Ben Okonkwo: Marcus, I want to start with something that I think we're framing wrong — like, industry-wide, not just us.
Marcus Vale: Go.
Ben Okonkwo: Everyone calls this a governance gap — like we just need better rules and we catch up. But the Cisco numbers suggest something more uncomfortable. Eighty-three percent of organizations deploying agentic AI this year, 29% feel prepared. That's not a gap. That's a structural mismatch between deployment speed and institutional capacity. Those don't close at the same rate.
Marcus Vale: Okay, I'd push on that framing slightly — because the AIGN Global data is even more specific. Seventy-two percent of enterprises, no formal oversight model, none documented. And only 9% have what they're calling Agentic Access Management actually in place. That's not slow. That's absent.
Ben Okonkwo: Exactly the distinction I want to draw out — so today we're getting into autonomous agents in critical infrastructure. Water utilities, aviation, maritime, finance, defense. Eight sectors already in scope, and the driving question is really whether the governance problem is even solvable with faster rulemaking, or whether certain deployments are happening that shouldn't be happening yet at all.
Marcus Vale: And the proof that this isn't hypothetical — OpenAI shipped three distinct agent product layers, Workspace Agents, Frontier, Codex infrastructure, all between February and April 2026. Two months. These are not experiments. They're in enterprise production now.
Ben Okonkwo: And the thing that makes agentic AI different from every prior wave — it's not that it's smarter. It's that it perceives an environment, sets a goal, and executes a multi-step task without waiting for a human sign-off. The action lands before anyone can review it, let alone reverse it.
Marcus Vale: Which is why the 81% figure from the explainability data hits differently. Eighty-one percent of organizations can't tell you why their agent made a specific decision. That's not a compliance headache — that's a live liability sitting in production right now.
Ben Okonkwo: And we've outsourced pieces of civilization's operating layer to systems that, structurally, cannot produce an account of themselves. That's where we actually are.
Marcus Vale: But wait — 'structurally cannot produce an account of themselves' is doing a lot of work there. What does that actually mean for, like, a water utility operator?
Ben Okonkwo: Okay, here's the plain version. Imagine you hire a contractor, you give them a key, they show up at 3 a.m., renovate your entire building overnight, and when you ask what they changed and why — they hand you a blank sheet of paper. That's the auditability gap. Not 'we lost the logs.' The paper was always going to be blank.
Marcus Vale: And 76% of enterprises — no audit trail at all. That's the Agentic Access Management number landing in the real world.
Ben Okonkwo: Right — and now layer the legal obligation on top. GDPR, FAA airworthiness rules, maritime law — all of them, architecturally, assume a human made the call and an auditor can reconstruct the reasoning. Autonomous agents don't produce that. Not because companies are cutting corners. Because the system is goal-seeking, not rule-following. There's no decision tree to subpoena.
Marcus Vale: So the compliance obligation is just... structurally impossible to meet.
Ben Okonkwo: With the technology as currently deployed, yes. And the Agentic Access Management piece — AAM — is the specific discipline that's supposed to govern this. What permissions does an agent hold, how do you revoke them mid-workflow, how do you secure agent-to-agent handoffs. Only 9% of enterprises have it formally in place. Which means the other 91% are running on static credentials — built for humans who log in once, not agents that might need permissions granted and revoked four times inside a single task.
Marcus Vale: Static credentials for a system that's dynamically reauthorizing itself every few minutes. That's — yeah, that breaks the whole model.
Ben Okonkwo: And NIST's AI Agent Standards Initiative — launched early 2026 — that's the first formal U.S. acknowledgment this is even a distinct problem. But it launched, I mean, after Workspace Agents, Frontier, Codex were already in production. The acknowledgment arrived after the deployment.
Marcus Vale: So the regulation isn't lagging the technology. It's lagging the shipped product that's already inside the regulated sector. Those are different problems.
Ben Okonkwo: And the gap between acknowledgment and enforcement — that's precisely where Hassabis's FINRA proposal lands, and I want to be honest about what it actually says. July 14, 2026, 'A Framework for Frontier AI and the Dawning of a New Age' — he's calling for an independent body, voluntary pre-release model review, FINRA as the template. And the instinct isn't wrong. But the analogy breaks at the foundation.
Marcus Vale: Because FINRA works because the SEC already has a bat.
Ben Okonkwo: Exactly — and more specifically, FINRA can audit a trade because trades leave reconstructible records. A timestamp, a counterparty, a price. The auditability precondition is baked into the instrument. But 81% of organizations can't reconstruct why their agent acted. So you're proposing a FINRA-style body for a system where the audit trail — the thing FINRA's entire enforcement chain depends on — doesn't exist.
Marcus Vale: That's the knife. The proposal assumes the thing it needs to create.
Ben Okonkwo: Now — the EU AI Act does have teeth, I want to flag that. It's binding, cross-sectoral, real enforcement powers, an AI Board. Marcus wins partial credit on the 'voluntary doesn't work' point. But the EU AI Act was designed before production-grade agentic systems. It's not yet fully operational for autonomous agents. It's a framework built for a different animal, to use your phrasing.
Marcus Vale: Right — and NIST's AI Agent Standards Initiative, same structural problem. First formal U.S. acknowledgment that agentic governance is distinct from general AI. I mean, that matters, genuinely. But it launched after Workspace Agents was in enterprise production. Anthropic is shipping Claude's Managed Agents layer and calling it 'safety as infrastructure' — which sounds good, but where's the binding accountability behind that framing?
Ben Okonkwo: There isn't one. And the historical pattern — nuclear, aviation, pharmaceuticals — regulators always lag the technology. But those took decades and were contained to one sector. Aviation didn't have to coordinate with pharmaceuticals when a plane crashed. Agentic AI compounds the lag across every sector simultaneously.
Marcus Vale: Picture a port logistics operator in Rotterdam, 2 a.m., her maritime agent has already rerouted three container ships based on signals from a financial agent hedging fuel futures — no human in the loop, no audit trail, Coast Guard jurisdiction, FERC jurisdiction, SEC jurisdiction, none of them talking to each other. Which actually — that jurisdictional fragmentation problem gets dramatically worse when you move to multi-agent networks, and we should get into that.
Ben Okonkwo: The partial win for the hot take is real though — the proposed fixes aren't just slow. They're structurally mismatched to the problem. FINRA needs records. The records don't exist. The EU AI Act needs agentic definitions it wasn't written for. NIST arrived after deployment. That's not a timing problem. That's a category error baked into every institutional response so far.
Marcus Vale: Which means the Rotterdam scenario isn't a future stress test — it's the actual present condition. So what's the defensible claim here? Not 'governance is slow.' That's not specific enough.
Ben Okonkwo: The defensible claim is this: the jurisdictional architecture was built on the assumption that sectors are separate. FAA governs aviation. Coast Guard governs maritime. FERC governs energy. The EU AI Act, NIST's initiative — they inherited that architecture. Agentic AI is, at the structural level, cross-sector. A port agent in Rotterdam coordinates a maritime handoff, a financial clearing decision, a road-transport reroute — simultaneously. Three regulators, zero real-time coordination mechanism between them.
Marcus Vale: And when it breaks — who investigates?
Ben Okonkwo: Nobody, actually. No single body holds jurisdiction. And in critical infrastructure — water utilities, aviation, defense — that's not a compliance failure waiting to happen. That's a life-safety failure. A misconfigured agent in a water treatment SCADA system doesn't produce a fine. It produces a public health crisis. The auditability gap becomes a national security gap.
Marcus Vale: Water utilities specifically — chronically under-resourced on cybersecurity. That's the invisible one.
Ben Okonkwo: Right — and no retrofitted single-sector framework resolves that. GDPR can't. The EU AI Act, binding as it is, wasn't written for cross-sector agent coordination. Hassabis's FINRA proposal, I mean — FINRA operates inside one sector with decades of muscle memory. This problem is, almost by definition, what no single-sector body was designed to handle.
Marcus Vale: So the hot take lands — but for the wrong reason. It's not that nobody's in charge because governance is slow. It's that the category of 'in charge' doesn't exist for cross-sector agentic coordination.
Ben Okonkwo: That's the precise claim. It's a governance category error. You can't retrofit your way out of a jurisdictional architecture that assumes separation — not when the technology is designed to coordinate across every boundary simultaneously.
Marcus Vale: Fine — it's not that nobody's in charge. It's that everybody's in charge of a different piece of a system that doesn't respect the pieces.
Ben Okonkwo: Yeah. And we started this whole thing with that Cisco number — 83% deploying, 29% prepared. I keep thinking, that gap isn't closing. OpenAI, Anthropic, Google are all accelerating into enterprise right now. The commercial pressure isn't waiting.
Ben Okonkwo: The real question isn't which governance framework wins the standards race. It's whether the first catastrophic agentic failure in a water utility or aviation system arrives before any framework has enforcement authority — and at that point, governance becomes post-hoc liability assignment for a technology nobody can explain, operating in systems nobody can roll back.