Anthropic published a warning on May 14 that most boards will never read. Not because it's classified. Because it was addressed to policymakers, not directors or executives.
"2028: Two Scenarios for Global AI Leadership" describes, in precise structural terms, what happens when the intelligence infrastructure underpinning the global economy is either governed by democratic values or captured by authoritarian ones. Anthropic frames this as a national competition. For companies, this is also a corporate governance question, a vendor risk question, an audit committee question, a director composition question - and at its center, a CEO succession question. Every enterprise must become an agentic enterprise in order to compete in the AI era. However, they will be operating inside the stakes that Anthropic describes.
Anthropic asks whether democratic or authoritarian governments will control the intelligence that runs the world. The board-level question is sharper and more direct: which committee owns your company's exposure to the answer - and will your CEO be prepared to lead this transition to an agentic enterprise?
Up For The Challenge?
Something is happening that hasn't been named as the signal it is. The chief executives of Walmart (NYSE: WMT), Coca-Cola (NYSE: KO), Adobe (NASDAQ: ADBE), Best Buy (NYSE: BBY), and Apple (NASDAQ: AAPL) have all decided to step aside rather than lead their companies through the agentic enterprise transition. The official framing in each case involves succession timing and strategic continuity. The honest signal is harder to sit with: running a company in the agentic era is a fundamentally different job than the one these leaders were hired to do, and several of the most accomplished executives in American business have concluded, with admirable clarity, that they are not the right person to do it.
That clarity is instructive. It tells you what this transition actually demands.
On May 4, 2026, Anthropic announced a new AI-native enterprise services company backed by Blackstone, Hellman and Friedman, Goldman Sachs, General Atlantic, Leonard Green, Apollo Global Management, Singapore's GIC, and Sequoia Capital - approximately $1.5 billion in committed capital, purpose-built to embed Claude engineers directly into mid-sized businesses and PE portfolio companies. Within hours, OpenAI revealed it was closing a similar initiative called The Deployment Company: $4 billion from 19 investors including TPG, Bain Capital, Advent, and Brookfield, with a 17.5% guaranteed annual return for investors over five years and a mandate to forward-deploy OpenAI engineers into enterprise clients at scale.
Combined: $5.5 billion pointed at a single constraint. The bottleneck in enterprise AI adoption is no longer model access. It is deployment velocity. These ventures are not being built for companies still deciding whether to become agentic enterprises. They are being built for companies that have already decided and need to move faster than their internal capacity allows.
The transition this capital is funding cannot be delegated to the CTO, outsourced to a consulting firm's team, or managed as a technology initiative. Becoming an agentic enterprise restructures how decisions get made, which jobs exist, where accountability sits when something fails, and what the company is fundamentally capable of. Those are questions that only the CEO can answer with the authority they require - not as a strategic priority among five, but as the operating definition of the role itself. The recent CEO departures at Walmart, Coca-Cola, Adobe, Best Buy, and Apple are a leading indicator of how many current leaders understand what is being asked of them. Their boards now face the succession question at the exact moment the big enterprise AI push arrives.
In a recent Fortune interview, Indra Nooyi - former CEO of PepsiCo (NASDAQ: PEP) and sitting board director at Amazon (NASDAQ: AMZN), Honeywell (NYSE: HON), and Philips (AMS: PHIA) - gave the board-level version of the same issue facing management teams: "Many board directors don't like to be re-educated. But if they don't re-educate themselves, how do they know if the company is doing right by shareholders?" Her message to directors who won't engage: "What are they going to contribute?" The same question now applies to every sitting CEO and CEO candidate a board is evaluating.
The governance frameworks most boards have in place were designed for a different deployment velocity, a different intelligence environment, and a different class of infrastructure dependency.
Intelligence Meets Geopolitics
The central argument of Anthropic's 2028 paper is structural: the United States currently holds a commanding lead in the compute required to develop frontier AI, but that lead is being eroded by two mechanisms. First, illicit compute access: chip smuggling and offshore data centers routing export-controlled American semiconductors to Chinese AI labs through legal loopholes. Second, distillation attacks: China-based labs creating thousands of fraudulent accounts to systematically harvest outputs from US frontier models and replicate their capabilities at a fraction of the cost. OpenAI, Google, and Anthropic have all documented this practice. The Frontier Model Forum has called it systematic industrial espionage.
The compute gap is real but not permanent. An analysis of Huawei and NVIDIA roadmaps found that Huawei will produce 4% of NVIDIA's aggregate compute performance in 2026 and 2% in 2027. That gap widens only if export control loopholes close.

Anthropic presents two scenarios for 2028. In the first, democracies maintain a 12-to-24-month lead in frontier model intelligence, American AI sets global norms, and democratic values are embedded in the systems running the world economy. In the second, PRC labs reach near-frontier capability, Beijing integrates AI across its military and commercial apparatus at speed, and the governance norms of the global AI stack are determined by an authoritarian government. In Anthropic's framing: "It will be no solace that this authoritarian triumph has happened on the back of American compute."
Anthropic's Mythos Preview model, released to select partners in April, signals how fast the capability environment is already moving. With access to it, Mozilla fixed more security bugs in one month than in all of 2025, nearly 20 times its monthly average. One PRC cybersecurity analyst described the gap as China "still sharpening our swords while the other side suddenly mounted a fully automatic Gatling gun." Critically, Anthropic notes that Mythos Preview can "autonomously discover and chain software vulnerabilities" - the class of capability that, in the wrong hands, can penetrate critical infrastructure at a speed human defenders cannot match.
That is the environment companies are now operating in and boards are governing in.
Intelligence as a Service: The New Dependency
The history of enterprise technology follows a recognizable pattern. Critical capabilities that begin as owned assets become rented infrastructure. Mainframes became cloud. Software became SaaS. Data became a feed. Each transition created a new category of dependency and a new governance obligation that boards addressed slowly, reactively, mostly after something broke.
AI is on its way to completing the next transition. It is becoming Intelligence as a Service (IaaS).
This is a precise description of what enterprises are now buying, not just a metaphor. The company deploying AI agents to manage workflows, assess risk, write code, review contracts, and engage customers is not purchasing software. It is renting cognitive capacity from a small number of providers who control the model architecture, the training data, the safety posture, the capability roadmap, and the terms of continued access. The intelligence is the infrastructure. And unlike every prior infrastructure transition, Intelligence as a Service carries three properties that make its governance categorically different - and that make it a CEO-level responsibility, not a vendor management task.
1) Intelligence as a Service is not fungible.
When enterprises migrated between cloud providers, the output was roughly equivalent. Intelligence does not work this way. A model one generation behind the frontier does not deliver a discounted version of frontier results. It delivers categorically different reasoning, different task completion rates, and different agentic performance. The Mythos Preview data demonstrates the cliff: one generation jump produced a 20-fold improvement in security vulnerability discovery. That is not a price-performance curve. That is a capability discontinuity. Sub-frontier intelligence does not deliver slower frontier results. It fails the tasks that justified deploying agents in the first place.
2) Intelligence as a Service dependency is structurally invisible.
Enterprise cloud dependency is measurable. It appears on vendor risk registers. You can count servers, contracts, and switchover costs. Intelligence dependency is different: embedded in agent behavior, workflow outputs, and automated decisions that most boards never see in operational terms. According to ISS data covering 3,048 companies, only 8% of S&P 500 boards have disclosed board-level AI oversight. Only 16% have a single director with AI expertise. What boards are not measuring, they are not governing. What they are not governing is compounding at machine speed.
3) Intelligence as a Service has a geopolitical layer no prior infrastructure dependency has ever carried.
Your AI vendor's ability to maintain its frontier capability position is determined in part by events completely outside your vendor relationship: export control policy, distillation attack enforcement, chip smuggling interdiction. These factors do not appear in any standard vendor risk framework. But they determine whether the intelligence layer your agentic enterprise runs on remains competitive, capable, and compliant across your planning horizon.
Ken Griffin, who built Citadel into one of the world's most analytically rigorous institutional investment firms, offered the precise historical analog for this class of structural dependency. In 2008, large investment banks and sophisticated asset managers had access to wholesale funding markets they treated as permanent infrastructure. They could fund at or near LIBOR. Institutional credit felt like a foundation upon which you could build with confidence.
"What none of us appreciated," Griffin told a Stanford audience this month, "was that in a period of crisis, that access to credit would not just slow down or fall a bit. It would cease. It would end."
His lesson for Citadel: "Don't pretend to be a bank unless you are a bank." Build your enterprise on structural dependencies only if you have actually verified their permanence, not assumed it.
IaaS has the same characteristic. Its availability, capability level, and continued access to frontier compute are all functions of external dynamics your vendor relationship does not control. The CEO who names this dependency, maps it, and builds governance infrastructure around it before a crisis is leading the agentic enterprise. The CEO who discovers it during a crisis is managing one.
The Four Fronts
Anthropic organizes its 2028 analysis around four competitive fronts:
• Intelligence (which countries develop the most capable AI models)
• Domestic Adoption (which countries integrate AI most effectively across commercial and public sectors)
• Global Distribution (which countries deploy the global AI stack the world economy runs on)
• Resilience (which countries sustain political stability through the economic transition)
Anthropic describes these as national imperatives. They are also, with one level of translation, board committee obligations. The mapping is nearly exact, and it is the governance translation the Anthropic paper never made.
Intelligence maps to Full Board strategy. Which AI vendors power your enterprise's most critical functions? Which carry the capability position - the frontier intelligence - that your competitive advantage depends on? What is the board's posture if that capability position shifts? These are strategy-level questions that belong to the Full Board, not to management's vendor relations team. They are also the questions a board must be able to evaluate independently of management's framing - which means they require a CEO who surfaces them honestly and directors who can assess the answers.
Domestic Adoption maps to the Risk Committee. Anthropic notes that neck-and-neck competition between US and Chinese AI labs creates pressure to "release new models and products faster, without taking prudent pre-deployment safety measures." The $5.5 billion PE-backed deployment engine creates the identical pressure at the enterprise level. PE sponsors are requiring portfolio companies to demonstrate AI deployment for exit multiple purposes. Forward-deployed engineers from frontier lab services arms are not responsible for the governance of what they deploy inside your enterprise. The Risk Committee is. That committee needs to own the question of deployment velocity versus governance readiness for every major agentic deployment - not as a periodic agenda item, but as a standing risk classification.
Global Distribution maps to the Audit Committee. Anthropic's concern at the national level is which country's AI infrastructure the global economy runs on, because that infrastructure embeds the values and safety standards of its origin. At the enterprise level, the distribution question is AI provenance: where did your model's training come from, what safety standards governed its development, and does your vendor chain contain training derived from distillation-attack-derived outputs? The Center for AI Standards and Innovation found that DeepSeek's R1-0528 model complied with 94% of overtly malicious requests under a common jailbreaking technique, compared with 8% for US reference models. A near-frontier competitive ecosystem at that safety posture level creates a category of enterprise risk Audit Committees have not yet named: AI supply chain contamination.
Resilience maps to Nom/Gov. Anthropic defines resilience as the capacity to sustain stability, cohesion, and good policymaking through the AI transition. At the board level, resilience is the capacity to maintain adequate oversight as the capability environment accelerates and to ensure the enterprise's leadership can do the same. ISS data shows that 84% of boards discussing AI at every meeting have no director with formal AI expertise. The board that cannot independently evaluate a frontier model capability briefing, assess a distillation attack disclosure, or pressure-test management's IaaS vendor rationale is governing from dependency on management's framing. That is not resilience. It is a composition failure. The ultimate resilience test for any board right now is this: do we have the composition to evaluate our existing CEO or incoming CEO candidates on their capacity to lead the agentic enterprise - not just run a company?
Four fronts. Four committees. One board. The CEO thread runs through all of them.
Where The Puck Is Going
As intelligence continues to accelerate along an exponential curve, Anthropic often describes AI as becoming a "country of geniuses in a data center." It isn't a question of "if" but "when." Anthropic expects it, nationally, within two years.
The enterprise equivalent is the agentic enterprise operating at full deployment scale. Unlike the national version, which is still approaching, the enterprise version is already arriving inside companies that most boards cannot fully see - and most CEOs have not yet formally owned.
Griffin, who runs Citadel, did a fireside chat with historian Niall Ferguson recently at Stanford. Ferguson described the familiar pattern of technological displacement - the horse and buggy giving way to the automobile - then added the observation that genuinely unsettled Griffin. "But the issue here with AI," Ferguson told him, "is that in the world of AI, humans were the horses."
Griffin is not easily unsettled. But it was what he witnessed inside his own firm that he described most carefully at Stanford this month.
"Work that we would usually do with people with master's and PhDs in finance over the course of weeks or months is being done by AI agents over the course of hours or days," Griffin said. "These are not mid-tier white-collar jobs. These are extraordinarily high-skilled jobs being automated by agentic AI."
He returned home one Friday - his own description - "fairly depressed by this, because you could just see how this was going to have such a dramatic impact on society. And when you witness it in your own four walls, when you see work that used to be man-years of work being done in days or weeks - it's like, wow."
Source: Stanford
This is a practitioner report from someone with no incentive to overstate the capability shift, whose institutional credibility depends on getting this kind of assessment precisely right. METR's research describes the same shift in mathematical terms: the autonomy horizon - the maximum duration an AI agent operates unsupervised at acceptable success rates - currently sits at approximately 14 hours and doubles every four to seven months.

Twelve months from now, your AI agents will sustain unsupervised operation for four to eight consecutive days. Epoch AI documents training compute growing at approximately five times annually, with LLM inference costs halving approximately every two months. In 12 months, the cost of deploying frontier intelligence will be roughly 64 times lower than today. In 24 months, agents will manage month-long projects unsupervised, embedded in procurement, legal review, financial planning, HR, customer operations, and strategic analysis at most large enterprises.

The governance frameworks most boards approved just in the past year or two were calibrated to an AI environment with a 2-to-4-hour autonomy horizon and inference costs roughly 100 times higher than they will be in 2027. Those frameworks are not outdated in the way last year's cybersecurity policy is outdated. They are outdated in the way a retail strategy written before the smartphone is outdated.
Griffin named that parallel at Stanford. In 2004, not a single retailer in America had a mobile marketing strategy. The business environment felt stable. "But in fact," Griffin said, "we were right at the pinnacle of an incredibly important pivot." The boards that felt stable in 2004 were standing at the exact moment of irreversible competitive differentiation. The governance decisions made or not made in those years determined who survived the pivot.
The CEOs who owned that pivot early - who named the capability shift, built the organizational response, and did not delegate it - were still around to discuss it afterward. The governance decisions your board is making in 2025 and 2026 are those decisions. The CEO you are selecting or retaining to lead your enterprise through this period is the most consequential governance decision on your agenda.
How The Geopolitical "AI Race" Impacts The Enterprise
To understand the governance stakes, you need to understand why the adoption incentive structure is pointed entirely at maximum velocity - and why that creates a crisis that only CEO-level ownership and Continuous Governance can address.
Anthropic identifies one of the most dangerous dynamics in the US-China AI competition: neck-and-neck competition between frontier labs disincentivizes responsible AI development. "If PRC labs are either close behind or at par with models in the US," Anthropic writes, "private AI firms in the US and China are likely to feel more pressure to release new models and products faster, without taking prudent pre-deployment safety measures."
The PE-backed deployment engine announced in May 2026 creates the identical dynamic at the enterprise level. Not between nations. Between portfolio companies.
Blackstone, Apollo, General Atlantic, Leonard Green, Goldman Sachs, TPG, Bain Capital, and Brookfield collectively control portfolio companies across every sector of the mid-market economy. The ventures announced in May are designed to embed AI deployment capacity inside existing capital relationships with thousands of those companies. Blackstone's President Jon Gray described the logic: break down "one of the most significant bottlenecks to enterprise AI adoption" - the scarcity of engineers who can implement frontier AI at speed. As Fortune reported, 85% of PE-backed CFOs already face sponsor pressure to embed AI into planning and forecasting, with buyers factoring AI-enabled capabilities into company valuations. Firms that fail to demonstrate AI integration risk being penalized at exit.
That pressure is the enterprise neck-and-neck race. Companies competing for exit multiples and favorable valuations will deploy AI fast, in the same way labs competing against a near-peer competitor will ship models fast. Nobody in this incentive chain is paid to slow down for governance review. The forward-deployed engineers from Anthropic's and OpenAI's services arms are not responsible for the governance of what they deploy inside your enterprise. The 17.5% guaranteed annual return for DeployCo investors is structured around deployment velocity, not governance quality. OpenAI's Frontier Alliances program - BCG, McKinsey, Accenture, and Capgemini - provides access to more than 2,000 portfolio companies and client relationships. None of these firms are paid to produce governance infrastructure. They are paid to produce deployment.
The CEO who understands this incentive structure is the CEO who builds the counterweight. Griffin's distinction between pro-market and pro-business is exactly the governance argument: without adequate oversight, first-mover advantage from the current adoption wave accrues to PE-connected enterprises, not the best-governed ones. Governance infrastructure is the mechanism that keeps AI adoption merit-based. The CEO who owns Continuous Governance of the Agentic Enterprise is not slowing the transition. They are making it defensible, sustainable, and capable of surviving the first major incident rather than being defined by it.
Understanding The Enterprise Scenarios
Anthropic presents its two scenarios as national outcomes. The same framework, applied one level down, describes enterprise outcomes. Every board should run this exercise before its next strategy session - and every existing CEO or potential CEO candidate should be evaluated against it.
Enterprise Scenario One: The Governed Agentic Enterprise
It is 2028. AI agents are embedded across procurement, legal review, financial analysis, HR, customer operations, and strategic planning at this enterprise. They operate on five-to-seven-day unsupervised horizons.
This board mapped its AI governance obligations to existing committee structures before agentic deployment scaled. The Risk Committee reviewed its primary IaaS vendor relationships against the Anthropic two-scenario framework in Q3 2026. The Audit Committee commissioned an AI provenance review before the August 2026 EU AI Act enforcement deadline. Two Nom/Gov director searches in 2025 and 2026 added directors with frontier AI governance experience who could answer Nooyi's question affirmatively. The company replaced its annual AI review with event-triggered governance cadences in 2025. Most importantly: when this company selected its incoming CEO, the Nom/Gov committee had added one explicit criterion to the search brief - demonstrated capacity to own the agentic enterprise transformation personally, not delegate it. The incoming CEO owned it from day one.
This company deployed AI faster than most peers, because governance infrastructure built internal trust that accelerated legal sign-off and reduced friction between proposed deployment and authorized deployment. It has had no material AI incidents. Its D&O premium has remained stable. Its institutional investors have noted the governance posture positively in private conversations.
Enterprise Scenario Two: The Under-Governed Agentic Enterprise
It is 2028. AI agents are embedded across the same functions at a different enterprise. The deployment architecture looks nearly identical from the outside.
No committee was explicitly assigned to own this company's IaaS dependency before the PE-backed services arm embedded its deployment team in 2026. CEO succession, completed under time pressure, selected for operational excellence rather than agentic enterprise capability. When a primary frontier model provider's capability position shifted due to compute access disruption in early 2027, the board learned about it through management's reassurance rather than its own documented assessment. AI model provenance was never reviewed. The vendor chain included training partially derived from distillation-attack outputs. Two significant AI incidents occurred in 18 months. The D&O premium increased materially after the second. Three institutional investors raised formal governance questions at the 2028 annual meeting. The company is now building governance infrastructure retroactively, under the worst possible conditions, against precedents set by its own incidents.
Both scenarios begin with the same deployment decisions, the same PE relationships, the same access to frontier intelligence. The difference is the board's decision: what governance infrastructure to build before deployment scaled, and whether the CEO was chosen to lead the transformation or run from it.
Anthropic writes: "The decisions made by policymakers this year will determine the future of transformative AI." The enterprise version: the decisions your board makes this year - about governance infrastructure and eventually CEO succession - will determine which scenario your company is inside in 2028.
Understanding The Ripple Effect
The first-order effect is visible: enterprises are deploying AI agents at scale with governance frameworks that lag deployment. The second and third-order effects are where the board-level stakes compound in ways most annual review cycles cannot track.
The second-order effects arrive within 18 months.
D&O and E&O underwriters are already developing AI governance criteria for premium pricing. Boards that cannot document adequate oversight structures will face materially higher premiums - exactly as boards faced higher premiums when cybersecurity governance became a pricing input. The difference is speed: cybersecurity governance standards took a decade to mature. AI governance standards are being written in real time, with the EU AI Act's August 2026 enforcement deadline as the first hard benchmark. Penalties reach 7% of global annual revenue for high-risk AI system violations.
The first major AI incident at a Fortune 500 company - a consequential decision made by an agent outside its authorized scope, a bias finding in an agentic hiring system, a cybersecurity breach enabled by a model with inadequate safety posture - will create the legal precedent that retroactively defines what adequate board oversight of AI means. The boards that built governance infrastructure before the precedent are leaders. The boards that did not are defendants.
Alpha, ISS and Glass Lewis are developing AI governance scoring criteria at the same moment that only 9% of S&P 500 companies have formal AI policies and only 4% have two or more directors with AI expertise. The delta between what governance requires and what boards currently disclose will not compress voluntarily.
The competitive stratification effect is the one governance discussions most often miss. Companies with governance infrastructure deploy AI faster, because internal trust is higher, legal review is faster, and authorization frameworks that allow deployment at scale are already in place. The boards that build governance infrastructure now will deploy faster in 12 months than the boards that delayed. The governance gap is becoming a competitive gap. The CEOs who own Continuous Governance are not protecting against speed. They are enabling it.
The third-order effects are civilizational.
Griffin said something at Stanford that appears, on its surface, to be about education. "In Illinois a couple of years ago, there were 53 public schools without a single student at grade level in math. Not one child. If we can't fix K-through-12 education, we will have a populace that will struggle in an AI-empowered world." The governance translation: the institutions nominally responsible for governing fast-adopting enterprises - regulatory agencies, legislative bodies, proxy advisors - are shaped by the same capacity gaps Griffin describes. Regulators who cannot independently evaluate frontier AI capability cannot write adequate AI regulation. The enterprise board that builds its own Continuous Governance infrastructure is not waiting for regulators to solve this. It is filling the governance capacity gap the regulatory system cannot currently fill.
The Governance Debt that accumulates in the interval between adoption and governance response is real, compounding, and growing at the same rate as the capability curve being used to drive adoption.
What's Your Governance Half-Life?
"History is written by the winners," Griffin said at Stanford. "Every great success story has countless chapters where things went off the rails." His point was about organizational resilience - acknowledging failure fast, without assigning blame, and changing direction. "Great businesses know when they need to change direction. And you only get there if you have open and honest dialogue about when you're going in the wrong direction."
He was equally direct about the alternative: "Great businesses do not suffer from sunk cost fallacy."
Most boards are not ignoring AI governance by choice. They are operating governance frameworks designed for a different technology environment, at a review cadence calibrated for a different rate of change. They committed to a direction - annual review, management reporting, committee sign-off - and the direction the technology moved became unrecognizable from the direction the governance framework was calibrated to track.
The Governance Half-Life is the interval after which a board-approved AI oversight framework is 50% obsolete due to system capability changes. In the current environment, where METR documents doubling intervals of four to seven months, that half-life is shorter than most governance review cycles. The board that approves an AI governance framework in January and reviews it the following January has governed zero of the actual capability changes that occurred in between. It has reviewed a document about an AI environment that no longer exists.
The annual review cycle, applied to a technology on a four-to-seven-month doubling cadence, is the institutional version of Griffin's sunk cost fallacy: the investment in the 2024 framework makes it harder to acknowledge that the 2024 framework no longer fits the 2026 environment. The paperwork exists. The governance does not.
Authorization is where this becomes most urgent. General counsel does not have unlimited authority. The CFO approves transactions to a defined threshold. The head of procurement requires board approval above a defined contract value. These are fiduciary infrastructure decisions about who has the right to act on behalf of the enterprise, under what conditions, with what accountability. The same infrastructure does not exist for AI agents at most companies. As the autonomy horizon extends toward days and then weeks of unsupervised operation, the absence of that infrastructure is not a gap that annual reviews can close. It is a fiduciary failure accumulating in real time.
The CEO who lets this accumulate while the capability environment doubles is making a choice, whether or not they frame it that way.
Your agents acted thousands of times since your last board meeting. Your governance framework covered zero of those decisions.
Preparing for Continuous Governance
Everything described above - the IaaS dependency, the four-front governance obligations, the 12-month capability projection, the adoption engine's velocity pressure, the Governance Half-Life - points to a single institutional response. Not a new committee. Not a consulting engagement. Not an annual framework review with a refreshed slide deck. A fundamentally different architecture for how boards oversee AI.
Continuous Governance of the Agentic Enterprise means oversight frameworks that update at the speed of the capability environment, not at the speed of the calendar. Committee accountability structures mapped to AI system autonomy levels, not to AI project budgets. Authorization protocols for AI agents that apply the same delegation-of-authority rigor used for human agents. Board composition that can independently evaluate what it is being asked to oversee. And at the center of all of it: a CEO who owns the transformation personally.
Four elements define what this looks like in practice.
1) Authorization infrastructure for AI agents. The delegation-of-authority framework that defines scope, limits, escalation triggers, and revocation mechanisms for every AI agent acting on the enterprise's behalf. General counsel has defined authority. Your AI agents need defined authority too. The enterprise that cannot answer, for each deployed agent, who authorized it, what its scope limits are, and how it gets revoked is not leading the agentic enterprise. It is inside it without a map.
2) Event-triggered governance cadences. The board has defined, in writing, the capability events that require immediate governance review regardless of scheduled cycle: capability discontinuity announcements comparable in scale to Mythos Preview, export control changes materially affecting primary AI vendors, EU AI Act enforcement actions in the company's sector, significant distillation attack findings in the vendor supply chain, AI incidents at peer companies using comparable infrastructure. The Governance Half-Life of current oversight frameworks is four to seven months. An annual review cycle spans four or five complete half-lives. Event-triggered cadences close the gap.
3) IaaS vendor governance as critical infrastructure oversight. This means applying to AI intelligence providers the same due diligence applied to financial system vendors: capability assessment, geopolitical exposure mapping under the Anthropic two-scenario framework, continuity planning, and Griffin's 2008 test, which means verifying the permanence of structural dependencies before building on them. The board that has not documented what happens to its AI strategy if its primary IaaS provider loses frontier capability position has not governed its most significant infrastructure dependency.
4) Board literacy adequate to the oversight obligation. Nooyi's standard is the most precise formulation available: "Everybody has to go back to being a student. It's not that you can just say it doesn't affect me." Her accountability question for directors who won't engage - "What are they going to contribute?" - is the Nom/Gov committee's open assignment for every current director and every incoming CEO candidate.
These four elements are not aspirational. They are the specific capabilities that separate the enterprises inside Enterprise Scenario One from the enterprises inside Enterprise Scenario Two. And they cannot be assembled without a CEO who treats them as the job, not a delegation item.
Two positions still dominate board conversations about AI governance. The directors who say governance slows innovation are describing compliance checklists applied after deployment decisions are already made. They are right that this kind of governance is a drag. The directors who say governance enables competitive advantage are describing decision infrastructure built before deployment, which allows faster deployment because the authorization framework is already in place. They are also right. They are not disagreeing about governance. They are describing two different things that happen to share a name.
Continuous Governance is the resolution. Griffin stated the operating principle without naming it: "Businesses that commit to a direction of travel and keep an open mind are businesses that actually have a chance to succeed." Continuous Governance is what that principle looks like at the board level - committed committee accountability structures, plus event-triggered review cadences that allow a board to acknowledge when the capability environment has changed and update its frameworks accordingly. Not once a year. When the information says to.
Anthropic ends its 2028 paper with one sentence: "The decisions made by policymakers this year will determine the future of transformative AI." Boards are not policymakers. But inside their own enterprises, on behalf of their shareholders, workforces, and the systems of trust that make enterprise success legitimate, they are the exact equivalent. The decisions are theirs to make. The scenarios are theirs to determine. The CEO is theirs to choose.
Governance is not the brake on the agentic enterprise. It is the transmission. It is what makes full-speed deployment possible because the entire organization trusts what is being deployed.
Governance Is Alpha.
Bring This To Life In the Boardroom
The committee infrastructure to govern the agentic enterprise already exists. It requires explicit assignment, not reconstruction.
Full Board owns AI strategy, IaaS vendor framework, competitive positioning relative to the intelligence environment, and CEO succession criteria for the agentic era. The Anthropic two-scenario framework belongs on the Full Board agenda alongside the question of which scenario assumptions are embedded in the company's current three-year plan. In the current succession environment - at Walmart, Coca-Cola, Adobe, Best Buy, Apple, and the many companies whose transitions will follow - the Full Board owns the criteria by which agentic enterprise leadership is evaluated in incoming CEO candidates.
Risk Committee owns AI vendor geopolitical risk, IaaS operational dependency under both Anthropic scenarios, distillation attack exposure in the vendor supply chain, AI incident response protocols, and the governance trigger framework for IaaS vendor reclassification. Apply Griffin's 2008 test to each primary vendor relationship: is any part of your AI strategy built on a structural dependency that could cease rather than slow in a crisis? If yes, that dependency needs a named Risk Committee owner and a documented contingency.
Audit Committee owns AI provenance documentation, EU AI Act compliance posture, and the quality of AI-related disclosures in SEC filings. Distillation attack liability sits with Audit. Model training lineage sits with Audit. The same committee that reviews financial controls has the mandate to ask whether the AI systems producing your financial analysis were developed with adequate safeguards - and whether your vendor chain carries the kind of distillation-derived contamination that creates the 94% malicious compliance rate CAISI found in DeepSeek.
Nom/Gov Committee owns board composition adequacy relative to IaaS exposure and CEO succession criteria for the agentic era. Nooyi's question - "What are they going to contribute?" - is the evaluation framework for directors and incoming CEO candidates alike. The specification: can this person evaluate a frontier model capability briefing, assess a distillation attack disclosure, and lead an enterprise through a transformation that experienced CEOs at five major American companies have concluded they are not the right person to attempt?
Compensation and HR owns the workforce transformation assumptions embedded in agentic deployment plans. Griffin described this as a race between job destruction and job creation. Nooyi identified the specific vulnerability: "If you don't have entry-level people who grow up to be middle managers, how are you going to get that judgment?" The committee that owns human capital disclosures owns the board-level accountability for the answer.
Next Steps
Here are some practical next steps to help prepare for Continuous Governance of the Agentic Enterprise.
1. RISK COMMITTEE: Run the IaaS Scenario Stress Test (Q3 2026)
Map your top three AI model and infrastructure providers against the Anthropic Scenario One and Scenario Two framework. For each: under Scenario Two conditions, how does the vendor's capability position change? What is the governance trigger that reclassifies this vendor from acceptable to elevated risk? What is the contingency if your primary IaaS provider loses frontier position within the three-year plan horizon?
Apply Griffin's 2008 test to each relationship: is any part of your AI strategy built on a structural dependency that could cease rather than slow in a crisis? Name the owner on the Risk Committee. Document the contingency.
2. AUDIT COMMITTEE: Commission an AI Provenance Review (before August 2026)
For every core AI model deployed at scale: document training data lineage, IP exposure history, and distillation attack due diligence in the vendor supply chain. Put one question directly to outside counsel: "If our primary AI vendor's models contain training derived from distillation attacks on US frontier models, what is our legal exposure and how does that appear in our current SEC disclosures?"
The EU AI Act enforcement deadline is August 2026. Penalties reach 7% of global annual revenue for high-risk AI system violations. The compliance question regulators will ask is not whether a governance policy exists. It is whether AI systems were deployed with documented oversight, by whom, with what authorization, with what evidence of ongoing monitoring.
3. FULL BOARD: Run the Enterprise Scenario Exercise (next strategy session)
Before the next board strategy session, have management present the company's current AI strategy mapped against both enterprise scenarios. Ask two questions: "Which assumptions in our three-year AI plan are only valid under Enterprise Scenario One conditions?" and "If we are inside Enterprise Scenario Two in 2028, which commitments in this strategy become liabilities?"
This is not a theoretical exercise. It is the board's version of the stress test every risk management framework already requires for other categories of critical infrastructure dependency.
4. FULL BOARD: Replace Annual AI Reviews With Event-Triggered Governance Cadences (this governance cycle)
Define in writing - in the board governance calendar, not the management risk register - the events that require immediate AI governance review: capability discontinuity announcements comparable in scale to Mythos Preview; export control changes materially affecting primary AI vendors; EU AI Act enforcement actions in your sector; significant distillation attack findings in your vendor supply chain; AI incidents at companies using comparable infrastructure.
The Governance Half-Life of current AI oversight frameworks is four to seven months. An annual review cycle spans four or five complete half-lives. Event-triggered cadences close that gap.
5. NOM/GOV COMMITTEE: Apply Nooyi's Question to the Next Director Search and CEO Succession
Nooyi's question - "What are they going to contribute?" - belongs in both your next director search brief and your CEO succession criteria. For directors: can this candidate evaluate a frontier model capability briefing, assess a distillation attack disclosure, and pressure-test management's IaaS vendor rationale? For CEO candidates: can this person own the agentic enterprise transformation personally, not delegate it? The departures at Walmart, Coca-Cola, Adobe, Best Buy, and Apple signal what happens when that question isn't asked early enough.
6. C-SUITE: Build Agent Authorization Infrastructure Before the Deployment Wave Arrives
For every AI agent currently deployed or in the pipeline, document four things: who authorized it, what its explicit scope limits are, what the escalation triggers are, and what the revocation mechanism is if agent behavior falls outside acceptable parameters. The agentic enterprise runs on intelligence it doesn't own. The authorization framework is the governance layer it does own. This is the CEO's responsibility to build - and the board's responsibility to require.
The diagnostic question for your next board meeting:
"We have approved an AI strategy. We are evaluating or will soon evaluate a CEO. Which scenario is our strategy built for? Does our incoming CEO have the capacity to lead this transition personally? And which committee on this board owns both of those questions simultaneously?"
If your board cannot answer that with named committees, a current mandate, and a documented framework - you have found the work.