Platform Agentic
Compliance, governance, and accountability for teams building agentic AI systems.
Part 1 — For the Business

The Landscape

2. Know Your Risk Level
How to classify your agents by risk — and why that classification determines everything else about your compliance obligations.
1749 words · 9 min

3. Vendor and Model Governance
Your compliance obligations extend to every vendor in the agent's chain — including your model provider. What BAAs, DPAs, and vendor assessments look like when the vendor is an LLM.
3059 words · 15 min
Your Obligations

4. Transparency and the Right to Know
What users, regulators, and auditors must be able to see — and why no framework tolerates a black box acting on real data with real consequences.
2597 words · 13 min

5. Data Rights and Minimisation
Why agents that fetch broad context "because it might be useful" are a liability — and what GDPR, HIPAA, and PCI-DSS all say about it.
2392 words · 12 min

6. Audit, Evidence, and Accountability
The log is the evidence — what every framework requires you to record, who must own it, and why "the model decided" is never a sufficient answer.
2904 words · 15 min
From Understanding to Action

7. The Five Principles
Across every framework, five obligations keep reappearing. Get these right and you are most of the way there — regardless of which regulations apply to you.
1150 words · 6 min

8. Your Governance Roadmap
A practical five-step starting point for business teams who need to move from understanding to action — and know exactly what to do on Monday morning.
1760 words · 9 min
Part 2 — For the Developer

Design Time

9. The Architecture of a Compliant Agent
A shared blueprint — components, data flows, and trust boundaries every compliant agent system must define.
2508 words · 13 min

10. Risk Classification and System Boundaries
How to define and enforce the boundaries of what your agent system is — and what it is not allowed to become.
2250 words · 11 min

11. Identity, Access, and Authorization
How to design agent identity, scope permissions, and enforce access control across systems and users.
1561 words · 8 min

12. What Agents Are Allowed to Do — Permission Models and Action Boundaries
Designing the action layer — what agents can call, write, send, and execute, and how to enforce those limits.
1513 words · 8 min

13. Securing the Model Layer
Prompt injection, hallucination, and non-determinism — compliance risks unique to LLM-based agents and how to mitigate them.
1640 words · 8 min
Runtime

14. Audit Trails and Explainability
Building logs that satisfy auditors — what to capture, how to structure it, and how to make agent decisions explainable.
1682 words · 8 min

15. Data Handling — Retention, Minimization, Encryption
How agents must handle data in motion and at rest — what to keep, what to drop, and how to protect it.
1484 words · 7 min

16. Human-in-the-Loop — When Agents Must Stop and Ask
Designing escalation and approval flows — the engineering patterns that keep humans appropriately in control.
2016 words · 10 min

17. Testing, Validation, and Ongoing Monitoring
Evals, regression testing, and production monitoring — building the discipline that compliance requires over time.
2112 words · 11 min

18. Incident Response for Agentic Systems
What to do when an agent does something wrong — detection, containment, root cause, and regulatory notification.
1929 words · 10 min