Agency as a Service (AaaS)

AI, Organisational Autonomy, and the Outsourcing of Business Judgment

This paper argues that contemporary enterprise AI deployments function less as tool adoption and more as Agency as a Service (AaaS): organisations increasingly rent patterns of judgment and decision-making from external AI vendors, gradually displacing internal managerial agency even as they describe the change as standard technology implementation. Under AaaS, the critical asset is not software functionality but vendor-controlled agents that perceive, plan and act across business processes, embedding external value assumptions and risk postures deep inside the firm’s operating model. The analysis distinguishes AaaS from traditional SaaS and automation paradigms, shows how the shift from workforce discretion to AI-mediated workflows constitutes a transfer of agency rather than a simple productivity gain, and examines how vendor concentration, lock-in and embedded policy layers reshape power inside and between organisations. It then proposes an AaaS-specific governance framework, focused on managing agency drift, that boards can use to monitor and deliberately design agency that is now, in effect, borrowed rather than owned.

1. Introduction: From Tools to Rented Agency

Most organisations still frame AI initiatives as technology projects, new tools to improve productivity, efficiency or insight. This framing obscures a more profound shift: many AI systems now operate not only as instruments but as agents that recommend, prioritise and, in practice, decide on actions in hiring, pricing, risk, content moderation, resource allocation and governance workflows. When these systems are designed, maintained and updated by external vendors, the locus of organisational agency quietly migrates outside the firm.

The notion of Agency as a Service (AaaS) captures this migration. Under AaaS, what is being purchased is less a software capability than an outsourced pattern of decision-making, a ready-made bundle of judgments, heuristics and value trade-offs encoded in models and orchestration layers that the client organisation neither fully specifies nor fully controls. The result is a new dependency structure in which critical business outcomes are shaped by non-transparent socio-technical systems whose objectives may only partially align with those of the adopting organisation.

This paper is best read as a theoretical synthesis of prior work on AI vendors, platform power and governance gaps: where earlier analyses traced how model providers, hyperscalers and vertical AI platforms accumulate influence over enterprise behaviour, the AaaS concept names what that influence looks like from inside the firm. Taken together, they suggest that AI strategy is now inseparable from questions of where agency resides, how much of it has been externalised and on what terms it might be taken back. 

2. Defining "Agency" in the Organisational AI Context

2.1 Conceptualising agency

In philosophy and social theory, agency denotes the capacity of an actor to initiate action, make choices and be responsible for outcomes. In organisational theory, agency is closely linked to decision rights, discretion and accountability relationships between boards, executives, managers and employees. In AI research, an "agent" usually means a system that perceives an environment, takes actions and pursues goals, even if it lacks consciousness or moral responsibility. 

For AaaS, the relevant notion of agency is pragmatic and institutional: who or what is effectively determining how work is organised, which options are surfaced or suppressed, and which trade-offs are made under uncertainty. Even when humans formally "remain in the loop", empirical studies of algorithmic decision-support show that people tend to defer to algorithmic recommendations, especially under time pressure or when the system is presented as authoritative. In practice, this means that agency can be functionally exercised by AI systems even if, on paper, humans retain final decision rights. 

2.2 From tools to delegated decision-makers

Traditional software and analytics tools primarily assist humans in executing decisions they have already made. By contrast, many contemporary AI systems propose, prioritise or automate decisions based on statistical patterns learned from data. Recommendation engines, scoring models, copilots and autonomous agents often operate as default decision-makers, where deviating from their suggestions requires extra effort, justification or override mechanisms.

When such systems are provided as managed services, hosted models, orchestration platforms or vertical AI solutions, organisations effectively subscribe to pre-packaged patterns of judgment. The shift from "we decide and use tools" to "tools decide unless we intervene" is the core dynamic that the AaaS concept seeks to capture.

3. From SaaS to AaaS: What Is New?

3.1 SaaS: Functionality as a service

Software as a Service (SaaS) emerged as a model in which software functionality is delivered over the internet, maintained by the vendor and licensed on a subscription basis. Organisations outsource infrastructure management, updates and some configuration effort while retaining control over how the software is used within their processes. The vendor provides features; the client organisation determines how those features translate into decisions.

3.2 AaaS: Judgment as a service

Agency as a Service extends the SaaS logic from functionality to judgment. Instead of merely provisioning capabilities, AaaS offerings deliver decisions, recommendations and policies, for example, risk scoring for loans, triage decisions for customer support, dynamic pricing strategies or AI agents that autonomously execute workflows. These decisions are shaped by vendor-designed architectures, training data, model objectives and continuous updates.

The innovation of AaaS is not only technical but institutional. The organisation accepts a vendor-defined configuration of decision rules, thresholds and fairness trade-offs as the operational baseline. Over time, continuous vendor updates can change these baselines without any explicit strategic decision by the client, effectively shifting control of key aspects of the organisation’s behaviour to external actors.

3.3 The illusion of standard technology adoption

From a distance, AaaS deployments resemble familiar IT roll-outs, requirement gathering, vendor selection, integration and change management. The hidden difference is that AI systems are path-dependent learners rather than static tools. Their performance depends on data pipelines, feedback loops and vendor-controlled experimentation, which together co-determine how decisions evolve over time.

Thus, a programme framed internally as "AI adoption" may, in substance, be agency outsourcing. Leadership may underestimate how much practical discretion over pricing, approvals, content, risk tolerance or workforce management is migrating from local managers to external models.

3.4 Agentic AI as the concrete face of AaaS

The emergence of agentic AI makes AaaS tangible. Agentic systems maintain goal awareness, plan multi-step workflows, call tools and application programming interfaces (APIs) and autonomously execute actions across multiple business systems with minimal human intervention. In enterprise settings, these agents are increasingly packaged as managed services: customer-operations agents that end-to-end resolve tickets, credit-decision agents that orchestrate data collection and risk scoring, or HR agents that screen, schedule and correspond with candidates.

In these deployments, what the client organisation actually consumes is a loop of perception - planning - action - reflection designed, tuned and updated by the vendor. The practical effect is that the vendor’s agent becomes the first-order decision-maker for entire workflows, determining when to escalate to humans, which options to surface and how aggressively to pursue goals such as cost reduction or throughput, while humans intervene mainly at the margins. This is AaaS in its most concrete form: an externally designed agentic control layer that increasingly substitutes for internal, human-centred patterns of discretion.

3.5 A hollowing residue: borrowed rather than owned

Viewed through the AaaS lens, the mature AI-enabled firm risks becoming a thin shell around vendor-supplied agency: core patterns of judgment about customers, workers and capital allocation are increasingly preconfigured elsewhere and delivered as a managed service. Decision-making becomes something the organisation subscribes to rather than something it fully designs and curates, so that over time the firm’s distinctive posture toward risk, fairness and strategy is effectively borrowed rather than owned, even as its legal accountability remains firmly in-house.

4. Workforce, AI and the Redistribution of Decision Rights

4.1 From workforce substitution to agency substitution

Discussions of AI and work often focus on task automation and job displacement. Yet what is being automated is not only labour but also elements of judgment and discretion historically embedded in roles. When AI systems replace or mediate frontline decision makers, such as loan officers, caseworkers, schedulers or editors, the organisation is not simply "doing the same work with fewer people"; it is re-architecting who decides what.

Algorithmic management research shows that AI systems now assign tasks, evaluate performance and enforce rules in sectors from logistics to ride-hailing to content moderation. In many of these settings, workers experience decisions as coming from an impersonal system whose logic they cannot contest, and managers themselves rely on dashboards and automated recommendations rather than direct oversight. This illustrates AaaS internally: business agency is largely exercised by an AI-mediated control layer inside the firm.

4.2 Internal vs external AaaS as a design choice

A useful distinction is between internal AaaS and external AaaS:

• Internal AaaS: The organisation builds or heavily customises AI agents and decision systems in-house, yet still centralises agency in technical systems rather than distributed human roles. Here, internal data science and AI teams become custodians of organisational agency.
• External AaaS: The organisation relies on third-party models, platforms or managed services whose inner workings and updates are controlled by vendors. In this case, external providers effectively exercise significant influence over the firm’s decisions and risk posture.

The internal and external AaaS distinction is not merely a build-versus-buy question; it is a governance choice about where agency is allowed to crystallise. Internal AaaS centralises practical decision-making power in technical teams and model owners, while external AaaS extends that power boundary to vendors and platforms; boards need visibility into both forms if they are to understand who, in practice, is running the firm.

4.3 Illustrative example: Credit decisioning as AaaS

Consider a mid-tier Australian lender that adopts a vendor-hosted agentic AI platform to handle end-to-end small-business credit origination: gathering financials, querying external data sources, scoring risk, drafting terms and issuing approvals subject to occasional human override. For illustration, suppose that within a year the large majority of applications below a certain threshold are processed without human contact, and credit committees mainly review exceptions and portfolio-level dashboards. This kind of straight-through processing is consistent with industry analyses suggesting that a high proportion of transactional operations and retail credit journeys can be automated in leading banks.

On paper, the board still approves the credit policy and remains legally responsible for lending decisions under the Corporations Act and sectoral conduct obligations. In practice, however, the effective risk appetite and approval pattern are now shaped by the vendor’s models, feature engineering and continuous updates, none of which the lender fully observes. When a drift in approvals toward certain industries is later discovered, the firm realises that its "AI project" has in fact been an AaaS arrangement: it has quietly outsourced credit agency while retaining full liability.

5. Vendor Power, Lock-In and Embedded Normativity

5.1 Concentration of AI capabilities

The most advanced AI capabilities, large-scale foundation models, extensive compute infrastructure and highly specialised talent, are currently concentrated in a small number of large technology firms and a growing ecosystem of AI platforms. This concentration increases vendor power: many customers cannot feasibly replicate the underlying capabilities in-house and thus rely on vendors for both technical functionality and continuous improvements.

Under AaaS, this reliance extends to embedded values and assumptions. Model objectives, reward functions, safety filters and fine-tuning choices encode particular views of what counts as "good" or "acceptable" behaviour. When organisations adopt these systems as decision-makers, they implicitly import the vendor’s normative stance. This can shape everything from how aggressively content is filtered to which customers are deemed risky or valuable.

5.2 Lock-in through decision architectures

Traditional SaaS lock-in often arises from data formats, integrations and switching costs. AaaS adds a subtler form of lock-in: cognitive and procedural dependence on vendor-supplied decision architectures. Once workflows, key performance indicators and managerial routines co-evolve with a particular model’s outputs, replacing that model is not only technically difficult but also disruptive to organisational sense-making.

Moreover, many AI services operate as black boxes with limited model documentation or transparency. This opacity makes it hard to benchmark alternative systems or to understand how a change in vendor would alter outcomes, further entrenching the incumbent provider.

5.3 Political economy: Asymmetry and oligopoly dynamics

At system level, AaaS is also a political-economic arrangement built on asymmetry. A small oligopoly of model and infrastructure providers now controls the most capable foundation models, the compute needed to run them and the surrounding orchestration and safety layers, while most client firms sit downstream as price-takers with limited technical leverage. As algorithmic management research in the gig economy has shown, when control over task allocation, evaluation and enforcement sits with platform operators rather than with workers or local managers, the balance of power and agency shifts decisively toward the platform.

AaaS extends this pattern into mainstream enterprises, with vendors increasingly setting the practical terms on which whole sectors see and act on their environments. The result is a layered asymmetry: firms carry the legal and reputational consequences of AI-mediated decisions, while vendors increasingly shape the decision logic, data flows and update cadence that drive those outcomes.

6. Accountability, Liability and the Governance Gap

6.1 Formal accountability vs practical control

Legal and regulatory frameworks typically treat organisations as responsible for decisions that affect customers, workers and the public, even when those decisions are made or influenced by automated systems. Boards and executives retain fiduciary duties and can be held liable for harm or regulatory breaches. However, when core decision logic is embedded in vendor-controlled AI services, a governance gap emerges: those formally accountable may not have sufficient visibility or control to meaningfully oversee the systems that shape outcomes.

Contracts and service-level agreements often address uptime and performance metrics but not the deeper questions of value alignment, fairness or explainability. This mismatch encourages a dangerous illusion that AI-mediated decisions can be "outsourced" when, in reality, only the mechanism is outsourced while accountability remains in-house.

6.2 Regulatory developments: EU AI Act and global trends

Emerging regulatory frameworks such as the European Union’s AI Act, sectoral guidance from financial and healthcare regulators and national AI safety strategies increasingly require organisations to perform risk assessments, maintain documentation and ensure human oversight for high-risk AI uses. The EU AI Act distinguishes between providers (vendors) and deployers (client organisations), assigning obligations to both and reinforcing the principle that deployers cannot treat vendor AI as a way to outsource compliance.

These developments support the AaaS lens: even when agency is partially externalised to vendor systems, deployers remain responsible for ensuring that AI-mediated decisions align with law, ethics and stakeholder expectations. Regulators are gradually recognising the structural dependencies created by AI platforms and are beginning to emphasise transparency, interoperability and post-market monitoring as counterweights.

6.3 Australian hooks: ASIC, APRA and director duties

For Australian boards, AaaS intersects directly with evolving guidance from ASIC and APRA. ASIC’s recent commentary on AI in financial services warns that a "governance gap" can emerge when firms adopt AI faster than they update their risk and oversight frameworks, and stresses that existing licensee obligations and director duties under the Corporations Act continue to apply regardless of whether decisions are made by humans or algorithms.

APRA’s CPS 230 standard on operational risk and service provider management explicitly requires prudentially regulated entities to treat material third-party arrangements, including technology and data services, as critical operations, with expectations around due diligence, resilience, exit planning and ongoing monitoring. Framed as AaaS, these instruments can be read as regulatory recognition that accountability cannot be outsourced even when agency is partially outsourced: boards remain responsible for demonstrating that vendor-supplied agents operate within the firm’s risk appetite, comply with law and can be replaced or re-configured without jeopardising critical services.

7. AaaS as a Strategic and Governance Problem

7.1 Strategic positioning and the commoditisation of judgment

From a strategy perspective, the spread of AaaS threatens to commoditise the judgment layer of the firm. If multiple competitors in a sector all subscribe to the same vendor’s credit-scoring agent, marketing optimisation agent or workforce-scheduling agent, then large parts of their behaviour converge around the vendor’s embedded heuristics, loss functions and policy settings. Competitive differentiation is then pushed either upstream into data access and fine-tuning, or downstream into how humans override and contextualise the system’s decisions, but the "default" behaviour becomes widely shared.[^3][^2][^6]

This raises a strategic design question that goes beyond generic "build vs buy": which domains of agency are we willing to share with our closest competitors by renting vendor agents, and which must remain uniquely ours? Organisations that treat AaaS as a generic efficiency play risk quietly standardising their risk appetite, customer posture and even ethical stance to match the vendor median; those that treat agency as a strategic asset will deliberately ring-fence certain decision domains for in-house models, human-centric processes or bespoke agentic architectures that preserve a distinctive way of seeing and acting in the world.

7.2 Organisational design and AI-mediated roles

AaaS adoption reshapes organisational design. Roles that previously combined execution and judgment may be split, with AI handling standard cases and humans focusing on exceptions or relationship management. New roles emerge around AI oversight, prompt engineering and incident response, often situated between business units and technical teams. If these changes occur without explicit design, organisations risk creating responsibility vacuums where no one feels fully accountable for AI-mediated outcomes.

Governance-aware design instead treats AI systems as organisational actors whose influence must be explicitly mapped and monitored alongside human roles. This includes clarifying who owns each agentic workflow, how escalations work and how feedback from frontline staff feeds into the evolution of AaaS usage.

8. An AaaS Governance Framework for Managing Agency Drift

To govern AaaS, boards need a framework that focuses less on generic AI risk and more on how agency can drift over time from internal actors to vendor-controlled systems. Four interlocking disciplines, Allocation, Anchoring, Audit and Adaptation, provide a practical structure.

8.1 Allocation: Decide which agency you can rent

Allocation is about consciously deciding which decision domains may rely on AaaS and which are non-delegable. Rather than letting vendor capabilities drive adoption, boards can require management to map critical decision classes, for example, credit approvals, pricing, disciplinary actions and safety-critical controls, and classify them as "retain", "share" or "rent".

Non-delegable decisions remain under strong human or in-house model control; shared decisions may use vendor agents with tight human sign-off; rented domains are those where agency can be safely externalised because the strategic and ethical stakes are lower. Making this allocation explicit helps prevent silent expansion of AaaS into domains where externalised agency would undermine the firm’s strategy or obligations.

8.2 Anchoring: Tie rented agency back to your values and rights

Anchoring ensures that borrowed agency still moves within boundaries set by the firm, not solely by the vendor. This involves translating board-level risk appetite and values into explicit constraints, success metrics and escalation rules for vendor agents, and then embedding those in contracts, configuration and technical architectures, for example, policy layers, approval thresholds and kill-switches.

Vendor terms should reflect rights to documentation, explainability artefacts, change notifications and, where proportionate, independent testing or audit access. Internally, anchoring includes clear ownership for each AaaS-mediated workflow and defined decision rights for changing model configurations or switching vendors.

8.3 Audit: Detect and correct agency drift

Audit focuses specifically on agency drift: the gradual shift in how decisions are made as models, data and vendor policies evolve. Beyond standard performance monitoring, organisations can implement periodic "agency audits" that compare actual AI-mediated decisions with declared policies and past baselines, using sampling, scenario testing and fairness or outcomes analysis.

The goal is to detect when vendor-supplied agents have, in practice, become more permissive, more restrictive or differently biased than the firm’s stated posture, and to trigger renegotiation, re-configuration or partial re-internalisation when misalignment appears. Audit also extends to resilience questions, how quickly the firm could revert to human or alternative processes if a vendor system failed, misbehaved or became unavailable.

8.4 Adaptation: Rebalance agency over time

Adaptation recognises that AaaS arrangements are dynamic political-economic relationships, not one-off procurements. As vendors consolidate, update models and change pricing or policy, firms may need to rebalance their portfolio of internal versus external agency, diversifying providers, investing in in-house capabilities or bringing critical decision logic back inside when dependence grows too great.

Board oversight here looks like periodic "AaaS resilience reviews" that assess concentration risk, portability and exit options, and treat major vendor or model changes as governance events requiring explicit approval, not just information technology change tickets. In this way, adaptation becomes an ongoing board-level practice rather than an ad hoc response to vendor surprises.

9. Board-Level Questions for AaaS Oversight

Boards seeking to oversee AaaS effectively can integrate targeted questions into existing risk, strategy and technology governance processes.

Illustrative questions include:

1. Agency location: In our most critical business processes, who or what is effectively making decisions, and how has this changed with AI adoption?
2. Internal versus external AaaS: Where is agency crystallising inside internal technical teams versus external vendors, and are we comfortable with that balance?
3. Vendor dependence: Which aspects of our decision-making are materially dependent on external AI vendors, and what concentration risks does this create?
4. Value alignment: How do we know that the objectives, guardrails and embedded assumptions of vendor AI systems align with our strategy, risk appetite and ethical commitments?
5. Accountability clarity: For AI-mediated decisions that affect customers, workers or the public, who on the management team is accountable, and what information do they receive for oversight?
6. Resilience and exit: If a key AI vendor were to fail or radically change terms, how would we continue to operate, and what is our strategy for portability or diversification?
7. Regulatory readiness: Are we prepared to demonstrate compliance with emerging AI regulations and guidelines, including documentation, testing and human oversight requirements, particularly where AaaS is involved?

These questions do not require boards to become technical experts; rather, they reframe AI adoption as a matter of organisational agency and fiduciary responsibility.

10. Implications for Practice and Research

10.1 Implications for practitioners

For executives and practitioners, the AaaS concept suggests several practical shifts. First, treat AI adoption projects as agency design exercises, not just technology deployments. This means explicitly deciding which decision-making capabilities are strategic core and must remain under strong internal control versus those that can be safely externalised. Second, embed AaaS considerations into procurement, vendor management and enterprise architecture, including explicit evaluation of vendor governance maturity, value alignment and exit options.

Third, build internal capabilities in AI oversight, impact assessment and incident response so that the organisation can challenge and, where necessary, override vendor-supplied agents. These steps can help organisations harness AI while preserving distinctive judgment and accountability.

10.2 Implications for researchers and policymakers

For researchers, AaaS offers a lens to study how AI reshapes power and agency within and between organisations. It connects literature on algorithmic management, platforms and corporate governance, and invites empirical studies on how AaaS arrangements affect outcomes, resilience and fairness across sectors.

For policymakers, recognising AaaS clarifies why AI regulation must address both providers and deployers: while accountability formally rests with organisations, meaningful control often sits with vendors. Regulatory frameworks that encourage transparency, interoperability and shared responsibility can help mitigate the risks of excessive agency outsourcing, particularly in high-stakes domains such as finance, healthcare and critical infrastructure.

11. Conclusion

Agency as a Service (AaaS) captures a defining feature of contemporary AI adoption: organisations are not merely acquiring powerful tools but, in many cases, outsourcing elements of their own agency to vendor-provided AI systems. This outsourcing can yield efficiency and capability gains, yet it also concentrates power in external actors, embeds opaque value judgments into organisational behaviour and creates governance gaps if not explicitly recognised.

By reframing AI initiatives as questions of who decides, on what basis and under whose control, boards and executives can better navigate the trade-offs of AI-enabled transformation. The task is not to reject AaaS outright but to manage it deliberately, deciding which forms of agency to retain, which to share and which, if any, to entrust to external systems.

In doing so, organisations can avoid becoming hollow shells around vendor-supplied agents and instead develop hybrid arrangements in which rented agency is tightly anchored to internal values, regularly audited for drift and continuously rebalanced as technologies and market structures evolve.