Audit is a boring word until the system being audited can move money, approve a refund, escalate a medical triage queue, book logistics capacity, or quietly call six APIs before breakfast.
That is the mood shift around AI agents. The question is no longer whether a model can produce a clever answer. It often can. Congratulations to the stochastic parrot; it has learned to use tools. The harder question is whether an organization can prove, after the fact and preferably before disaster, that the agent acted within its assigned authority.
The paper at the center of this article, Policy Cards: Machine-Readable Runtime Governance for Autonomous AI Agents, proposes a concrete answer: attach a structured, versioned, machine-readable policy artifact to a deployed agent, so that governance is not a PDF in Legal’s folder but part of the operating system of autonomy.1
That sounds administrative. It is not. It is the difference between saying “our AI follows policy” and being able to show which policy version governed which action, under what exception, with what evidence, mapped to which assurance requirement. One is a slogan. The other can survive an audit.
The problem is not intelligence; it is delegated authority
A chatbot without tools is mostly a communication risk. It can mislead, hallucinate, flatter, or waste time. Annoying, occasionally costly, but still bounded by the human who copies its output into the real world.
An agent is different. Once an AI system can perceive context, choose actions, call tools, and iterate toward a goal, it becomes part of the organization’s control surface. It can create records, trigger payments, send notifications, update customer states, or recommend operational decisions with enough speed that “human review” becomes a ritual phrase rather than a control mechanism.
This is where the common misconception appears: many teams still treat governance as a wrapper around model behavior. They assume the model is the main object to govern. Better prompts, safer fine-tuning, stricter refusal behavior, cleaner monitoring dashboards — each helps, but none fully solves the agent problem.
The reason is simple. Agent behavior is not determined by the model alone. It is determined by the model plus tools, memory, permissions, workflow state, business rules, deployment context, and exceptions. Two agents using the same base model can behave very differently if one is allowed to initiate transactions and the other can only draft suggestions. Same brain, different job description. As in human organizations, the role matters. Sometimes more than the personality test.
Policy Cards start from that operational reality. They treat the governing rules of an agent as part of the deployed system itself, not as external decoration.
Why descriptive AI documentation is not enough
The AI governance ecosystem already has documentation artifacts. Model Cards describe trained models and their intended uses. Data Cards describe datasets and their provenance. System Cards describe deployed systems, risks, mitigations, and performance characteristics. These artifacts helped move AI reporting beyond the charming old tradition of “trust us, the benchmark went up.”
But the Policy Cards paper argues that these artifacts remain mostly descriptive. They tell us what a model is, what data shaped it, or how a system was evaluated. They do not usually specify, in a machine-checkable way, what a deployed agent is allowed to do right now.
That gap matters most when autonomy becomes operational. A payments agent does not merely need a description of its model family. It needs rules such as:
- Which payment actions are allowed?
- Which actions require escalation?
- Which thresholds trigger automatic failure?
- What evidence must be logged?
- How long must logs be retained?
- Which internal policy, regulation, or assurance framework does each rule support?
- Who approved an exception, and when does that exception expire?
These are not philosophical questions. They are the minimum paperwork of controlled delegation. Only now the paperwork must be structured enough for software to read, validate, diff, and enforce.
The paper’s contribution is to define Policy Cards as a normative deployment-layer artifact. “Normative” is the important word. A Policy Card does not merely describe the agent. It defines binding operational constraints: allowed actions, denied actions, escalation requirements, obligations, monitoring fields, KPI thresholds, change-management rules, and assurance mappings.
In plain business language: it turns policy into configuration.
That sentence should make both lawyers and engineers slightly nervous, which is usually a sign that the problem has been located correctly.
The Policy Card is a contract between the agent and the organization
A useful way to read the paper is not as “another documentation template,” but as a contract architecture. The Policy Card specifies the boundary between autonomous behavior and organizational permission.
The proposed schema includes ten major areas:
| Policy Card section | What it controls | Why it matters operationally |
|---|---|---|
meta |
Version, owner, timestamps, review status | Establishes which policy governed which deployment |
scope |
Application, stakeholders, jurisdictions, system boundaries | Prevents generic policy from being applied outside its intended context |
applicable_policies |
Internal and external policy references | Links the card to legal, regulatory, and organizational obligations |
controls |
Action rules with allow, deny, or escalation effects | Converts policy into action-level boundaries |
obligations |
Required actions such as notifications, consent checks, or safety statements | Ensures compliance is not optional when certain conditions occur |
monitoring |
Events, fields, detectors, retention, review cadence | Defines what evidence must exist for later assurance |
kpis_thresholds |
Performance and safety thresholds, including critical auto-fail triggers | Makes failure conditions explicit before deployment |
change_management |
Approval, review, and modification rules | Reduces silent policy drift |
assurance_mapping |
Links to frameworks such as NIST AI RMF, ISO/IEC 42001, and the EU AI Act | Makes compliance claims traceable |
references |
Related Model Cards, Data Cards, risk registers, DPIAs, and other artifacts | Connects the policy layer to the wider governance file |
The table is dry. The implication is not.
For an enterprise agent, this structure answers the question that vague AI governance often avoids: where exactly does responsibility live? Not in a principle. Not in a slide deck. Not in a “human-in-the-loop” checkbox that everyone clicks through after the third week. Responsibility lives in a versioned artifact, connected to enforcement, monitoring, and evidence.
That does not magically make the agent safe. It makes its constraints inspectable. In business systems, inspectability is the first step toward control.
Declare, do, audit: the workflow matters more than the artifact
The paper’s strongest idea is not the card alone. It is the lifecycle around the card.
The proposed integration model can be summarized as:
Declare policy -> Execute under policy -> Capture evidence -> Audit continuously
In the Declare phase, the Policy Card is registered before deployment. It is validated against a JSON Schema and checked through lint rules. These checks are not merely cosmetic. They can enforce required sections, valid identifiers, acceptable timestamps, retention periods, permitted action effects, and consistency between evidence fields and obligations.
This is where governance begins to resemble software engineering. A malformed policy should fail before deployment, not become a finding six months later in a compliance review. The paper explicitly connects Policy Cards to CI/CD gating, version control, policy registries, and runtime enforcement pathways. In other words, governance enters the pipeline.
In the Do phase, the deployed agent operates under the active Policy Card. A runtime gateway, middleware layer, orchestration framework, or enforcement engine can evaluate the card’s action rules. An attempted action may be allowed, denied, or escalated. The policy is no longer a passive document. It becomes part of decision flow.
In the Audit phase, logs and evidence are reviewed against the declared obligations. The audit is not only retrospective. Because the card defines monitoring fields, detectors, thresholds, and evidence requirements ahead of time, the audit can become continuous. That is the important upgrade. Traditional audit asks, “What happened?” Continuous assurance asks, “Is the system still operating inside the declared boundary?”
This is where the framework fits the broader direction of AI risk management. NIST’s AI Risk Management Framework emphasizes governance, mapping, measurement, and management across the AI lifecycle.2 The EU AI Act also pushes high-risk AI systems toward documentation, logging, post-market monitoring, and human oversight obligations.3 Policy Cards do not replace those frameworks. They attempt to operationalize parts of them in a format that software systems can actually use.
The quiet business value is not that compliance becomes beautiful. It will not. The value is that compliance becomes less dependent on heroic manual reconstruction after something goes wrong.
The evidence is architectural, not a benchmark leaderboard
The original version of this article suggested numerical performance comparisons between baseline and governed agents. That would be comforting, but the Policy Cards paper does not present a benchmark leaderboard showing, for example, a clean percentage drop in policy violations across a large empirical suite. So we should not pretend it does. Numbers invented for narrative symmetry are still invented. A small tragedy, but a tragedy.
The evidence in the paper is architectural and demonstrative:
| Paper claim | Evidence provided | Business meaning | Boundary |
|---|---|---|---|
| Agents need deployment-specific policy artifacts | The paper distinguishes Policy Cards from Model, Data, and System Cards | Governance must attach to the deployed role, not just the underlying model | This is a design argument, not proof of universal adoption |
| Policy rules can be made machine-readable | The schema uses JSON Schema 2020-12 with defined sections and validation rules | Policies can be checked, versioned, diffed, and integrated into pipelines | Actual enforcement depends on surrounding infrastructure |
| Continuous assurance can be connected to runtime behavior | The Declare-Do-Audit workflow links policy declaration, execution, evidence capture, and audit | Audit shifts from after-the-fact reconstruction toward live control | The paper describes the integration model; production maturity varies by implementation |
| The structure can generalize across domains | Examples include retail banking, clinical triage, and defence mission-planning scenarios | A common schema may support sector-specific governance without reinventing the format each time | Domain examples are illustrative; sector compliance still requires expert validation |
| Governance can be mapped to external frameworks | The paper includes assurance mappings to NIST AI RMF, ISO/IEC 42001, and EU AI Act-related obligations | Compliance teams can trace technical controls to governance frameworks | Mappings support readiness; they do not guarantee legal sufficiency |
This distinction matters. The paper is not saying, “Here is a proven universal safety layer for autonomous agents.” It is saying, “Here is a structured way to express, validate, and connect operational policy to agent behavior.”
That is less glamorous. It is also more useful.
A benchmark can tell you whether one agent performed better than another on a task. A Policy Card can help you answer a different question: was the agent even authorized to perform the task in the first place?
The mechanism: policy drift becomes visible
The most practical problem the framework addresses is policy drift.
In a normal organization, policy lives in many places: legal documents, internal procedures, risk registers, system settings, API permission tables, compliance checklists, engineering tickets, and the collective memory of one senior employee who is somehow always on leave when needed. When an AI agent enters this environment, it inherits the mess.
Policy drift occurs when the documented obligation and the deployed configuration stop matching. Maybe the legal threshold changed. Maybe a temporary exception never expired. Maybe a tool permission was widened during a demo and never tightened. Maybe the agent was moved from a sandbox to production with a heroic amount of optimism and not much else.
Policy Cards make drift harder to hide because the policy has a version, a scope, required fields, review cadence, and change-management rules. A revised policy can be diffed against the old one. An exception can have an expiration. A control can require evidence. A KPI threshold can trigger escalation.
This does not eliminate governance failure. Nothing eliminates governance failure, especially where procurement meetings are involved. But it changes the failure mode. Instead of discovering later that nobody knows which rules were active, the organization can inspect the declared policy state and compare it against runtime evidence.
That is auditability in the practical sense: not moral confidence, but recoverable evidence.
The related paper Can AI be Auditable? defines auditability as the capacity of AI systems to be independently assessed for ethical, legal, and technical compliance across their lifecycle.4 Policy Cards fit neatly into that concern because they create a concrete object that auditors, engineers, and governance teams can examine together. The object does not solve opacity inside the model. It reduces opacity around the system’s authorized behavior.
Human oversight becomes more precise when escalation is encoded
“Human oversight” is one of those phrases that sounds responsible until someone asks who the human is, what they are supposed to see, when they must intervene, and whether they have enough context to do anything other than approve the inevitable.
A Policy Card does not merely say “keep a human in the loop.” It can specify escalation conditions. For example, a payment agent may be allowed to verify balances, allowed to prepare a payment instruction, required to escalate transactions above a threshold, and denied from executing transfers involving certain risk flags.
The difference is important:
| Weak oversight phrase | Policy Card replacement |
|---|---|
| “Human review required for risky cases” | require_escalation when transaction amount, customer risk level, jurisdiction, or anomaly score crosses specified conditions |
| “Maintain logs” | Record defined events, fields, retention period, review cadence, and evidence links |
| “Follow compliance policy” | Map action rules and obligations to specific internal policies and external assurance tokens |
| “Exceptions allowed with approval” | Store approver ID, justification, validity period, and versioned exception record |
This is not just more paperwork. It changes what can be automated safely.
When escalation is vague, organizations either over-escalate or under-escalate. Over-escalation makes the agent useless, because humans become the bottleneck. Under-escalation creates risk, because the agent quietly acts beyond its intended authority. A machine-readable policy layer allows more proportional control: low-risk actions pass, high-risk actions escalate, prohibited actions stop.
That is the business case for governance architecture. It is not “ethics theater.” It is throughput with boundaries.
The business value is cheaper assurance, not just safer agents
For executives, the immediate temptation is to ask whether Policy Cards increase ROI. Fine. Let us speak spreadsheet.
The direct cost of autonomous agents is not only model inference, workflow integration, or tool access. It is assurance overhead: documenting use cases, proving controls, reviewing exceptions, investigating incidents, satisfying regulators, answering auditors, and convincing internal risk teams that the automation is not a beautifully formatted liability machine.
Policy Cards reduce that overhead in three ways.
First, they standardize the policy representation. Instead of each team inventing its own governance spreadsheet, the organization can use a common schema. This supports reuse across departments and makes comparisons easier.
Second, they shift checks earlier in the lifecycle. A card can be validated before deployment. CI/CD integration can reject incomplete or inconsistent policy definitions. That is cheaper than discovering missing evidence after the agent has already acted.
Third, they improve audit readiness. If runtime evidence is defined in advance, the audit trail becomes less dependent on manual reconstruction. Compliance teams can ask better questions because the system already knows which rules, thresholds, and evidence fields were supposed to exist.
Here is the practical pathway:
| Technical contribution | Operational consequence | ROI relevance |
|---|---|---|
| Machine-readable policy schema | Less ambiguity in agent permissions and obligations | Lower coordination cost between engineering, legal, and risk teams |
| Version control and diffability | Policy changes become traceable | Faster review of changes and exceptions |
| Runtime action rules | Enforcement can occur before action execution | Lower incident probability for preventable violations |
| Evidence requirements | Logs are collected for specific assurance needs | Lower audit preparation cost |
| Crosswalk mappings | Controls can be linked to external frameworks | Easier regulatory and customer-facing assurance narratives |
This is Cognaptus’ inference, not a direct empirical result from the paper: the main commercial value of Policy Cards is likely to be lower assurance friction. The agent may or may not become more “intelligent.” That is not the point. The organization becomes less blind.
Where the framework applies best
Policy Cards are most valuable when three conditions hold.
First, the agent has meaningful permissions. If the system only drafts text for a human to review, the full machinery may be excessive. A lightweight checklist may be enough. No need to install airport security around a vending machine.
Second, the domain has explicit constraints. Finance, healthcare, public-sector workflows, insurance, logistics, HR, procurement, and cybersecurity are natural candidates because actions already sit inside rules, approvals, thresholds, and evidence requirements.
Third, the organization expects repeated deployment. A single prototype can survive with informal controls. A portfolio of agents cannot. Once multiple teams deploy agents across business functions, governance inconsistency becomes expensive. A common policy artifact becomes infrastructure.
The paper’s examples — retail banking, clinical triage, and defence mission-planning — are well chosen because each domain has strong action constraints and evidentiary needs. In banking, authorization and escalation boundaries matter. In clinical triage, safety, scope, and escalation are central. In defence contexts, mission planning requires strict operational boundaries. The same schema will not make these domains equivalent, but it can give them a shared grammar for policy expression.
That shared grammar may become more important as agent ecosystems become multi-agent systems. One agent may delegate to another. A planning agent may call a specialist tool agent. A supervisor agent may approve or reject sub-agent actions. Without machine-readable policy, multi-agent governance becomes a meeting with extra steps. With Policy Cards, each agent can carry explicit scope, obligations, and evidence requirements.
That is the architecture-level insight: autonomy scales only when constraints scale with it.
What the paper directly shows, and what it does not
The paper directly shows that Policy Cards can be defined as a structured deployment-layer artifact; that such cards can encode rules, obligations, monitoring, thresholds, change management, and assurance mappings; and that the approach can be illustrated across several high-governance domains. It also shows how the artifact can connect to validation tooling, CI/CD workflows, runtime enforcement concepts, and continuous audit pipelines.
Cognaptus infers that this type of artifact could reduce enterprise friction in agent deployment by giving legal, compliance, engineering, and operations teams a common object to inspect. That inference is practical, but it is still an inference. The paper does not yet prove deployment-wide cost reduction, incident reduction, or regulator acceptance.
What remains uncertain is adoption. A schema is useful only if it fits real workflows. Organizations must still decide who writes the card, who approves it, how policies are translated into enforcement back-ends, how exceptions are governed, and how evidence integrity is protected. The paper points toward future work on formal semantics, enforcement back-ends such as Rego or Cedar, automated card synthesis, multi-jurisdictional composition, and cryptographic attestation. Those are not minor details. They are the path from promising artifact to operational standard.
A second boundary is legal sufficiency. A Policy Card can map controls to frameworks such as NIST AI RMF or the EU AI Act, but a mapping is not a legal opinion. Regulators and auditors may appreciate structured evidence; they will not outsource judgment to a JSON file. Tragic, but probably healthy.
A third boundary is model opacity. Policy Cards govern what the agent may do and what evidence must be captured. They do not fully explain why the underlying model reasoned as it did. For many business settings, that distinction is acceptable. We often need enforceable boundaries more urgently than metaphysical access to the model’s inner life. Still, the distinction should remain clear.
A practical adoption model for enterprises
For companies building or deploying agents, the useful question is not whether to adopt the full Policy Card framework tomorrow morning. The better question is which parts of agent governance should become machine-readable first.
A staged approach is more realistic.
Start with scope and permissions. Define what the agent is, what tools it can call, what data it can access, and what business actions it may initiate. This is the minimum viable boundary.
Then add escalation rules. Identify the conditions under which the agent must stop and ask for approval. These rules should be concrete: transaction size, risk score, jurisdiction, customer category, uncertainty threshold, data sensitivity, or exception type.
Next, add logging and evidence requirements. Do not log everything because “storage is cheap.” That is how organizations build data swamps and then call them observability. Log what is needed to reconstruct responsibility: policy version, input context, action attempt, decision outcome, tool call, escalation status, approver, exception ID, timestamp, and relevant evidence fields.
Then add change management. A policy layer without version control is just vibes in YAML. Each change should have an owner, reason, approval, effective date, and rollback path.
Finally, map controls to external frameworks where needed. This is where legal and compliance teams enter the system productively. Their role is not to manually approve every agent action. Their role is to define and maintain the rules under which classes of actions become allowable, deniable, or escalatable.
This is the managerial shift: governance teams become policy engineers. Not because everyone needs to code, but because policy must be expressed in forms that software can interpret.
Autonomy becomes infrastructure only when it can be inspected
The AI industry loves intelligence because intelligence demos well. A model solving a puzzle looks magical. A policy validator rejecting an incomplete deployment file does not. Nobody posts a viral thread about semantic versioning and evidence retention.
Yet the boring layer is where enterprise adoption usually lives.
Autonomous agents will not become trusted business infrastructure merely because they reason better. They will become trusted when organizations can define their authority, enforce their boundaries, monitor their behavior, preserve evidence, and revise policy without losing the plot.
Policy Cards offer one credible design pattern for that future. They do not answer every question. They do not remove the need for judgment. They do not transform compliance into a spa treatment. But they move governance from verbal assurance to operational artifact, and that is a serious step.
The audit of autonomy is not about slowing agents down until they become harmless. It is about making autonomy legible enough to delegate responsibly.
Intelligence may win the demo. Auditability wins production.
Cognaptus: Automate the Present, Incubate the Future.
-
Juraj Mavračić, “Policy Cards: Machine-Readable Runtime Governance for Autonomous AI Agents,” arXiv:2510.24383, submitted October 28, 2025. https://arxiv.org/abs/2510.24383 ↩︎
-
National Institute of Standards and Technology, “AI Risk Management Framework,” including AI RMF 1.0 and related resources. https://www.nist.gov/itl/ai-risk-management-framework ↩︎
-
Regulation (EU) 2024/1689, the European Union Artificial Intelligence Act, including requirements for high-risk AI systems such as logging, documentation, monitoring, and human oversight. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng ↩︎
-
Himanshu Verma, Kirtan Padh, and Eva Thelisson, “Can AI be Auditable?” arXiv:2509.00575, 2025. https://arxiv.org/abs/2509.00575 ↩︎