Governance

Extend model risk assessment to include action risk, control dependency risk, systemic interaction risk (multi-agent/tool chains), and operational resilience risk

Extend acceptable use into explicit autonomy tiers, defined agent red lines, permitted action classes, tool boundaries, and approval thresholds (and link these to enforcement mechanisms in architecture/policy enforcement)

Enforce constraints at runtime on agent actions/tool calls (allowlists, thresholds, jurisdiction, data sensitivity), not post-hoc reviews; implement via a policy decision point intercepting tool invocation and configuration changes

Move from prompt tests to agent evaluations including tool-use, multi-step plans, trajectory correctness, and failure-mode behaviour

Clarify which committees approve what for autonomous actions and cross-domain tool access, beyond standard GenAI oversight

Define who approves autonomy levels, tool integrations, policy exceptions, and go-live, not just who owns the model

Expand portfolio triage to include agentic risk indicators (autonomy, tool access, action impact, resilience dependencies) and value indicators (throughput, cycle time, quality uplift), and use it to drive the required mitigations/controls

Map agent workflows/actions to applicable rules (recordkeeping, Consumer Duty, operational resilience, etc), not only model use

Establish traceability linking each agent bundle and action class to accountable humans and committees

Track realised value vs expected and incremental value attributable to autonomy (cycle time, throughput, error reduction, avoided escalations), alongside safety KRIs (incidents, overrides, drift)

Expand the existing AI/Responsible AI committee remit to include agentic AI and review membership to reflect deeper IT and operational involvement

Move from “how was this answer generated” to “why did the agent act” with action-level rationales and evidence links (supported by technology instrumentation)

Shift from static output bias checks to monitoring fairness of autonomous decisions and impacts (allocations, prioritisation, service levels) over time

Define where humans must approve/override autonomous actions (by action class and impact), not merely review generated content

Update the broader policy suite impacted by agents (eg responsible AI/data ethics, AI usage, privacy, cyber, resilience/operational risk, third-party risk, data quality, model risk/validation) and align definitions/requirements across them

Codify the most operational policies (autonomy tiers/red lines, privacy, security/tool access, resilience, validation/evals, recordkeeping) plus the SOPs that operationalise them, into versioned machine-readable rules

Expand logs from prompts/outputs to full action traces (inputs, tools, decisions, state, approvals) with consistent identifiers across systems

Maintain continuously updated evidence (policies, tests, logs, approvals, monitoring), enabled by automated evidence pipelines

Update existing escalation paths to include agent boundary violations, kill-switch invocation, and tool misuse scenarios

Upgrade playbooks to include agent disablement, tool credential rotation, rollback bundles, and customer remediation

Create rapid update mechanisms with testing and controlled rollout for policy rules and constraints

Define decision flows for go-live approvals, exception approvals, and incident decisions while preserving the ability to use ad hoc escalation when needed

Move from static principles to scenario-based rules for autonomous choices and trade-offs (eg prioritisation, customer impact, escalation)

Expand the enterprise control library to include agent-specific controls (ring-fencing, tool governance, eval thresholds, monitoring) and automate control selection/application by risk tier and agent classification

Shift ownership from “IT and data science innovation” to accountable business owners for agent outcomes and customer impact (with IT/data as delivery partners)

Expand compliance definitions from “AI use case” to explicit objects - agents, agent bundles, foundation models, connectors, tools, and AI platforms - and define required records, controls, and responsibilities per object

Define minimum monitoring for agent fleets (KPIs, KRIs, alert thresholds, evidencing, sampling regimes, response SLAs) and how it is operated

Define how exceptions are requested, approved, time-bound, monitored, and automatically revoked when expired, supported by workflow tooling and policy engines

Tie objectives to safe autonomy outcomes (quality, controls adherence, incident rates), not just delivery

Extend observability to include autonomy patterns, tool selection, boundary hits, override rates, and drift triggers, not only model accuracy

Stand up a governance platform to manage agent inventory/bundles, policies, approvals, monitoring views, and evidence automation (distinct from a “control hub” control library)

Add operational rhythms for agent fleets (observability, KRIs, incidents, drift, overrides, value metrics), not occasional reporting

Move from prompt edge cases to simulation of real workflows, adversarial tool inputs, cascading failures, and boundary violations (ideally executed in a controlled sandbox)

Update supplier due diligence and contract clauses for agent connectors/tools (data use, logging, breach handling, residency, sub-processors, change notification, audit rights)

Update risk appetite to include measurable autonomy limits (impact thresholds, decision classes, spend caps, customer harm tolerance, override requirements)

Govern and test degrade modes (stop, revert to human, limited autonomy), not just infrastructure failover

Log policy versions, decisions, enforcement outcomes, and overrides across multiple policy domains (privacy, cyber, resilience, responsible AI) with consistent identifiers

Combine pre-mortems and unintended consequence scanning into structured ceremonies (ethical purpose, explainability, and control-breakdown workshops) focused on autonomous action pathways

Extend from “model owner” to defined owners for foundation models, agent service/bundle, solution design, infrastructure design, connector use, and tool ownership with clear obligations

Extend retention to agent memory, action traces, and tool outputs, aligned to privacy, evidencing, and dispute requirements