Risk Governance and Safety

FactVerse AI Agent workflows can read operational context, run analysis, prepare drafts, and support controlled actions. Risk governance keeps each step aligned with tenant permissions, tool access, data evidence, review ownership, and audit records.

Use this page when deciding which outputs can be accepted directly, which outputs require confirmation, and which outputs need named human review before they affect an operating record or connected system.

Governance flow

Risk levels

The risk level should match the output's operating impact.

| Risk level | Typical output | Expected handling |
| --- | --- | --- |
| Informational | Read-only answer, source lookup, status summary, or document retrieval. | Return evidence, timestamps, and open gaps. |
| Audited analysis | Health score, anomaly explanation, simulation comparison, or engineering summary. | Record input boundary, assumptions, evidence, and reviewer notes. |
| Confirmed draft | Draft work request, inspection note, scenario package, or recommended follow-up. | Ask the user to confirm before creating or handing off the draft. |
| Human-approved action | Work-order dispatch, task assignment, controlled update, or operating change proposal. | Route to a named reviewer or approver before the action is accepted. |
| Policy-controlled operation | High-impact action governed by site policy, safety procedure, or change-control rule. | Follow the customer's predefined operating policy, approval role, and audit requirement. |

This model should be applied per output. A workflow can produce a read-only summary, then later move into a draft or approval path when the user asks for an operating action.

Agent role and risk boundary

Each configured agent should have a role that matches the highest-impact output it is expected to produce.

| Agent role | Normal responsibility | Governance focus |
| --- | --- | --- |
| Capability agent | Runs a calculation, model, data preparation step, or specialized analysis. | Input quality, assumptions, and traceable output. |
| Assistant agent | Helps users investigate context, prepare recommendations, or create reversible drafts. | Evidence quality, user confirmation, and draft review. |
| Worker agent | Carries an approved operating task through a controlled workflow. | Approval path, action record, and rollback or follow-up handling. |
| Orchestrator agent | Coordinates multiple agents, tools, or operating steps. | Clear ownership for each sub-step, review gate, and final decision. |

Use Agent Lifecycle and Configuration to define the agent purpose, owner, entry route, tool boundary, and review boundary.

Review gates

Review gates should be visible in the workflow design and run record.

| Gate | Use when | What to record |
| --- | --- | --- |
| Evidence only | The result is read-only and has clear source references. | Source records, timestamps, and unresolved gaps. |
| Audit | The result is analysis or compute output that may guide a decision. | Inputs, assumptions, output, reviewer notes, and trace ID. |
| Confirmation | The agent prepares a reversible draft or follow-up record. | User confirmation, draft content, and scope used. |
| Human approval | The output affects a task, work order, operating record, or connected system. | Approver, decision, reason, final record, and follow-up owner. |
| Policy-controlled | The output touches a high-impact operation or site-specific controlled process. | Policy owner, operating rule, approval evidence, and audit record. |

Use Workflow Run Record to capture the final evidence trail.

Guardrails

Guardrails reduce risk before a result or action reaches a reviewer.

| Guardrail area | What to check |
| --- | --- |
| Tenant isolation | The request, records, tools, and output stay within the intended tenant and site boundary. |
| Tool input validation | Required fields, value ranges, and controlled options are present before a tool runs. |
| Evidence grounding | Answers that summarize operations cite source records, documents, scenes, or tool results. |
| Sensitive data handling | Personal, confidential, or regulated data is minimized and handled according to policy. |
| External access | Tools that call outside systems are reviewed for purpose, destination, and allowed data. |
| Emergency disablement | Operators have a known way to pause an agent or workflow when risk conditions change. |

Guardrail findings should be visible to the operating owner. A blocked output should leave enough context for the owner to fix data, scope, policy, or workflow design.

Audit trail

The audit trail should let another reviewer reconstruct the workflow run.

| Audit item | Expected content |
| --- | --- |
| Request context | User, tenant, boundary, workflow type, and time window. |
| Access context | Endpoint, scope set, visible tools, and client identity. |
| Evidence | Source systems, records, timestamps, scene versions, documents, and tool outputs. |
| Risk decision | Output type, review gate, reviewer, and approval status. |
| Result | Accepted answer, draft, approved action, rejected output, or blocked reason. |
| Feedback | Field result, correction, accepted change, or next review date. |

The audit trail should connect with the customer's operating records, such as work orders, inspection tasks, scenario packages, or validation notes.
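
As an added illustration (not FactVerse code), the per-output gating described on this page can be enforced in code: the risk level selects the review gate, the tenant isolation guardrail and the gate's "What to record" fields are checked, and anything incomplete is blocked with a reason the owner can act on. All function names, field keys, and sample values below are hypothetical.

```python
# Added illustration, not FactVerse code; every name and field key is hypothetical.
GATES = {  # risk level -> (review gate, fields the run record must hold)
    "informational": ("evidence_only", ["sources", "timestamps", "gaps"]),
    "audited_analysis": ("audit", ["inputs", "assumptions", "output",
                                   "reviewer_notes", "trace_id"]),
    "confirmed_draft": ("confirmation", ["user_confirmation", "draft_content", "scope"]),
    "human_approved_action": ("human_approval", ["approver", "decision", "reason",
                                                 "final_record", "follow_up_owner"]),
    "policy_controlled": ("policy_controlled", ["policy_owner", "operating_rule",
                                                "approval_evidence", "audit_record"]),
}

def _result(status, gate, reason=None):
    return {"status": status, "gate": gate, "reason": reason}

def evaluate_output(request, output):
    """Gate one output; anything unknown or incomplete fails closed as 'blocked'."""
    level = output.get("risk_level")
    if level not in GATES:
        return _result("blocked", None, f"unknown risk level: {level!r}")
    gate, required = GATES[level]
    # Tenant isolation guardrail: all evidence must sit inside the request boundary.
    boundary = (request["tenant"], request["site"])
    foreign = [e.get("id") for e in output.get("evidence", [])
               if (e.get("tenant"), e.get("site")) != boundary]
    if foreign:
        return _result("blocked", gate, f"evidence outside tenant/site boundary: {foreign}")
    record = output.get("record", {})
    missing = [f for f in required if record.get(f) is None]
    if missing:
        return _result("blocked", gate, f"run record missing: {missing}")
    if gate == "confirmation" and record["user_confirmation"] is not True:
        return _result("blocked", gate, "draft not confirmed by user")
    if gate == "human_approval" and record["decision"] != "approved":
        return _result("rejected", gate, record["reason"])
    return _result("accepted", gate)

def evaluate_run(request, outputs):  # applied per output: one run can mix results
    return [evaluate_output(request, o) for o in outputs]

# Constructed sample run: a read-only summary, then a dispatch with no named approver.
REQUEST = {"tenant": "tenant-a", "site": "plant-1"}
OUTPUTS = [
    {"risk_level": "informational",
     "evidence": [{"id": "rec-1", "tenant": "tenant-a", "site": "plant-1"}],
     "record": {"sources": ["rec-1"], "timestamps": ["2024-01-01T00:00:00Z"], "gaps": []}},
    {"risk_level": "human_approved_action", "record": {"decision": "approved",
     "reason": "pump fault", "final_record": "wo-7", "follow_up_owner": "ops-lead"}},
]
```

Running `evaluate_run(REQUEST, OUTPUTS)` accepts the summary under the evidence-only gate and blocks the dispatch because the run record names no approver.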

Evaluation and drift review

Before expanding an agent workflow, review whether it behaves consistently on representative cases.

| Review area | Customer-facing question |
| --- | --- |
| Baseline cases | Does the agent handle normal, weak-data, exception, and blocked-action cases? |
| Critical cases | Are safety, compliance, tenant-boundary, and high-impact cases reviewed separately? |
| Accepted corrections | Are reviewer corrections fed back into the workflow design and runbook? |
| Behavior change | Do output quality, data coverage, approval rates, or field feedback show a change in behavior? |
| Scope adjustment | Should the agent keep the same tool boundary, move to a lower-impact mode, or return to pilot review? |

Use this review to decide whether an agent remains ready for regular use, needs a narrower scope, or should be retired from Agent Hub.

Design checklist

| Check | Ready when |
| --- | --- |
| Risk level | Each output type has an expected risk level and review gate. |
| Owner | The workflow has an operating owner and reviewer. |
| Evidence | Source references, timestamps, assumptions, and missing data are visible. |
| Access | Endpoint, scopes, and runtime-visible tools match the workflow boundary. |
| Guardrails | Tenant, input, grounding, sensitive-data, and external-access checks are defined. |
| Approval | Drafts, actions, and policy-controlled operations have clear approval paths. |
| Audit | The run record captures decisions, blocked results, approvals, and feedback. |

| Need | Use |
| --- | --- |
| Understand the platform model | Agent Platform Overview |
| Configure agent ownership and lifecycle | Agent Lifecycle and Configuration |
| Plan endpoint and scope boundaries | Access and Scope Planning |
| Capture evidence and approvals | Workflow Run Record |
| Diagnose access or audit failures | MCP Errors and Audit |