The agentic wave no longer just suggests — it orchestrates workflows, executes actions, and makes decisions within critical transactional systems.
If data must be governed, the processes that produce and consume them must be as well — with the same rigor, traceability, and accountability.
HITL — Human in the Loop — becomes the only real point of accountability in an agentic workflow. Without governance, this point becomes the point of failure.
Data is produced, transformed, and consumed by processes. Governing data without governing the processes that produce it means treating symptoms while ignoring causes. With agentic AI, this gap becomes critical.
A poorly designed KYC process generates incorrect customer data, regardless of the quality of the downstream storage system. Poor data quality almost always has a process root cause: uncontrolled manual entry, bypassed validation steps, undocumented business rules. Governing data without governing the process is like filtering water without fixing the plumbing.
When an AI agent executes an action in a system — creating a ticket, modifying a configuration, sending a notification — the question "who is accountable?" can only be answered through a formalized process. Without a clear process RACI, accountability is nowhere. With agentic AI, this absence becomes a documented regulatory risk (DORA Art. 5.2, EU AI Act Art. 9).
An AI agent without a documented process determines its own action boundaries — which is precisely what a governance framework seeks to prevent. The formalized and business-validated process is the only legitimate foundation for an agent policy: it defines what the agent can do, how far it can decide alone, and at what point it must await human validation.
The production unit is evolving toward human-agent fleet pairs. SAFe, Scrum, and squad frameworks need to be rethought when most time is spent on supervision rather than production. Process governance precedes agent governance — it is its necessary condition.
Processes that create, transform, or delete critical data: customer onboarding (KYC), billing, financial reporting, risk collection. These processes must be governed with an identified Process Owner, documented quality rules at each step, and a traceable process-to-data lineage. Data governance and data process governance are inseparable.
Processes partially or fully executed by AI agents: support request handling, IT deployment pipelines, automated risk analysis, data reconciliation. These processes require an Agent Catalog, a documented Agent Policy, defined guardrails, and explicitly positioned HITL checkpoints.
Processes where human and agent share steps based on complexity and risk: credit underwriting, major incident management, regulatory processes. These are the most complex to govern because the accountability boundary is fluid. AI-augmented BPMN (see P.05) is the appropriate formalization tool.
Any process partially or fully executed by an AI agent must be: documented (BPMN or equivalent), validated by the business Process Owner, associated with an agent policy (scope, authorized tools, HITL checkpoints), auditable (logs, decision traces), and reversible (documented rollback procedure). These 5 attributes are non-negotiable for critical processes — they are mandated by DORA and the EU AI Act.
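One way to enforce an agent policy and the five attributes at run time, added here as an example and not taken from the module: a deny-by-default gate that refuses to act for an ungoverned process, holds HITL-gated tools until a human approves, and logs every decision. The class, field and tool names are hypothetical, and the sample policy is constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AgentPolicy:
    """Hypothetical policy record; field names are assumptions of this example."""
    process_id: str
    documented: bool               # BPMN or equivalent exists
    process_owner: str             # business Process Owner who validated it
    authorized_tools: frozenset    # scope: the only tools the agent may call
    hitl_tools: frozenset          # tools that wait for human validation
    rollback_procedure: str        # reference to the documented rollback

    def missing_attributes(self):
        checks = {
            "documented": self.documented,
            "validated": bool(self.process_owner),
            "agent_policy": bool(self.authorized_tools)
                            and self.hitl_tools <= self.authorized_tools,
            "reversible": bool(self.rollback_procedure),
        }
        return [name for name, ok in checks.items() if not ok]

@dataclass
class PolicyGate:
    policy: AgentPolicy
    audit_log: list = field(default_factory=list)  # auditable: every decision traced

    def authorize(self, agent_id, tool, approved_by=None):
        missing = self.policy.missing_attributes()
        if missing:                                     # ungoverned process: deny all
            decision = "deny:ungoverned_process:" + ",".join(missing)
        elif tool not in self.policy.authorized_tools:  # deny by default
            decision = "deny:tool_out_of_scope"
        elif tool in self.policy.hitl_tools and not approved_by:
            decision = "pending:hitl_required"          # agent must await a human
        else:
            decision = "allow"
        self.audit_log.append({"process": self.policy.process_id, "agent": agent_id,
                               "tool": tool, "approved_by": approved_by,
                               "decision": decision})
        return decision

# Constructed sample: a support-request process with one HITL checkpoint.
SAMPLE_POLICY = AgentPolicy(
    process_id="support-request-handling", documented=True,
    process_owner="support-process-owner",
    authorized_tools=frozenset({"create_ticket", "send_notification", "modify_configuration"}),
    hitl_tools=frozenset({"modify_configuration"}),
    rollback_procedure="runbook-placeholder")
```

Denied and pending decisions are logged alongside allowed ones, so the trace shows what the agent attempted as well as what it did.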