The Reviewer and the Reviewed Cannot Be the Same Agent

Separation of duties is one of the oldest controls in the book. The person who writes the check does not sign it. The engineer who writes the code does not approve its own deployment. Agentic AI is quietly testing whether that principle survives when the actor and the reviewer are the same kind of thing.

Walk into any conversation about governance, risk, and compliance and you will hit separation of duties within the first ten minutes. It predates computers. It predates most of the frameworks that now codify it. The idea is almost embarrassingly simple: no single party should both perform a sensitive action and be the only one who attests that the action was performed correctly. Split the work from the review, and fraud and error both get much harder, because catching them no longer depends on the honesty of one actor.

SOC 2 enforces it. ISO 27001 enforces it. ISO 42001 inherits it. Financial-controls regimes are built almost entirely around it. When an auditor asks who approved a change, the wrong answer is "the same person who made it." That answer is not a minor finding. It is the finding, because it means the control that everything else rests on was never really there.

Now put an AI agent into that sentence and watch what happens.

What agentic systems quietly collapse

The selling point of agentic AI is that it closes the loop. An agent drafts the code, another agent reviews the pull request, a third runs the tests, and a service account ships it. An agent reads the claim, an agent checks it against policy, an agent approves the payout. The pitch is that the whole chain runs without a human bottleneck. The part nobody says out loud is that the chain also runs without the separation the bottleneck used to provide.

When the actor and the reviewer are two instances of the same model, or two prompts against the same system, the independence is cosmetic. They share weights, training data, failure modes, and blind spots. A reviewer that fails in exactly the same way as the actor is not a control. It is a copy of the actor wearing a different label. If the first agent hallucinates a fact, the second agent is disposed to accept it, because it would have produced the same fact. Separation of duties was never about having two steps. It was about the second party being structurally unable to share the first party's mistakes.

This is not an argument against agents. Agents are genuinely useful, and a great deal of work that used to need a human in the chair does not anymore. It is an argument about what we are allowed to call a control once an agent is in the chair. A workflow that has an agent review another agent has automated the labor of review. It has not preserved the independence that made review meaningful. Those are different things, and the gap between them is exactly where the next generation of findings will live.

The tempting fix that is not one

The obvious response is to add a human approver back at the end. A person clicks approve, and the artifact the auditor wants reappears. On paper the control is restored.

In practice it is often restored in name only. A human asked to approve fifty agent-generated decisions an hour, on material they cannot realistically re-derive, is not exercising independent judgment. They are providing a signature. The signature satisfies the documentation, but it does not reconstitute the separation, because the human is not actually able to verify what the agent did. We have moved the cosmetic independence from one AI reviewing another to a person rubber-stamping work they cannot check. The box is ticked. The control is still hollow.

The honest version of the problem is this. Real independence requires that the reviewer have access to something the actor cannot fake: a record of what actually happened that does not come from the actor's own account of itself. With humans, we approximated that through roles, segregation of access, and the friction of separate people. With agents that act and review at machine speed, roles and access controls are not enough on their own, because the thing being reviewed is a claim the system makes about its own behavior, and the reviewer is reading that same claim.

Where this lands for ISO 42001

ISO 42001 asks organizations to govern their AI systems and to keep operational records of how those systems behave. The performance-evaluation clauses assume you can show what the system did. As agents take over more of the action and more of the review, the question underneath those clauses sharpens: when the actor and the reviewer are both AI, what plays the role of the independent party?

I do not think the answer is to ban agents from reviewing agents. The answer is to be precise about what review requires. If the reviewing agent is checking the acting agent against an independent, tamper-evident record of what actually executed, rather than against the acting agent's own narration, then something like separation has been preserved, because the reviewer is anchored to a fact the actor could not quietly rewrite. If the reviewing agent is simply reading the actor's output and forming an opinion, then no amount of workflow diagramming makes it a control.

So the test an auditor will eventually ask, and that GRC practitioners should start asking now, is not "is there a review step." It is "what is the review anchored to, and could the thing being reviewed have produced that anchor itself." If the answer is that the actor produced its own evidence, the separation is an illusion, however many agents are in the chain. The oldest control in the book still applies. It just needs something the actor cannot forge to be anchored to, and in a world of agents reviewing agents, supplying that anchor is a harder problem than drawing one more box on the diagram.

Try the live demo · Follow on LinkedIn · RSS