Agentic transformation: govern first, transform responsibly
- Jun 8
80% of executives believe that agent-based AI will be critical to their company’s survival by 2027 (Cisco/Omdia, 2025). However, Deloitte reports that only 11% of organizations are actually using it in production, and Gartner predicts that more than 40% of agent-based projects will be abandoned by the end of 2027. The gap is not technological. It is one of governance.
Agent-based AI: A Paradigm Shift That Demands a Commensurate Response
AI agents are systems capable of planning, deciding, acting, and learning autonomously to achieve complex objectives, without human intervention at every step. When one agent manages an end-to-end customer service workflow, another rewrites legacy code while you sleep, and a third rebalances a financial portfolio based on real-time market signals, the nature of the business has fundamentally changed.
Beyond insurance risk, which is beginning to spark debate, the autonomy of agents raises a question that previous approaches did not have to address: who is responsible when an agent decides on its own? Who is accountable when it makes a mistake, biases a decision, or violates a confidentiality rule? The answer to this question is organizational, legal, and ethical.
The regulatory framework is no longer optional
The regulatory environment has become significantly stricter. Three standards are now jointly mandatory for any organization deploying AI in Europe.
The EU AI Act entered into force on August 1, 2024. Its obligations are being rolled out in phases: prohibited AI practices and AI literacy requirements have applied since February 2025; rules on general-purpose AI models and governance since August 2025; and full obligations for high-risk systems in 2026.
Penalties can reach €40 million or 7% of global revenue. Agent-based AI, due to its autonomous nature and its ability to directly influence decisions, frequently falls into the high-risk categories that trigger the strictest requirements.
ISO/IEC 42001 is the first certifiable international standard for an AI Management System (AIMS). Structured around the PDCA cycle (Plan, Do, Check, Act), it provides the operational framework that translates legal obligations into verifiable and reproducible practices.
ISACA puts it clearly: the EU AI Act is the regulation; ISO 42001 is the operating system that makes compliance repeatable and auditable. The two are complementary: their high-level requirements overlap by 40 to 50% (Vanta, 2025), which allows for the creation of a unified framework rather than two parallel programs.
The GDPR applies with particular relevance to autonomous agents, which often process personal data on a large scale and in an unsupervised manner. The obligations of data minimization, traceability of automated decisions (Article 22), and Privacy by Design are non-negotiable, while agent-based AI increases the scope of risk.
These three frameworks are not obstacles to transformation. They are its foundation. An organization that incorporates them early on builds trustworthy AI; one that discovers them in response to an incident builds fragile AI that could be very costly to fix.
What the enterprise architecture framework must include
Responsible agent-based transformation requires that the enterprise architecture explicitly incorporate an AI governance layer. Without this, compliance remains declarative and risks remain invisible.
The inventory of AI agents as an architectural asset. Every agent deployed, or in the process of being deployed, must be documented in the repository with: its function, its EU AI Act risk level, the data it processes, its access rights, its system dependencies, its designated human operators, and its oversight mechanisms. This inventory serves as the common anchor for regulatory compliance and operational governance.
Mapping automated decision flows. Where agents are involved in decisions impacting individuals (credit granting, HR management, pricing, customer mediation), the flows must be modeled, decision points made explicit, and human oversight mechanisms formalized.
Article 14 of the EU AI Act requires that high-risk systems be designed to enable effective supervision by natural persons.
The ISO 42001 / EU AI Act / GDPR cross-compliance register. The enterprise architecture must maintain a register linking each regulatory requirement to its technical or organizational control, proof of compliance, and revision date. This register is the central tool for internal and external audits, and it must reside within the architecture tool, not in a disconnected spreadsheet.
Responsible agent architecture patterns. Privacy by Design, Human-in-the-Loop for high-impact decisions, segregation of agent access rights, immutable logging of autonomous actions, and circuit breakers to halt an agent whose behavior deviates: these are all patterns that must be standardized in the architecture catalog and made mandatory for any new agent deployment.
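The patterns listed above, combined in one guard that mediates an agent's actions, as an added example that is not from the original article. The class, method, agent and action names are hypothetical, and a SHA-256 hash chain stands in for the logging backend, which the article does not specify.

```python
import hashlib
import json

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AgentGuard:
    """Mediates one agent's actions (all names here are hypothetical)."""

    def __init__(self, agent_id, allowed, high_impact, max_denials=3):
        self.agent_id = agent_id
        self.allowed = set(allowed)          # segregated access rights
        self.high_impact = set(high_impact)  # need a named human approver
        self.max_denials = max_denials       # circuit-breaker threshold
        self.denials = 0
        self.tripped = False
        self.log = []                        # hash-chained audit trail

    def _record(self, action, outcome, approver=None):
        prev = self.log[-1]["hash"] if self.log else GENESIS
        body = {"agent": self.agent_id, "action": action,
                "outcome": outcome, "approver": approver, "prev": prev}
        self.log.append({**body, "hash": _digest(body)})
        return outcome

    def request(self, action, approver=None):
        if self.tripped:                     # breaker open: nothing runs
            return self._record(action, "halted")
        if action not in self.allowed:
            self.denials += 1
            self.tripped = self.denials >= self.max_denials
            return self._record(action, "denied")
        if action in self.high_impact and approver is None:
            return self._record(action, "pending_human")
        return self._record(action, "executed", approver)

def verify_chain(log):
    """False if any record was edited, reordered or cut from the middle."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return False
        prev = rec["hash"]
    return True
```

The chain makes tampering detectable rather than impossible; keeping the latest hash in a separate write-once store also exposes truncation of the tail.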
Alignment with digital sovereignty. Agents processing sensitive data must operate in controlled sovereign environments, with data localization compliant with the GDPR and a documented subcontracting chain. Digital sovereignty is not an option in agent-based architecture: it is a structural constraint.
The Role of the Chief Transformation Officer in Agent-Driven Transformation
Responsible agent-driven transformation requires a cross-functional leadership role that simultaneously orchestrates strategy, architecture, governance, and organizational change. This is precisely the role of the Chief Transformation Officer (CTrO).
Their first task is to define the organization’s agent-based AI policy. What decisions can agents make on their own? In which areas is human supervision non-negotiable? What risk thresholds trigger human intervention? These rules reflect the organization’s values and commitments. They must be formalized, known, and enforceable.
Their second task is to orchestrate cross-functional governance. The CTrO ensures alignment between the CIO who builds the agents, the DPO who monitors GDPR compliance, the CISO who secures access, the HR Director who anticipates skill development, and the business units that deploy use cases. Without this coordination, each function optimizes locally and the transformation remains fragmented.
Their third task is to build a responsible deployment roadmap: one prioritized by business value, risk management, and impact on the workforce, with ISO 42001 and EU AI Act compliance milestones integrated from the design phase.
Lean Change Management and Workforce Evolution: AI as a Partner
Cisco has measured it: 55% of the workforce will be collaborating with AI agents within the next 24 months. And 60% of employees will need to upskill—no longer just in prompt engineering, but in supervising agents, auditing them, and managing their behavior. This is not a training issue. It is a cultural transformation.
This is precisely where Lean Change Management, developed by Jason Little, offers the most suitable framework. Its logic of co-constructing change, its short experimentation cycles, and its iterative approach naturally apply to an agent-driven transformation that cannot be planned down to the last detail, because the agents themselves are learning and evolving.
In this context, AI plays a dual role. It is the object of the transformation (the agents that teams must learn to supervise), but it is also a lever to support this transformation: real-time analysis of resistance signals, customization of skill-building pathways based on actual profiles and behaviors, and assistance in defining new rules for human-agent collaboration.
The challenge is to build a new way of working, where human value shifts toward supervision, critical evaluation, creativity, interpersonal skills, and decisions requiring contextual judgment that agents do not possess.
Agents are a silicon workforce that complements the human workforce (Deloitte).
Managing this mixed team (humans + agents) is the new skill of transformation management.
The Meridian Approach: Responsible by Design
At Gabriel Greenfield, we believe that responsible agent-driven transformation is not achieved by adding governance as an afterthought. It is built from day one, in the architecture, in the methodology, and in the support.
Recommend: identify high-impact agent-based use cases, evaluate them against the EU AI Act and ISO 42001 standards, and propose a deployment roadmap aligned with the organization’s maturity and risks.
Facilitate: create the conditions for effective cross-functional governance between the CIO, DPO, CISO, HR, and business units. Structure decision-making processes. Bring the agentic architecture framework to life. Integrate ISO 42001 requirements into development and deployment practices.
Support: sustainably support teams through a Lean Change Management approach: short experiments, rapid feedback, continuous adjustments. Measure the impact. Develop agents, processes, and skills together.
Responsible agent-based transformation is not a constraint imposed on innovation. It is the condition for this innovation to be sustainable, trustworthy, and a creator of real value.
REFERENCES
• Cisco / Omdia — The Race to Agentic AI (2025): 80% of executives view agentic AI as critical to survival by 2027
• Deloitte — Agentic AI Strategy (2025): only 11% in production, 35% without a formal strategy
• Gartner — Over 40% of agentic AI projects will be canceled by the end of 2027 (June 2025)
• Bain & Company — State of the Art of Agentic AI Transformation (2025)
• ISACA — ISO/IEC 42001 and EU AI Act: A Practical Pairing for AI Governance (December 2025)
• Vanta — How ISO 42001 helps with EU AI Act compliance (2025): 40–50% overlap
• Futurum Research — Rise of Agentic AI (2025): 60% of DIY initiatives fail to scale
• McKinsey — The Change Agent: Goals, Decisions, and Implications for CEOs in the Agentic Age (2025)
• Jason Little — From Skeptic to Strategist: Embracing AI in Change Management (2024)
• EU AI Act — Official Journal of the EU, effective August 1, 2024, compliance timeline 2025–2027



