Risk
Inadequate AI and Agentic Policy
Description
AI policy lacks critical elements or hasn't been updated to reflect current AI and agentic capabilities, regulations, or organizational changes
Example
AI policy missing agentic deployment guidelines, leading to a coding agent being granted commit and merge authority without an action-authorization framework.
Assets Affected
AI Policy
Agentic Platform
AI App
AI Agent
3rd-Party AI Integration
Mitigation
- Regular policy review cycles
- map to current regulation including agentic provisions
- explicitly cover agent identity, MCP vetting, A2A, and action authorization
- stakeholder feedback loops
- version control. classified by class (read-only vs. write, reversible vs. irreversible, autonomous vs. HITL-gated)
- stakeholder feedback loops
- version control.
Standards Mapping
- ISO: A.2.2, A.2.4
- EU AI Act: Art. 17
- DASF: Platform 12.6
- AIUC-1: E010, E012