Owner: Agent Builder.
Input: Identity + access in place.
Sub-steps:
- Work in dev environment only. Never start a new agent directly in prod.
- Use the approved stack (Step A4). If the build needs anything outside the stack, escalate to the CoE for an exception decision before adding it.
- Build the agent to the Agent Card spec. Every field in the card is a contract.
- Implement the three guardrail layers (framework.md §19):
  - Policy guardrails — already in the Agent Card.
  - Workflow guardrails — HITL gates, approval routing, RBAC at the orchestration layer.
  - Runtime guardrails — input validation, output validation, tool allowlists, schema checks, kill switch.
- Implement the five control mechanisms (framework.md §20):
  - Confidence thresholds per process.
  - HITL checkpoints at irreversible decision points.
  - Input validation + prompt-injection defense.
  - Deterministic workflow boundaries (orchestration owns the process, not the agent).
  - Least-privilege scoping at runtime.
- Wire in observability from day one (framework.md §24):
  - Every execution logs the full field list (timestamp, user, agent ID + version, prompt, output, tool calls, model + version, tokens, cost, policy checks, HITL events, latency, outcome, error).
  - Dashboards live before the agent ships, not after.
- Version everything — prompts, tool definitions, orchestration config — in source control. No production-only prompts.
- Write the runbook: what to do when this agent misbehaves, who to page, how to kill it.
Output / gate criteria: Agent runs in dev against test data. Logs flow. Guardrails fire in expected scenarios. Runbook exists.
Decision branches: none — this is the build.
Skip-this-step risk: "We'll add logging later" → never happens. Guardrails get bolted on as patches after the first incident. Production agent has no kill switch.
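
A minimal sketch of the runtime guardrail layer (kill switch, tool allowlist, schema check) wrapped around one tool call and emitting a record with every field from the logging sub-step. It is an added example, not code from the framework; the class, function and key names, the sample tool and the context values are all assumptions.

```python
import time
# Field list from the observability sub-step; the exact key spellings are assumed.
LOG_FIELDS = ("timestamp", "user", "agent_id", "agent_version", "prompt", "output",
              "tool_calls", "model", "model_version", "tokens", "cost",
              "policy_checks", "hitl_events", "latency_ms", "outcome", "error")

class GuardrailViolation(Exception):
    """Raised when a runtime guardrail blocks a tool call."""

class RuntimeGuard:
    def __init__(self, allowed_tools):
        self.allowed_tools = allowed_tools  # tool name -> {argument name: required type}
        self.killed = False                 # kill switch, flipped per the runbook
        self.policy_checks = []             # (check, passed) pairs for the current call

    def _check(self, name, passed, detail):
        self.policy_checks.append((name, passed))
        if not passed:
            raise GuardrailViolation(f"{name}: {detail}")

    def authorize(self, tool, args):
        self.policy_checks = []
        self._check("kill_switch", not self.killed, "agent is disabled")
        self._check("tool_allowlist", tool in self.allowed_tools, f"{tool!r} is not allowed")
        schema = self.allowed_tools[tool]
        ok = set(args) == set(schema) and all(isinstance(args[k], t) for k, t in schema.items())
        self._check("tool_schema", ok, f"arguments for {tool!r} do not match the schema")

def run_step(guard, ctx, tool, args, tool_fn):
    """Run one tool call behind the guard; always return a record with every log field."""
    start = time.monotonic()
    record = dict.fromkeys(LOG_FIELDS)  # fields not set below stay None, so gaps are visible
    record.update(ctx, timestamp=time.time(), hitl_events=[],
                  tool_calls=[{"tool": tool, "args": args}])
    try:
        guard.authorize(tool, args)
        record["output"], record["outcome"] = tool_fn(**args), "success"
    except GuardrailViolation as exc:
        record["outcome"], record["error"] = "blocked", str(exc)
    record["policy_checks"] = list(guard.policy_checks)
    record["latency_ms"] = round((time.monotonic() - start) * 1000, 3)
    return record

# Constructed sample context and tool, for illustration only.
SAMPLE_CTX = {"user": "dev-tester", "agent_id": "order-agent", "agent_version": "0.1.0",
              "prompt": "Where is order A-1?", "model": "example-model", "model_version": "1"}

def lookup_order(order_id):
    return {"order_id": order_id, "status": "shipped"}
```

Running the allowed call, a call to a tool outside the allowlist, a call with a wrong argument type, and a call after `guard.killed = True` exercises the "guardrails fire in expected scenarios" gate criterion against test data.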