For a couple of years, most business AI has been a clever advisor. You ask, it answers, a human decides what to do. That's a fairly safe arrangement, because the person is still the one pressing the button.
The newer wave changes that. So-called agents don't just answer. They act. They book the thing, send the message, update the record, kick off the next step, and talk to other systems without a human checking each move. That's genuinely useful. It's also where I'd tell any business to slow down and think before rushing in.
More autonomy, more that can go wrong
When AI only suggested, a bad answer cost you a moment of someone's attention. When AI acts on its own, a bad decision can ship before anyone notices. McKinsey's point about this is the right one: as these systems take on more independence, the cost of getting it wrong climbs, and trust stops being a nice-to-have and becomes the thing that decides whether you get any value at all.
The market is already showing the strain. Gartner has forecast that more than 40% of agent projects could be scrapped by 2027, not because the tech can't do it, but because of runaway costs, fuzzy business value, and weak controls. Translated: plenty of companies will build agents they can't justify, can't measure, and can't fully trust, then turn them off.
Governance that isn't just a tick-box
The companies that make this work won't be the ones with the fanciest agents. They'll be the ones who put sensible limits around them. In practice that means a few things worth being firm about.
Keep a human in the loop wherever a mistake is expensive or hard to undo. Let the agent draft, prepare, and recommend on the high-stakes stuff, and let a person approve. Make every action it takes auditable, so you can see after the fact what it did and why. Give it clear boundaries on what it's allowed to touch, and a way to stop or roll back when it goes off course. And be honest about which tasks are safe to hand over fully and which aren't, rather than automating everything because you can.
None of that is glamorous, and some of it slows the rollout down. That's fine. A slightly slower agent you can explain and trust beats a fast one that occasionally does something you can't account for to a customer or a regulator.
The simple test
Here's the question I'd put to any team about to deploy an agent: if it does the wrong thing at 3am while nobody's watching, would you know, could you undo it, and could you explain what happened? If the answer to all three isn't yes, the answer isn't autonomy yet. It's a tighter leash and a human nearby.
The agentic shift is real and it's worth getting into. But the businesses that come out ahead will be the ones who treated trust and control as part of the build, not an afterthought bolted on once something went wrong. That's the version we'd rather help you build: capable, but accountable, with someone always able to see what it's doing.