PALO-AM v2.0 — JUNE 2026

Agentic Governance Modality
From Model Governance to Delegated-Action Governance

PALO-AM is the agentic extension of the PALO Framework. It introduces a new layer of governance objects, control domains and evidence artefacts specifically designed for AI systems that select tools, write to systems, trigger workflows and act autonomously on behalf of the organization.

Fabrizio DegniChief AI Officer

5Object Cards

4Risk Tiers

11KPIs / KRIs

5Lifecycle Gates

PALO-AM

The Governance Shift

Model governance asks whether the model behaves responsibly. Delegated-action governance asks whether the authority delegated to the system has been justified, bounded, monitored and evidenced.

🧠

Model Governance

Does the model behave responsibly? Accuracy, bias, explainability, robustness, privacy, data lineage, output safety.

→

⚡

Delegated-Action Governance

Is the delegated authority justified, bounded, monitored and evidenced? Identity, permissions, tools, memory, autonomy, checkpoints.

A hallucinated sentence can mislead. A hallucinated tool call can alter a customer record, leak sensitive data, trigger a transaction or damage an operational environment.

Five Operational Object Cards

Each object is a governance domain that can be documented, implemented, tested and audited. Together they translate PALO-AM from a concept into a working operational model.

Agent Identity Profile

Defines who or what the agent is inside the enterprise environment. Records the agent identifier, cryptographic provenance, accountable human owner, business unit, topology, credential lifecycle, data clearance and revocation procedure. Eliminates anonymous or shared AI execution contexts and provides the basis for attribution.

Agent Authority Profile

Defines what the agent may do. Lists permitted tools, environments, data classes, read/write/delete privileges, financial thresholds, approval requirements, external endpoints, multi-agent coordination rules and abort conditions. The enforceable contract between the business and the agentic system.

Agentic Risk Matrix

Determines the risk tier by examining action-space impact, autonomy level, reversibility, data sensitivity, third-party dependency, speed/volume and multi-agent complexity. Acts as the routing mechanism for required controls and decision gates.

Agentic Control Layer

Implements structural safeguards around the agent: policy-as-code, API gateway constraints, token scopes, rate limits, schema validation, tool allow-lists, sandboxing, circuit breakers, human checkpoints and change-management rules.

Agentic Evidence Layer

Captures auditable execution evidence without relying on private model chain-of-thought: planning artifacts, tool calls, structured inputs/outputs, policy decisions, human approvals, overrides, anomalies, incidents, KPI values and decommissioning proofs.

Engineering Control Layer

PALO-AM treats governance as an enforceable architecture, not a policy statement. The language model is treated as an untrusted reasoning engine for purposes of authority. The model may propose an action; the orchestration layer decides whether it is allowed.

Why Prompt-Layer Safeguards Are Insufficient

A prompt instruction such as "do not access confidential data" is not equivalent to an access control. It can be misunderstood, bypassed, or contradicted. In agentic systems, the consequence is not merely an unsafe response — it may be an unauthorized action.

High-impact actions require deterministic controls.

Cryptographic Identity & Zero-Trust

Every agent execution must carry a verifiable identity. Tool calls must include signed identity headers. Credentials must be short-lived, rotated and centrally managed. No agent may share credentials with another agent or a human user.

Zero-trust: no implicit trust for any agent action.

Tool Allow-Lists & Schema Validation

Agents may only call tools explicitly listed in their Authority Profile. Each tool call must conform to a validated schema. Unrecognized tool calls must be blocked at the orchestration layer before execution.

Block first, allow explicitly.

Human-in-the-Loop Checkpoints (HITL)

Human checkpoints must be designed structurally, not optionally. High-stakes or irreversible actions require explicit human approval via a decision packet — not a vague approval button. Approval telemetry must be measured against the Automation Bias Index (ABI).

Meaningful oversight, not rubber-stamping.

Circuit Breakers & Abort Conditions

Each agent must have defined safe-state, rollback path and stop conditions. Circuit breakers must interrupt cascading failures in multi-agent topologies. Abort conditions must be tested in Phase 3 and validated against the CECR metric in Phase 4.

Design for safe failure, not only for success.

OpenTelemetry Observability

All tool calls, approval events, policy decisions and anomalies must feed into a tamper-evident audit endpoint (SIEM, OpenTelemetry collector or governance dashboard). Evidence must be structured and machine-readable for KPI measurement.

If it is not observed, it is not governed.

Action-Space vs Autonomy Matrix

The primary PALO-AM routing instrument. Examines two dimensions: what can the agent change (action-space impact) and how independently can it decide (autonomy level). Any increase in autonomy or action-space after approval triggers Phase 2 reassessment.

↕ Autonomy Level (rows) × → Action-Space Impact (columns)

Low Impact
(read-only, reversible)

Medium Impact
(internal write)

High Impact
(cross-system)

Critical Impact
(financial/safety/legal)

High Autonomy

Tier 2

Tier 1

PROHIBITED

Medium Autonomy

Tier 3

Tier 2

Tier 1

Low Autonomy

Tier 3

Tier 2

Supervised

Tier 4

Tier 3

Tier 1 — Maximum Controls

Tier 2 — Controlled

Tier 3 — Supervised

Tier 4 — Monitored

Prohibited / Redesign Required

⚠️ Prohibited tier: Open-ended judgment combined with production, financial, physical, legal or safety-critical write authority. The use case must be redesigned into deterministic workflow, reduced authority or human-operated execution.

PALO Five-Phase Lifecycle Overlay

PALO-AM does not create a parallel lifecycle. It overlays agentic controls onto the existing PALO five-phase architecture. Governance is embedded across the full system lifecycle, not concentrated at a single checkpoint.

Ideation & Agentic Screening

"Is an agent actually necessary?"

Could a deterministic workflow, conventional automation or human-controlled assistant achieve the same value with lower risk?

Gate: Proceed only if delegated action is justified and action-space is bounded.

Assessment & Planning

"What authority is being delegated?"

Complete Agent Identity Profile, Agent Authority Profile, AI System Impact Assessment, threat model, HITL design and KPI framework.

Gate: Proceed only if all five objects are documented and residual risk is accepted by the correct governance body.

Development & Validation

"Have structural controls been tested, not merely described?"

Tool schema validation, sandbox tests, agentic red-team report, policy-as-code bundle and control test evidence.

Gate: Proceed only if critical vulnerabilities are closed and approval gates cannot be bypassed.

Ethical Deployment & Monitoring

"Can the organization observe, interrupt and evidence the agent?"

Shadow-mode, phased rollout, runtime monitoring dashboard, incident playbook, override telemetry and KPI baseline.

Gate: Proceed only with phased rollout, active monitoring and an accountable decision to expand authority.

Continuous Improvement & Decommissioning

"Can the agent be retired without leaving hidden authority?"

Tradecraft audit, credential revocation log, memory retention/deletion record and decommissioning certificate.

Gate: Close only after credentials are revoked, logs are archived and manual fallback has been validated.

KPI / KRI Registry for Agentic AI

PALO-AM extends the PALO KPI compendium with indicators specific to delegated action. The goal: measure whether the organization can bound, observe, interrupt, recover from and retire autonomous behavior.

Metric	Category	Measurement	Governance Rationale	Phase
Human Override Rate (HOR)	Oversight	Overrides ÷ total action checkpoints	Detects rubber-stamping or unusual intervention patterns.	4
Review-Time Distribution (RTD)	Oversight	Median and distribution of review time by action complexity	Flags superficial validation or alert fatigue.	4
Automation Bias Index (ABI)	Behavioral	Composite of approval speed, rationale quality, dismissal clustering	Measures whether human oversight remains meaningful.	4/5
Tool Call Error Rate (TCER)	Technical	Malformed + hallucinated + unauthorized calls ÷ total calls	Detects semantic misalignment, poor schemas or tool-use drift.	3/4
Agent Identity Sprawl Index (AISI)	Security	Unregistered identities ÷ total detected identities	Detects shadow agents, rogue subprocesses or unmanaged credentials.	4/5
Multi-Agent Conflict Rate (MACR)	Systemic	Terminated/deadlocked workflows ÷ total multi-agent runs	Detects goal conflict, message loops or coordination failure.	3/4
Mean Time to Intervention (MTTI)	Response	Time from anomaly detection to human or automated intervention	Measures whether control is operationally real.	4
Cascading Error Containment Rate (CECR)	Systemic	Contained cascade events ÷ total cascade events	Shows whether circuit breakers stop downstream propagation.	3/4
Agent Identity Revocation Time (AIRT)	Decommission	Time from decommission trigger to confirmed credential revocation	Validates retirement and shadow-agent prevention.	5
Tradecraft Degradation Score (TDS)	Human Agency	Score from manual drills, fallback proficiency and skill-retention audits	Measures human resilience and dependency risk.	4/5
Policy Violation Rate per 1k Actions (PVR)	Governance	Violations of authority, data classification or compliance boundaries ÷ 1,000 actions	Signals control design failure or misuse.	4

No single metric is decisive. Interpret HOR, RTD, ABI and sampled audit results as a pattern, not in isolation.

Worked Scenarios

Concrete examples of PALO-AM applied to real enterprise agent configurations. Each shows the same pattern: define identity, bound authority, score risk, design controls, capture evidence, plan decommissioning.

💻

Software Engineering Agent

Tier 2 initially — Tier 1 if production deployment or protected branch write access is added

Inspects repository issues, writes code to non-protected branches, runs tests and opens pull requests.

Controls: Restrict write to non-protected branches; deny secret access; require human approval for PR creation; log diffs, tests, tool calls and failed access attempts.

A productivity tool becomes a deployment actor if authority expands. The matrix must be recalculated whenever the agent obtains new write or deployment privileges.

📦

Procurement Vendor Shortlisting Agent

Tier 2 (draft only) — Tier 1 if it can send offers or trigger contracts

Analyzes supplier proposals, ranks vendors and prepares negotiation questions.

Controls: Separate ranking from final decision; audit fairness signals; prohibit direct vendor communication without approval; preserve scoring rationale and conflict-of-interest checks.

Agentic procurement raises fairness and accountability risks. The agent should support deliberation, not silently replace governance judgement.

💰

Finance Payment Recommendation Agent

Tier 2 for recommendations — Prohibited for autonomous payment execution

Reads invoices, detects anomalies and recommends payment release.

Controls: Read-only invoice access; no direct payment execution; dual approval for thresholds; anomaly escalation; strict evidence logging and revocation tests.

Payment authority must never be hidden inside model autonomy. Financial execution demands deterministic workflow and human authorization.

🤝

Customer Support Refund Agent

Tier 2 — Controlled

Retrieves order status, drafts refund recommendations, sends support summaries, requests human approval.

Controls: Denied: refund execution above EUR 50; modification of customer master data; access to payment card data. HITL checkpoints for any refund above EUR 50, legal threats, vulnerable-customer flags.

Authority scope must be written explicitly. If the profile does not permit it, the orchestration layer must block it regardless of what the model proposes.

Standards Alignment

PALO-AM is designed as an operational extension that translates global governance standards into PALO-compatible lifecycle phases, templates, matrices, KPIs and evidence gates.

IMDA MGF v1.5 (2026)

Assess upfront, meaningful human accountability, technical controls, end-user responsibility.

Matrix + Authority Profile → Identity Profile + HITL → Engineering Control Layer → Tradecraft preservation + training.

ISO/IEC 42001:2023

AI management system, risk treatment, operational control, monitoring and improvement.

Agentic risk treatment plan, authority controls, monitoring dashboard, management review.

ISO/IEC 42005:2025

AI system impact assessment and documentation of impacts on individuals, groups and society.

Agentic AI System Impact Assessment with action-space, autonomy, reversibility and tradecraft sections.

EU AI Act (2024/1689)

Risk classification, prohibited-practice screening, high-risk obligations, post-market monitoring.

Phase 1 legal screening, Phase 2 documentation, Phase 4 telemetry, incident and change records.

NIST AI RMF 1.0

Govern, Map, Measure and Manage AI risks.

Govern with object cards; Map with matrix; Measure with KPI/KRI registry; Manage with controls and decommissioning.

GDPR

Purpose limitation, data minimization, access control, retention, deletion or anonymization.

Data scope in Authority Profile, memory governance, retention schedule, data deletion/anonymization records.

🚀 Coming Soon: Interactive Matrix Simulator

The natural next step for PALO-AM is an interactive simulator that allows teams to plot proposed agents on the Action-Space vs Autonomy Matrix and immediately receive required controls, evidence artifacts, KPI recommendations and decision gate routing.

v0.1

Static matrix with tier explanations and downloadable templates.

v0.2

Interactive risk inputs with automatic tier assignment.

v0.3

Control recommendation output and PDF export.

v0.4

Policy-as-code snippets and KPI dashboard starter configuration.

v1.0

Full scenario simulator with saved assessments and audit pack generation.