AgentProof

Control library

Controls & Oversight

Six control families, a four-step maturity ladder, and a before-go-live checklist. The framework AgentProof scores your readiness against — visible and source-backed.

6 control families · 4 maturity steps · Evidence-led

Maturity ladder

Every control family climbs the same four steps. AgentProof asks which step each control has actually reached — not whether the control is on paper.

Step 1: Basic. The control exists on paper. It has not been tested in production.

Step 2: Managed. The control is wired in production. Someone is named as the owner.

Step 3: Strong. The control is tested on a documented cadence; failures escalate to a named role.

Step 4: Evidence-ready. The control captures audit-safe traces by default. Findings can be defended without scrambling.

The six control families

Each family covers a different kind of risk. AgentProof checks coverage and evidence per family — and ties each family to the capability zones where it matters most.

Purpose and scope

Capability zones: informational, assisted work, action taking

Protects against: An agent quietly drifting into work it was never designed for.

When it matters: From day one. Scope drift is the most common path to incidents.

What good looks like

A written, dated, signed-off scope statement that names what the agent will and will not do.

Evidence examples

  • Signed scope statement
  • Tool / action allow-list snapshot
  • Out-of-scope refusal transcripts

Common gaps

  • Verbal scope only
  • Scope statement that contradicts the action allow-list
  • No refusal pattern on out-of-scope prompts

Data access and sensitivity

Capability zones: assisted work, action taking

Protects against: The agent reading data it should not, or surfacing data it should not.

When it matters: Before the agent reads any organisational data.

What good looks like

An inventory of knowledge sources, classification of each, and access controls enforced at the data layer.

Evidence examples

  • Knowledge-source inventory
  • Data classification map
  • Per-record access-control configuration

Common gaps

  • Source list missing
  • Access controls applied at the prompt instead of the data
  • Personal / regulated data in scope by accident

Human oversight

Capability zones: assisted work, action taking

Protects against: The agent committing irreversible actions without a human in the loop.

When it matters: Always for action-taking agents; for assisted-work agents whenever an action could affect customers.

What good looks like

Documented human-in-the-loop step on consequential paths, with a named reviewer role.

Evidence examples

  • Approval log with reason text
  • Reviewer roster
  • Tested confirmation step

Common gaps

  • Confirmation step exists in code but never enforced
  • Reviewer queue is anonymous
  • No way to override an approval after the fact

Action authority

Capability zones: action taking

Protects against: The agent technically reaching an action it should never take.

When it matters: From the moment the agent can write to any system.

What good looks like

Action allow-list, idempotency on every write, audit trace per action, tested rollback.

Evidence examples

  • Allow-list snapshot
  • Idempotency design note
  • Rollback rehearsal record
  • Audit trace sample

Common gaps

  • Allow-list outdated
  • Write actions not idempotent
  • No rollback rehearsal
  • Audit trace lacks reason text
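The Human oversight and Action authority families above describe the same gate from two sides: an allow-list, idempotent writes, an enforced human confirmation step with a named reviewer, and an audit trace that carries reason text. The following is an added illustration written for this page, not AgentProof's own code; the action names, the reviewer policy and the `ActionGateway` class are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

# Assumed allow-list for a support agent: action name -> needs human approval.
ALLOW_LIST = {
    "ticket.comment": False,   # reversible, low impact
    "ticket.close": True,      # customer-visible
    "refund.issue": True,      # irreversible money movement
}

@dataclass
class ActionGateway:
    # approve(action, params) -> (approved, reviewer_name, reason); never anonymous
    approve: Callable[[str, dict], tuple[bool, str, str]]
    executed: dict = field(default_factory=dict)  # idempotency key -> result
    audit: list = field(default_factory=list)     # one trace entry per attempt

    def _trace(self, key, action, outcome, reason, reviewer=None):
        self.audit.append({"key": key, "action": action, "outcome": outcome,
                           "reason": reason, "reviewer": reviewer})

    def run(self, action, params, idempotency_key, reason):
        # 1. Allow-list: an action not on the list is refused, never attempted.
        if action not in ALLOW_LIST:
            self._trace(idempotency_key, action, "refused", "not on allow-list")
            return {"status": "refused"}
        # 2. Idempotency: a replayed key returns the first result, no second write.
        if idempotency_key in self.executed:
            self._trace(idempotency_key, action, "replayed", reason)
            return self.executed[idempotency_key]
        # 3. Human in the loop on consequential actions, enforced here, not optional.
        reviewer = None
        if ALLOW_LIST[action]:
            ok, reviewer, note = self.approve(action, params)
            if not ok:
                self._trace(idempotency_key, action, "rejected", note, reviewer)
                return {"status": "rejected"}
        # 4. Perform the write (a placeholder here) and record the reason text.
        result = {"status": "done", "action": action, "params": params}
        self.executed[idempotency_key] = result
        self._trace(idempotency_key, action, "done", reason, reviewer)
        return result

def demo_reviewer(action, params):
    # Constructed reviewer policy for the example: refunds above 100 are declined.
    if action == "refund.issue" and params.get("amount", 0) > 100:
        return False, "ops-reviewer", "amount above refund limit"
    return True, "ops-reviewer", "approved"
```

Each trace entry is a candidate line for the "Approval log with reason text" and "Audit trace sample" evidence items; the replayed key shows why idempotency matters when a timed-out call is retried.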

Testing and evidence

Capability zones: informational, assisted work, action taking

Protects against: An agent that has only been exercised on toy prompts.

When it matters: Before go-live, and on every material change.

What good looks like

Representative scenario set drawn from real (anonymised) behaviour, plus a captured trace of passes and refusals.

Evidence examples

  • Scenario inventory
  • Sample passing transcripts
  • Sample refusal transcripts
  • Red-team prompt set

Common gaps

  • Lab-only testing
  • No red-team set
  • Evidence missing PII scrub

Monitoring and reassessment

Capability zones: informational, assisted work, action taking

Protects against: Quality drift after go-live, and the agent becoming silently out-of-date as the AI landscape changes.

When it matters: Continuously, after go-live.

What good looks like

A documented baseline of normal behaviour, a cadence for review, and a clear trigger list for reassessment.

Evidence examples

  • Baseline definition
  • Monitoring dashboard snapshot
  • Last reassessment date
  • Change-log of agent updates

Common gaps

  • Monitoring wired but never read
  • No reassessment cadence
  • Change log absent

Before go-live checklist

If every item below is honestly yes, your agent is in a position to be defended.

  1. Scope statement signed and dated.
  2. Knowledge-source inventory complete and access-controlled.
  3. Action allow-list snapshotted and reviewed.
  4. Human-in-the-loop step tested end-to-end (including a deliberate refusal).
  5. Fallback / escalation roster published and rehearsed.
  6. Audit trace captured and scrubbed of PII.
  7. Real-scenario test set exercised, including a red-team pass.
  8. Monitoring baseline written down; signal owners named.
  9. Reassessment trigger list agreed (model change, tool change, new data source).
  10. Founder / accountable owner has read the readiness report.


A few honest things about AgentProof

  • AgentProof is a readiness assessment, not an official audit.
  • Every recommendation cites the intelligence pack version it came from.
  • Intelligence updates go through a human review gate.
  • AgentProof does not speak on behalf of Microsoft or any vendor.