
AI Agent Governance

  • April 16, 2026

odunfadahunsi

Authors:

Odun Fadahunsi - Senior Security, Risk and Compliance Advisor, Office of the CISO
Igor Podebrad - Director, Office of the CISO

 

In the financial services industry, the proliferation of End-User Developed Applications (EUDAs) taught a crucial lesson: unmanaged innovation, however beneficial, can introduce unexpected operational and regulatory risks. Today, a similar and faster-moving challenge has emerged with the rapid deployment of AI agents, often called ‘Shadow AI’. These autonomous systems are deployed independently by business units, shifting control away from centralized IT oversight. Crucially, these agents are platform-agnostic, operating across diverse cloud environments and outside traditional enterprise boundaries.

This decentralized growth creates "Agentic Sprawl"—a governance gap where risk can multiply faster than the ability to manage it. Relying on siloed, platform-locked oversight is impractical and directly conflicts with a multi-cloud strategy. The solution isn't to lock down innovation, but to build a robust, flexible, and cloud-agnostic governance strategy that can provide consistent oversight across your entire agent ecosystem.

This strategy would integrate established best practices from EUDA governance and Generative AI governance, applying them to the unique requirements of AI agents to create a sustainable, enterprise-wide solution.
 

A Shared Philosophy: From EUDA to Agent Governance

The fundamental regulatory principles that have guided EUDA risk management—transparency, accountability, and control—are the same ones that must underpin AI agent governance. The goal is to move beyond a "tool-specific" approach and create a unified system that can be audited and controlled from a single point of truth.

A framework for achieving this is built on three essential, cloud-agnostic pillars:
 

1. Registration & Discovery: The Central Agent Registry

You cannot govern what you don't know about. The first step in any robust governance strategy is to establish a comprehensive inventory.

Instead of relying on a single vendor's inventory system, a central agent registry should be an independent, canonical source of truth. This could be a purpose-built application, an enterprise-wide data governance platform, or a dedicated repository. The key is that every agent, regardless of where it is built or deployed, must be registered here.
 

The "Agent Card" Concept:
 

For each registered agent, a standardized "Agent Card" should be created. This is a metadata-rich record that captures:

  • Purpose: The specific business function the agent performs, including which core business processes are involved or affected.
  • Owner: The business and technical teams responsible for the agent.
  • Risk Tier and alignment with ERM: Modern agent governance requires a transition from traditional ‘static access’ models to a classification system based on operational impact. To ensure proper oversight, every agent must be anchored to a specific business process, allowing organizations to integrate AI-specific risks, such as unintended autonomous actions or unauthorized disclosures, directly into their Enterprise Risk Management (ERM) framework. A critical distinction must be made between an agent’s data consumption and its data dissemination. Restricting an agent’s internal data access may not always be the most effective risk mitigation measure; broader context often enhances performance, reduces hallucinations, and allows the agent to better meet user expectations. Consequently, risk is not inherently driven by what an agent ‘knows’ but by its level of authority. The ERM framework would prioritize two primary risk vectors: (i) disclosure permissions: the agent’s authority to expose sensitive information (e.g. PII or intellectual property) to end users or external systems; (ii) transactional authority: the agent’s ability to execute changes within a business process, e.g. modifying records or triggering financial APIs. By defining risk through the lens of authority rather than mere access, organizations can develop more precise failure scenarios (e.g. ‘Agent erroneously authorizes a high-value payment file’). This approach enables a smoother transition from high-level policy to technical guardrails: (i) process mapping: assign risk tiers based on the sensitivity of the supported business process; (ii) scenario integration: map these tiers to existing ERM categories to treat AI risks as standard operational liabilities rather than isolated technical issues. Risk management must be fluid: as an agent’s utility grows, moving from ‘read-only’ to ‘write-access’, its risk profile must scale accordingly. This dynamic authority model ensures that ERM controls stay synchronized with the agent’s actual power, balancing high-context utility with rigorous operational control.
  • Deployment Environment: The specific cloud provider, open-source framework, or application where it operates.
  • Dependencies and State of Maturity: This element requires assessing the agent's entire ecosystem, focusing not just on what the agent relies on, but the quality and reliability of those components. The models, APIs, and data sources required are evaluated alongside the governance maturity of supporting business processes. This assessment answers critical risk questions, such as: (i) To what extent is the data properly curated, validated, and kept current? (e.g., poorly curated data directly increases the risk of erroneous AI output.) (ii) Are the business processes that feed the agent adequately defined, documented, and consistently followed? (e.g., a high-risk agent relying on an undefined, manual process introduces significant operational risk.) Understanding this maturity level is crucial for accurately classifying the agent's risk profile and determining the necessary control measures.
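As an added illustration of the Agent Card and the authority-based risk tier described above (example code written for this post, not a product or library API), the registry below stores one card per agent, refuses cards that are not anchored to a business process in the ERM catalogue, and derives the tier from process sensitivity plus disclosure and transactional authority rather than from data access. The process catalogue, tier thresholds and ERM category labels are constructed assumptions; a real ERM team would supply its own.

```python
from dataclasses import dataclass, field
from enum import Enum


class Disclosure(Enum):
    """Authority to expose information to end users or external systems."""
    NONE = 0          # internal working data only
    INTERNAL = 1      # non-sensitive business data
    CONFIDENTIAL = 2  # PII, intellectual property, financial records


class Authority(Enum):
    """Authority to change state inside a business process."""
    READ_ONLY = 0
    WRITE = 1         # modifies records
    TRANSACT = 2      # triggers financial or other external-effect APIs


# Constructed ERM process catalogue: sensitivity 1 (low) .. 3 (high).
PROCESS_SENSITIVITY = {
    "it-helpdesk": 1,
    "hr-onboarding": 2,
    "loan-origination": 3,
    "payments": 3,
}

# Constructed mapping from tier to an existing ERM category.
ERM_CATEGORY = {1: "Operational/low", 2: "Operational/moderate",
                3: "Operational/high", 4: "Operational/critical"}


@dataclass
class AgentCard:
    agent_id: str
    purpose: str
    business_process: str
    business_owner: str
    technical_owner: str
    deployment_env: str
    disclosure: Disclosure
    authority: Authority
    dependencies: list = field(default_factory=list)
    process_maturity: int = 3   # 1 undefined/manual .. 5 documented and followed
    data_quality: int = 3       # 1 uncurated .. 5 curated, validated, current


def validate(card):
    """Return the reasons a card cannot be registered (empty list if valid)."""
    problems = []
    if card.business_process not in PROCESS_SENSITIVITY:
        problems.append("not anchored to a business process in the ERM catalogue")
    if not card.business_owner or not card.technical_owner:
        problems.append("business and technical owner are both required")
    if not card.deployment_env:
        problems.append("deployment environment is required")
    return problems


def risk_tier(card):
    """Tier 1..4 driven by process sensitivity and authority, not by data access."""
    score = (PROCESS_SENSITIVITY[card.business_process]
             + card.disclosure.value + card.authority.value)
    # Immature feeding processes or poorly curated data raise the tier one step.
    if card.process_maturity <= 2 or card.data_quality <= 2:
        score += 1
    if score <= 2:
        return 1
    if score <= 4:
        return 2
    if score <= 6:
        return 3
    return 4


class AgentRegistry:
    """Canonical, platform-independent inventory of every agent."""

    def __init__(self):
        self._cards = {}

    def register(self, card):
        problems = validate(card)
        if problems:
            raise ValueError(f"{card.agent_id}: " + "; ".join(problems))
        self._cards[card.agent_id] = card
        return risk_tier(card)

    def change_authority(self, agent_id, new_authority):
        """Dynamic authority model: re-tier the agent whenever its power changes."""
        card = self._cards[agent_id]
        before = risk_tier(card)
        card.authority = new_authority
        return before, risk_tier(card)

    def erm_view(self):
        """Agents grouped by ERM category, the view a risk committee consumes."""
        view = {}
        for card in self._cards.values():
            view.setdefault(ERM_CATEGORY[risk_tier(card)], []).append(card.agent_id)
        return view
```

A read-only loan agent that may disclose PII lands in tier 3; promoting the same agent to transactional authority moves it to tier 4 without any change to what data it can read, which is the point of tiering on authority.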
     

This centralized, structured information is the foundation for all subsequent governance activities and is a non-negotiable requirement for regulatory compliance. Furthermore, given the dynamic and often self-improving nature of AI agents, governance cannot be a separate, periodic review. It must be embedded directly into the agent's lifecycle, operations, and deployment pipelines. This embedded governance helps to ensure that compliance, risk management, and ethical considerations are monitored continuously and fit seamlessly into the organization's overall Enterprise Governance Structure.

On Google Cloud, the centralized registry and Agent Card concept can be implemented with a combination of Google Cloud services. A good starting point is Gemini Enterprise Agent Platform, announced at Google Cloud Next ’26, which is designed to build, scale, govern and optimize agents. Within Agentspace, you can use the Agent Gallery to serve as your central registry. For each agent, you'll create a detailed "Agent Card" that outlines its purpose, owner, and risk level.

For a more custom solution, you can build your own registry using Cloud Firestore or Cloud Spanner to store the Agent Card metadata. You can then create a frontend application using App Engine or Cloud Run to provide a user interface for teams to register and discover agents. This approach gives you granular control over the data model and workflows.
 

2. Monitoring & Observability: A Single Pane of Glass

Once an agent is registered, continuous monitoring is critical. Regulators need to see not just what an agent is intended to do, but what it is actually doing in real time.

The solution here lies in open standards and protocols. Agents should be instructed to emit standardized logs and metrics, such as those defined by initiatives like OpenTelemetry. This ensures that regardless of whether an agent is built using a proprietary platform or an open-source framework, its activities can be collected and interpreted consistently.

An enterprise observability platform (which could be hosted on any cloud or on-prem) should serve as the "single pane of glass." This hub collects logs and metrics from all agents, providing a unified view of their activities, performance, and compliance status. Key metrics to monitor include:

  • Data Access Logs: Which data sources the agent is querying.
  • API Calls: All external APIs the agent is invoking.
  • Decision Tracing: A clear, auditable trail of the agent's reasoning and actions.
  • Compliance Alerts: Automated flags for any behavior that deviates from predefined policies.

In addition, the following business and data hygiene metrics are essential for managing the risk associated with data and process maturity:

  • Input Data Quality Score: A metric tracking the consistency, currency, and integrity of the data sources the agent consumes. This should include alerts for stale, incomplete, or improperly curated data.
  • Process Drift Index: A measurement of how often the agent's actions or outputs deviate from expected business outcomes or defined processes. High drift suggests an underlying issue with process documentation or data quality.
  • Human Intervention Rate (HITL): The frequency at which the agent escalates a query or action to a human operator. A rising rate suggests the agent is encountering more ambiguous situations, which could be due to unexpected changes in the business environment or degraded input quality.
  • Business Outcome Accuracy: Direct measurement of the agent's output against a defined business goal (e.g., for a loan agent, measuring the accuracy of provisional loan terms provided). This links the agent's technical performance directly to its business utility and risk exposure.

This model decouples monitoring from the execution environment, providing the necessary oversight for a truly heterogeneous agent ecosystem.
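The monitoring signals listed in this section can be computed from the standardized events an agent emits. The example below is added for this post (it is not code from Google Cloud or any observability product) and assumes a constructed JSON-lines event stream with OpenTelemetry-style attributes; it raises compliance alerts for data sources and APIs outside the agent's registered allowlist, computes the input data quality score, process drift index, HITL rate and business outcome accuracy for one observation window, and flags metrics that cross constructed thresholds.

```python
import json

# Constructed sample of the standardized events one agent emitted in one window
# (OpenTelemetry-style attributes flattened to JSON lines); not real log data.
SAMPLE_LOG = """\
{"ts":"2026-04-16T09:00:01Z","agent":"loan-qa-01","event":"input","source":"crm-db","age_days":1,"complete":true}
{"ts":"2026-04-16T09:00:02Z","agent":"loan-qa-01","event":"data_access","source":"crm-db"}
{"ts":"2026-04-16T09:00:03Z","agent":"loan-qa-01","event":"api_call","api":"rates-service"}
{"ts":"2026-04-16T09:00:04Z","agent":"loan-qa-01","event":"decision","expected":"provisional_terms","actual":"provisional_terms","quoted_rate":5.1,"reference_rate":5.0}
{"ts":"2026-04-16T09:05:01Z","agent":"loan-qa-01","event":"input","source":"crm-db","age_days":45,"complete":false}
{"ts":"2026-04-16T09:05:02Z","agent":"loan-qa-01","event":"data_access","source":"hr-payroll"}
{"ts":"2026-04-16T09:05:03Z","agent":"loan-qa-01","event":"escalation","reason":"ambiguous income data"}
{"ts":"2026-04-16T09:05:04Z","agent":"loan-qa-01","event":"decision","expected":"provisional_terms","actual":"declined","quoted_rate":null,"reference_rate":5.0}
{"ts":"2026-04-16T09:10:01Z","agent":"loan-qa-01","event":"api_call","api":"payments-gateway"}
{"ts":"2026-04-16T09:10:02Z","agent":"loan-qa-01","event":"decision","expected":"provisional_terms","actual":"provisional_terms","quoted_rate":6.0,"reference_rate":5.0}
"""

# Constructed Agent Card excerpt: the sources and APIs this agent is registered to use.
AGENT_CARD = {"agent": "loan-qa-01", "sources": {"crm-db"}, "apis": {"rates-service"}}

# Constructed thresholds; a risk team would set its own per tier.
THRESHOLDS = {"input_data_quality_score": 0.8, "process_drift_index": 0.2, "hitl_rate": 0.2}


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def compliance_alerts(events, card):
    """Flag every data source or API outside the agent's registered allowlist."""
    alerts = []
    for e in events:
        if e["event"] == "data_access" and e["source"] not in card["sources"]:
            alerts.append((e["ts"], "unregistered data source", e["source"]))
        if e["event"] == "api_call" and e["api"] not in card["apis"]:
            alerts.append((e["ts"], "unregistered api", e["api"]))
    return alerts


def hygiene_metrics(events, max_age_days=30, rate_tolerance=0.25):
    """Business and data-hygiene metrics over one observation window."""
    inputs = [e for e in events if e["event"] == "input"]
    decisions = [e for e in events if e["event"] == "decision"]
    escalations = [e for e in events if e["event"] == "escalation"]

    fresh = [i for i in inputs if i["complete"] and i["age_days"] <= max_age_days]
    drifted = [d for d in decisions if d["actual"] != d["expected"]]
    # Outcome accuracy: the quoted rate is within tolerance of the reference rate.
    accurate = [d for d in decisions if d["quoted_rate"] is not None
                and abs(d["quoted_rate"] - d["reference_rate"]) <= rate_tolerance]

    def ratio(part, whole):
        return round(len(part) / len(whole), 3) if whole else 0.0

    return {
        "input_data_quality_score": ratio(fresh, inputs),
        "process_drift_index": ratio(drifted, decisions),
        "hitl_rate": ratio(escalations, decisions),
        "business_outcome_accuracy": ratio(accurate, decisions),
    }


def evaluate_window(text, card, thresholds=THRESHOLDS):
    """Single-pane summary for one agent and one window."""
    events = parse_events(text)
    metrics = hygiene_metrics(events)
    # Quality must stay above its floor; drift and HITL rate must stay below their ceilings.
    flags = [m for m, limit in thresholds.items()
             if (metrics[m] < limit if m == "input_data_quality_score" else metrics[m] > limit)]
    return {"agent": card["agent"], "metrics": metrics,
            "compliance_alerts": compliance_alerts(events, card), "metric_flags": flags}


if __name__ == "__main__":
    print(json.dumps(evaluate_window(SAMPLE_LOG, AGENT_CARD), indent=2))
```

Because the allowlist comes from the Agent Card rather than from any one platform's IAM, the same alert logic applies to an agent on Cloud Run, on GKE, or on another provider entirely.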

For Google Cloud customers, to achieve a "single pane of glass" for monitoring, leverage Google Cloud's robust observability suite. Agents running on Google Cloud, regardless of the underlying service (e.g., Cloud Run, Gemini Enterprise, GKE, or Gemini Enterprise Agent Platform), should be configured to emit logs and metrics to Cloud Logging and Cloud Monitoring.

You can then use Looker or BigQuery for detailed analysis of the collected data. Create custom dashboards in Cloud Monitoring or Looker to visualize key metrics like agent activity, latency, and resource consumption. This allows you to track agent performance and identify anomalies across your entire ecosystem, providing a unified view of your agents' behavior.


3. Policy & Control: Enforcing Rules Universally

Governance without control is just documentation. This final pillar establishes the ability to define and enforce policies consistently across all agent types and to intervene immediately when necessary. This control is delivered through a centralized policy engine that defines universal, enterprise-level rules. These rules apply to all registered agents, ensuring that policies are defined once, are not tied to a specific Cloud Provider's guardrails, and are enforced everywhere.
 

Proactive Policy Enforcement: 

The primary goal is to prevent erroneous behavior using Policy-as-Code (PaC). Policies are defined in a portable, version-controlled format and enforced continuously by a Decoupled Control Plane. 

This control plane uses the policies to intervene before catastrophic failure by:

  • Blocking unauthorized API calls to sensitive data sources.

  • Pausing or revoking an agent's permissions upon rule violation.

  • Alerting a Human-in-the-Loop (HITL) for immediate review of suspicious activity.
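To make the Policy-as-Code idea concrete, here is an added example (written for this post, not a vendor policy engine) of a decoupled control plane that an agent runtime consults before every tool call. The policy bundle is plain JSON, so it can be version-controlled and applied to agents on any platform; the rule identifiers, the Agent Card allowlist and the violation threshold are constructed assumptions. The engine blocks data access to sensitive sources, holds large transactions for a Human-in-the-Loop, blocks APIs not on the agent's card, and pauses the agent's permissions after repeated violations.

```python
import json
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Constructed policy bundle. Plain data: it lives in version control and is not
# tied to any cloud provider's guardrails.
POLICY_BUNDLE = json.loads("""
{
  "version": 3,
  "pause_after_violations": 2,
  "rules": [
    {"id": "deny-sensitive-sources", "effect": "block",
     "match": {"action": "data_access", "target": ["hr-payroll", "customer-pii-*"]}},
    {"id": "large-payments-need-human", "effect": "escalate",
     "match": {"action": "transaction", "target": ["payments-gateway"], "amount_over": 10000}},
    {"id": "only-registered-apis", "effect": "block",
     "match": {"action": "api_call", "outside_agent_card": true}}
  ]
}
""")

# Constructed allowlists taken from the agents' Agent Cards.
AGENT_CARDS = {"loan-qa-01": {"apis": {"rates-service", "crm-api"}}}


@dataclass
class Decision:
    effect: str              # "allow", "block" or "escalate"
    rule_id: Optional[str]
    reason: str


class ControlPlane:
    """Decoupled control plane: the runtime asks before executing any action."""

    def __init__(self, bundle, cards):
        self.bundle, self.cards = bundle, cards
        self.violations = Counter()
        self.paused = set()
        self.hitl_queue = []   # items a human operator must review

    def _matches(self, rule, req):
        m = rule["match"]
        if m.get("action") != req["action"]:
            return False
        if "target" in m and not any(fnmatch(req["target"], p) for p in m["target"]):
            return False
        if "amount_over" in m and req.get("amount", 0) <= m["amount_over"]:
            return False
        if m.get("outside_agent_card"):
            allowed = self.cards.get(req["agent"], {}).get("apis", set())
            if req["target"] in allowed:
                return False
        return True

    def authorize(self, req):
        """First matching rule wins; an unmatched request is allowed."""
        if req["agent"] in self.paused:
            return Decision("block", None, "agent permissions are paused pending review")
        for rule in self.bundle["rules"]:
            if self._matches(rule, req):
                return self._apply(rule, req)
        return Decision("allow", None, "no rule matched; default allow")

    def _apply(self, rule, req):
        agent = req["agent"]
        if rule["effect"] == "escalate":
            self.hitl_queue.append({"agent": agent, "rule": rule["id"], "request": req})
            return Decision("escalate", rule["id"], "held for human-in-the-loop review")
        # "block": count the violation; repeated violations pause the agent outright.
        self.violations[agent] += 1
        if self.violations[agent] >= self.bundle["pause_after_violations"]:
            self.paused.add(agent)
            self.hitl_queue.append({"agent": agent, "rule": "auto-pause", "request": req})
        return Decision("block", rule["id"], f"blocked by {rule['id']}")
```

Every decision carries the rule id that produced it, so the decision trace collected under the monitoring pillar can show not only what the agent did but which policy allowed or stopped it.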

Reactive Response: Contained Rollback

When a severe malfunction or policy violation is detected, the immediate, automated action is not a simple kill switch, but a layered containment and rollback strategy that is directly enabled by the auditability mechanisms established under the Proactive Enforcement pillar.

1. Automated Containment: The system's first priority is to limit the blast radius:

  • Suspend External Interactions: Immediately revoke the agent's credentials and access to all external APIs and sensitive databases. This stops further erroneous actions.

  • Quarantine Results: Redirect all subsequent outputs away from production systems into a secure quarantine folder for review.

2. Time-Based Damage Assessment: This is the critical forensic step for cleanup, relying on the agent's audit records:

  • Pinpoint Failure: Using immutable Decision Tracing and logs, quickly pinpoint the Moment of Failure and scope the damage (all actions/data results generated during the error window).

3. Automated Rollback and Remediation: The process then systematically reverses the erroneous state based on the scope of the damage:

  • Easily Reversible: Automatically delete or revert results that have not yet been consumed by downstream systems.

  • External Impact: For damage that is external or irreversible, the system must flag all impacted entities and escalate a detailed forensic report to a HITL team, strictly limiting human cleanup effort to the confirmed scope of damage.
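The three reactive steps above, carried through as one added example (written for this post, not a product feature): containment revokes the agent's credentials and reroutes its outputs to quarantine, damage assessment selects every record in the immutable decision trace between the moment of failure and detection, and the rollback plan auto-reverts results nothing has consumed while flagging consumed and external effects, with the impacted entities, for the HITL team. The trace records, timestamps and system names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)  # immutable: forensic scoping relies on the trace not changing
class TraceRecord:
    ts: str
    action_id: str
    action: str
    target: str
    consumed_by: Optional[str]  # downstream system that already consumed the result
    external: bool              # True if the effect left the enterprise boundary


# Constructed decision trace for one agent; not real data.
TRACE = [
    TraceRecord("2026-04-16T09:00:00+00:00", "a1", "write_record", "crm-db", None, False),
    TraceRecord("2026-04-16T09:04:00+00:00", "a2", "write_record", "crm-db", "reporting-warehouse", False),
    TraceRecord("2026-04-16T09:12:00+00:00", "a3", "write_record", "loan-ledger", None, False),
    TraceRecord("2026-04-16T09:13:00+00:00", "a4", "write_record", "loan-ledger", "reporting-warehouse", False),
    TraceRecord("2026-04-16T09:14:00+00:00", "a5", "submit_payment", "payments-gateway", "bank-swift", True),
    TraceRecord("2026-04-16T09:15:00+00:00", "a6", "write_record", "loan-ledger", None, False),
]


def _t(iso):
    return datetime.fromisoformat(iso).astimezone(timezone.utc)


def contain(agent_id):
    """Step 1: limit the blast radius before any analysis starts."""
    return {
        "agent": agent_id,
        "credentials": "revoked",                     # no further API or database access
        "output_route": f"quarantine://{agent_id}/",  # outputs no longer reach production
    }


def scope_damage(trace, failure_ts, detection_ts):
    """Step 2: every action recorded inside the error window (inclusive)."""
    start, end = _t(failure_ts), _t(detection_ts)
    return [r for r in trace if start <= _t(r.ts) <= end]


def plan_rollback(in_scope):
    """Step 3: auto-revert what nothing has consumed; flag the rest for a human."""
    auto_revert = [r.action_id for r in in_scope if r.consumed_by is None]
    flagged = [r for r in in_scope if r.consumed_by is not None]
    return {
        "auto_reverted": auto_revert,
        "flag_for_hitl": [
            {"action_id": r.action_id, "target": r.target,
             "consumed_by": r.consumed_by, "external": r.external} for r in flagged
        ],
        # Human cleanup is limited to exactly these entities.
        "impacted_entities": sorted({r.consumed_by for r in flagged}),
    }


def respond(agent_id, trace, failure_ts, detection_ts):
    """Run the three steps and return the forensic report handed to the HITL team."""
    state = contain(agent_id)
    in_scope = scope_damage(trace, failure_ts, detection_ts)
    plan = plan_rollback(in_scope)
    return {"containment": state, "failure_ts": failure_ts, "detection_ts": detection_ts,
            "in_scope": [r.action_id for r in in_scope], **plan}
```

Note that a2 was consumed by the reporting warehouse but falls before the moment of failure, so it is correctly left alone: the accuracy of the failure timestamp, not the size of the trace, is what keeps the human cleanup effort bounded.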

On Google Cloud, the policy and control pillar can be implemented using a combination of Google Cloud's native security and governance tools. For agent access control, use Agent Identity and Access Management with service accounts to enforce the principle of least privilege. You can create specific IAM roles that limit an agent's access to only the necessary data sources and APIs.

For broader policy enforcement, AI Guardrails provide a powerful mechanism to implement rules for Large Language Models (LLMs) and agent output, helping to prevent policy violations like PII leakage. Sensitive Data Loss Prevention (DLP) is used to scan and protect sensitive data that agents might process. Lastly, Cloud Armor and Model Armor can be used to protect agent APIs from malicious traffic and enforce rate limits, acting as a crucial line of defense.
 

The Path Forward

The lessons of EUDA governance have prepared us for this moment. By focusing on open, cloud-agnostic architectural patterns, organizations can build a robust governance strategy that doesn't just pass a regulatory "smell test" but also enables safe, responsible, and scalable innovation.

The next step is to move from theory to practice. A focused, collaborative workshop can help your organization:

  • Validate these principles against your internal risk and compliance frameworks.

  • Co-create a high-level architectural blueprint for a CSP-agnostic agent governance hub.

  • Define a pilot project to test the registration, monitoring, and control mechanisms on a small, representative set of agents.

By taking this approach, you can build a governance model that is resilient, flexible, and ready for the heterogeneous future of AI. Let's co-create your agent governance blueprint. Schedule a focused workshop with our experts. You can learn more about securing agents and using agents securely from our recent Cloud CISO Perspectives newsletter.