Agentic AI Security CMM — D1 Governance & Accountability (Deep Dive)

Companion deep-dive to the CMM’s D1 domain, written under the recalibration method. D1 fixes who is accountable for agent behavior, with what authority, and on what auditable record. The recalibration makes one material change: L5 no longer mandates a single certification. The regulated-FI stress test flagged that pinning L5 to AIUC-1 both moves the bar on a vendor’s cadence and concentrates assurance in one certifier; the AIUC-1 critical evaluation examined the question and found the mandate indefensible. D1-L5 now states a capability that several schemes satisfy: current, independent, third-party assurance of the governance program.

Single-source grounding

The level criteria and cost model synthesize the wiki’s own recalibration method against one representative-customer source (the regulated-FI stress test) plus the AIUC-1 evaluation. They are wiki-internal calibration, not an externally ratified standard, and will firm up as later domains and crosswalks test them.

Threat coverage

D1 is the accountability wrapper, so its threats are cross-cutting rather than a single ASI category; it is the only domain that addresses Class 5 (jurisdictional adversary) — vendor abstraction, jurisdiction tagging, and contract resilience against a regulatory cutoff, the one threat no technical plane control mitigates. The full mapping is in the Threat Taxonomy Reconciliation matrix; the class detail is on the threat-classes page.

Control landscape (dated)

Governance has no enforcement engine. Its controls are documents, committees, and audits, so the landscape comprises assurance schemes and the platforms that hold the evidence.

LayerWhat ships todayStatus (May 2026)
Governance frameworksNIST AI RMF (Govern function), IEC 42001, EU AI Act Art. 9 (risk management system) + Art. 17 (quality management system), CSA ATF; CoSAI WS3 (AI Security Risk Governance) + AI Shared Responsibility Framework (2026-05-28); SAIF Governance category (Risk Governance, Product Governance)Stable; an agentic Govern profile from NIST is not yet shipped (expected later 2026). EU AI Act Art. 9/Art. 17 anchors verified in the 2026-Q2 EU AI Act review as duties and process, not graded criteria. CoSAI/SAIF anchors verified in CoSAI review — category-level only, no graded criteria. ISO 42001’s Annex A controls (A.2 Policies, A.3 Internal organization, A.5 Impact assessment anchor D1) are organizational, not technical-control, and the IEC 42001 + 27090 review confirms them against the public structure only — citation-only, paywall-bounded
Third-party assurance schemesISO/IEC 42001 certification (multi-auditor: Schellman, BSI, SGS, A-LIGN); AIUC-1 certification (single ANAB auditor); SOC 2 + AI controls as a partial proxyISO 42001 audits available now; AIUC-1 certified population is small — see the evaluation
Evidence and crosswalk platformsGRC suites (ServiceNow, OneTrust, AuditBoard); platform-native governance — Microsoft Purview / Compliance Manager for an E5 tenant; the standards-crosswalk matrixGA; Purview governance is included in E5 entitlements, so the licensing delta is near zero for an incumbent
Decision-rights and inventoryDecision Rights for AI Agents matrices; agent / NHI inventory; shadow-agent reaper (Shadow Automation)Pattern-level, not a single product; assembled from identity-platform inventory plus policy

The platform-native column matters for single-stack buyers. An all-Microsoft enterprise reaches the L4 evidence layer (crosswalk, board metrics, risk register) on Purview and Compliance Manager already in its licensing, without a separate GRC purchase. The Microsoft ZT4AI Governance pillar (verify explicitly) grounds this layer in named controls — the Responsible AI Standard and the Purview Compliance Manager AI templates — crosswalked to D1 in the 2026-Q2 ZT4AI review. The RAI Standard is a responsible-AI goals standard, not a control catalogue: its Accountability and Transparency goals carry D1 at the goal level — A1 Impact Assessment, A2 Oversight of significant adverse impacts, A5 Human oversight and control, T1 System intelligibility, T2 Communication to stakeholders. The goal-level mapping is set out in Agent 365 review, which separates RAI’s goals from the ZT4AI control catalogue.

Capability-decoupled levels

Stated as capabilities per rule 1; a control counts when it operates in production per rule 2.

  • L1 — Initial. No accountable owner; agents deploy without governance review.
  • L2 — Developing. A named accountable owner holds the role; an AI-use policy is published; an agent risk-tier scheme exists; a signed RACI assigns ownership.
  • L3 — Defined. A cross-functional AI risk body (security, legal, privacy, engineering) meets on a fixed cadence; risk tiers gate deployment; a decision-rights matrix is documented per agent type; a shadow-agent inventory and reaper SLA operate.
  • L4 — Managed. Quantitative governance metrics (incidents, drift events, escalations, with ASI## / AIVSS rollups) are reported at board level; the standards-crosswalk matrix is maintained; a readiness assessment is completed against a recognized third-party assurance scheme — ISO/IEC 42001, AIUC-1, or a documented internal equivalent.
  • L5 — Optimizing (amended). The capability is current, independent, third-party assurance of the agentic-AI governance program, scheme-neutral, satisfied by any one of:
    • (a) a current IEC 42001 certification under active surveillance — preferred, because it is standards-body-governed, multi-auditor, and regulator-recognized;
    • (b) a current AIUC-1 certification at the latest quarterly refresh — accepted, with the concentration and freshness caveats the evaluation documents;
    • (c) a documented internal-equivalent governance attestation, independently reviewed by a qualified third party and crosswalk-mapped to a recognized framework.
    • Plus board-attested risk metrics, an AI risk body decision history of at least one year, and a crosswalk refreshed each quarter.
  • L5+ — Leading Edge. All of L5, plus an active named contribution to a governance or standards body (PR / RFC / spec authorship, not membership) and an externally published governance or risk-observability artifact.

The amendment removes a defect, not a requirement. The security bar is unchanged: independent assurance that the governance program does what it claims. What changes is that meeting it no longer depends on one vendor’s product or audit cadence.

OWASP’s State of Agentic AI Security and Governance supplies a parallel governance-maturity ladder (Levels 0–4, from unaware/ad-hoc through experimentation, policy-defined HITL, integrated continuous oversight, to adaptive self-regulation) that this domain’s levels track closely. Its central finding is the load-bearing context for D1: organizations are deploying agents faster than they can govern them, and additional budget for existing programs does not close that gap. The report pairs the governance ladder with an Adoption Tier (AT0–AT8) so required governance scales with what is deployed rather than against a flat checklist — the same right-sizing logic the deployment-shape table below applies.

Right-sizing by deployment shape

The realistic target per rule 4:

Deployment shapeRealistic D1 targetWhy
Internal RAG / support chatbot (no tools)L2 → L3Owner, policy, risk body, decision-rights. Certification is not warranted near-term
Data-science / coding copilotL3 → L4Adds board metrics and crosswalk once the agent touches the SDLC
MCP / skill provider serving othersL4Third-party exposure raises the accountability bar; readiness assessment expected
High-autonomy multi-agent meshL4 → selective L5Certification earns its cost where autonomy and blast radius are highest

Most enterprises land at L4 with selective L5 in the domains tied to their exposure. A contained, low-agency design that legitimately needs less governance records the choice as an intentional trade-off in the effective-score strategic-rationale field, not as a deficiency.

Cost model

Governance is labor-heavy, and for an incumbent the licensing line is the smallest of the three.

LevelLicensingOperational laborRun-rate
L2~0 (policy authored in-house)~0.25–0.5 FTE to write policy, stand up the RACI and risk-tier scheme
L3~0~0.5–1 FTE recurring: risk-body cadence, decision-rights upkeep, shadow-agent reaping
L4GRC platform where used; ~0 on Purview for an E5 tenantboard reporting + crosswalk upkeep; a one-time readiness assessment
L5 (ISO 42001 path)certification audit + optional consultingthe dominant cost: internal hours to build and sustain the management system, plus annual surveillance
L5 (AIUC-1 path)certification fee (not publicly listed)heavier recurring labor than ISO’s annual surveillance, because the certificate is re-tested on a quarterly cadence

The signal: the spend is governance labor and the certification-evidence treadmill, not tools. A buyer choosing the AIUC-1 path inherits a quarterly re-test cycle; the ISO 42001 path runs on annual surveillance. Both are recurring labor. Price the rhythm, not the first audit alone.

Customer critiques folded in

  • “L5 is unreachable because it names a just-GA’d certification we can’t procure in time.” Addressed: L5 is scheme-neutral and the production-maturity qualifier applies. Assurance “via a scheme in your approved-vendor pipeline with a documented production date” satisfies it.
  • “A single-certifier mandate is a concentration risk and reads as a vendor play.” Addressed: AIUC-1 is demoted to one option among several, with ISO 42001 preferred. Full reasoning in the evaluation.
  • “Cost is under-told.” Addressed: the cost model names labor and the evidence treadmill as the real spend, and marks licensing as near-zero for incumbents.
  • “Authority to certify is itself contested.” Acknowledged but out of scope here. The wiki records the assurance-scheme landscape; an organization preparing for a regulator should map D1 to its examiner’s expectations via the forthcoming FFIEC/GLBA crosswalk.

Open questions

  • No official AIUC-1 certified-organization count is published; the figure in the evaluation is reconstructed from press releases and should be re-checked each quarter.
  • AIUC-1 pricing is not public, so the L5 AIUC-1 cost line is directional.
  • The exact 2026 ISO/IEC 42001 certified population is not cleanly published.
  • NIST has not shipped an agentic-specific Govern profile; the EU AI Act’s agentic provisions remain preliminary, so D1’s regulatory anchors will shift as both land.

Notes