The AI agent operating inside your tools did not wait for your governance framework. When a vendor ships an agent as a feature and someone switches it on, the click becomes your policy, unless a named human decided otherwise.
Mercury recently launched Command, an AI agent that drives financial work end to end (creating cards, paying bills, summarizing spending), across its business accounts and now its personal accounts. Read Mercury's own copy and the governance question is sitting right in it. One line promises "your finances can now take care of themselves." The next promises "every action Command takes is reviewed and approved by you. You stay in control at every step." Both, at once.
Those two are in tension, and the gap between them is the whole issue. If the pitch is that your finances take care of themselves, the per-action approval quietly becomes the button you click to keep the hand-off moving. "You stay in control at every step" holds only if a human at each step is actually deciding, not rubber-stamping a flow sold as automatic.
And the dashboard is not the only door. Alongside Command, Mercury shipped a command-line interface built for "you and your agents" to perform write actions like payments and chain them into agentic workflows. The careful per-action review lives in the app. The programmatic agent path is a different surface with a different risk profile. Most organizations have a position on neither.
That is the new category of governance exposure. Not the AI your employees discovered and adopted without telling you. AI that arrived inside products you already use, shipped as a feature, switched on through a product update, operating now.
The pattern runs across industries. Harvey arrived inside law firms that enabled it for efficiency. Clinical AI tools document patient encounters at hospitals that turned the feature on because it was already in the product they owned. Payroll, accounting, CRM: AI capabilities ship as updates, presented at login, accepted with a click.
The vendor is doing what vendors do, shipping capability to the customers who contracted for the platform. The person who enables it is doing what principals do, keeping the business moving. Neither act is wrong. Neither produces a governance policy. That is a third thing, and it belongs to neither party's default behavior. It belongs to the organization. Which means if no one in the organization did it, it did not happen.
The questions are the ones AI always raises. What data does the agent reach? What can it do on its own, and what still requires a human to decide? Who is accountable when it gets one wrong? What is the escalation path? These are not questions the product is built to answer for you. They are what your governance framework is supposed to answer before you switch the product on. Most organizations do not have one. So the agent's scope, its data access, and its approval logic become the organization's de facto policy on that domain. Not because anyone decided that. Because no one decided anything else.
The inventory question has not changed: where is AI operating inside your organization, and who is the named human answerable for it? Vendor-side agents add a second one the internal ones never did: what did you actually authorize when you clicked yes, and does your organization have a position on it?
Most do not. The click already happened. The policy is already in force. The only question left is whether anyone has read it.