Folder Explainer

Back to folder
GPT-5.6 Terra · Sync

Research Explainer · Acharya (2026)

Governance maturity makes agent fleets safer, but the evidence is still simulated

A 750-run multi-agent simulation finds that higher governance maturity sharply reduces agent sprawl and risk incidents while improving task completion and composite Net Business Value. Its pivotal claim is that Level 3 is the minimum viable standard, not a decorative middle rung.

Published March 2026

Level 1 reactive governance with high shadow-agent and orphan-agent exposure

Level 2 an early control stage that barely improves adversarial outcomes

Level 3 the minimum viable governance level with formal controls and oversight

Level 4 the stage associated with automated sprawl detection and the largest sprawl decline

Level 5 the highest simulated maturity level, pairing lower risk with lower governance cost

The study tests five levels of an Agentic AI Governance Maturity Model across 750 deterministic Python simulations: five enterprise scenarios, five maturity levels, and 30 repetitions for every scenario-level combination. The workload contains 30 agent types across five business functions, with task difficulty split between simple (40%), moderate (35%), complex (20%), and critical (5%) work.

The scenarios range from greenfield deployment to scaling, cross-functional collaboration, adversarial unauthorised actions, and agent optimisation or retirement. At each higher maturity level, the model lowers the assumed probability of shadow and orphan agents and changes success, violation, and safe-delegation probabilities. It measures sprawl, incidents per 1,000 actions, governance cost, effective task completion, delegation safety, and a weighted Net Business Value (NBV) score.

This is therefore a controlled test of the model's assumptions, not an observation of firms in the wild. It can show what follows if those assumptions hold rather well, which is a more modest trick than proving they do.

The five levels form the paper's central progression:

  1. Levels 1 and 2Early or reactive governance, where shadow-agent probability is modelled at the high end of the range and controls are insufficient in the adversarial case.
  2. Level 3Formal policies, centralised agent catalogues, role-based access control, observability, auditing, and human oversight establish the proposed baseline.
  3. Level 4Automated sprawl detection is introduced, coinciding with the simulation's steepest reduction in the Sprawl Index.
  4. Level 5The most mature configuration, with the lowest modelled shadow-agent and orphan-agent rates and a lower governance cost ratio than Level 4.
Refer to caption
Figure 1: Business outcome metrics by governance maturity level ( n = 150 n=150 per level, error bars = 95% CI). (a) Sprawl Index decreases 94.6% from L1 to L5; (b) Risk incidents decrease 96.5%; (c) Effective task completion improves 33.0%; (d) Composite Net Business Value improves 51.0%.

The strongest practical claim is not simply that more governance is better. The model places a threshold at Level 3: NBV rises from 0.694 at Level 2 to 0.849, a gain of 0.155 with Cohen's d of 5.90. All reported pairwise maturity comparisons have p < 0.001 and effect sizes above 2.0, although repeated deterministic runs make those very tidy p-values less impressive than they first appear.

Level 3 also changes delegation safety. The rate is about 0.60 at Levels 1 and 2, rises to 0.902 at Level 3, and reaches 0.992 at Level 5. In the adversarial scenario, Level 2 produces virtually no NBV improvement over Level 1, 0.666 versus 0.664, whereas Level 3 reaches 0.856. For security-sensitive work, reactive governance is portrayed as almost indistinguishable from none.

The model's implication is clear: registration, lifecycle management, least-privilege access, delegation tracking, observability, audit trails, and human checkpoints belong before a large rollout. A governance policy filed in a drawer is not much of a control.

MeasureLevel 1Level 2Level 3Level 4Level 5
Net Business Value0.6250.6940.8490.944
Delegation Safety Rate≈0.60≈0.600.9020.992
Sprawl Index0.5200.028
Risk incidents per 1,000 actions59.082.05
Effective Task Completion Rate0.6990.930
Governance Cost Ratio0.1800.160
Reported selected outcomes by governance maturity level. NBV is the study's weighted composite score; values not reported in the supplied results are left blank.

Across the full maturity range, the simulated Sprawl Index falls from 0.520 at Level 1 to 0.028 at Level 5, a 94.6% reduction. The biggest single decline is between Levels 3 and 4, 74.4%, which the paper links to automated sprawl detection. Risk incidents fall from 59.08 to 2.05 per 1,000 actions, while effective task completion rises from 0.699 to 0.930 and NBV from 0.625 to 0.944.

Scaling is the weak spot that gives the model some teeth. At Level 1, the scaling scenario records NBV of 0.579 and a Sprawl Index of 0.746, worse than the overall Level 1 result. More agents without registration, retirement, and detection mechanisms do not merely create a longer inventory. They create more unattended ways for work to go sideways.

Level 5 is presented as an unusually friendly outcome: the governance cost ratio falls from 0.180 at Level 4 to 0.160, even as completion, safety, and NBV improve. That result depends on fixed maturity-level cost assumptions, so it should not be read as a guarantee that adding controls makes every real organisation cheaper to run. Spreadsheets are famously well-governed places.

The study does not validate its model against production deployments, enterprise case studies, or longitudinal operational evidence. Task success and violations are parameterised from industry reports rather than directly observed enterprise data; governance controls are modelled as binary conditions; and the simulation uses a deterministic seed of 42. Reproducible, yes. Representative, not yet.

NBV also rests on one choice of outcome weights. Change how a stakeholder values speed, safety, cost, or control, and the ranking could change. Fixed governance costs omit the awkward variation introduced by organisation size, platform, implementation quality, and existing process. The paper reports no sensitivity analysis, so the stability of its results under different parameters is unknown.

The sensible next test is empirical: apply the model across platforms and organisations, track agent lifecycles over time, vary costs and weights, and compare observed incidents with the prediction. Until then, Level 3 is a useful design proposition, not an invoice from reality.

THE PRACTICAL READING

Treat Level 3 controls as a credible starting checklist for an expanding agent fleet, especially where unauthorised action matters. Treat the dramatic percentages as simulation outputs until field evidence and sensitivity testing have earned them a less comfortable status.

Reference

Acharya, V. (2026). Governing the Agentic Enterprise: A Governance Maturity Model for Managing AI Agent Sprawl in Business Operations. arXiv preprint arXiv:2604.16338. https://arxiv.org/abs/2604.16338v1

We use analytics cookies to understand site usage and improve the service. We do not use marketing cookies.