Successor and Coverage Planning Governance

2. Summary

Successor and Coverage Planning Governance prevents key-person dependency in critical AI agent governance roles and control operations. When a single individual holds a governance role with no trained, authorised successor, the organisation's governance capability is contingent on that individual's availability. If they leave, fall ill, are on holiday, or are simply in a meeting when an incident occurs, the governance function has a gap. AG-264 requires that every critical governance role has at least one identified, trained, and authorised successor, that coverage arrangements are tested, and that the organisation can demonstrate continuity of governance capability under personnel disruption. This dimension transforms governance from depending on individuals to depending on roles — ensuring the function persists regardless of which specific person fills it.

3. Example

Scenario A — Key-Person Departure Without Successor: A fintech company deploys 6 AI agents across trading, compliance monitoring, and customer service. The entire governance framework — mandate configurations, monitoring thresholds, escalation procedures, and regulatory relationships — is designed and maintained by a single senior engineer. When this engineer resigns with 4 weeks' notice, the company discovers that: no one else understands the mandate configuration system, the monitoring thresholds are undocumented, the engineer's personal credentials are used for kill authority, and the regulatory contact relationship is personal rather than institutional. After the engineer's departure, the company spends 3 months reconstructing governance knowledge, during which two of the six agents operate with outdated monitoring thresholds and one agent's kill mechanism is non-functional because the engineer's credentials have been revoked.

What went wrong: A single individual held critical governance knowledge and authority with no successor identified, trained, or authorised. The organisation's governance capability was entirely dependent on one person's availability. Consequence: 3-month governance degradation period, non-functional kill authority for 1 agent, outdated monitoring for 2 agents, estimated £120,000 in consultant costs to reconstruct governance knowledge, regulatory concern raised during a routine supervisory visit that occurred during the transition period.

Scenario B — Holiday Coverage Failure: An insurance company's AI claims-processing agent has a named accountability owner (the Head of Claims Technology) who is the only person authorised to approve mandate changes and the only person with escalation authority above Level 1. The Head of Claims Technology takes a 3-week holiday. During week 2, a business requirement arises to temporarily increase the agent's per-claim limit from £25,000 to £50,000 for a special claims event. No one else has the authority to approve the change. The business delays the claims event by 2 weeks, costing £180,000 in operational disruption. Separately, during week 3, an escalation event occurs that requires Level 2 authority. The on-call operator attempts to reach the Head of Claims Technology by phone during their holiday but cannot — they are in a location without mobile signal. The escalation is delayed by 14 hours until the Head returns to coverage.

What went wrong: The critical governance role had no coverage arrangement. A 3-week absence of a single individual created both operational disruption (inability to approve a legitimate business change) and governance risk (inability to escalate). Consequence: £180,000 in operational disruption from the delayed claims event, 14-hour escalation delay, post-incident review finding that governance continuity was inadequate.

Scenario C — Effective Succession Planning: A payment processor identifies 4 critical governance roles for its AI fraud-detection agent: accountability owner, mandate approver, kill authority holder, and on-call team lead. For each role, the organisation designates a primary holder and two successors. Each successor is trained on the role's responsibilities, has the necessary system access (activated when they assume coverage), and participates in quarterly exercises where they operate in the role for a full day. When the mandate approver takes parental leave for 6 months, the first successor steps into the role seamlessly — they have the knowledge, the authority, and the practice. When the kill authority holder changes jobs, the transition to the first successor is completed within 5 business days because the successor has already been operating in the role periodically. At no point does the organisation lack coverage in any critical role.

What went right: Every critical role had identified, trained, authorised successors. Successors practiced the role regularly. Coverage transitions were planned and tested before they were needed.

4. Requirement Statement

Scope: This dimension applies to all governance roles identified in AG-259 (build, operate, approve, validate, audit) and all authority designations in AG-261 (escalation authority), AG-262 (kill authority), and AG-263 (on-call responsibility) for material AI agent deployments. For each such role, the organisation must identify the key-person risk, designate successors, ensure successors are trained and authorised, and test coverage arrangements. The scope extends to knowledge continuity: critical governance knowledge (mandate configurations, monitoring thresholds, system architectures, regulatory relationships) must be documented sufficiently for a successor to assume the role without depending on verbal transfer from the predecessor. Organisations with fewer than 3 people in governance roles may designate external successors (from partner firms, consultancies, or shared-service arrangements) but must ensure they meet the same competence and authorisation requirements.

4.1. A conforming system MUST identify all critical governance roles for each material AI agent and designate at least one trained, authorised successor for each role.

4.2. A conforming system MUST ensure that each designated successor has received role-specific training within the preceding 12 months, covering the role's responsibilities, the systems they would need to access, the decisions they would need to make, and the escalation paths they would need to follow.

4.3. A conforming system MUST ensure that each designated successor has the necessary system access credentials provisioned (or provisionable within 4 hours) to assume the role when required.

4.4. A conforming system MUST test coverage arrangements at least annually by having the successor operate in the role for a defined period (minimum 1 business day) while the primary holder is not available.

4.5. A conforming system MUST maintain a documented succession register mapping each critical role to its primary holder and successor(s), with effective dates, training dates, and last coverage test date.

4.6. A conforming system MUST initiate a successor identification process within 10 business days when a primary role holder gives notice of departure, with the successor fully operational before the primary holder's last day.

4.7. A conforming system SHOULD document critical governance knowledge in a structured knowledge base accessible to successors, rather than relying on verbal transfer from the primary holder.

4.8. A conforming system SHOULD review the succession register quarterly, verifying that all successors are still available, still trained, and still have appropriate access.

4.9. A conforming system MAY implement cross-training programmes where governance team members rotate through different roles annually, building succession depth organically.

5. Rationale

Key-person dependency is one of the most common and most underestimated risks in AI agent governance. Organisations invest heavily in building governance frameworks but frequently concentrate the knowledge, authority, and relationships needed to operate those frameworks in a small number of individuals — sometimes a single person. This concentration creates a fragility that is invisible during normal operations (the key person is available and performing) but catastrophic when disrupted (the key person is unavailable and no one can substitute).

The risk is amplified in AI agent governance for three reasons. First, AI governance is technically complex, creating natural concentration — the few people who understand the system become bottlenecks because no one else can substitute. Second, AI agent governance is continuous — agents operate 24/7 (AG-263), meaning governance gaps cannot be covered by "waiting until the person returns" the way many business processes can. Third, AI agent governance is high-consequence — a governance gap in a trading agent's kill authority could result in millions in losses during a single incident.

AG-264 addresses this by requiring that every critical governance role has at least one identified, trained, and tested successor. The testing requirement is essential: a successor who has never operated in the role is unreliable under pressure, regardless of their theoretical training. Annual coverage testing ensures that successors have practical experience before they need it.

The knowledge documentation requirement (4.7) addresses the common failure mode where governance knowledge resides in one person's head. When that person departs, the knowledge is lost — not gradually, but immediately. Reconstructing governance knowledge from systems and documentation is expensive (typically 2-6 months and significant consultant cost) and during the reconstruction period, the organisation's governance capability is degraded.

6. Implementation Guidance

Successor and coverage planning should be treated as a governance control in its own right, not as an HR process. The goal is not to have names on a chart but to have people who can actually do the job.

Recommended patterns:

• Successor skills matrix. For each critical governance role, define the required competencies: technical skills (system access, configuration knowledge), domain skills (understanding the agent's business function), governance skills (regulatory knowledge, escalation procedures), and relationship skills (regulatory contacts, vendor relationships). Assess each potential successor against the matrix and create targeted training plans to close gaps. Update the matrix and assessments quarterly.
• Shadow rotation programme. Require designated successors to operate in a "shadow" capacity for 1 week per quarter — they perform the role's functions alongside the primary holder, who reviews their work. This builds practical competence and reveals gaps that classroom training does not. After 4 shadow rotations (1 year), the successor should be able to operate independently.
• Documented operational runbooks. For each critical governance role, maintain an operational runbook that a competent successor can follow to perform the role's functions. The runbook should include: daily/weekly/monthly tasks, decision criteria for common scenarios, system access instructions, escalation procedures, regulatory obligations, and contact lists. The runbook should be tested during annual coverage exercises — the successor should be able to perform the role using the runbook without verbal guidance from the primary holder.
• Succession register with automated alerts. Maintain a succession register in a structured format (database or structured file) with automated alerts for: training due (successor training older than 12 months), coverage test due (last test older than 12 months), successor departed (a designated successor has left the organisation), and primary departed (the primary holder has given notice or departed). Route alerts to the governance committee.
• Knowledge escrow for critical configurations. For highly critical governance configurations (mandate parameters, kill mechanism credentials, regulatory submission credentials), maintain a secure knowledge escrow — a documented, sealed record of access credentials and configuration details that can be opened by an authorised successor in the event of the primary holder's sudden unavailability. Update the escrow whenever the configuration changes.

Anti-patterns to avoid:

• Succession on paper only. Naming a successor who has never been trained, never accessed the relevant systems, and never performed the role's functions. This is a paper exercise that provides no actual coverage. The person named as successor may not even know they are the designated successor.
• Relying on notice periods. Assuming that departure transitions will always be managed during a notice period. People can become suddenly unavailable (illness, accident, personal emergency) without any notice period. Succession planning must account for sudden, unplanned unavailability.
• Single successor for multiple critical roles. Designating the same person as successor for 5 different critical roles concentrates risk in the successor the same way it was concentrated in the primary holder. If the successor is also unavailable, all 5 roles are uncovered. Successors should be diversified across individuals.
• Training without practice. Providing classroom or document-based training without hands-on practice. Governance roles require practical skills — accessing systems under pressure, making decisions with incomplete information, communicating with regulators. Practice (through shadow rotations and coverage tests) is essential.
• Ignoring knowledge continuity. Focusing on authority continuity (who has the role) without addressing knowledge continuity (what does the role-holder need to know). A successor who has the authority but not the knowledge cannot perform the role effectively. The documented knowledge base (4.7) is the mechanism for knowledge continuity.

Industry Considerations

Financial Services. SM&CR requires that Prescribed Responsibilities have identified holders at all times. A gap in a Prescribed Responsibility holder — even temporarily — is a regulatory breach. AG-264's succession requirements support SM&CR compliance by ensuring that governance functions have continuous coverage. The FCA's expectations under SYSC 4.3A (Senior Management Responsibilities) explicitly require firms to allocate responsibilities so that the firm can be effectively managed even when individuals are absent.

Healthcare. Clinical governance roles for AI agents (e.g., the clinician responsible for approving clinical AI agent configurations) must have clinical successors — the successor must have the same clinical standing and credentials as the primary holder. This may require coordination with clinical staffing and credentialing processes.

Critical Infrastructure. Safety-critical governance roles may require successors who hold specific safety qualifications (e.g., Functional Safety Engineer certification). The successor pipeline must account for the time required to obtain these qualifications (often 12-24 months), requiring earlier identification and longer development periods.

Maturity Model

Basic Implementation — The organisation has identified critical governance roles and designated at least one successor for each. Successors have been informed of their designation and have received initial training. A succession register exists. Coverage has been tested at least once. Knowledge documentation is partial — some critical knowledge is documented, some resides with the primary holder.

Intermediate Implementation — Successors are fully trained (within the past 12 months) and have system access provisioned. Annual coverage tests verify that successors can perform the role independently. The succession register is reviewed quarterly. Operational runbooks exist for all critical roles. Knowledge documentation covers all critical configurations. Automated alerts notify the governance committee when training, testing, or successor availability issues arise.

Advanced Implementation — All intermediate capabilities plus: shadow rotation programmes provide quarterly practical experience. Cross-training builds succession depth beyond designated successors. Knowledge escrow is maintained for critical configurations. Succession transitions have been tested through realistic scenarios (sudden departure, simultaneous unavailability of primary and first successor). The organisation can demonstrate that at no point in the past 12 months was any critical governance role without a reachable, capable, authorised holder or successor.

7. Evidence Requirements

Required artefacts:

• Succession register. Structured register mapping each critical governance role to primary holder and successor(s), with training dates, system access status, and last coverage test date. Must be current within 30 days.
• Training records. Records of successor-specific training for each designated successor, including training date, content covered, competency assessment, and next refresh date. Must demonstrate annual refreshment.
• Coverage test records. Documentation of annual (or more frequent) coverage exercises, including: the role tested, the successor who performed it, the duration, the primary holder's absence, and any issues identified. Minimum 24 months of history.
• Operational runbooks. Runbooks for each critical governance role, versioned and dated. Must be current (updated within 6 months or after any significant process change).
• Transition records. For any governance role transitions that occurred in the past 24 months, documentation of the transition plan, timeline, successor readiness assessment, and outcome.

Retention requirements:

• Succession registers and coverage test records: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. The succession register must be accessible to the governance committee at all times.

8. Test Specification

Testing AG-264 compliance requires verifying the completeness of succession designations, the readiness of successors, and the effectiveness of coverage arrangements.

Test 8.1: Succession Coverage Completeness

• Stimulus: Retrieve the succession register. Cross-reference against the list of critical governance roles from AG-259, AG-261, AG-262, and AG-263.
• Expected behaviour: Every critical governance role has at least one designated successor.
• Pass criteria: 100% of critical roles have at least one designated successor.
• Fail criteria: Any critical role lacks a designated successor.

Test 8.2: Successor Training Currency

• Stimulus: For each designated successor, verify that role-specific training was completed within the past 12 months.
• Expected behaviour: All successors have current training.
• Pass criteria: 100% of designated successors have training dated within the past 12 months.
• Fail criteria: Any successor's training is older than 12 months or unrecorded.

Test 8.3: Successor System Access

• Stimulus: For a sample of 30% of designated successors (minimum 3), verify that they can access the systems required for their designated role within 4 hours.
• Expected behaviour: System access is provisioned or provisionable within 4 hours.
• Pass criteria: All sampled successors can access required systems within 4 hours.
• Fail criteria: Any sampled successor cannot access required systems within 4 hours.

Test 8.4: Coverage Test Recency

• Stimulus: Verify that each critical governance role has been tested through a coverage exercise (successor operating in role) within the past 12 months.
• Expected behaviour: All critical roles have annual coverage test evidence.
• Pass criteria: 100% of critical roles have coverage test records within the past 12 months.
• Fail criteria: Any critical role has not been tested within the past 12 months.

Test 8.5: Successor Independent Operation

• Stimulus: During a coverage test, assign the successor to operate in the role for 1 business day without guidance from the primary holder. Assess their ability to perform core role functions using the operational runbook.
• Expected behaviour: The successor performs core role functions competently using the runbook.
• Pass criteria: The successor completes all core role functions for the test day without errors requiring primary holder intervention.
• Fail criteria: The successor cannot perform core functions or requires primary holder intervention for routine tasks.

Test 8.6: Knowledge Documentation Adequacy

• Stimulus: Present the operational runbook for a critical role to a person outside the governance team who has relevant technical skills but no specific knowledge of the role. Assess whether they can follow the runbook to perform basic role functions.
• Expected behaviour: The runbook is sufficiently detailed and clear for a competent person to follow.
• Pass criteria: The external reviewer can follow the runbook to perform basic functions without additional verbal guidance.
• Fail criteria: The runbook is insufficient — the reviewer cannot perform basic functions without verbal guidance from the primary holder.

Test 8.7: Departure Transition Readiness

• Stimulus: Simulate a primary role holder giving 4 weeks' notice. Verify that the successor identification and activation process can complete within 10 business days per requirement 4.6.
• Expected behaviour: The successor is identified and activated within 10 business days.
• Pass criteria: Successor activation (trained, authorised, access provisioned) completed within 10 business days.
• Fail criteria: Successor activation requires more than 10 business days.

Conformance Scoring

• Score 0: No succession planning — critical governance roles depend on single individuals with no identified successors.
• Score 1: Successors are identified on paper but are not trained, lack system access, and have not been tested — succession exists in name only.
• Score 2: Successors are identified, trained (within 12 months), have system access, and have been tested through annual coverage exercises — succession planning is operationally effective.
• Score 3: Verified by independent assessment — an independent party has tested successor readiness through unannounced coverage exercises, confirmed that knowledge documentation enables independent operation, and verified that the organisation can sustain governance capability through simultaneous multi-role unavailability.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 17 (Quality Management System)	Supports compliance
FCA SYSC	4.3A (Senior Management Responsibilities)	Direct requirement
FCA SM&CR	Prescribed Responsibilities continuity	Direct requirement
SOX	Section 404 (Internal Controls — continuity of control operation)	Supports compliance
NIST AI RMF	GOVERN 1.2 (Accountability Structures)	Supports compliance
ISO 42001	Clause 7.2 (Competence)	Direct requirement
DORA	Article 5 (Governance and Organisation)	Supports compliance
PRA SS1/23	Model Risk Management — Governance continuity	Supports compliance
Basel Committee	Principle 4 (Board and Senior Management Oversight)	Supports compliance

FCA SYSC — 4.3A (Senior Management Responsibilities)

SYSC 4.3A requires firms to allocate responsibilities so that the firm can be effectively managed, including when individuals are absent. For AI agent governance, this means every governance function — mandate approval, escalation authority, kill authority — must have coverage arrangements that ensure continuity during absences. AG-264 provides the framework for demonstrating compliance.

FCA SM&CR — Prescribed Responsibilities Continuity

Under SM&CR, there must be no gap in the allocation of Prescribed Responsibilities. If the Senior Manager responsible for AI governance departs, the Prescribed Responsibility must be reallocated immediately. AG-264's succession planning ensures that a trained, prepared successor is available to assume the responsibility without gap.

ISO 42001 — Clause 7.2 (Competence)

Clause 7.2 requires organisations to ensure that persons doing work affecting AI management system performance are competent based on appropriate education, training, or experience. Succession planning is the mechanism for ensuring that competence persists through personnel changes — the successor must meet the same competence requirements as the primary holder.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Role-specific but potentially organisation-wide if the uncovered role is a critical governance function

Consequence chain: Without successor and coverage planning, the departure or unavailability of a single individual can disable a critical governance function. If the only person with kill authority is unreachable during an incident, the agent cannot be terminated. If the only person who understands the mandate configuration departs, the organisation cannot maintain or modify agent boundaries. If the only person with escalation authority above Level 1 is on holiday, escalation beyond the operator level is blocked. The immediate consequence is a governance gap — a period during which a critical function cannot be performed. The duration of the gap depends on how long it takes to identify, train, and authorise a replacement: days if the departure was planned with notice, weeks if it was sudden, months if the role required specialised knowledge that was not documented. During the gap, the organisation's governance posture is degraded, creating regulatory exposure (particularly under SM&CR, where gaps in Prescribed Responsibilities are reportable) and operational risk (the ungoverned function cannot respond to incidents).

Cross-references: This dimension works in conjunction with AG-259 (Role-Segregated Control Ownership Governance) which defines the roles that require successors; AG-261 (Escalation Authority Governance) which requires fallback authority holders — a form of succession planning for escalation; AG-262 (Kill Authority Designation Governance) which requires primary and backup authority holders; AG-263 (On-Call Responsibility Governance) which requires a rotation of on-call responders — rotation itself is a form of coverage planning; AG-265 (Outsourced Operator Accountability Governance) which may provide external successor capability; and AG-159 (Agent Accountability and Named Ownership) which ensures that the agent's named owner role is included in succession planning.