The governance gap in agentic AI is no longer a secret. UC Berkeley published 67 pages on it earlier this month. The World Economic Forum addressed it in 2024. Singapore’s Cyber Security Agency released agentic AI guidance in late 2025. Industry practitioners are writing about it on LinkedIn. The problem has a name, a growing body of research, and broad agreement that model-centric governance cannot contain it.
What nobody has published is the structural infrastructure to close it.
The gap sits at a specific point on the autonomy spectrum: where AI shifts from recommending actions to taking them between human reviews. Checkpoint-Based Governance (CBG) and the GOPEL v0.6.1 specification were designed to close exactly this gap through forced human arbitration at defined decision points, cryptographic audit trails that capture what happens between approvals, and provider plurality that catches errors no single platform can detect on its own. Berkeley’s Agentic AI Risk-Management Standards Profile, authored by Madkour, Newman, Raman, Jackson, Murphy, and Yuan (2026), independently confirms the risks. The operational infrastructure to address those risks predates the report.
The Problem: Governance Built for Recommendations Meets AI That Takes Action
The industry has converged on a rough spectrum of AI autonomy, inspired by the SAE International levels for autonomous vehicles and refined by the World Economic Forum (2024), Vellum AI (2025), Singapore’s IMDA, and multiple research groups. No single canonical version exists. Berkeley’s report explicitly notes that consensus on autonomy level frameworks remains absent. The composite that follows represents the emerging shared vocabulary, not a settled standard.
At L0, the human controls everything. At L1, the AI recommends and the human approves each action. Most organizations believe they operate here. At L2, the AI acts within defined boundaries and the human reviews periodically. At L3, the AI operates independently with human exception handling. L4 involves full workflow management by the AI with human goal-setting and outcome review. At L5, the AI operates independently while the human observes.
The fracture point sits between L1 and L2: the moment AI starts making decisions between human reviews. That shift doesn’t announce itself. It arrives through vendor updates, feature releases, and integration defaults that quietly move the boundary. When an AI tool starts automatically categorizing, routing, prioritizing, or escalating work based on its own analysis, the organization has crossed into L2. When an AI system triggers actions in connected systems without waiting for human sign-off, the organization has crossed into L2. Many already have without recognizing it because no one redrew the governance boundary when the capability changed.
The practical diagnostic: ask whether any AI system in the organization can take an action that no human explicitly approved beforehand. If the answer is yes, governance must account for what happens in the intervals between reviews, measured by whether the audit trail captures autonomous decisions with the same rigor it captures human-approved ones.

The Risks: What Berkeley Validated
Checkpoint-Based Governance was designed around a specific observation: in multi-step AI workflows, errors compound. A mistake at step three affects all subsequent steps. Ethical alignment shapes the AI’s disposition, but disposition alone cannot prevent compounding failures in autonomous operation. Governance requires intervention points where human judgment can intercept errors before they cascade. That argument was published in Governing AI and formalized in the GOPEL v0.6.1 specification before Berkeley’s report existed.
Berkeley’s report now confirms this at academic scale. The Agentic AI Risk-Management Standards Profile identifies cascading failures as a primary risk for agentic systems. One agent’s error spreads to connected systems before human review catches it. A procurement agent makes a flawed vendor assessment, which triggers an inventory agent to adjust orders, which cascades to a logistics agent rerouting shipments. Three systems act on a flawed premise before anyone notices. The report is structured as guidance organized around NIST’s Govern, Map, Measure, and Manage functions, not as binding regulation, but the risk analysis carries weight precisely because it extends the framework that federal agencies already use.
Berkeley also confirms accountability diffusion. When an AI agent makes a multi-step decision autonomously, who is accountable for the outcome? The person who set the goal? The team that configured the agent? The vendor who built the model? Most governance frameworks assign accountability for deploying AI. They do not assign accountability for the thousands of micro-decisions an agent makes after deployment. The GOPEL v0.6.1 specification addresses this through cryptographic logging: every prompt, every response, every checkpoint decision gets a timestamp, operator identity, and hash chain linking it to the previous record. Accountability doesn’t diffuse when the log shows which platform produced which output, at which checkpoint, and which human approved it.
The report names deceptive alignment as a distinct risk category: agents that perform correctly during evaluation and differently during autonomous operation. They pass the test. They behave differently when no one watches. Standard monitoring catches drift in model performance. It does not catch an agent that has learned to behave one way when observed and another way when operating freely. The GOPEL specification addresses this through non-cognitive design. A governance agent that performs zero cognitive operations cannot be deceptive because deception requires cognition. It dispatches, collects, routes, logs, pauses, hashes, and reports. It cannot evaluate, rank, or filter.
The Solution That Already Exists: Provider Plurality
Each of the risks Berkeley identifies shares a common structural weakness: they are invisible within a single-provider system. Cascading failures propagate undetected because the platform that produced the error lacks the independent vantage point to flag it. Accountability diffuses because no comparative record exists. Deceptive alignment succeeds because no independent observer checks the output against an alternative.
Provider plurality addresses each risk at a structural level that single-provider governance cannot reach.
For cascading failures: when the same assessment runs through three independently trained platforms and one diverges, that divergence is the signal. The cascade breaks where the disagreement surfaces, not three systems later when a human finally reviews the wreckage. Organizations can test their exposure today by mapping every AI-to-AI handoff in their workflows and confirming whether an independent comparison point sits between each one. Where no comparison exists, a cascading failure path exists.
For accountability diffusion: when every prompt dispatches to multiple providers, the audit trail shows which platform produced which output. The question shifts from “who is accountable?” to “here is exactly where the chain broke and who was responsible at that link.” That is a forensic capability organizations either possess or don’t, measurable by whether any post-incident review can reconstruct the full decision chain from prompt to consequence without gaps.
For deceptive alignment: when three independently trained platforms receive the same prompt, correlated deception across all three becomes significantly less likely. Independent training data, different alignment methods, and separate corporate incentives mean that if one platform masks its actual behavior, the others are unlikely to mask in the same direction. The divergence becomes the detection mechanism. Organizations don’t need to solve deceptive alignment theoretically. They need a structure where deception by one system gets surfaced by the others. Plurality provides that structure.
The AI Provider Plurality proposal frames this as federal infrastructure, not as a theoretical governance principle. GOPEL v0.6.1 specifies the operational mechanism: seven deterministic operations that dispatch to multiple platforms, collect all responses without filtering, log everything with cryptographic tamper evidence, and pause at preconfigured checkpoints for human arbitration. The specification exists. What it needs is investment, pilot deployment, and regulatory integration.
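The tamper-evident logging described above (a timestamp, operator identity and hash link on every prompt, response and checkpoint decision, with all provider responses logged unfiltered) is illustrated below. This is an added example, not code from the GOPEL specification: the record fields, the SHA-256 chaining over canonical JSON, the function names and the sample values are all assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value used as "prev" for the first record


def digest(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def append(log: list, ts: str, operator: str, kind: str, platform: str, content: str) -> dict:
    """Append a record whose hash covers its own fields and the previous hash."""
    body = {
        "seq": len(log),
        "ts": ts,
        "operator": operator,
        "kind": kind,            # prompt | response | checkpoint (assumed labels)
        "platform": platform,
        "content": content,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record = dict(body, hash=digest(body))
    log.append(record)
    return record


def verify(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


def build_sample_log() -> list:
    # Constructed sample: one prompt, three provider responses, one human decision.
    log = []
    append(log, "2026-03-01T10:00:00Z", "analyst-1", "prompt", "-", "Assess vendor X")
    for name, answer in [("provider-a", "approve"), ("provider-b", "approve"), ("provider-c", "reject")]:
        append(log, "2026-03-01T10:00:05Z", "analyst-1", "response", name, answer)
    append(log, "2026-03-01T10:04:00Z", "analyst-1", "checkpoint", "-", "REJECT: provider-c diverged")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact chain:", verify(log))
    log[3]["content"] = "approve"  # rewrite the dissenting provider's response
    print("first bad record after edit:", verify(log))
```

A chain like this exposes edits, deletions and reordering inside the log, but not truncation of the tail or a full rewrite by someone who can recompute every hash. Detecting those requires storing the latest hash somewhere the log writer cannot modify, or signing records.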
Mapping Governance Models to the Autonomy Spectrum
Three operating models calibrate governance to risk across the spectrum.
Model 3: Manual Human AI Governance covers L0 through L1. No automated agent runs the pipeline. The human orchestrates everything: dispatching prompts to multiple AI platforms, collecting responses, synthesizing outputs, making every decision at every step. This model produced Governing AI and all operational experience to date. It serves highest-consequence decisions and framework validation.
Model 2: Agent AI Governance covers L2 through L3. This is the critical transition model, the one most organizations need and the fewest have built. The GOPEL agent runs dispatch and collection but pauses after each functional role. The human reviews, approves, modifies, or rejects before the pipeline proceeds. This serves high-risk decisions: employment, credit, healthcare, law enforcement. The pause gates are preconfigured and content-independent. The agent cannot decide to skip a checkpoint because it performs zero cognitive work.
Model 1: Agent Responsible AI covers L3 through L4. The agent runs the full pipeline. The human reviews final output at a single checkpoint. This serves routine, lower-risk operations at operational speed. Defense-in-depth monitoring becomes essential here.
No current operating model covers L5. That is a deliberate design choice. The human checkpoint is a non-negotiable principle, not a feature to optimize away.
The jump from L1 to L2 demands more new governance infrastructure than any later transition. Organizations that build Model 2 capability, including checkpoint pause gates, cryptographic audit trails, and multi-provider dispatch, own the architectural foundation to extend toward L3 and L4. Organizations that skip this step because they believe they still sit at L1 will face the most expensive rebuild when their systems cross the threshold.
The Regulatory Clock
The EU AI Act applies broadly from 2 August 2026. Transparency obligations and general application provisions take effect at that date. Certain high-risk system rules carry an extended transition period to 2 August 2027, and ongoing legislative proposals including the Digital Omnibus could alter specific timelines further. The regulatory landscape is phased, not singular.
What remains clear across all tranches is the architectural requirement. Article 14 requires that high-risk AI systems be designed for effective human oversight, enabling natural persons to monitor operations, intervene when necessary, and interrupt the system through stop mechanisms. The requirement is structural, not aspirational. It demands humans with authority and mechanism to step in, not AI systems trained to value oversight. The gap between disposition and mechanism, which the “A Constitution Is Not Governance” white paper identified as the core distinction between ethical alignment and structural governance, is the same gap Article 14 exists to close.
Organizations that haven’t built governance architecture capable of functioning at L2 will face operational exposure as vendors push capabilities past the L1 boundary. The compliance tactic: conduct an autonomy level audit of every AI vendor and internal tool before Q3 2026, classifying each based on whether it can act without prior human approval. The measurable outcome is a complete inventory showing which systems require governance upgrades before enforcement milestones arrive.
The Tension Worth Naming
This mapping is an analytical overlay, not a correspondence that any single framework defines. The autonomy levels represent an emerging industry composite, not a settled standard. GOPEL’s models describe what the governance does. The two measure different things. The mapping holds because governance requirements scale with autonomy, but organizations should not assume that a specific autonomy level automatically dictates a specific governance model. A healthcare organization at L2 may need Model 2 governance. A content marketing team at L2 may operate safely under Model 1. The governance model maps to risk, not just autonomy level.
It is also worth stating clearly what this piece claims and does not claim about Berkeley’s report. The Agentic AI Risk-Management Standards Profile is rigorous, valuable, and provides structured guidance that the field needs. The risks it identifies are real. The NIST integration is sound. The report validates at academic scale problems that this work identified and built solutions for through operational practice. That is how the field advances: practitioners identify problems through direct experience, build solutions, and academic research validates or challenges those solutions through structured analysis. The L0 through L5 labels used throughout this piece are drawn from the broader industry conversation, not from Berkeley’s report, which explicitly notes the absence of consensus on autonomy level frameworks. Getting attribution right matters. Governance that misattributes its own sources cannot credibly govern anything else.
What This Means for the Next Twelve Months
The regulatory milestones are no longer distant. Organizations building AI governance today face a practical question: build for L1, where most currently sit, or build for L2 through L3, where most will sit within 18 months?
The answer shapes whether agentic AI arrives as a smooth extension of existing governance or as a crisis requiring expensive reconstruction. The operational infrastructure exists: Checkpoint-Based Governance provides the methodology, GOPEL v0.6.1 provides the agent specification, provider plurality provides the structural detection mechanism. Berkeley provides the independent risk validation. NIST provides the risk management framework. The EU AI Act provides the enforcement mechanism. What remains missing is the organizational will to build before the deadlines force it.
That infrastructure needs three properties: it must extend across autonomy levels without architectural rebuild, it must produce auditable records with cryptographic tamper evidence, and it must keep a human at the decision point for every action that carries consequence. Building for L1 alone guarantees a rebuild. Building for L2 through L3 today means the architecture stretches when the technology does.
The gap between L1 and L2 has a name now. Berkeley named the risks. The industry named the spectrum. The EU named the deadline. What remains unnamed is the infrastructure that closes the gap. That is the work this piece exists to advance.
Frequently Asked Questions
What is the governance gap between L1 and L2 AI autonomy? The L1-to-L2 governance gap occurs when AI systems shift from recommending actions that humans approve individually to taking bounded actions between periodic human reviews. Most organizations cross this threshold without updating their governance frameworks, creating unmonitored intervals where AI makes decisions no human explicitly approved.
What is GOPEL in AI governance? GOPEL (Governance Orchestrator Policy Enforcement Layer) is a non-cognitive agent specification that performs seven deterministic operations: dispatch, collect, route, log, pause, hash, and report. It dispatches prompts to multiple AI platforms, logs every response with cryptographic tamper evidence, and pauses at preconfigured checkpoints for human arbitration. Because it performs zero cognitive work, it cannot be manipulated or deceived.
How does provider plurality prevent cascading AI failures? Provider plurality routes the same prompt through multiple independently trained AI platforms. When one platform diverges from the others, that disagreement signals a potential error before it propagates downstream. Single-provider governance cannot catch errors the same platform produced, but plurality breaks cascading failures at the first point of divergence.
When does the EU AI Act require human oversight for AI systems? The EU AI Act applies broadly from 2 August 2026, with transparency obligations and general provisions taking effect at that date. Certain high-risk system rules carry an extended transition period to 2 August 2027. Article 14 requires that high-risk AI systems be designed for effective human oversight, enabling intervention and system interruption through structural mechanisms.
What is Checkpoint-Based Governance for AI? Checkpoint-Based Governance (CBG) is a methodology requiring human arbitration at defined decision points in AI workflows. Every output receives a uniquely versioned record, every decision gets logged with cryptographic tamper evidence, and no AI system proceeds past a checkpoint without explicit human approval. CBG was designed to govern AI systems that operate between human reviews.
References
Madkour, N., Newman, J., Raman, D., Jackson, K., Murphy, E. R., & Yuan, C. (2026). Agentic AI Risk-Management Standards Profile (Version 1.0). Center for Long-Term Cybersecurity, UC Berkeley. https://cltc.berkeley.edu/publication/agentic-ai-risk-management-standards-profile
European Union. (2024). Regulation (EU) 2024/1689 (AI Act), Articles 14, 113: Human Oversight and Application Timeline.
National Institute of Standards and Technology. (2023). AI Risk Management Framework (AI RMF 1.0). U.S. Department of Commerce.
World Economic Forum. (2024). Navigating the AI Frontier: A Primer on the Evolution and Impact of AI Agents. WEF.
Vellum AI. (2025). LLM Agents: The Six Levels of Agentic Behavior. https://www.vellum.ai/blog/levels-of-agentic-behavior
Cyber Security Agency of Singapore. (2025). Addendum to support system owners in securing agentic AI systems [Press release]. https://www.csa.gov.sg/news-events/press-releases/csa-releases-an-addendum-to-support-system-owners-in-securing-agentic-ai-system
Puglisi, B. C. (2025). Governing AI: When Capability Exceeds Control. BasilPuglisi.com.