Enforcing rules on AI agent actions at runtime
View All Tags
The UAPK gateway returns structured responses for every evaluation. A DENY or ESCALATE response includes a reason code that tells you exactly which policy check failed and why. If you're building an integration and getting unexpected denies, this post is your reference.
The manifest defines what an AI agent is allowed to do over its entire deployed lifetime. That's too coarse for most real deployments. You want the agent to be able to read customer data when it's responding to a customer query — but not when it's running a batch analytics task. You want different agents deployed with the same manifest to have different effective permissions depending on what task they're executing.
Capability tokens solve this. They are signed credentials — issued per session or per task — that scope the agent's permissions to a subset of its manifest-defined capabilities, for a specific time window, with a maximum action count.
The fastest path from zero to a governed AI agent is: run the qualification funnel → get your framework list → configure a manifest → register it → make a call. This post walks through each step with real examples.
If you're impatient, the manifest for a simple US SaaS agent is at the bottom of this post. For everyone else, starting with the qualification funnel means you understand why each field is configured the way it is.
If your AI agent touches clinical decision-making, diagnostic recommendations, treatment planning, or patient risk scoring, it may be classified as a Software as a Medical Device (SaMD). SaMD classification triggers regulatory requirements that are separate from and stricter than HIPAA — you're now in the FDA's jurisdiction (US) or EU MDR/IVDR jurisdiction (EU), not just privacy law territory.
The distinction matters because SaMD regulations aren't primarily about privacy. They're about safety: ensuring that software used in medical decisions is clinically validated, properly labeled, manufactured under quality controls, and doesn't cause patient harm when it behaves unexpectedly.
Canada's Bill C-27 is moving through Parliament with two pieces that will affect any company operating AI in Canada: the Consumer Privacy Protection Act (CPPA) replacing PIPEDA, and the Artificial Intelligence and Data Act (AIDA) — Canada's first AI-specific legislation.
The CPPA modernizes Canadian privacy law along GDPR lines. AIDA creates obligations specifically for "high-impact" AI systems, with significant parallels to the EU AI Act's structure. For companies already navigating GDPR and the EU AI Act, the Canadian framework is familiar but has distinct elements.
NIST released Cybersecurity Framework 2.0 in February 2024. The major change from CSF 1.1: a new Govern function was added, making it a six-function framework (GV, ID, PR, DE, RS, RC). The Govern function addresses organizational context, risk management strategy, and cybersecurity supply chain — topics that were scattered across CSF 1.1 but are now first-class functions.
For AI agents, the new Govern function is the most directly relevant addition. It's where organizational accountability for AI systems lives.
NIST CSF is voluntary for most US organizations, but it functions as a de facto standard for:
ISO/IEC 42001:2023 — published December 2023 — is the first international standard for Artificial Intelligence Management Systems (AIMS). It provides a framework for establishing, implementing, maintaining, and continuously improving AI governance within organizations. Think of it as ISO 27001, but with AI as the subject rather than information security.
For organizations subject to the EU AI Act, Singapore's AI Verify framework, or any regulator that accepts ISO standards as evidence of conformance, ISO 42001 is becoming the certification path of choice. The standard was built to align with other ISO management system standards (ISO 27001, ISO 9001) — if your organization already has one, the implementation effort for ISO 42001 is substantially lower.
SOC 2 Type II is the most requested security certification in US enterprise software procurement. If your SaaS product touches customer data and you're selling to mid-market or enterprise buyers, you'll eventually get asked for a SOC 2 Type II report. For AI-native products, auditors are increasingly asking about AI-specific controls — not just the usual infrastructure checklist.
The difference between SOC 2 Type I and Type II matters: Type I says your controls are designed correctly as of a point in time. Type II says those controls operated effectively over a period of time (typically 6–12 months). The audit period is everything. An AI agent that behaved correctly in January means nothing if it went rogue in July and you have no logs to show it didn't.
NIS2 (Network and Information Security Directive 2) became applicable across EU member states in October 2024. It significantly expands the scope of its predecessor: where NIS1 covered a relatively narrow set of critical infrastructure operators, NIS2 covers essential entities and important entities across 18 sectors including energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, ICT service management, public administration, and space.
If your organization operates in any of these sectors in the EU and uses AI agents, NIS2 requirements apply to those AI systems as part of your overall cybersecurity obligations.
The California Privacy Rights Act (CPRA) went into full effect January 1, 2023, amending and strengthening CCPA. Among the most significant additions for AI teams: explicit rights around automated decision-making and profiling — the closest the US has come, at the state level, to GDPR Article 22.
If your AI agents process personal information of California residents, CCPA/CPRA applies regardless of where your company is incorporated. California has approximately 39 million residents and is the fifth-largest economy in the world. Treat it as its own regulatory jurisdiction.