
When AI Acts on Its Own: Agentic AI, Discoverability, and the Governance Record

By Daniel B. Garrie

Agentic AI has moved from demo to deployed infrastructure — systems that pursue goals, call tools, and execute multi-step workflows with limited human supervision. When an agent acts on its own, the hard questions are who is accountable and whether the decision can be reconstructed in discovery. Here is what changes, and the controls litigators and companies should demand.


Most of the AI conversation in litigation has been about generative models that answer a prompt and stop. Agentic AI is a different animal. These systems pursue goals, call tools, query databases, and execute multi-step workflows with limited human supervision. Some are already permissioned to read internal email, access deal rooms, place orders, or communicate with investors and customers. The shift from a model that suggests to a system that acts is the whole story, because it relocates the consequential decision away from a person and into a process that may have no human in the loop at the moment it matters.

That relocation is what creates the legal risk surface. When an autonomous agent does something the company would rather it had not — trades on information it should not have touched, publishes a figure the data does not support, grants access it should have denied — the first questions are not technical. They are who is accountable, and can anyone reconstruct what the agent actually did and why. Both questions are answered by the governance record, or by its absence.

Autonomy does not create an accountability vacuum

The instinct that an autonomous system somehow absorbs responsibility — that no human formed the requisite intent, so no one is on the hook — is wrong as a matter of how the law already works. An AI agent is not a juridical actor. It cannot form intent, hold a duty, or be sued. It is an instrumentality of the company that deployed it, pointed it at an objective, and captured the benefit of what it did. Long-standing agency principles, respondeat superior, and control-person doctrines reach the principal who acts through a tool, and they do not turn on the state of mind of the tool itself.

Enforcement bodies have a parallel path. In the securities context, courts have allowed scienter to be aggregated and imputed to a corporate defendant through the knowledge and recklessness of the humans who designed, deployed, and supervised the instrumentality. A firm that gave an agent access to sensitive repositories without controls, knew or had reason to know its retrieval tooling would sweep that content into the decision surface, and deployed it anyway, can face a recklessness theory built on those deployment choices. And where intent is hard to prove, negligence-based theories — was the company's care reasonable given the autonomy of the tool — remain available and do not depend on locating a culpable mind. The practical upshot for compliance is that a program optimized to defend against intent-based claims may be poorly prepared for the reasonableness inquiry that autonomy invites.

The governance record is the evidence

When the dispute arrives, the contest is over what the company's humans knew, or had reason to know, about an agent's access and capabilities — and that contest is decided on documents. The defensible deployment leaves a record that can be produced. The indefensible one leaves a gap that an adversary will fill with the least charitable inference. Recordkeeping duties, and the discovery obligations that attach the moment litigation is reasonably anticipated, apply to agentic systems the same way they apply to any other source of relevant information.

Frameworks already in circulation give this record its shape. The NIST AI Risk Management Framework is organized around four functions — govern, map, measure, and manage — and ISO/IEC 42001 frames AI governance as a management system rather than a one-off attestation. Both point in the same direction: explainability, traceability, measurement, and documentation are not optional features but governance expectations, particularly for higher-risk deployments. The EU AI Act makes the point concrete by requiring high-risk systems to log events over their lifetime so behavior can be traced. Read together, these standards describe an operational discipline that maps cleanly onto what a litigator needs to prove or disprove after the fact.

What a discoverable agent record looks like

A well-instrumented agentic deployment is both a compliance asset and an investigator's reconstruction tool. The same logs that let an engineer debug the system let a neutral or an expert answer what happened. The pieces that matter most in discovery:

  • Prompt and tool-call logs — the instruction the agent received, each tool it invoked, and the action it took, with timestamps that let you build a timeline.
  • Retrieval records — every data source the agent read and the specific document identifiers it touched, which is how you establish what the system had the ability to know.
  • Access and permission history — what repositories the agent could reach, when those permissions changed, and by whom, since capability changes can expand an agent's reach without altering its nominal role.
  • Drafting and revision lineage — for agents that generate outward-facing statements, the draft history that shows what was produced, what was reviewed, and what was published.
  • Governance artifacts — the AI risk assessment, the system or model card describing purpose and known limits, evidence of testing, the committee approval, and the named accountable owner.

Where these exist, an agent decision is a tractable matter: you can reconstruct it, measure it, and defend or attack it on the record. Where they do not, the company is litigating from a position of self-inflicted opacity, and a model that classifies or acts in ways no human can explain raises the proof burden rather than lowering it.
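As an added illustration (not part of the original article), the sketch below replays decision-level telemetry to answer, for each action an agent took, what it had read and what it could reach at that moment. The JSON Lines schema, field names, agent and repository names are all assumptions, and the log lines are constructed sample data.

```python
import json
from datetime import datetime

# Constructed sample telemetry (JSON Lines); the schema is an assumption.
SAMPLE_LOG = """\
{"ts":"2025-03-03T09:00:00Z","type":"permission_change","agent":"ir-agent","repo":"deal-room","action":"grant","by":"admin.k"}
{"ts":"2025-03-03T09:14:05Z","type":"prompt","agent":"ir-agent","run":"r-17","text":"Draft the investor update"}
{"ts":"2025-03-03T09:14:09Z","type":"retrieval","agent":"ir-agent","run":"r-17","repo":"deal-room","doc_ids":["DR-0042","DR-0051"]}
{"ts":"2025-03-03T09:14:20Z","type":"tool_call","agent":"ir-agent","run":"r-17","tool":"send_email","args":{"to":"investors"}}
{"ts":"2025-03-03T11:30:00Z","type":"permission_change","agent":"ir-agent","repo":"deal-room","action":"revoke","by":"admin.k"}
{"ts":"2025-03-03T12:02:11Z","type":"retrieval","agent":"ir-agent","run":"r-18","repo":"exec-mailbox","doc_ids":["EM-0310"]}
{"ts":"2025-03-03T12:02:30Z","type":"tool_call","agent":"ir-agent","run":"r-18","tool":"publish_figure","args":{}}
"""

def parse_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def reach_at(events, agent, when):
    """Repos the agent could read at `when`, replayed from permission history."""
    reach = {}
    for e in events:
        if e["type"] != "permission_change" or e["agent"] != agent or e["ts"] > when:
            continue
        if e["action"] == "grant":
            reach[e["repo"]] = e["by"]  # keep who granted it
        else:
            reach.pop(e["repo"], None)
    return reach

def reconstruct(events, run_id):
    """One entry per tool call in the run: what was read before it, and reach at that time."""
    run = [e for e in events if e.get("run") == run_id]
    report = []
    for act in (e for e in run if e["type"] == "tool_call"):
        docs = [(r["repo"], d) for r in run
                if r["type"] == "retrieval" and r["ts"] <= act["ts"]
                for d in r["doc_ids"]]
        reach = reach_at(events, act["agent"], act["ts"])
        # A read from a repo with no grant on record is a logging or control gap.
        gaps = sorted({repo for repo, _ in docs if repo not in reach})
        report.append({"tool": act["tool"], "at": act["ts"].isoformat(),
                       "docs_read": docs, "reach": reach, "unexplained_reads": gaps})
    return report
```

On the sample data, run `r-17` reconstructs cleanly, while run `r-18` shows a read from a repository with no grant on record, which is the kind of gap an examiner would ask the company to explain.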

Discoverability and defensibility of agentic decisions

Two related problems follow from autonomy. The first is discoverability: the relevant evidence is now machine-generated telemetry — logs, retrieval traces, configuration history — that lives in places a generic email-and-documents collection will miss entirely. If a litigation hold and collection plan do not reach the agent's logging infrastructure, the most probative evidence in the case may age out under routine retention before anyone asks for it. The second is defensibility: producing the logs is not the same as proving the decision was reasonable. Someone has to interpret the telemetry, connect it to the governance choices the company made, and explain in plain terms why the agent did what it did. That is an expert exercise, and the same Rule 702 discipline that governs any technical opinion governs here — a documented, reliable method applied to the facts, with the limits of the opinion stated honestly.

Controls litigators and companies should demand

Whether you are advising a company before deployment or attacking an opponent's agentic system in litigation, the questions are the same, and they should be asked while the answers are still recoverable.

  1. Map and tier every agent's data access. Inventory each source an agent can read and each action it can take, with particular attention to sensitive repositories — deal rooms, executive mailboxes, draft filings, legal and compliance queues, litigation-hold collections. Controls at the retrieval layer are more robust than policy-level restrictions.
  2. Build a deployment record designed to be produced. A written risk assessment, a system card, evidence of testing, governance-committee minutes, and a named accountable owner are what answer the what-did-the-humans-know question — and they should be created before deployment, not reconstructed after a demand lands.
  3. Log at the decision level and preserve it. Capture prompts, tool calls, retrieved document identifiers, and access changes, and scope the litigation hold to that infrastructure explicitly so it is not overwritten on a routine retention cycle.
  4. Scale human oversight to the agent's autonomy. The more consequential the action — trades, guidance, disclosures, access grants — the stronger the case for human-in-the-loop review of the output before it becomes the company's act by default.
  5. Pin down agentic-AI sources in the ESI protocol. Negotiate the logs, retention, and the role of autonomous tools up front, so disputes are framed before the data disappears rather than litigated after it is gone.
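A minimal sketch of controls 1, 3 and 4 enforced in code, added here as an example and not taken from the original article: the tier check runs in the retrieval function itself, so denied content never reaches the model regardless of what the prompt says, and every allow, deny and held action is logged. The tier values, agent and tool names, and the in-memory index are hypothetical.

```python
from datetime import datetime, timezone

# Hypothetical tiering: higher number = more sensitive. All names are constructed.
SOURCE_TIER = {"public-filings": 0, "crm": 1, "deal-room": 3, "exec-mailbox": 3}
AGENT_MAX_TIER = {"ir-agent": 1}
NEEDS_HUMAN = {"place_order", "publish_guidance", "grant_access"}
AUDIT = []  # decision-level log; a real deployment would write to append-only storage

# Constructed sample index standing in for the real document stores.
INDEX = {
    "crm": [{"id": "C-1", "text": "Renewal terms for account A"}],
    "deal-room": [{"id": "DR-0042", "text": "Merger model draft"}],
}

def _log(kind, **fields):
    AUDIT.append({"ts": datetime.now(timezone.utc).isoformat(), "kind": kind, **fields})

def retrieve(agent, source, query, index):
    """Enforce the tier before any content is returned to the model."""
    tier = SOURCE_TIER.get(source)  # an unmapped source has no tier and is denied
    allowed = tier is not None and tier <= AGENT_MAX_TIER.get(agent, -1)
    if not allowed:
        _log("retrieval_denied", agent=agent, source=source, query=query)
        return []
    hits = [d for d in index.get(source, []) if query.lower() in d["text"].lower()]
    _log("retrieval", agent=agent, source=source, doc_ids=[d["id"] for d in hits])
    return hits

def act(agent, tool, args, approved_by=None):
    """Hold consequential actions until a named human approves them."""
    if tool in NEEDS_HUMAN and approved_by is None:
        _log("action_held", agent=agent, tool=tool, args=args)
        return "held_for_review"
    _log("action", agent=agent, tool=tool, args=args, approved_by=approved_by)
    return "executed"
```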

The accountability does not diffuse just because the decision was automated; if anything, automation concentrates responsibility within the organizational processes that built and supervised the system. The companies that fare best are the ones that treated governance as an operational discipline and left a record, not the ones that waited for litigation to define the minimum acceptable practice.

The bottom line

Agentic AI does not rewrite the rules of accountability, discovery, or expert proof — it tests them, and it raises the stakes for the governance record because the consequential decision now happens without a person in the room. The firm deploying the instrumentality is unlikely to escape that analysis, and the case will turn on whether anyone can reconstruct what the agent did and show that the controls around it were reasonable. If you are deploying autonomous agents, or facing a dispute that turns on what one of them decided, the preservation and forensic window is short. You can start a scoping conversation through our home page or email the team directly to discuss a conflict check and approach.


Daniel B. Garrie has served as an eDiscovery expert, Special Master, and discovery referee in 100+ courts and tribunals nationwide. Send the matter name, jurisdiction, and key dates for a prompt conflict check and a scoping conversation.