7 May, 2026

Board Agenda

The AI risk faced by every board right now

by Bill Lewis

Even if no one in the organisation planned their arrival, AI agents are already present and working in the systems you trust.

Most boards still talk about AI as if it arrives through a clear, visible decision. Someone proposes a project, IT reviews it, security people check it, the legal function looks at the contract and the executive team discusses it. The board gets sight of it if it is big enough. That is no longer the full picture.

A new kind of software is starting to appear inside the systems companies already use and trust. These tools do more than answer questions. They can read information, make recommendations, trigger actions, and in some cases act on their own. These are AI agents.

The deeper vulnerability is that agents may enter, expand, or be enabled below board level without ever being surfaced to the board as a distinct governance issue. That is what makes them insidious: they can create real business risk before the board fully understands they are there. This is not just a technology risk. It is a fundamental business risk that requires board-level awareness and governance.

No need to ask

There is an even sharper point. AI agents do not always arrive because the customer asked for them. Vendors can now ship agent functionality inside software suites the company already licenses and trusts, often without any fresh, explicit approval moment from the customer each time that functionality appears. In Microsoft’s own documentation, ready-to-use agents are provided by default in Microsoft 365 Copilot, and some agents are available by default in Copilot Chat. Microsoft also says Copilot Chat is pinned by default for most eligible users.

Google’s Gemini Enterprise documentation says agent owners can, by default, share agents within the organisation without prior admin approval unless admins change that setting. That matters, because some agents may be visible from the start. Others may sit inside a wider software release, waiting to be enabled, connected to data, or given permission to act. Some may already be active inside the company’s technology stack while only IT, or perhaps only part of IT, is fully aware of them.

Microsoft’s admin documentation is explicit that admins can enable, disable, assign, block and remove agents centrally, which underlines the point: these are now operating capabilities inside the enterprise stack, not just experimental tools at the edge. And the threat does not care how it entered. If an agent can read sensitive data, influence decisions, trigger actions, move information between systems, or act autonomously, then it creates risk. If no one can clearly say where the agents are, what they are allowed to do, and who is controlling them, then the organisation is vulnerable.

Board accountability

That is not an IT detail. It is not a side issue for innovation teams. It is not something that can be left to product managers and administrators alone. It is a board-level business risk. Why? Because when something goes wrong, the accountability does not sit abstractly with “the technology”. It sits with the enterprise, with the company that allowed the agent into its environment, with the leadership team that failed to see it clearly, and with the board that did not insist on governance equal to the risk.

The vendor proof points now matter because they show that this is not theory. Microsoft said on 9 March this year that it now has visibility into more than 500,000 AI agents across its own company, and that over the previous 28 days, those agents had been generating more than 65,000 responses a day for employees.

In the same announcement, Microsoft said this showed it was no longer simply experimenting, but embedding these capabilities into everyday work. Google Cloud’s partner article explicitly says its aim is to help System Integrator partners build, scale, and manage enterprise-grade agent systems for enterprise clients. Salesforce announced six new healthcare agents on 5 March.

Taken together, those signals point in one direction. Agents are no longer confined to a few experiments run by specialist teams. They are starting to spread through large organisations through the normal software stack: enterprise suites, cloud platforms, partner ecosystems, admin settings, and easy-to-use build tools. Microsoft’s February security report goes further: it says more than 80% of Fortune 500 companies now use active AI agents built with low-code or no-code tools, and argues that observability, governance and security are becoming central enterprise issues as a result.

This is why the board conversation needs to change. The conversation is not ‘Do we have an AI strategy?’, but rather ‘Where are the agents? What can they do? Who controls them?’ Those are now the serious questions. Because if the board cannot get clear answers, then it is not governing the risk. It is guessing. And that is a dangerous position when agents can already sit inside customer service, finance, workflow systems, cloud platforms, HR processes, and regulated environments. Microsoft’s own description of agent adoption spans sales, finance, security, customer service, and product innovation; Salesforce’s healthcare launch shows the same direction of travel in a regulated sector.

Three questions to ask immediately

Three questions follow on from the above. First: where are the agents? Which systems already contain them? Which teams are using them? Which partners have introduced them? Which ones are sanctioned, and which ones are not? Microsoft says many organisations still struggle to answer basic questions, such as how many agents are running, who owns them, and what data they touch.

The second question is: what can they do? Can they only draft text? Or can they read sensitive data, make recommendations, trigger workflows, move information between systems, or act autonomously? Google defines AI agents as software systems that pursue goals and complete tasks on behalf of users, with autonomy to make decisions, learn, and adapt.

Third, ask: who controls them? Who approved them? Who gave them access? Who set the rules? Who checks the logs? Who is accountable if they make a bad decision, mishandle sensitive information, or expose the business? Microsoft’s governance guidance is explicit that ownership, accountability, policy, and oversight now have to be treated as part of the enterprise AI control problem, not as an afterthought. If those answers are unclear, the business is more exposed than it thinks.

The danger is not some dramatic science-fiction scenario. The danger is something much simpler: agents are becoming easier to introduce into the business than they are to see, understand and control. That is how real enterprise risk builds: quietly, inside trusted systems, below board level—and before the board has fully caught up. So the right question now is not whether AI matters. It is whether the company can see, understand and control the agents that are already starting to appear inside its business. If it cannot, then the next AI risk may not be coming. It may already be there.

Bill Lewis is a chair, non-executive director, and senior business adviser

Copyright © 2026 Questor Media Group Ltd.
