§18

Responsible AI

Every Medium- and High-risk agent passes a responsible-AI review before it enters Pilot. This is where the ethical principles become concrete, verifiable checks.

Checklist:

  • Fairness / bias — if the agent makes or influences decisions about people, has it been tested across demographic groups? Are known limitations documented?
  • Privacy / PII — data classification done; retention rules defined; masking applied where required; a working user-deletion path available.
  • Data residency — do LLM calls (and any prompts or outputs the provider retains for logging or training) go only to endpoints in approved jurisdictions?
  • Reliability and safety — failure modes documented; the worst-case action the agent can take assessed and judged acceptable?
  • Transparency — when the agent talks to external parties, is its AI nature disclosed? When it talks to internal stakeholders, is its output labeled as AI-generated?
  • Explainability — for agents affecting individuals, can we explain why a given output was produced?
  • Inclusiveness — does the agent serve all user groups, or does it exclude or disadvantage some by design or by training data?
  • Accountability — a single named human owner; a clear, tested path to override or stop the agent.
  • Audit log retention — retention period defined per the company's data policy and per regulation (EU AI Act, Article 19: automatically generated logs of a high-risk system are kept for at least six months).
  • Disclosure for AI-generated content — synthetic content marked as such where applicable (EU AI Act, Article 50).

These map directly to the principles common across NIST AI RMF, the EU AI Act, ISO 42001, OECD AI Principles, and UNESCO's AI ethics framework.