Agentic AI Transformation

Executive-grade guidance for organisations that need to adopt agentic AI safely, calmly and at scale.


Policies

Governance: 8 Level 3 activities

Linked Level 3 activities

Level 3

AI usage policies

XS

Extend acceptable use into explicit autonomy tiers, defined agent red lines, permitted action classes, tool boundaries, and approval thresholds (and link these to enforcement mechanisms in architecture/policy enforcement)


Level 3

Policy suite uplift across risk taxonomy

M

Update the broader policy suite impacted by agents (eg responsible AI/data ethics, AI usage, privacy, cyber, resilience/operational risk, third-party risk, data quality, model risk/validation) and align definitions/requirements across them


Level 3

Responsible agent rules

S

Move from static principles to scenario-based rules for autonomous choices and trade-offs (eg prioritisation, customer impact, escalation)


Level 3

Compliance framework definitions

S

Expand compliance definitions from “AI use case” to explicit objects - agents, agent bundles, foundation models, connectors, tools, and AI platforms - and define required records, controls, and responsibilities per object


Level 3

Third-party agreements and procurement clauses for agents

S

Update supplier due diligence and contract clauses for agent connectors/tools (data use, logging, breach handling, residency, sub-processors, change notification, audit rights)


Level 3

AI risk appetite statements and autonomy bounds

S

Update risk appetite to include measurable autonomy limits (impact thresholds, decision classes, spend caps, customer harm tolerance, override requirements)


Level 3

Accountability policy and ownership model

S

Extend from “model owner” to defined owners for foundation models, agent service/bundle, solution design, infrastructure design, connector use, and tool ownership with clear obligations


Level 3

Data retention policies (agent memory and traces)

S

Extend retention to agent memory, action traces, and tool outputs, aligned to privacy, evidencing, and dispute requirements
