Maintainer Trust and Project Health Governance

2. Summary

Maintainer Trust and Project Health Governance requires that organisations deploying AI agents systematically assess and continuously monitor the governance health, maintainer trustworthiness, and sustainability of critical open-source projects upon which their agents depend. An AI agent's security posture, reliability, and long-term viability are directly constrained by the health of its upstream dependencies — a project with a single anonymous maintainer, no security disclosure process, no code review practices, and declining commit activity represents a fundamentally different risk profile than a project with a diverse maintainer team, published security policy, enforced code review, and active community engagement. This dimension mandates that project health assessment is a formal, evidence-based, and continuously updated governance function, not an informal or one-time evaluation performed at initial adoption.

3. Example

Scenario A — Single-Maintainer Burnout Causes Critical Vulnerability Exposure: An enterprise workflow agent relies on an open-source serialisation library used to parse structured data from 23 upstream data sources. The library has 4.7 million weekly downloads across the ecosystem and is maintained by a single individual. The maintainer has been the sole committer for 6 years. In March 2025, the maintainer posts a message on the project's issue tracker: "I can no longer maintain this project. I have not reviewed pull requests in 4 months. Please fork if you need active maintenance." At this point, 3 unpatched security vulnerabilities exist in the issue tracker, including one rated CVSS 8.6 (high) that allows arbitrary code execution through crafted input. The enterprise discovers the abandonment 47 days after the maintainer's announcement — during a routine quarterly review rather than through any automated monitoring. By this time, two of the three vulnerabilities have been publicly disclosed with proof-of-concept exploits. The enterprise's 23 data source integrations all use the vulnerable library. Patching requires forking the library, applying fixes, testing across all 23 integrations, and redeploying. Total remediation takes 6 weeks and costs £310,000 in engineering effort. During the 47-day detection gap, the agent processed 1.2 million data records through the vulnerable serialisation path.

What went wrong: No maintainer health monitoring existed. The single-maintainer risk was never assessed. The 4-month gap in pull request reviews — a clear leading indicator of project distress — was not detected. The organisation had no alerting for maintainer activity decline, no threshold for acceptable bus-factor risk, and no contingency plan for dependency abandonment.

Scenario B — Compromised Maintainer Account Injects Malicious Code: A customer-facing AI agent for an insurance company uses an open-source natural language processing toolkit for claim document analysis. The toolkit has 12 listed contributors, but code review shows that one maintainer has merge authority and has authored 84% of commits in the past year. The maintainer's account credentials are compromised through a phishing attack. The attacker pushes a commit that adds a data exfiltration function disguised as a telemetry module — claim documents processed by the toolkit are silently copied to an external endpoint. The compromised version is published as a routine patch release (version 2.14.3). The insurance company's automated dependency update pipeline pulls the new version and deploys it within 48 hours. The exfiltration operates for 19 days before a security researcher discovers the malicious code and publishes an advisory. During those 19 days, 34,000 insurance claim documents containing personally identifiable information, medical records, and financial details are exfiltrated. The data breach notification costs £2.1 million, regulatory fines total £890,000, and customer remediation costs £1.4 million.

What went wrong: The project appeared healthy by download count and contributor list but had a single point of failure: one maintainer with unilateral merge authority and no enforced code review on maintainer commits. The project had no signed commits, no branch protection requiring multiple approvals, and no reproducible build process that would have detected the injected code. The organisation's health assessment — if one existed — did not evaluate maintainer account security practices, code review enforcement, or commit signing. The automated dependency update pipeline trusted the upstream project implicitly.

Scenario C — Governance Vacuum After Corporate Sponsor Withdrawal: A financial-value AI agent uses an open-source machine learning inference engine originally developed and maintained by a well-funded technology company. The company contributed 90% of commits and employed 8 of the project's 11 core maintainers. The company undergoes a strategic pivot and announces it will cease development of the inference engine, redirecting engineering resources to a proprietary product. The 8 company-employed maintainers stop contributing within 60 days. The remaining 3 community maintainers lack the expertise and capacity to maintain the engine's performance-critical optimisation layers. Within 6 months, the project has no new releases, 147 open issues with no responses, and 3 known performance regressions that affect the financial agent's latency. The financial agent's response time degrades from 120ms to 890ms, causing timeout failures in 12% of trading decisions. The organisation initiates a migration to an alternative inference engine, which requires 5 months of engineering work and £520,000 in development costs, plus £180,000 in additional infrastructure costs during the transition period due to running parallel systems.

What went wrong: The organisation did not assess the project's governance concentration — 90% of contributions from a single corporate sponsor created existential dependency on that sponsor's continued commitment. The 8-of-11 maintainer concentration was a quantifiable risk signal that was never measured. No early-warning monitoring detected the sponsor withdrawal announcement. No contingency plan existed for inference engine migration. The 6-month degradation period could have been reduced to 2 months with proactive monitoring and pre-identified alternative components.

4. Requirement Statement

Scope: This dimension applies to every AI agent deployment that depends on open-source software components in its operational stack — inference engines, model serving frameworks, orchestration libraries, database drivers, API clients, data processing libraries, cryptographic modules, serialisation libraries, and any other component where the source code is maintained by an external community or individual rather than the deploying organisation. The scope includes both direct dependencies and critical transitive dependencies. A transitive dependency is "critical" if its failure, compromise, or abandonment would affect the agent's core functionality, security posture, or regulatory compliance. The threshold for "critical" should be defined by the organisation but must at minimum include: any component that processes untrusted input, any component involved in security functions (authentication, encryption, access control), any component whose failure would halt agent operation, and any component with known CVE history. Organisations must identify their critical dependencies as a precondition to applying this dimension.

4.1. A conforming system MUST maintain a health assessment for every critical open-source dependency, evaluating at minimum: maintainer count and diversity (bus-factor analysis), commit activity trends over the trailing 12 months, issue and pull request responsiveness (median time to first response, median time to resolution), security disclosure process existence and adequacy, code review enforcement (whether all changes require peer review before merge), and release cadence and recency.

4.2. A conforming system MUST define quantitative thresholds for each health metric that trigger escalation when breached, including at minimum: a minimum acceptable bus-factor (recommended: 2 or more active maintainers with merge authority), a maximum acceptable period without commits (recommended: 90 days), a maximum acceptable median issue response time (recommended: 30 days), and a binary requirement for a published security policy (SECURITY.md or equivalent).

4.3. A conforming system MUST implement continuous monitoring of health metrics for all critical dependencies, with automated alerting when any threshold is breached, and MUST evaluate health metrics no less frequently than every 30 days.

4.4. A conforming system MUST assess the governance structure of critical dependencies, including: whether the project has a documented governance model, whether merge authority is distributed across multiple independent individuals or entities, whether the project has a code of conduct and conflict resolution process, and whether the project is backed by a foundation, corporate sponsor, or individual maintainers — with the concentration risk of each model documented.

4.5. A conforming system MUST maintain a contingency plan for each critical dependency that specifies: the trigger conditions for activating the contingency (e.g., project abandonment, maintainer compromise, security vulnerability with no upstream fix within defined SLA), the alternative component or mitigation strategy, the estimated migration effort and timeline, and the interim risk acceptance or mitigation measures during migration.

4.6. A conforming system MUST evaluate maintainer account security practices for critical dependencies, including at minimum: whether maintainers use multi-factor authentication on the hosting platform, whether commits are cryptographically signed, whether branch protection rules require multiple approvals for merges to release branches, and whether the project supports or requires reproducible builds.

4.7. A conforming system SHOULD implement automated dependency update policies that are conditional on project health — updates from projects meeting all health thresholds may be auto-merged after automated testing, while updates from projects below any threshold require manual security review before adoption.

4.8. A conforming system SHOULD track the corporate sponsor concentration for critical dependencies, alerting when a single entity contributes more than 70% of commits or employs more than 50% of maintainers, as this indicates elevated abandonment risk if the sponsor's priorities change.

4.9. A conforming system SHOULD participate in or monitor community health signals beyond code metrics, including: mailing list or forum activity, conference presentation frequency, downstream adoption trends, and public statements from maintainers about project direction or sustainability.

4.10. A conforming system MAY contribute to the maintenance of critical upstream dependencies — through direct code contributions, financial sponsorship, or maintainer support — as a risk mitigation strategy that improves the health of projects the organisation depends on.

5. Rationale

The security and reliability of an AI agent are bounded by the weakest link in its dependency chain. An organisation may invest millions in securing its own code, implementing rigorous testing, and deploying sophisticated monitoring — and all of that investment can be negated by a single compromised or abandoned upstream dependency. The open-source ecosystem's greatest strength — broad community participation enabling rapid innovation — is also its greatest governance challenge: there is no SLA, no contractual obligation, and no guaranteed continuity for open-source projects. Maintainers can walk away. Projects can be abandoned. Accounts can be compromised. Corporate sponsors can withdraw.

The scale of this risk is not theoretical. Research by the Linux Foundation and industry surveys consistently show that a significant percentage of open-source projects critical to enterprise infrastructure are maintained by one or two individuals, with no security policy, no code review enforcement, and no governance structure beyond the maintainer's personal commitment. The event-stream incident (2018), the colors.js/faker.js incident (2022), the xz-utils backdoor attempt (2024), and numerous similar events demonstrate that maintainer trust and project health are not abstract concerns — they are operational security requirements.

For AI agents specifically, the risk is amplified by three factors. First, AI agent stacks are dependency-heavy. A typical agent deployment includes inference runtimes, model serving infrastructure, vector databases, embedding libraries, orchestration frameworks, tool-calling interfaces, and monitoring instrumentation — each with its own dependency tree. The aggregate dependency count routinely exceeds 500 packages. Second, AI agents often process sensitive data — financial transactions, personal information, medical records, classified documents — making compromise of any component in the processing chain a high-severity data breach. Third, AI agents increasingly operate autonomously, executing actions with real-world consequences. A compromised dependency in an autonomous financial agent does not merely leak data — it can execute fraudulent transactions.

The preventive control type reflects the reality that project health degradation is a leading indicator, not a lagging one. Commit activity declines before abandonment. Pull request response times increase before security vulnerabilities go unpatched. Maintainer burnout manifests in reduced engagement before it manifests in public abandonment announcements. An organisation that monitors these leading indicators can initiate migration planning months before a crisis, reducing remediation cost by an order of magnitude. The alternative — reacting to abandonment or compromise after the fact — is consistently the most expensive and disruptive outcome.

The regulatory environment increasingly expects supply chain governance. DORA (Article 28) mandates ICT third-party risk management for financial entities. The EU Cyber Resilience Act will impose software supply chain security requirements on products with digital elements. NIST SP 800-218 (Secure Software Development Framework) requires organisations to verify the provenance and integrity of third-party components. Executive Order 14028 (US) mandates SBOMs and supply chain security for software sold to the federal government. AG-490 provides the governance framework that operationalises these regulatory expectations for the specific context of open-source dependencies in AI agent stacks.

6. Implementation Guidance

Maintainer Trust and Project Health Governance requires a systematic approach that combines quantitative health metrics with qualitative governance assessment, continuous monitoring with periodic deep review, and reactive contingency planning with proactive community engagement. The core principle is that dependency on an open-source project is a trust relationship, and trust must be earned through evidence, not assumed by default.

Recommended patterns:

• Automated health scorecard generation. Implement automated tooling that generates a health scorecard for each critical dependency on a defined schedule (recommended: weekly). The scorecard should pull data from the project's hosting platform (commit history, issue tracker, pull request activity, contributor list, branch protection settings) and compute quantitative metrics: bus-factor (number of active maintainers with merge authority in the last 90 days), commit velocity (commits per month, trend direction), issue responsiveness (median time to first response, median time to close), PR review coverage (percentage of merged PRs with at least one reviewer other than the author), and release recency (days since last release). Display scorecards on a dashboard visible to engineering and governance teams.
• Tiered trust classification. Classify critical dependencies into trust tiers based on their health scorecard: Tier 1 (High Trust) — projects meeting all health thresholds, with diverse maintainer base, active governance, and published security policy; Tier 2 (Conditional Trust) — projects meeting most thresholds but with identified risks (e.g., declining commit activity, single corporate sponsor); Tier 3 (Elevated Risk) — projects breaching one or more critical thresholds (single maintainer, no security policy, extended inactivity). Each tier maps to a different update policy, review frequency, and contingency urgency.
• Contingency planning with pre-qualified alternatives. For each critical dependency, identify and pre-qualify at least one alternative component that could replace it. "Pre-qualified" means the alternative has been evaluated for licence compatibility (per AG-489), functional adequacy, health scorecard metrics, and integration feasibility. Maintain a migration runbook for each critical dependency documenting the switch procedure, estimated effort, and testing requirements. This investment pays dividends when a contingency is triggered — the difference between a planned 4-week migration and a crisis 12-week migration is typically 60-70% cost reduction.
• Maintainer security practice verification. For Tier 1 and Tier 2 dependencies, verify maintainer account security practices by checking: whether the hosting platform enforces two-factor authentication for the project's organisation (many platforms make this publicly visible), whether commits to release branches are signed, whether branch protection rules require multiple approvals, and whether the project publishes reproducible build instructions. These are proxy indicators for maintainer security hygiene — they do not guarantee security, but their absence indicates elevated compromise risk.
• Upstream engagement as risk mitigation. For the most critical dependencies (those where no viable alternative exists or where migration cost is prohibitive), consider direct upstream engagement: contributing code fixes, sponsoring maintainer time, participating in governance discussions, or funding security audits. This is not altruism — it is a risk mitigation investment. Organisations that depend critically on a project and contribute nothing to its sustainability are free-riding on a resource whose depletion directly threatens their operations.

Anti-patterns to avoid:

• Download count as health proxy. Treating high download counts or GitHub stars as indicators of project health. Download counts measure popularity, not governance quality. The most downloaded packages in many ecosystems are maintained by single individuals with no security policy. Popularity and health are uncorrelated.
• One-time assessment at adoption. Evaluating project health when a dependency is initially adopted and never reassessing. Project health is dynamic — maintainers leave, sponsors withdraw, activity declines, governance degrades. A project that was healthy at adoption may be moribund two years later. Continuous monitoring is essential.
• Implicit trust in major projects. Assuming that well-known or widely-used projects are inherently trustworthy. The xz-utils incident demonstrated that even projects embedded in virtually every Linux distribution can be targeted by sophisticated supply chain attacks. Major projects require the same health assessment as minor ones — their blast radius is larger, making assessment more important, not less.
• Automated updates without health gating. Configuring automated dependency update tools to merge updates from all sources without considering the project's current health status. An update from a project whose sole maintainer account was recently compromised should not be auto-merged. Health-conditional update policies ensure that automation does not bypass trust evaluation.
• Ignoring governance structure. Focusing exclusively on code-level metrics (commit frequency, issue count) while ignoring governance structure (decision-making process, conflict resolution, maintainer selection criteria). A project with high commit frequency but a single individual controlling all merge authority is more vulnerable to compromise than a project with moderate activity but distributed governance.

Industry Considerations

Financial Services. Financial agents depend on libraries for numerical computation, data serialisation, cryptographic operations, and API communication — all high-trust functions. A compromised dependency in a trading agent can execute fraudulent transactions; a compromised dependency in a regulatory reporting agent can produce false reports. Financial regulators under DORA expect firms to manage ICT third-party risk including open-source dependencies. Firms should classify all dependencies in financial agent stacks as critical and apply Tier 1 or Tier 2 monitoring.

Crypto/Web3. The crypto ecosystem has a particularly high concentration of critical open-source dependencies — consensus implementations, smart contract libraries, bridge protocols, and wallet SDKs are almost exclusively open-source. The financial value at risk (total value locked) can be measured in billions. Maintainer compromise or project abandonment in this context can result in direct, immediate, and irreversible financial loss. Health monitoring must operate at a higher frequency (daily rather than weekly) for dependencies in the critical path of value transfer.

Safety-Critical / CPS. Agents controlling physical systems require extreme supply chain assurance. A compromised or degraded dependency in an autonomous vehicle controller, medical device agent, or industrial automation system creates physical safety risk. Safety certification frameworks (IEC 61508, ISO 26262) require evidence of supply chain integrity. Health assessments for safety-critical dependencies should include formal verification of the dependency's correctness properties where feasible.

Public Sector. Government agents handling citizen data must ensure that upstream projects meet security standards compatible with government information security frameworks. Projects with maintainers in sanctioned jurisdictions may present additional compliance risks. Public sector organisations should verify that maintainer governance does not create conflicts with procurement security requirements (per AG-495).

Maturity Model

Basic Implementation — The organisation has identified its critical open-source dependencies. A health assessment exists for each critical dependency, covering bus-factor, commit activity, issue responsiveness, and security policy presence. Quantitative thresholds are defined and monitored monthly. Contingency plans exist for the top 5 most critical dependencies. Alerts are generated when thresholds are breached.

Intermediate Implementation — All basic capabilities plus: automated health scorecards generated weekly with dashboard visibility. Tiered trust classification (Tier 1/2/3) with differentiated update policies. Pre-qualified alternatives identified for all Tier 2 and Tier 3 dependencies. Maintainer account security practices evaluated. Corporate sponsor concentration tracked. Health-conditional automated update policies prevent auto-merging from low-health projects.

Advanced Implementation — All intermediate capabilities plus: daily health monitoring for highest-criticality dependencies. Upstream engagement programme (code contributions, financial sponsorship, or security audit funding) for dependencies with no viable alternative. Governance structure assessment including decision-making process evaluation. Community health signal monitoring beyond code metrics. Integration with AG-491 SBOM attestation for end-to-end dependency trust chain. Predictive health modelling that forecasts project decline based on leading indicators, triggering proactive migration planning before thresholds are breached.

7. Evidence Requirements

Required artefacts:

• Critical dependency register. A complete list of all critical open-source dependencies for each deployed agent, with the criteria used to determine criticality and the classification rationale for each entry.
• Health assessment records. The most recent health scorecard for each critical dependency, showing all evaluated metrics, threshold comparisons, and the resulting trust tier classification. Historical scorecards for at least the trailing 12 months.
• Threshold definition document. The documented quantitative thresholds for each health metric, the rationale for each threshold, and the escalation procedures triggered when thresholds are breached.
• Contingency plans. Migration runbooks for each critical dependency, including: trigger conditions, alternative component identification, estimated migration effort, and interim risk mitigation measures.
• Monitoring alert records. Logs of all threshold breach alerts, including: the dependency, the breached metric, the threshold value, the actual value, the date of detection, and the response action taken.
• Maintainer security practice assessments. Records of account security evaluations for critical dependencies, including: MFA status, commit signing status, branch protection configuration, and reproducible build capability.

Retention requirements:

• Health assessment records and monitoring logs: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.
• Contingency plans: retained and updated for the lifetime of the dependency relationship plus 1 year post-decommissioning.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Health scorecards must be exportable in machine-readable format for regulatory analysis.

8. Test Specification

Test 8.1: Health Assessment Completeness

• Stimulus: Select 10 critical dependencies from the register. Retrieve the health assessment for each. Verify that every mandated metric is present: maintainer count and diversity, commit activity trends (12 months), issue/PR responsiveness, security disclosure process, code review enforcement, and release recency.
• Expected behaviour: All 10 assessments contain all mandated metrics with current values and threshold comparisons.
• Pass criteria: 100% of sampled assessments contain all mandated metrics. No metric field is empty, placeholder, or stale (older than the defined monitoring frequency).
• Fail criteria: Any assessment is missing a mandated metric, or any metric value is stale beyond the monitoring frequency.

Test 8.2: Threshold Breach Alerting

• Stimulus: Simulate a threshold breach for a critical dependency — for example, reduce the monitored maintainer count to 1 (below the minimum threshold of 2) in the monitoring system's data source. Verify that an alert is generated within the defined detection window.
• Expected behaviour: The monitoring system detects the breach and generates an alert. The alert identifies the dependency, the breached metric, the threshold value, and the actual value.
• Pass criteria: Alert is generated within one monitoring cycle of the breach. Alert contains all required fields (dependency name, metric, threshold, actual value). Alert is routed to the designated response team.
• Fail criteria: No alert is generated, alert is delayed beyond one monitoring cycle, or alert is missing required fields.

Test 8.3: Contingency Plan Existence and Completeness

• Stimulus: Select 5 critical dependencies classified as Tier 2 or Tier 3. Retrieve the contingency plan for each. Verify that each plan contains: trigger conditions, identified alternative component, estimated migration effort and timeline, and interim risk mitigation measures.
• Expected behaviour: All 5 dependencies have complete contingency plans with all required elements.
• Pass criteria: 100% of sampled Tier 2/3 dependencies have contingency plans. Each plan contains all four required elements. Alternative components have been pre-qualified (licence compatibility verified, functional adequacy confirmed).
• Fail criteria: Any Tier 2/3 dependency lacks a contingency plan, or any plan is missing a required element, or alternative components have not been pre-qualified.

Test 8.4: Governance Structure Assessment

• Stimulus: Select 5 critical dependencies. Verify that each has a documented governance structure assessment covering: governance model documentation, merge authority distribution, code of conduct presence, and sponsorship concentration analysis.
• Expected behaviour: All 5 assessments document the governance structure with specific findings for each evaluation criterion.
• Pass criteria: 100% of sampled dependencies have governance structure assessments. Each assessment addresses all four criteria with substantive findings (not placeholder text). Sponsorship concentration is quantified (percentage of commits from dominant entity, percentage of maintainers employed by dominant entity).
• Fail criteria: Any dependency lacks a governance structure assessment, or any assessment criterion is unaddressed.

Test 8.5: Maintainer Security Practice Evaluation

• Stimulus: Select 5 critical dependencies classified as Tier 1 or Tier 2. Retrieve the maintainer security practice assessment for each. Verify that the assessment evaluates: multi-factor authentication enforcement, commit signing, branch protection rules, and reproducible build support.
• Expected behaviour: All 5 assessments evaluate all four security practice dimensions with current findings.
• Pass criteria: 100% of sampled dependencies have security practice assessments covering all four dimensions. Findings are dated within the last 90 days.
• Fail criteria: Any dependency lacks a security practice assessment, any dimension is not evaluated, or findings are older than 90 days.

Test 8.6: Health-Conditional Update Policy Enforcement

• Stimulus: Configure a test dependency with a trust tier of Tier 3 (Elevated Risk). Submit a version update for this dependency through the automated update pipeline. Verify that the update is not auto-merged and instead requires manual security review.
• Expected behaviour: The update pipeline recognises the Tier 3 classification and routes the update for manual review rather than auto-merging. The review requirement is enforced — the update cannot bypass manual approval.
• Pass criteria: Tier 3 updates are blocked from auto-merge. Manual review is required and enforced. The update remains pending until explicit human approval.
• Fail criteria: The Tier 3 update is auto-merged without manual review, or the manual review requirement can be bypassed.

Test 8.7: Monitoring Frequency Compliance

• Stimulus: Retrieve health monitoring execution logs for the trailing 60-day period. Verify that health assessments were executed at least at the defined minimum frequency (recommended: every 30 days) for all critical dependencies.
• Expected behaviour: Monitoring logs show at least 2 complete assessment cycles within the 60-day window for all critical dependencies (assuming 30-day frequency).
• Pass criteria: No critical dependency has a monitoring gap exceeding 1.5 times the defined frequency (e.g., 45 days for a 30-day frequency). All cycles completed successfully (no timeout or error states).
• Fail criteria: Any critical dependency has a monitoring gap exceeding 1.5 times the defined frequency, or any monitoring cycle failed without a documented remediation.

Conformance Scoring

• Score 0: No project health assessment exists. Dependencies are adopted and retained without evaluation of maintainer trust, project governance, or sustainability. No monitoring, no thresholds, no contingency plans.
• Score 1: Critical dependencies are identified. Health assessments exist but are performed manually and infrequently (quarterly or less). Thresholds are defined but monitoring is not automated. Contingency plans exist for some but not all critical dependencies. Maintainer security practices are not evaluated.
• Score 2: Automated health scorecards are generated at the defined frequency. Threshold breach alerting is operational. Tiered trust classification drives differentiated update policies. Contingency plans with pre-qualified alternatives exist for all Tier 2/3 dependencies. Governance structure assessments are completed for all critical dependencies. Maintainer security practices are evaluated for Tier 1/2 dependencies.
• Score 3: Verified through independent assessment confirming daily monitoring for highest-criticality dependencies, predictive health modelling, upstream engagement programme, comprehensive governance structure evaluation, integration with SBOM attestation (AG-491), and demonstrated contingency plan execution capability through tabletop exercises or actual migrations.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 15 (Accuracy, Robustness and Cybersecurity)	Direct requirement
SOX	Section 404 (Internal Controls Over Financial Reporting)	Supports compliance
FCA SYSC	8.1 (Outsourcing and Third-Party Arrangements)	Supports compliance
NIST AI RMF	GOVERN 1.5, MANAGE 4.2	Supports compliance
ISO 42001	Clause 8.4 (Externally Provided Processes, Products and Services)	Direct requirement
DORA	Article 28 (ICT Third-Party Risk)	Direct requirement

EU AI Act — Article 15 (Accuracy, Robustness and Cybersecurity)

Article 15 requires that high-risk AI systems are resilient against attempts by third parties to exploit system vulnerabilities. A compromised upstream dependency is precisely such an exploitation vector — the attacker does not need to breach the organisation's defences directly; they compromise a trusted upstream component that the organisation voluntarily incorporates. AG-490 directly supports Article 15 compliance by requiring that organisations assess the security posture of their upstream dependencies, detect governance degradation that increases compromise risk, and maintain contingency plans for dependency compromise scenarios.

DORA — Article 28 (ICT Third-Party Risk)

DORA Article 28 mandates that financial entities identify, assess, and manage risks arising from ICT third-party service providers and dependencies. Open-source projects are ICT dependencies whose risk profile is determined by their governance health. A project with declining maintainer activity, no security policy, and concentrated merge authority presents higher risk than a well-governed project — and this risk must be assessed, monitored, and managed. AG-490 provides the assessment framework, monitoring cadence, and contingency planning that DORA Article 28 requires for open-source dependencies.

FCA SYSC — 8.1 (Outsourcing and Third-Party Arrangements)

The FCA expects firms to manage risks from all third-party dependencies, not only formal contractual outsourcing arrangements. Open-source dependencies are third-party arrangements without contractual protections — there is no SLA, no vendor support, and no contractual obligation of continuity. This makes governance assessment more important, not less. Firms must demonstrate that they understand the health and sustainability of the open-source projects they depend on and have contingency plans for degradation or failure.

SOX — Section 404 (Internal Controls Over Financial Reporting)

Financial reporting agents that depend on open-source components must ensure that those components are reliable, secure, and available. A dependency abandonment that forces emergency migration creates control disruption during the migration period. SOX auditors will assess whether the organisation has adequate controls over its software supply chain, including awareness of dependency health and migration readiness for critical components.

ISO 42001 — Clause 8.4 (Externally Provided Processes, Products and Services)

ISO 42001 requires organisations to ensure that externally provided components meet defined requirements and that risks from external providers are managed. For open-source components, "provider" is the maintainer community, and the "risk" is governed by project health metrics. AG-490 operationalises this clause by defining the specific health metrics to evaluate, the thresholds that trigger escalation, and the contingency measures required when health degrades.

NIST AI RMF — GOVERN 1.5, MANAGE 4.2

GOVERN 1.5 addresses organisational risk management policies that must encompass third-party component risk. MANAGE 4.2 addresses the monitoring and management of risks from AI system components over time, recognising that risk profiles change as components evolve (or decline). AG-490 implements continuous monitoring of dependency health, ensuring that risk assessments remain current throughout the dependency lifecycle.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	All agents sharing the affected dependency; potentially organisation-wide if the dependency is a foundational component (inference engine, database driver, serialisation library)

Consequence chain: A critical upstream dependency degrades in health — maintainers depart, commit activity declines, security vulnerabilities go unpatched, or a maintainer account is compromised. Without health monitoring, the organisation is unaware of the degradation until a crisis event: a published exploit for an unpatched vulnerability, a malicious code injection via compromised credentials, or a public abandonment announcement that triggers ecosystem-wide migration pressure. The immediate technical impact depends on the failure mode: for compromise, it is data exfiltration, code execution, or supply chain attack propagation through the agent to downstream systems and users; for abandonment, it is accumulating security vulnerabilities and performance degradation as the unpatched component falls behind security and compatibility requirements. The business impact cascades: data breach notification costs (£50-£200 per affected record under GDPR), regulatory fines (up to 4% of annual turnover for GDPR, material penalties under DORA), customer remediation costs, reputational damage, and emergency migration costs that are typically 3-5 times the cost of a planned migration. The systemic risk is amplified when multiple agents share the same compromised or abandoned dependency — the blast radius scales with the dependency's prevalence across the agent portfolio. The failure is particularly dangerous because it originates outside the organisation's control boundary — the organisation cannot patch a project it does not maintain, cannot compel a maintainer to respond to vulnerability reports, and cannot prevent a corporate sponsor from withdrawing. The only defence is awareness (monitoring), preparedness (contingency planning), and proactive engagement (upstream contribution), all of which AG-490 mandates.

Cross-references: AG-022 (Behavioural Drift Detection), AG-373 (Remote Server Trust Bootstrap Governance), AG-395 (Agent Marketplace Admission Governance), AG-489 (Open-Source Licence Policy Binding Governance), AG-491 (Dependency Provenance and SBOM Attestation Governance), AG-494 (Vendor Incident Disclosure Governance), AG-497 (End-of-Support Migration Governance), AG-498 (Upstream Policy Compatibility Governance).