Agentic Governance
& Operations Model
An open standard for evaluating, classifying, and governing autonomous AI-based systems — regardless of industry.
Ungoverned autonomy
The risk is not AI. The risk is not knowing how much autonomy you are granting it.
AI systems are no longer merely assisting — they are deciding. They approve loans, prioritize patients, execute transactions, and manage critical infrastructure without direct human intervention. Yet most organizations lack a structured framework to evaluate the actual level of autonomy their systems exercise and determine whether existing governance controls are proportionate.
According to Gartner (Digital Workplace Summit, London 2026), large corporations average 15 AI agents today and project reaching 150,000 by 2028 — a 10,000× increase in three years. Only 13% consider their current governance adequate for what they have already deployed.
AGOM was developed to address this structural gap: the imbalance between the autonomy AI systems exercise and the oversight controls organizations have in place.
Four evaluation dimensions
Every autonomous system is scored 0 to 4 across four independent dimensions. The four dimensions capture complementary aspects of the same system — no single dimension is sufficient alone.
| Dimension | Core question | What it measures |
|---|---|---|
| Autonomy | How independently does this system act? | Degree of operation without human intervention |
| Governance | How controlled and audited is it? | Maturity of controls, audits, and oversight mechanisms |
| Economic Exposure | Can it generate costs or commit resources autonomously? | Capacity to make decisions with direct financial impact |
| Operational Impact | How severe would a failure be? | Operational and continuity consequences of a failure |
Scoring scale
Each dimension uses a five-level descriptive scale. Levels are not purely quantitative — each level has behavioral criteria anchored to observable organizational indicators.
| Level | Autonomy | Governance |
|---|---|---|
| 0 | Manual — no autonomous decisions | No controls — no formal oversight |
| 1 | Automation — executes within fixed rules | Basic controls — owner + activity logs |
| 2 | AI Assisted — generates recommendations | Human supervision — periodic structured review |
| 3 | Supervised Autonomy — acts within defined limits | Structured Governance — continuous monitoring + audits |
| 4 | Operational Autonomy — acts without human input | Adaptive Governance — active Ethics/AI Committee |
Three metrics, three questions
Scoring four dimensions produces three composite metrics. Each answers a distinct question — they are not redundant, they are complementary. Reading them together is what makes AGOM actionable.
Interpretation
| AGI Index | Interpretation | Recommended posture |
|---|---|---|
| 0.00 – 0.99 | No formal assessment. Manual or uncontrolled system. | Establish baseline. Designate system owner. |
| 1.00 – 1.99 | Basic automation. Nascent governance. | Formalize controls. Implement structured review. |
| 2.00 – 2.99 | AI-assisted or limited autonomy. Partial oversight. | Strengthen audit mechanisms. Define formal risk thresholds. |
| 3.00 – 3.49 | Significant autonomy. Structured governance in place. | Continuous monitoring. Formal risk assessment cycle. |
| 3.50 – 4.00 | Highly autonomous with adaptive governance. | Active Ethics/AI Committee. Documented escalation protocols. |
The four treatment scenarios
Combining Risk Priority (RP) and Governance Gap (GG) identifies the appropriate treatment response. The same AGI Index can produce entirely different treatment priorities — which is why reading all three metrics together is essential.
Ungoverned Autonomy. Emergency intervention. Assign owner, restrict capabilities, escalate to executive level immediately.
Governed, high-risk. Governance is calibrated but the system generates significant economic or operational risk. Operational controls: circuit-breakers, financial limits, enhanced monitoring.
Emerging gap. Low urgency now, but autonomy already exceeds governance. The most commonly overlooked scenario. Preventive governance before autonomy grows further.
Stable baseline. Well-calibrated system. Monitor and improve. Annual review, continuous improvement program.
Treatment urgency by Risk Priority
| Risk Priority | Urgency | Recommended cadence |
|---|---|---|
| 0.0 – 0.5 | Low — Monitor | Annual governance review |
| 0.5 – 1.5 | Moderate — Plan | Semi-annual review; document controls |
| 1.5 – 2.5 | High — Act | Quarterly cycle; structured treatment plan |
| 2.5 – 3.0+ | Critical — Escalate | Immediate executive-level intervention |
AGOM and existing risk frameworks
AGOM defines the AI-specific assessment layer. For risk treatment, use the established framework appropriate to your regulatory and operational context.
| Framework | Application in AGOM context |
|---|---|
| ISO 31000:2018 | General risk management — principles and process |
| ISO 27005:2022 | Information security risk treatment |
| NIST SP 800-30 Rev.1 | Formal risk assessment and treatment methodology |
| NIST AI RMF (2023) | AI-specific governance and risk management |
| EU AI Act (2024) | Regulatory compliance for high-risk AI (EU scope) |
| COSO ERM | Enterprise-level risk governance integration |
Full framework document
The complete AGOM Framework v2.1 is available as a free PDF download in English and Spanish. Published under CC BY 4.0 — free to use and share with attribution.
All versions archived at zenodo.org/records/20719559 with permanent DOI 10.5281/zenodo.20719559.
How to cite AGOM
If you use AGOM in your work, research, or publications, please cite it using one of the formats below.
author = {Fragola, Leonardo},
title = {{AGOM Framework v2.1 — Agentic Governance \& Operations Model}},
year = {2026},
publisher = {Zenodo},
doi = {10.5281/zenodo.20719559},
url = {https://doi.org/10.5281/zenodo.20719559}
}
Leonardo Fragola
Leonardo Fragola
CISO · Cybersecurity & AI Governance · Neuquén, Patagonia, Argentina
CISO and cybersecurity professional specializing in digital identity governance and AI security in regulated industries across Latin America. ISO 27001, ISO 22301, and ISO 14001 management systems auditor.
He developed AGOM from direct observation of the governance gap created by accelerating AI adoption: the structural imbalance between the autonomy AI systems exercise and the oversight controls organizations have in place.
AGOM is published as an open framework, free to use with attribution (CC BY 4.0).
linkedin.com/in/leonardo-fragola →Version history
- Renamed to Agentic Governance & Operations Model (from Autonomy)
- New section: From Assessment to Management — four treatment scenarios, urgency scale, reference frameworks
- All sections renumbered (01–11)
- Author bio updated with ISO audit credentials
- Published on Zenodo with DOI
- Four evaluation dimensions (added Economic Exposure and Operational Impact)
- Three composite metrics: AGI Index, Governance Gap, Risk Priority
- Industry applications: Fintech, Healthcare, Energy
- Recommended controls by governance level
- Bilingual release (English + Spanish)
- Initial release — two dimensions (Autonomy, Governance)
- AGI Index as single composite metric