Control Framework

GOV: Governance

The Governance domain establishes organizational context through policy, ownership, and oversight requirements. Five controls ensure that agents operate within defined boundaries with clear accountability.

GOV-01 Acceptable Use Policy

Requirement: The organization shall maintain a documented policy defining acceptable uses of AI agents, prohibited actions, and consequences for policy violations.

Rationale: Establishes organizational boundaries for agent deployment and provides a basis for enforcement actions.

Evidence: Policy document with approval signature and distribution records.

Profile: Essential

GOV-02 Ownership Assignment

Requirement: Each deployed agent shall have a designated owner responsible for security configuration, monitoring, and incident response.

Rationale: Ensures accountability and prevents orphaned agents from operating without oversight.

Evidence: Ownership registry with contact information and escalation procedures.

Profile: Essential

GOV-03 Agent Inventory

Requirement: The organization shall maintain a comprehensive inventory of all deployed agents, including capabilities, permissions, and integration points.

Rationale: Enables security assessment and ensures that no agent operates outside the organization's visibility.

Evidence: Inventory database or configuration management system export.

Profile: Standard

GOV-04 Human Oversight Policy

Requirement: The organization shall define criteria for actions requiring human approval and procedures for obtaining such approval.

Rationale: Establishes boundaries for autonomous operation and ensures human control over high-risk actions.

Evidence: Policy document and workflow configuration.

Profile: Standard

GOV-05 Risk Assessment Cadence

Requirement: Agent deployments shall undergo security risk assessment at initial deployment and at defined intervals not exceeding 12 months.

Rationale: Ensures ongoing evaluation as threat landscape and agent capabilities evolve.

Evidence: Risk assessment reports with findings and remediation tracking.

Profile: Elevated
