Most enterprises that have shipped AI agents to production cannot tell you who owns each one, what it's authorized to do, or what happens when its builder leaves. This framework closes that gap. Six disciplines. Six principles. The same governance discipline HR has applied to human employees, translated into language that fits a category of worker we never used to need it for.
Operate an AI agent workforce with the same discipline you apply to your human workforce — known, owned, governed, monitored — so that every agent in production has a charter, every lifecycle event has a process, and every audit question has an answer.
Every other section of this framework serves that single objective.
Ask a mid-sized enterprise how many AI agents they have in production. You will get four different answers from four different leaders, and someone will eventually mention the LangChain experiment that's been running on a forgotten server for a year and is, somehow, still answering customer emails.
That experiment isn't a security incident yet, but it's also not not one. Nobody knows what it's authorized to do. Nobody knows what it's actually been doing. The builder left in March. Nobody picked it up.
This is the modal state of enterprise AI in 2026. Agents are being shipped to production by builders who move teams, change roles, and leave the company — and the agents stay, because no one was ever told they needed to pick them up. The fix isn't more AI strategy. It's the boring discipline HR has been running on humans for decades, applied to a workforce that didn't use to exist.
How every decision about the agent fleet gets made. The discipline that turns a sprawl of unowned agents into a managed workforce.
Not a team. Not a Slack channel. A single named person with a backup. If you cannot point at a human and say “they own this agent,” the agent is unowned — and unowned production code is the failure mode this entire model exists to prevent.
An agent that isn't in the registry doesn't exist. An agent that's in the registry but missing its owner, scope, or sunset date is an open ticket. The registry is the artifact every other discipline plugs into.
Not every agent needs the same governance. A production-critical agent operating on customer money requires on-call response and audit-grade logging. A productivity tool somebody built for themselves does not. Match the tier to the investment.
When a builder transfers teams or leaves the company, the agents they built are workforce-events too. HR offboards humans; somebody has to offboard agents. If nobody does, the shadow workforce grows by the same number every quarter.
An agent you can't observe is an agent you can't manage. Latency, error rate, drift, cost — these are the vitals. You don't promote an agent to higher decision authority without first being able to see how it's behaving at lower authority.
Audit readiness is not a quarterly slide deck. It's the state of being able to answer, on any given Tuesday: who owns each agent, what is each authorized to do, who approved each, what has each done in the last 90 days. If that's only available at quarter-end, you don't have audit readiness — you have audit theater.
Six concrete capabilities every agent program needs in place. Each one has an artifact (what gets produced), a practice (how the artifact stays current), an outcome (what good looks like), and an anti-pattern (how it most commonly fails).
Governance isn't a layer that sits on top of the program. It's how the program is designed.
Every production agent has a written charter — owner, scope, decision authority, data sources. No charter, no production access.
What an agent can do is enforced in code and access controls — not described in a system prompt. Prompt-only governance is theater.
Every consequential agent action is logged with inputs, the action taken, the alternatives considered, and the rationale. Logs are append-only and reviewable.
The person who built an agent may also own it on day one, but ownership and authorship are distinct. Ownership transfers; authorship is historical.
What gets measured at the executive level. These are the numbers that translate “we have AI agents in production” into something a CISO, a CFO, and a risk committee can read at a glance.
| Dimension | Metric |
|---|---|
| Registry Coverage | % of known production agents with complete registry entries — target 100% |
| Ownership Coverage | % of production-critical agents with named primary AND backup owners — target 100% |
| Active Builders | % of agents whose builder is still at the company — track for offboarding gaps |
| Observability Coverage | % of production-critical agents with active monitoring — target 100% |
| Sunset Discipline | # of agents past their sunset date still running — target zero |
| Audit Readiness | Time to answer “who owns, what authorized, who approved, what done” — target under 5 minutes per agent |
The two numbers that matter most: 100% ownership coverage on production-critical agents, and zero agents past their sunset date still running. Hit those two and most of the rest follows.
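The scorecard rows above can be computed directly from registry records. The sketch below is an added example, not part of the original framework or any vendor tool: it derives four of the six rows plus the list of "open ticket" entries. The record schema, tier labels, and sample fleet are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample registry. Field names and tier labels are assumptions
# made for this example; the page does not define a schema.
REGISTRY = [
    {"name": "refund-approver", "tier": "production-critical", "owner": "a.ortiz",
     "backup": "j.chen", "builder": "a.ortiz", "scope": "refunds <= $200",
     "sunset": date(2026, 12, 31), "running": True},
    {"name": "email-responder", "tier": "production-critical", "owner": None,
     "backup": None, "builder": "m.left", "scope": None,
     "sunset": date(2026, 3, 31), "running": True},
    {"name": "notes-summarizer", "tier": "productivity", "owner": "k.rao",
     "backup": None, "builder": "k.rao", "scope": "own calendar notes",
     "sunset": None, "running": True},
    {"name": "old-triage-bot", "tier": "productivity", "owner": "j.chen",
     "backup": None, "builder": "m.left", "scope": "ticket labels",
     "sunset": date(2025, 6, 30), "running": False},
]
REQUIRED = ("owner", "scope", "sunset")  # fields the registry principle names


def pct(part, whole):
    """Percentage rounded to one decimal; an empty population counts as 100%."""
    return 100.0 if not whole else round(100.0 * len(part) / len(whole), 1)


def fleet_metrics(registry, departed, today):
    """Compute four of the scorecard rows from registry records."""
    tickets = {a["name"]: [f for f in REQUIRED if not a.get(f)] for a in registry}
    tickets = {n: m for n, m in tickets.items() if m}  # incomplete entries only
    critical = [a for a in registry if a["tier"] == "production-critical"]
    return {
        "registry_coverage": pct([a for a in registry if a["name"] not in tickets], registry),
        "ownership_coverage": pct([a for a in critical if a["owner"] and a["backup"]], critical),
        "active_builders": pct([a for a in registry if a["builder"] not in departed], registry),
        # Sunset Discipline counts only agents that are still running.
        "past_sunset": [a["name"] for a in registry
                        if a["running"] and a["sunset"] and a["sunset"] < today],
        "open_tickets": tickets,
    }


if __name__ == "__main__":
    for key, value in fleet_metrics(REGISTRY, {"m.left"}, date(2026, 5, 12)).items():
        print(f"{key}: {value}")
```

The `departed` set would come from the HR offboarding feed, which is what ties the Active Builders row to the offboarding process described earlier.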
Four operational needs. What's available off-the-shelf today, what tends to require custom work, and how we'd recommend you decide between them. These recommendations are current as of 2026 and assume mid-market scale.
These are reference choices, not required ones. Pick the components that fit your stack; the model is independent of any specific vendor.
What the organization gets when this model is in place:
Agents have owners, charters, and sunset dates. The unowned tail goes from accumulating to managed.
Offboarding triggers an agent review by default. Ownership transfers happen on a checklist, not by accident.
Registry + observability + decision logs together produce the answers auditors ask for — at any time, not at quarter-end.
Production-critical agents get the governance they need. Productivity tools get the lightweight registration they deserve. Nobody over-builds or under-protects.
The model is the map. The diagnostic is how you locate yourself on it.
The onboarding and offboarding checklists in detail — fourteen gates total, with criteria and done-conditions for each.
Walk through the Agent Compass demo — a working dashboard populated with a fictional 50-agent fleet, showing exactly what this model produces.
If you want a conversation about your fleet today and where the gaps are, that's our diagnostic engagement — a structured 2–4 week sprint that produces a populated version of this model for your organization.