
The Agentic Scope of Authority Framework

Governing the agentic enterprise

In April 2026, an autonomous AI agent in San Francisco was given a three-year commercial lease, a business bank account with $100,000 and a single directive: make a profit. Without human direction or intervention, it opened a store, designed the brand’s aesthetic, purchased inventory, decorated with its own AI-generated art and hired human staff (a move later ratified by a human). 


The company behind it, Andon Labs, built the agent as an experiment in autonomous retail. But when the agent made operational errors, attempting to hire a painter in Afghanistan due to a botched vendor form and failing to schedule staff for opening day, there was no governance document, no designated principal and no clear liability chain. This experiment serves as a stark warning for the modern enterprise. As companies deploy agentic AI to handle supply chains, customer service and procurement, they risk encountering these same systemic failures on a multi-million-dollar scale.


There is a common misconception that society must wait for regulatory bodies to invent entirely new legal systems to govern AI. In reality, the legal frameworks we need have existed for centuries. The challenge is not writing new laws; it's creatively and defensively applying the established principles of agency law to our digital reality. When an AI agent interacts with vendors, customers or partners, the law views that agent through the lens of representation. If your agent agrees to an unfavorable pricing tier, violates a data boundary or hallucinates a discount, you bear the cost.


To safely scale agentic systems, organizations need a simple, defensible governance framework. Where existing security frameworks address the technical governance of AI, we must now govern what the agent is legally authorized to commit the enterprise to. To meet this challenge, Thoughtworks has developed the Agentic Scope of Authority Framework, a comprehensive blueprint designed to establish well-defined boundaries for AI agents, ensuring they operate safely, legally and strictly within their intended mandates.

The core purpose: Actual vs. apparent authority


At its core, the framework is designed to answer a critical question: what is the exact scope of authority granted to this AI agent?


In corporate law, authority is divided into two categories. Actual authority is what the agent is explicitly permitted to do by its principal. Apparent authority is what a third party reasonably believes the agent is authorized to do based on its title and behavior. The disconnect between the actual and apparent authority of an AI agent is perhaps the most underappreciated source of enterprise exposure.


Under agency law and electronic signature regulations, a company can be legally bound by actions that fall entirely outside an agent’s actual authority if a third party reasonably assumed those actions were authorized. This concept originated to make sense of human agents who carry titles and wear badges. It applies identically to AI agents that carry corporate logos, respond on company letterhead, or present themselves with titles like “Procurement Director.”


An agent styled as a “Junior Clerk” carries a fundamentally different apparent authority than one styled as a “VP of Procurement,” even if both operate under identical technical constraints. The public-facing title, the visual identity and the presence of a “subject to human validation” disclaimer are not UX decisions. They are legal design decisions. Our framework requires that these be made explicitly, documented and enforced at the infrastructure layer — for instance, through metadata, authorization policies, constrained prompts and platform-level enforcement controls.

Three tiers of oversight: Translating policy into code


A key innovation of the framework is its categorization of oversight into three distinct levels, clarifying exactly which parts of the governance document must be drafted by human leaders and which must be enforced by your agentic platform.


1. Manual oversight (Setting human intent)


Accountability requires human intent. The framework mandates that every deployed agent must have a 'designated principal' — a specific human executive legally and operationally accountable for the agent's outcomes. Furthermore, humans must explicitly write the agent's core mandate (e.g., "Autonomously source and procure eco-friendly office supplies within Western Europe"). AI cannot define its own legal and operational purpose.


2. Semi-automated oversight (Blended human-in-the-loop control)


Some decisions require human judgment but automated enforcement, particularly when managing apparent authority and escalation paths.


  • Dynamic escalation: If an agent is authorized to negotiate purchases up to $10,000, any negotiation exceeding this limit is automatically paused by the platform and routed to a human supervisor for manual sign-off.

  • Identity styling: The platform automatically injects headers and disclaimers stating that the agent is a digital assistant with limited capacity, explicitly managing and limiting its apparent authority to third parties.


3. Automated oversight (Technical infrastructure guards)


Most operational guardrails must be platform-enforced, establishing organization-wide "sensible defaults" that the agent's core model cannot bypass:


  • Financial constraints: Hard limits on budget consumption, transaction sizes and daily spending caps.

  • Contractual boundaries: "Forbidden clause" lists scanned via natural language processing (NLP) to instantly flag and block negotiations containing unfavorable terms.

  • Failsafes and kill switches: Automatic, soft pauses triggered by system-level anomalies, such as high API error rates or rapid market volatility.

Navigating legal and ethical minefields


When agents move beyond simple automation and begin making active business decisions, they navigate complex regulatory landscapes. The framework addresses these head-on through specific, programmable constraints:


Data privacy and integrity (GDPR, CCPA and beyond)


To comply with global frameworks like the EU's General Data Protection Regulation and the California Consumer Privacy Act, the framework establishes technical 'Data No-Go Zones'. Using role-based access controls, these zones prevent agents from reading or processing sensitive repositories, such as employee HR records, customer personally identifiable information (PII), or protected health data.


Additionally, the framework addresses the risk of secondary use. Organizations must programmatically decide whether an agent is allowed to learn and fine-tune its models from the data it processes, or whether strict, temporary technical silos must be enforced to prevent intellectual property contamination and ensure compliance with regulatory purpose-limitation principles.


Contractual guardrails: The 'never' list


When negotiating with third-party vendors, agents must be constrained by an unyielding list of forbidden terms. If a counterparty’s contract draft attempts to slip in foreign arbitration clauses, demand unlimited liability or assign away your intellectual property, the agent's NLP scanning engine must immediately halt negotiations and trigger a human-in-the-loop escalation.


Explainability (XAI) and drift mitigation


Even the most highly tuned models can drift in behavior over time due to updates, feedback loops or changing context. To prevent unauthorized operational drift, the framework mandates:


  • Explainability (XAI) logging: Every decision made by the agent must be logged alongside the decision context, prompts, tool usage, data sources utilized and execution trace, ensuring an audit trail for legal defense.

  • The 'drift review': Regular, scheduled red team exercises where human engineers and legal specialists run adversarial testing against the agent to verify it still operates within its original actual authority.
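A minimal policy gate showing how the three oversight tiers, the 'never' list and XAI logging described above fit together in code. This is an added example, not Thoughtworks' framework tooling; the agent id, principal, mandate values, thresholds, regex patterns and data-zone names are constructed for illustration.

```python
from dataclasses import dataclass
import json
import re

@dataclass(frozen=True)
class ScopeOfAuthority:  # constructed scope-of-authority record for one agent
    agent_id: str
    principal: str          # designated human accountable for the agent's outcomes
    mandate: str            # human-written core purpose; the agent cannot change it
    negotiate_limit: float  # above this, the platform pauses and routes to a human
    daily_cap: float        # hard platform limit the model cannot bypass
    never_list: tuple       # forbidden contract terms (regex, case-insensitive)
    no_go_zones: frozenset  # data sources the agent may never read
    error_rate_pause: float # API error rate that trips the soft kill switch

PROCUREMENT_AGENT = ScopeOfAuthority(  # all values below are illustrative
    agent_id="procure-eu-01", principal="vp.procurement@example.invalid",
    mandate="Autonomously source and procure eco-friendly office supplies within Western Europe",
    negotiate_limit=10_000.0, daily_cap=50_000.0,
    never_list=(r"unlimited liability", r"arbitration .*\b(singapore|delaware)\b",
                r"assigns? .*intellectual property"),
    no_go_zones=frozenset({"hr_records", "customer_pii", "health_data"}),
    error_rate_pause=0.20)

def evaluate(policy, action, spent_today, api_error_rate=0.0):
    """Gate one proposed action: PAUSE (kill switch), BLOCK (hard limit), ESCALATE or ALLOW."""
    if api_error_rate > policy.error_rate_pause:  # automated tier: system-level anomaly
        return "PAUSE", [f"api error rate {api_error_rate:.0%} above {policy.error_rate_pause:.0%}"]
    reasons = []
    touched = sorted(set(action.get("data_sources", ())) & policy.no_go_zones)
    if touched:  # data no-go zone: never readable, regardless of amount
        reasons.append(f"no-go data zone: {touched}")
    amount = float(action.get("amount", 0.0))
    if spent_today + amount > policy.daily_cap:  # hard financial constraint
        reasons.append(f"daily cap {policy.daily_cap:.0f} exceeded")
    if reasons:
        return "BLOCK", reasons
    text = action.get("contract_text", "")
    hits = [p for p in policy.never_list if re.search(p, text, re.I)]
    if hits:  # 'never' list: halt negotiation and hand to a human
        reasons.append(f"forbidden clause matched: {hits}")
    if amount > policy.negotiate_limit:  # semi-automated tier: dynamic escalation
        reasons.append(f"amount {amount:.0f} exceeds negotiation limit {policy.negotiate_limit:.0f}")
    return ("ESCALATE", reasons) if reasons else ("ALLOW", [])

def audit_record(policy, action, spent_today, api_error_rate=0.0):
    """XAI log line: the decision together with the context needed to defend it later."""
    decision, reasons = evaluate(policy, action, spent_today, api_error_rate)
    return json.dumps({"agent": policy.agent_id, "principal": policy.principal,
                       "mandate": policy.mandate, "action": action, "spent_today": spent_today,
                       "decision": decision, "reasons": reasons}, sort_keys=True)
```

A scheduled drift review can replay stored audit records through `evaluate` and flag any past ALLOW that the current policy would no longer permit.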

The sun is setting on black box agent deployments. The question is not whether an AI agent can act on behalf of your organization; it is whether you have effectively defined the agent’s authority before it does.
Jeremy Gordon & Matt Kamelman
Head of Legal, Americas & Innovation Choreographer

The Thoughtworks advantage: Translating policy into production code


At Thoughtworks, we know that a governance policy sitting in a static corporate slide deck is practically useless when dealing with autonomous AI. If your legal constraints cannot be translated into running code, they do not exist.


Our unique expertise lies in bridging the gap between the Legal and Platform Engineering teams. We help organizations build guardrail architectures that wrap around AI agents. We translate legal limits into event-driven software architectures, secure metadata tagging and cryptographic validation protocols that sit within your automated CI/CD pipelines.


By integrating the Agentic Scope of Authority Framework directly into your developer platforms, we ensure compliance is automated, continuous and built-in by design.


To help organizations kickstart this process, we have developed an interactive assessment tool that walks teams through all nine blocks of the framework, evaluates your enterprise readiness and generates a customized, exportable Scope of Authority blueprint.

Future-proofing for the era of autonomous commerce


As sweeping legal requirements, such as the stringent transparency, risk management and logging requirements of the EU AI Act, are adopted increasingly around the world, the sun is setting on black box agent deployments.


The question is not whether an AI agent can act on behalf of your organization; it is whether you have effectively defined the agent’s authority before it does.


By proactively managing apparent authority, automating financial caps, protecting data boundaries and securing detailed auditability, your organization can confidently deploy AI agents with the peace of mind that they remain secure, compliant and under human control.


The future of business is agentic. Let’s build it responsibly.

Thanks to Juliana Reis for contributing valuable research that informed both this article and the framework.
