Owner: Agent Builder.
Input: Approval granted.
Sub-steps: Fill out the Agent Card template (framework.md §14, 13 sections):
- Identity (name, ID, owner, department, version)
- Purpose (workflow it serves, KPI it moves)
- Scope (what it will do / will not do)
- Risk tier + risk-driver tags
- Inputs / data sources (every system it reads from + classification per source)
- Outputs / tool calls (every API / system it writes to + permission scope per call)
- Autonomy level (Assistive / Validated / Autonomous + explicit thresholds)
- Identity & credentials (service principal name, rotation policy)
- HITL gates (where humans must approve, by rule)
- Failure modes & worst-case action (and whether worst-case is acceptable)
- Monitoring + alerts (what we watch, what triggers a page)
- Eval criteria (how we know it works; pre-prod test set definition)
- Retirement criteria (already defined in Step 4)
Output / gate criteria: Agent Card committed to the source repo + linked from the registry entry.
Decision branches:
- Worst-case action is not acceptable (e.g., agent could autonomously send unreviewed customer emails) → escalate back to Step 4 to constrain the autonomy level.
Skip-this-step risk: No shared understanding of what the agent does. Every reviewer downstream has to reconstruct it from scratch.
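
A pre-merge check for the gate above, as an added example that is not part of framework.md or of this page's own tooling: it confirms that all 13 sections are filled in, that every input has a classification and every output a permission scope, and it applies the worst-case decision branch. The dictionary keys, the decision strings and the sample card are assumptions made for illustration.

```python
# Added example; key names are assumptions, framework.md §14 defines the real template.
REQUIRED_SECTIONS = (
    "identity", "purpose", "scope", "risk_tier", "inputs", "outputs",
    "autonomy", "credentials", "hitl_gates", "failure_modes",
    "monitoring", "eval_criteria", "retirement_criteria",
)
AUTONOMY_LEVELS = {"Assistive", "Validated", "Autonomous"}

def check_agent_card(card: dict) -> tuple:
    """Return (decision, findings); decision is pass, incomplete or escalate_to_step_4."""
    findings = [f"missing or empty section: {s}"
                for s in REQUIRED_SECTIONS if not card.get(s)]
    if (card.get("autonomy") or {}).get("level") not in AUTONOMY_LEVELS:
        findings.append("autonomy.level must be Assistive, Validated or Autonomous")
    # Every source needs a classification; every tool call needs a permission scope.
    for src in card.get("inputs") or []:
        if not src.get("classification"):
            findings.append(f"input {src.get('system')!r} has no classification")
    for call in card.get("outputs") or []:
        if not call.get("permission_scope"):
            findings.append(f"output {call.get('system')!r} has no permission scope")
    if findings:
        return "incomplete", findings
    # Decision branch: an unacceptable worst-case action goes back to Step 4.
    worst = card["failure_modes"]
    if worst.get("worst_case_acceptable") is not True:
        return "escalate_to_step_4", [f"worst case not accepted: {worst.get('action')}"]
    return "pass", []

def sample_card() -> dict:
    """Constructed card for a hypothetical agent; every value is illustrative."""
    return {
        "identity": {"name": "refund-triage", "id": "AGT-EXAMPLE", "owner": "j.doe",
                     "department": "Support", "version": "0.1.0"},
        "purpose": {"workflow": "refund triage", "kpi": "time to first response"},
        "scope": {"will_do": ["draft replies"], "will_not_do": ["send email"]},
        "risk_tier": {"tier": "medium", "tags": ["customer-facing"]},
        "inputs": [{"system": "ticketing", "classification": "confidential"}],
        "outputs": [{"system": "ticketing", "permission_scope": "drafts:write"}],
        "autonomy": {"level": "Validated", "thresholds": "human approves every send"},
        "credentials": {"service_principal": "sp-example", "rotation": "90d"},
        "hitl_gates": ["approve before any customer-visible message"],
        "failure_modes": {"action": "inaccurate draft reaches the reviewer",
                          "worst_case_acceptable": True},
        "monitoring": {"watch": ["draft rejection rate"], "page_on": ["tool-call errors"]},
        "eval_criteria": {"test_set": "pre-prod labelled tickets"},
        "retirement_criteria": "as defined in Step 4",
    }
```

Run as a repository check on the committed card, a result other than `pass` blocks the merge, and `escalate_to_step_4` sends the card back for a lower autonomy level.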