Owner: CoE + Legal (+ Ethics where applicable).
Input: Security review complete.
Sub-steps:
- Required for all Medium- and High-risk agents.
- Walk the Responsible-AI checklist (framework.md §18):
  - Fairness / bias (especially if decisions about people)
  - Privacy / PII (classification, retention, masking, deletion path)
  - Data residency (LLM provider jurisdiction)
  - Reliability / safety (worst-case acceptable?)
  - Transparency / disclosure (is AI nature disclosed where required?)
  - Explainability (can we explain decisions to affected individuals?)
  - Inclusiveness (does it serve all user groups?)
  - Accountability (single named human owner, override path)
  - Audit log retention (≥ 6 months for High; longer per regulation)
  - Synthetic content disclosure (EU AI Act Article 50 if applicable)
- If a checklist item is unanswered, do not pass. Either resolve it or constrain the agent's scope.
Output / gate criteria: Signed Responsible-AI Review document attached to the registry entry.
Decision branches:
- Bias / fairness issue not yet addressed → require a bias audit before pilot.
- Disclosure required but not designed in → back to Step 5 to add disclosure to the Agent Card.
Skip-this-step risk: The agent ships, makes a biased / opaque / undisclosed decision about a real person, and the company has no defensible answer.