AI agent risk has more than one owner.
Platform owns the SDK path. Security owns the control boundary. Compliance owns the evidence. ML owns the agent. The CTO owns the rollout. Pick the page that matches the review you need to pass.
Agent owners
Wrap the one tool call that can hurt you: refunds, sends, deletes, exports, database writes, or account changes.
KPIs: First risky workflow, review rate, incident avoidance
Platform engineers
An SDK-shaped policy boundary for tool dispatch, with decision records your platform team can operate.
KPIs: Dev velocity, change failure rate, incident count
Security engineers
Argument-level controls for agents that hold valid credentials and OAuth scopes but have no enforcement at the tool-call layer.
KPIs: Detection-to-response, findings closed
Compliance & risk officers
Decision records for each AI agent action, mapped to EU AI Act, ISO 42001, SOC 2, and NIST AI RMF review workflows.
KPIs: Control coverage, evidence completeness, findings remediated
CTOs
Ship AI rollouts with a runtime authorization primitive your team can inspect and keep close to the code.
KPIs: Time-to-production for AI features, regrettable incidents, customer/security clearances
ML & AI engineers
Close the gap between eval behavior and production tool calls with per-call decision records.
KPIs: Tool-call success rate, postmortem volume
Why role-specific pages exist
A runtime control has to survive different objections. A platform engineer asks where it runs. A security engineer asks what it blocks. A compliance officer asks what evidence survives. Each page answers that role's real objection.
If you are choosing a page for a colleague, send the one that matches their review. Compliance officers should read the EU AI Act and SOC 2 mapping. Security engineers should read OWASP LLM06 and incident response. ML engineers should read the postmortem and replay sections.
Start with the risky workflow.
Wrap the agent once. Define the policy. Keep the record.