Risk-Based Autonomy Limits, Duty Separation, and Periodic Reviews: The Three Pillars Procurement Leaders Are Using to Keep AI in Check
Based on insights from the Forrester Opportunity Snapshot: “Don’t Delegate AI,” commissioned by Zycus, February 2026 | Survey of 261 procurement leaders (director-plus)
Throughout this series, we have built a progressive argument about agentic AI in procurement. We established that CPOs must personally own the AI strategy (Part 1), that autonomy must be calibrated by domain (Part 2), that a 38-point readiness gap threatens execution (Part 3), and that the top five procurement priorities for 2026 all point to AI readiness (Part 4). Each of those pieces addresses a dimension of the same problem: how procurement leaders retain control as AI gains autonomy.
This fifth installment moves from diagnosis to prescription. The Forrester study does not just identify the risks of over-delegation — it documents what leading organizations are actively doing to prevent it. What emerges is a practical governance playbook built on three pillars: risk-based autonomy limits, duty separation, and periodic model reviews. Together, these mechanisms ensure that AI accelerates procurement workflows without overstepping the boundaries that protect compliance, trust, and strategic intent.
Pillar 1: Risk-Based Autonomy Limits by Category (53%)
The most widely adopted safeguard, cited by 53% of procurement leaders, is risk-based autonomy limits by category. The principle is straightforward: not all procurement categories carry the same risk, so not all categories should be governed by the same autonomy thresholds. A tail-spend purchase of office supplies and a strategic sourcing decision for a critical raw material require fundamentally different levels of AI independence.
In practice, this means defining autonomy tiers that map to category risk profiles. Low-risk, high-volume categories — the kind where AP automation already operates at 63% autonomy according to the Forrester data — can tolerate high AI independence with minimal human intervention. Strategic categories that involve complex supplier relationships, regulatory exposure, or significant financial commitments demand tighter controls and explicit human approval at defined thresholds.
Implementing this requires technology that can enforce category-level rules across the lifecycle. Zycus’s AI-powered Spend Analysis provides the data foundation, automatically classifying spend by category, supplier, and risk profile with up to 97% accuracy. This classification becomes the backbone of risk-based governance — without clean, granular spend data, category-level autonomy limits are impossible to enforce consistently. Building on this, Zycus’s Merlin Agentic AI Platform allows procurement admins to configure agent behavior at the category level, setting different autonomy thresholds, escalation triggers, and approval requirements without writing code.
Pillar 2: Duty Separation Between Agents and Approvers (51%)
Fifty-one percent of organizations enforce a clear separation of duties between AI agents and human approvers. This mirrors a principle long established in financial controls: the entity that initiates a transaction should not be the same entity that approves it. In the context of agentic AI, this means that even when an agent autonomously identifies a sourcing opportunity, negotiates terms, or flags a compliance exception, a human approver validates the decision before it becomes binding.
Duty separation prevents a subtle but dangerous failure mode: AI systems that both identify problems and implement solutions without external validation. An agent that detects a contract deviation and autonomously renegotiates terms may optimize for cost while inadvertently compromising a strategic supplier relationship. The human approver provides the contextual judgment that the algorithm lacks.
Zycus’s eProcurement solution embeds this principle natively. AI-driven workflows automatically route requests to the right approvers based on policy rules, value thresholds, and category risk. The agent handles the analysis and routing; the human retains the approval authority. For tail-spend negotiations specifically, Zycus’s Merlin Autonomous Negotiation Agent (ANA) negotiates autonomously across price and non-price parameters, but the CPO defines the negotiation boundaries, spend caps, and compliance thresholds within which the agent operates — ensuring separation between execution and strategic authority.
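As an added illustration of pillars 1 and 2 (this is example code, not Zycus's product logic and not from the Forrester study), the following Python sketch runs an agent-initiated action through a category-tiered autonomy gate and then a separation-of-duties approval step, keeping an audit trail and a reversal path; the category-to-tier map, spend caps, and identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Tier(Enum):
    LOW = "low"              # tail spend: high AI autonomy
    MEDIUM = "medium"        # routine but material: autonomy under a tight cap
    STRATEGIC = "strategic"  # critical categories: human approval always

# Constructed category-to-tier map and per-tier autonomous spend caps (assumptions).
CATEGORY_TIER = {"office_supplies": Tier.LOW, "it_hardware": Tier.MEDIUM,
                 "raw_materials": Tier.STRATEGIC}
AUTONOMY_CAP = {Tier.LOW: 5_000.0, Tier.MEDIUM: 500.0, Tier.STRATEGIC: None}

@dataclass
class Action:
    action_id: str
    agent_id: str            # the AI agent that initiated the action
    category: str
    amount: float
    status: str = "proposed"
    audit: list = field(default_factory=list)  # every transition is logged

def gate(action: Action) -> str:
    """Risk-based autonomy limit: execute alone or escalate to a human."""
    tier = CATEGORY_TIER.get(action.category, Tier.STRATEGIC)  # unknown = strictest
    cap = AUTONOMY_CAP[tier]
    within_cap = cap is not None and action.amount <= cap
    action.status = "auto_approved" if within_cap else "pending_approval"
    action.audit.append(("gate", tier.value, action.status))
    return action.status

def approve(action: Action, approver_id: str, humans: set) -> bool:
    """Separation of duties: only a human, never the initiating agent, approves."""
    if action.status != "pending_approval":
        return False
    if approver_id not in humans or approver_id == action.agent_id:
        action.audit.append(("approval_rejected", approver_id))
        return False
    action.status = "approved"
    action.audit.append(("approved", approver_id))
    return True

def reverse(action: Action, actor_id: str) -> bool:
    """Every automated action stays reversible by a human reviewer."""
    if action.status not in ("auto_approved", "approved"):
        return False
    action.status = "reversed"
    action.audit.append(("reversed", actor_id))
    return True
```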
Pillar 3: Periodic Model and Agent Performance Reviews (50%)
Half of the organizations conduct periodic reviews of AI model and agent performance. This is governance in its most dynamic form: not just setting rules, but actively monitoring whether those rules produce the intended outcomes. AI models drift over time as data patterns shift, market conditions evolve, and organizational priorities change. An agent that performed well in Q1 may produce suboptimal results in Q3 if its parameters are not recalibrated.
The Forrester study found that only 36% of leaders feel ready to retrain AI models — a gap we explored in detail in Part 3 of this series. Periodic reviews are how organizations begin to close that gap: they create a structured rhythm of evaluation that surfaces drift before it becomes damage. As one CPO from a logistics firm noted in the study, organizations should enforce risk-tiered gates and operational monitoring so every automated action remains auditable and reversible.
Zycus’s Procurement Analytics agents support this review discipline by providing real-time visibility into agent behavior, decision patterns, and outcome metrics. Rather than requiring data science expertise to audit model performance, procurement leaders can interrogate agent outputs in natural language and receive deep insights connecting spend, supplier, contract, and risk data. This makes periodic reviews a procurement-led exercise rather than an IT-dependent one.
Beyond the Three Pillars: A Living Governance Model
The three pillars are necessary but not sufficient. The Forrester data also documents additional safeguards including spending caps, human arbitration boards, supplier feedback loops, AI ethics committees, and independent QA reviews. What distinguishes mature governance is not the number of controls but the principle that governance must be living, not static. As AI capabilities evolve, the boundaries between human-led and AI-led work will shift. A governance model designed in January may be outdated by June.
This is why the preferred operating model among respondents — central governance with decentralized execution, favored by 43% — matters so much. It creates a framework where procurement leadership defines the principles and domain teams adapt execution within those guardrails. Zycus’s integrated Source-to-Pay suite provides the unified platform required for this model: governance rules, autonomy thresholds, and escalation paths defined once at the center and enforced consistently across every procurement workflow.
Governance Is Not the Brake — It’s the Steering
Over-delegation is not a technology failure. It is a leadership failure — the result of granting AI autonomy without defining the boundaries within which that autonomy operates. The three-pillar playbook that leading organizations are deploying demonstrates that governance and AI acceleration are not in tension. Risk-based limits enable faster deployment in low-risk domains. Duty separation builds the trust required to expand AI’s scope. And periodic reviews ensure that governance evolves alongside the technology.
For CPOs who have followed this series from strategy ownership through autonomy mapping, readiness gaps, and foundational priorities, this governance playbook is the operational mechanism that ties everything together. The question was never whether to adopt agentic AI. It was always how to adopt it without losing control. The answer, as these 261 procurement leaders demonstrate, is to govern deliberately, review continuously, and never delegate the design of your guardrails.
Source: Forrester Opportunity Snapshot, “Don’t Delegate AI: Why Procurement Leaders Must Personally Shape, Not Surrender, AI-Driven Decisions,” a custom study commissioned by Zycus, February 2026. Based on a survey of 261 procurement leaders (director-plus) across the US, Europe, and Asia Pacific.
Read the Series:
- Part 1: Why CPOs Must Own the AI Strategy — Not Delegate It to IT
- Part 2: Agentic AI in Procurement: Where Autonomy Works and Where It Doesn’t
- Part 3: The 38-Point Readiness Gap: Why Procurement’s AI Vision Outpaces Execution
- Part 4: Top 5 Procurement Priorities for 2026 — And Why They All Point to AI Readiness
Related Reads:
- AI in Procurement: The Ultimate Guide to the New OS
- Podcast: Data Dilemma: Privacy, Quality, and Security in the Age of AI
- Responsible AI in Procurement: Building Trust and Efficiency in the Supply Chain
- Podcast: Built-In Ethics: Designing AI That Doesn’t Need Babysitting
- Governance in the Age of AI: Procurement Governance and Compliance