Alert Deduplication Governance

2. Summary

Alert Deduplication Governance requires that systems operating AI agents under governance controls implement structured, auditable mechanisms to deduplicate repetitive alerts without suppressing genuinely novel or escalating incidents. Uncontrolled alert volumes — where thousands of near-identical notifications flood operators within minutes — create alert fatigue that degrades human oversight to the point of non-existence, causing critical governance violations to be ignored or delayed. This dimension mandates that deduplication logic be formally defined, that deduplication decisions be logged and auditable, that suppressed alerts be retrievable for forensic review, and that deduplication rules never permanently silence a category of alert without explicit human authorisation subject to periodic review.

3. Example

Scenario A — Alert Storm Masks a Genuine Exposure Breach: A Financial-Value Agent managing a multi-currency derivatives portfolio encounters a market volatility spike that triggers the exposure-limit warning threshold. The governance layer generates an alert. However, because 6 of the portfolio's 14 currency pairs simultaneously breach their individual warning thresholds, the alerting system generates 847 near-identical "exposure_warning" alerts in 12 minutes — each referencing a slightly different currency pair, timestamp, and exposure figure. The operations team, receiving alerts at a rate of more than one per second, applies a manual blanket mute on the "exposure_warning" category. At minute 19, the aggregate portfolio exposure breaches the hard limit of €50 million, reaching €53.7 million. The hard-limit breach alert is also classified as "exposure_warning" and is suppressed by the blanket mute. The breach persists for 4 hours and 22 minutes until the next scheduled portfolio reconciliation.

What went wrong: No structured deduplication mechanism existed. The operators were forced to choose between drowning in alerts and blanket suppression. The blanket mute did not distinguish between warning-level and breach-level alerts within the same category. No governance control prevented permanent category suppression without review. Consequence: €3.7 million excess exposure for 4+ hours, breach of internal risk limits, regulatory notification required under EMIR margin requirements, €890,000 in additional margin calls, and supervisory finding for inadequate alert management.

Scenario B — Deduplication Logic Silently Merges Distinct Incidents: A Customer-Facing Agent serving an insurance platform generates fairness-monitoring alerts when quote disparities exceed the configured threshold. Two genuinely distinct incidents occur within the same 30-minute window: (1) a pricing model update causes systematic overpricing for customers aged 60-65 by 12%, and (2) a separate data-quality issue causes postcodes in three regions to be mapped to incorrect risk zones, affecting customers of all ages. Both incidents generate alerts with the category "fairness_disparity." The deduplication system, configured to merge alerts with matching categories within a 30-minute window, merges the 23 alerts from incident 1 and the 31 alerts from incident 2 into a single deduplicated alert. The operations team investigates the pricing model issue (incident 1), resolves it, and closes the deduplicated alert. Incident 2 is never investigated. Over the next 11 days, 4,200 customers in the affected postcodes receive incorrect quotes.

What went wrong: The deduplication logic used category matching alone without considering distinguishing attributes (root cause, affected population, geographic scope). Merging distinct incidents into a single alert caused one incident to be lost when the other was resolved. No post-resolution verification checked whether all merged alerts shared a common root cause. Consequence: 4,200 incorrect quotes, £1.6 million in customer remediation, FCA complaint for inadequate systems and controls, and 6-month remediation programme.

Scenario C — Alert Fatigue Causes Safety-Critical Escalation Delay: An Embodied / Edge / Robotic Agent operating a warehouse logistics system generates collision-avoidance alerts when sensor readings indicate proximity violations. A faulty proximity sensor on Bay 7 generates 2,300 false-positive collision alerts per hour — each referencing Bay 7 with slightly varying proximity readings. The operations team, overwhelmed by the volume, reduces the alert severity for all collision-avoidance alerts from "critical" to "informational" across the entire facility. Two hours later, a genuine collision event occurs in Bay 12. The collision-avoidance alert for Bay 12 is generated at "informational" severity and is not reviewed for 47 minutes. During this period, the robotic agent continues operating in Bay 12 with a damaged sensor array, creating ongoing collision risk for warehouse personnel.

What went wrong: No deduplication mechanism existed to consolidate the Bay 7 false positives into a single ongoing alert, so operators resorted to severity downgrade across all bays. The severity change was applied globally rather than scoped to the specific source. No governance control prevented severity downgrade of safety-critical alert categories without compensating controls. Consequence: 47-minute delay in responding to a genuine safety event, near-miss incident with warehouse personnel, HSE investigation, facility operations suspended for 48 hours pending safety review, £680,000 in lost productivity and investigation costs.

4. Requirement Statement

Scope: This dimension applies to every system that generates governance-related alerts for AI agent operations, including but not limited to: compliance violation alerts, threshold-breach alerts, behavioural-drift alerts, security alerts, performance degradation alerts, and escalation triggers. The scope encompasses the deduplication logic, the rules governing how alerts are grouped and suppressed, the auditability of deduplication decisions, the recoverability of suppressed alerts, and the governance controls over deduplication rule changes. Systems that delegate alerting to third-party platforms remain responsible for ensuring those platforms' deduplication mechanisms conform to these requirements. The dimension does not prohibit deduplication — it mandates that deduplication be governed, transparent, and reversible. Organisations that choose not to implement deduplication must demonstrate that their alert volumes do not create fatigue conditions that impair human oversight, per AG-019.

4.1. A conforming system MUST implement a formally defined deduplication policy that specifies: the attributes used to determine alert similarity, the time window within which similar alerts are grouped, the maximum number of alerts that may be suppressed per group before mandatory re-alerting, and the conditions under which deduplication is bypassed entirely.

4.2. A conforming system MUST log every deduplication decision, recording: the original alert identifiers that were grouped, the attributes that matched, the deduplication rule applied, the timestamp of the decision, and the identifier of the surviving (representative) alert. These logs MUST be retained for the same period as governance telemetry records.

4.3. A conforming system MUST ensure that all alerts suppressed by deduplication remain retrievable for forensic review and audit, with their full original content intact, for the retention period defined in the evidence requirements.

4.4. A conforming system MUST implement a severity-escalation bypass such that any increase in severity level within a deduplicated group — for example, a warning-level alert followed by a breach-level alert on the same topic — immediately breaks the deduplication group and surfaces the higher-severity alert as a new, independent notification.

4.5. A conforming system MUST implement a maximum suppression duration for any deduplicated alert group, not exceeding 60 minutes for Safety-Critical / CPS Agent alerts and 240 minutes for all other profiles, after which the system MUST re-emit a summary alert regardless of whether new instances of the alert continue to occur.

4.6. A conforming system MUST require explicit human authorisation, logged with the authoriser's identity and justification, before any deduplication rule can suppress an entire alert category (as opposed to grouping individual instances). Such category-level suppressions MUST have a defined expiry not exceeding 24 hours and MUST be reviewed for renewal.

4.7. A conforming system MUST use at least three distinguishing attributes beyond alert category when determining similarity for deduplication — for example, source component, affected entity, geographic scope, root-cause indicator, or numeric threshold value — to prevent merging of distinct incidents that share a category label.

4.8. A conforming system MUST generate a periodic deduplication effectiveness report (at least weekly) showing: total alerts generated, total alerts deduplicated, deduplication ratio per alert category, number of severity-escalation bypasses triggered, number of category-level suppressions active, and any categories where deduplication ratio exceeds 95% (indicating a potential underlying issue requiring investigation rather than continued deduplication).

4.9. A conforming system SHOULD implement adaptive deduplication windows that automatically shorten when alert velocity within a category exceeds a defined threshold, ensuring that rapid-onset incidents are detected faster even during alert storms.

4.10. A conforming system SHOULD correlate deduplicated alerts with root-cause identifiers so that resolution of a root cause automatically resolves all alerts in the corresponding group, and failure to resolve the root cause triggers re-alerting when the group's suppression duration expires.

4.11. A conforming system MAY implement machine-learning-assisted similarity detection for alert deduplication, provided that the similarity model's decisions are explainable, auditable, and subject to the same logging requirements as rule-based deduplication, and that a human-reviewable explanation is attached to each grouping decision.

5. Rationale

Alert fatigue is one of the most well-documented and persistent failure modes in operational monitoring. Research across healthcare, cybersecurity, and industrial safety consistently shows that when alert volumes exceed human processing capacity, operators begin ignoring alerts — not selectively, but categorically. A study of clinical alert systems found that override rates exceed 90% when daily alert volumes surpass 100 per clinician. The same dynamic applies to AI agent governance: when a single governance violation triggers hundreds of repetitive alerts, the human oversight function mandated by AG-019 is effectively defeated by the alerting system itself.

The problem is compounded by the characteristics of AI agent operations. Agents operate continuously, often processing thousands of transactions per hour. A single misconfiguration or environmental change can trigger a cascade of near-identical governance alerts — each technically correct but collectively overwhelming. Without deduplication, the alerting system punishes operators for paying attention: the more diligently an operator reads alerts, the less time they have to respond to any of them. The rational operator response — learned helplessness leading to blanket suppression — is precisely the failure mode that governance controls are designed to prevent.

However, naive deduplication introduces its own risks. If deduplication logic is too aggressive, distinct incidents are merged, and resolving one incident silently closes the other. If deduplication is not auditable, forensic investigation cannot determine what was suppressed or why. If deduplication rules can be modified without governance controls, they become an attack vector — an adversary can configure deduplication rules to suppress evidence of their activity. And if deduplication can permanently silence an alert category, it creates a blind spot that persists until the suppression is explicitly reviewed and renewed.

The regulatory context reinforces the need for governed deduplication. The EU AI Act Article 14 requires effective human oversight of high-risk AI systems; an alerting system that overwhelms its human operators does not provide effective oversight. DORA Article 10 requires prompt detection of anomalous activities; prompt detection is impossible when genuine anomalies are buried in thousands of repetitive alerts. FCA SYSC 6.1.1R requires adequate systems and controls; an alerting system that routinely induces blanket suppression is not adequate. SOX Section 404 requires effective internal controls; alert-fatigue-induced oversight failures represent a control deficiency.

The specific numerical parameters in this dimension — 60-minute and 240-minute maximum suppression durations, 24-hour maximum for category-level suppressions, three-attribute minimum for similarity determination, 95% deduplication ratio threshold — are calibrated against operational experience. The suppression durations balance the need to reduce noise against the risk of sustained blindness. The 24-hour expiry for category suppressions ensures that no alert category is permanently silenced without periodic human review. The three-attribute minimum addresses the Scenario B failure mode where category-only matching merges distinct incidents. The 95% threshold flags categories where the volume of alerts suggests an underlying issue that deduplication is masking rather than managing — a symptom being treated as a diagnosis.

6. Implementation Guidance

Alert deduplication should be implemented as a distinct, configurable layer in the alerting pipeline — positioned between the alert generation layer (which emits raw alerts) and the alert presentation layer (which delivers alerts to operators and automated responders). The deduplication layer receives raw alerts, applies grouping logic, and emits either individual alerts or group summaries. All raw alerts pass through to the audit log regardless of deduplication decisions, ensuring forensic recoverability.

Recommended patterns:

• Multi-attribute fingerprinting. Compute a deduplication fingerprint for each alert based on a configurable set of attributes: alert category, source component, affected entity, severity level, and one or more domain-specific attributes. Alerts with identical fingerprints within the deduplication window are grouped. The fingerprint algorithm must be deterministic and documented, so that any alert's group membership can be independently verified from the raw alert data.
• Sliding-window grouping with cardinality limits. Maintain a sliding time window for each active deduplication group. New alerts matching the group's fingerprint extend the window up to the maximum suppression duration. Emit a group summary when: the window closes (no new matching alerts), the maximum suppression duration is reached, or the group's cardinality (number of suppressed alerts) reaches a configurable threshold (e.g., 500 alerts per group). The cardinality limit ensures that high-volume alert storms produce periodic summaries rather than unbounded suppression.
• Severity-break injection. When the deduplication layer receives an alert whose fingerprint matches an active group but whose severity is higher than the group's current maximum severity, immediately close the existing group and emit both a group summary for the prior period and the new higher-severity alert as an independent notification. This ensures that escalations within a topic are never suppressed by prior lower-severity alerts on the same topic.
• Suppression-expiry alerting. When a deduplication group reaches its maximum suppression duration, emit a summary alert that includes: the count of suppressed alerts, the time span covered, the fingerprint attributes, and a flag indicating that the underlying condition may persist. This summary serves as both an operational notification and an audit record that the deduplication system is functioning within its governance parameters.
• Root-cause tagging. Where root-cause analysis is available (either automated or operator-annotated), attach root-cause identifiers to deduplication groups. When an operator resolves a root cause, automatically resolve all groups tagged with that root cause. When a group's suppression expires without root-cause resolution, re-emit the alert with an annotation indicating that the condition persists unresolved.

Anti-patterns to avoid:

• Category-only deduplication. Grouping alerts solely by category name without considering source, affected entity, or other distinguishing attributes. This is the direct cause of Scenario B — distinct incidents merged because they share a category label. The three-attribute minimum in Requirement 4.7 explicitly prohibits this pattern.
• Unbounded suppression windows. Deduplication groups that remain active indefinitely as long as matching alerts continue to arrive. This creates permanent blind spots for persistent conditions. The maximum suppression duration in Requirement 4.5 prevents this.
• Operator-initiated blanket mutes without governance controls. Allowing operators to silence entire alert categories without time limits, justification requirements, or review cadences. This converts a deduplication mechanism into a suppression mechanism. Requirement 4.6 mandates governance controls for category-level suppressions.
• Deduplication without logging. Implementing deduplication logic that discards suppressed alerts or does not record grouping decisions. This makes forensic reconstruction impossible and violates the audit trail requirements of 4.2 and 4.3.
• Static deduplication windows for all alert types. Using the same time window for all alert categories regardless of their operational characteristics. A 30-minute window may be appropriate for infrastructure health alerts but dangerously long for real-time trading compliance alerts. Deduplication windows should be configurable per alert category.
• Deduplication applied to human-escalation triggers. Deduplicating alerts that are specifically designated as human escalation triggers under AG-019. Escalation triggers represent governance's demand for human attention and should not be subject to suppression. If escalation triggers are generating excessive volume, the underlying issue must be addressed rather than the symptoms deduplicated.

Industry Considerations

Financial services organisations operating under MiFID II or EMIR face specific alert-management requirements related to transaction monitoring and position reporting. Deduplication logic for financial-value alerts must preserve the ability to reconstruct every individual threshold breach for regulatory reporting — deduplication at the operator notification layer must not affect the completeness of regulatory data feeds. Crypto and Web3 agents may generate alerts at extremely high velocity during on-chain congestion events; deduplication windows for blockchain-event-driven alerts should be calibrated to block times rather than wall-clock time. Safety-Critical / CPS Agents in healthcare, manufacturing, or transport contexts must ensure that deduplication logic is validated as part of the safety case — deduplication that suppresses a genuine safety alert may constitute a safety-related failure. Public Sector / Rights-Sensitive Agents must ensure that deduplication of rights-related alerts (fairness violations, bias detections, access-denial patterns) does not obscure systemic issues; the 95% deduplication ratio threshold in Requirement 4.8 serves as a canary for this risk.

Maturity Model

Basic Implementation — The organisation has implemented a formally defined deduplication policy with documented similarity attributes and time windows. Deduplication decisions are logged. Suppressed alerts are retained and retrievable. Severity-escalation bypasses are implemented. Maximum suppression durations are enforced. Category-level suppressions require human authorisation with 24-hour expiry. A weekly deduplication effectiveness report is generated manually or semi-automatically.

Intermediate Implementation — All basic capabilities plus: multi-attribute fingerprinting uses at least three distinguishing attributes beyond category. Deduplication windows are configurable per alert category. Adaptive window shortening activates during alert storms. Root-cause tagging links deduplication groups to incident records. Deduplication effectiveness reports are generated automatically and include trend analysis. Deduplication rules are version-controlled with change-history tracking.

Advanced Implementation — All intermediate capabilities plus: deduplication logic is integrated with the incident management pipeline, automatically resolving alert groups when root causes are resolved. Deduplication effectiveness is independently audited annually. Simulation capabilities allow modelling the impact of proposed deduplication rule changes against historical alert data. Cross-system deduplication correlates alerts from multiple agents to detect organisation-wide patterns. Deduplication performance is benchmarked against alert-fatigue metrics (operator response times, override rates, escalation delays).

7. Evidence Requirements

Required artefacts:

• Deduplication policy document. The formally defined deduplication policy, including: similarity attributes per alert category, time window configurations, maximum suppression durations, severity-escalation bypass rules, and category-level suppression governance procedures. Must be versioned with change history.
• Deduplication decision logs. Complete logs of every deduplication decision, showing original alert identifiers, matching attributes, applied rule, decision timestamp, and surviving alert identifier. Must cover all alerts processed through the deduplication layer.
• Suppressed alert archive. Full content of all alerts suppressed by deduplication, stored in a format that preserves original content, timestamps, and metadata. Must be searchable and retrievable for forensic investigation.
• Category-level suppression authorisation records. Records of every category-level suppression authorisation, including authoriser identity, justification, expiry time, and renewal history. Must demonstrate compliance with 4.6.
• Deduplication effectiveness reports. Weekly reports showing alert volumes, deduplication ratios, severity-escalation bypass counts, and categories exceeding the 95% deduplication threshold. Must cover at least the most recent 90 days.
• Deduplication rule change history. Version-controlled history of all changes to deduplication rules, including who made the change, when, and why. Must demonstrate that rules are not modified without appropriate authorisation.

Retention requirements:

• Deduplication decision logs and suppressed alert archives: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.
• Deduplication effectiveness reports: minimum 3 years for all sectors.
• Policy documents and rule change history: current version plus all prior versions for the retention period above.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Suppressed alert archives must be queryable by time range, alert category, source component, and affected entity.

8. Test Specification

Test 8.1: Deduplication Grouping Correctness

• Stimulus: Generate 100 alerts with identical fingerprints (same category, source, affected entity, and severity) within the configured deduplication window. Simultaneously generate 10 alerts with the same category but different source components.
• Expected behaviour: The 100 identical-fingerprint alerts are grouped into a single deduplication group. The 10 alerts with different sources are not merged into the same group.
• Pass criteria: Exactly one deduplication group contains the 100 matching alerts. The 10 different-source alerts are either in separate groups or presented individually. Deduplication decision logs exist for all 110 alerts.
• Fail criteria: Alerts with different fingerprints are incorrectly merged into the same group, or alerts with identical fingerprints are not grouped, or deduplication decision logs are missing for any alert.

Test 8.2: Severity-Escalation Bypass

• Stimulus: Generate 20 "warning"-severity alerts with identical fingerprints within the deduplication window, forming a group. Then generate 1 "critical"-severity alert with the same fingerprint attributes except severity.
• Expected behaviour: The critical-severity alert breaks the deduplication group and is surfaced as an independent notification. A group summary for the 20 prior warnings is also emitted.
• Pass criteria: The critical alert is delivered independently within 60 seconds of generation. A group summary for the prior warnings exists. The deduplication log records the severity-escalation bypass event.
• Fail criteria: The critical alert is suppressed or merged into the existing warning-level group, or no severity-escalation bypass event is logged.

Test 8.3: Maximum Suppression Duration Enforcement

• Stimulus: Generate a continuous stream of identical-fingerprint alerts at a rate of 10 per minute for a duration exceeding the maximum suppression window (60 minutes for Safety-Critical / CPS, 240 minutes for others). Monitor for summary alert emission.
• Expected behaviour: A summary alert is emitted when the maximum suppression duration is reached, regardless of the continuing alert stream. The summary includes the count of suppressed alerts and the time span covered.
• Pass criteria: Summary alert emitted within 5 minutes of the maximum suppression duration expiry. Summary contains accurate count and time span. A new deduplication group begins after the summary.
• Fail criteria: No summary alert is emitted, summary is emitted more than 5 minutes late, or the suppression continues beyond the maximum duration without a summary.

Test 8.4: Category-Level Suppression Governance

• Stimulus: Attempt to suppress an entire alert category through three methods: (a) without human authorisation, (b) with human authorisation but no justification, (c) with human authorisation, justification, and a 24-hour expiry. After 24 hours, verify that method (c) suppression has expired.
• Expected behaviour: Methods (a) and (b) are rejected. Method (c) is accepted. After 24 hours, the suppression expires and alerts in that category resume delivery.
• Pass criteria: Methods (a) and (b) are rejected with appropriate error messages. Method (c) is accepted and logged with authoriser identity, justification, and expiry. After 24 hours (plus a 5-minute grace period), alerts in the category are delivered normally.
• Fail criteria: Category suppression is accepted without authorisation or justification, or the suppression persists beyond 24 hours without renewal.

Test 8.5: Suppressed Alert Forensic Recoverability

• Stimulus: Generate 500 alerts that are deduplicated into 5 groups of 100. After deduplication, query the suppressed alert archive for the full content of all 500 original alerts using time range and category filters.
• Expected behaviour: All 500 original alerts are retrievable with full content intact, including original timestamps, alert bodies, source identifiers, and severity levels.
• Pass criteria: 500 alerts retrieved. Each alert's content matches the original generation parameters. Retrieval query returns results within 30 seconds.
• Fail criteria: Any suppressed alert is not retrievable, any alert's content is truncated or modified, or the archive is not queryable by the specified filter dimensions.

Test 8.6: Multi-Attribute Similarity Enforcement

• Stimulus: Configure a deduplication rule that uses only alert category as the similarity attribute (violating Requirement 4.7). Attempt to activate the rule.
• Expected behaviour: The system rejects the rule or flags it as non-conformant, requiring at least three distinguishing attributes beyond category.
• Pass criteria: The single-attribute rule is rejected or flagged. The rejection message references the minimum attribute requirement. The rule does not become active.
• Fail criteria: The single-attribute rule is accepted and activates without warning.

Test 8.7: Deduplication Effectiveness Reporting

• Stimulus: Operate the deduplication system for one full week with known alert volumes and deduplication activity. Retrieve the weekly effectiveness report and verify its contents.
• Expected behaviour: The report contains: total alerts generated, total alerts deduplicated, deduplication ratio per alert category, severity-escalation bypass count, active category-level suppressions, and any categories exceeding the 95% deduplication ratio threshold.
• Pass criteria: Report exists and is generated within 24 hours of the week's end. All six required data categories are present with values consistent with the known operational activity. Categories exceeding 95% deduplication are explicitly flagged.
• Fail criteria: Report is missing, is generated more than 24 hours late, omits any required data category, or fails to flag categories exceeding the 95% threshold.

Conformance Scoring

• Score 0: No deduplication governance exists — either no deduplication is implemented (operators receive raw alert volumes without grouping) or deduplication operates without formal policy, logging, or oversight, creating ungoverned suppression of governance signals.
• Score 1: A deduplication policy exists and is documented. Deduplication decisions are logged. Suppressed alerts are retained. However, severity-escalation bypass is not implemented, maximum suppression durations are not enforced, or category-level suppressions lack governance controls.
• Score 2: The deduplication system implements all MUST requirements: multi-attribute fingerprinting, severity-escalation bypass, maximum suppression duration enforcement, governed category-level suppressions, forensic recoverability, deduplication decision logging, and weekly effectiveness reporting. Deduplication rules are version-controlled.
• Score 3: Verified by independent audit — an independent party has validated deduplication logic correctness, severity-escalation bypass effectiveness, suppression duration enforcement, forensic recoverability, and reporting accuracy. Adaptive deduplication windows and root-cause correlation are operational. Deduplication performance is benchmarked against alert-fatigue metrics.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 14 (Human Oversight)	Supports compliance
EU AI Act	Article 9 (Risk Management System)	Supports compliance
SOX	Section 404 (Internal Controls)	Supports compliance
FCA SYSC	SYSC 6.1.1R (Systems and Controls)	Supports compliance
NIST AI RMF	GOVERN 1.5 (Ongoing Monitoring)	Supports compliance
ISO 42001	Clause 9.1 (Monitoring, Measurement, Analysis)	Supports compliance
DORA	Article 10 (Detection)	Direct requirement

EU AI Act — Article 14 (Human Oversight)

Article 14 requires that high-risk AI systems be designed to allow effective human oversight during the period of use, including the ability for human overseers to correctly understand the system's capacities and limitations and to be able to decide not to use or to interrupt the system. An alerting system that overwhelms human overseers with thousands of repetitive alerts directly undermines Article 14's requirements. If the human overseer cannot distinguish between a genuine escalation and the 847th repetition of a known warning, effective oversight does not exist regardless of the technical capabilities provided. AG-414 ensures that deduplication preserves the human overseer's ability to process alerts effectively while guaranteeing that genuinely novel or escalating conditions are surfaced independently.

SOX — Section 404 (Internal Controls)

For organisations subject to SOX where AI agents participate in financial reporting processes, the alert management system is an internal control. Alert fatigue that causes operators to blanket-suppress governance alerts constitutes a control deficiency — the control exists but is not operating effectively. AG-414's governed deduplication ensures that the alerting control remains operationally effective by preventing the volume-induced override behaviour that would otherwise render it a paper control.

FCA SYSC — SYSC 6.1.1R

SYSC 6.1.1R requires adequate systems and controls. An alerting system that routinely generates volumes exceeding human processing capacity is not adequate. The FCA has issued enforcement actions against firms where alert volumes caused monitoring failures — the root cause was not absence of monitoring but absence of effective alert management. AG-414 directly addresses this by requiring that deduplication maintain the signal-to-noise ratio necessary for effective human monitoring.

NIST AI RMF — GOVERN 1.5

GOVERN 1.5 addresses ongoing monitoring of AI systems. Effective ongoing monitoring requires that monitoring outputs (alerts) are actionable by human operators. The NIST framework's emphasis on human-AI teaming implicitly requires that AI-generated alerts be structured for human consumption. AG-414's deduplication governance ensures that monitoring outputs remain within the bounds of human cognitive processing capacity, supporting the ongoing monitoring function that GOVERN 1.5 requires.

ISO 42001 — Clause 9.1

Clause 9.1 requires organisations to determine the methods for monitoring, measurement, analysis, and evaluation to ensure valid results. An alerting system where 95% of alerts are ignored due to volume does not produce valid results — it produces results that are systematically disregarded. AG-414 ensures that the monitoring method (alerting) produces outputs that are actually consumed and acted upon, satisfying the "valid results" requirement of Clause 9.1.

DORA — Article 10 (Detection)

DORA Article 10 requires financial entities to have mechanisms for the prompt detection of anomalous activities, including ICT-related incidents. Alert fatigue is a direct impediment to prompt detection — when operators ignore alerts due to volume, detection latency becomes unbounded. AG-414's requirements for maximum suppression durations, severity-escalation bypasses, and periodic summary re-alerting ensure that DORA's "prompt detection" standard is maintained even during high-volume alert conditions. The maximum suppression durations (60 minutes for safety-critical, 240 minutes for others) provide concrete upper bounds on detection latency that can be demonstrated to regulators.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Cross-agent — affects human oversight effectiveness for all agents whose alerts pass through the deduplication layer

Consequence chain: When alert deduplication governance fails, one of two outcomes occurs, both damaging. In the first outcome (no deduplication), alert volumes overwhelm operators, inducing alert fatigue that causes blanket suppression or systematic ignoring of governance alerts. This transforms the human oversight function from an active safety mechanism into a passive rubber stamp — operators nominally exist in the loop but functionally do not process governance signals. Any governance violation that generates an alert during a fatigue period goes unaddressed. In the second outcome (ungoverned deduplication), overly aggressive or misconfigured deduplication logic silently merges distinct incidents, suppresses escalating conditions, or permanently silences entire alert categories. This creates false confidence — operators believe that the low alert volume reflects low incident rates, when it actually reflects high suppression rates. The downstream consequence in both cases is delayed or absent human response to governance violations. For Financial-Value Agents, this maps to undetected exposure breaches and regulatory findings. For Safety-Critical / CPS Agents, this maps to undetected safety constraint violations and potential physical harm. For Customer-Facing Agents, this maps to undetected fairness violations and customer harm at scale. The blast radius is cross-agent because a shared alerting infrastructure typically serves multiple agents, and fatigue or misconfiguration affects all agents simultaneously. Recovery requires not only fixing the deduplication logic but also retrospectively reviewing all alerts during the affected period to identify any incidents that were suppressed or ignored — a forensic exercise that requires the suppressed alert archive mandated by Requirement 4.3.

Cross-references: AG-409 (Critical Event Taxonomy Governance) defines the event categories that the deduplication system must handle, providing the taxonomy of alert types referenced in deduplication rules. AG-019 (Human Escalation & Override Triggers) defines the escalation triggers that must not be subject to deduplication suppression. AG-413 (Observer-of-Observer Integrity Governance) ensures that the deduplication layer itself is monitored by an independent meta-observer — a deduplication system that silently drops alerts without logging is a meta-observation failure. AG-417 (Telemetry Sampling Bias Governance) addresses sampling decisions that occur upstream of deduplication and may interact with deduplication ratios. AG-418 (Cross-System Trace Correlation Governance) enables cross-agent alert correlation that supports more accurate deduplication by linking alerts to shared root causes. AG-383 (Runtime Scheduler Fairness Governance) interacts with deduplication when scheduling-related alerts are generated at high volume during resource contention events. AG-022 (Behavioural Drift Detection) generates alerts that must be handled carefully by the deduplication layer — drift alerts with similar signatures may represent a single drift event or multiple independent drift vectors. AG-004 (Action Rate Governance) generates rate-limit alerts that are particularly prone to high-volume storms during burst conditions and benefit significantly from governed deduplication.