AI Agents Are Coming to Your Business. Govern Them Before They Arrive.
There’s an important shift happening in AI right now, and it’s one every business owner should understand: the move from AI assistants to AI agents.
An assistant answers questions. You ask, it responds, you decide what to do with the answer. An agent acts. It can read your emails, update your CRM, raise invoices, book meetings, move files, and chain dozens of steps together to complete a task — often without a human checking each step.
That’s an enormous productivity opportunity. It’s also a new category of business risk, and most organisations have no rules in place for it whatsoever.
Why agents change the risk picture
When a staff member makes a mistake, there’s usually a natural speed limit — one person can only do so much damage in an afternoon. Software agents have no such limit. An agent with the wrong instructions or the wrong permissions can make a thousand mistakes before morning tea.
A few scenarios worth thinking about:
- Over-permissioned agents. An agent given broad access “to be safe” can read every file, every mailbox, every customer record. If that agent is manipulated — and there are well-documented techniques for tricking AI systems through the content they read — your entire data estate is exposed through a single point.
- Untraceable actions. If an agent sends an email, updates a record, or deletes a file, can you tell it was the agent and not a person? Without proper logging and identity separation, you can’t answer the most basic question after an incident: what happened?
- Accountability gaps. If an AI agent gives a customer incorrect pricing, makes a commitment on your behalf, or mishandles personal information, your business is still responsible. “The AI did it” is not a defence under New Zealand consumer law or the Privacy Act 2020.
What good governance actually looks like
The good news: governing AI agents doesn’t require a compliance department. It requires a handful of clear, written rules and the discipline to apply them. The essentials:
- An inventory. You can’t govern what you can’t see. Keep a register of every AI agent in use, what it does, what systems it touches, and who owns it.
- Least privilege. Agents get the minimum access required for their task — nothing more. An agent that summarises support tickets does not need access to your accounting system.
- Human-in-the-loop for consequential actions. Define which actions an agent may take autonomously (drafting, summarising, reading) and which require a human to approve (sending external communications, financial transactions, deleting data, anything touching personal information).
- Separate identities and full audit trails. Each agent runs under its own account, never a shared staff login, so every action is attributable and reviewable.
- A kill switch. Someone in your business must be able to stop any agent immediately, and everyone should know who that is.
- Regular review. Agents, like staff, need performance reviews. Is it still doing what it was approved to do? Does it still need the access it has?
The window to do this cheaply is now
Most NZ businesses currently have somewhere between zero and a handful of AI agents in operation. Writing the rules now — while the fleet is small — is a few documents and a workshop. Retrofitting governance after agents are embedded in every department is a project measured in months and incidents.
There’s a competitive angle too. Larger customers and government buyers are increasingly asking suppliers how they govern AI. Being able to hand over a written AI governance framework is rapidly becoming the new “do you have cyber insurance?” — a basic tick required to win the work.
A practical starting point
A workable AI agent governance framework for an SME typically consists of: an AI usage policy for staff, an agent register, an approval process for new agents, defined autonomy levels, and an incident response addendum covering AI-specific events. That’s it. Five documents, aligned to the Privacy Act 2020, reviewed annually.
Intellium has developed a complete AI agent governance framework for New Zealand businesses, aligned with the Privacy Act 2020 and designed to be practical for SMEs — not just enterprises. To talk through what governance would look like for your organisation, contact us by clicking the button below or call 09 630 8118.
