Owner: CoE Lead.

Input: Registry + intake form live.

Sub-steps: Create and publish:
- Risk classification rubric (framework.md §10) — Low / Medium / High plus the 3 risk drivers (PII / consequential decisions / autonomous). Include the EU-AI-Act mapping if EU exposure exists.
- Agent Card template (framework.md §14) — the 13-section spec template. Markdown file in a shared GitHub / GitLab / Notion location.
- Responsible-AI checklist (framework.md §18).
- Pre-build checklist (built from the gate criteria in this workflow document).
- Pilot-to-prod checklist (same).
- Retirement checklist.
- Observability standard — what every agent logs (framework.md §24).
- Incident-response runbook for AI-specific events (prompt injection, data exfiltration, model compromise).

Output / gate criteria: All seven documents exist, are linked from the registry, and reference the framework.

Decision branches: none — these are all required.

Skip-this-step risk: Every agent gets a hand-rolled spec; no audits possible; no consistency.