Existing AI governance frameworks, including ISO/IEC 42001:2023 and the EU AI Act (Regulation (EU) 2024/1689), govern individual AI systems at the point of deployment. Neither provides a mechanism to measure or constrain the aggregate decision-making authority delegated to autonomous systems across an enterprise portfolio. This gap creates a structural governance vulnerability: organisations can deploy many individually compliant AI systems while accumulating an unconstrained total exposure to machine-made decisions that no board has explicitly authorised. This paper introduces the Autonomy Budget, a portfolio-level governance construct that treats delegated machine authority as a bounded, board-managed resource analogous to financial delegation limits, and the Autonomous Decision Authority Exposure (ADAE) scoring model that operationalises it. The ADAE model quantifies the authority exposure of each autonomous system across four weighted dimensions: Financial Authority (40%), Customer Reach (30%), Operational Reach (20%), and Decision Velocity (10%), with multiplicative conservative loading adjustments for irreversibility (+15%) and multi-agent orchestration (+20%). Individual ADAE scores are summed to form a Portfolio ADAE figure, which is compared against a Board-approved Autonomy Budget ceiling. Four utilisation bands define escalating governance responses — from standard operations at below 80% utilisation to a Full Board resolution requirement at 100%. The framework further addresses the distinction between historical authorisation and current admissibility — recognising that a delegation of machine authority does not permanently confer the right to bind consequence, and that governance must continuously test whether delegated authority remains admissible under present conditions, not merely whether it was correctly granted at the point of deployment. The paper further introduces the Governance Maturity Index (GMI), a five-level certification framework that gates the expansion of autonomy behind demonstrated governance capability, preventing organisations from deploying high-autonomy systems until the governance infrastructure required to oversee them is in place. Together, the Autonomy Budget and GMI constitute a portfolio governance layer that operates above and beyond the system-level requirements imposed by existing standards and regulations. The framework has been operationalised in the MANDATE Suite, a purpose-built AI governance framework for regulated industries. Two worked examples are provided to demonstrate ADAE scoring in practice. The paper concludes with a discussion of the framework’s relationship to existing regulatory requirements, its limitations, and directions for empirical validation.
M Maruf Hossain (Tue,) studied this question.