VORIM

EU AI Act Scorecard

Where does your AI agent governance actually stand?

10 questions. 3 minutes. Personalized report on where your AI agent governance stands against EU AI Act requirements.

Heads-up: The May 7 omnibus deal pushed high-risk obligations to December 2027 / August 2028. The deadline shifted; the structural compliance ask did not.
1 of 10 · identity
Does every AI agent in your organization have its own unique cryptographic identity (not a shared service account or API key)?
Per-agent identity is the foundation of any audit trail. Shared API keys or service accounts make it impossible to attribute actions to a specific agent.
2 of 10 · audit
Are your AI agent audit logs tamper-evident — meaning you can prove they have not been modified after the fact?
EU AI Act Article 12 requires records that allow ex-post verification. SQL audit tables alone do not meet this bar; hash-linked or signed audit chains do.
3 of 10 · permissions
Are AI agent permissions scoped narrowly (least privilege) and time-bounded (auto-expire), rather than long-lived broad access?
Time-bounded scoped permissions limit blast radius. Long-lived shared credentials are a known anti-pattern in agentic systems.
4 of 10 · governance
Can a human reviewer pause, revoke, or intervene in an AI agent action in real time — and is that intervention itself logged?
Article 14 requires effective human oversight for high-risk AI systems. Theoretical oversight without working revocation is not effective.
5 of 10 · audit
Can a regulator or auditor verify your AI agent records independently — without being granted privileged access to your production database?
Records that only your team can read or vouch for are weaker evidence in an audit. Cryptographically signed exports a regulator can verify offline are stronger.
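As an added illustration of the bar questions 2 and 5 describe (hash-linked, signed records that an auditor can check offline), and not VORIM's code: each record carries the previous record's hash and an Ed25519 signature over its own hash, so an after-the-fact edit or deletion is detectable, and `Verify` needs only the exported chain plus the signer's public key, never production database access. The `Record`, `Append` and `Verify` names and the JSON layout are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Record is one audit entry. Prev holds the previous record's hash, so editing or
// deleting an earlier record breaks every later link; Sig is the log signer's
// Ed25519 signature over Hash, checkable by an auditor with only the public key.
type Record struct {
	Agent  string `json:"agent"` // per-agent identity, never a shared key
	Action string `json:"action"`
	Prev   string `json:"prev"`
	Hash   string `json:"hash"`
	Sig    string `json:"sig"`
}
// recordHash covers every field except Hash and Sig; the fixed struct field
// order keeps the JSON encoding canonical.
func recordHash(r Record) string {
	r.Hash, r.Sig = "", ""
	b, _ := json.Marshal(r)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}
// Append chains a new record to the previous hash and signs it.
func Append(chain []Record, priv ed25519.PrivateKey, agent, action string) []Record {
	prev := "genesis"
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	r := Record{Agent: agent, Action: action, Prev: prev}
	r.Hash = recordHash(r)
	r.Sig = hex.EncodeToString(ed25519.Sign(priv, []byte(r.Hash)))
	return append(chain, r)
}
// Verify needs only the exported chain and the public key, not database access.
// It returns the index of the first bad record, or -1 if the chain is intact.
func Verify(chain []Record, pub ed25519.PublicKey) int {
	prev := "genesis"
	for i, r := range chain {
		sig, err := hex.DecodeString(r.Sig)
		if err != nil || r.Prev != prev || r.Hash != recordHash(r) ||
			!ed25519.Verify(pub, []byte(r.Hash), sig) {
			return i
		}
		prev = r.Hash
	}
	return -1
}
```

Truncating the newest records is the one change a bare chain cannot see on its own; publishing the latest hash to the auditor (or a third party) at a fixed cadence closes that gap.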
6 of 10 · risk
Have you classified your AI agents by risk category (e.g. high-risk under Annex III, limited-risk under Article 50, etc.) and documented why?
The AI Act applies different obligations by risk class. Operating without an explicit classification means you cannot defend any compliance claim.
7 of 10 · governance
Do you have documented data governance policies covering how AI agents access, process, and retain personal data?
Article 10 requires data governance for high-risk AI systems. It overlaps heavily with GDPR, but agent-specific extensions matter for systems that act autonomously.
8 of 10 · transparency
When an AI agent acts on behalf of a user, can the affected user understand and (if needed) challenge that action after the fact?
Article 13 requires transparency to deployers and affected persons. Internal logs alone do not satisfy this if affected users cannot access their own record.
9 of 10 · identity
When your AI agent transacts with another company's system, can that counterparty verify your agent's identity without trusting your vendor?
Cross-organization agent transactions need a neutral verification layer. Vendor-locked verification creates a single point of failure for every counterparty.
10 of 10 · governance
If an AI agent caused an incident at 02:00 tomorrow, could you produce — within an hour — an exportable audit bundle showing exactly what happened, when, and under whose authority?
Article 26 requires deployers to keep logs and produce them on request. Sub-day response capability is the practical bar regulators are converging on.