AACG Toolkit

A 1-2 page document that captures identity, purpose, authority envelope, consequential actions, monitoring, and containment for each agent or AI system.

Required for every registered agent. Provides at-a-glance governance view.

Enterprise-wide definitions of consequential action classes with default tiers, gates, verification requirements, logging standards, and rollback procedures.

Define once, apply everywhere. Prevents "one-off" rules and makes approvals auditable.

Formal documentation of accepted risks with business justification, controls in place, compensating controls, scope, duration, and approver sign-off.

Required when accepting residual risk for Tier 4-5 systems or when waiving controls.

A 10-item exportable evidence bundle proving governance and control: registry entries, traces, eval results, drill records, and exception status.

Export within hours for customer assurance requests, audits, or incident response.

Step-by-step playbook for agentic incidents: containment, evidence preservation, investigation, rollback, communications, and corrective actions.

Prepare before incidents occur. Cover leakage, unauthorized actions, spoofing, poisoning, chaining runaway, and drift.

ACR/STRIKE-aligned questions for vendor procurement: enforcement, evidence export, connector governance, model updates, data handling, incident response, and testing rights.

Use before purchasing agentic SaaS or AI platforms to ensure governance is implementable.