AI Agents Can Delete Your Production Database. Here's the Governance Framework That Stops Them.

This article presents COA-MAS — a governance framework for autonomous agents grounded in organizational theory, institutional design, and normative multi-agent systems research. The full paper is published on Zenodo: doi.org/10.5281/zenodo.19057202 The Problem No One Is Talking About Something unusual happened in early 2026. The IETF published a formal Internet-Draft on AI agent authentication and authorization. Eight major technology companies released version 1.0 of the Agent-to-Agent Protocol. And a widely-read post demonstrated why the prevailing credential model for AI agents was structurally broken. The convergence wasn't coincidental. It was the signal that a structural problem — long present in early agentic deployments — had reached the threshold of production consequence. We've built agents that can: Delete production databases Execute financial transactions Modify business logic Spawn other agents And we gave them API keys . An API key authorizes access . It does not authori