AI Strategy & Insight  |  Brooklyn Solutions  |  Part 4 of 5

Most organisations are using AI as a sophisticated assistant. That’s about to change, and the governance requirements change with it.

Nick Francis  ·  Co-Founder & CTO, Brooklyn Solutions  ·  2025/26

79% of enterprises say they’ve adopted AI agents. Only 11% run them in production. That gap between claiming agentic AI and actually governing it is where most organisations are right now. Closing it requires something most AI strategies don’t yet have: a serious answer to what happens when the AI acts, not just advises.

The Buzzword Problem and Why It Matters

Every board deck has ‘agentic’ in it somewhere. Most of them mean something between ‘we’re using Copilot’ and ‘we’re thinking about it.’ That’s fine, those are legitimate starting points. But the gap between the language of agentic AI and the reality of deploying it is where strategies fail and governance gaps become liabilities.

This blog is the fourth in a series about AI readiness in procurement and supplier management. The first three covered process understanding, transformation governance, and data readiness. Those weren’t preamble. They were prerequisites. Because this is where the journey has been heading: the point at which AI stops advising and starts acting, and the governance requirements change fundamentally as a result.

Where Most Organisations Actually Sit: The Maturity Arc

The most common experience of AI in the enterprise today is Microsoft 365 Copilot, or equivalent AI features embedded into the tools people already use: summarising meeting notes, drafting email responses, reformatting documents, extracting data points from a report. These are genuinely useful capabilities and they represent the copilot stage: AI that makes humans faster at tasks they were already doing.

What they are not is agentic AI. And the distinction matters enormously, because the governance requirements of an AI that advises are categorically different from the governance requirements of an AI that acts.

What Agentic AI Actually Means in a Procurement Context

An AI agent, properly defined, is a system given a remit: a defined part of a process that it executes autonomously when triggered, within governed boundaries, with defined escalation paths when those boundaries are reached. It doesn’t wait to be asked. It acts.

In a procurement and supplier management context, that looks like:

• →Proactive threshold alerting: an agent that continuously monitors supplier spend, contract commitments, or risk indicators and raises alerts before thresholds are breached, not after. Proactive Threshold Alert Agents monitor in real time, contextualise the alert against the relevant contract and supplier data, and route it to the right person with relevant context already assembled.
• →Obligation monitoring: an agent that tracks contractual commitments, key dates, renewal windows, and performance obligations, and initiates the next steps defined in a governance playbook when those milestones arrive. Obligation Monitoring Agents surface upcoming obligations, assemble the relevant documentation, and trigger the appropriate workflow without waiting for a human to notice a date in a spreadsheet.
• →Data consolidation and opinion-forming: an agent that receives structured data inputs as part of a process (supplier submissions, risk assessments, performance data), consolidates them, identifies gaps or anomalies, and forms a preliminary view for human review. The human arrives at the decision point with the analysis already done.

These are not chatbots. They are systems that execute defined steps in defined processes, and that distinction is where the agentic AI governance conversation must begin.

Blog Parts 1–3 Were Not Optional Reading

An agent can only be as well-governed as the process it runs on. For an agent to execute a process step correctly, it needs every input that precedes that step to be defined and available. It needs to know what a correct output looks like. It needs instructions for how to behave when inputs are missing, when data is anomalous, or when the situation doesn’t match its training.

Without those things, the process mapping from Part 1, the governance structure from Part 2, the data standards from Part 3, the agent will do what large language models always do when left without sufficient constraint: generate a plausible-sounding answer that may bear no reliable relationship to the truth. This is what practitioners have started calling ‘AI slop’: output that is fluent, confident, and wrong.

The Unconstrained Agent Problem

If you haven’t defined what good looks like, the agent will always find a way to conclude that things are fine. Large language models are optimistic by default, trained to produce positive, coherent completions. Without explicit instruction to surface anomalies, flag missing data, and escalate uncertainty, an agent will paper over the gaps with confidence. The damage to a procurement process (missed obligations, undetected risk, unaudited spend decisions) is a live operational risk in any organisation that deploys agents without first doing the process work.

The EU AI Act: This Is Not a Future Requirement

The EU AI Act is in force, with obligations for high-risk AI applications already active and enforcement ramping up significantly from August 2026. For procurement functions in regulated sectors (financial services, defence, utilities, government supply chains) the question of whether agentic AI falls into a high-risk category is not hypothetical. It is urgent.

The core obligation is traceability: the ability to explain, in reverse, why an AI agent did what it did. What data did it use? What was the decision context? What recommendation did it make, and on what basis? What oversight mechanism was in place? This is the same standard of oversight you would apply to a human employee making spend decisions or managing supplier relationships, and it is now expected of the AI systems that perform equivalent functions.

The Regulatory Position

When your AI agent makes a determination that affects a spend decision, a supplier relationship, or a contractual commitment, you must be able to explain that determination to a regulator, an auditor, or a major customer. ‘The AI decided’ is not an acceptable answer. The governance structure behind the agent’s decision must be as auditable as the decision itself. From August 2026, the EU AI Act makes this a legal obligation for qualifying applications.

Human-in-the-Loop: What It Actually Means in Practice

Human-in-the-loop is one of the most used and least defined terms in enterprise AI strategy. In the context of agentic AI, it has a specific and practical meaning:

1. Which outputs require human review before action is taken. Where the agent’s recommendation is a proposal, not a decision, and a named person must approve before the workflow proceeds.
2. Which situations trigger escalation. The definition of anomaly, missing data, or out-of-bounds condition that tells the agent to stop and route to a human. The agent needs to know not just what good looks like, but what ‘I don’t know’ looks like.
3. Who that human is, named, not generic. The RACI model from Part 2 now has a new swim lane: the AI agent. The agent may be Responsible for executing a process step. Accountable must always be a human, the named owner of that process area, answerable for what the agent does in their name. Accountability cannot be held by a non-human element. That is not a philosophical position. It is a regulatory one.

Observability and Audit Trails: Brooklyn’s Architectural Commitment

The question of whether you can trust your agent’s outputs is, in practice, a question of whether you can see them: not just the final output, but the full chain. What data the agent used, what the prompt structure was, what the model returned, why the agent reached the conclusion it did.

Brooklyn’s observability architecture logs every prompt, every input data source, every model response, every escalation and non-escalation, attributable and reviewable. Not as a compliance checkbox. As the operational backbone of a system you can actually trust.

When something goes wrong with an agent output, and something will go wrong, particularly in the tuning phase, the cause is almost always one of two things: the data was flawed, or the prompt structure and process design were insufficiently specific. Observability is what lets you diagnose which has occurred and fix it.

Sequencing: The Primer Process Principle, Applied to Agents

Part 2 introduced the primer process principle: your first transformation should not be your most complex one. Its purpose is to prime the machinery (the programme, the governance, the change management) so that you know how to transform before you do it at scale.

The same principle applies to agentic AI with double force. Your first agent deployment should be on a well-bounded, lower-risk process step where inputs are clean, the definition of done is clear, and the consequences of an incorrect output are recoverable. Execute well on one. Document what worked. Apply the blueprint to the next. That is how agentic AI earns trust.

The Agentic Readiness Checklist

Before deploying an AI agent on any procurement or supplier management process, the following is the minimum governance threshold:

• ✓Process mapped and owned: the process the agent will execute is documented end-to-end, with a named owner who is accountable for its outputs.
• ✓Data governed and sourced correctly: the agent draws only from designated systems of record meeting the minimum viable data standard from Part 3.
• ✓Definition of done established: the agent has explicit criteria for what a correct output looks like, and equally explicit criteria for anomaly, gap, or out-of-bounds conditions requiring escalation.
• ✓Human escalation paths named: every escalation condition maps to a named individual. The RACI includes the agent as Responsible and a human as Accountable.
• ✓Audit trail architecture in place: every agent action is logged with full decision context and retained in line with your data governance policy.
• ✓EU AI Act obligations assessed: you have determined whether the process falls within a high-risk category. As best practice, treat all agent-executed procurement processes as if they do; you will never be found wanting.
• ✓Primer process selected and piloted: the first deployment is well-bounded, lower-risk, with the tuning phase budgeted for and observability in place before the agent goes live.

The Series So Far, and Where It Ends

This is the fourth of five blogs in Brooklyn’s AI readiness series. The arc has been deliberate: understand your processes → fix your transformation approach → govern your data → deploy agents with the right governance. The fifth and final blog will address the people dimension: what the AI-ready procurement team actually looks like, how roles need to evolve, and how organisations build the human capability that makes everything in this series sustainable at scale.

The organisations that will get the most from agentic AI are not the ones that deployed it fastest. They are the ones that designed it to be trusted, by their teams, their customers, and their regulators. That design starts before the agent is built. It starts with the process.

About the Author

Nick Francis, Chief Technology and Marketing Officer at Brooklyn Solutions

Nick Francis is a well-established and experienced CxO delivering Digital & Security-focused Transformation through the design, build, and deployment of cost-effective, highly automated industry-leading solutions. Nick has experience working across the private and public sectors in industries such as Financial Services, Insurance, Legal, Utilities, Retail, Public Sector and Government. Specialised in transformation activity to optimise processes, operational expenditure, and increase productivity. Significant experience in compliance, risk & control activities in highly regulated industries, standardisation of technologies, streamlining of internal processes and continuous improvement driving consistency and efficiency across an organisation whilst holding Customer, Colleague and Partner experience at a premium.

References & sources

1. Svitla Systems / Agentic AI Market Trends 2026 (April 2026): 79% of enterprises say they’ve adopted AI agents; only 11% run them in production.
2. Gartner (2025–2026): 40% of enterprise applications will include task-specific AI agents by end of 2026, up from under 5% a year earlier.
3. Agentic AI Institute (May 2026): 72% production deployment rate, but a 60% governance gap remains across enterprises.
4. EU AI Act (in force 2024, enforcement ramping August 2026): high-risk AI applications require documented human oversight, explainability, data governance, and audit trails.
5. MuleSoft / Deloitte Digital — 2025 Connectivity Benchmark Report: 93% of IT leaders intend to introduce autonomous agents within two years; 60% of finance leaders cite data governance as primary barrier.