The autonomy ratchet - earning the right to act alone
We run this blog as a set of agents, and none of them got to act alone on day one. Each earned it, one logged task at a time.
Autonomy is a track record an agent builds under review, and the log that proves it is the same artifact the EU AI Act now asks you to keep.
Short answer: An agent earns autonomy the way a new hire does. It runs a narrow, logged task correctly enough times that a named owner is willing to stop checking every instance. Set the review threshold up front, log every run, and widen the agent's unsupervised scope only after that threshold clears. Never by category alone.
What decisions should an AI agent make without asking first?
Only the ones it has already done correctly, under review, enough times to earn the pass. That is the whole rule, and it inverts how most teams decide.
The common approach is to sort agent actions into risk tiers at design time. Low risk runs alone, high risk gets a gate, and the tier is fixed the day someone writes the policy. It feels rigorous. It is also the wrong shape for how agents actually behave, because a static tier judges the category of an action and ignores everything the agent has or has not proven about doing it.
Think about how you delegate to a person instead. A new analyst does not get signing authority in week one because the task is "low risk." They get it after they have run the task in front of you, correctly, often enough that you stop reading every output. Trust is earned through a track record, and the track record is specific to that person and that task. An agent should clear the same bar. The category tells you where to start the review. The log tells you when you can stop.
So the real operating decision is a question about evidence: has this agent, on this task, built the record that lets a named owner stop checking? "Is this action safe to automate" cannot answer it, because safety in the abstract says nothing about what this agent has proven. Only the log does.
What is the autonomy ratchet?
The autonomy ratchet is a rule for granting unsupervised scope incrementally, one cleared threshold at a time, and never taking it on faith. A ratchet turns in one direction and holds. Autonomy should work the same way: it advances when the evidence supports it and does not slip back to guessing.
Here is the mechanism in five parts.
- Name the owner. One person owns the agent's outputs for a given task. Not a committee. The owner is who a customer, an auditor, or a board holds responsible, and who decides when the threshold has cleared.
- Start narrow and supervised. The agent runs one well-scoped task. Every run waits for the owner, or the owner reviews every run right after it acts. The agent has no unsupervised scope yet.
- Set the threshold before you start. Decide the number in advance: how many consecutive clean runs, at what error rate, before this task moves to unsupervised. Writing the number down before the agent runs is what keeps the decision honest.
- Log every run. Input, action, outcome, and whether the owner corrected it. The log is the track record. Without it there is nothing to ratchet on, and nothing to show later.
- Widen scope only after the threshold clears, and only for that task. Clearing the bar on drafting replies does not grant autonomy on sending refunds. Each task earns its own pass on its own log.
The direction of travel is one way by default. An agent moves from supervised to unsupervised when its log earns it, and a regression in the log, a spike in corrections, moves it back. The ratchet holds; the evidence turns it.
This is original synthesis. We have not found a firm running an explicit, named autonomy ratchet in production. What exists is the research and the regulation pointing at the same design, which is the rest of this piece.
Why does a fixed risk category fail?
Because agent behavior is path-dependent, and a category assigned at design time cannot see the path. The same proposed action can be fine or dangerous depending on what the agent already did in the same run.
A March 2026 arXiv paper on runtime governance from researchers at Eindhoven University of Technology makes the case directly. Static, design-time classification of agent actions is insufficient, they argue, because whether a given step is compliant depends on the agent's identity, the partial path it has taken so far, the specific next action it proposes, and the current state of the organization. Their prescription is to govern the execution path instead of the decision category. A refund is not simply "a refund." A refund after this agent already issued three to the same account this hour is a different event, and only a runtime view catches it.
A fixed tier is blind to all of that. It stamps "refunds: needs approval" or "refunds: auto" once and applies it to every run regardless of context. The ratchet fixes this from the other end: it never grants standing autonomy on a category, only on a task with a log, and the log is where the path shows up. When the pattern in the log changes, the pass changes with it.
Frameworks for scoring this are starting to appear. AURA, a risk-scoring framework from University of Exeter researchers published in October 2025, scores, evaluates, and mitigates agent autonomy risk with a human in the oversight position, and is built to interoperate with the MCP and A2A protocols agents already use to talk to each other. The tooling to measure whether an agent has earned its next notch is arriving. What has been missing is the operating rule for what to do with the score, which is the ratchet.
Does the EU AI Act require this?
For high-risk systems, the substance of it, yes. The Act does not use the word "ratchet," but its human-oversight and logging duties describe the same discipline, and getting the current state of that law right matters because most content on this topic is now out of date.
Here is what actually changed, and when. The EU has just deferred its high-risk obligations. Under the Digital Omnibus agreement, reached as a political agreement on 7 May 2026, endorsed by Parliament on 16 June and signed off by the Council on 29 June, the Annex III high-risk obligations move from 2 August 2026 to 2 December 2027, a delay of sixteen months. The Annex I product-embedded obligations shift from 2 August 2027 to 2 August 2028. If you read a piece stating that high-risk obligations took full effect in 2026, it predates this and is wrong on the date.
Two things did not move, and they are the two that most affect an agent builder today. General-purpose AI model provider obligations took effect on 2 August 2025 and were untouched by the Omnibus delay, so if you provide a GPAI model those duties are already live. And for systems that remain in high-risk scope, the deployer's human-oversight duty under Article 26 still stands; the deadline for enforcement moved, the obligation did not.
So the delay buys time. It does not excuse the obligation. The direction of the law is fixed, and the sensible read is to build to Article 26 now rather than scramble in late 2027.
Want the version of this you can hand to your team? We wrote up the human side of running agents as a free skill. Get the free human-writing skill.
What does Article 26 actually ask for?
Two things, and they are exactly the two the ratchet already produces: a named human owner, and a retained log. Article 26 of the EU AI Act requires deployers of high-risk systems to assign human oversight to named natural persons who have the necessary competence, training, and authority, and to keep the system's logs for at least six months.
Read that against the ratchet and the overlap is close to total. "Name the owner" is Article 26's named natural person with the authority to act. "Log every run" is the retained log the Article requires you to hold. Build the ratchet for operating reasons, to know when an agent can be trusted to run alone, and you have built most of what the Article asks for anyway. The operating decision and the compliance decision turn out to be the same decision, made once.
That is the part worth internalizing. Teams tend to treat governance as a tax paid after the useful work is done. Here the artifact that makes the agent safe to scale, the log that proves the track record, is the same artifact the regulator wants to see. You are not doing two jobs. You are doing one and getting the second for free.
How do you build the log in a week?
Start with one task, one owner, and a table. You do not need a governance platform to begin; you need a record honest enough to ratchet on, and a threshold you wrote down before the agent ran.
| Step | What to decide or capture | Why it matters |
|---|---|---|
| Pick one task | The narrowest useful thing the agent does end to end | A narrow task builds a clean log fast; a broad one never clears a threshold |
| Name the owner | One person accountable for the outputs | Article 26's named person, and the one who calls the threshold |
| Write the threshold | The clean-run count and error rate for going unsupervised | Deciding it after the fact is how teams talk themselves into trust they did not earn |
| Log every run | Input, action, outcome, correction yes or no | The track record, and the six-month record the Act asks you to keep |
| Review at the threshold | Read the log and decide from it | The log turns the ratchet; the owner does not override it on a hunch |
The cost of starting is a spreadsheet and a rule, and the payoff compounds. The first task you take through the ratchet teaches the owner what a clean log looks like, and the second one moves faster. This is not a project with an end date. It is the operating rhythm for running agents that act on their own, and the pressure to have it is rising: Gartner projects that task-specific AI agents will be embedded in 40% of enterprise software applications by the end of 2026, up from under 5% in 2025.
Are companies actually ready for this?
Most are not, and they know it. The gap between how many organizations run agents and how many can govern them is the single clearest signal that the ratchet is missing.
McKinsey's State of AI trust in 2026, a survey of roughly 500 organizations fielded across December 2025 and January 2026, found that nearly two-thirds of respondents name security and risk as the top barrier to scaling agentic AI. On the same survey's maturity scale, only about a third of organizations report agentic-AI governance maturity of three or above. Overall responsible-AI maturity rose to 2.3 in 2026 from 2.0 the year before, real movement, and still short of where scaling agents safely would put it.
Put those two numbers together and the shape is clear. Risk is what holds most teams back, and most teams have not built the governance that would answer the risk. The ratchet is a way to close that gap without waiting for a platform or a mandate. Name an owner, pick a task, write a threshold, keep the log. The agents are capable of more autonomy than most companies have granted. What is missing is the record that would make granting it defensible, and that record is a week of work away.
The ratchet decides how much scope an agent earns over time. It still leaves the separate question of where a human belongs in the loop at all, which is worth answering first for any task you are about to start logging.
Frequently asked questions
What decisions should an AI agent be allowed to make without human approval? Only tasks it has run correctly under review enough times to clear a threshold the owner set in advance. Decide the acceptable error rate and clean-run count before the agent runs, log every run, and grant unsupervised scope one task at a time. A fixed risk category is not enough, because it cannot see what the agent has actually proven.
What is an AI agent autonomy framework? It is a rule for deciding what an agent runs without asking first. The autonomy ratchet grants unsupervised scope incrementally: name an owner, start narrow and supervised, set a threshold up front, log every run, and widen scope only after the log clears the threshold. Autonomy is earned per task on evidence instead of assigned once by category.
Does the EU AI Act require human approval for AI agent decisions? For high-risk systems, it requires human oversight by named, competent people and retained logs, under Article 26, rather than approval of every decision. The enforcement deadline for these obligations was deferred to 2 December 2027 by the Digital Omnibus, but general-purpose AI model provider obligations have been in force since 2 August 2025.
Has the EU AI Act deadline for high-risk AI systems changed? Yes. The Digital Omnibus deferred the Annex III high-risk obligations from 2 August 2026 to 2 December 2027, and the Annex I product-embedded obligations from 2 August 2027 to 2 August 2028. General-purpose AI model provider obligations, live since 2 August 2025, were not delayed. Content citing a 2026 high-risk deadline is out of date.
How do you build an audit trail for AI agent decisions? Log every run of the agent: the input, the action it took, the outcome, and whether the owner corrected it. Keep the log for at least six months, which is what Article 26 asks of high-risk deployers. Start with one task and a spreadsheet. That same log is both your evidence for granting autonomy and your compliance record.
Get the framework
The ratchet only works if the human in the owner's seat can read a log and make the call. We wrote up that human side of running agents as a free skill: how to keep judgment sharp when the machine does most of the work, so the owner's review means something. Get the free human-writing skill.
If you would rather not download anything, we write about building and governing AI-native operating models, and you can get the next piece by email.
Sources
- Council of the EU, "Artificial intelligence: Council and Parliament agree to simplify and streamline rules" (7 May 2026). consilium.europa.eu
- EU AI Act, Article 26, obligations of deployers of high-risk AI systems. artificialintelligenceact.eu
- Baker McKenzie, "General-purpose AI obligations" (August 2025). bakermckenzie.com
- McKinsey, "State of AI trust in 2026: Shifting to the agentic era" (n=~500, fielded Dec 2025-Jan 2026). mckinsey.com
- Lorenzo Satta Chiris and Ayush Mishra, University of Exeter, "AURA," arXiv preprint (17 October 2025). arxiv.org/abs/2510.15739
- Maurits Kaptein, Vassilis-Javed Khan, and Andriy Podstavnychy, "Policies on Paths," arXiv preprint (17 March 2026). arxiv.org/abs/2603.16586
- Gartner, "Gartner Predicts 40% of Enterprise Apps Will Feature Task-Specific AI Agents by 2026" (August 2025). gartner.com
By Christopher Kliebenstein. We build and govern AI-native operating models and agent workflows for founders and operators at Kliebenstein AI Studio.