AI GOVERNANCE
Most AI platforms treat governance as a documentation deliverable. We treat it as part of the runtime. Model risk monitoring, explainability of every output, human oversight as a configurable control, decision audit on every action - all built into how the platform operates, not bolted on for compliance review.
APPROACH
Data governance asks "where is this data, who has access, how is it protected." AI governance asks a different set of questions: how does this model behave, who is accountable for its decisions, what happens when it gets something wrong, how do we know it hasn't drifted, can we explain a specific decision to a regulator or a customer six months from now. We built the platform around those questions.
What "AI governance" often means
A risk policy document. A model inventory spreadsheet. An annual review process. Mostly: documentation produced after the model is built, often by people not involved in building it.
What it actually requires
Continuous: monitoring that catches drift in production. Explainable: a clear chain from input to decision, traceable months later. Reversible: a kill switch you can pull without breaking the rest of the system. Accountable: a logged decision owner for every meaningful action.
What AgentX makes default
Continuous monitoring built into the runtime. Decision logs auto-generated for every agent action. HITL configurable per workflow as a governance control. Kill switches at the agent, workflow, and workspace level - exercisable in seconds, not days.
MODEL RISK
Traditional model risk management was designed for one statistical model doing one job. An AI agent platform has many models - orchestrators, sub-agents, evaluation judges, embedders - each potentially from different providers, updated on different schedules. We treat each model as an inventory item, each version as an artifact, and each deployment as a tracked use case.
MODEL INVENTORY - INVOICE PROCESSING WORKFLOW
Acme Corp · Production · Last validated May 11, 2026
Orchestrator - Anthropic Claude 4.6 Sonnet 2026.04.12 - Routing - Validated May 11
Sub-agent: PO matching - Anthropic Claude 4.6 Sonnet 2026.04.12 - Extraction - Validated May 11
Sub-agent: Code GL - OpenAI GPT-5 mini 2026.05.02 - Coding - Validated May 9
Evaluation judge - Anthropic Claude 4.6 Sonnet 2026.04.12 - Scoring - Validated May 11
Embeddings - OpenAI text-embed-3 2024.01 - Retrieval - Validated Apr 23
CHANGE LOG
May 2 - GPT-5 mini swapped in for GL coding sub-agent. Reason: cost optimization. Validation: re-eval passed (95.2% vs 94.8% baseline). Approved by: M. Torres (Acme Risk).
✓ Every model in production listed in workspace inventory with role, version, validation date
✓ Model version changes trigger automatic re-validation against eval datasets
✓ Change log captures who, what, why, and validation outcome
✓ Quarterly validation cadence by default; triggered validation on any meaningful change
EXPLAINABILITY
Explainability is about decisions, not weights.
We don't claim mechanistic interpretability of the underlying LLM - nobody can honestly claim that today. We do provide explainability at the level a risk committee actually needs: for any specific agent decision, you can reconstruct the input, the knowledge retrieved, the tools called, the sub-agent chain, the reasoning trace, and the final output. Six months later, in an audit, in a regulator's office, in a customer complaint review.
DECISION TRACE - RUN ID: invoke_2026_05_19_kqm7x
TRIGGER → Incoming invoice #INV-0047, $124,500, flagged for approval
RETRIEVAL → Retrieved 3 similar approved invoices from vendor history (avg $118K, same GL code)
REASONING → Within 5% of historical avg, vendor trust score 91/100, PO #PO-2890 exists and matches
DECISION → Approve, route to GL code 4210, notify AP team, log under M. Torres (approval authority)
CONFIDENCE → 0.94 · EVAL SCORE → passed (threshold: 0.85) · LATENCY → 1.2s
What this gives you
✓ A reconstructable record of every agent decision, retained per your retention policy
✓ Exportable in formats your audit and compliance teams use (PDF for audits, JSON for systems)
✓ Linkable from your case management / ticketing / complaint review systems
HUMAN OVERSIGHT
Human-in-the-loop as a governance control, not just a quality gate.
HITL is often discussed as a way to improve agent accuracy. That's true, but secondary. The primary purpose of HITL in a governance-regulated environment is to keep a human accountable for decisions the regulation requires a human to be accountable for. We make HITL a first-class control - configurable per workflow, per risk threshold, per amount, per outcome type.
HITL RULES - INVOICE PROCESSING WORKFLOW
Amount threshold: any invoice > $50,000 requires human review before approval
Pattern exception: new vendor (first 3 invoices) - always requires human approval regardless of amount
Logging: all autonomous approvals logged with rationale and eval score for weekly risk review
CONTINUOUS VALIDATION
Models drift. Production reveals it.
The platform detects it before users do.
LLM providers update models on their own schedules. A model that scored 94% accuracy in March may behave differently in May - even on the same prompts. New document types arrive. New user patterns emerge. The world around the agent shifts. Drift monitoring is how governance survives in production.
DRIFT MONITOR - PO MATCHING SUB-AGENT - ROLLING 30d
Acme Corp · Baseline: 94.8% accuracy (validation, May 11) · Current: 91.2% · Threshold: 90.0%
Status: MONITORING - Within acceptable range. Alert threshold at 90.0% not breached.
Last incident: Apr 23 - vendor B SKU-matching accuracy dropped to 88.1% (below threshold). Auto-alert sent. Cause: upstream data schema change. Resolved: Apr 24 via prompt adjustment.
✓ Continuous accuracy monitoring against production traffic and held-out test sets
✓ Alert thresholds configurable per workflow, per metric, per environment
✓ Automatic workflow hold on threshold breach (configurable - hold, alert-only, or both)
✓ Incident audit trail with root cause, action taken, resolution, validation evidence
ACCOUNTABILITY
Every decision has an owner. Every owner is logged.
The hardest governance question isn't "what did the AI do." It's "who is accountable for what the AI did." Our model: every agent operates under a designated process owner. Every HITL decision is owned by a named reviewer. Every workflow change is approved by an authorized role. Every override is attributed. The audit isn't about catching bad actors - it's about being able to answer a regulator's question six months from now.
What gets attributed:
- Workflow design - process owner at deployment time
- Agent configuration changes - approver per change request
- HITL decisions - reviewer at time of decision
- Override of agent recommendation - reviewer + reason
- Kill switch activation - authorized role + reason
- Production model version changes - risk-team validator
- Test set modifications - eval owner
- Threshold changes - process owner + risk team co-sign
How attribution is enforced:
- SSO-authenticated identity on every action
- Role-based approval workflows for governance-critical changes
- Two-person approval for high-risk configuration changes (configurable)
- Immutable audit log - actions can be added, never modified
- Export to customer SIEM, GRC, or model risk inventory system
- Retention configurable per workspace, default 7 years for governance-critical events
REGULATORY ALIGNMENT
Built to fit the frameworks your team has to comply with.
We do not certify against these frameworks. We build the platform so your team can comply with these frameworks while operating on top of us. The capabilities below are what we provide to support your compliance work - the certification is yours to obtain, with our documentation and controls as inputs.
EU AI Act (High-Risk)
Requires: risk management system, data governance, technical documentation, human oversight, accuracy and robustness. AgentX: model inventory, validation logs, HITL controls, decision traces, drift monitoring all satisfy the core technical requirements for high-risk AI system documentation.
DORA (Digital Operational Resilience Act)
Requires: ICT risk management, incident reporting, operational resilience testing, third-party risk oversight. AgentX: audit logs for all AI operations, kill switch controls for operational continuity, model version pinning for reproducibility, third-party model tracking in inventory.
SR 11-7 (Model Risk Management)
Requires: model development standards, validation independent of development, ongoing monitoring. AgentX: model inventory with validation dates and outcomes, eval judge provides independent scoring, drift monitoring provides continuous performance tracking, change log documents all model substitutions.
MAS / HKMA AI Guidelines
Singapore MAS and HKMA guidelines require explainability, fairness monitoring, and human oversight of AI in financial services. AgentX decision traces, HITL controls, and drift monitoring address the core operational requirements of both frameworks.
GDPR (Automated Decision-Making)
Article 22 requires meaningful information about automated decisions and a right to human review. AgentX decision traces provide the explanation infrastructure; HITL controls provide the human review mechanism. Data minimisation is enforced at the context retrieval layer.
- SSO-authenticated identity on every action
- Role-based approval workflows for governance-critical changes
- Two-person approval for high-risk configuration changes (configurable)
- Immutable audit log — actions can be added, never modified
- Export to customer SIEM, GRC, or model risk inventory system
- Retention configurable per workspace, default 7 years for governance-critical events
HONEST LIMITS
The claims we don't make.
The AI governance category is full of vendors claiming capabilities they can't defend. We're explicit about the things we don't claim - because over-claiming on governance damages your audit more than under-claiming.
✕
Mechanistic interpretability of LLMs
We don't claim to explain *why* a language model produced a specific token. Nobody can honestly claim that today. What we provide is decision-level traceability - input, retrieval, reasoning chain, tools called, output - which is what a regulator or auditor actually asks for.
✕
Regulatory certification against frameworks
We're not SR 11-7 certified, DORA certified, EU AI Act certified, or MAS certified — and neither is anyone else, because most of these frameworks don't have a certification mechanism. We align to them. Your institution certifies its operations on top of us.
✕
Bias guarantees
We don't guarantee an AI system will be free of bias. We provide bias evaluation capability - measurable per use case, per protected attribute - and documentation supporting your fairness assessment. Bias-free is a moving target; measurable bias is a defensible posture.
The other enterprise deep dives.
AI Governance is one of four enterprise pillars. The others cover delivery model, security controls, and infrastructure deployment.
How We Work
Security
Deployment
GET STARTED
See the governance controls in practice.
We'll walk through how AgentX handles model risk, explainability, and audit for your specific use case.
