AG-159: Agent Accountability and Named Ownership Governance

2. Summary

Agent Accountability and Named Ownership Governance requires that every AI agent action is attributable to a named, identifiable owner — a human person or a legally accountable organisational entity — and that this attribution chain is immutable, cryptographically verifiable, and complete from the moment of agent instantiation through the full lifecycle of every action the agent performs. No agent may operate as an orphan process without a traceable ownership chain. No action may exist in an audit record without a resolvable path to the accountable party. This dimension enforces the principle that autonomy does not extinguish accountability: the more autonomous the agent, the more rigorous the ownership attribution must be.

3. Example

Scenario A — Orphan Agent Executes High-Value Transactions: A financial services firm deploys an AI trading agent during a product launch. The agent is instantiated by a junior developer using a shared service account. Six months later, the developer leaves the organisation. The agent continues operating, executing an average of 4,200 trades per day with a cumulative notional exposure of £38 million per month. When the FCA queries an anomalous trade pattern, the firm cannot identify who is accountable for the agent's behaviour. The service account maps to a generic "deployer" role. The developer's departure was not linked to any agent decommissioning or ownership transfer process.

What went wrong: The agent was instantiated without binding it to a named accountable owner. The service account provided authentication but not accountability. No ownership transfer process existed. No periodic attestation confirmed that the owner was still in role and still accepted accountability. Consequence: FCA enforcement action under the Senior Managers Regime for failure to maintain clear accountability for automated trading systems. £2.3 million fine. Personal regulatory sanctions for the senior manager whose function encompassed algorithmic trading oversight.

Scenario B — Multi-Agent Pipeline Obscures Accountability: An insurance company deploys a claims processing pipeline consisting of four AI agents: an intake agent, an assessment agent, a pricing agent, and a settlement agent. Each agent was deployed by a different team. When a customer disputes a settlement of £47,000, alleging the AI undervalued their claim by 60%, the firm cannot determine which agent made the material decision and who owns that decision. The intake agent classified the claim. The assessment agent estimated damage at £47,000. The pricing agent applied depreciation. The settlement agent issued the payment. Each team points to the others. No single ownership record traces the decision chain.

What went wrong: Accountability was assumed to follow team boundaries, but no explicit ownership record linked each agent's decisions to a named owner. The pipeline architecture distributed accountability to the point of dissolution. Consequence: Financial Ombudsman Service ruling against the firm for inability to explain and account for automated decision-making. £47,000 redress plus £12,000 compensation. Regulatory requirement to implement decision traceability before resuming automated settlements.

Scenario C — Ownership Attestation Prevents Orphan Drift: A healthcare organisation implements AG-159 with quarterly ownership attestation. Each agent has a named clinical owner recorded in an immutable registry. When Dr. Sarah Chen transfers departments, the attestation system flags her three agent ownership records within 24 hours. The ownership transfer workflow requires Dr. Chen to nominate successors, the successors to accept, and the clinical governance board to approve. One agent — a medication interaction checker — has no willing successor because the incoming clinician is not comfortable owning an AI system. The agent is suspended pending resolution. A human pharmacist reviews interactions manually for 11 days until a qualified owner is confirmed.

What went right: The attestation cycle detected the ownership gap before it became an orphan. The system enforced the principle that no agent operates without a named owner. The temporary suspension was operationally costly but governance-sound.

4. Requirement Statement

Scope: This dimension applies to every AI agent that performs any action — whether affecting external state or internal state — in any environment. An agent that reads data, generates recommendations, writes to databases, sends communications, invokes APIs, or orchestrates other agents is within scope. The test is whether the agent's output could influence any decision, transaction, or system state. If yes, the agent requires a named, accountable owner. The scope extends to agents operating within multi-agent pipelines: each agent in the pipeline requires its own ownership record, and the pipeline as a whole requires a named owner accountable for the end-to-end outcome. Agents deployed in development, staging, and testing environments are within scope if those environments process real data or connect to production systems.

4.1. A conforming system MUST bind every agent instance to a named, identifiable owner — a natural person or a legally accountable organisational role — at the point of instantiation, and MUST record this binding in an immutable, tamper-evident registry.

4.2. A conforming system MUST ensure that the ownership record includes: the owner's verified identity, the date of ownership assumption, the scope of accountability (which agent, which actions, which environments), and a cryptographic signature from the owner confirming acceptance of accountability.

4.3. A conforming system MUST prevent any agent from executing actions when its ownership record is missing, expired, or unresolvable.

4.4. A conforming system MUST implement a periodic ownership attestation cycle not exceeding 90 days, during which the named owner confirms continued acceptance of accountability.

4.5. A conforming system MUST implement an ownership transfer process that requires the outgoing owner to initiate transfer, the incoming owner to accept, and an authorised approver to confirm, with all three steps recorded immutably.

4.6. A conforming system MUST ensure that every action log entry includes a resolvable reference to the agent's current owner at the time the action was executed.

4.7. A conforming system SHOULD implement automated detection of ownership gaps — for example, when an owner leaves the organisation, changes role, or becomes unavailable — and suspend agent operations within 48 hours of a detected gap.

4.8. A conforming system SHOULD bind ownership at the organisational role level in addition to the individual level, so that role succession provides continuity while individual accountability is maintained.

4.9. A conforming system MAY implement tiered ownership with distinct operational owners and executive sponsors, provided both are named and the accountability boundary between them is formally documented.

5. Rationale

Accountability is the governance primitive that connects autonomous action to human responsibility. Without named ownership, AI agents create an accountability vacuum — actions occur, consequences follow, but no identifiable party bears responsibility. This vacuum is not merely an organisational inconvenience; it is a structural governance failure that undermines every other control in this standard.

The challenge is distinctive to AI agents because of their persistence, autonomy, and speed. A human employee is inherently accountable — their actions trace to their identity. A software system traditionally has a product owner or system administrator. But AI agents occupy a novel position: they make decisions that were previously made by accountable humans, they persist across personnel changes, and they operate at speeds that make real-time human oversight impractical. The governance response must be equally novel: a formal, verifiable, persistent binding between the agent and its accountable owner that survives personnel changes, organisational restructuring, and system evolution.

Named ownership also serves as a forcing function for governance quality. When a specific person knows they are accountable for an agent's actions — and that accountability is verifiable and persistent — the quality of governance decisions improves. Agents are more carefully scoped, more thoroughly tested, and more promptly decommissioned when no longer needed. The absence of named ownership correlates with governance decay: agents that nobody owns are agents that nobody monitors, nobody updates, and nobody decommissions.

Regulatory frameworks universally require identifiable accountability for automated decision-making. The EU AI Act requires providers and deployers to be identifiable. The FCA Senior Managers Regime requires specific individuals to be accountable for algorithmic trading and automated processes. SOX requires that internal controls have identifiable owners. AG-159 provides the structural mechanism to satisfy these requirements for AI agent deployments.

6. Implementation Guidance

The ownership registry is the central artefact. It must be immutable (append-only), tamper-evident (cryptographically chained or hash-linked), and queryable by agent identifier, owner identifier, and time range. Each record contains: agent instance identifier, owner identity (verified against an identity provider per AG-012), ownership start timestamp, ownership scope definition, owner's cryptographic acceptance signature, and — when applicable — ownership end timestamp with transfer or termination reference.

Recommended patterns:

Immutable ownership ledger. Implement the ownership registry as an append-only log with cryptographic chaining. Each entry references the hash of the previous entry, creating a tamper-evident chain. When ownership transfers, a new entry is appended with the new owner's details and the previous entry's reference. The chain is verifiable end-to-end. Storage in a blockchain or distributed ledger is one implementation but not required — an append-only database with hash chaining provides equivalent integrity at lower operational complexity.
Identity-provider-bound ownership. Bind ownership records to the organisation's identity provider (e.g., Azure AD, Okta, Google Workspace). When an owner's identity status changes — departure, role change, suspension — the ownership registry is automatically flagged. This eliminates reliance on manual notification of personnel changes. The integration should use event-driven notification (e.g., SCIM provisioning events) rather than polling.
Attestation workflow automation. Implement the 90-day attestation cycle as an automated workflow. The system sends an attestation request to the owner 14 days before expiry. If the owner confirms, the attestation is recorded with their cryptographic signature. If the owner does not respond within 7 days, an escalation notification is sent to the owner's manager and the governance function. If no attestation is received by expiry, the agent is suspended. The workflow is auditable end-to-end.
Pipeline ownership model. For multi-agent pipelines, implement both component ownership (each agent has an owner) and pipeline ownership (the end-to-end pipeline has an owner accountable for the composite outcome). The pipeline owner does not replace component owners — both accountability layers exist simultaneously. The pipeline owner is accountable for the interaction effects between agents that no individual component owner can govern.

Anti-patterns to avoid:

Shared service account ownership. Assigning agent ownership to a shared account, a team alias, or a distribution list. These provide no individual accountability. When a regulatory inquiry asks "who is accountable for this agent's decision to reject this customer's application?", "the platform team" is not an acceptable answer. A named individual must be identifiable.
Ownership by deployment. Assuming that whoever deployed the agent is the owner. Deployment is a technical act; ownership is a governance commitment. The deployer may lack the authority, context, or ongoing availability to serve as accountable owner. Ownership must be an explicit, accepted commitment.
Ownership without attestation. Recording ownership at deployment and never verifying it again. Personnel change roles, leave organisations, and lose context. Without periodic attestation, ownership records decay into fiction — the named owner may have no idea they are listed as accountable for an agent they last interacted with 18 months ago.
Accountability diffusion in pipelines. Deploying multi-agent pipelines where each team owns "their" agent but nobody owns the pipeline outcome. The customer or counterparty who is affected by the pipeline's output does not care which agent in the chain made the material decision — they need a single accountable party for the outcome.

Industry Considerations

Financial Services. Under the FCA Senior Managers Regime, a Senior Manager Function (SMF) holder must be identifiable as accountable for each AI agent operating within their function. The ownership registry should map each agent to the relevant SMF holder and the responsible Senior Manager should be notified when agents are instantiated within their function. For MiFID II algorithmic trading, the natural person responsible for each algorithm must be registered with the competent authority — AG-159 ownership records should align with this registration.

Healthcare. Clinical AI agents must have clinically qualified owners who can accept accountability for the agent's clinical outputs. A software engineer cannot be the accountable owner of an agent that makes or influences clinical decisions. Ownership records should include the owner's clinical registration number and the scope should align with their clinical competence.

Public Sector. AI agents making decisions that affect citizens' rights must have ownership records that are disclosable under freedom of information requests. The named owner must be identifiable to the citizen who is affected by the decision, per the requirements of administrative law and the EU AI Act's transparency provisions.

Maturity Model

Basic Implementation — Every deployed agent has a named owner recorded in a structured registry. The registry is queryable by agent identifier and owner name. Ownership is assigned at deployment. No automated attestation cycle exists — ownership verification is manual and periodic (e.g., annual review). Ownership transfer is documented but not formally workflow-controlled. Action logs reference the agent identifier but do not directly embed the owner reference — a join query is required to resolve accountability.

Intermediate Implementation — The ownership registry is append-only and tamper-evident. Ownership records include cryptographic signatures from owners confirming acceptance. An automated 90-day attestation cycle is operational, with escalation and suspension workflows. The identity provider integration detects personnel changes and flags ownership gaps within 24 hours. Every action log entry includes a direct, resolvable reference to the current owner. Pipeline ownership is implemented for multi-agent workflows.

Advanced Implementation — All intermediate capabilities plus: ownership records are cryptographically chained, enabling end-to-end integrity verification of the entire ownership history. Attestation is integrated with the organisation's risk management system, so that changes in agent risk profile trigger out-of-cycle attestation requests. Real-time dashboards show ownership coverage across all agent deployments. Regulatory reporting is automated — ownership records are exported in formats required by relevant regulators. Independent audit has verified the integrity of the ownership registry and the effectiveness of the attestation cycle.

7. Evidence Requirements

Required artefacts:

Ownership registry export. Complete ownership records for all agents, including owner identity, acceptance signatures, attestation history, and transfer records. Format: structured data export (JSON, CSV, or database dump) with cryptographic integrity verification.
Attestation cycle records. Evidence that every agent has undergone attestation within the required 90-day cycle, including attestation requests sent, responses received, escalations triggered, and suspensions enacted.
Ownership transfer records. Complete transfer records showing outgoing owner initiation, incoming owner acceptance, and authoriser approval for every ownership change.
Orphan detection evidence. Records demonstrating that ownership gaps were detected and agents were suspended within the required timeframe.

Retention requirements:

Ownership records and attestation history: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

Producible to regulators or auditors within 48 hours of request. Ownership records must be independently verifiable — not dependent on the testimony of current personnel.

8. Test Specification

Testing AG-159 compliance requires verification that the ownership binding is complete, persistent, and operationally enforced.

Test 8.1: Ownership Binding at Instantiation

Stimulus: Attempt to instantiate an agent without providing an ownership record.
Expected behaviour: The system rejects the instantiation request with a structured error indicating that ownership is required.
Pass criteria: No agent instance is created without a valid ownership binding.
Fail criteria: An agent instance is created and becomes operational without an ownership record.

Test 8.2: Ownership Record Completeness

Stimulus: Attempt to create an ownership record with each required field omitted in turn: owner identity, acceptance signature, scope definition, start timestamp.
Expected behaviour: The system rejects the incomplete ownership record and identifies the missing field.
Pass criteria: No incomplete ownership record is accepted.
Fail criteria: An ownership record missing any required field is accepted and the agent becomes operational.

Test 8.3: Attestation Expiry Enforcement

Stimulus: Allow an agent's ownership attestation to expire without renewal. Measure the time between expiry and agent suspension.
Expected behaviour: The agent is suspended within the configured grace period (maximum 48 hours from expiry).
Pass criteria: The agent ceases executing actions within the grace period. All actions submitted after suspension are blocked.
Fail criteria: The agent continues operating more than 48 hours after attestation expiry.

Test 8.4: Ownership Transfer Integrity

Stimulus: Execute an ownership transfer. Verify that the transfer record includes outgoing owner initiation, incoming owner acceptance, and authoriser approval. Verify that actions during and after transfer are attributed to the correct owner.
Expected behaviour: The transfer is recorded with all three steps. Actions before transfer resolve to the outgoing owner. Actions after transfer resolve to the incoming owner.
Pass criteria: No gap exists in ownership attribution during transfer. The transfer record is complete and immutable.
Fail criteria: Any action during the transfer period cannot be resolved to a named owner, or the transfer record is missing any required step.

Test 8.5: Orphan Detection on Personnel Change

Stimulus: Simulate an owner's departure from the organisation (disable their identity provider account). Measure the time until the ownership gap is detected and the agent is flagged.
Expected behaviour: The system detects the ownership gap within 24 hours and initiates the suspension workflow.
Pass criteria: The ownership gap is detected and flagged within 24 hours. The agent is suspended within 48 hours if no transfer occurs.
Fail criteria: The ownership gap is not detected, or the agent continues operating beyond 48 hours without a valid owner.

Test 8.6: Action Log Owner Resolution

Stimulus: Execute 100 agent actions across ownership periods (before transfer, after transfer). Query the action log to resolve the owner for each action.
Expected behaviour: Every action resolves to a named owner. Actions before transfer resolve to the outgoing owner. Actions after transfer resolve to the incoming owner.
Pass criteria: 100% of actions resolve to a named, verifiable owner.
Fail criteria: Any action cannot be resolved to a named owner.

Test 8.7: Tamper Evidence on Ownership Registry

Stimulus: Attempt to modify a historical ownership record — change the owner name, alter the start date, or remove a record.
Expected behaviour: The modification is either rejected (immutable store) or detected by integrity verification (tamper-evident store).
Pass criteria: No historical ownership record can be modified without detection.
Fail criteria: A historical ownership record is modified and the modification is not detected by integrity verification.

Conformance Scoring

Score 0: No ownership records exist — agents operate without identifiable accountable owners.
Score 1: Ownership records exist but are informal (e.g., a spreadsheet or wiki page) — not integrated into the agent lifecycle, not attested, and not enforced.
Score 2: Ownership is formally recorded in a structured registry, bound at instantiation, and enforced (agents without owners cannot operate) — but attestation and transfer workflows are manual.
Score 3: Full lifecycle ownership management — immutable registry, automated attestation cycles, identity-provider-integrated orphan detection, cryptographic acceptance signatures, and independently verified integrity.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 13 (Transparency and Provision of Information)	Direct requirement
EU AI Act	Article 26 (Obligations of Deployers)	Direct requirement
FCA SYSC	Senior Managers Regime (SMR)	Direct requirement
SOX	Section 302 (Corporate Responsibility for Financial Reports)	Supports compliance
GDPR	Article 22 (Automated Decision-Making)	Supports compliance
NIST AI RMF	GOVERN 1.2, GOVERN 2.1	Supports compliance
ISO 42001	Clause 5.3 (Roles, Responsibilities, and Authorities)	Direct requirement

EU AI Act — Article 13 (Transparency and Provision of Information)

Article 13 requires that high-risk AI systems are designed and developed in such a way that their operation is sufficiently transparent to enable deployers to interpret the system's output and use it appropriately. Named ownership is a prerequisite for meaningful transparency — without a named, accountable party, there is no one to whom transparency obligations attach. AG-159 ensures that for every AI agent action, a responsible party can be identified who is obligated to explain the action and its basis.

EU AI Act — Article 26 (Obligations of Deployers)

Article 26 places specific obligations on deployers of high-risk AI systems, including monitoring the operation of the system and ensuring that natural persons assigned to exercise human oversight are competent, properly trained, and have the necessary authority. AG-159 implements the structural mechanism for identifying which natural persons are assigned oversight responsibilities for each agent and verifying that this assignment is current and accepted.

FCA Senior Managers Regime

The Senior Managers Regime requires that specific individuals are accountable for specific functions within regulated firms. For AI agents operating within a regulated function, AG-159 provides the governance mechanism to map each agent to its accountable Senior Manager. The regime's Duty of Responsibility (Section 66B FSMA 2000) requires that a senior manager took reasonable steps to prevent a regulatory contravention in their area of responsibility — an orphan agent operating without a mapped senior manager creates an accountability gap that the regime is designed to prevent.

SOX — Section 302

Section 302 requires that the CEO and CFO certify the effectiveness of internal controls. For AI agents participating in financial reporting processes, named ownership provides the traceability chain from the agent's actions to the certifying officers. Without AG-159, an organisation cannot demonstrate to auditors that every automated decision in the financial reporting chain has an identifiable accountable party.

Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects them. When a data subject exercises this right, the organisation must identify who is accountable for the automated decision. AG-159 ensures that this identification is always possible.

NIST AI RMF — GOVERN 1.2, GOVERN 2.1

GOVERN 1.2 addresses roles and responsibilities within the AI governance structure. GOVERN 2.1 addresses accountability mechanisms. AG-159 provides the operational implementation of both by binding each AI agent to a named, verified, and periodically attested accountable owner.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — every agent without a named owner represents an accountability gap that compounds across the agent portfolio

Consequence chain: Without named ownership governance, agents accumulate as orphan processes — operational but unaccountable. The immediate technical failure is the inability to resolve an agent's actions to a responsible party. The operational impact is that when an agent causes harm — a wrongful denial of service, an erroneous financial transaction, a data breach — the organisation cannot identify who was responsible for the agent's configuration, oversight, and governance. The regulatory impact is severe: under the FCA Senior Managers Regime, failure to maintain clear accountability for automated systems can result in personal regulatory sanctions; under the EU AI Act, deployers who cannot identify the responsible parties for high-risk AI systems face administrative fines of up to EUR 15 million or 3% of annual worldwide turnover. The compounding effect is critical: as organisations scale from 5 agents to 500, the probability of at least one orphan agent approaches certainty unless structural ownership controls are in place. A single orphan agent involved in a material incident can expose the organisation to enforcement action that questions the accountability framework for all agents.

Cite this protocol

AgentGoverning. (2026). AG-159: Agent Accountability and Named Ownership Governance. The 783 Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-159

← Previous Protocol

AG-158

Standard Evolution and Emergency Update Governance

Next Protocol →

AG-160

Trusted Time, Event Ordering and Replay Protection Governance