Last updated: April 3, 2026

AI Governance Readiness Checklist

This checklist guides enterprises through the preparation required to deploy AI agents in production. Use it to identify gaps in your governance, compliance, and operational readiness. The checklist includes over 50 specific items organized by phase. Track your progress as you work through each section. This resource is designed to be bookmarked and referenced throughout your deployment project.

Your Progress: 0 of 0 items completed

Pre-Deployment: Risk Assessment and Policy Definition

Before deploying an agent, establish the governance framework that will control it.

Identify the agent's intended function Document what the agent is authorized to do. Example: "Process expense reports under 5000 dollars".
Map the agent's data access requirements List all data sources the agent needs to read. Categorize each as public, internal, or sensitive. Estimate the volume of data the agent will access daily.
List the systems the agent will integrate with Document every service, API, or database the agent will connect to. For each, note whether communication will be read-only or write-enabled.
Identify stakeholders who could be affected by agent actions Who will the agent's decisions impact? Employees? Customers? Regulators? Partners? List each category.
Conduct a threat model for the agent What could go wrong? Prompt injection? Data exfiltration? Unauthorized decisions? Document at least five realistic threat scenarios.
Define tiers for agent authorization Classify agent actions into tiers based on risk: Tier 1 (low-risk, auto-approved), Tier 2 (moderate, manager approval), Tier 3 (high-risk, compliance review), Tier 4 (critical, multi-signature required).
Document approval workflows for each tier Who approves tier-2 requests? Who approves tier-3? How long do they have to approve? What happens if approval times out?
Identify skill categories the agent will use What capabilities does the agent need? Email sending? Data transformation? External API calls? List each skill that will be enabled.
Define data classification for agent processing Establish tiers: Public (can be logged), Internal (restricted logging), Confidential (minimal logging), Secret (no logging). Assign each data source to a tier.
Identify regulatory requirements that apply GDPR? SOC 2? HIPAA? NIST? List all frameworks the agent must satisfy. For each framework, document the key requirements.
Establish the incident response team Designate roles: incident commander, security lead, operations lead, compliance liaison. Schedule a call to walk through the incident response plan before deployment.
Get executive sign-off on the risk assessment Risk acceptance must be documented and approved by leadership. Do not deploy without explicit approval of known risks.

Runtime: Execution Gating and Monitoring

During agent operation, enforce policies and monitor for anomalies.

Deploy the policy bundle to the agent platform Load the tier definitions, skill authorizations, and approval workflows into the governance platform. Validate that the policy is correctly parsed and enforced.
Configure execution gating for the agent Set up mechanical controls that reject policy violations before they execute. Test that tier-2 actions are gated and require approval before proceeding.
Enable comprehensive action logging Capture every action the agent attempts. For each action, log: request time, action type, target resource, authorization decision, approval chain, result.
Set up real-time monitoring dashboards Create dashboards showing: authorization requests per hour, approval rates by tier, error rates, external communication attempts, tier escalations. Update dashboards every minute.
Configure alert thresholds for anomalies Set alerts for: 50% increase in tier escalations, 10% error rate, unauthorized data access attempts, external communications to unapproved endpoints, latency above 3 sigma baseline.
Create a user-reporting channel Set up a Slack channel or ticket form where users can report unexpected agent behavior. Monitor this channel continuously. Respond to reports within 15 minutes.
Establish authority receipt generation Confirm that cryptographic receipts are being generated for all authorization decisions. Verify that receipts are being signed and timestamped. Validate that the receipt chain is cryptographically verifiable.
Configure data access controls Implement tier-based data access gates. Test that the agent cannot read data above its authorized tier. Verify that confidential data is hidden from agent attempts to access it.
Set up approval workflow notifications Configure approvers to receive notifications when tier-2 or higher requests need their attention. Set escalation rules for approvals that are pending too long.
Test emergency tier elevation Practice elevating the agent to lockdown tier where all actions require approval. Ensure the process can be executed in under 5 minutes. Document the specific commands needed.
Test emergency skill revocation Practice removing a skill from the agent's authorization. Verify that the agent can no longer invoke the revoked skill. Ensure the change deploys within 2 minutes.
Configure automated compliance metrics Set up reports that compute: percentage of actions with proper authorization, approval times by tier, tier escalation frequency, denied request rate. Generate these metrics daily.
Enable request tracing for debugging Ensure that you can follow a single request through the entire execution pipeline: initial input, intent canonicalization, authorization check, execution, result logging. Make tracing accessible to operations team.
Test deterministic execution Send the same request to the agent multiple times. Verify that it produces identical results every time. This proves the agent is operating deterministically, not stochastically.

Compliance: Regulatory Mapping and Audit Preparation

Ensure that your governance approach satisfies regulatory requirements.

Map NIST AI RMF requirements to your implementation For each of the four core functions (Govern, Map, Measure, Manage), document how your governance system satisfies NIST requirements. Create a mapping table.
Map SOC 2 criteria to your implementation For each of the five trust service criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy), document the controls you have implemented. Reference authority receipts as evidence.
Document your agent governance policy Create a formal policy document describing how the agent is governed. Include: tier definitions, approval workflows, data access rules, incident response procedures. This document will be reviewed by auditors.
Create the authority receipt chain documentation Explain how receipts are generated, signed, and stored. Explain why receipts are cryptographically verifiable. Provide sample receipts for auditor review.
Prepare an audit evidence package Collect sample authority receipts, logs, monitoring dashboards, and policy documents. Organize them by regulatory criterion so that an auditor can easily find evidence for each requirement.
Identify gaps between current state and compliance requirement For each regulatory framework you must satisfy, list what you have implemented and what is still missing. Create a remediation plan for each gap with a target completion date.
Document data handling procedures for personal data If the agent processes personal data (names, emails, account numbers), document what personal data it accesses, how long it is retained, who can access it, and how subject access requests are handled.
Establish a compliance review schedule Schedule monthly reviews where the governance team verifies that policies are in effect and controls are operating. Document these reviews. Auditors will look for evidence of continuous compliance monitoring.
Create incident reporting templates Define what information must be documented when an incident occurs. Include: start time, detection time, root cause, impact, remediation actions, lessons learned. This makes incident reporting consistent.
Plan for compliance certification If you need SOC 2 or other certification, schedule an audit for 6 months out. Work with auditors to understand what evidence they will require. Start collecting evidence immediately.
Prepare data breach response procedures Document what happens if the agent causes a data breach (personal data is exposed). Who needs to be notified? How quickly? What regulatory notifications are required? Create a decision tree for different breach scenarios.
Document change management for policy updates Establish a process for updating the agent's policy. This process should require: version numbering, documentation of what changed, who approved the change, when it was deployed, audit trail of the deployment.
Assign a compliance owner Designate a single person responsible for maintaining compliance. This person is accountable to leadership for compliance status and acts as the primary contact for auditors.

Ongoing: Policy Evolution and Continuous Improvement

Maintain governance as the agent operates and the business evolves.

Review authority receipt metrics weekly Examine this week's metrics: authorization requests, approval times, tier escalations, error rates. Compare to baseline. Investigate any significant deviations.
Conduct monthly policy review meetings Gather the governance team (security, operations, compliance, business owner) to review whether the current policy is appropriate. Discuss: Are tiers correct? Should any skills be restricted or enabled? Are there new risks?
Maintain a skill catalog Document every skill the agent uses: what it does, what tier it is gated at, what data it accesses, what downstream systems it impacts. Update this catalog when skills are added or modified.
Update the threat model quarterly Revisit the initial threat model. Are the threats still valid? Have new threats emerged? Are you aware of any new attack techniques that could apply? Update the threat model and adjust policies accordingly.
Track policy version history Maintain a clear version history of all policy changes. For each version: list what changed, who approved it, when it was deployed, why it was necessary. This history satisfies compliance audits.
Establish a tier elevation appeal process If an agent's request is denied, how does the business owner appeal? Create a process where they can request tier elevation, justify the business need, and have compliance review it.
Train staff on governance procedures Conduct quarterly training for the operations and approval team. Cover: how to approve requests, how to detect anomalies, how to report incidents, how the incident response plan works.
Conduct governance drills Simulate an agent incident twice per year. Practice: detecting the incident, containing it, investigating it, remediating it, reporting it. Time the response. Identify what can be improved.
Review and update incident response playbook After each incident, update the playbook with lessons learned. After each drill, update procedures that were slow or unclear. Keep the playbook current and realistic.
Monitor regulatory developments Stay aware of emerging AI governance regulations. Subscribe to regulatory update services. When new requirements appear, assess whether your governance system can satisfy them.
Plan for scaling the agent If the agent will be deployed to new use cases, new data, or new teams, plan how governance will scale. Will the same tier structure work? Do you need new approval workflows?
Document lessons learned from incidents Every incident provides a learning opportunity. Document what happened, why it happened, and what changed as a result. Share these lessons with the team and with auditors.
Maintain an inventory of agent capabilities Keep an up-to-date list of what the agent is authorized to do. When business requirements change, update this inventory and assess whether policy changes are needed.
Plan annual compliance certifications If you need SOC 2 or other annual certifications, plan the audit timeline now. Understand what the auditor will need and ensure you are collecting that evidence continuously.
Continuously benchmark against governance standards Compare your governance implementation against NIST AI RMF, industry standards, and peer organizations. Identify best practices you can adopt. Share your own best practices with the community.

The Checklist is Your Foundation

Use this checklist to guide your entire AI agent deployment. Check off items as you complete them. When you are ready to deploy, every item in Pre-Deployment and Runtime should be checked. Compliance and Ongoing items will be worked through as the agent operates. Request Early Access

Related Resources