Fleet-Wide Correlated Behaviour and Update Shock Governance

2. Summary

Fleet-Wide Correlated Behaviour and Update Shock Governance requires that organisations deploying multiple AI agents — whether instances of the same model, heterogeneous agents sharing infrastructure, or agents collaborating in multi-agent systems — implement controls to detect, prevent, and mitigate correlated behavioural shifts that create systemic risk when agents act in concert. The dimension addresses a risk unique to fleet-scale AI deployments: when hundreds or thousands of agents share a model, a configuration, a knowledge base, or an update schedule, a single change can cause all agents to shift behaviour simultaneously, creating aggregate effects that are invisible at the individual agent level but catastrophic at the fleet level. An update that makes each agent 2% more conservative in a trading fleet of 500 agents can withdraw $4 billion of liquidity from markets in 30 seconds. AG-183 ensures that fleet-level correlation is monitored, that updates are propagated in controlled waves rather than simultaneously, and that update shock — the sudden behavioural discontinuity caused by fleet-wide changes — is governed.

3. Example

Scenario A — Model Update Causes Fleet-Wide Trading Freeze: A quantitative trading firm deploys 200 AI trading agents across equity, fixed income, and commodities markets. All agents share the same underlying language model for market analysis, updated monthly. A model update on the first Sunday of March introduces a subtle change in how the model interprets uncertainty language in earnings calls. On Monday morning, all 200 agents simultaneously classify 40% more earnings transcripts as "elevated uncertainty," triggering risk-reduction protocols across the fleet. Within 15 minutes, the agents collectively withdraw $6.2 billion in limit orders from equity markets. The correlated withdrawal triggers a cascade: other market participants detect the liquidity withdrawal and pull their own orders, amplifying the effect. The market drops 3.8% in 22 minutes before circuit breakers halt trading. Post-mortem analysis reveals that the model update affected a single sentiment classification threshold, but the fleet-wide simultaneous deployment amplified a small per-agent change into a systemic market event.

What went wrong: The model update was deployed to all 200 agents simultaneously. No canary deployment tested the update on a subset of agents first. No fleet-level correlation monitoring detected that all agents were simultaneously changing behaviour. No update shock dampener limited the speed at which the fleet could collectively shift position. The per-agent change was within normal bounds; the fleet-level aggregate was catastrophic.

Scenario B — Shared Knowledge Base Corruption Propagates Across Fleet: A logistics company deploys 1,500 autonomous delivery planning agents across 30 cities. All agents share a centralised knowledge base containing road network data, delivery time estimates, and routing preferences. A data pipeline error introduces corrupted travel-time estimates for 3,400 road segments, understating travel times by 35–60%. The corruption propagates to all 1,500 agents within 4 minutes via the shared knowledge base refresh cycle. All agents simultaneously generate delivery schedules based on the corrupted estimates, promising delivery windows that are physically impossible. In a single afternoon, the company generates 340,000 delivery commitments with an average shortfall of 45 minutes, triggering 89,000 customer complaints, 12,000 compensation claims, and a 23% drop in customer satisfaction scores.

What went wrong: The shared knowledge base created a single point of correlation — a single error affected all 1,500 agents simultaneously. No validation gate checked knowledge base updates before propagation. No canary deployment tested the updated knowledge base with a subset of agents. No fleet-level anomaly detector identified the sudden, correlated shift in delivery time estimates across all agents.

Scenario C — Coordinated Agent Bidding Creates Implicit Collusion: An advertising technology company deploys 800 AI bidding agents, each managing a separate advertiser's campaign. All agents share the same bidding model and are trained on a common dataset of auction outcomes. When a new competitor enters the market with aggressive pricing, all 800 agents independently converge on the same counter-strategy: reduce bids on the competitor's target segments and increase bids on adjacent segments. The convergence is not coordinated — each agent independently arrives at the optimal response using the same model. However, the effect is indistinguishable from coordinated bid manipulation: 800 agents simultaneously shift their bidding patterns in the same direction, creating artificial price signals across 2.3 million daily auction events. The competition authority investigates the pattern as potential algorithmic collusion.

What went wrong: The shared model created implicit correlation — agents trained on the same data with the same objectives converge on the same strategies. No fleet-level correlation monitor detected the coordinated behavioural shift. No diversity requirement ensured that agents for different advertisers used sufficiently different decision-making processes. The organisation could not demonstrate that the convergence was independent rather than coordinated.

4. Requirement Statement

Scope: This dimension applies to any organisation deploying 5 or more AI agents that share any of the following: a common underlying model, a common knowledge base or data source, a common configuration or parameter set, a common update or refresh cycle, or a common optimisation objective. The scope extends to agents that do not share infrastructure but operate in the same market, domain, or physical environment, where correlated behaviour creates aggregate effects. A single agent operating in isolation is outside scope. A fleet of agents — even heterogeneous agents that share only a common data source — is within scope if their correlated behaviour can create aggregate effects exceeding the impact of any individual agent.

4.1. A conforming system MUST implement fleet-level behavioural correlation monitoring that detects when agents across the fleet shift behaviour in the same direction within a defined time window. Correlation detection MUST operate in real time with a maximum detection latency of 5 minutes for fleets below 100 agents and 60 seconds for fleets above 100 agents.

4.2. A conforming system MUST enforce staged update propagation for any change that affects agent behaviour — including model updates, configuration changes, knowledge base refreshes, and parameter adjustments. No update SHALL be propagated to more than 10% of the fleet simultaneously, and propagation to the full fleet SHALL take a minimum of 4 hours, with monitoring gates between each stage.

4.3. A conforming system MUST implement fleet-level aggregate impact ceilings that limit the total effect the fleet can have within a defined time window, independent of per-agent limits. For example: if each agent has a per-transaction limit of $100,000 but the fleet has 500 agents, the fleet-level ceiling might limit aggregate fleet exposure to $10 million per hour rather than the theoretical $50 million.

4.4. A conforming system MUST implement an automatic fleet-wide circuit breaker that halts fleet operations when fleet-level correlation exceeds a defined threshold — for example, when more than 30% of agents change behaviour in the same direction within 5 minutes without a corresponding environmental trigger.

4.5. A conforming system MUST maintain fleet-level behavioural baselines that capture the normal distribution of agent behaviours across the fleet, enabling detection of correlated deviations that would be invisible at the individual agent level.

4.6. A conforming system MUST implement update rollback capability that can revert any fleet-wide change within 15 minutes of detection of adverse effects, returning affected agents to their pre-update configuration.

4.7. A conforming system MUST log fleet-level behavioural metrics — including correlation coefficients, aggregate impact, and deviation from baseline — at a granularity sufficient to reconstruct fleet behaviour during any incident. Minimum retention: 12 months.

4.8. A conforming system SHOULD implement behavioural diversity requirements that ensure agents in the same fleet use sufficiently different decision-making parameters — for example, randomised threshold offsets, staggered evaluation windows, or diverse model versions — to reduce implicit correlation.

4.9. A conforming system SHOULD implement pre-deployment fleet impact simulation that models the aggregate effect of a proposed change across the full fleet before any agent receives the update.

4.10. A conforming system MAY implement adaptive fleet throttling that automatically reduces fleet activity rates when external conditions (market volatility, system load, environmental disruption) increase the risk of correlated impact.

5. Rationale

Fleet-scale AI deployment creates a new category of systemic risk that has no direct precedent in traditional software systems or human organisations. When an organisation deploys hundreds or thousands of AI agents sharing a common model, knowledge base, or configuration, it creates a monoculture — a population where a single change affects every individual simultaneously. This monoculture risk is well understood in other domains: agricultural monocultures are vulnerable to single pathogens; financial monocultures (where all participants use the same risk models) are vulnerable to correlated failures, as demonstrated in the 2008 financial crisis when all institutions using Gaussian copula models simultaneously discovered the same model limitation.

AI fleet monoculture is more dangerous than these precedents for three reasons. First, AI agents operate at machine speed — a correlated behavioural shift propagates across the fleet in seconds, not days or weeks. Second, AI agents share infrastructure at a deeper level than human organisations — they share not just information but the actual decision-making process, creating correlation that is intrinsic rather than emergent. Third, the correlation is invisible at the individual level — each agent's behaviour may be within its individual mandate, but the aggregate fleet behaviour exceeds any reasonable system-level tolerance.

AG-183 addresses this risk at three points: before the correlation occurs (through staged updates and diversity requirements), while it is occurring (through real-time correlation monitoring and circuit breakers), and after it has occurred (through rollback capability and fleet-level logging). The goal is not to prevent agents from sharing models or data — which would eliminate the efficiency benefits of fleet deployment — but to ensure that the systemic risk created by sharing is governed with the same rigour as any other systemic risk.

6. Implementation Guidance

The implementation requires four integrated subsystems: a fleet behaviour monitor, an update propagation controller, a fleet-level impact limiter, and a circuit breaker.

Recommended Patterns:

• Fleet behaviour correlation dashboard. Implement a real-time monitoring system that computes behavioural correlation metrics across the fleet at 1-minute intervals. Key metrics: pairwise Pearson correlation of agent action vectors, fleet-wide directional alignment (percentage of agents moving in the same direction on key dimensions), and aggregate impact rate (total fleet output per unit time). Visualise these metrics on a dashboard with automatic alerting when any metric exceeds configured thresholds. Implementation: stream agent action telemetry to a time-series database, compute correlation metrics via sliding-window aggregation, and publish alerts via an event bus.
• Canary-wave update propagation. Structure every fleet update as a multi-stage rollout: Stage 1 (canary) deploys to 1–2% of the fleet with intensive monitoring for 30 minutes; Stage 2 deploys to 10% with monitoring for 60 minutes; Stage 3 deploys to 25%; Stage 4 deploys to 50%; Stage 5 deploys to 100%. Each stage gate requires automated metrics checks (no correlation spike, no error rate increase, no aggregate impact ceiling approach) and explicit human approval for safety-critical deployments. Implementation: integrate with the CI/CD pipeline via feature flags or model-serving infrastructure that supports percentage-based rollouts. This pattern directly extends AG-073 (Staged Rollout and Canary) to fleet-scale deployments.
• Fleet aggregate ceiling enforcement. Implement fleet-level ceilings as a centralised counter service that tracks the fleet's aggregate activity across defined dimensions (total transaction value, total actions per minute, total position change). Each agent checks the centralised counter before acting. When the fleet ceiling is reached, additional agent actions are queued or blocked until the ceiling resets or a human overrides. Implementation: use a distributed counter with atomic increment operations (Redis INCR, database sequence, or equivalent) that provides sub-second read-after-write consistency across the fleet.
• Automatic fleet circuit breaker. Implement a circuit breaker that monitors fleet-level correlation in real time and automatically transitions the fleet to a safe state when correlation exceeds thresholds. The safe state should be defined per deployment: for trading fleets, halt new order submission; for delivery fleets, pause new route commitments; for customer service fleets, switch to information-only mode. The circuit breaker should be independent of the agents — implemented in infrastructure that the agents cannot influence. Implementation: correlation monitor publishes events; circuit breaker service subscribes and, on threshold breach, activates fleet-wide safe mode via the same gateway that enforces AG-001 mandates.

Anti-Patterns to Avoid:

• Deploying updates to the entire fleet simultaneously. The "big bang" deployment is the primary cause of update shock. Even when updates are tested in staging, staging environments rarely replicate fleet-scale correlation effects. A change that is benign for 10 agents can be catastrophic for 500.
• Monitoring only individual agent behaviour. Per-agent monitoring that shows each agent operating within its mandate provides false assurance when the fleet-level aggregate exceeds system-level tolerances. Fleet behaviour is an emergent property that must be monitored at the fleet level.
• Assuming heterogeneous agents are uncorrelated. Agents using different models but sharing a common data source, or trained on common datasets, can exhibit high behavioural correlation despite architectural differences. Correlation monitoring must cover all fleet members, not just agents sharing the same model.
• Relying on market mechanisms to absorb fleet impact. Assuming that external markets (financial markets, auction markets, logistics networks) will absorb fleet-level shocks is dangerous. Markets have finite liquidity and absorptive capacity. A fleet-wide correlated action can exceed market capacity, creating cascading failures.
• Treating update shock as a one-time risk. Update shock can occur from any change to any shared component — not just model updates. Knowledge base refreshes, configuration changes, prompt template modifications, and even time-of-day patterns can create correlated behaviour. Correlation monitoring must be continuous, not event-triggered.

Industry Considerations

Financial Services. Fleet-wide correlated behaviour in trading is a systemic risk addressed by multiple regulators. MiFID II Article 17 requires algorithmic trading firms to have "effective systems and risk controls" that prevent the firm's trading systems from creating disorderly markets. The PRA's Supervisory Statement SS3/18 specifically addresses algorithmic trading risk. Fleet correlation monitoring and circuit breakers directly support compliance with these requirements. The Bank of England has signalled interest in AI fleet concentration risk as a macroprudential concern.

Autonomous Vehicles. A fleet of autonomous vehicles sharing a model update that changes obstacle classification thresholds could simultaneously misclassify the same category of object across all vehicles. UNECE WP.29 regulations on automated driving systems require that software updates do not compromise vehicle safety. Fleet-wide update shock governance is a direct safety requirement.

Cloud Services. Cloud providers deploying AI agents for customer workloads create fleet-scale correlation across their customer base. An update to a shared model serving layer affects all customers simultaneously. This creates concentration risk that mirrors the provider's market share.

Healthcare. Clinical decision support agents deployed across a hospital network sharing a diagnostic model can simultaneously shift diagnostic recommendations after an update. A model update that increases sensitivity for a specific condition by 5% across 200 agents could generate thousands of false-positive alerts in a single day, overwhelming clinical capacity.

Maturity Model

Basic Implementation — The organisation tracks which agents share common models, configurations, and data sources. Updates are deployed in at least two stages (canary + full fleet). Fleet-level aggregate metrics are computed and logged. A manual circuit breaker process exists for halting fleet operations. This level addresses the most severe update shock scenarios but may not detect gradual correlation or emergent convergence.

Intermediate Implementation — Real-time fleet correlation monitoring operates with detection latency meeting the specified thresholds (5 minutes for small fleets, 60 seconds for large). Staged update propagation follows the canary-wave pattern with automated metric checks at each gate. Fleet-level aggregate ceilings are enforced in real time. Automatic circuit breakers activate on correlation threshold breaches. Rollback capability returns the fleet to pre-update state within 15 minutes. Behavioural diversity requirements are implemented.

Advanced Implementation — All intermediate capabilities plus: pre-deployment fleet impact simulation models the aggregate effect of proposed changes before any agent is updated. Adaptive fleet throttling responds to external conditions. The correlation monitoring system has been validated through controlled injection of correlated behaviour to verify detection sensitivity and specificity. Cross-fleet correlation is monitored across organisational boundaries where agents interact in shared markets. Independent audit confirms that no update can reach the full fleet without passing through all propagation stages.

7. Evidence Requirements

Required artefacts:

• Fleet composition register. A maintained register of all agents in each fleet, their shared components (models, configurations, data sources), and their update dependencies. Format: structured data, updated within 24 hours of any change.
• Update propagation records. Logs demonstrating that every fleet-wide change followed the staged propagation process, including the percentage deployed at each stage, the monitoring metrics at each gate, and the approval decision for each stage transition.
• Fleet correlation monitoring data. Time-series data showing fleet-level correlation metrics at the configured monitoring interval. Minimum retention: 12 months.
• Circuit breaker activation records. Logs of every circuit breaker activation, including the triggering metric, the threshold breached, the fleet state transition, and the resolution process.
• Fleet-level aggregate impact data. Records showing the fleet's aggregate impact across governed dimensions (total transaction value, total actions, etc.) with sufficient granularity to reconstruct fleet behaviour during any incident.

Retention requirements:

• Fleet composition register: maintained current and archived for minimum 5 years.
• Update propagation records: minimum 5 years.
• Fleet correlation data: minimum 12 months at full granularity; summary statistics retained for 5 years.
• Circuit breaker records: minimum 5 years.

Access requirements:

• Producible to regulators within 48 hours of request. Fleet behaviour reconstruction for any specified time window must be completable within 24 hours.

8. Test Specification

Test 8.1: Fleet Correlation Detection

• Stimulus: Inject a controlled correlated behaviour signal into a subset of agents (e.g., 35% of the fleet simultaneously shifting a key metric by 20%) while the remaining agents maintain baseline behaviour.
• Expected behaviour: The fleet correlation monitor detects the correlated shift within the specified latency threshold (60 seconds for fleets >100 agents, 5 minutes for smaller fleets).
• Pass criteria: Correlation detection fires within the specified latency. The alert correctly identifies the correlated subset and the direction of shift.
• Fail criteria: Correlation goes undetected, or detection latency exceeds the specified threshold.

Test 8.2: Staged Update Propagation Enforcement

• Stimulus: Initiate a fleet-wide update (model change, configuration update, or knowledge base refresh). Verify that the update follows the staged propagation process and does not exceed the 10% simultaneous deployment limit.
• Expected behaviour: Update deploys to canary subset first, proceeds through stages with monitoring gates, and takes at minimum 4 hours to reach full fleet.
• Pass criteria: No stage deploys to more than 10% of the fleet simultaneously. Total propagation takes at least 4 hours. Each stage gate evaluates monitoring metrics before proceeding.
• Fail criteria: More than 10% of the fleet receives the update simultaneously, or propagation completes in under 4 hours, or any stage gate is skipped.

Test 8.3: Fleet Circuit Breaker Activation

• Stimulus: Inject a fleet-wide correlated behavioural shift exceeding the circuit breaker threshold (e.g., 40% of agents changing direction on a key metric within 3 minutes).
• Expected behaviour: The automatic circuit breaker activates, transitioning the fleet to the defined safe state. Agent actions requiring the circuit breaker's governed capability are blocked.
• Pass criteria: Circuit breaker activates within 60 seconds of threshold breach. Fleet enters safe state. No governed action executes during safe state.
• Fail criteria: Circuit breaker fails to activate, activation is delayed beyond 60 seconds, or agent actions continue during safe state.

Test 8.4: Fleet Aggregate Ceiling Enforcement

• Stimulus: Submit actions across multiple agents that individually comply with per-agent limits but collectively approach and then exceed the fleet-level aggregate ceiling.
• Expected behaviour: Agent actions execute normally until the fleet ceiling is reached. Subsequent actions are blocked or queued regardless of individual agent headroom.
• Pass criteria: Fleet aggregate exposure does not exceed the ceiling by more than one individual action's value (accounting for in-flight actions at the threshold).
• Fail criteria: Fleet aggregate exposure exceeds the ceiling by more than one action's value.

Test 8.5: Update Rollback

• Stimulus: Deploy an update to a portion of the fleet, then trigger a rollback. Verify that affected agents return to pre-update behaviour within the specified time window.
• Expected behaviour: Rollback completes within 15 minutes. Agent behaviour post-rollback matches pre-update baseline within statistical tolerance.
• Pass criteria: Rollback completes within 15 minutes. Post-rollback behaviour deviation from pre-update baseline is below 5% on key metrics.
• Fail criteria: Rollback takes longer than 15 minutes, or post-rollback behaviour deviates significantly from pre-update baseline.

Test 8.6: Fleet Behavioural Baseline Maintenance

• Stimulus: Operate the fleet for a defined baseline period (e.g., 7 days). Verify that fleet-level behavioural baselines are maintained and updated, and that deviations from baseline are detected.
• Expected behaviour: Baseline metrics are computed and stored. Subsequent deviations exceeding 2 standard deviations from baseline trigger alerts.
• Pass criteria: Baselines are computed and stored. Deviations are correctly detected and alerted.
• Fail criteria: Baselines are not maintained, or significant deviations go undetected.

Test 8.7: Behavioural Diversity Verification

• Stimulus: Examine the configuration of agents within the fleet to verify that diversity requirements are implemented — for example, randomised threshold offsets, staggered evaluation windows, or diverse model versions.
• Expected behaviour: Agents show measurable diversity in decision parameters while maintaining acceptable performance. The correlation coefficient between any two agents' action sequences is below the configured threshold.
• Pass criteria: Pairwise correlation between agents is below the configured diversity threshold (e.g., Pearson r < 0.7 for action sequences over a 24-hour window).
• Fail criteria: Pairwise correlation exceeds the diversity threshold for more than 20% of agent pairs.

Conformance Scoring

• Score 0: No fleet-level governance — agents share models and configurations with simultaneous updates and no correlation monitoring.
• Score 1: Fleet composition is documented and updates are staged in at least two phases, but real-time correlation monitoring is absent and no automatic circuit breaker exists.
• Score 2: Real-time fleet correlation monitoring, staged update propagation with metric gates, fleet aggregate ceilings, automatic circuit breakers, and rollback capability are all operational.
• Score 3: All Score 2 controls verified by independent testing including controlled correlation injection, circuit breaker activation testing, and update propagation enforcement verification. Pre-deployment fleet impact simulation is operational. Diversity requirements are verified and maintained.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
MiFID II	Article 17 (Algorithmic Trading Controls)	Direct requirement
PRA SS3/18	Algorithmic Trading Risk Controls	Direct requirement
EU AI Act	Article 9 (Risk Management System)	Supports compliance
DORA	Article 11 (ICT Change Management)	Direct requirement
Bank of England	Systemic Risk Assessment for AI	Supports compliance
NIST AI RMF	GOVERN 1.3, MANAGE 2.4	Supports compliance
ISO 42001	Clause 8.2 (AI Risk Assessment)	Supports compliance
UNECE WP.29	Software Update Management System	Supports compliance

MiFID II — Article 17 (Algorithmic Trading Controls)

Article 17(1) requires investment firms using algorithmic trading systems to have "effective systems and risk controls" that are "suitable to the business" and ensure the firm's trading systems "cannot create or contribute to disorderly trading conditions." Fleet-wide correlated behaviour — where hundreds of agents simultaneously withdraw liquidity or shift positions — directly creates the disorderly trading conditions Article 17 seeks to prevent. AG-183's fleet correlation monitoring, circuit breakers, and staged update propagation implement the "effective systems and risk controls" the regulation requires.

PRA SS3/18 — Algorithmic Trading Risk Controls

The PRA's Supervisory Statement on algorithmic trading specifically addresses the risk of correlated behaviour across multiple algorithms. It requires firms to consider "the aggregate effect of all their algorithms running simultaneously" and to have controls that "prevent the firm's algorithms from interacting in ways that create disorderly trading." AG-183's fleet-level aggregate ceilings and correlation monitoring directly implement these requirements.

DORA — Article 11 (ICT Change Management)

Article 11 requires financial entities to have "a sound, comprehensive and well-documented ICT change management policy" including testing and rollback procedures. Fleet-wide model updates, configuration changes, and knowledge base refreshes are ICT changes within DORA's scope. AG-183's staged update propagation and rollback capability implement Article 11's requirements for controlled change management with rollback.

UNECE WP.29 — Software Update Management System

For autonomous vehicle fleets, UNECE WP.29 requires manufacturers to have a software update management system that ensures updates do not compromise vehicle safety. Fleet-wide model updates that could simultaneously affect perception, planning, or control across all vehicles in a fleet are directly within scope. AG-183's staged propagation and fleet correlation monitoring support compliance.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	System-wide — potentially cross-market, cross-sector, or cross-geographic where fleet impact affects shared infrastructure or markets

Consequence chain: Fleet-wide correlated behaviour failures are among the highest-severity risks in AI governance because they combine three amplifying factors: speed (machine-speed propagation), scale (affecting all fleet members simultaneously), and invisibility (each individual agent appears to operate normally). The failure mode is a systemic shock: a fleet of 500 trading agents simultaneously withdrawing $6.2 billion in liquidity creates a market crash; a fleet of 1,500 logistics agents simultaneously generating impossible delivery commitments creates 340,000 customer failures; a fleet of 800 bidding agents simultaneously converging on the same strategy creates an algorithmic collusion investigation. These are not hypothetical scenarios — they are the natural consequence of deploying correlated agents at scale without fleet-level governance. The regulatory consequences include MiFID II enforcement for contribution to disorderly markets, DORA sanctions for inadequate change management, competition authority investigations for algorithmic collusion, and potential personal liability for senior managers who approved fleet deployments without adequate systemic risk controls. The financial consequence scales with fleet size and market impact — individual incidents can generate losses in the billions and market-wide disruption.

Cross-references: AG-073 (Staged Rollout and Canary) for the foundational staged deployment pattern that AG-183 extends to fleet scale; AG-022 (Behavioural Drift Detection) for detecting gradual behavioural changes that, when correlated across a fleet, create systemic drift; AG-050 (Physical and Real-World Impact Governance) for governing fleet impact in physical environments; AG-040 (Knowledge Accumulation Governance) for governing shared knowledge bases that create fleet correlation; AG-184 (Live Experimentation, A/B Testing and Online Adaptation Governance) for governing experiments conducted across a fleet.