The incident review had the shape these reviews often have.

The system had not failed in a cinematic way. There was no single catastrophic model answer. No dramatic outage. No executive discovering, in one clean moment, that the organisation had handed a material decision to a machine. The failure was slower and more ordinary. A vendor-embedded workflow had started making recommendations that downstream staff treated as decisions. A queue moved faster. A customer cohort was affected. The first complaints looked like edge cases. By the time the pattern was visible, nobody in the room could say who had been authorised to pause the workflow three weeks earlier.

Someone said there was an AI committee.

It did not help.

The committee had reviewed the pilot. It had noted the risk assessment. It met monthly, carried reasonable membership, and produced minutes that would look responsible to anyone reading them later. What it did not have was authority to interrupt the live operating process before the next meeting. The Tuesday-afternoon test from the opening essay had arrived, and the governance design answered with a calendar invitation.

This is the first trap in Responsible and Agentic AI Governance. Organisations create a new AI forum because the technology feels new, but the actual power stays where it always was. Product owns rollout. Technology owns tooling. Risk owns appetite. Procurement owns the vendor. Privacy and security each own a slice of the facts. Operations owns the process the customer experiences. The AI committee can recommend. It can ask for analysis. It can escalate politely through the system. But an agentic workflow that can call tools, route work, change records, or shape human decisions will not wait for a monthly committee to become brave.

Governance becomes useful here only when existing forums are hardened. Not decorated. Hardened. The risk committee needs AI decision-quality evidence it can act on. The investment forum needs authority to stop work that has drifted outside strategic posture. Technology and operations need pause, rollback, and resumption conditions. The board needs exception reporting that can move risk appetite and funding, not a quarterly AI update with reassuring traffic lights. A separate AI committee may still be useful as a coordinating forum. But if it can only recommend, it is not the control. It is commentary.

Three of the four gates in the AI Operating Model cascade live inside this pillar. Strategy sets the upstream posture: where the organisation will and will not compete with AI. Responsible and Agentic AI Governance then has to carry D6.1 authority, D6.4 reversibility, and D10.5 notification triggers through the forums that already govern risk, change, operations, technology, and external accountability. The dependency map matters because these gates are not independent artefacts. Authority without reversibility becomes a stop button with no path for affected people. Reversibility without notification triggers becomes internal service recovery when the issue may have crossed an external threshold. Notification without authority becomes a late paper trail.

D6.1 starts with an inventory that is more practical than most organisations want it to be. Who approves the use case. Who owns the live workflow. Who can pause it while facts are incomplete. Who can override the model or agent. Who accepts residual risk. Who briefs the board. Who speaks externally. The framework is role-neutral on AI leadership because structure is not the test. A CAIO can work. An expanded CIO, CDO, or CTO mandate can work. CEO-direct ownership can work. A regulated three-lines-of-defence model can work. What fails is the gap between nominal ownership and actual interruption rights.

D6.4 is the design work that stops reversibility being a promise made after the damage is visible. An affected customer, employee, supplier, citizen, or internal stakeholder needs a route back through the decision when the outcome matters: intake, explanation, attribution, human review, correction, closure, and evidence. A low-risk drafting assistant does not need the same contestability design as an agentic workflow shaping eligibility, pricing, prioritisation, employment outcomes, or market-facing communication. But when the workflow matters, reversibility cannot be a mailbox attached at launch. It has to be part of the operating design.

D10.5 is where organisations discover whether their incident process can handle AI without pretending AI has its own special legal universe. There is no AI-specific Australian notification scheme as at May 2026. Existing schemes — OAIC’s Notifiable Data Breaches scheme (NDB), APRA prudential standards, ASIC notifiable matters, the Security of Critical Infrastructure Act 2018 Notification of Cyber Security Incident (NSCI, Part 2B) for designated critical-infrastructure assets, DTA reportable-incident pathways for Commonwealth agencies, and ASX continuous disclosure for listed entities — apply where their preconditions are met.

A separate upcoming change: from 10 December 2026, new APPs 1.7–1.9 will require entities to disclose in their privacy policies how personal information is used in substantially-automated decisions affecting individuals. That is transparency, not notification, but it lands on the same accountability surface.

Specialist counsel owns the threshold and timing calls at each clock. Privacy counsel determines NDB eligibility. Specialist regulatory counsel determines the notification trigger and clock. Employment counsel determines consultation timing. Anti-discrimination specialists determine the protected-attribute analysis. Commercial and technology counsel determine contract language, indemnification, and evidence-access terms. Security architects determine cryptographic specifics for agent identity and incident attribution. The operating-model question is narrower and more useful: whether incident classification, accountable officers, vendor evidence handoff, executive briefing, preservation of logs, and reconciliation back to risk forums are in place before a clock starts.

The Australian anchors sharpen the point because they already live in existing governance. APRA is the prudential regulator. CPS 230 is operational resilience: maintaining critical operations within tolerance levels through severe disruption and managing material service provider arrangements. CPS 234 is the information-security prudential standard. If an AI-enabled vendor, model platform, or embedded SaaS workflow touches a critical operation or material service provider arrangement, the question is not whether the AI committee has been briefed. The question is whether the accountable operational-resilience forum can see the dependency, evidence the tolerance position, and act when the service path is no longer defensible.

OAIC is the privacy regulator. The Privacy Act is the Privacy Act 1988 (as amended by the Privacy and Other Legislation Amendment Act 2024). AI does not make every poor output an eligible data breach, and governance should not pretend it can answer that question by slogan. It should preserve the facts privacy counsel needs to make the legal call. What personal information was involved. Who was affected. What access or disclosure occurred. What remedial action was taken. When the organisation became aware. Whether serious harm is likely is the lawyer’s question. Whether the facts can be reconstructed at all is the operating model’s. That capability has to exist before the legal conclusion.

ASIC brings a different pressure: market conduct, licensing, disclosure, consumer harm, and the integrity of financial markets. An AI workflow that produces misleading market-facing content, distorts advice processes, changes customer treatment, or weakens supervision may not be an “AI incident” in any special statutory sense. It may simply be a conduct problem with AI in the evidence chain. DTA settings matter for Commonwealth agencies in scope, including responsible use, transparency, impact assessment, and procurement expectations. AICD guidance shapes director governance expectations. None of this asks for amateur legal advice inside the operating model. It asks for the facts, forums, and decision rights that get the right specialists engaged early enough to matter.

This pillar is larger than the three gates I have focused on here. D5 Agent Architecture asks how autonomy, tool access, identity, evaluation, and human review are bounded before release. D7 Ethical AI and Risk asks how affected persons, harms, fairness, explainability, and regulatory mapping are recognised before the pilot becomes normal work. D8 Vendor Governance asks whether contracts, evidence access, incident support, model-change notice, concentration risk, and exit paths fit AI-shaped dependencies. D9 AI Security asks whether non-human identities (NHI), telemetry, shadow AI, and bring-your-own-AI (BYOA) behaviour are visible to the control plane. The full pillar treatment sits at Responsible and Agentic AI Governance. This essay is making the narrower point because it is where the dysfunction shows first.

A committee that can recommend but not stop is not governance for agentic AI. It is a record of concern.

The hard work is less glamorous: make the existing forums able to pause, explain, reverse, and evidence the decision while there is still time to change it.

This is the third thesis essay. The twelve-dimension framework moves from strategy into responsible governance; the next essay takes Pillar 3 Enablement.