Governance / L2 detail
Policy enforcement
Linked Level 3 activities
Level 3: Automated policy checks
Enforce constraints at runtime on agent actions and tool calls (allowlists, thresholds, jurisdiction, data sensitivity) rather than relying on post-hoc reviews; implement via a policy decision point that intercepts tool invocations and configuration changes.

Level 3: Policy-as-code
Codify the most operational policies (autonomy tiers/red lines, privacy, security/tool access, resilience, validation/evals, recordkeeping), plus the SOPs that operationalise them, into versioned machine-readable rules.

Level 3: Policy update workflows
Create rapid update mechanisms, with testing and controlled rollout, for policy rules and constraints.

Level 3: Exception handling processes
Define how exceptions are requested, approved, time-bound, monitored, and automatically revoked when they expire, supported by workflow tooling and policy engines.

Level 3: Governance platform (system of record and workflow)
Stand up a governance platform to manage agent inventory/bundles, policies, approvals, monitoring views, and evidence automation (distinct from a “control hub” control library).

Level 3: Policy audit logs (across risk taxonomy areas)
Log policy versions, decisions, enforcement outcomes, and overrides across multiple policy domains (privacy, cyber, resilience, responsible AI), using consistent identifiers.
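As an added illustration (not code from the framework page or from any governance product it describes), the following Python sketch ties together four of the activities listed above: a policy decision point (Automated policy checks) evaluates each tool call against a versioned policy-as-code document (allowlist, threshold, jurisdiction, data sensitivity), honours time-bound exceptions that lapse automatically (Exception handling processes), and writes every decision with consistent identifiers to an audit log (Policy audit logs). All tool names, policy values, exception ids, sensitivity tiers and sample calls are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy-as-code document: versioned, machine-readable tool-access
# rules. Tool names, jurisdictions, tiers and thresholds are illustrative.
POLICY = {
    "policy_id": "tool-access",
    "version": "2024.3",
    "tools": {
        "search_docs": {"jurisdictions": {"EU", "UK", "US"}, "max_sensitivity": "confidential"},
        "send_email": {"jurisdictions": {"EU", "UK"}, "max_sensitivity": "internal"},
        "transfer_funds": {"jurisdictions": {"EU"}, "max_sensitivity": "internal",
                           "thresholds": {"amount": 10_000}},
    },
}
# Unknown sensitivity labels rank as "restricted" so a mislabelled call fails closed.
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class ToolCall:
    call_id: str
    agent_id: str
    tool: str
    args: dict
    jurisdiction: str
    data_sensitivity: str


@dataclass
class PolicyException:
    exception_id: str
    rule: str             # rule id this exception overrides
    tool: str
    agent_id: str
    expires_at: datetime  # time-bound: past this instant the exception is revoked


AUDIT_LOG: list = []  # append-only decision log (in memory for the example)


def violated_rules(call: ToolCall, policy: dict) -> list:
    """Return the rule ids the call violates; an empty list means compliant."""
    tool_policy = policy["tools"].get(call.tool)
    if tool_policy is None:
        return ["tool_allowlist"]
    rules = []
    if call.jurisdiction not in tool_policy["jurisdictions"]:
        rules.append("jurisdiction")
    if SENSITIVITY_RANK.get(call.data_sensitivity, 3) > SENSITIVITY_RANK[tool_policy["max_sensitivity"]]:
        rules.append("data_sensitivity")
    for arg, limit in tool_policy.get("thresholds", {}).items():
        if call.args.get(arg, 0) > limit:
            rules.append(f"threshold:{arg}")
    return rules


def active_exception(exceptions, rule: str, call: ToolCall, now: datetime):
    """Find an unexpired exception scoped to this rule, tool and agent."""
    for exc in exceptions:
        if (exc.rule == rule and exc.tool == call.tool
                and exc.agent_id == call.agent_id and exc.expires_at > now):
            return exc
    return None


def evaluate(call: ToolCall, policy: dict = POLICY, exceptions=(), now: datetime = None) -> dict:
    """Policy decision point: intercept a tool call, decide, and log the decision."""
    now = now or datetime.now(timezone.utc)
    rules = violated_rules(call, policy)
    overrides, outcome = [], "allow"
    for rule in rules:
        exc = active_exception(exceptions, rule, call, now)
        if exc is None:
            outcome = "deny"  # any violation without a live exception denies the call
        else:
            overrides.append(exc.exception_id)
    if outcome == "allow" and overrides:
        outcome = "allow_with_exception"
    decision = {  # consistent identifiers so decisions can be joined across policy domains
        "timestamp": now.isoformat(),
        "call_id": call.call_id, "agent_id": call.agent_id, "tool": call.tool,
        "policy_id": policy["policy_id"], "policy_version": policy["version"],
        "violated_rules": rules, "overrides": overrides, "outcome": outcome,
    }
    AUDIT_LOG.append(decision)
    return decision


def demo() -> list:
    """Run constructed sample calls through the PDP and return their outcomes."""
    t0 = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
    exceptions = [PolicyException("EXC-0042", "threshold:amount", "transfer_funds",
                                  "agent-7", expires_at=t0 + timedelta(days=7))]
    calls = [
        (ToolCall("c1", "agent-7", "transfer_funds", {"amount": 25_000}, "EU", "internal"), t0),
        (ToolCall("c2", "agent-7", "transfer_funds", {"amount": 25_000}, "EU", "internal"), t0 + timedelta(days=8)),
        (ToolCall("c3", "agent-7", "send_email", {}, "US", "confidential"), t0),
        (ToolCall("c4", "agent-7", "search_docs", {"q": "policy"}, "EU", "confidential"), t0),
        (ToolCall("c5", "agent-7", "delete_records", {"table": "orders"}, "EU", "public"), t0),
    ]
    return [evaluate(call, exceptions=exceptions, now=t)["outcome"] for call, t in calls]


if __name__ == "__main__":
    for outcome, entry in zip(demo(), AUDIT_LOG):
        print(entry["call_id"], outcome, entry["violated_rules"], entry["overrides"])
```

The design choice worth noting is that the exception is scoped to a single rule, tool and agent and carries its own expiry, so revocation needs no separate workflow step: the same evaluation that honoured the exception on day one denies the identical call on day eight, and both decisions land in the audit log under the same policy id and version.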