AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

Implementation Layer

AI Governance Controls

Operational controls for real-world enterprise AI systems — organized by domain, mapped to regulations, with maturity levels and implementation guidance.

Not sure where to start? Answer 3 questions and get a tailored compliance action plan.

What applies to me? →
HOC

Human Oversight

Review gates, approval workflows, and override mechanisms for AI decisions.

7 controls

AGT

Agentic AI

Goal constraints, action boundaries, and escalation paths for autonomous AI agents.

24 controls

SEC

Security

Adversarial input defense, prompt injection protection, and model access controls.

5 controls

ALC

Audit & Logging

Immutable records of AI decisions, inputs, outputs, and model versions.

5 controls

CHM

Change Management

Model release governance, version rollback, and change approval workflows.

5 controls

DGC

Data Governance

Training data provenance, privacy controls, and data retention policies.

6 controls

MON

Monitoring & Drift

Performance drift detection, anomaly alerting, and operational dashboards.

6 controls

SAF

Safety & Reliability

Graceful degradation, fail-safe defaults, and reliability under adversarial inputs.

6 controls

IRC

Incident Response

Containment, investigation, and remediation procedures for AI system failures.

6 controls

PRC

Procurement

Third-party AI vendor due diligence, contractual obligations, and offboarding.

15 controls

CMP

Regulatory Compliance

Multi-jurisdiction regulatory mapping, standards monitoring, and compliance architecture for AI systems.

10 controls

BRD

Board & Executive Governance

Board education, committee charters, executive reporting, risk appetite, and enterprise-wide AI governance program design.

9 controls

MGV

Model & Program Governance

Model lifecycle policy, intake and approval workflows, evaluation frameworks, and program-level AI governance maturity.

9 controls

SCT

Sector-Specific & Emerging

Healthcare, insurance, critical infrastructure, national security, and emerging-use-case controls not covered by domain-general frameworks.

9 controls

69 controls matching filters

HOC

Human Oversight

4 controls
AGT

Agentic AI

24 controls
AGT-001
Agenthigh

Agent Permission Boundaries

Apply least-privilege principles to AI agents by explicitly defining and enforcing the tools, APIs, data sources, and actions each agent is authorized to access.

AGT-002
Agentmedium

Agent Prompt Injection Defense

Protect AI agents from prompt injection attacks — adversarial instructions embedded in external content that hijack agent behavior.

AGT-003
Agentmedium

Agent Memory and Context Governance

Define policies governing what AI agents store in memory or persistent context, how long it is retained, who can access it, and under what conditions it is deleted.

AGT-004
Agenthigh

Multi-Agent Trust Hierarchy

Define explicit rules for which agents can instruct, invoke, or delegate authority to other agents in multi-agent systems.

AGT-005
Agentmedium

Human Approval Gate for Irreversible Agent Actions

Require explicit human approval before an AI agent takes actions that are difficult or impossible to reverse, such as sending communications, modifying records, executing transactions, or deleting data.

AGT-006
Agentmedium

Agent Action Audit Trail

Log every tool call, decision step, memory read/write, and external interaction made by an AI agent so that the full action sequence can be reconstructed after the fact.

AGT-007
Agentmedium

Agent Scope and Task Boundaries

Define and enforce the boundaries of what an AI agent is permitted to do, preventing it from expanding its activity beyond its intended purpose.

AGT-008
Agenthigh

Agent Environment Isolation

Run AI agents in isolated execution environments that limit their ability to access host systems, network resources, or data beyond what their task requires.

AGT-009
Agenthigh

Agent and Non-Human Identity Management

Issue every AI agent a distinct, bounded identity with scoped credentials, a defined lifecycle, and access controls — rather than sharing service accounts or running under user identities.

AGT-010
Agentmedium

Agent Knowledge Source Integrity

Validate that documents, databases, and external sources retrieved by AI agents during task execution have not been tampered with, poisoned, or substituted with adversarial content.

AGT-011
Agenthigh

Agent Behavior Monitoring and Anomaly Detection

Continuously monitor deployed agents for behavioral drift, unusual tool call patterns, unexpected resource consumption, and actions outside their defined operational envelope.

AGT-012
Agentmedium

Agent Kill Switch and Emergency Stop

Maintain the operational capability to halt any running agent session, workflow, or agent class immediately — without relying on the agent itself to stop — and recover to a known-safe state.

AGT-013
Agentmedium

Kill-Switch Propagation Testing

Regularly test that halt commands propagate correctly through all subagent layers and parallel orchestration environments, stopping all agent activity within a defined time window.

AGT-014
Agentmedium

Multi-Agent Delegation Chain Logging

Log and attribute every action in a multi-agent system with sufficient detail to trace any action back to its originating instruction, authorized agent, and human principal.

AGT-015
Agentmedium

Agent OAuth Scope Drift Detection

Monitor OAuth token scopes granted to AI agents and alert when scopes exceed the originally authorized set or when new permissions are acquired outside the formal provisioning process.

AGT-016
Agentmedium

Agentic AI Deployment Readiness Assessment

Require a structured pre-deployment readiness assessment for tool-enabled AI agents, verifying that key governance controls are in place and that the agent's impact on connected systems has been evaluated before go-live.

AGT-017
Agentmedium

Agentic Autonomy Expansion Criteria

Define standardized criteria for incrementally widening an AI agent's autonomy thresholds after initial deployment, ensuring that autonomy expansions are deliberate, evidence-based, and approved through the same governance process as initial deployment.

AGT-018
Agentmedium

Agent Data Modification Blast-Radius Containment

Define and enforce limits on the scope of data resources a single AI agent can modify, ensuring that an agent malfunction, misuse, or prompt injection cannot propagate data corruption beyond a bounded and recoverable scope.

AGT-019
Agentmedium

AI Tool and Plugin Supply Chain Risk Assessment

Assess and manage supply chain risk from third-party tools, plugins, and extensions used by AI agents, including AI-generated code committed to production repositories, applying software supply chain security controls at the AI extension layer.

AGT-020
Agentmedium

RAG Retrieval Boundary Controls for Regulated Data

Implement retrieval boundary controls in RAG (retrieval-augmented generation) pipelines to prevent regulated, classified, or out-of-scope data from entering an AI agent's context window, reducing the risk of unauthorized disclosure or cross-contamination of sensitive information.

AGT-021
Agentlow

Human Oversight Classification Rationale Log

Require documented rationale for each decision to classify an agentic AI action as requiring human-in-the-loop (HITL) or human-on-the-loop (HOTL) oversight, creating an auditable record of the reasoning behind oversight design choices.

AGT-022
Agentmedium

Agentic AI Governance Tooling Attestation

Require vendor attestation for platform-level tools used as primary agent oversight controls, validating that telemetry is complete, tamper-evident, and sufficient for governance purposes before the tool is relied upon as a control.

AGT-023
Agenthigh

Agentic AI Security Assessment — CBRN and Cyber Espionage

Conduct a threat-model assessment of agentic AI deployments covering high-consequence misuse vectors, including chemical, biological, radiological, and nuclear (CBRN) facilitation and AI-orchestrated cyber espionage, and implement mitigations proportionate to the identified risk.

AGT-024
Agentmedium

AI Permission Escalation Tabletop Exercise Program

Conduct recurring tabletop exercises that simulate AI agent permission escalation and propagation scenarios, testing whether existing controls contain the escalation, incident response teams can detect and respond effectively, and governance processes are sufficient.

SEC

Security

5 controls
ALC

Audit & Logging

2 controls
CHM

Change Management

3 controls
DGC

Data Governance

3 controls
MON

Monitoring & Drift

2 controls
SAF

Safety & Reliability

6 controls
IRC

Incident Response

6 controls
MGV

Model & Program Governance

7 controls
MGV-001
Agentmedium

AI Model Preview and Staged Release Policy

Establish an internal policy that distinguishes preview and experimental AI system access from approved production deployment, and requires documented governance sign-off at each release stage before a system advances to broader use.

MGV-002
Agentmedium

AI System Intake and Approval Workflow

Define a standardized intake process for all new AI system deployments that captures use case, data classification, risk tier, and ownership before the system enters the organization's environment, with cross-functional approval routing and GRC recordkeeping.

MGV-003
Agentmedium

AI Governance Program Milestone Framework

Define structured governance milestones — evaluated at intervals across a deployment's lifecycle — that must be completed before an AI system advances to the next stage, treating governance readiness as a project dependency rather than a parallel or post-hoc activity.

MGV-004
Agenthigh

Continuous AI Assurance Function Design

Design and operate an ongoing AI assurance function that generates regular evidence of control effectiveness across the AI governance program, moving beyond point-in-time audits to a continuous model that provides the board, regulators, and enterprise customers with current assurance on AI governance posture.

MGV-005
Agentmedium

Generative AI Input Data Classification

Establish a classification policy for data entering generative AI systems as inputs — prompts, context windows, retrieved documents, tool outputs, and conversation history — addressing privacy, confidentiality, and regulatory risks specific to the generative AI input surface that general data classification policies do not cover.

MGV-006
Agenthigh

RAI Benchmark-Aligned Evaluation Framework

Map internal AI system evaluations to published responsible AI benchmarks and standards (HELM Safety, AIR-Bench, FACTS, and equivalents) to produce evaluation evidence that is interpretable against an independent external standard by regulators, auditors, and enterprise customers.

MGV-007
Agentmedium

Emerging AI Modality Classification and Governance Extension

Establish a process for detecting when new AI modalities — ambient AI, multimodal agents, brain-computer interfaces, always-on AI assistants, and other emerging capability types — enter the organization's environment, and for extending governance coverage to those modalities before they are widely deployed.

SCT

Sector-Specific & Emerging

7 controls
SCT-001
Agentmedium

Anthropomorphic and Companion AI Safeguards

Establish design requirements and governance review processes for AI systems that simulate human personality, emotional connection, or companionship, addressing psychological influence risks, minor user protections, and disclosure obligations that apply to AI products designed for ongoing interpersonal interaction.

SCT-002
Agenthigh

Clinical AI Governance Committee Charter

Establish a healthcare-specific AI governance committee with clinical and technical expertise, defined quorum and decision rights, escalation authority over AI systems involved in clinical decision support and patient care, and a review cadence aligned to FDA Software as a Medical Device (SaMD) guidance and applicable state clinical standards.

SCT-003
Agenthigh

Critical Infrastructure AI Risk Assessment and Containment

Define a sector-specific risk assessment process for AI systems deployed in critical infrastructure environments — including energy, water, transportation, and financial market infrastructure — that addresses operational technology (OT) blast-radius containment, consequence-of-failure analysis, and cross-sector dependency risk distinct from standard enterprise AI risk frameworks.

SCT-005
Agenthigh

National Security and Dual-Use AI Risk Assessment

Establish a risk assessment process for AI systems and AI research activities that could constitute dual-use technology — with applications in both commercial and national security or weapons contexts — addressing BIS export control obligations, ITAR compliance for defense applications, dual-use research of concern protocols, and foreign adversarial misuse monitoring.

SCT-006
Agentmedium

Self-Hosted Open-Weight AI Model Governance

Establish an intake policy and governance controls for AI model weights downloaded from public repositories and deployed in the organization's own infrastructure, addressing integrity verification, license compliance, safety evaluation before deployment, and ongoing update management distinct from vendor-hosted AI procurement.

SCT-008
Agentmedium

AI-Specific External Complaints and Redress Mechanism

Design and operate a formal mechanism for external parties — customers, employees, subjects of AI decisions, and members of the public — to submit complaints about AI system outputs or decisions, receive timely responses, access human review of AI-assisted decisions upon request, and obtain meaningful redress where the AI decision was incorrect or unfair.

SCT-009
Agentmedium

AI System Algorithm Register

Design and maintain a standardized register of deployed AI systems — public-facing or internal — that documents each system's purpose, decision scope, risk classification, data inputs, and accountability contacts, meeting emerging algorithmic accountability requirements from the EU AI Act, New York Local Law 144, Amsterdam-model algorithm registers, and equivalent frameworks.