How-to · 6 steps

How to Build a Governed AI Agent (Step-by-Step)

A practical walkthrough: define purpose, write policy, set approval gates, pin the policy cryptographically, and ship a tamper-evident AI agent your compliance team will sign off on.

Step 1

Define purpose in one sentence

If you can't describe the agent's job in one sentence, you can't govern it. Example: "Reply to sales inquiries under $5k and book demos; never quote pricing or commit to terms."

Step 2

Write the policy

List allowed tools, data sources, and actions in plain language. Keep it under a page. This becomes the source-of-truth document that gets hashed in step 4.

Step 3

Set approval gates

Decide what the agent cannot do alone. Common gates: refunds over a threshold, emailing a new external domain, modifying production data, scheduling with an executive.

Step 4

Pin the policy cryptographically

Hash the policy document (SHA-256 is fine) and attach the resulting pin to every action the agent takes. If the policy ever changes, the pin changes, and historical actions remain attributable to the exact version that authorized them.

Step 5

Enable tamper-evident logging

Each log entry includes the hash of the previous entry. A single edit anywhere in history breaks the chain — auditors can verify the log was not rewritten after an incident.

Step 6

Export and sign the trust manifest

The manifest declares which models, tools, and data sources the agent may use. Sign it. Ship it alongside the agent. Compliance can diff manifests across releases.
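Steps 4 and 5 can be sketched together in a few functions. The following is an added example, not code from this walkthrough or from any product it mentions: it pins a policy with SHA-256, stamps the pin on every log entry, chains entries by hash, and verifies the chain. The field names, the all-zero genesis value, the canonical-JSON serialization, the function names and the sample policy and log entries are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry
# Constructed sample policy text, based on the purpose sentence in step 1.
SAMPLE_POLICY = "Reply to sales inquiries under $5k and book demos; never quote pricing."

def policy_pin(policy_text: str) -> str:
    """Step 4: SHA-256 over the exact bytes of the policy document."""
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()

def entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()

def append_entry(log: list, pin: str, action: str, detail: dict) -> dict:
    """Step 5: each entry carries the policy pin and the previous entry's hash."""
    body = {"seq": len(log), "policy_pin": pin, "action": action, "detail": detail,
            "prev_hash": log[-1]["hash"] if log else GENESIS}
    entry = dict(body, hash=entry_hash(body))
    log.append(entry)
    return entry

def verify_chain(log: list, known_pins: set) -> list:
    """Return (seq, problem) findings; an empty list means the chain verifies."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev_hash") != prev:
            findings.append((i, "prev_hash does not match previous entry"))
        if entry_hash(body) != entry.get("hash"):
            findings.append((i, "content does not match stored hash"))
        if entry.get("policy_pin") not in known_pins:
            findings.append((i, "policy pin is not a known policy version"))
        prev = entry.get("hash")
    return findings

def demo() -> list:
    """Constructed log: two actions, then entry 0 is edited after the fact."""
    pin, log = policy_pin(SAMPLE_POLICY), []
    append_entry(log, pin, "reply_inquiry", {"deal_usd": 3200})
    append_entry(log, pin, "book_demo", {"slot": "2024-01-15T10:00Z"})
    log[0]["detail"]["deal_usd"] = 4900  # simulated rewrite of history
    return verify_chain(log, {pin})

if __name__ == "__main__":
    print(demo())
```

The chain only proves consistency up to a head hash the verifier already trusts, so record the latest entry hash somewhere the log writer cannot modify. Without that anchor, someone with write access to the whole log can recompute every hash from the edited entry forward.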

Skip the plumbing

Agent Bob walks through all six steps in a wizard and exports the governance package — policy, pin, manifest, log schema — as a single download.