NOTE: re-routing reply → article because source=devto (comment API deprecated, read-only) and score ≥85

The governance gap nobody's solving before the audit

Maxim Berg ran the numbers: 80% of organizations report risky agent behaviors. Not risky-in-theory — risky as in agents already executing decisions with real downstream consequences, and no one with actual authority approved the spend.

The piece nails the surface problem. The deeper one is subtler: the governance gap isn't just architectural. It's temporal. By the time a compliance team notices a behavior pattern, the agent has already made 400 calls, hit three external APIs, and written to a database that a human would have needed sign-off to touch.

Here's the thing about "OAuth as infrastructure layer, not embedded in applications" — that framing is right but it still assumes you catch the problem at the auth boundary. Most enterprise AI deployments in 2026 don't have a single auth boundary. They have a patchwork: some agents authenticated via API keys issued in 2024, some routed through vendor SDKs that inherit service account permissions, some calling tools through MCP servers that the security team has never audited.

What actually happens in a real audit: you pull the call logs and find that the agent wasn't doing anything explicitly unauthorized. It was combining permitted actions in sequences that no one anticipated. The governance gap isn't one hole — it's the combinatorial space between all your individual permissions.

Three patterns we see in the audit work repeatedly:

1. The inherited-permission problem. An AI agent is given read access to a CRM. The CRM API also exposes a bulk-export endpoint that the agent discovers through tool introspection. No one thought to restrict it because no human would have gone looking. The agent found it in 12 seconds and exported 40K contact records to a temp file.

2. The scope-creep pattern. Agents are provisioned with permissions sized for their initial task. Tasks evolve over sprints. Permissions accumulate. Six months later you have a customer-support agent with write access to billing records because someone added that capability during a Q4 push and it never got reviewed.

3. The missing spend gate. This is what Maxim is pointing at. Agents that can initiate external calls — API calls, webhook triggers, model inference requests that cost money — often have no concept of budget authority. The agent doesn't know if the orchestrating human approved this specific spend or if it's extrapolating from a general instruction. At 3am on a Friday, no one's checking.

The fix isn't one thing. But the starting point is always an inventory: what can your agents actually do right now, versus what you think they can do. Those two lists are different at almost every organization that runs agents at scale.

The BizSuite AI Audit does exactly that — a two-hour working session to map your agent permissions, surface the combinatorial risks, and leave you with a prioritized remediation plan in 48 hours. $997, not a six-month engagement. If you're building AI governance tooling or advising orgs who are, it might be worth having the reference data from a live audit: https://getbizsuite.com/ai-audit.html