A few weeks ago, I was in Brussels on a panel in the European Parliament, alongside European and Japanese policymakers, investors, and founders trying to scale across both regions. The billed subject was how Europe builds and keeps its scale-ups. The argument that took over was narrower and harder: trust. Whose rules apply when data crosses borders, and who carries the liability when something automated goes wrong? Underneath it ran a more uncomfortable question in the room, whether the continent’s instinct to regulate first protects its young companies or quietly holds them back.
The regulatory reprieve that wasn’t
The backdrop made it sharper. Weeks earlier, under the Digital Omnibus, the EU had agreed to push back the AI Act’s strictest obligations for high-risk systems to December 2027, with 16 months of relief for companies nowhere near ready. Read one way, that looks like a reprieve for data governance. It is nothing of the sort. Because while the regulators bought time, the agents went into production.
The ceiling isn’t intelligence. It’s whether anyone can trust what sits beneath it
This is what agentic AI actually changes. We have moved from models that answer questions to systems that act through agents to settle a claim, update a customer’s record, and release a payment, with no one signing off on each step. The instant one acts on your behalf, an assumption that held for decades falls over: that a human was always the last check before anything irreversible happened. Remove that human and governance stops being the paperwork around the decision. It becomes the decision’s only adult supervision.
The pilot graveyard
The numbers bear this out. Gartner expects more than 40% of agentic AI projects to be scrapped by the end of 2027. Read the post-mortems and a pattern emerges: they rarely collapse because the technology underperformed. They collapse under runaway costs and value nobody could measure, and, again and again, controls that couldn’t keep pace. McKinsey tells the same story that most large firms have now experimented with agents, yet fewer than one in ten run them in production at any real scale, and the thing they blame most is their own data. The ceiling isn’t intelligence. It’s whether anyone can trust what sits beneath it. The instant an agent acts on your behalf, the human who was always the last check before something irreversible is gone.
Trust is built into the data the agent stands on, or it isn’t there at all
“Trust isn’t something you bolt on at the end of a project. It’s built into the data the agent stands on, or it isn’t there at all,” says Simon Ninan, senior vice-president of business strategy at Hitachi Vantara. “The companies pulling ahead treat governance as the thing that lets them take their hands off the wheel, not the brake.”
The questions have changed in a way most governance programs haven’t. Now a board has to answer, in the moment: where did this come from, is the action permitted right now, under whose law — and when it goes wrong, whose name is on it. Standard connectors like the Model Context Protocol let one agent reach across dozens of systems it was never deliberately handed. Wonderful for what it can suddenly do; a nightmare to keep a grip on. And each agent is now an identity of its own, acting and deciding, while most firms still manage identity as though only humans log in.
Beyond the chatbot filter
Here is where good intentions come apart. Most enterprises bolt governance onto the front end with a policy on the chatbot, a filter on the prompt, while the data the agent reasons over runs ungoverned beneath it. They mistake access for trust: if the agent can reach the data, it helps itself. They scrutinize the model while the provenance of the data, the part that decides whether a decision is defensible, goes unexamined. A clever model on dirty data doesn’t fail loudly. It fails plausibly, which is worse.
A clever model on dirty data doesn’t fail loudly. It fails plausibly, which is worse
“The pattern is remarkably consistent across our customers,” says Simon Ninan. “The ones who scale aren’t the ones with the cleverest agents. They’re the ones who did the unglamorous work on their data foundation first. Governed data isn’t the price of speed; it’s the only thing that makes speed safe. Enabling such data governance becomes one of the most valuable contributors to AI RoI.”
What separates the firms reaching production from those stuck in the pilot graveyard? They stopped treating governance as a layer of approval and built it into the data itself: provenance that travels with every input so that any decision can be traced; policy that executes at the moment of action, not in a report three weeks later; a record complete enough that when someone asks what an agent did, and why, you are not improvising the answer.
“Everyone’s asking how fast they can deploy. The sharper question is whether you can prove what your agents did when someone finally asks,” says Simon
The true measure of AI ROI
Which brings me back to Brussels. The deadline moved but the exposure didn’t. The founders I sat with won’t be judged on how many agents they deploy or how clever those agents are. They’ll be judged by regulators, customers, their own boards on whether they can stand behind every decision an agent made in their name. Good governance is what earns them that standing. Not a compliance exercise, but the thing that lets a company be trusted at all.
Mark Minevich is a globally recognised Chief AI Officer, AI strategist, and investor committed to redefining our relationship with artificial intelligence for the societal good. As founding partner and chairman of Going Global Ventures (GGV), a New York-based investment, technology, and strategic advisory firm, Mark advises public sectors, global enterprises, and prominent brands in the US, EU, Gulf Countries, South America, and Japan.
A few weeks ago, I was in Brussels on a panel in the European Parliament, alongside European and Japanese policymakers, investors, and founders trying to scale across both regions. The billed subject was how Europe builds and keeps its scale-ups. The argument that took over was narrower and harder: trust. Whose rules apply when data crosses borders, and who carries the liability when something automated goes wrong? Underneath it ran a more uncomfortable question in the room, whether the continent's instinct to regulate first protects its young companies or quietly holds them back.
The regulatory reprieve that wasn't
The backdrop made it sharper. Weeks earlier, under the Digital Omnibus, the EU had agreed to push back the AI Act's strictest obligations for high-risk systems to December 2027, with 16 months of relief for companies nowhere near ready. Read one way, that looks like a reprieve for data governance. It is nothing of the sort. Because while the regulators bought time, the agents went into production.




