SAIL 2.0

/

AI Policy & Safe experimentation (Plan)

/

Inadequate AI and Agentic Policy

1.1

.

Inadequate AI and Agentic Policy

sail
1.1
Risk

Inadequate AI and Agentic Policy

Description

AI policy lacks critical elements or hasn't been updated to reflect current AI and agentic capabilities, regulations, or organizational changes

Example

AI policy missing agentic deployment guidelines, leading to a coding agent being granted commit and merge authority without an action-authorization framework.

Assets Affected

AI Policy

Agentic Platform

AI App

AI Agent

3rd-Party AI Integration

Mitigation
  • Regular policy review cycles
  • map to current regulation including agentic provisions
  • explicitly cover agent identity, MCP vetting, A2A, and action authorization
  • stakeholder feedback loops
  • version control. classified by class (read-only vs. write, reversible vs. irreversible, autonomous vs. HITL-gated)
  • stakeholder feedback loops
  • version control.
Standards Mapping
  • ISO: A.2.2, A.2.4
  • EU AI Act: Art. 17
  • DASF: Platform 12.6
  • AIUC-1: E010, E012