Every conversation about agentic AI eventually arrives at the same wall. Someone in the room asks: “But who is responsible when it gets it wrong?” And the room goes quiet.
That question is not going away. Grant Thornton's 2026 AI Impact Survey found that 78% of business executives lack strong confidence that they could pass an independent AI governance audit within 90 days and that most organizations deploying AI cannot show how decisions are made or who is accountable for the outcome. The gap is not technical. It is structural. Organizations are deploying AI agents without first answering the most basic governance question: which decisions should AI be making in the first place?
This question deserves a proper framework: a practical classification model that any executive team can apply in a leadership meeting.
Why the Current Approach Is Not Working
Most organizations approach AI decision-making as a binary: either AI does it, or a human does it. That framing is too strict to be useful. It produces either excessive caution, where AI is kept in an advisory role long past the point where it could be trusted to act, or excessive speed, where agents are executing decisions that carry consequences nobody has thought through.
The Zoox robotaxi incident in April 2025 is instructive. A driverless vehicle misjudged an approaching vehicle, braked too late, and sideswiped it at 43 miles per hour on the Las Vegas Strip. Amazon issued a software recall on 270 autonomous vehicles and suspended operations. The crash was minor, but it sent a clear message: when AI systems fail, responsibility shifts rapidly from programmers to corporate leadership to regulators.
The lesson is not that autonomous AI is dangerous. It is that nobody had clearly defined the boundaries of what that system was authorized to decide on its own and what required a different level of scrutiny.
AI governance fails most often for one reason: nobody is clearly accountable. The following framework can help fix that, as it is a simple, straightforward way of thinking about balancing shared and individual accountability.
The Three Categories of AI Decision Delegation
Every decision your organization makes, or could make with AI assistance, falls into one of three categories. Governance follows by placing each decision in the right box and building the operating model around that classification.
Category 1: Decisions AI should own fully
These are decisions that are high volume, rule-based, data-rich, and time-sensitive, and where the cost of a wrong decision is low and reversible, meaning nothing that is life-threatening. The value of full AI autonomy here is speed and consistency. Human review here may actually create a bottleneck without adding any meaningful protection.
Some examples where this applies:
- fraud transaction blocking in real-time payments
- dynamic pricing adjustments within pre-approved bands
- IT incident ticket routing and prioritization
- inventory reorder triggers in logistics
- cybersecurity alert triage and initial response
- and appointment scheduling optimization in healthcare administration.
The governing principle for Category 1 is not whether to delegate, but how to define the boundaries precisely. Every Category 1 decision needs a defined scope, a defined exception trigger, and an audit log. Within those parameters, the agent should act without waiting for human approval.
Category 2: Decisions AI should inform but humans execute
These are decisions where AI can process far more relevant data than a human can in the available time, but where the consequences of error are significant enough that a named human should make the final call.
AI’s role is to be an assistant that compresses the decision space, surfaces the relevant factors, and provides a recommendation. The human’s role is to validate, contextualize, and own the outcome.
Examples are:
- credit approval above defined thresholds
- employee performance assessments
- supplier contract negotiations
- medical treatment recommendations
- and customer intervention decisions above a certain revenue value.
Business leaders in this area must take responsibility for the use of AI and the decision-making process. Escalation paths must exist for high-risk or high-impact use cases, and AI must align with organizational values and risk appetite.
Category 2 is where most of the governance investment should go, because it is also where most of the misclassification happens. Organizations frequently slide Category 2 decisions into Category 1 as confidence in the AI grows, without formally reassessing the risk profile. That slide is where incidents happen.
Category 3: Decisions that must stay with humans regardless of AI capability
These are decisions where the stakes involve irreversible consequences, legal liability, ethical judgment, or human dignity. No level of AI accuracy justifies removing human ownership from these decisions. The reason is not that AI cannot perform well on them in controlled conditions. It is that when something goes wrong, and eventually something will, the absence of a human decision-maker creates accountability gaps that no organization can survive on a legal, reputational, or ethical level.
Examples:
- termination of employment
- denial of medical treatment
- sentencing recommendations in legal proceedings
- decisions involving life-safety systems
- and any decision that permanently affects a person’s rights, access, or safety.
According to The Conversation, a bill introduced in the U.S. House of Representatives in early 2025 proposed allowing AI systems to prescribe medications autonomously. This triggered a debate among health personnel and lawmakers about whether such prescribing would even be feasible or advisable.
The fact that the capability may exist does not mean the delegation is appropriate. Category 3 is defined not by what AI can do, but by what humans must own.
The Decision Delegation Matrix
Apply this matrix to every AI deployment your organization is running or planning. For each decision the agent makes or influences, place it in one of the three categories using four criteria:
1. Reversibility. Can the decision be undone within 24 hours without significant cost or harm? If yes, Category 1 is possible. If no, you are in Category 2 or 3.
2. Consequence magnitude. Does a wrong decision affect one transaction, one customer, or one system? Or does it affect people’s livelihoods, health, legal standing, or safety? Low magnitude supports Category 1. High magnitude requires Category 2 or 3.
3. Explainability requirement. Does this decision need to be explained to a regulator, a customer, or a court? If the answer is yes and the AI cannot generate a human-readable explanation of its reasoning, it belongs in Category 2 at minimum.
4. Ethical or legal exposure. Does the decision involve protected characteristics, contractual obligations, or personal rights? If yes, it is Category 3 regardless of the other criteria.
What This Means for Your Leadership Team
Most organizations are not yet permitting fully autonomous AI decision-making: only 5% allow agents to execute high-stakes decisions without human review, and 60% limit agents to moderate-risk tasks, according to this study by Grant Thornton. The instinct is right. The problem is that the limits are often set by instinct rather than by a structured classification, which means they shift depending on who is in the room and what pressure the business is under.
The CIO’s job is to make the classification explicit, documented, and defensible. That means sitting down with legal, risk, and business leadership and running every active or planned AI agent through the four criteria above. It means assigning a named human owner to every Category 2 decision. And it means creating a formal review process for any proposal to reclassify a decision from Category 2 to Category 1.
This connects directly to the governance framework I laid out in my earlier piece on why agentic AI is stalling in Swiss enterprises. The five-level autonomy model works in parallel with this decision classification matrix. The autonomy level tells you how independently the agent acts. The decision category tells you whether it should act independently at all.
The two frameworks used together give you something most organizations currently lack: a complete governance picture that is practical enough to apply today and robust enough to hold up when something goes wrong.
If these questions are live in your organization right now, they connect to broader themes I explore in Life in the Digital Bubble, including how technology is reshaping accountability, trust, and leadership responsibility at every level. More perspectives on AI governance and digital leadership are available across the Insights section of this site.