A board paper can make an agent look calmer than it is.

The diagram is usually tidy. A user asks a question. The agent retrieves context, calls a tool, checks a policy, asks for approval, and records the output. There is a human in the loop somewhere near the end, and a steering committee somewhere near the top.

Then someone asks a smaller question.

If the agent makes the wrong operational commitment at 2.14 pm on a Tuesday, whose decision was that?

Not who built it. Not who sponsored the pilot. Not which committee saw the strategy paper, or which vendor supplied the model. Whose decision was the action? Who had the authority to let the agent act, who accepted the residual risk, who could pause it without convening a new forum, and who would answer afterwards?

That is D6 — Decision Rights and Accountability in the framework. It sits in the Responsible and Agentic AI pillar because autonomy changes the shape of governance. A dashboard can inform. A copilot can recommend. An agent can do. Once a system can take an action inside a workflow, accountability has to resolve to a named human or role before the agent runs.

I have watched organisations get this nearly right and still miss the hard part. They create an AI council, publish a RACI, name a business sponsor, and declare that technology owns the platform while the business owns the outcome. But when the question becomes deploy, expand, pause, reverse, compensate, report, or defend, the neatness often breaks. The named owner owns a budget. The committee owns endorsement. The risk function owns challenge. The vendor owns a service level. The agent owns nothing.

Decision rights are useful because they expose that gap. They are not useful when they become a pre-built catalogue of forums, RAPID entries, and laminated approval matrices. That is the anti-pattern. A finished matrix can look mature while hiding the only question that matters: where does an autonomous action fail to resolve to an accountable person before it happens?

D6.1, the AI decision-rights inventory, should therefore be treated as a diagnostic instrument. It asks which AI-enabled decision classes exist and what authority each one needs: deploy, expand, change autonomy, change model or data source, accept residual risk, pause, resume, retire, reverse, and escalate a case that should no longer be handled by the agent.

This is not a request to build a universal matrix and force every use case through it. It is closer to tracing. Pick a material decision class from the D2.3 portfolio register. Bring in the D5 autonomy and blast-radius design. Add the D7 risk tier when the AI impact assessment has done its work. Then ask whether the authority path is visible. If the decision class is vendor-embedded or SaaS-enabled, include it.

The operating model’s job is to make the missing mapping visible. It is not to hand the organisation a finished accountability matrix as if governance were a stationery problem. In a bank, an insurer, a health system, a retailer, and a university, the same diagnostic may point to different answers. The maturity claim is not that one structure is correct. It is that the organisation can see which structure is carrying which action.

That role-neutrality matters in the leadership debate as well. Some organisations will appoint a CAIO and give the role enough authority to matter. Others will extend the CIO, CDO, CTO, CRO, or product-accountability model. Others will use CEO-direct committee sponsorship. Any of those paths can work. None works if accountability remains a fog around the phrase AI owner.

D6.2 is where the deflections have to stop. When an AI outcome harms someone, breaches a process, creates a financial exposure, or makes a regulated workflow harder to defend, the organisation will be tempted by several evasions. The model did it. The vendor did it. The human approved it. The system only advised. The decision was low risk until the edge case arrived.

A mature accountability framework does not pretend those questions are simple. It names who owns outcome quality, residual risk acceptance, harm response, vendor escalation, evidence integrity, and the decision when the system’s action has to be explained. Some risk may be retained internally, transferred through vendor terms or insurance, or left uncovered and explicitly accepted. Insurance brokers, underwriters, legal counsel, and finance specialists determine coverage, indemnity interpretation, reserves, and notification timing. The operating-model question is whether those categories are visible before the incident.

This is where APRA’s CPS 230 and the Financial Accountability Regime matter for prudential organisations. CPS 230 is an operational risk standard. It pushes critical operations, disruption tolerances, material service provider management, and operational-risk accountability into a board-visible discipline. FAR maps senior management responsibilities to named accountable persons across the prudential perimeter. Neither should be waved around as an AI governance slogan. Together, they reinforce a principle that agentic AI makes harder to avoid: accountability has to be assigned before operational failure, not title-shopped afterwards.

Specialist regulatory counsel determines how CPS 230, FAR, and related prudential obligations apply to a particular entity, accountable person, service provider, event, or notification pathway. Risk committees and accountable persons carry that accountability; from the consulting seat, the honest work is to make sure the operating model gives them a clean enough evidence trail to exercise it. That work does not include pretending that a framework author can adjudicate FAR accountability from outside the entity.

D6.3 then asks whether pause and override authority is real. A board can have the right to stop a material AI workload in principle and still be unable to stop it in practice. The authority holder may not have system access. The runbook may depend on one engineer. The vendor path may be slower than the operational clock. D4.5 owns much of the technical resilience. D10 owns detection and incident response. D6 owns who decides what happens when thresholds are crossed.

The evidence is not a policy sentence. It is a drill, a log, a timing record, a failed-control remediation, and a communication trail where customers or employees are affected. It is the difference between a pause right and a pause capability.

The same discipline applies to redress, which is the work of D6.4. Contestability is not a mailbox with the word AI in front of it. Reversibility is not confidence that someone in engineering can unwind the workflow. A decision class that affects access, pricing, employment, credit, service eligibility, safety, or a material operational outcome needs a designed path for challenge, explanation, correction, reversal, re-processing, compensation where appropriate, and human review. Privacy counsel determines Privacy Act transparency and phased commencement questions. Discrimination law specialists determine protected-attribute analysis. The operating model owns the trace.

D6.5 is the evidence layer that keeps all this from becoming performance. Board reporting should not be a celebration of AI adoption. It should show decision quality: material AI decision volumes, exception rates, meaningful human intervention, pause events, redress outcomes, unresolved high-risk issues, AIA status, vendor-agent exceptions, and material incidents. The board does not need telemetry soup. It needs reporting that can challenge management and change a decision.

This is why D6 depends on the earlier posts in the series. D2 gives the portfolio register and criticality. D3 gives data and output attribution. D4 gives the platform and resilience layer. D5 gives the agent architecture and autonomy class. D6 turns those inputs into a harder governance question: now that the system can act, who is allowed to let it act, stop it, and answer for what it did?

The dependency map matters because accountability cannot be bolted on at the end. If the autonomy class is unclear, decision rights blur. If the register is incomplete, vendor agents disappear. If attribution is weak, redress becomes theatre. If board reporting is narrative-heavy, directors receive comfort instead of challenge.

I would not start D6 by designing a better committee.

I would start with one material agentic decision class already close to production and trace the action until the named human disappears. That disappearance is the work.