AI Governance Checklist for Production AI Agents

Key takeaways

Governance is a set of implemented controls, not a document you file.
Make oversight proportionate to risk — automate the routine, gate the high-stakes.
If you cannot evidence it, you cannot defend it to an auditor.
Work the checklist per workflow, then scale it as more agents go live.

Most organisations have an AI policy. Far fewer can show, for a given agent, what it can access, what it did, who approved it and what it cost. That gap — between stated intent and operated control — is where governance actually lives. This checklist is what we work through when we put an agent into production.

Why a checklist beats a policy

A policy is a statement; a checklist is a set of actions. Governance only protects you once each item is implemented and producing evidence. Treat the list below as per-workflow work: apply it to your first agent, then reuse it as more go live. None of it requires slowing the business down — well-designed controls run automatically for routine actions and only add friction where risk genuinely concentrates.

The eight controls

For each agent heading to production, confirm you have:

An inventory entry — what it does, what it can touch, and who owns it.
A risk classification — so controls are proportionate to the stakes.
Least-privilege access — tools and data scoped to the workflow and nothing more.
Human oversight — defined approval points, review and escalation.
Evaluation suites — regression tests run before and after every change.
An audit trail — every tool call, decision, escalation and approval logged.
Monitoring — quality, throughput and cost, with alerting on drift.
Incident response — the ability to pause, roll back or restrict, with an owner.

If you want the reasoning behind these, we cover it in governed AI agents; here the point is simply to have each one in place.

How to use the checklist

Run it as a gate, not a survey. An agent should not reach production with open items, and each item should point to evidence — a register entry, a permissions config, an evaluation report, a log query — not a tick in a spreadsheet. Reviewed this way, the checklist doubles as your audit-ready evidence base.

Where this sits

The first six controls are largely technical — the substance of AgentOps & AI governance. Inventory, risk classification and evidence extend to the organisational level, which is the role of AI assurance and evaluation. We deliver both, so the checklist is implemented end to end rather than split across teams who each assume the other owns it.

Questions

Frequently asked.

What should an AI governance checklist cover?

At minimum: an inventory of AI systems and agents, risk classification for each use case, least-privilege access, human oversight design, evaluation and regression testing, a complete audit trail, monitoring of quality and cost, and an incident-response process. Together these turn AI policy into controls you can operate and evidence.

Who owns AI governance?

It is shared. Technology owns the implementation — permissions, logs, evaluation and incident response. Risk, compliance and leadership own the organisational layer — inventory, risk classification, policy and assurance. The two reinforce each other; gaps appear when one assumes the other has it covered.

Is an AI policy enough for governance?

No. A policy states intent; governance proves it. The value is in implementing the controls and producing the evidence that shows they work in day-to-day operation. A policy with no implemented controls protects no one and convinces no auditor.

How does this checklist relate to AgentOps and AI assurance?

AgentOps is the technical control layer — the permissions, logs, evaluation and incident response in this list. AI assurance is the organisational layer — inventory, risk classification, oversight and audit evidence. This checklist spans both, which is why we deliver them together.

Where this leads

Related services.

↗

Put one workflow to work.

Tell us the workflow you want to automate, the systems involved and any risk or compliance concerns. We reply to every serious enquiry within one business day.

Send a message → Book a 30-min call

Reply within one business day Human oversight by design Senior team, always

An AI governance
checklist.