Agentic AI
Operational controls for agentic AI — with maturity levels, evidence requirements, and implementation guidance.
24 controls
Agent Permission Boundaries
Apply least-privilege principles to AI agents by explicitly defining and enforcing the tools, APIs, data sources, and actions each agent is authorized to access.
Agent Prompt Injection Defense
Protect AI agents from prompt injection attacks — adversarial instructions embedded in external content that hijack agent behavior.
Agent Memory and Context Governance
Define policies governing what AI agents store in memory or persistent context, how long it is retained, who can access it, and under what conditions it is deleted.
Multi-Agent Trust Hierarchy
Define explicit rules for which agents can instruct, invoke, or delegate authority to other agents in multi-agent systems.
Human Approval Gate for Irreversible Agent Actions
Require explicit human approval before an AI agent takes actions that are difficult or impossible to reverse, such as sending communications, modifying records, executing transactions, or deleting data.
Agent Action Audit Trail
Log every tool call, decision step, memory read/write, and external interaction made by an AI agent so that the full action sequence can be reconstructed after the fact.
Agent Scope and Task Boundaries
Define and enforce the boundaries of what an AI agent is permitted to do, preventing it from expanding its activity beyond its intended purpose.
Agent Environment Isolation
Run AI agents in isolated execution environments that limit their ability to access host systems, network resources, or data beyond what their task requires.
Agent and Non-Human Identity Management
Issue every AI agent a distinct, bounded identity with scoped credentials, a defined lifecycle, and access controls — rather than sharing service accounts or running under user identities.
Agent Knowledge Source Integrity
Validate that documents, databases, and external sources retrieved by AI agents during task execution have not been tampered with, poisoned, or substituted with adversarial content.
Agent Behavior Monitoring and Anomaly Detection
Continuously monitor deployed agents for behavioral drift, unusual tool call patterns, unexpected resource consumption, and actions outside their defined operational envelope.
Agent Kill Switch and Emergency Stop
Maintain the operational capability to halt any running agent session, workflow, or agent class immediately — without relying on the agent itself to stop — and recover to a known-safe state.
Kill-Switch Propagation Testing
Regularly test that halt commands propagate correctly through all subagent layers and parallel orchestration environments, stopping all agent activity within a defined time window.
Multi-Agent Delegation Chain Logging
Log and attribute every action in a multi-agent system with sufficient detail to trace any action back to its originating instruction, authorized agent, and human principal.
Agent OAuth Scope Drift Detection
Monitor OAuth token scopes granted to AI agents and alert when scopes exceed the originally authorized set or when new permissions are acquired outside the formal provisioning process.
Agentic AI Deployment Readiness Assessment
Require a structured pre-deployment readiness assessment for tool-enabled AI agents, verifying that key governance controls are in place and that the agent's impact on connected systems has been evaluated before go-live.
Agentic Autonomy Expansion Criteria
Define standardized criteria for incrementally widening an AI agent's autonomy thresholds after initial deployment, ensuring that autonomy expansions are deliberate, evidence-based, and approved through the same governance process as initial deployment.
Agent Data Modification Blast-Radius Containment
Define and enforce limits on the scope of data resources a single AI agent can modify, ensuring that an agent malfunction, misuse, or prompt injection cannot propagate data corruption beyond a bounded and recoverable scope.
AI Tool and Plugin Supply Chain Risk Assessment
Assess and manage supply chain risk from third-party tools, plugins, and extensions used by AI agents, including AI-generated code committed to production repositories, applying software supply chain security controls at the AI extension layer.
RAG Retrieval Boundary Controls for Regulated Data
Implement retrieval boundary controls in RAG (retrieval-augmented generation) pipelines to prevent regulated, classified, or out-of-scope data from entering an AI agent's context window, reducing the risk of unauthorized disclosure or cross-contamination of sensitive information.
Human Oversight Classification Rationale Log
Require documented rationale for each decision to classify an agentic AI action as requiring human-in-the-loop (HITL) or human-on-the-loop (HOTL) oversight, creating an auditable record of the reasoning behind oversight design choices.
Agentic AI Governance Tooling Attestation
Require vendor attestation for platform-level tools used as primary agent oversight controls, validating that telemetry is complete, tamper-evident, and sufficient for governance purposes before the tool is relied upon as a control.
Agentic AI Security Assessment — CBRN and Cyber Espionage
Conduct a threat-model assessment of agentic AI deployments covering high-consequence misuse vectors, including chemical, biological, radiological, and nuclear (CBRN) facilitation and AI-orchestrated cyber espionage, and implement mitigations proportionate to the identified risk.
AI Permission Escalation Tabletop Exercise Program
Conduct recurring tabletop exercises that simulate AI agent permission escalation and propagation scenarios, testing whether existing controls contain the escalation, incident response teams can detect and respond effectively, and governance processes are sufficient.
