Risk drives the rest of the framework — approval depth, monitoring intensity, human-in-the-loop (HITL) requirements, audit trail granularity, retention period. Three tiers, augmented by three structural risk drivers.
10.1 The three tiers
| Risk | Examples | Approval requirements | Required artifacts |
|---|---|---|---|
| Low | Meeting summaries, internal note drafting, knowledge retrieval, internal Q&A | CoE Lead sign-off | Agent Card, basic logging |
| Medium | Outbound communication drafts (human-reviewed), internal recommendations, ranking that informs human decisions, draft contract clauses | CoE Lead + Department Head sign-off | Agent Card + evaluation report + monitoring dashboard |
| High | Financial decisions, legal/HR decisions, customer-facing autonomous action, writes to systems of record, regulated decisions about people | CoE Lead + Department Head + Security + Legal sign-off | Full spec + responsible-AI review + DPIA where applicable + decision audit retention |
Heuristic: if a wrong action could embarrass the company publicly, cost money, or create legal exposure → High. If it costs only the user's time → Low.
10.2 The three structural risk drivers
Independent of the tier, every agent (and every vendor AI tool) is tagged on these three drivers. Tagging "yes" on any of them almost always pushes the agent to Medium or High.
- Personal data — does the agent process PII / customer / employee data?
- Consequential decisions — does its output influence decisions about people (hiring, lending, performance, access, healthcare)?
- Autonomous behavior — can it act without a human in the loop?
These three drivers are what regulators and auditors look for first.
10.3 Alignment with the EU AI Act
The EU AI Act uses four tiers (unacceptable / high-risk / limited / minimal) and defines high-risk by specific use cases (Annex III: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice).
If we touch the EU market, an EU-Act-defined high-risk use case automatically maps to our High tier and triggers EU-Act-specific obligations (Articles 9–15: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity).
See §31 for the full compliance landscape.