By Nate Olson, Fractional CIO & IT Director | N.O. IT Strategy LLC
You Can't Delegate Your Way Out of Responsibility. You Own Your AI Agent's Actions.
When you deploy an AI agent, you delegate authority, you don’t delegate responsibility.
The agent can send the email, approve the invoice or promise the customer something, but when it gets one of those wrong, the customer, the regulator and the insurer will all look at you. Which raises the question most businesses haven’t actually answered: who owns the agent?
I’m sure you have heard this advice: make sure a human being is responsible for the Agent. Despite hearing that, I don’t think most businesses have defined what that actually means. Naming someone in a policy is easy, giving that person the authority, information, controls and resources to manage the agent is something else entirely. The question matters more as AI changes from a tool that helps an employee produce work into a system that performs work on the company’s behalf.
That shift has happened quickly. When businesses first started experimenting with generative AI, the primary concern was whether an employee might paste sensitive information into a chatbot or use inaccurate content without reviewing it. Those concerns haven’t disappeared, but the technology has already moved further.
AI agents can now interact with email, customer records, cloud storage, accounting platforms, calendars and other business systems. They can plan a series of steps, select tools and take actions with varying levels of independence.
NIST describes AI agent systems as capable of planning and taking autonomous actions that affect real-world systems or environments. In 2026, NIST began a dedicated AI Agent Standards Initiative and requested industry input on how businesses can secure these systems, constrain their access and monitor what they do.
The Agent Isn’t Just Helping With the Work Anymore
There’s a meaningful difference between asking an AI tool to draft an email and authorizing an AI agent to send one. There’s a difference between asking for a summary of an invoice and allowing an agent to approve it, enter it into the accounting system or contact the vendor about a discrepancy. And there’s a difference between using AI to suggest a response to a customer and allowing it to issue a refund, modify an account or make a promise on the company’s behalf.
In each example, the technology moves one step further into the business process. It’s no longer producing information for a person to consider. It’s exercising authority that previously belonged to an employee.
That authority didn’t appear on its own. The business gave it to the agent. Someone created the account. Someone approved the integration. Someone gave the agent access to email, customer information, financial records or internal systems. Someone selected the instructions, decided how much human review was necessary and accepted the possibility that the agent might get something wrong.
An AI agent isn’t an employee, an officer or an independent decision maker. It can’t accept responsibility for a loss, explain itself to a regulator, sit for a deposition, answer a customer complaint or decide whether the company is willing to carry a particular risk. It operates on authority the business delegated to it.
So when I ask who owns an AI agent, I’m not asking who installed it or who uses it most often. I’m asking who had the business authority to approve what it can do. That person should understand the intended outcome, the information the agent can access, the actions it can take and the consequences if it makes a mistake. That person should also have enough organizational authority to restrict the agent, require additional controls or stop the deployment entirely.
NIST’s AI Risk Management Framework makes the same distinction. It calls for clearly documented roles, responsibilities and delegated authorities, and it asks who’s ultimately responsible for decisions produced by an AI system. NIST also says the responsible people must be empowered, trained and able to challenge or correct AI deployment decisions.
A name without authority isn’t ownership. It’s administrative decoration.
Air Canada Already Tested That Argument
Their chatbot gave a customer incorrect information about the company’s bereavement fare policy, and when the customer relied on it, Air Canada argued the chatbot was a separate entity responsible for its own actions.
The British Columbia Civil Resolution Tribunal rejected that argument. It found the chatbot was part of Air Canada’s website and that Air Canada remained responsible for the information it provided to customers. The tribunal found the company had failed to take reasonable care to ensure the chatbot’s information was accurate.
This was a Canadian tribunal decision, not a sweeping United States precedent, and it involved a customer-facing chatbot rather than the more capable agents businesses are deploying today. It doesn’t answer every future question about AI liability, but it establishes a practical lesson every business owner should understand. Delegating a task to AI doesn’t delegate the responsibility for it. A company can’t give technology a public-facing role and then treat the technology as a separate party when something goes wrong.
The agent may have written the message, selected the action or completed the transaction, but the business chose to deploy it. The customer, employee, regulator or injured party will still look to the business for an answer.
Insurance Is Starting to Ask the Same Question
The insurance market is beginning to separate AI risk from the general technology risk businesses may have assumed was already covered.
Verisk’s Insurance Services Office has filed new optional commercial general liability endorsements addressing generative AI. One form, CG 40 47, can exclude bodily injury, property damage and personal and advertising injury arising from generative AI. A narrower version, CG 40 48, applies to personal and advertising injury. These are optional forms, so their existence doesn’t prove every carrier will use them or that they’re attached to a particular company’s policy.
The point isn’t that every business is suddenly uninsured. The point is that AI exposure is no longer guaranteed to remain silent inside traditional coverage.
Berkley Insurance Company’s Form PC 51380 00, titled “Artificial Intelligence Exclusion (Absolute),” makes the issue even more concrete. The endorsement applies to Berkley management liability coverage forms for directors and officers, employment practices and fiduciary liability. It excludes certain claims based upon, arising out of or attributable to the use, deployment or development of AI by any person or entity. Its language specifically addresses inadequate AI policies, procedures or training, products or services incorporating AI, statements about a company’s use of AI, and representations allegedly made by a chatbot or virtual customer service agent.
That endorsement won’t be part of every policy, and its application to a claim would depend on the complete policy, the facts and the applicable law. Business owners shouldn’t read about one exclusion and conclude their insurance provides no AI protection. They should ask a better question: has anyone reviewed the company’s actual policies and endorsements against the ways the company is currently using AI?
The market is already offering separate coverage as well. In March 2026, HSB announced AI liability coverage for small and medium-sized businesses intended to address some AI-related bodily injury, property damage and advertising injury claims that general liability policies may exclude. HSB stated the coverage remained subject to regulatory approval and would be distributed through participating insurance carriers.
Exclusions on one side and new coverage products on the other tell me the same thing. Businesses can’t assume every AI-related risk automatically fits inside the policies they already have.
What Owning the Agent Actually Requires
No business would hire an employee, provide them with access to critical business systems on day one, skip the job description, put them in a headlock, give them a noogie, and send them out the door. That’s how you treat a kid brother, not someone with the keys to your business.
But that’s exactly how many businesses are deploying AI agents. Friendly, casual, and completely unsupervised.
The agent deserves the same discipline as the hire. When I say someone needs to own an AI agent, I mean a named person needs to approve and continue overseeing several specific decisions.
The owner approves the purpose.
The business should be able to explain why the agent exists and what outcome it’s expected to produce. “Improve efficiency” isn’t a sufficient answer. The business should know whether the agent is intended to reduce response times, qualify sales leads, process invoices, update records or communicate with customers. Without a defined purpose, there’s no meaningful way to determine whether the agent is working correctly or whether its access is justified. The owner approves the boundaries.** The responsible person should know what the agent is allowed to do and what it’s prohibited from doing. Can it draft an email but not send it? Recommend a refund but not approve one? Update customer contact information but not change pricing or payment details? These boundaries should be documented before deployment, not discovered after an incident.
The owner approves access.
An AI agent can only cause harm within the systems and information it can reach. The owner should know which accounts the agent uses, which records it can view, which records it can modify and whether it can reach sensitive customer, employee, financial or confidential business information. Access should follow the same principle businesses should already use for employees and vendors: the minimum necessary to perform the approved function, not broad access because it’s easier to configure.
The owner decides where a human must intervene.
Human oversight needs to mean more than placing a person somewhere near the process. The business should identify the specific actions that require approval and the conditions that trigger escalation. Higher financial values, unusual customer requests, legal commitments, sensitive data, employment decisions and actions that can’t easily be reversed should receive more scrutiny than routine administrative work. The important question isn’t whether a human is technically involved. It’s whether that person has enough information, time and authority to prevent a bad action.
The owner requires evidence.
The business should be able to reconstruct what the agent did. That means maintaining appropriate logs, approval records, system activity and changes to the agent’s instructions, integrations or permissions. It also means monitoring whether the agent stays within its approved purpose and whether its performance has changed. An agent that appeared safe during a demonstration may behave differently when it encounters real customer data, unusual requests, conflicting instructions or changes made by the technology provider.
The owner has the authority to stop it.
Every material AI deployment should have a clear suspension and shutdown process. The responsible person should know who can disable the agent, revoke its access, preserve relevant records and move the process back to a human workflow. That process shouldn’t depend on the employee who originally configured the tool being available during an incident. The ability to stop the agent is part of owning it.
The owner confirms how the remaining risk is handled.
Controls reduce risk, but they don’t eliminate it. Someone must decide whether the remaining risk fits within the company’s tolerance. That decision may require input from leadership, legal counsel, the insurance broker, the technology provider, cybersecurity and the department using the agent. The owner doesn’t need to be an expert in every one of those areas. The owner does need to recognize when those perspectives are required and make sure the questions are answered before the agent is trusted with business authority.
The Owner Isn’t the Scapegoat
I don’t believe businesses should name an AI owner just so they have someone to blame later. The company remains responsible for the deployment. Leadership approves the budget, establishes the risk tolerance and decides whether the expected benefit justifies the exposure. The named owner keeps the decision visible. That person makes sure the agent has a defined purpose, appropriate access, documented boundaries, meaningful oversight and a clear escalation path.
For that structure to work, leadership must give the owner real authority. An employee can’t be held responsible for an agent while being denied the ability to limit its permissions, question the business use or stop it when the risk becomes unacceptable.
Responsibility without authority isn’t governance. It’s liability assignment.
What Sign-Off Should Look Like
Not every use of AI requires a lengthy committee process. Asking an AI tool to help organize meeting notes doesn’t carry the same risk as giving an agent access to the accounting system or letting it communicate directly with customers. The level of governance should follow the level of authority.
Before a material AI agent is deployed, I’d expect the sign-off to identify:
The business purpose and expected outcome.
- The named business owner and technical owner.
- The systems and information the agent can access.
- The actions it can take independently.
- The actions that require human approval.
- The actions it is prohibited from taking.
- The method used to test its performance.
- The records and logs that will be retained.
- The incident escalation and shutdown process.
- The vendor’s responsibilities and contractual obligations.
- The applicable insurance policies and endorsements that were reviewed.
- The date when the deployment will be reviewed again.
That doesn’t need to become a hundred-page governance package. It does need to exist somewhere other than inside the memory of the person who configured the tool.
The Question Leadership Needs to Answer
The question is no longer whether employees are using AI. In many businesses, that question was answered before leadership knew to ask it.
The next question is how much authority the business is willing to give AI, and who has the authority to approve it.
Before an AI agent can act for a company, someone should be able to explain what it may do, what it may access, where it must stop, how its actions will be reviewed and what happens when it’s wrong. Someone should also confirm whether the company is prepared to absorb the loss or has insurance that may respond.
The AI agent can’t sign that decision. It can’t accept the remaining risk, and it can’t stand in front of a customer, regulator, insurer or ownership group and explain what happened.
A person still has to do that.
That’s what owning the AI agent actually means.
Sources and References
- National Institute of Standards and Technology. “CAISI Issues Request for Information About Securing AI Agent Systems.” January 12, 2026.
NIST describes AI agent systems as capable of planning and taking autonomous actions affecting real-world systems or environments. The request also addresses controls for constraining and monitoring agent access within deployment environments. - National Institute of Standards and Technology. “Announcing the AI Agent Standards Initiative for Interoperable and Secure Innovation.” February 17, 2026.
NIST formally announced its AI Agent Standards Initiative and identified emerging agent uses that include managing email and calendars, interacting with internal data, and operating on behalf of users. - National Institute of Standards and Technology. “NIST AI Risk Management Framework Playbook: Govern.”
The NIST playbook addresses clearly defined AI risk-management roles, delegated authority, ultimate responsibility for AI decisions, human oversight, continuous monitoring, incident response, approval processes, and organizational risk tolerances. - Moffatt v. Air Canada, 2024 BCCRT 149, paragraphs 27–28. British Columbia Civil Resolution Tribunal, February 14, 2024.
The tribunal rejected Air Canada’s argument that its chatbot should be treated as separately responsible for its statements. It found that the chatbot was part of Air Canada’s website and that the company had not taken reasonable care to ensure its information was accurate. The official CanLII case summary reproduces the relevant portions of the decision. - Verisk, ISO Core Lines Services. “Emerging Risks in ISO General Liability Multistate Filing.” July 25, 2025.
Verisk announced a multistate general-liability filing containing endorsements addressing generative AI and described the forms as providing insurers with additional underwriting options for emerging exposures. - Independent Insurance Agents & Brokers of America, Virtual University. “Verisk to Roll Out New General Liability Exclusions for Generative AI Exposures.” October 21, 2025.
This insurance-industry reference identifies CG 40 47 as the optional ISO endorsement addressing Coverage A and Coverage B, and CG 40 48 as the narrower Coverage B-only endorsement. It also identifies CG 35 08 for products and completed operations. - Insurance Services Office, Inc. Form CG 40 48 01 26. “Exclusion: Generative Artificial Intelligence, Coverage B Only.” © 2025.
The actual sample endorsement states that personal and advertising injury arising out of generative artificial intelligence is excluded from Coverage B. The sample is hosted in the FC&S insurance form library. - Berkley Insurance Company. Form PC 51380 00 (06-24). “Artificial Intelligence Exclusion (Absolute).”
The actual endorsement amends Berkley’s directors and officers, employment practices, and fiduciary liability forms. It addresses claims arising from AI use or deployment, inadequate AI policies or training, AI-enabled products and services, chatbot representations, AI-related disclosures, and regulatory obligations. The form is hosted publicly by Hunton Andrews Kurth. - HSB, a Munich Re company. “HSB Introduces AI Liability Insurance for Small Businesses.” March 18, 2026.
HSB announced AI liability coverage intended for small and medium-sized businesses. The release identifies potential bodily injury, property damage, and personal and advertising injury coverage and states that the product is subject to regulatory approval and will be offered through HSB’s participating insurance-carrier partners.
