Agentic AI Security CMM — D1 Governance & Accountability (Deep Dive)
Companion deep-dive to the CMM’s D1 domain, written under the recalibration method. D1 fixes who is accountable for agent behavior, with what authority, and on what auditable record. The recalibration makes one material change: L5 no longer mandates a single certification. The regulated-FI stress test flagged that pinning L5 to AIUC-1 both moves the bar on a vendor’s cadence and concentrates assurance in one certifier; the AIUC-1 critical evaluation examined the question and found the mandate indefensible. D1-L5 now states a capability that several schemes satisfy: current, independent, third-party assurance of the governance program.
Single-source grounding
The level criteria and cost model synthesize the wiki’s own recalibration method against one representative-customer source (the regulated-FI stress test) plus the AIUC-1 evaluation. They are wiki-internal calibration, not an externally ratified standard, and will firm up as later domains and crosswalks test them.
Threat coverage
D1 is the accountability wrapper, so its threats are cross-cutting rather than a single ASI category; it is the only domain that addresses Class 5 (jurisdictional adversary) — vendor abstraction, jurisdiction tagging, and contract resilience against a regulatory cutoff, the one threat no technical plane control mitigates. The full mapping is in the Threat Taxonomy Reconciliation matrix; the class detail is on the threat-classes page.
Control landscape (dated)
Governance has no enforcement engine. Its controls are documents, committees, and audits, so the landscape comprises assurance schemes and the platforms that hold the evidence.
| Layer | What ships today | Status (May 2026) |
|---|---|---|
| Governance frameworks | NIST AI RMF (Govern function), IEC 42001, EU AI Act Art. 9 (risk management system) + Art. 17 (quality management system), CSA ATF; CoSAI WS3 (AI Security Risk Governance) + AI Shared Responsibility Framework (2026-05-28); SAIF Governance category (Risk Governance, Product Governance) | Stable; an agentic Govern profile from NIST is not yet shipped (expected later 2026). EU AI Act Art. 9/Art. 17 anchors verified in the 2026-Q2 EU AI Act review as duties and process, not graded criteria. CoSAI/SAIF anchors verified in CoSAI review — category-level only, no graded criteria. ISO 42001’s Annex A controls (A.2 Policies, A.3 Internal organization, A.5 Impact assessment anchor D1) are organizational, not technical-control, and the IEC 42001 + 27090 review confirms them against the public structure only — citation-only, paywall-bounded |
| Third-party assurance schemes | ISO/IEC 42001 certification (multi-auditor: Schellman, BSI, SGS, A-LIGN); AIUC-1 certification (single ANAB auditor); SOC 2 + AI controls as a partial proxy | ISO 42001 audits available now; AIUC-1 certified population is small — see the evaluation |
| Evidence and crosswalk platforms | GRC suites (ServiceNow, OneTrust, AuditBoard); platform-native governance — Microsoft Purview / Compliance Manager for an E5 tenant; the standards-crosswalk matrix | GA; Purview governance is included in E5 entitlements, so the licensing delta is near zero for an incumbent |
| Decision-rights and inventory | Decision Rights for AI Agents matrices; agent / NHI inventory; shadow-agent reaper (Shadow Automation) | Pattern-level, not a single product; assembled from identity-platform inventory plus policy |
The platform-native column matters for single-stack buyers. An all-Microsoft enterprise reaches the L4 evidence layer (crosswalk, board metrics, risk register) on Purview and Compliance Manager already in its licensing, without a separate GRC purchase. The Microsoft ZT4AI Governance pillar (verify explicitly) grounds this layer in named controls — the Responsible AI Standard and the Purview Compliance Manager AI templates — crosswalked to D1 in the 2026-Q2 ZT4AI review. The RAI Standard is a responsible-AI goals standard, not a control catalogue: its Accountability and Transparency goals carry D1 at the goal level — A1 Impact Assessment, A2 Oversight of significant adverse impacts, A5 Human oversight and control, T1 System intelligibility, T2 Communication to stakeholders. The goal-level mapping is set out in Agent 365 review, which separates RAI’s goals from the ZT4AI control catalogue.
Capability-decoupled levels
Stated as capabilities per rule 1; a control counts when it operates in production per rule 2.
- L1 — Initial. No accountable owner; agents deploy without governance review.
- L2 — Developing. A named accountable owner holds the role; an AI-use policy is published; an agent risk-tier scheme exists; a signed RACI assigns ownership.
- L3 — Defined. A cross-functional AI risk body (security, legal, privacy, engineering) meets on a fixed cadence; risk tiers gate deployment; a decision-rights matrix is documented per agent type; a shadow-agent inventory and reaper SLA operate.
- L4 — Managed. Quantitative governance metrics (incidents, drift events, escalations, with
ASI##/ AIVSS rollups) are reported at board level; the standards-crosswalk matrix is maintained; a readiness assessment is completed against a recognized third-party assurance scheme — ISO/IEC 42001, AIUC-1, or a documented internal equivalent. - L5 — Optimizing (amended). The capability is current, independent, third-party assurance of the agentic-AI governance program, scheme-neutral, satisfied by any one of:
- (a) a current IEC 42001 certification under active surveillance — preferred, because it is standards-body-governed, multi-auditor, and regulator-recognized;
- (b) a current AIUC-1 certification at the latest quarterly refresh — accepted, with the concentration and freshness caveats the evaluation documents;
- (c) a documented internal-equivalent governance attestation, independently reviewed by a qualified third party and crosswalk-mapped to a recognized framework.
- Plus board-attested risk metrics, an AI risk body decision history of at least one year, and a crosswalk refreshed each quarter.
- L5+ — Leading Edge. All of L5, plus an active named contribution to a governance or standards body (PR / RFC / spec authorship, not membership) and an externally published governance or risk-observability artifact.
The amendment removes a defect, not a requirement. The security bar is unchanged: independent assurance that the governance program does what it claims. What changes is that meeting it no longer depends on one vendor’s product or audit cadence.
OWASP’s State of Agentic AI Security and Governance supplies a parallel governance-maturity ladder (Levels 0–4, from unaware/ad-hoc through experimentation, policy-defined HITL, integrated continuous oversight, to adaptive self-regulation) that this domain’s levels track closely. Its central finding is the load-bearing context for D1: organizations are deploying agents faster than they can govern them, and additional budget for existing programs does not close that gap. The report pairs the governance ladder with an Adoption Tier (AT0–AT8) so required governance scales with what is deployed rather than against a flat checklist — the same right-sizing logic the deployment-shape table below applies.
Right-sizing by deployment shape
The realistic target per rule 4:
| Deployment shape | Realistic D1 target | Why |
|---|---|---|
| Internal RAG / support chatbot (no tools) | L2 → L3 | Owner, policy, risk body, decision-rights. Certification is not warranted near-term |
| Data-science / coding copilot | L3 → L4 | Adds board metrics and crosswalk once the agent touches the SDLC |
| MCP / skill provider serving others | L4 | Third-party exposure raises the accountability bar; readiness assessment expected |
| High-autonomy multi-agent mesh | L4 → selective L5 | Certification earns its cost where autonomy and blast radius are highest |
Most enterprises land at L4 with selective L5 in the domains tied to their exposure. A contained, low-agency design that legitimately needs less governance records the choice as an intentional trade-off in the effective-score strategic-rationale field, not as a deficiency.
Cost model
Governance is labor-heavy, and for an incumbent the licensing line is the smallest of the three.
| Level | Licensing | Operational labor | Run-rate |
|---|---|---|---|
| L2 | ~0 (policy authored in-house) | ~0.25–0.5 FTE to write policy, stand up the RACI and risk-tier scheme | — |
| L3 | ~0 | ~0.5–1 FTE recurring: risk-body cadence, decision-rights upkeep, shadow-agent reaping | — |
| L4 | GRC platform where used; ~0 on Purview for an E5 tenant | board reporting + crosswalk upkeep; a one-time readiness assessment | — |
| L5 (ISO 42001 path) | certification audit + optional consulting | the dominant cost: internal hours to build and sustain the management system, plus annual surveillance | — |
| L5 (AIUC-1 path) | certification fee (not publicly listed) | heavier recurring labor than ISO’s annual surveillance, because the certificate is re-tested on a quarterly cadence | — |
The signal: the spend is governance labor and the certification-evidence treadmill, not tools. A buyer choosing the AIUC-1 path inherits a quarterly re-test cycle; the ISO 42001 path runs on annual surveillance. Both are recurring labor. Price the rhythm, not the first audit alone.
Customer critiques folded in
- “L5 is unreachable because it names a just-GA’d certification we can’t procure in time.” Addressed: L5 is scheme-neutral and the production-maturity qualifier applies. Assurance “via a scheme in your approved-vendor pipeline with a documented production date” satisfies it.
- “A single-certifier mandate is a concentration risk and reads as a vendor play.” Addressed: AIUC-1 is demoted to one option among several, with ISO 42001 preferred. Full reasoning in the evaluation.
- “Cost is under-told.” Addressed: the cost model names labor and the evidence treadmill as the real spend, and marks licensing as near-zero for incumbents.
- “Authority to certify is itself contested.” Acknowledged but out of scope here. The wiki records the assurance-scheme landscape; an organization preparing for a regulator should map D1 to its examiner’s expectations via the forthcoming FFIEC/GLBA crosswalk.
Open questions
- No official AIUC-1 certified-organization count is published; the figure in the evaluation is reconstructed from press releases and should be re-checked each quarter.
- AIUC-1 pricing is not public, so the L5 AIUC-1 cost line is directional.
- The exact 2026 ISO/IEC 42001 certified population is not cleanly published.
- NIST has not shipped an agentic-specific Govern profile; the EU AI Act’s agentic provisions remain preliminary, so D1’s regulatory anchors will shift as both land.