The Decision Supply Chain
Governing the autonomous system at the centre is not enough. Accountability runs along the whole chain through which a consequential decision is produced, and the chain is only as governable as its least governed link.
DSI 001 Version 1.0. Effective [25 June 2026].
Decisions used to have authors
For most of the history of corporate governance, consequential decisions were made by identifiable people within defined organisational boundaries.
A credit officer approved a loan. A board voted on an acquisition. A general counsel advised on a contract. The chain of accountability was traceable because decisions had authors. That description no longer fits how many organisations operate.
A single operational decision in a contemporary AI-enabled business might involve an autonomous system generating a recommendation, an offshore analyst reviewing the output, a fractional executive approving the action, and a cloud provider executing the transaction. Each element operates in a different jurisdiction, under a different contractual relationship, with different accountability to the organisation at the centre. This is not an edge case. It is an increasingly common operating structure across financial services, legal technology, procurement and enterprise operations.
Distributed decision infrastructure
The modern organisation increasingly produces consequential decisions through distributed decision infrastructure: the network of human experts, autonomous systems, data infrastructure and external providers through which decisions are produced, operating across organisational boundaries, employment relationships and jurisdictional lines at the same time.
Governance built for hierarchical, human-authored decisions does not govern distributed decision infrastructure. That mismatch is the governance gap.
The decision supply chain
The decision supply chain is the sequence of systems, actors and processes through which a consequential decision is produced. It extends from the data inputs that inform the decision, through the autonomous systems and human actors that shape it, to the execution infrastructure that implements it.
Together, the decision supply chain and the network it traverses constitute an organisation's decision infrastructure: the full organisational and technical system through which consequential decisions are produced. Governance of autonomous systems is, in institutional terms, governance of that infrastructure.
Governing the decision supply chain means applying accountability architecture, evidence standards and classification logic not only to the autonomous system at the centre of the chain, but to each link in the sequence through which the decision travels.
Why the chain matters for accountability
The three questions that govern institutional accountability, who held authority, what they knew, and what they did, must be answerable for every link in the chain, not only the autonomous system at its centre.
The question regulators, insurers and investors will ask is not simply whether the AI system functioned correctly. It is whether the organisation deploying it can demonstrate who controlled it, where decisions were made, under which jurisdictional authority those decisions occurred, and what each participant in the chain knew and did.
When the accountability question is asked about a decision produced by distributed decision infrastructure, it does not have a single answer. It has a chain of answers, one for each link. The chain is only as governable as its least governed link.
The chain in practice
Governance must exist outside the model, at the boundaries through which the model's inputs and outputs flow. Four boundaries matter: the data boundary, governing what information enters the system; the inference boundary, governing how interaction with the model occurs; the action boundary, governing what consequential actions the system is permitted to take; and the jurisdictional boundary, governing where the decision's consequences take legal effect. Each boundary corresponds to a layer of the decision supply chain.
Typically the most visible component, and frequently the most governed. Classification, monitoring and evidence programmes tend to focus here. That focus is necessary, but it is not sufficient.
Training data, retrieval sources and real-time feeds that supply the system with inputs. Each source raises provenance questions: legal basis for use, intellectual property rights, and consent where personal data is involved. Training-data exposure is backward-compounding: created at the moment of training, it accumulates across the system's entire operational history.
An offshore analyst, a fractional executive, an internal approval function. These actors are links in the chain. Their accountability must be assigned by role and documented, supported by contractual structure that reflects their actual function, and included in the operational evidence record. A record that documents the system's decisions but not the human review stage does not satisfy the accountability requirement.
Cloud providers, payment processors and data-exchange platforms that carry out the decision. Where this infrastructure is operated by a third party in a different jurisdiction, the chain carries contractual and jurisdictional complexity that governance must address.
The jurisdictional boundary governs where the decision's consequences take legal effect. It is the governance point for cross-border liability, regulatory compliance, and provider designation risk. Agentic deployments routinely cross jurisdictions without a deliberate organisational decision: the foundation model may operate under one country's law; customer data may be subject to the GDPR, the Australian Privacy Act or other national frameworks; enterprise customers operate across multiple jurisdictions; and the agent executes actions inside those environments without regard for borders.
A system correctly governed at the action boundary, with scope enforcement functioning, may still produce ungoverned consequences at the jurisdictional boundary, where the action takes legal effect in a place the governance architecture does not reach. D3 Contract Infrastructure assesses the contractual layer at this boundary. Accountability here is regulatory: compliance in each jurisdiction where the chain produces consequences. The decision supply chain map must identify each jurisdictional boundary crossed and the governance treatment applied at each crossing.
A distinction applies across the chain. Commodity infrastructure providers, such as cloud compute, storage and network, require different contractual and governance frameworks from decision-participating providers, such as foundation model providers, fine-tuning services and retrieval operators, whose contributions shape the content of the decision. The governance obligation is proportional to a provider's influence on the decision the chain produces.
See the Six Dimensions, in particular D2 Data Sensitivity, for the data provenance assessment, and the Evidence Infrastructure Standard for what a chain-complete record contains.
Why the gap persists
Organisations that deploy autonomous systems often govern the system well and the chain poorly. Three reasons explain the pattern.
Visibility
The autonomous system is the visible technology. The offshore review team and the fractional approver are organisational arrangements, not technology. Governance attention follows technological visibility.
Contractual inertia
Standard contracts were drafted before decision supply chain governance was understood as a requirement. An offshore services agreement adequate for a human review function is not adequate for that same function operating as a link in a chain for an autonomous system making consequential decisions at scale.
Assumption of coverage
Organisations frequently assume their general liability, professional indemnity or technology errors and omissions cover addresses the full chain. It rarely does. Autonomous-action exposure is the liability category that falls into the gaps between existing policies, precisely because the chain that produced the decision was not governed as a chain.
Three principles
Three principles apply to decision supply chain governance regardless of organisational stage.
Govern the chain, not just the system
The autonomous system at the centre is one governance object. The chain is a different and larger one. An organisation that classifies its system against DSI 001 but does not map and govern the chain has addressed a subset of its risk.
Contracts must reflect function
Each link should be governed by a contract that reflects the governance function it actually performs. Standard offshore services agreements and standard fractional executive arrangements were not designed for decision supply chain participation.
Evidence must be chain-complete
The governance record for a decision supply chain is complete only when it covers every link through which the decision travelled. Chain-incomplete evidence records are the most common governance gap identified in DSI 001 assessments. Building that evidence now is substantially less expensive than building it in response to institutional pressure.