On March 31, four UK regulators published a foresight paper on agentic AI. Not one regulator — four. The Competition and Markets Authority, Ofcom, the Information Commissioner’s Office, and the Financial Conduct Authority sat down together and mapped what autonomous AI systems mean for their overlapping jurisdictions.
Their conclusion: the challenges are outpacing the oversight.
That’s not a diplomatic warning. That’s four enforcement bodies saying the thing they are built to govern has moved faster than the frameworks they govern with.
When Regulators Ask For Help
The DRCF — the forum that coordinates these four agencies — published its findings from what firms are actually calling for. The ask isn’t lighter regulation. It’s different regulation: cross-regulator coordination, and outcome-based rules tied to specific levels of autonomy.
Cross-regulator coordination means: the rules currently live in silos. Data protection doesn’t talk to competition. Financial conduct doesn’t talk to communications. But an AI agent making a credit decision that uses personal data and routes it through a proprietary platform sits in all four jurisdictions simultaneously. The existing rulebooks assume hand-offs between departments that can’t happen at agent speed.
Outcome-based rules tied to autonomy levels means: the current frameworks ask “what did the system do?” Agentic AI forces the question back further — “what was the system designed to be allowed to do?” That question has to be answered before deployment. It’s a design question, not a compliance question.
The Enforcement Gap Stated Plainly
The regulators aren’t admitting weakness. They’re identifying a structural mismatch. Enforcement infrastructure was built for a world where humans make the consequential decisions and technology executes them. Agentic AI inverts that: the technology makes consequential decisions and humans are notified afterward, if at all.
In that world, the enforcement trigger — the moment of wrongdoing — is diffuse, distributed, and often invisible until something breaks. You can’t audit a credit decision made by an agent at 3am if nobody designed the rules that decision was supposed to follow.
This is the problem the DRCF is circling. It’s the same problem financial services firms are running into live. A 2026 survey by Responsible AI found that banks, payments networks, and lending platforms have agentic AI executing transactions and routing credit decisions today. Governance frameworks for those decisions were designed for human decision-makers. The agents are doing something the frameworks were never built to evaluate.
What “Listening and Learning Phase” Actually Means
DRCF’s Head of Innovation and Governance said the forum is currently in “a listening and learning phase” — analyzing perspectives to understand what practical support innovators need most (via IAPP coverage of the DRCF Responsible AI Forum, April 2026).
That’s an honest acknowledgment: regulators don’t yet have the vocabulary to write the rules. They know the problem exists. They’re learning what it requires.
For every organization deploying agents now, that gap is not a temporary exemption. It’s a window. When the frameworks arrive — and they will, cross-regulator and outcome-based — they’ll apply backward to what was already deployed. The question is whether what’s deployed was designed to answer the questions the regulators will eventually ask.
Designed. Not retrofitted. Not documented after the fact.
Designed.
The Design Layer Is the Answer
The regulators are circling the same gap from a different direction. They’re asking: how do we create oversight for systems that make consequential decisions autonomously? The answer starts where oversight can’t reach in real-time: inside the workflow, before deployment.
When an agent can show its rules — the decisions it was designed to make, the boundaries it was designed to respect, the stakeholder it was designed to serve — that’s not just compliance documentation. It’s the answer to the outcome-based rules the regulators are still working out how to write.
Four regulators said the problem is ahead of them.
The design work starts before they catch up.
Sources: DRCF Foresight Paper on Agentic AI, March 31, 2026 (CMA, Ofcom, ICO, FCA). IAPP coverage: UK DRCF highlights risk-based approach to agentic AI (iapp.org). Mondaq: DRCF Responsible AI Forum 2026. Responsible AI: “AgenticAI Governance Lessons from Financial Services,” April 2026 (responsible.ai).
wyrework.ai