Risk
Missing Autonomy-Level Classification
Description
Agents lack a documented autonomy tier (e.g., supervised, semi-autonomous, fully autonomous) that drives the intensity of controls, oversight, and human-in-the-loop requirements.
Example
A fully autonomous agent with merge authority is deployed under the same control regime as a supervised summarization assistant, with no required human approval gates.
Assets Affected
AI Policy
AI Agent
Agent Config
Mitigation
- Define agent autonomy tiers in policy
- map control intensity (HITL, action authorization, sandboxing) to each tier
- document and review tier classification per agent.
Standards Mapping
- ISO: A.5.2, Clause 6.1.2
- OWASP agentic: ASI10
- EU AI Act: Art. 6, Art. 14
- DASF: Agents-Core 13.7
- AIUC-1: C001