Prompt Template Provenance Governance

2. Summary

Prompt Template Provenance Governance requires that organisations track the origin, authorship, approval history, and lineage of every prompt template and prompt fragment used in AI agent systems. Prompt templates are reusable instruction components — system prompts, persona definitions, safety guardrails, tool-use instructions, and output format directives — that are assembled into complete agent configurations. Without provenance tracking, organisations cannot answer fundamental governance questions: who wrote this prompt? When was it approved? What was it derived from? Has it been modified since approval? Is it still appropriate for the current deployment context? This dimension mandates that every prompt template has a documented origin, an approval chain, a modification history, and a current status, enabling the organisation to demonstrate full chain of custody for the instructions that govern agent behaviour.

3. Example

Scenario A — Orphaned Prompt Template From Departed Employee: An organisation deploys 12 AI agents across three departments. Each agent uses a system prompt assembled from shared template fragments. One critical safety template — the financial advice guardrail — was written by an engineer who left the organisation 14 months ago. No record indicates who wrote it, what requirements it was based on, or whether it was ever reviewed by compliance. When a regulatory audit asks the organisation to demonstrate the governance basis for its financial advice constraints, the organisation cannot identify the template's author, approval authority, or the regulatory requirements it was designed to address. The regulator finds inadequate governance of AI system configuration. Remediation cost: £95,000 in consultant fees to reconstruct and re-approve all prompt templates across 12 agents.

What went wrong: No provenance records existed for prompt templates. The template was created informally, stored in a shared directory, and propagated to multiple agents without documentation. When the author departed, institutional knowledge of the template's purpose, basis, and limitations departed with them.

Scenario B — Unvetted Community Template Introduces Bias: A development team, under time pressure, adopts a prompt template from a public repository for their customer-facing agent's persona definition. The template includes: "Be friendly and conversational. Use casual language. Assume the user is technically sophisticated." The team does not review the template against the organisation's accessibility standards or bias policies. The "technically sophisticated" assumption causes the agent to use jargon and skip explanations when interacting with users who are not technically proficient, creating a barrier to service. Over 3 months, customer satisfaction scores for non-technical users drop 18 percentage points. The issue is traced to the template, but the organisation discovers that 4 other agents also use derivatives of the same unvetted community template.

What went wrong: A template from an external source was adopted without provenance assessment — no evaluation of the author's credentials, the template's intended context, or its alignment with organisational policies. The template proliferated across multiple agents because no provenance tracking connected the derivatives to the original source, making the blast radius invisible until the problem was identified.

Scenario C — Template Fragment Divergence Across Agents: An organisation creates a safety guardrail template and deploys it to 8 agents. Over 6 months, individual teams customise the template for their specific agents. Each customisation creates a derivative that drifts from the original. After 6 months, the 8 agents have 8 different versions of the "same" guardrail, with varying levels of constraint strength. An incident involving one agent reveals a weakened guardrail. Investigation shows that the weakening occurred in a template customisation 4 months earlier, but the organisation cannot determine which other agents share the same weakness because there is no lineage tracking connecting the derivatives to the original and to each other.

What went wrong: Template derivatives were not linked to their parent through provenance records. Each derivative was treated as an independent artefact with no connection to the original or to sibling derivatives. When a defect was found in one derivative, the organisation had no efficient mechanism to identify other affected derivatives.

4. Requirement Statement

Scope: This dimension applies to any AI agent deployment that uses prompt templates, prompt fragments, or any reusable instruction components that are assembled into complete agent configurations. This includes: system prompt templates, persona definitions, safety guardrail templates, tool-use instruction templates, output format directives, few-shot example libraries, and any text-based component that is maintained separately and composed into agent prompts at deployment or runtime. The dimension applies whether templates are stored in files, databases, template management systems, or embedded in application code. A deployment that uses a single, monolithic prompt with no reusable components is minimally within scope (provenance applies to the monolithic prompt itself). The test is: does any instruction component used by an agent exist as a reusable or shared artefact? If yes, this dimension applies in full.

4.1. A conforming system MUST maintain a provenance record for every prompt template and prompt fragment, including at minimum: the original author, creation date, the requirement or objective the template was designed to address, the approval authority and approval date, and the current status (active, deprecated, draft, retired).

4.2. A conforming system MUST track the lineage of template derivatives, linking each derivative to its parent template so that the impact of a defect in a parent template can be assessed across all descendants.

4.3. A conforming system MUST record the source of any externally-originated template (e.g., open-source repository, vendor-provided, community-sourced) and document the assessment performed before adoption, including fitness for purpose, bias review, and alignment with organisational policies.

4.4. A conforming system MUST ensure that every active prompt template has an identified current owner responsible for its maintenance, accuracy, and compliance alignment.

4.5. A conforming system MUST conduct periodic reviews of active prompt templates to confirm they remain appropriate for their deployed context, aligned with current policies, and consistent with the current regulatory environment.

4.6. A conforming system SHOULD implement a template registry that serves as the authoritative source for all prompt templates, with metadata including provenance, lineage, deployment map (which agents use this template), and review schedule.

4.7. A conforming system SHOULD automate lineage tracking so that when a parent template is updated, all derivative templates and their deploying agents are automatically identified for impact assessment.

4.8. A conforming system SHOULD require that externally-sourced templates undergo the same approval process as internally-created templates before deployment, with additional assessment for licensing, intellectual property, and hidden content.

4.9. A conforming system MAY implement template signing where approved templates are cryptographically signed and the agent runtime verifies the signature before using the template, preventing use of unapproved or tampered templates.

5. Rationale

Prompt templates are the building blocks of agent behaviour. In mature AI deployments, agents are not configured with monolithic prompts written from scratch — they are assembled from libraries of reusable components: safety guardrails, persona definitions, domain-specific instructions, output format templates, and tool-use directives. These components are shared across agents, customised for specific deployments, and evolved over time. They are, in effect, a codebase of behavioural instructions.

Yet most organisations treat prompt templates with less governance than they apply to software source code. Source code has version control, authorship attribution, code review, dependency tracking, and licensing compliance. Prompt templates frequently lack all of these. They are created informally, stored in shared directories or configuration dashboards, copied and modified without tracking, and deployed without provenance documentation. This creates governance gaps that compound over time.

Three specific risks drive the need for provenance governance. First, accountability gaps: when an agent's behaviour is questioned, the organisation must be able to identify who wrote the instructions that produced that behaviour, on what basis, and with what approval. Without provenance, this accountability chain is broken. Second, supply chain risk: organisations increasingly adopt prompt templates from external sources — open-source repositories, vendor libraries, community forums. These templates may contain hidden biases, unsuitable assumptions, or adversarial content. Without provenance assessment, externally-sourced templates enter the agent's instruction set without scrutiny. Third, change propagation blindness: when a defect is found in a template, the organisation must identify every agent that uses that template or a derivative of it. Without lineage tracking, this identification requires manual inspection of every agent's configuration — a process that does not scale.

Provenance governance converts prompt templates from informal text snippets into governed artefacts with documented origin, ownership, approval, and lineage — enabling the same accountability and change management that organisations apply to other critical operational components.

6. Implementation Guidance

Prompt Template Provenance Governance requires a centralised registry, structured metadata, and lineage tracking. The core mechanism is treating prompt templates as first-class governed artefacts with the same lifecycle management applied to software components, regulatory documents, or configuration artefacts.

Recommended patterns:

• Centralised template registry. Implement a registry (database, structured repository, or dedicated service) that stores all prompt templates with metadata: unique identifier, author, creation date, requirement basis, approval authority, approval date, current status, current owner, review schedule, source (internal/external), and deployment map (which agents use this template). All agents fetch templates from the registry at deployment time. Templates not in the registry cannot be used by agents.
• Lineage graph. Maintain a directed graph of template relationships. When a derivative is created from a parent template, the relationship is recorded. The graph supports impact queries: "which templates descend from template T-042?" and "which agents are affected if template T-042 has a defect?" This enables rapid impact assessment when a vulnerability or compliance issue is identified in a template.
• Provenance metadata schema. Define a structured metadata schema for all templates:

`` template_id: T-042 title: Financial Advice Safety Guardrail author: j.smith@org.com created: 2025-09-14 requirement_basis: FCA COBS 9.3 suitability requirements approved_by: compliance-team@org.com approved_date: 2025-09-21 current_owner: ai-governance@org.com status: active review_schedule: quarterly source: internal parent_template: null derivatives: [T-043, T-044, T-047] deployed_to: [agent-fin-001, agent-fin-002, agent-fin-003] last_reviewed: 2026-01-15 ``

• External source assessment checklist. For templates adopted from external sources, require a documented assessment covering: author/source reputation, licensing terms, fitness for the intended deployment context, bias and safety review, hidden content inspection (encoded text, invisible characters, comment fields), and alignment with organisational policies. The assessment is recorded as part of the template's provenance metadata.

Anti-patterns to avoid:

• Copy-paste template management. Copying templates between agents by pasting text, without recording the relationship or maintaining a link to the source. This is the most common failure mode and the primary cause of lineage blindness.
• Template registries without deployment mapping. Maintaining a registry of templates but not tracking which agents use which templates. The registry provides provenance but not impact assessment capability. When a template defect is found, the organisation still cannot efficiently identify affected agents.
• Provenance at creation only. Recording provenance metadata when a template is created but not updating it when the template is modified, reassigned, or deployed to additional agents. Provenance must be maintained throughout the template's lifecycle, not only at creation.
• Treating all external templates as trusted. Adopting templates from vendor libraries or open-source repositories without assessment, on the assumption that the source is reputable. Reputable sources can contain biased, inappropriate, or inadvertently harmful content. Assessment is required regardless of source reputation.
• Orphaned templates without owners. Allowing templates to remain in active use after their designated owner has departed or changed role. Ownerless templates cannot be maintained, reviewed, or updated in response to policy changes. A template without an owner should be flagged for reassignment or retirement.

Industry Considerations

Financial Services. Prompt templates for financial agents must have provenance that traces to specific regulatory requirements (e.g., "this guardrail implements FCA COBS 9.3 suitability requirements"). The FCA expects firms to demonstrate that their AI system configurations are based on identified regulatory obligations. Template reviews should be aligned with regulatory change cycles.

Healthcare. Prompt templates for clinical agents must trace to clinical guidelines, safety standards, or regulatory requirements. Template provenance should include the clinical evidence basis and the clinical authority who approved the template. Templates should be reviewed when underlying clinical guidelines are updated.

Public Sector. Prompt templates for citizen-facing agents must trace to policy requirements, equality obligations, and accessibility standards. Template provenance should include the policy basis and the authority responsible for ensuring alignment with public sector obligations.

Maturity Model

Basic Implementation — The organisation maintains a register of prompt templates with basic metadata: author, creation date, and current status. Templates are stored in a version-controlled repository. Externally-sourced templates are identified as such. Template ownership is assigned. This level meets the minimum mandatory requirements but may lack automated lineage tracking and deployment mapping.

Intermediate Implementation — All basic capabilities plus: a centralised template registry provides the authoritative source for all templates. Lineage tracking connects derivatives to parent templates. Deployment mapping shows which agents use which templates. Periodic reviews are scheduled and tracked. External source assessments are documented. Impact queries can identify all affected agents and derivatives when a template defect is found.

Advanced Implementation — All intermediate capabilities plus: template signing provides cryptographic assurance that agents use only approved, untampered templates. Automated lineage tracking identifies all downstream derivatives when a parent is updated. Real-time dashboards show template health metrics: review currency, orphan templates, unassessed external sources, and deployment coverage. The organisation can demonstrate to regulators the complete provenance of any instruction that any agent is following, from its original creation through every modification to its current deployed form.

7. Evidence Requirements

Required artefacts:

• Template registry export. Complete export of the template registry showing all templates with provenance metadata: author, creation date, requirement basis, approval authority, status, owner, review schedule, source, lineage, and deployment map.
• External source assessment records. For every externally-sourced template, the documented assessment including source evaluation, fitness assessment, bias review, and approval decision.
• Template review records. Records of periodic template reviews showing the review date, reviewer, findings, and any actions taken (update, retire, no change).
• Lineage graph. The template lineage graph showing parent-derivative relationships, with evidence that the graph is maintained and used for impact assessment.
• Ownership assignment records. Records confirming that every active template has a designated current owner, with evidence of ownership reassignment when personnel change.

Retention requirements:

• Template provenance records: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise. Provenance records must be retained for the lifetime of the template plus the applicable retention period.

Access requirements:

• Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Test 8.1: Provenance Record Completeness

• Stimulus: Select 20 active prompt templates at random. Retrieve their provenance records from the registry.
• Expected behaviour: Every template has a complete provenance record with all required fields: author, creation date, requirement basis, approval authority, approval date, current owner, status, review schedule, and source.
• Pass criteria: 100% of sampled templates have complete provenance records with all required fields populated.
• Fail criteria: Any sampled template has a missing or incomplete provenance record.

Test 8.2: Lineage Tracking Accuracy

• Stimulus: Create a parent template, then create 3 derivatives. Modify the parent template. Query the lineage graph for all derivatives of the parent.
• Expected behaviour: All 3 derivatives are identified by the lineage query. The modification to the parent is flagged as requiring impact assessment on the derivatives.
• Pass criteria: The lineage query returns all 3 derivatives. Impact assessment notification is generated.
• Fail criteria: Any derivative is missing from the lineage query, or no impact assessment notification is generated.

Test 8.3: External Source Assessment Enforcement

• Stimulus: Attempt to deploy an externally-sourced template without completing the external source assessment. Attempt to deploy with a completed assessment.
• Expected behaviour: The unapproved external template is blocked from deployment. The assessed and approved external template deploys normally.
• Pass criteria: External templates cannot be deployed without a completed assessment. The assessment record is linked to the template's provenance.
• Fail criteria: An external template deploys without assessment, or the assessment is not linked to the provenance record.

Test 8.4: Orphan Template Detection

• Stimulus: Remove the designated owner from 3 active templates (simulating personnel departure). Verify that the system detects the orphaned templates.
• Expected behaviour: The system identifies the 3 templates as orphaned (active templates without a current owner) and generates alerts or flags for ownership reassignment.
• Pass criteria: All 3 orphaned templates are detected within the defined monitoring cycle. Reassignment alerts are generated.
• Fail criteria: Any orphaned template is not detected, or no alert is generated.

Test 8.5: Periodic Review Compliance

• Stimulus: Set a quarterly review schedule for 10 templates. Advance the clock past the review due date for 5 of them without performing the review. Verify that overdue reviews are flagged.
• Expected behaviour: The 5 overdue templates are flagged as requiring review. The 5 current templates are not flagged.
• Pass criteria: All overdue templates are flagged. No current templates are incorrectly flagged.
• Fail criteria: Any overdue template is not flagged, or any current template is incorrectly flagged.

Test 8.6: Deployment Mapping Accuracy

• Stimulus: Deploy a template to 3 agents. Retire the template. Verify that the deployment map accurately reflects the 3 agents and that retirement triggers notification to all deploying agents.
• Expected behaviour: The deployment map shows all 3 agents. Retirement triggers notifications to all 3 agents' operators, indicating that an active template has been retired and requires replacement.
• Pass criteria: Deployment map is accurate. Retirement notifications reach all deploying agents' operators.
• Fail criteria: Deployment map is inaccurate, or retirement does not trigger notifications.

Conformance Scoring

• Score 0: No provenance tracking exists — prompt templates are created, shared, and deployed without documentation of origin, approval, or lineage.
• Score 1: Basic provenance metadata is maintained (author, date, status) but lineage tracking, deployment mapping, and periodic reviews are not implemented.
• Score 2: A centralised registry with full provenance metadata, lineage tracking, deployment mapping, and periodic reviews is operational. External source assessments are documented. Every template has an assigned owner.
• Score 3: Verified through independent audit confirming provenance completeness, lineage accuracy, and deployment mapping across all active templates. Template signing provides cryptographic integrity. Real-time monitoring identifies orphans, overdue reviews, and unassessed external sources.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 11 (Technical Documentation)	Direct requirement
EU AI Act	Article 17 (Quality Management System)	Direct requirement
SOX	Section 404 (Internal Controls Over Financial Reporting)	Supports compliance
FCA SYSC	6.1.1R (Systems and Controls)	Supports compliance
NIST AI RMF	GOVERN 1.4, MAP 3.2	Supports compliance
ISO 42001	Clause 7.5 (Documented Information)	Direct requirement
DORA	Article 8 (ICT Risk Management — Asset Management)	Supports compliance

EU AI Act — Article 11 (Technical Documentation)

Article 11 requires providers of high-risk AI systems to maintain technical documentation that includes a description of the system's development and how it functions. For AI agents, prompt templates are a core component of how the system functions — they define behaviour, constraints, and operational parameters. The provenance of these templates (who created them, on what basis, with what approval) is part of the technical documentation required under Article 11. Without provenance, the technical documentation is incomplete.

EU AI Act — Article 17 (Quality Management System)

Article 17 requires quality management procedures for the design, development, and modification of AI systems. Prompt template management — including creation, approval, modification, and retirement — falls within this scope. Provenance tracking provides the traceability that the quality management system requires.

ISO 42001 — Clause 7.5 (Documented Information)

Clause 7.5 requires organisations to maintain documented information necessary for the effectiveness of the AI management system. Prompt templates are documented information that directly affects AI system effectiveness. Provenance governance ensures this documentation meets the requirements for identification, description, format, review, and approval.

10. Failure Severity

Field	Value
Severity Rating	Medium
Blast Radius	Organisation-wide where templates are shared across agents — a provenance failure in a widely-used template affects all agents using it or its derivatives

Consequence chain: Without provenance tracking, the organisation operates its AI agents on instructions of unknown origin, untraceable approval, and unmanaged lineage. The immediate technical risk is accountability loss — the organisation cannot identify who is responsible for any given instruction or demonstrate that it was approved. The operational impact includes: regulatory findings for inadequate technical documentation (the £95,000 remediation in Scenario A), bias propagation through unvetted external templates (the 18-point satisfaction decline in Scenario B), and inability to assess the blast radius of template defects (the uncontrolled derivative divergence in Scenario C). The business consequence includes regulatory enforcement for governance failures, reputational damage from bias or inappropriate agent behaviour traceable to unvetted templates, and operational inefficiency from manual impact assessment when automated lineage tracking is absent. The severity increases with the number of agents and the degree of template sharing — organisations with 50+ agents sharing template libraries face significantly higher exposure than those with isolated agent configurations.

Cross-references: AG-005 (Instruction Integrity Verification), AG-095 (Prompt Integrity Governance), AG-122 (Prompt Versioning & Rollback Control), AG-125 (Prompt Drift Detection), AG-127 (Prompt Testing & Validation Governance), AG-359 (Prompt Change Approval Governance), AG-367 (Prompt Variable Injection Validation Governance).