Dual-Control for Policy Change Governance

2. Summary

Dual-Control for Policy Change Governance requires that changes to high-impact governance policies — the rules that define approval tiers, delegation structures, mandate limits, and other governance configurations — require independent approval from at least two qualified individuals from different organisational functions. A single individual must not be able to unilaterally modify the governance policies that constrain AI agent operations. This is the meta-governance control: it governs the governance itself, preventing the scenario where a single person weakens governance controls to enable actions that the original controls would have blocked.

3. Example

Scenario A — Single-Person Policy Change Enables Self-Dealing: A finance team manager has administrative access to the AI agent governance configuration. The manager raises the agent's per-transaction approval threshold from £10,000 (requiring two-party approval) to £100,000 (single-approver) to "reduce operational friction." The manager then uses the agent to approve a series of payments totalling £340,000 to a company controlled by a family member. Under the original £10,000 threshold, each payment would have required a second approver who would have identified the conflict of interest. Under the modified threshold, the manager is the sole approver. The modification is discovered during an annual audit, eight months later.

What went wrong: A single individual had the ability to modify the governance policy that constrained the agent's (and their own) authority. No second party was required to approve the policy change. The person who benefited from the policy change was the same person who made it. Consequence: £340,000 in fraudulent payments, criminal investigation, regulatory enforcement, audit finding for inadequate change control over governance policies.

Scenario B — Automated Policy Drift Through Configuration Change: An operations engineer modifying the AI agent platform's configuration file changes the "approval_required" flag from "true" to "false" for a category of data processing operations, intending to fix a performance bottleneck. The change is deployed through the standard CI/CD pipeline, which has no governance-policy-aware review step. The effect is that an entire category of data processing operations now executes without approval. Over the next three weeks, the agent processes 12,000 data operations that should have required privacy review, including 847 involving personal data from EU residents. The privacy team discovers the issue when a data subject makes an access request and the processing log shows no approval records.

What went wrong: The governance policy was stored as a configuration value in a deployment pipeline without dual-control protection. A single engineer's change to a configuration file modified a governance policy. The CI/CD pipeline did not distinguish between functional configuration and governance configuration. Consequence: 12,000 unapproved data processing operations, 847 potential UK GDPR violations, ICO investigation, mandatory breach notification for affected data subjects.

Scenario C — Policy Reversal During Organisational Transition: During a reorganisation, a new department head reviews the AI agent governance policies and determines that the existing approval requirements are "unnecessarily bureaucratic." The department head unilaterally reverts the policies to minimal approval requirements — removing multi-party approval for transactions below £250,000 and eliminating the cross-functional diversity requirement. No second individual reviews or approves the change. Over the following quarter, the agent processes £7,200,000 in transactions under the weakened governance, including several with compliance issues that the removed controls would have caught.

What went wrong: A single individual with administrative access reversed governance policies without requiring a second, independent approval. The policy change was not subject to the same rigour as the actions it governed. Consequence: £7,200,000 in inadequately governed transactions, compliance findings on several transactions, regulatory inquiry into governance change control.

4. Requirement Statement

Scope: This dimension applies to all changes to governance policies that affect AI agent operations. This includes changes to: approval tier definitions and thresholds, delegation structures and limits, mandate configurations, approval quorum requirements, approval pathway routing, emergency authority definitions, and any other configuration that governs how AI agents are authorised, constrained, or overseen. The scope covers all mechanisms for policy change: configuration file modifications, database updates, API calls, administrative interface changes, and deployment pipeline configurations. Any mechanism that, if changed, would alter the governance constraints on an AI agent is within scope.

4.1. A conforming system MUST require approval from at least two independent individuals from different organisational functions for any change to a governance policy that affects AI agent authorisation, approval, delegation, or oversight.

4.2. A conforming system MUST ensure that neither of the two approvers is the person requesting the policy change — the requestor, first approver, and second approver must be three distinct individuals.

4.3. A conforming system MUST enforce dual-control at the infrastructure layer — the system must not accept a governance policy change without two independent, verified approvals.

4.4. A conforming system MUST log every governance policy change with: the change specification, the requestor identity, both approver identities, the approval timestamps, and the rationale for the change.

4.5. A conforming system MUST classify all governance policy configurations distinctly from functional configurations, ensuring that governance configurations cannot be modified through standard deployment pipelines without the dual-control gate.

4.6. A conforming system SHOULD implement a mandatory review period (default: 48 hours) between the first and second approval for high-impact policy changes, preventing rushed approval of significant governance modifications.

4.7. A conforming system SHOULD require an impact assessment for governance policy changes, estimating how many agents, actions, and transaction volumes would be affected by the proposed change.

4.8. A conforming system SHOULD implement version control for all governance policies with the ability to roll back to any previous version, where rollback itself requires dual-control approval.

4.9. A conforming system MAY implement a staged rollout mechanism for governance policy changes — applying the change to a subset of agents or transactions before full deployment.

5. Rationale

Governance policies are the rules that constrain AI agent operations. They define the approval thresholds, the delegation scopes, the mandate limits, and the oversight requirements. If these rules can be changed by a single individual without independent review, then the governance framework has a single point of failure at the meta-governance level. The entire governance structure can be weakened or disabled by one person — through malice, error, or misguided optimisation.

The dual-control principle is one of the oldest governance mechanisms in finance and security. No single individual should be able to authorise their own transaction, approve their own access request, or sign their own contract. The same principle applies to governance configuration: no single individual should be able to weaken the rules that constrain AI agents, because those rules may be the constraints that prevent the individual (or the agent they control) from taking harmful actions.

The specific risk for AI agent governance is that policy changes have amplified effects. When a human governance policy changes (e.g., a new approval threshold for purchase orders), the effect is bounded by human processing speed — the number of affected transactions accumulates gradually. When an AI agent governance policy changes, the effect is immediate and scaled — the agent may process thousands of transactions under the new policy within minutes. A policy change that removes a £10,000 approval threshold could result in millions of pounds in unreviewed transactions within hours.

6. Implementation Guidance

Dual-control implementation requires separating governance configuration from functional configuration, enforcing the two-approver gate, and managing the policy change lifecycle.

Recommended patterns:

• Governance configuration as code with dual-review. Store governance policies in a dedicated repository (separate from functional code). All changes require a merge request with two approvals from reviewers on a designated governance approver list. The approver list is itself governed by dual-control. The CI/CD pipeline for governance configuration includes: schema validation (the change conforms to the governance policy format), impact assessment (automated calculation of affected agents and transaction volumes), dual-approval verification (two valid approvals from distinct, qualified, cross-functional reviewers), and audit logging.
• Administrative interface with dual-approval workflow. If governance policies are managed through an administrative UI, implement a workflow where the requestor submits the change, a first approver reviews and approves, and a second approver from a different function reviews and approves. The change is not applied until both approvals are recorded. The UI enforces the three-person rule (requestor ≠ first approver ≠ second approver) by checking identities.
• Configuration classification tagging. Tag every configuration parameter with a classification: "functional" (standard deployment pipeline, standard review) or "governance" (dual-control pipeline, enhanced review). The tagging is itself governed by dual-control. Any attempt to modify a governance-classified parameter through the standard pipeline is blocked.
• Policy change impact preview. Before applying a governance policy change, generate a preview showing: number of agents affected, transaction types affected, volume of transactions that would have been handled differently under the new policy over the past 30 days, and any policy weakening (reduced approval requirements, wider delegation scope, higher thresholds). Policy changes classified as "weakening" require additional justification.

Anti-patterns to avoid:

• Administrative superuser bypassing dual-control. If a system administrator can modify governance configuration through direct database access, CLI tools, or infrastructure management consoles without dual-control, the control is bypassed. Governance configuration must be protected from direct modification by any single individual, including system administrators.
• Governance configuration in functional repositories. Storing governance configuration alongside functional code in the same repository with the same review process means that governance changes receive functional-level review (typically one reviewer focused on code quality), not governance-level review (two independent reviewers focused on control impact).
• Dual-control without cross-functional requirement. Requiring two approvals but allowing both from the same department provides numeric dual-control but not independent scrutiny. Both approvers may share the same incentive to weaken the policy. Cross-functional independence is essential.
• Bulk policy changes without individual assessment. A single change request that modifies 20 governance parameters at once, approved en masse, subverts the intent of dual-control. Each governance parameter change should be individually described and justified.
• Rollback without dual-control. If a governance policy can be rolled back to a previous version by a single individual, then dual-control can be circumvented: make the desired policy the current version, advance to a different policy through dual-control, then roll back to the desired version unilaterally.

Industry Considerations

Financial Services. Dual-control for governance policy changes aligns with existing trading limit change controls. FCA-regulated firms must demonstrate that changes to risk limits, approval authorities, and control parameters are subject to appropriate change management. SYSC 6.1.4R addresses requirements for information systems to detect and report irregularities — changes to governance policies are a critical irregularity type.

Healthcare. Changes to clinical governance policies (e.g., prescription checking rules, clinical decision thresholds) must follow established clinical governance change processes. Dual-control ensures that changes to AI agent clinical governance are at least as rigorous as changes to human clinical governance.

Public Sector. Governance policy changes affecting citizen-facing AI agents may require democratic accountability. Dual-control provides the minimum safeguard; additional requirements may include public consultation or ministerial approval for significant changes.

Maturity Model

Basic Implementation — Governance configurations are identified and separated from functional configurations. Changes to governance configurations require two approvals. The three-person rule is enforced (requestor ≠ approver 1 ≠ approver 2). All changes are logged with requestor and approver identities. This meets minimum mandatory requirements but cross-functional independence may not be enforced, and impact assessment may not be automated.

Intermediate Implementation — Cross-functional independence is enforced for governance approvals. Automated impact assessment previews the effect of policy changes. Policy weakening is automatically detected and flagged for enhanced justification. Version control enables audit trail of all historical governance configurations. Governance configuration is stored separately from functional code with a dedicated review pipeline.

Advanced Implementation — All intermediate capabilities plus: staged rollout for governance policy changes, with monitoring for adverse effects before full deployment. Automated regression testing validates that governance policy changes do not create unintended gaps or conflicts. Independent adversarial testing confirms that single-person bypass, administrative override, bulk change obfuscation, and rollback circumvention attacks all fail. The governance configuration is integrity-protected with cryptographic signatures that detect tampering.

7. Evidence Requirements

Required artefacts:

• Governance configuration repository. The complete, versioned repository of all governance policy configurations, with full change history including requestor, approvers, rationale, and timestamps.
• Dual-approval enforcement log. Records of every governance policy change attempt, showing whether dual-approval was satisfied, including rejected attempts where dual-approval was not met.
• Impact assessment records. For each governance policy change, the impact assessment showing affected agents, transaction types, volumes, and any weakening classification.
• Governance change audit report. Periodic analysis (at least quarterly) of governance policy changes, reviewing patterns, frequency, and whether changes were appropriate.

Retention requirements:

• Governance configuration versions, approval logs, and impact assessments: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Test 8.1: Single-Person Change Prevention

• Stimulus: Attempt to modify a governance policy configuration with only one approval.
• Expected behaviour: The change is rejected. The system requires two independent approvals.
• Pass criteria: No governance policy change is applied with fewer than two approvals.
• Fail criteria: A governance policy change is applied with a single approval.

Test 8.2: Three-Person Rule Enforcement

• Stimulus: Submit a governance policy change where the requestor is also one of the approvers.
• Expected behaviour: The approval is rejected. The requestor cannot approve their own change.
• Pass criteria: The requestor is excluded from the approver set.
• Fail criteria: The requestor's approval is accepted.

Test 8.3: Cross-Functional Independence

• Stimulus: Submit a governance policy change with two approvals from the same organisational function.
• Expected behaviour: The approvals are rejected for lacking cross-functional independence.
• Pass criteria: Approvers must be from different organisational functions.
• Fail criteria: Two approvers from the same function satisfy the dual-control requirement.

Test 8.4: Infrastructure-Level Enforcement

• Stimulus: Attempt to modify governance configuration through direct database access, CLI tool, or infrastructure management console, bypassing the dual-approval workflow.
• Expected behaviour: The modification is blocked or immediately detected and reverted. Governance configuration is protected from direct modification.
• Pass criteria: No bypass mechanism allows single-person governance policy modification.
• Fail criteria: Direct modification succeeds without dual-control approval.

Test 8.5: Governance vs. Functional Classification

• Stimulus: Attempt to modify a governance-classified configuration parameter through the standard (non-dual-control) deployment pipeline.
• Expected behaviour: The deployment pipeline rejects the change for governance-classified parameters, directing the change through the dual-control pipeline.
• Pass criteria: Governance configurations cannot be modified through standard deployment pipelines.
• Fail criteria: Governance configurations are modifiable through standard pipelines.

Test 8.6: Rollback Under Dual-Control

• Stimulus: Attempt to roll back a governance policy to a previous version with only one approval.
• Expected behaviour: The rollback is rejected. Rollback requires the same dual-control as forward changes.
• Pass criteria: Policy rollback requires dual-control approval.
• Fail criteria: A single individual can roll back a governance policy.

Conformance Scoring

• Score 0: No dual-control for governance policy changes — single individuals can modify governance configurations unilaterally.
• Score 1: Dual-control is documented as a process requirement but not structurally enforced — policy changes can bypass the dual-control process through direct access or administrative tools.
• Score 2: Dual-control is structurally enforced at the infrastructure layer with cross-functional independence and three-person rule — no governance policy change is applied without verified dual approval.
• Score 3: Verified by independent adversarial testing — single-person bypass, administrative override, classification manipulation, and rollback circumvention attacks all fail under independent testing.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Direct requirement
SOX	Section 404 (Internal Controls Over Financial Reporting)	Direct requirement
FCA SYSC	6.1.1R (Systems and Controls)	Direct requirement
FCA SYSC	6.1.4R (Information Reporting)	Supports compliance
NIST AI RMF	GOVERN 1.2 (Processes for Risk Management)	Supports compliance
ISO 27001	A.12.1.2 (Change Management)	Direct requirement
DORA	Article 9 (ICT Risk Management Framework)	Supports compliance

SOX — Section 404 (Internal Controls Over Financial Reporting)

SOX requires that internal controls are effective and that changes to controls are themselves controlled. A governance policy change that weakens an internal control is itself a control event that requires appropriate authorisation. Dual-control for policy changes directly satisfies the SOX requirement that control modifications be subject to adequate oversight. SOX auditors specifically look for: whether control configurations can be changed by a single individual, whether changes are logged, and whether the change management process itself is subject to review.

EU AI Act — Article 9 (Risk Management System)

The risk management system must be maintained throughout the lifecycle of the AI system. Changes to governance policies that weaken risk controls must be subject to appropriate review. Dual-control ensures that risk control modifications are not unilateral.

ISO 27001 — A.12.1.2 (Change Management)

Change management requirements under ISO 27001 include controls over changes to information processing facilities. Governance policy configurations that control AI agent behaviour are information processing controls and are subject to change management requirements.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Organisation-wide — a governance policy change affects all agents and actions subject to that policy

Consequence chain: Without dual-control for governance policy changes, a single individual can weaken or disable the governance controls that constrain AI agents across the organisation. The failure is multiplicative: a single policy change can affect thousands of agent actions. If the change is made with malicious intent (Scenario A), it enables fraud or self-dealing. If made through error (Scenario B), it creates unintended governance gaps. If made through misguided optimisation (Scenario C), it systematically removes controls that exist for good reason. In all cases, the consequence is that AI agents operate under weakened governance without independent review or approval of the weakening. The regulatory consequence is severe: demonstrating that governance controls were unilaterally weakened by a single individual indicates a fundamental control environment failure. SOX auditors would classify this as a material weakness. FCA supervisors would classify this as a systems and controls failure. The financial consequence scales with the volume and value of actions processed under the weakened governance.

Cross-references: AG-007 (Governance Configuration Control) provides the underlying configuration control framework that AG-296 extends with the dual-control requirement. AG-290 (Tiered Approval Threshold Governance) defines the tier structure that dual-control protects from unilateral modification. AG-291 (Approval Quorum Diversity Governance) provides the diversity principles applied to the dual-control approver set. AG-297 (Approval Chain Visibility Governance) makes policy changes and their approvals visible for audit. AG-295 (Emergency Delegated Authority Governance) addresses emergency changes to governance policies, which must still meet minimum dual-control requirements. AG-017 (Multi-Party Authorisation) provides the foundational multi-party framework. Siblings in this landscape: AG-289 through AG-298.