Folder Explainer
Back to folderResearch Explainer · Acharya (2026)
Governance maturity makes agent fleets safer, but the evidence is still simulated
A 750-run multi-agent simulation finds that higher governance maturity sharply reduces agent sprawl and risk incidents while improving task completion and composite Net Business Value. Its pivotal claim is that Level 3 is the minimum viable standard, not a decorative middle rung.
Published March 2026
Level 1 reactive governance with high shadow-agent and orphan-agent exposure
Level 2 an early control stage that barely improves adversarial outcomes
Level 3 the minimum viable governance level with formal controls and oversight
Level 4 the stage associated with automated sprawl detection and the largest sprawl decline
Level 5 the highest simulated maturity level, pairing lower risk with lower governance cost
A maturity model put through a simulation
The study tests five levels of an Agentic AI Governance Maturity Model across 750 deterministic Python simulations: five enterprise scenarios, five maturity levels, and 30 repetitions for every scenario-level combination. The workload contains 30 agent types across five business functions, with task difficulty split between simple (40%), moderate (35%), complex (20%), and critical (5%) work.
The scenarios range from greenfield deployment to scaling, cross-functional collaboration, adversarial unauthorised actions, and agent optimisation or retirement. At each higher maturity level, the model lowers the assumed probability of shadow and orphan agents and changes success, violation, and safe-delegation probabilities. It measures sprawl, incidents per 1,000 actions, governance cost, effective task completion, delegation safety, and a weighted Net Business Value (NBV) score.
This is therefore a controlled test of the model's assumptions, not an observation of firms in the wild. It can show what follows if those assumptions hold rather well, which is a more modest trick than proving they do.
The five levels form the paper's central progression:
- Levels 1 and 2Early or reactive governance, where shadow-agent probability is modelled at the high end of the range and controls are insufficient in the adversarial case.
- Level 3Formal policies, centralised agent catalogues, role-based access control, observability, auditing, and human oversight establish the proposed baseline.
- Level 4Automated sprawl detection is introduced, coinciding with the simulation's steepest reduction in the Sprawl Index.
- Level 5The most mature configuration, with the lowest modelled shadow-agent and orphan-agent rates and a lower governance cost ratio than Level 4.
The turning point is Level 3
The strongest practical claim is not simply that more governance is better. The model places a threshold at Level 3: NBV rises from 0.694 at Level 2 to 0.849, a gain of 0.155 with Cohen's d of 5.90. All reported pairwise maturity comparisons have p < 0.001 and effect sizes above 2.0, although repeated deterministic runs make those very tidy p-values less impressive than they first appear.
Level 3 also changes delegation safety. The rate is about 0.60 at Levels 1 and 2, rises to 0.902 at Level 3, and reaches 0.992 at Level 5. In the adversarial scenario, Level 2 produces virtually no NBV improvement over Level 1, 0.666 versus 0.664, whereas Level 3 reaches 0.856. For security-sensitive work, reactive governance is portrayed as almost indistinguishable from none.
The model's implication is clear: registration, lifecycle management, least-privilege access, delegation tracking, observability, audit trails, and human checkpoints belong before a large rollout. A governance policy filed in a drawer is not much of a control.
| Measure | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|
| Net Business Value | 0.625 | 0.694 | 0.849 | 0.944 | |
| Delegation Safety Rate | ≈0.60 | ≈0.60 | 0.902 | 0.992 | |
| Sprawl Index | 0.520 | 0.028 | |||
| Risk incidents per 1,000 actions | 59.08 | 2.05 | |||
| Effective Task Completion Rate | 0.699 | 0.930 | |||
| Governance Cost Ratio | 0.180 | 0.160 |
The largest gain comes from finding sprawl
Across the full maturity range, the simulated Sprawl Index falls from 0.520 at Level 1 to 0.028 at Level 5, a 94.6% reduction. The biggest single decline is between Levels 3 and 4, 74.4%, which the paper links to automated sprawl detection. Risk incidents fall from 59.08 to 2.05 per 1,000 actions, while effective task completion rises from 0.699 to 0.930 and NBV from 0.625 to 0.944.
Scaling is the weak spot that gives the model some teeth. At Level 1, the scaling scenario records NBV of 0.579 and a Sprawl Index of 0.746, worse than the overall Level 1 result. More agents without registration, retirement, and detection mechanisms do not merely create a longer inventory. They create more unattended ways for work to go sideways.
Level 5 is presented as an unusually friendly outcome: the governance cost ratio falls from 0.180 at Level 4 to 0.160, even as completion, safety, and NBV improve. That result depends on fixed maturity-level cost assumptions, so it should not be read as a guarantee that adding controls makes every real organisation cheaper to run. Spreadsheets are famously well-governed places.
What the simulation cannot settle
The study does not validate its model against production deployments, enterprise case studies, or longitudinal operational evidence. Task success and violations are parameterised from industry reports rather than directly observed enterprise data; governance controls are modelled as binary conditions; and the simulation uses a deterministic seed of 42. Reproducible, yes. Representative, not yet.
NBV also rests on one choice of outcome weights. Change how a stakeholder values speed, safety, cost, or control, and the ranking could change. Fixed governance costs omit the awkward variation introduced by organisation size, platform, implementation quality, and existing process. The paper reports no sensitivity analysis, so the stability of its results under different parameters is unknown.
The sensible next test is empirical: apply the model across platforms and organisations, track agent lifecycles over time, vary costs and weights, and compare observed incidents with the prediction. Until then, Level 3 is a useful design proposition, not an invoice from reality.
THE PRACTICAL READING
Treat Level 3 controls as a credible starting checklist for an expanding agent fleet, especially where unauthorised action matters. Treat the dramatic percentages as simulation outputs until field evidence and sensitivity testing have earned them a less comfortable status.
Reference
Acharya, V. (2026). Governing the Agentic Enterprise: A Governance Maturity Model for Managing AI Agent Sprawl in Business Operations. arXiv preprint arXiv:2604.16338. https://arxiv.org/abs/2604.16338v1