AI Agents: Where autonomy belongs in the enterprise
At the AIBP Innovation Retreat in late April, more than 60 senior technology leaders from across Southeast Asia worked through one of the harder questions on the enterprise agenda. Where should AI agents be allowed to act, and where should they not. The conversation did not produce consensus. It produced a structured set of disagreements about what enterprises are willing to trade for the speed agentic AI promises, and that disagreement is the most useful record of the room.
The retreat's opening had set the frame. The decisions enterprise leaders are making in 2026 are trade-offs by nature, even when they are not framed that way. Agentic AI is the most legible version of that proposition. Each agent deployment is a wager on speed against control. The question is not whether agents will scale. It is what an enterprise gives up to scale them.
The sequencing question
The room treated adoption versus governance as a sequence to be ordered, not a balance to be struck. Two views were articulated with equal conviction.
The first view held that pace is the lesson of the past three years. Enterprises that prove use cases internally over a short window, often three months, develop adoption discipline through running rather than through writing policy in advance. Building governance ahead of deployment tends to produce controls that do not match the real risk surface once the agent is live.
The second view held that adoption signals are not the same as adoption discipline. Early signs of agents being used or projects being funded are not evidence that the enterprise can manage agents at scale. Mistaking the first for the second leads to scaling commitments the operating model cannot support, and to projects that quietly fail to reach production.
The split mapped to industry exposure rather than seniority. Leaders from regulated sectors leaned structural; leaders from less regulated industries leaned pragmatic. For single-sector businesses, this is a question of where the regulatory exposure of the business places it on the spectrum. For conglomerates with both regulated and less-regulated business lines, the question is harder. Both trade-offs are being made at once, and the answer cannot be uniform across the portfolio.
A second sequencing question ran underneath the main one. Cyber for AI, or AI for cyber. One view held that the enterprise must protect its AI systems from cyber threats before delegating any cyber capability to AI. Another held that the threat surface is too large to defend without delegating part of the work to AI itself. Both are correct under different conditions. The concern raised in the room was that an enterprise treating both as equal priorities at the same time risks doing neither well, with the result being partial cover on both fronts rather than a clear position on either.
Specialist or generalist agents
The second trade-off is structural. An enterprise can build a fleet of confined, purpose-built agents, or a hierarchy of specialist and general models that pass information between layers under defined access governance.
The case for the confined fleet rested on the principle that safety comes from the boundary itself. Each agent is built for one function and locked to it; most failure modes are not available to the agent because it cannot do most things. The trade-off is that capability is capped at the function level.
The case for the hierarchy rested on the principle that capability compounds across layers. Specialist small models can hand off to general large models, and the enterprise can address tasks that no single agent could handle alone. The trade-off is that access governance between layers has to be enforced in practice, and context boundaries have to be maintained as agents pass information between each other.
The disagreement is not technical. It is about how much trust the enterprise is willing to extend to its agents. Most enterprises in the room had not formally chosen one architecture over the other. They were already moving toward one or the other through procurement decisions, sometimes without the choice being explicit at the leadership level. Where this matters is in the cost of running both informally: the enterprise carries the operational burden of two architectures and the strategic benefits of neither.
The talent floor
Two threads on talent ran through the conversation, and both were treated as load-bearing rather than peripheral.
The first thread positioned talent as a precondition rather than a consequence. Reskilling, a centre of excellence, and a measurable training timeline have to be in place before agentic AI can be deployed, used, and governed properly. Without these, agentic AI tends to land in one of two failure modes. It becomes an external vendor expense, where the enterprise depends on suppliers for capability it does not have internally. Or it becomes shadow IT, where business units run their own agents without central oversight.
The second thread raised a generational concern. Productivity gains from agents are unlikely to fall evenly across the workforce. Fresh graduates and roles consisting mostly of repeatable tasks are likely to be the first to be exposed. The room treated this as a leadership question (what does the enterprise owe the people it has hired) rather than a policy question (what does HR write down). Enterprises that scale agents without a clear position on this tend to find the situation resolved through people leaving, which is a more expensive way to arrive at the same answer.
The economic unit of an agent
A reframe surfaced in the room that several other threads had been circling. The right question is not what an agent costs to build. It is what an agent returns each time it is used. A useful unit of measurement is margin per task, per workflow, or per decision delegated.
Most enterprises in the room had not measured this. Pilot ROI had a number attached to it. The unit economics of an agent did not. This converts the autonomy question from a technology question into a commercial one, and the conversion matters because it determines when adding more agents stops paying off. An enterprise that deploys a second agent without unit economics on the first has no way of knowing whether the second is helping or compounding a loss it cannot yet see.
What This Means for ASEAN Enterprises
The most consequential decision is the sequencing decision, and it benefits from being made deliberately at leadership level rather than left to teams making implementation choices. Whether the enterprise prioritises pace or discipline, and whether it sequences cyber for AI before AI for cyber, are calls best taken in advance and communicated clearly.
Agent autonomy should be defined in writing, not held informally. The boundary belongs to the business owner who signed off on the agent, not to the team that built it. If the boundary is implicit, it tends to move under operational pressure.
The choice between fleet and hierarchy should be an enterprise architectural decision before scaling, not after. Running both informally tends to produce the cost of two approaches without the benefits of either.
Unit economics should be measured on the first agent before deploying the second. If the first agent's return per task or per workflow is unclear, the second agent will compound the opacity rather than resolve it.
The integrity steward function should be treated as a budgeted hire, not as a line in a policy document. Named accountability for agent behaviour, separate from the build team and separate from InfoSec, is what allows governance to operate beyond the level of text.
The retreat did not deliver a single answer on where autonomy belongs. It surfaced that ASEAN enterprises are already making the decision through procurement, deployment, and silence. The trade-offs are real. They are not yet on the agenda in most enterprises, and that is the gap worth closing first.
A companion piece, Trust on the line, looks at the integrity question from a parallel discussion at the same retreat. Where this piece asks where AI agents should be allowed to act, the companion asks how Southeast Asian enterprises should govern the data those agents act on, and why integrity has to be answered differently in each sector.
