Who Can Say No to Your AI Agent?

Who Can Say No to Your AI Agent?

Amir OfekAmir Ofek· CEO, Co-founder of aizome7 min read

Who Can Say No to Your AI Agent? If You Can't Answer That, You Don't Have Governance.

MIT Sloan Management Review published something last week worth every enterprise AI leader's attention.

The author, Joseph Wallace, Director of Data and AI Governance at Adobe, asks what he calls the real question of AI governance. Not which framework you've adopted. Not whether you have a risk council or a model registry or a compliance dashboard. One question: Who in your organization can say "no" to an AI system that's doing something it shouldn't - and has the authority to mean it?

He notes that most people can't answer it. The infrastructure of governance has proliferated - the policies, the slides, the dashboards - while the ability to actually stop a misbehaving AI system remains unclear in most organizations.

I've been thinking about this question because, for enterprise AI agents specifically, it is even harder to answer than it may seem. And the reason it's harder reveals exactly what most AI governance programs are still missing.

The Question Has Two Parts

When Wallace asks, "Who can say no?" he is asking an organizational question. Who has the authority? Who makes the decision? Who picks up the phone when something goes wrong?

These are the right questions for AI broadly. For enterprise AI agents specifically, there is a second, equally important question that must be answered first: how does anyone know when something is wrong in time to say no?

An enterprise AI agent operating in Finance, HR, or Operations is not producing a document for human review before it goes out. It is executing workflows, accessing data, invoking tools, triggering downstream actions, often with no human in the loop, at machine speed, across systems that were never designed to be observed from a single vantage point.

By the time the question of "who can say no" becomes relevant, the AI agent action has often already happened. The transaction has been processed. The data has been accessed. The permission has been changed. The audit trail shows what occurred, but the moment for intervention has passed.

This is the governance gap that most programs do not fully reckon with: the "who" question is unanswerable without first solving the "how would we know" question.

Why AI Agent Governance Is Harder Than AI Governance

The AI governance conversation Wallace describes- registries, dashboards, risk councils, policies- was built primarily for a world of AI models that produce outputs. A model generates text, a recommendation, a classification. A human reviews it, or the output itself is governed. The chain from AI action to human oversight is relatively clear, even if the organizational accountability around it is murky.

Enterprise AI agents break this chain.

An agent does not produce an output for review. It takes action. It reasons about a problem, forms a plan, invokes tools, makes decisions, and produces consequences, in sequence, at machine speed, across multiple systems, often without surfacing a meaningful checkpoint where a human could intervene before the action completes.

The EU AI Act that Wallace references, which requires documented decision-making, clear lines of accountability, and the ability to show who made a consequential choice, was written for this world. The problem is that, for enterprise AI agents, consequential choices are made continuously, at a pace and scale that make traditional human oversight a bottleneck rather than a means of control.

This is not an argument against human oversight. It is an argument for building the infrastructure that enables meaningful and effective human oversight, which is very different from building dashboards that show you what happened in retrospect.

Three Things That Have to Be True Before Anyone Can Say No

I want to be specific about what the infrastructure of real agent governance requires, because "who can say no" turns out to depend on three capabilities that most organizations have not yet built.

First, you have to know the agent exists.

Wallace notes that most organizations cannot tell you who has the authority to stop a misbehaving AI system. Before you get to authority, you have to get to awareness. Most enterprises today lack a complete, up-to-date inventory of the AI agents operating in their environments. Agents built by employees in workflow tools. Agents enabled by SaaS vendor updates. Agents deployed by engineering teams are moving fast. Gravitee's 2026 State of AI Agent Security Report found that only 14.4% of AI agents go live with full security and IT approval. The rest are running in the environment without anyone having formally acknowledged they exist.

You cannot say no to an agent you do not know about. The governance question starts with discovery, and most organizations have not solved it.

Second, you have to know what the agent is supposed to be doing.

Even for agents that are known and formally registered, "saying no" requires a standard to measure against. What was this agent built to do? What systems should it touch? What actions are within its approved scope, and which are not?

This is organizational intent - the structured definition of an agent's purpose, captured at provisioning and maintained across its lifecycle. Without it, you can observe that an agent is doing something. You cannot determine whether what it is doing is within acceptable bounds.

The absence of organizational intent means the answer to "should we say no to this?" requires a human to reason through the context from scratch every time, which is not a governance model; it is a response model.

Third: You have to know something is wrong before a damage is done.

This is the hardest part. Saying no requires intervention before a consequence. For enterprise AI agents operating at machine speed, that means real-time behavioral observation, continuously evaluating whether what an agent is doing right now is consistent with what it was built to do, and surfacing the signal that warrants intervention before the action completes.

Most governance programs today answer the "who" question and leave the "how would we know in time" question to post-incident review. That is governance theater in precisely the sense Wallace describes: the infrastructure exists, the authority exists on paper, but the actual capability to exercise that authority when it matters is absent.

What "Saying No" Actually Looks Like for Enterprise AI Agents

Let me make this concrete. An enterprise AI agent is operating in a Finance workflow. It has a documented owner, a verified identity, and a defined scope. The organizational intent was captured at provisioning: it processes vendor invoices, queries the ERP, and writes to accounts payable.

Six weeks later, the agent is three hops into a workflow it was never designed for, invoked by a supervisor agent, operating on behalf of a delegation chain that has entirely abstracted the original human authorization. It is about to access a dataset that nobody intended to make available to this workflow.

Who can say no? The owner is identified. The policy is documented. The governance infrastructure exists.

But none of that matters if nobody detected that the agent's behavior diverged from its organizational intent before the access occurred. If the only signal available is the audit log showing what happened after the fact, the authority to say no existed and was never given the chance to exercise itself.

Real governance means the Guardian Agent, the continuous behavioral layer that observes every action against the organizational intent baseline, detects divergence, and surfaces the signal at the moment of execution. The human who has the authority to say no receives an alert before the action completes. The intervention is possible, not merely documented as having been too late.

The Organizational and Technical Questions Are Both Necessary

Wallace is right that the organizational question- who has the authority to say no- is the one most organizations have not clearly answered. It exposes governance theater for what it is: the appearance of control without the substance.

But for enterprise AI agents, the technical question is equally essential. You cannot exercise authority over something you cannot see. You cannot intervene in something you have no real-time signal for. The organizational clarity Wallace calls for and the technical infrastructure aizome is building are not separate concerns. They are two halves of the same answer.

Who can say no to your AI agent?

The real answer has two parts: a named human with clear authority, and a system that tells that human something is wrong in time to act on it.

If you have one without the other, you have half a governance program.

What to Do on Monday

Wallace's article ends with a call to action: find out who in your organization can say no, and clarify the answer if it's unclear.

For enterprise AI agents, I would add three steps before that:

Find out what agents are running in your environment. Not the approved list, the actual list. The number will be higher than you expect, and the access will be broader than anyone authorized.

Establish organizational intent for every agent you find. What was it built to do? Who owns it? What should it never touch? This is the standard that makes "saying no" meaningful rather than arbitrary.

Build the real-time signal. Intent drift detection, behavioral observation at the point of execution, continuous evaluation against the organizational intent baseline. This is what gives the person who has the authority to say no the information they need to say it before it's too late.

The governance question Wallace asks is exactly the right one. For enterprise AI agents, answering it requires more than an org chart. It requires infrastructure.

Amir Ofek is CEO and Co-Founder of aizome, an Enterprise AI Agent Identity Fabric Platform and a founding player in the ARISE - Agentic Runtime Identity Security Enforcement - category.

This post was inspired by "The Real Question to Ask About AI Governance" by Joseph Wallace, published in MIT Sloan Management Review.



Amir Ofek

Amir Ofek

CEO, Co-founder of aizome

Related content

The latest news, technologies, and resources from our team.

  • NIST Just Proved Rules Aren't Enough. Intent-Based Identity Is What Comes Next.

    Darktrace's conclusion from the NIST analysis is that AI security must shift from rules to behavior. This is right. But behavioral detection alone has a limitation that matters for enterprise AI agent governance: it tells you when something looks different. It does not tell you whether what is different is wrong. The answer is not behavior alone. It is identity and intent as the reference layer against which behavior is evaluated.

    Amir Ofek

    Amir Ofek

  • The Enterprise Guide to AI Agent Identity, Governance, and the ARISE Category

    Enterprise AI agents are operating in Finance, HR, Sales, Operations, and IT at organizations across every industry - accessing sensitive data, executing multi-step workflows, and making consequential decisions, often with no human in the loop. The identity and governance infrastructure designed to secure human employees and traditional machine identities was not built for this.

    aizome - Making AI Agents Accountable

  • Why an LLM Is Not the Core Component of Intent Analysis

    Most vendors policing AI agents are using an LLM as the core component of their intent analysis. We think that's the wrong architectural choice - and here's the more nuanced picture of what actually works at production scale.

    Chen Pipek, CPO & Co-Founder, aizome

    Chen Pipek

  • RBAC Is Reaching Its Limit. Intent Is What Comes Next.

    Think of it as a Guardian Agent, a continuous, observant layer whose entire job is to make sure that no matter how fluid an agent's permissions become, it can never veer off course from its approved plan. RBAC defines the boundaries. The Guardian Agent polices them, in real time, for every action, across every session.

    Chen Pipek, CPO and Co-Founder of aizome

    Chen Pipek

  • Intent Is Not a Feature. It's the Architecture.

    Remember when we called it system instructions? Then roles. Then purposes. Then goals? Now it's intent. The term changes with the cycle. The underlying question: does this agent actually do what it's supposed to do? What "intent" actually means architecturally, mechanically, at the point of enforcement varies enormously across implementations. That difference is the difference between controls that hold under pressure and controls that look complete on paper and fail in production.

    Chen Pipek, CPO & Co-founder aizome

    Chen Pipek

Subscribe to the Aizome newsletter

Occasional, substance-first notes on making enterprise AI agents accountable. No spam; unsubscribe anytime.

We use your email only to send you our newsletter. See our privacy policy for how we handle your data. You can unsubscribe at any time.