Accountability and ownership — the agent is never the accountable party.
When an autonomous agent issues a wrong refund, deletes the wrong records, or sends a defamatory email, "the model did it" is not an answer anyone — a customer, an auditor, a court — will accept. Accountability cannot be delegated to software; it always lands on a person or an organization. The failure mode in practice is not malice, it is a diffusion of responsibility where everyone touched the system and no one owns its decisions. This essay is about assigning that ownership before the incident: the operator role, RACI for autonomous actions, and sign-off that means something.
Accountability does not transfer to the agent.
An agent is an instrument; instruments are not accountable, the people who deploy them are. This is not a philosophical aside — it is the design premise everything else follows from. Saying "the AI decided" is, in governance terms, equivalent to "we deployed a system that took this action and we had not assigned anyone to own that". The autonomy of the agent does not create an accountability gap; it relocates accountability onto whoever chose to grant that autonomy, scope it, and ship it. The job of governance is to make that person explicit in advance, because an unassigned accountability becomes a diffuse one, and a diffuse one becomes nobody's.
The operator role: a named human owns this agent in production.
Every agent in production needs an operator — a specific, named human or role accountable for what it does while it is running. Not the team, not "AI governance" in the abstract: a person who can answer for this agent's actions, has the authority to pause or revoke it, and is expected to. The operator owns its scope and permissions, its escalation path, and the decision to keep it running after an incident. An agent without a named operator is an agent nobody is accountable for — which, the first time it does damage, is discovered to mean everyone and therefore no one.
"Operator" is a governance role, not a job title — it can be on-call rotation. The non-negotiable is that for any given action there is always a determinable human answer to "who was accountable for this".
RACI the autonomous action, not just the project.
Teams RACI the project and forget to RACI the action. For agent governance the unit that needs Responsible / Accountable / Consulted / Informed is the autonomous decision itself. Concretely, for each class of agent action: who is Accountable (singular — the operator or their chain), who is Responsible for the agent behaving (the building team), who must be Consulted before high-consequence classes act (legal, security, a domain owner), and who is Informed when they do (audit, affected business owners). The output is a small table mapping action class to a single accountable owner.
# RACI per agent action class — Accountable is always singular action_class A R C I "read_only" operator eng-team — — "refund <= 1k" operator eng-team — audit "refund > 1k" finance-lead eng-team fin-controls audit "delete_customer" dpo eng-team legal,sec audit
Sign-off is a decision with a name and a date, not a checkbox.
"It was approved" is worthless if approval was a green button anyone could press without reading. Meaningful sign-off has three properties: a named approver with the authority to bear the consequence, a recorded basis (what they reviewed — the risk assessment, the eval results, the scope), and it is captured in the audit trail (C1) so the decision and its owner survive staff turnover. This applies both to deploying the agent and, for high-consequence action classes, to specific runtime approvals. The point of sign-off is not ceremony; it is converting a diffuse "the team decided" into a specific person who decided, on a date, on a stated basis.
Map autonomy to the accountability it requires.
The right amount of human ownership scales with consequence and reversibility, and the mapping should be explicit, not improvised per incident. Low-consequence, reversible actions can be fully autonomous under the operator's standing accountability. As consequence rises, accountability has to be exercised closer to the action: an operator reviewing exceptions, then explicit pre-action sign-off by a named approver, then dual control (the separation of duties from C2). The agent's capability may be constant; the accountability structure around it tightens as the stakes rise — and that ladder is decided in advance and recorded, so an incident never becomes an argument about who was supposed to be watching.
The honest tradeoff.
Explicit accountability has a cost: it puts named people on the hook, which they will reasonably resist, and it slows down high-consequence paths with review and sign-off. The pressure is always to leave it implicit and ship faster. But implicit accountability is not lighter governance — it is a guaranteed post-incident scramble where the diffusion of responsibility is itself the finding, and the absence of a named owner is read as negligence. Name the operator and the accountable owner per action class before the agent is autonomous; an action no specific person owns is an action your organization owns by default, on the worst possible terms.