dashboards, guardrails, gateways, authorization layers, and runtime pol
Enterprise AI governance has become very good at producing records.
Model inventories. Risk dashboards. Policy documents. Governance workflows. Compliance attestations. Audit trails. Vendor scorecards. All the instruments required to make an oversight committee feel briefly less endangered.
Useful, yes.
Sufficient, no.
The problem is that agents do not merely generate answers. They act. They send emails, update records, call APIs, move cases, create tickets, approve exceptions, retrieve documents, modify entitlements, initiate procurement, and hand work to other agents. Once AI moves from response generation into execution, governance stops being a documentation problem and becomes an authority problem.
The question is no longer just “What did the model say?”
The better question is: “Who authorized the machine to do this, with what evidence, under what scope, before which system executed the action?”
That is a different control problem. It needs a different stack.
Call it machine consequence infrastructure.
Clumsy phrase. Accurate problem.
The Framing Problem
When I refer to the five-layer stack, I am referring to the minimum control architecture an enterprise needs before an AI agent can take consequential action. Consequential action means anything that changes a record, sends a communication, triggers a workflow, moves money, grants access, affects a customer, touches a regulated process, or creates an obligation the enterprise may later have to defend.
This is not the same as model governance. A model governance system can tell you whether a model was reviewed. A guardrail can inspect generated text. A gateway can route and log traffic. A dashboard can show inventory and ownership.
Those are useful, but they do not answer the harder question: whether a specific AI-initiated action was authorized before execution.
That is where the five layers come in.
An agent system needs:
A declared authority scope: who or what has the right to authorize an action.
An evidence record: what the agent knew, retrieved, evaluated, and relied on at decision time.
An escalation path: a named human with verified and scoped authority at the end of the chain.
A refusal mechanism: a signed log of the refusal, not a silent block or vague system error.
An auditable decision artifact: created before execution proceeds, not assembled later by a tired risk team with three spreadsheets and a mild headache.
That is the basic control model for agentic AI. Before an agent touches a real system, the enterprise should be able to prove authority, evidence, escalation, refusal, and decision record.
The literature is increasingly clear on this point. The products are less complete.
A typical enterprise deploying agents in 2026 may have a governance dashboard, an AI inventory, a model card, a content guardrail, and a cloud policy console. Those tools create visibility. They help document what exists. Some help detect unsafe content. Some help monitor model behavior. Some help route traffic.
Very few decide, before execution, whether an AI-initiated action has legitimate authority.
That gap is where the risk sits.
Why This Is Not a Small Gap
When no named human sits in the decision chain, accountability falls to whoever is closest when something breaks.
That is a terrible operating model, but a surprisingly common one.
The McKinsey Lilli incident is useful here, but it needs careful handling. Public reporting claimed that an AI agent discovered weaknesses in McKinsey’s internal AI platform and accessed large volumes of internal conversation data. McKinsey later stated that it had investigated the vulnerability, strengthened safeguards, and found no evidence that client data or confidential information had been accessed.
Both points matter.
The important lesson is not the tabloid version of “AI hacked McKinsey.” The important lesson is that agentic access changes the audit question. When an autonomous or semi-autonomous system probes, retrieves, writes, or escalates across an enterprise platform, the enterprise must prove more than whether the system behaved correctly. It must prove who authorized the action, under what scope, with what evidence, and through which control path.
Many enterprises can reconstruct activity.
Far fewer can reconstruct authority.
That is the accountability gap agentic AI exposes.
Enterprise governance has spent years asking whether AI systems are explainable, fair, safe, and aligned. Those questions still matter. Agents add a harder question: was the machine allowed to do the thing it did?
What the Market Has Actually Built
The market has not ignored this problem. It has built serious pieces around it.
The issue is assembly.
Five product categories now sit around the agent governance stack. Each category is genuine. Each solves a real problem. None, by itself, delivers the full consequence infrastructure layer.
Category 1: AI Governance Dashboards and Inventories
This is the familiar territory.
Products such as IBM watsonx.governance, ModelOp Center, Credo AI, Holistic AI, and similar platforms help enterprises manage AI inventory, risk classification, model lineage, policy mapping, validation evidence, drift monitoring, fairness metrics, and compliance workflow.



