WHITE PAPER · FRAMEWORK RESEARCH
The Organizational Accountability Architecture That Existing Governance Frameworks Require But Do Not Implement at the Agent Level
Who it is for
CISO AND CTO
You need to answer the board's accountability question before the next agentic AI deployment. This paper gives you the three-layer governance architecture that makes that answer possible, built before the incident, not assembled under pressure during it.
SECURITY ARCHITECT
You need an organizational design framework to work against, not a policy checklist. This paper gives you a diagnostic, a risk proportionality model, and a pre-deployment gate you can enforce.
BOARD MEMBER
You need to understand what governance evidence you should be asking for. This paper shows you the three documents any board should be able to request for any deployed AI agent, and what it means when they cannot be produced.
The governance question
The meeting had been going for forty minutes when the board chair held up a printout and asked a simple question. Three weeks earlier, the organization's AI agent had sent a draft contract amendment to an external counterparty. The agent had been configured to draft, not to send. The version it sent was not the current version.
The compliance team had logs. The security team had the audit record. The IT team had the agent configuration file. What none of them had was a document written before the incident that answered the chair's question: who in this organization authorized that agent to act, and how is that authorization documented?
Logging tells you what happened. It does not tell you who was responsible. Those are two different questions, and only one of them survives a board meeting.
Board question
Before any AI agent is deployed in your environment, does your organization have a formal record of what it was authorized to do, who made that authorization, and under what conditions that authorization must be reviewed?
White paper structure
Eight named incidents. The gap between auditability and accountability.
NIST AI RMF, EU AI Act, ISO 42001, CSA Agentic Profile, Microsoft. What each requires. What none of them specify.
Three layers. Context, Intent, and Governance. Each layer produces a document. Together they answer the board question.
Fifteen quick-scan questions. A full practitioner diagnostic for each layer. Designed for a 90-minute working session with the business unit that owns the agent.
Not every agent needs the same documentation depth. Three risk tiers. A complete Tier 2 Intent Document template.
OCC, FINRA, Federal Reserve, FINMA. The shift from governance language to evidence language.
Three stages. Accumulation, Recognition, Resolution. IBM's $670K shadow AI breach cost figure. The Agent Sprawl three-tier structure.
Microsoft Entra Agent ID, Purview, Agent 365, Copilot Studio. EchoLeak (CVE-2025-32711) and RoguePilot mapped to the Intent Architecture Stack.
The three-layer documentation set. What each document must contain. The governance test each must pass.
A Stage 3 organization in operational terms. The one test a mature governance program passes without preparation.
Vocabulary
CONCEPTS
The organizational design layer that defines what an AI agent is authorized to do, who authorized it, and what happens when it acts outside those boundaries. Built before deployment. The Intent Architecture Stack is the operational framework that implements this concept.
Explore the frameworkCONCEPTS
The unplanned divergence between what an organization genuinely intended an AI system to do and what it actually does in production. It is not a deployment failure. It is a monitoring failure.
Explore the conceptCONCEPTS
The accumulated accountability design work deferred while deploying AI at speed. It builds the moment a deployment goes live without authorization, a named owner, or a compliance review.
Explore the conceptCONCEPTS
The implicit belief that accountability for an AI agent's decisions resides with the vendor, the platform, or another team. Regulators have started saying explicitly that vendor terms of service are not a defense.
Explore the conceptCONCEPTS
The proliferation of AI agents without corresponding governance architecture. It operates across three tiers, each requiring a different governance response.
Explore the conceptGET THE PAPER
Free to read and cite with attribution to Sougata Roy and sougataroy.com. No gate. No form.
The Intent Architecture Stack · Framework White Paper v1.0 · May 2026
Ten sections. A complete diagnostic for all three governance layers. A Tier 2 Intent Document template. Named incident analysis across Air Canada, Meta, Upstart Holdings, Microsoft, AWS, and six others. Every statistic cited to a named primary source with a publication date.
PDF · Framework white paper · 10 sections · Full diagnostic · Intent Document template
Not legal advice. Views are my own.
Related frameworks
Three organizational layers every enterprise must design before any agent goes live. The framework that implements the concepts in this paper.
Open frameworkAgent count versus authorization coverage. The matrix that places your organization in one of four quadrants and makes the governance gap calculable.
Open frameworkThree tiers. One deployment. A map of who owns what across the provider, the platform, and the deploying organization.
Open frameworkThree stages every organization moves through as its Governance Debt ratio changes. The lifecycle the paper's Stage 1/2/3 model describes.
Open frameworkFive steps for establishing the actual count of AI agents operating in your environment. The first step toward closing the governance gap.
Open framework