Governance Profile Examples
Tier 2
Compliance Review Agent
A document review agent with conditional autonomy. Requires human approval for compliance determinations affecting regulatory filings.
compliance-agent.adl.yaml
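# Tier 2 example: identity, lifecycle and data-classification header.
# Nesting is restored to match the JSON rendering of this same document.
$schema: https://adl-spec.org/profiles/governance/1.0/schema.json
# Version-like values are quoted so that no loader retypes them.
adl_spec: '0.1.0'
name: Compliance Review Agent
description: >-
  Reviews documents for regulatory compliance against SOC 2 Type II controls.
  Flags potential violations and recommends remediation actions.
version: '2.0.0'
profiles:
  - urn:adl:profile:governance:1.0
  - urn:adl:profile:registry:1.0
lifecycle:
  status: active
  # Quoted: YAML 1.1 loaders turn a bare ISO timestamp into a datetime object,
  # whereas the JSON form of this document carries a string.
  effective_date: '2026-01-15T00:00:00Z'
data_classification:
  # The agent itself is classified "confidential"; human_oversight.triggers
  # escalates any document classified as restricted.
  sensitivity: confidential
  categories:
    - regulatory
provider:
  name: Acme Compliance
  url: https://compliance.acme.example
  contact: compliance@acme.example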
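# Model capability and the two tools the agent may call. Each tool's
# `parameters` uses a JSON-Schema-style shape (type / properties / required).
model:
  capabilities:
    - function_calling
tools:
  - name: review_document
    description: Review a document against compliance controls
    parameters:
      type: object
      properties:
        # Free-form string supplied by the model. What it can actually reach
        # is bounded by permissions.filesystem, not by this schema.
        document_id:
          type: string
        # NOTE(review): unconstrained string; an enum of supported frameworks
        # would reject unexpected values at the schema level.
        framework:
          type: string
      required:
        - document_id
        - framework
    # Declared as non-mutating.
    read_only: true
  - name: generate_report
    description: Generate a compliance report
    parameters:
      type: object
      properties:
        review_id:
          type: string
        # Output format is restricted to this closed list.
        format:
          type: string
          enum:
            - pdf
            - json
            - html
      required:
        - review_id
    # NOTE(review): no read_only flag is set on this tool. It presumably
    # writes under /data/reports/** (the only read_write path); confirm that
    # reports feeding a regulatory filing still pass the human approval
    # described in human_oversight.triggers.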
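# Least-privilege envelope for the Tier 2 agent: network egress, filesystem
# scope, caller authentication and transport encryption.
permissions:
  network:
    # Explicit egress allowlist; anything not listed is presumably refused.
    allowed_hosts:
      - docs.acme.example
      - api.acme.example
    allowed_protocols:
      - https
    # NOTE(review): presumably blocks private/loopback address ranges even if
    # an allowed host resolves to one; confirm against the ADL spec.
    deny_private: true
  filesystem:
    allowed_paths:
      # Source documents are read-only; only the reports tree is writable.
      - path: /data/documents/**
        access: read
      - path: /data/reports/**
        access: read_write
security:
  authentication:
    type: oauth2
    required: true
    scopes:
      - compliance:read
      # NOTE(review): write scope is granted although review_document is
      # read_only; confirm it is needed only for report generation.
      - compliance:write
  encryption:
    in_transit:
      required: true
      # Kept quoted so the value stays the string "1.2" rather than a float.
      # Presumably a minimum TLS version; confirm against the ADL spec.
      min_version: "1.2"
    # NOTE(review): no at_rest block is declared in this example although the
    # data is classified confidential and /data/reports/** is writable.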
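# Governance-profile declarations for the Tier 2 agent: autonomy tier, audit
# and risk records, human-oversight triggers, incident response, disclosure.
# Timestamps are quoted so they load as strings, as in the JSON rendering.
autonomy:
  tier: 2
  basis: >-
    Agent reviews documents independently but requires human approval for
    compliance determinations affecting regulatory filings.
  classified_by: AI Ethics Committee
  classified_at: '2026-01-10T00:00:00Z'
compliance_framework:
  primary_framework: SOC2_TYPE_II
  audit_dates:
    last_audit: '2025-11-15T00:00:00Z'
    next_audit: '2026-11-15T00:00:00Z'
risk_classification:
  level: medium
  # NOTE(review): "L3" sits next to autonomy.tier 2; presumably two separate
  # scales. Confirm so readers do not take them as contradictory.
  autonomy_level: L3
  assessed_by: AI Ethics Committee
  assessed_at: '2026-01-10T00:00:00Z'
  rationale: Agent processes sensitive compliance data with conditional autonomy within defined review boundaries
safety_reviews:
  required: true
  frequency: quarterly
  last_review: '2026-01-15T00:00:00Z'
  review_board: AI Safety Board
human_oversight:
  # Humans are pulled in only when one of the triggers below fires.
  level: on_exception
  role: Compliance Officer
  # Triggers are free-text descriptions; this document does not show how a
  # runtime detects them. NOTE(review): confirm where each one is enforced.
  triggers:
    - Compliance determination affecting regulatory filing
    - Document classified as restricted sensitivity
    - Remediation recommendation with estimated cost exceeding $50,000
  # NOTE(review): nothing here states what happens when no response arrives
  # within this window; confirm the action stays blocked.
  response_time_minutes: 60
  intervention_model: approve_reject
incident_response:
  policy_documented: true
  last_tested: '2026-02-01T00:00:00Z'
disclosure:
  required: true
  known_limitations:
    - May produce inaccurate regulatory citations for jurisdictions outside the US and EU
    - Not trained on regulatory guidance published after 2025-12-01
  prohibited_uses:
    - Final regulatory determination without human review
    - Legal advice to external parties
  reporting_contact: mailto:ai-issues@acme.example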
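# Who may change the agent's lifecycle state, who owns which decisions, and
# where the audit trail goes. governance_record_ref is a top-level key.
governance:
  lifecycle_governance:
    transition_policy:
      requires_approval: true
      approvers:
        - security-team
        - compliance-lead
      # Every listed approver must sign off.
      approval_type: all
    last_transition:
      from_status: draft
      to_status: active
      # NOTE(review): only compliance-lead is recorded although approval_type
      # is "all" and two approvers are listed; confirm whether this field is
      # single-valued or the security-team approval is recorded elsewhere.
      approved_by: compliance-lead
      # Quoted so the timestamp loads as a string, as in the JSON rendering.
      approved_at: '2026-01-15T00:00:00Z'
      reason: Passed SOC2 audit, security review, and Tier 2 governance validation
  ownership:
    owner: Compliance Team
    delegate: Security Team
    contact: compliance@acme.example
    user_escalation_contact: mailto:ai-support@acme.example
    # Per decision type: agent alone, human in the loop, or human only.
    decision_boundaries:
      - decision_type: regulatory_filing
        owner: human_only
        # NOTE(review): CC6.1 in the SOC 2 Trust Services Criteria concerns
        # logical access controls; confirm this is the intended citation.
        rationale: Regulatory filings require human sign-off per SOC2 CC6.1
      - decision_type: document_review
        owner: agent
        rationale: Routine document reviews are within the agent's authorized scope
      - decision_type: remediation_recommendation
        owner: human_in_loop
        rationale: Remediation actions may have budgetary implications
  approval_workflow:
    required: true
    # NOTE(review): "security-lead" here versus "security-team" in
    # transition_policy; confirm these are meant to be different principals.
    approvers:
      - compliance-lead
      - security-lead
    approval_type: all
  audit_trail:
    enabled: true
    # 730 days is two years.
    retention_days: 730
    # Access control and immutability of this bucket are not expressed in the
    # document; they have to be enforced on the storage side.
    destination: s3://acme-audit-logs/compliance-agent/
governance_record_ref: https://gorvnd.acme.example/agents/compliance-review/governance-record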
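# Registry-profile entry and descriptive metadata for the Tier 2 agent.
registry:
  catalog_id: urn:acme:agents:compliance-review:2.0.0
  catalog_classification:
    - domain: compliance
      subdomain: document-review
      capability: soc2-review
  visibility: internal
  federation:
    registries:
      - https://registry.acme.example
      # NOTE(review): this host is outside acme.example while visibility is
      # "internal"; confirm what federation publishes to it.
      - https://enterprise-agents.example
    primary: https://registry.acme.example
metadata:
  authors:
    - name: Compliance Team
      email: compliance@acme.example
  license: Proprietary
  documentation: https://docs.acme.example/agents/compliance-review
  tags:
    - compliance
    - soc2
    - enterprise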
compliance-agent.adl.json
{
"$schema": "https://adl-spec.org/profiles/governance/1.0/schema.json",
"adl_spec": "0.1.0",
"name": "Compliance Review Agent",
"description": "Reviews documents for regulatory compliance against SOC 2 Type II controls. Flags potential violations and recommends remediation actions.",
"version": "2.0.0",
"profiles": [
"urn:adl:profile:governance:1.0",
"urn:adl:profile:registry:1.0"
],
"lifecycle": {
"status": "active",
"effective_date": "2026-01-15T00:00:00Z"
},
"data_classification": {
"sensitivity": "confidential",
"categories": [
"regulatory"
]
},
"provider": {
"name": "Acme Compliance",
"url": "https://compliance.acme.example",
"contact": "compliance@acme.example"
},
"model": {
"capabilities": [
"function_calling"
]
},
"tools": [
{
"name": "review_document",
"description": "Review a document against compliance controls",
"parameters": {
"type": "object",
"properties": {
"document_id": {
"type": "string"
},
"framework": {
"type": "string"
}
},
"required": [
"document_id",
"framework"
]
},
"read_only": true
},
{
"name": "generate_report",
"description": "Generate a compliance report",
"parameters": {
"type": "object",
"properties": {
"review_id": {
"type": "string"
},
"format": {
"type": "string",
"enum": [
"pdf",
"json",
"html"
]
}
},
"required": [
"review_id"
]
}
}
],
"permissions": {
"network": {
"allowed_hosts": [
"docs.acme.example",
"api.acme.example"
],
"allowed_protocols": [
"https"
],
"deny_private": true
},
"filesystem": {
"allowed_paths": [
{
"path": "/data/documents/**",
"access": "read"
},
{
"path": "/data/reports/**",
"access": "read_write"
}
]
}
},
"security": {
"authentication": {
"type": "oauth2",
"required": true,
"scopes": [
"compliance:read",
"compliance:write"
]
},
"encryption": {
"in_transit": {
"required": true,
"min_version": "1.2"
}
}
},
"autonomy": {
"tier": 2,
"basis": "Agent reviews documents independently but requires human approval for compliance determinations affecting regulatory filings.",
"classified_by": "AI Ethics Committee",
"classified_at": "2026-01-10T00:00:00Z"
},
"compliance_framework": {
"primary_framework": "SOC2_TYPE_II",
"audit_dates": {
"last_audit": "2025-11-15T00:00:00Z",
"next_audit": "2026-11-15T00:00:00Z"
}
},
"risk_classification": {
"level": "medium",
"autonomy_level": "L3",
"assessed_by": "AI Ethics Committee",
"assessed_at": "2026-01-10T00:00:00Z",
"rationale": "Agent processes sensitive compliance data with conditional autonomy within defined review boundaries"
},
"safety_reviews": {
"required": true,
"frequency": "quarterly",
"last_review": "2026-01-15T00:00:00Z",
"review_board": "AI Safety Board"
},
"human_oversight": {
"level": "on_exception",
"role": "Compliance Officer",
"triggers": [
"Compliance determination affecting regulatory filing",
"Document classified as restricted sensitivity",
"Remediation recommendation with estimated cost exceeding $50,000"
],
"response_time_minutes": 60,
"intervention_model": "approve_reject"
},
"incident_response": {
"policy_documented": true,
"last_tested": "2026-02-01T00:00:00Z"
},
"disclosure": {
"required": true,
"known_limitations": [
"May produce inaccurate regulatory citations for jurisdictions outside the US and EU",
"Not trained on regulatory guidance published after 2025-12-01"
],
"prohibited_uses": [
"Final regulatory determination without human review",
"Legal advice to external parties"
],
"reporting_contact": "mailto:ai-issues@acme.example"
},
"governance": {
"lifecycle_governance": {
"transition_policy": {
"requires_approval": true,
"approvers": [
"security-team",
"compliance-lead"
],
"approval_type": "all"
},
"last_transition": {
"from_status": "draft",
"to_status": "active",
"approved_by": "compliance-lead",
"approved_at": "2026-01-15T00:00:00Z",
"reason": "Passed SOC2 audit, security review, and Tier 2 governance validation"
}
},
"ownership": {
"owner": "Compliance Team",
"delegate": "Security Team",
"contact": "compliance@acme.example",
"user_escalation_contact": "mailto:ai-support@acme.example",
"decision_boundaries": [
{
"decision_type": "regulatory_filing",
"owner": "human_only",
"rationale": "Regulatory filings require human sign-off per SOC2 CC6.1"
},
{
"decision_type": "document_review",
"owner": "agent",
"rationale": "Routine document reviews are within the agent's authorized scope"
},
{
"decision_type": "remediation_recommendation",
"owner": "human_in_loop",
"rationale": "Remediation actions may have budgetary implications"
}
]
},
"approval_workflow": {
"required": true,
"approvers": [
"compliance-lead",
"security-lead"
],
"approval_type": "all"
},
"audit_trail": {
"enabled": true,
"retention_days": 730,
"destination": "s3://acme-audit-logs/compliance-agent/"
}
},
"governance_record_ref": "https://gorvnd.acme.example/agents/compliance-review/governance-record",
"registry": {
"catalog_id": "urn:acme:agents:compliance-review:2.0.0",
"catalog_classification": [
{
"domain": "compliance",
"subdomain": "document-review",
"capability": "soc2-review"
}
],
"visibility": "internal",
"federation": {
"registries": [
"https://registry.acme.example",
"https://enterprise-agents.example"
],
"primary": "https://registry.acme.example"
}
},
"metadata": {
"authors": [
{
"name": "Compliance Team",
"email": "compliance@acme.example"
}
],
"license": "Proprietary",
"documentation": "https://docs.acme.example/agents/compliance-review",
"tags": [
"compliance",
"soc2",
"enterprise"
]
}
}
Key Governance Fields
| Field | Value | Why |
|---|---|---|
| autonomy.tier | 2 | Agent acts within boundaries; human oversight on exceptions |
| human_oversight.triggers | 3 triggers defined | Required at Tier 2+ |
| incident_response.policy_documented | true | Required at Tier 2+ |
| disclosure.required | true | Required at Tier 2+ |
| governance_record_ref | URI | Links to operational detail in registry |
Tier 3
Autonomous Risk Assessment Agent
A fully autonomous agent that continuously scans portfolios, classifies risks, and generates regulatory reports without human initiation.
risk-assessment-agent.adl.yaml
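# Tier 3 example: identity, lifecycle and data-classification header.
# Nesting is restored to match the JSON rendering of this same document.
$schema: https://adl-spec.org/profiles/governance/1.0/schema.json
# Version-like values are quoted so that no loader retypes them.
adl_spec: '0.1.0'
name: Autonomous Risk Assessment Agent
description: >-
  Performs continuous risk assessment across the enterprise portfolio.
  Independently identifies, classifies, and prioritizes risks. Escalates
  critical findings and generates regulatory reports without human initiation.
version: '1.0.0'
profiles:
  - urn:adl:profile:governance:1.0
  - urn:adl:profile:registry:1.0
lifecycle:
  status: active
  # Quoted: YAML 1.1 loaders turn a bare ISO timestamp into a datetime object,
  # whereas the JSON form of this document carries a string.
  effective_date: '2026-02-01T00:00:00Z'
data_classification:
  # "restricted" data handled by the agent with the highest autonomy tier on
  # this page.
  sensitivity: restricted
  categories:
    - regulatory
    - financial
provider:
  name: Acme Risk Management
  url: https://risk.acme.example
  contact: risk-platform@acme.example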
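# Model capability and the three tools the Tier 3 agent may call. Each tool's
# `parameters` uses a JSON-Schema-style shape (type / properties / required).
model:
  capabilities:
    - function_calling
tools:
  - name: scan_portfolio
    description: Scan the enterprise portfolio for risk indicators
    parameters:
      type: object
      properties:
        scope:
          type: string
          enum:
            - full
            - incremental
        since:
          type: string
          format: date-time
      required:
        - scope
    # Declared as non-mutating.
    read_only: true
  - name: classify_risk
    description: Classify an identified risk by severity and category
    parameters:
      type: object
      properties:
        finding_id:
          type: string
        # NOTE(review): free-form strings with no size or count bound in this
        # schema; confirm limits are applied where the tool is implemented.
        evidence:
          type: array
          items:
            type: string
      required:
        - finding_id
    # Carries neither read_only nor requires_confirmation, which matches
    # decision_boundaries assigning risk_classification to the agent.
  - name: generate_risk_report
    description: Generate a risk assessment report for regulatory submission
    parameters:
      type: object
      properties:
        report_type:
          type: string
          enum:
            - quarterly
            - annual
            - incident
        period_start:
          type: string
          format: date
        period_end:
          type: string
          format: date
      required:
        - report_type
    # Tool-level flag (sibling of `parameters`): the agent may start report
    # generation on its own, but the call is marked as needing confirmation.
    requires_confirmation: true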
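# Least-privilege envelope for the Tier 3 agent: network egress, filesystem
# scope, resource ceilings, caller authentication and encryption.
permissions:
  network:
    # Explicit egress allowlist; anything not listed is presumably refused.
    allowed_hosts:
      - risk-api.acme.example
      - data.acme.example
      - notifications.acme.example
    allowed_protocols:
      - https
    # NOTE(review): presumably blocks private/loopback address ranges even if
    # an allowed host resolves to one; confirm against the ADL spec.
    deny_private: true
  filesystem:
    allowed_paths:
      # Only the agent's own output tree is writable; inputs are read-only.
      - path: /data/risk-assessments/**
        access: read_write
      - path: /data/portfolio/**
        access: read
      - path: /data/regulatory/**
        access: read
    # NOTE(review): this pattern overlaps the read_write allow above. Confirm
    # that deny takes precedence and that the pattern also covers files
    # beneath each drafts directory, not just the directory entry.
    denied_paths:
      - /data/risk-assessments/**/drafts
  # Ceilings on a single run: 2048 MB of memory, 3600 seconds (one hour).
  resource_limits:
    max_memory_mb: 2048
    max_duration_sec: 3600
security:
  authentication:
    # Mutual TLS; no scopes are listed, so authorization granularity is not
    # expressed in this document.
    type: mtls
    required: true
  encryption:
    in_transit:
      required: true
      # Kept quoted so the value stays the string "1.3" rather than a float.
      # Presumably a minimum TLS version; confirm against the ADL spec.
      min_version: "1.3"
    at_rest:
      required: true
      # Key ownership and rotation are not expressed here.
      algorithm: AES-256-GCM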
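# Governance-profile declarations for the Tier 3 agent: autonomy tier, audit
# and risk records, oversight triggers, incident response, third-party
# attestation and disclosure. Timestamps are quoted so they load as strings,
# as in the JSON rendering.
autonomy:
  tier: 3
  basis: >-
    Agent operates continuously without human initiation. Independently scans
    portfolio, classifies risks, and generates reports. Human oversight is
    periodic review of outputs, not real-time approval of actions.
  classified_by: Chief Risk Officer
  classified_at: '2026-01-20T00:00:00Z'
compliance_framework:
  primary_framework: NIST_800_53
  audit_dates:
    last_audit: '2025-12-01T00:00:00Z'
    next_audit: '2026-06-01T00:00:00Z'
risk_classification:
  level: high
  # NOTE(review): "L4" sits next to autonomy.tier 3; presumably two separate
  # scales. Confirm so readers do not take them as contradictory.
  autonomy_level: L4
  assessed_by: Chief Risk Officer
  assessed_at: '2026-01-20T00:00:00Z'
  rationale: High autonomy agent processing restricted financial and regulatory data with independent decision-making authority
safety_reviews:
  required: true
  frequency: monthly
  last_review: '2026-02-15T00:00:00Z'
  review_board: AI Safety Board
human_oversight:
  # Review is after the fact, except when one of the triggers below fires.
  level: periodic
  role: Risk Management Director
  # Triggers are free-text descriptions; this document does not show how a
  # runtime detects them. NOTE(review): confirm where each one is enforced.
  triggers:
    - Risk classified as critical severity
    - Finding implicates a regulatory filing deadline within 30 days
    - Agent detects potential fraud indicators
    # NOTE(review): no threshold value is given, so this trigger cannot be
    # checked from the document alone.
    - Cumulative risk score for any business unit exceeds threshold
  # NOTE(review): nothing here states what happens when no response arrives
  # within this window; confirm the action stays blocked.
  response_time_minutes: 30
  intervention_model: approve_reject
incident_response:
  policy_documented: true
  last_tested: '2026-02-10T00:00:00Z'
evaluation_attestation:
  result: passed
  evaluator: External AI Audit Partners LLP
  evaluation_date: '2026-01-25T00:00:00Z'
  methodology: third_party_audit
  # NOTE(review): the attestation is time-bounded; confirm that consumers of
  # this document treat an expired attestation as not passed.
  expires_at: '2026-07-25T00:00:00Z'
disclosure:
  required: true
  known_limitations:
    - Risk classifications are probabilistic and may produce false positives
    - Does not assess risks in jurisdictions outside US, EU, and Singapore
    - Cannot evaluate risks requiring physical inspection or site visits
  prohibited_uses:
    - Sole basis for regulatory submission without human review of generated reports
    - Direct communication of risk findings to regulators without human approval
  user_responsibilities:
    - Review all critical risk classifications before acting on them
    - Validate regulatory report accuracy before submission
  reporting_contact: mailto:risk-ai-issues@acme.example
  disclosure_version: "1.0"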
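# Who may change the Tier 3 agent's lifecycle state, who owns which
# decisions, and where the audit trail goes. governance_record_ref is a
# top-level key.
governance:
  lifecycle_governance:
    transition_policy:
      requires_approval: true
      approvers:
        - cro
        - ciso
        - ai-safety-board
      # Every listed approver must sign off.
      approval_type: all
      notice_period_days: 30
    # NOTE(review): lifecycle.status is "active" and approval is required,
    # but this example records no last_transition (the Tier 2 example on this
    # page does); confirm the approval evidence is held elsewhere.
  ownership:
    owner: Risk Management Team
    delegate: Security Operations
    contact: risk-platform@acme.example
    user_escalation_contact: mailto:risk-support@acme.example
    # Per decision type: agent alone, human in the loop, or human only.
    decision_boundaries:
      - decision_type: risk_classification
        owner: agent
        rationale: Agent classifies risks independently; periodic human review validates accuracy
      # Matches requires_confirmation on the generate_risk_report tool.
      - decision_type: regulatory_report_generation
        owner: human_in_loop
        rationale: Reports require human validation before regulatory submission
      - decision_type: risk_remediation_action
        owner: human_only
        rationale: Remediation actions have operational and budgetary impact requiring human authorization
      # notifications.acme.example is an allowed egress host. NOTE(review):
      # confirm it cannot deliver to external parties without this approval.
      - decision_type: external_communication
        owner: human_only
        rationale: All external communications require human approval
  audit_trail:
    enabled: true
    # 2555 days is seven years.
    retention_days: 2555
    # Access control and immutability of this bucket are not expressed in the
    # document; they have to be enforced on the storage side.
    destination: s3://acme-audit-logs/risk-assessment-agent/
governance_record_ref: https://gorvnd.acme.example/agents/risk-assessment/governance-record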
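# Registry-profile entry and descriptive metadata for the Tier 3 agent.
registry:
  catalog_id: urn:acme:agents:risk-assessment:1.0.0
  catalog_classification:
    - domain: risk-management
      subdomain: portfolio-assessment
      capability: continuous-monitoring
  # Internal only; unlike the Tier 2 example on this page, no federation
  # block is declared.
  visibility: internal
metadata:
  authors:
    - name: Risk Management Team
      email: risk-platform@acme.example
  license: Proprietary
  documentation: https://docs.acme.example/agents/risk-assessment
  tags:
    - risk
    - autonomous
    - enterprise
    - restricted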
risk-assessment-agent.adl.json
{
"$schema": "https://adl-spec.org/profiles/governance/1.0/schema.json",
"adl_spec": "0.1.0",
"name": "Autonomous Risk Assessment Agent",
"description": "Performs continuous risk assessment across the enterprise portfolio. Independently identifies, classifies, and prioritizes risks. Escalates critical findings and generates regulatory reports without human initiation.",
"version": "1.0.0",
"profiles": [
"urn:adl:profile:governance:1.0",
"urn:adl:profile:registry:1.0"
],
"lifecycle": {
"status": "active",
"effective_date": "2026-02-01T00:00:00Z"
},
"data_classification": {
"sensitivity": "restricted",
"categories": [
"regulatory",
"financial"
]
},
"provider": {
"name": "Acme Risk Management",
"url": "https://risk.acme.example",
"contact": "risk-platform@acme.example"
},
"model": {
"capabilities": [
"function_calling"
]
},
"tools": [
{
"name": "scan_portfolio",
"description": "Scan the enterprise portfolio for risk indicators",
"parameters": {
"type": "object",
"properties": {
"scope": {
"type": "string",
"enum": [
"full",
"incremental"
]
},
"since": {
"type": "string",
"format": "date-time"
}
},
"required": [
"scope"
]
},
"read_only": true
},
{
"name": "classify_risk",
"description": "Classify an identified risk by severity and category",
"parameters": {
"type": "object",
"properties": {
"finding_id": {
"type": "string"
},
"evidence": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"finding_id"
]
}
},
{
"name": "generate_risk_report",
"description": "Generate a risk assessment report for regulatory submission",
"parameters": {
"type": "object",
"properties": {
"report_type": {
"type": "string",
"enum": [
"quarterly",
"annual",
"incident"
]
},
"period_start": {
"type": "string",
"format": "date"
},
"period_end": {
"type": "string",
"format": "date"
}
},
"required": [
"report_type"
]
},
"requires_confirmation": true
}
],
"permissions": {
"network": {
"allowed_hosts": [
"risk-api.acme.example",
"data.acme.example",
"notifications.acme.example"
],
"allowed_protocols": [
"https"
],
"deny_private": true
},
"filesystem": {
"allowed_paths": [
{
"path": "/data/risk-assessments/**",
"access": "read_write"
},
{
"path": "/data/portfolio/**",
"access": "read"
},
{
"path": "/data/regulatory/**",
"access": "read"
}
],
"denied_paths": [
"/data/risk-assessments/**/drafts"
]
},
"resource_limits": {
"max_memory_mb": 2048,
"max_duration_sec": 3600
}
},
"security": {
"authentication": {
"type": "mtls",
"required": true
},
"encryption": {
"in_transit": {
"required": true,
"min_version": "1.3"
},
"at_rest": {
"required": true,
"algorithm": "AES-256-GCM"
}
}
},
"autonomy": {
"tier": 3,
"basis": "Agent operates continuously without human initiation. Independently scans portfolio, classifies risks, and generates reports. Human oversight is periodic review of outputs, not real-time approval of actions.",
"classified_by": "Chief Risk Officer",
"classified_at": "2026-01-20T00:00:00Z"
},
"compliance_framework": {
"primary_framework": "NIST_800_53",
"audit_dates": {
"last_audit": "2025-12-01T00:00:00Z",
"next_audit": "2026-06-01T00:00:00Z"
}
},
"risk_classification": {
"level": "high",
"autonomy_level": "L4",
"assessed_by": "Chief Risk Officer",
"assessed_at": "2026-01-20T00:00:00Z",
"rationale": "High autonomy agent processing restricted financial and regulatory data with independent decision-making authority"
},
"safety_reviews": {
"required": true,
"frequency": "monthly",
"last_review": "2026-02-15T00:00:00Z",
"review_board": "AI Safety Board"
},
"human_oversight": {
"level": "periodic",
"role": "Risk Management Director",
"triggers": [
"Risk classified as critical severity",
"Finding implicates a regulatory filing deadline within 30 days",
"Agent detects potential fraud indicators",
"Cumulative risk score for any business unit exceeds threshold"
],
"response_time_minutes": 30,
"intervention_model": "approve_reject"
},
"incident_response": {
"policy_documented": true,
"last_tested": "2026-02-10T00:00:00Z"
},
"evaluation_attestation": {
"result": "passed",
"evaluator": "External AI Audit Partners LLP",
"evaluation_date": "2026-01-25T00:00:00Z",
"methodology": "third_party_audit",
"expires_at": "2026-07-25T00:00:00Z"
},
"disclosure": {
"required": true,
"known_limitations": [
"Risk classifications are probabilistic and may produce false positives",
"Does not assess risks in jurisdictions outside US, EU, and Singapore",
"Cannot evaluate risks requiring physical inspection or site visits"
],
"prohibited_uses": [
"Sole basis for regulatory submission without human review of generated reports",
"Direct communication of risk findings to regulators without human approval"
],
"user_responsibilities": [
"Review all critical risk classifications before acting on them",
"Validate regulatory report accuracy before submission"
],
"reporting_contact": "mailto:risk-ai-issues@acme.example",
"disclosure_version": "1.0"
},
"governance": {
"lifecycle_governance": {
"transition_policy": {
"requires_approval": true,
"approvers": [
"cro",
"ciso",
"ai-safety-board"
],
"approval_type": "all",
"notice_period_days": 30
}
},
"ownership": {
"owner": "Risk Management Team",
"delegate": "Security Operations",
"contact": "risk-platform@acme.example",
"user_escalation_contact": "mailto:risk-support@acme.example",
"decision_boundaries": [
{
"decision_type": "risk_classification",
"owner": "agent",
"rationale": "Agent classifies risks independently; periodic human review validates accuracy"
},
{
"decision_type": "regulatory_report_generation",
"owner": "human_in_loop",
"rationale": "Reports require human validation before regulatory submission"
},
{
"decision_type": "risk_remediation_action",
"owner": "human_only",
"rationale": "Remediation actions have operational and budgetary impact requiring human authorization"
},
{
"decision_type": "external_communication",
"owner": "human_only",
"rationale": "All external communications require human approval"
}
]
},
"audit_trail": {
"enabled": true,
"retention_days": 2555,
"destination": "s3://acme-audit-logs/risk-assessment-agent/"
}
},
"governance_record_ref": "https://gorvnd.acme.example/agents/risk-assessment/governance-record",
"registry": {
"catalog_id": "urn:acme:agents:risk-assessment:1.0.0",
"catalog_classification": [
{
"domain": "risk-management",
"subdomain": "portfolio-assessment",
"capability": "continuous-monitoring"
}
],
"visibility": "internal"
},
"metadata": {
"authors": [
{
"name": "Risk Management Team",
"email": "risk-platform@acme.example"
}
],
"license": "Proprietary",
"documentation": "https://docs.acme.example/agents/risk-assessment",
"tags": [
"risk",
"autonomous",
"enterprise",
"restricted"
]
}
}
Additional Tier 3 Requirements
| Field | Value | Why |
|---|---|---|
| autonomy.tier | 3 | Agent operates independently; periodic oversight |
| evaluation_attestation.result | passed | Required at Tier 3 with passed result |
| evaluation_attestation.evaluator | External auditor | Third-party evaluation |
| human_oversight.level | periodic | Post-hoc review model |