ORIGINAL FRAMEWORKS
Two axes. Agent count versus authorization coverage. One number tells you where you are. Most organizations cannot produce either number.
The reconciliation problem typically surfaces at the worst possible moment, during examination prep, when the team that deployed the original agents has turned over and nobody owns the registry. The matrix exists because most organizations discover their agent count by asking the wrong people.
Free to read and cite with attribution to Sougata Roy and sougataroy.com. Do not republish, rebrand, or claim authorship of any framework, term, or model as your own.
AGENT PATHWAY DECISION TREE
The problem
Inside the organization
The framework
The matrix has two axes. Understanding what each one measures is the prerequisite for placing your organization accurately on it.
Axis
The horizontal axis is Agent Count. This is the actual count of AI systems operating in the environment, including systems deployed without formal approval. Velocity is what IT thinks is deployed. Count is what a cross-functional inquiry produces. These are not the same number.
Axis
The vertical axis is Authorization Coverage. This is the percentage of deployed AI systems with all four governance artifacts verifiably in place. This is not a tier score or a policy commitment. It is a ratio. It can be calculated from two numbers. If you cannot calculate it today, that inability is the finding.
Governance artifacts
The matrix
The Governance Readiness Matrix gives organizations a precise, calculable way to understand where they are. Not as an abstract self-assessment. Not as a maturity model that requires expert scoring. As a ratio, calculated from two numbers your organization either has or cannot produce - and the inability to produce them is itself a finding.
LOW COUNT / HIGH COVERAGE
Low deployment velocity and high governance maturity. Few deployments, but each one is fully governed. The organization has built governance discipline before scaling. This is the right starting position for an enterprise that has not yet deployed AI broadly. The risk here is specific and worth naming: governance processes designed for low volume often do not survive the transition to scale. Organizations in this quadrant should redesign their governance process for the velocity they expect, not the velocity they currently have.
Good starting position, specific risk.
HIGH COUNT / HIGH COVERAGE
High deployment velocity and high governance maturity. Every new deployment goes through an established governance process. The organization can produce authorization records for its AI systems on demand, as a routine operational capability, not in response to a triggering event. The shadow agent population is low and declining. The intake process is enforced consistently, including for urgent deployments. This is the destination. It is currently occupied by a small minority of enterprises. The organizations that are there did not arrive by accident. They built the intake process before they needed it.
Destination state.
LOW COUNT / LOW COVERAGE
Low deployment velocity and low governance maturity. Few deployments, and governance is not yet in place. The organization is in an AI pilot phase. This quadrant is only genuinely low-risk if two conditions hold simultaneously: the pilots remain genuinely limited in scope and data access, and governance infrastructure is being built before scale begins. Most organizations in this quadrant believe they have more time than they do. The transition from pilot to production happens faster than governance programs develop.
Only low-risk if two conditions hold.
HIGH COUNT / LOW COVERAGE
Most commonHigh deployment velocity and low governance maturity. This is where most enterprises are in 2026. Deployment has outpaced governance. Many AI systems are operating without authorization records, without named accountable owners, or without compliance review. The organization knows it has AI systems running. It does not know the complete count, and it cannot produce governance artifacts for a significant portion of them on demand. The signal for this quadrant is the gap between what leadership thinks is deployed and what a discovery exercise reveals. The shadow agent population grows with every passing quarter in which no intake process exists.
MOST COMMON
The path forward
Step 1 is establishing the velocity count. Inventory every AI system currently operating in your environment. The count must include systems deployed through official channels and systems deployed by teams without formal approval. Ask IT, compliance, procurement, and individual business units separately, then compare their answers. The gap between what any single source says and what a cross-functional inquiry produces is the baseline measure of how much shadow AI exists in your environment. The count that matters is the actual count, not the approved count.
Board governance review
This framework guides the board through a four-step evaluation to move from "Urgent" or "Prepare" postures toward a "Sustain" posture, based on deployment velocity and governance maturity.
Current posture is determined by agents in production versus existing governance documentation.
Accurate answer -> correct intervention.
Estimated answer -> misallocated resources.
Maturity is defined by whether governance work keeps pace with deployment velocity.
Governance growing with deployment -> on track.
Deployment outpacing governance -> debt accumulating.
Movement requires specific investment in registry infrastructure, documentation programs, and headcount.
Cost of governance vs cost of governance debt - compare before deciding.
In regulated environments, governance posture has a quantifiable liability value.
Unquantified exposure is the most expensive governance debt.
Moving quadrants is a resource decision, not a values decision. Leadership that understands which quadrant it is in can make the investment case. Leadership that does not is making the decision by default.
Why it lasts
Who it is for
Quick reference
A one-page reference card for calculating your governance position and identifying your quadrant in a single working session.
QUICK CHECK
Calculate your Governance Debt Ratio and identify your quadrant in two inputs.
Executive FAQ
These are the questions that separate a maturity policy from an operating governance system. If the answer is not visible in the matrix, the coverage ratio is still an assumption.
60-minute operating sprint
Use this as a live governance exercise. Leave the session with named evidence, a visible gap, and a next owner rather than another discussion note.
Working session board
4
Steps
60
Minutes
1
Owner
Live
Decision
15 minutes
How many AI agents or AI-enabled tools does your organization currently operate? Include Copilot, Copilot Studio agents, any automation using AI APIs, and any third-party AI tools accessed by employees. Write the number down. If you cannot produce a number, that is itself a governance maturity finding - you are in the deployment velocity axis without knowing your position.
Output
Written evidence ready for the next governance decision.
15 minutes
For each deployment, how many have: a documented authorization record, a named human owner who knows they own it, a defined review date that has not passed, and a record of compliance review before deployment? Count how many have all four. This is your governance maturity score.
Output
Written evidence ready for the next governance decision.
15 minutes
If you have 40 deployments and 4 have full governance artifacts, your ratio is 10 percent. This places you on the matrix. Most organizations are in the upper-left quadrant - high agent count, low authorization coverage - before they know it.
Output
Written evidence ready for the next governance decision.
15 minutes
Among the deployments without governance artifacts, which one has access to the most sensitive data? Which one would be most difficult to explain to an examiner without documentation? That is where remediation starts.
Output
Written evidence ready for the next governance decision.
Referenced in
"Who Owns the Agent?" applies this framework to real-world deployment scenarios and maps it to named governance incidents from 2024 to 2026.
White paper
The Intent Architecture Stack white paper, ten sections, complete diagnostic, named incident analysis, Intent Document template.
Research brief
Source: McKinsey and Company, "State of AI Trust in 2026: Shifting to the Agentic Era," March 25, 2026. Survey of approximately 500 organizations, December 2025 to January 2026.
Continue through the connected framework sequence above.