How-to · 6 steps
How to Build a Governed AI Agent (Step-by-Step)
A practical walkthrough: define purpose, write policy, set approval gates, pin the policy cryptographically, and ship a tamper-evident AI agent your compliance team will sign off on.
Define purpose in one sentence
If you can't describe the agent's job in one sentence, you can't govern it. Example: "Reply to sales inquiries under $5k and book demos; never quote pricing or commit to terms."
Write the policy
List allowed tools, data sources, and actions in plain language. Keep it under a page. This becomes the source-of-truth document that gets hashed in step 4.
Set approval gates
Decide what the agent cannot do alone. Common gates: refunds over a threshold, emailing a new external domain, modifying production data, scheduling with an executive.
Pin the policy cryptographically
Hash the policy document (SHA-256 is fine) and attach the resulting pin to every action the agent takes. If the policy ever changes, the pin changes, and historical actions remain attributable to the exact version that authorized them.
Enable tamper-evident logging
Each log entry includes the hash of the previous entry. A single edit anywhere in history breaks the chain — auditors can verify the log was not rewritten after an incident.
Export and sign the trust manifest
The manifest declares which models, tools, and data sources the agent may use. Sign it. Ship it alongside the agent. Compliance can diff manifests across releases.