Start with the action the reviewer will ask about.

A regulator, auditor, agency buyer, or security reviewer will ask what happened before the agent released money, touched PHI, changed a claim, exported data, updated a case, or sent a message. These guides map that risky workflow to policy, review, exports, and decision records.

Money

Release payment, refund, or credit decision

Who approved before money moved?

Health

Submit prior auth, touch PHI, or message a payer

Was minimum-necessary policy checked?

Insurance

Update a claim, submission, or carrier response

Which tenant policy controlled the action?

Public sector

Update a case, export CUI, or send an agency message

What can continuous monitoring inspect?

One risky workflow. One evidence path.

Pick the tool call that creates review risk. Veto checks it before execution, returns allow, review, or deny, and keeps the decision record tied to actor, tenant, policy, verdict, reviewer, and timestamp.

Use the framework pages to map that record to the review in front of you: FedRAMP or NIST for agency work, HIPAA for PHI, SOC 2 for customer security review, EU AI Act or GDPR for European deployments, and PCI, SOX, or SR 11-7 for financial controls.

EU AI Act

Phased enforcement: February 2025 through August 2028

Risk classification mapping, Article-by-Article requirements (Art. 6, 9, 14, 26, 50), and where runtime authorization creates evidence.

  • High-risk classification review for autonomous-agent workflows
  • Art. 9 risk management via policy-as-code
  • Art. 14 human oversight through approval gates
  • Art. 26 deployer obligations and decision records

HIPAA

Active, enforced by HHS Office for Civil Rights

PHI protection for healthcare AI agents. Maps specific HIPAA rules (45 CFR 164.312, 164.530) to runtime authorization controls, output redaction, access controls, and decision records.

  • 45 CFR 164.312 technical safeguards for AI tool calls
  • PHI output redaction before data reaches the agent
  • Minimum necessary access via per-tool policies
  • Decision record evidence for breach notification (164.408)

SOC 2

Active, AICPA Trust Services Criteria

Map SOC 2 trust service criteria (CC6.1, CC6.3, CC7.1, CC7.2, CC8.1) to AI agent authorization controls. Decision record evidence, access control documentation, and continuous monitoring for Type II.

  • CC6.1 logical access controls for agent tool calls
  • CC6.3 role-based authorization policies
  • CC7.1 and CC7.2 monitoring and anomaly detection
  • CC8.1 change management via policy version control

ISO 42001

Published ISO/IEC 42001:2023

ISO/IEC 42001:2023 is the first AI management system standard used for certification programs. Annex A controls can be mapped to runtime authorization, policy version control, and approval workflows for AI agents.

  • Annex A.6: AI system impact assessment evidence
  • Annex A.8: operational controls for deployed agents
  • A.9: third-party and data lifecycle controls
  • Policy and decision records for audits

GDPR

In force since May 2018

Article 22 governs solely-automated decisions. Article 25 requires data protection by design. Article 35 demands DPIAs for high-risk processing. Runtime authorization turns all three into reviewable tool-call controls.

  • Art. 22: meaningful human intervention via approval gates
  • Art. 25: privacy by design through pre-action policy
  • Art. 35: DPIA evidence from decision records
  • Art. 30: record of processing for agent actions

NIST AI RMF

AI RMF 1.0 + Generative AI Profile (July 2024)

The NIST AI Risk Management Framework's four functions (GOVERN, MAP, MEASURE, MANAGE) translate into concrete agent controls when paired with runtime authorization and decision records.

  • GOVERN: policy as code, role assignment, accountability
  • MAP: agent capability inventory and impact mapping
  • MEASURE: decision metrics and drift signals
  • MANAGE: incident response and approval queues

NIST 800-53 Rev 5

Federal baseline and FedRAMP control source

AC-3 access enforcement, AU-2 event logging, CM-3 change control, IR-4 incident handling. Runtime authorization gives AI agent actions the control evidence federal assessors already expect.

  • AC-3: access enforcement for agent tool calls
  • AU-2 and AU-12: decision event logging by default
  • CM-3: policy change control with reviewer approval
  • IR-4: incident investigation from policy outcomes

FedRAMP

Rev 5 baselines and modernization

FedRAMP authorization depends on clear control implementation and current evidence. Veto's policy bundle, decision records, and human approval queue help explain agent action control in SSP and assessment work.

  • Agent authorization evidence for ConMon review
  • Policy-as-code for SSP control narrative
  • Decision records that support 3PAO sampling
  • Pre-action approval for higher-risk tool calls

PCI DSS 4.0

Mandatory since 31 March 2025

Requirement 7 (least privilege), 8 (identification), and 10 (logging) apply when an AI agent touches cardholder data. Runtime authorization is a practical way to enforce them without putting policy inside prompt instructions.

  • Req. 7: least-privilege tool access per CHD scope
  • Req. 8: agent identity binding for governed calls
  • Req. 10: decision record
  • Req. 6.4: change control on policies, not code

SOX

Sarbanes-Oxley Sections 302 and 404, PCAOB AS 2201

ICFR programs need clear authorization, segregation of duties, and evidence for material financial actions. When an agent posts a journal entry or moves money, reviewers need a clean approval context.

  • Section 404 ICFR: maker-checker via approval gate
  • Section 302: executive sign-off backed by decision records
  • AS 2201: independent evidence on agent controls
  • Segregation of duties enforced before execution

SR 11-7

Federal Reserve SR 11-7 and OCC 2011-12

Banking model risk management requires conceptual soundness review, ongoing monitoring, and effective challenge for models and model-adjacent systems. Runtime authorization helps keep agent actions inside the validated envelope.

  • Agent inventory: policy YAML as registry
  • Ongoing monitoring: decision metrics by default
  • Effective challenge: independent approval reviewers
  • Documented governance and remediation trail

Related resources

Evidence playbooks

SOC 2 CC6 evidence for AI agents

Map SOC 2 CC6 access controls to AI agent policy, approval, and access and authorization decision records before execution.

SOC 2 CC7 monitoring for AI agents

Map SOC 2 CC7 monitoring controls to AI agent policy, approval, and review queues, blocked-action logs, and incident queries before execution.

GDPR Article 22 review for AI agents

Map GDPR Article 22 automated decision restrictions to AI agent policy, approval, and human review records for consequential decisions before execution.

GDPR Article 30 records for AI agents

Map GDPR Article 30 records of processing to AI agent policy, approval, and processing-purpose, actor, and data-category logs before execution.

EU AI Act Article 14 oversight for agents

Map EU AI Act Article 14 human oversight to AI agent policy, approval, and approval paths before high-risk actions execute.

EU AI Act Article 50 transparency for agents

Map EU AI Act Article 50 transparency to AI agent policy, approval, and disclosure decisions tied to AI interaction and generated content before execution.

HIPAA minimum necessary controls for AI agents

Map HIPAA minimum necessary and access control expectations to AI agent policy, approval, and PHI access decisions, role context, and row-scope limits before execution.

PCI DSS access control for AI agents

Map PCI DSS access control to AI agent policy, approval, and cardholder-data action records and deny rules before execution.

SOX change control for AI agents

Map SOX change control to AI agent policy, approval, and production-change approvals and policy version evidence before execution.

FedRAMP monitoring for AI agents

Map FedRAMP continuous monitoring to AI agent policy, approval, and exportable action logs for agency review before execution.

NIST AI RMF runtime controls for agents

Map NIST AI RMF govern, map, measure, and manage functions to AI agent policy, approval, and policy tests and runtime decision evidence before execution.

ISO 42001 risk treatment for AI agents

Map ISO/IEC 42001 AI management system controls to AI agent policy, approval, and risk treatment records for governed agent actions before execution.

OWASP LLM06 controls for AI agents

Map OWASP LLM06 excessive agency to AI agent policy, approval, and tool allowlists, argument constraints, and approval rules before execution.

OWASP MCP controls for agent tools

Map OWASP MCP tool and gateway risks to AI agent policy, approval, and MCP server allowlists, tool-definition checks, and approval logs before execution.

AI agent audit trail requirements

Map cross-framework agent auditability to AI agent policy, approval, and actor, tool, arguments, policy, verdict, reviewer, and timestamp records before execution.

Map one regulated action to an inspectable decision record before the next review.