This dimension governs the mechanisms by which AI systems operating in public sector enforcement, justice, and border and law enforcement contexts are constrained to recommend or take actions that are proportionate to the severity, context, and established legal thresholds of the matter at hand. Proportionality is a foundational principle of administrative law and human rights frameworks worldwide: an enforcement action that exceeds what is necessary and justified by the facts causes direct harm to individuals and erodes public legitimacy in state institutions. Failure in this dimension manifests as AI systems escalating enforcement responses beyond legally or ethically defensible levels — recommending custodial detention for minor regulatory infractions, flagging asylum seekers for expedited removal on statistically weak signals, or triggering asset freezes on the basis of a single unverified transaction match — with downstream consequences that include unlawful deprivation of liberty, discriminatory enforcement patterns, and successful legal challenges that compromise entire enforcement programmes.
A court-adjacent AI risk assessment tool is deployed to assist magistrates in determining pre-trial detention conditions for defendants charged with non-violent property offences. The tool's risk score model has been trained on historical recidivism data that encodes socioeconomic disadvantage as a proxy for flight risk. In a case involving a 24-year-old defendant charged with shoplifting goods valued at £180, the tool returns a risk score of 78/100 and recommends full custodial remand pending trial. The magistrate, facing a busy list of 40 cases that morning, accepts the recommendation without scrutiny. The defendant, who has two dependent children and stable employment, spends 11 days in pre-trial detention before a duty solicitor successfully challenges the basis of the score at a bail review hearing. The Equality and Human Rights Commission subsequently reviews the tool and finds that defendants from the most deprived postcode quintile receive scores that are, on average, 22 points higher than defendants with equivalent criminal histories from affluent areas. The entire bail recommendation programme is suspended pending a formal review, 340 prior remand decisions are audited, and the jurisdiction faces judicial review proceedings. The core failure is that the AI system had no enforceable ceiling on its recommended response severity relative to the gravity of the alleged offence. A proportionality constraint requiring that pre-trial detention recommendations for non-violent offences below a statutory threshold be flagged as requiring mandatory human deliberation would have intercepted this outcome.
A border management AI system integrated into primary inspection lanes at an international airport applies document verification, biometric matching, and watchlist comparison in a single automated pipeline. A traveller from a third country presents a legitimately issued passport. The biometric matching algorithm returns a 71% confidence match against a watchlist entry — below the agency's internal threshold of 85% for secondary screening escalation but above the system's legacy hard stop of 65%, which was never formally decommissioned after a configuration update. The system routes the traveller to a secondary holding area and, through an automated integration with the enforcement case management platform, generates a preliminary incident record coded as "watchlist positive — confirm and proceed." A junior officer, reading the case management entry as a confirmed match, initiates a formal inadmissibility process. The traveller — a medical professional travelling to attend a conference — is held for 7 hours, subjected to device search, and issued a preliminary order of removal before a supervisor recognises the confidence score ambiguity. The traveller's country of origin lodges a formal diplomatic complaint. An internal review finds that the system had no mechanism to communicate match confidence degradation to the human officer in a form that would prevent it from being interpreted as a confirmed hit. The failure is one of proportionality through information asymmetry: the enforcement action was calibrated to the output label rather than the underlying evidential quality. A proportionality constraint mandating that confidence intervals and match quality scores be prominently surfaced alongside any enforcement-triggering output, and that sub-threshold matches be explicitly coded as requiring deliberative human review before any enforcement action is logged, would have prevented the cascade.
A national financial intelligence unit deploys an AI-assisted transaction monitoring system integrated with the authority's Suspicious Activity Report processing pipeline. The system is configured to recommend immediate account freezes when a risk score exceeds 90/100 across a composite of 14 indicators. A small catering business with a 12-year operating history and no prior adverse findings makes three cash deposits totalling €9,400 over a single week — below the €10,000 mandatory reporting threshold — in a pattern that the model associates with structuring. The system scores the account at 91/100 and automatically generates a freeze recommendation that, under the authority's operational procedures, is treated as an approved action unless a senior analyst explicitly rejects it within a four-hour review window. The window lapses because the senior analyst team is managing a separate high-priority investigation. The account is frozen. The business cannot pay its staff wages due the following day. The owner, who has no legal representation and limited English, is unable to navigate the administrative dispute process. The freeze remains in place for 19 days before a compliance manager identifies it as an error and revokes it. The business loses two contracts worth approximately €34,000 due to payment failures during the freeze period. An ombudsman investigation finds that the automated procedure effectively inverted the proportionality of human oversight: the default position was maximum enforcement, with human review acting as an exception rather than a precondition. The investigation recommends that any enforcement action with irreversible or materially harmful short-term consequences must require affirmative human authorisation, not passive non-rejection.
This dimension applies to all AI systems that participate, directly or indirectly, in the production of enforcement recommendations, enforcement decisions, or inputs that trigger enforcement workflows within the public sector, justice, border management, and law enforcement landscape. This includes but is not limited to: bail and detention risk assessment systems; watchlist matching and secondary screening systems; administrative penalty recommendation engines; automated flagging systems that route cases for enforcement action; asset freeze and financial enforcement recommendation tools; civil penalty calculators; deportation or removal risk scoring tools; and any AI component embedded within a human-reviewed enforcement workflow where the AI output materially conditions the human decision. The scope extends to AI systems acting as upstream suppliers of scoring, classification, or summarisation outputs used by other AI or human decision-makers in enforcement contexts. It does not apply to passive analytics, research, or policy simulation tools that do not produce case-specific enforcement outputs.
The system MUST implement a proportionality ceiling mechanism that bounds the maximum severity of any enforcement action it can recommend or trigger to a level that is legally and factually commensurate with the gravest reasonable interpretation of the established facts in the case at the time of recommendation. The ceiling MUST be parameterised against the applicable legal framework's graduated response structure — whether criminal, administrative, civil, or regulatory — and MUST be updated whenever the governing legal framework is amended. The system MUST NOT recommend or trigger enforcement actions at the maximum permitted level unless the evidence basis independently satisfies the legal standard for that level.
The system MUST align its output recommendations to the full graduated response spectrum available in the applicable legal framework. Where a legal framework provides for warnings, conditional orders, fixed penalties, escalating penalties, custodial alternatives, and custodial measures as sequential options, the system MUST be capable of recommending each level and MUST NOT exhibit a structural bias toward higher-severity recommendations that is not justified by the case facts. The system SHOULD produce an explicit justification for each recommended severity level, referencing the specific factual and legal basis.
Where the system's enforcement-relevant output is derived from probabilistic matching, risk scoring, or predictive modelling, the system MUST represent the confidence interval or uncertainty range of that output alongside the output itself in any interface or downstream data feed used by a human decision-maker. The system MUST NOT present a probabilistic output in a form that is indistinguishable from a deterministic finding. The system MUST enforce a mandatory human deliberation gate before any enforcement action at or above a defined severity threshold is progressed, whenever the underlying evidence confidence falls below a defined minimum threshold. Both the severity threshold and the confidence minimum MUST be documented, reviewed at least annually, and approved by an accountable human authority within the deploying organisation.
The system MUST require affirmative, documented human authorisation before initiating, recommending completion of, or logging as approved any enforcement action that is irreversible or that causes material immediate harm to the subject — including but not limited to: custodial detention; asset freezes; licence revocations; removal or deportation orders; and publication of enforcement findings on public registers. Passive non-rejection, timeout-based approval, or silence-as-consent mechanisms MUST NOT be used as the authorisation mechanism for such actions. The system MUST enforce this requirement programmatically and MUST NOT allow it to be overridden by operational configuration at the point of deployment without a documented change management record approved at a senior governance level.
The system MUST provide a documented, accessible mechanism by which human operators can introduce contextual or mitigating factors that modify the system's enforcement recommendation prior to action. The system MUST record all such operator interventions in the audit trail required by AG-044. Where the system is configured to operate without real-time human modification capability, the deploying organisation MUST conduct and document a proportionality impact assessment demonstrating that the removal of contextual override capability is justified by operational necessity and does not create systematic disproportionality. The system SHOULD surface, during output generation, any case features that are statistically associated with mitigating circumstances in comparable historical cases within the same legal framework.
The deploying organisation MUST conduct regular population-level analysis of enforcement outputs to detect systematic disproportionality across protected characteristics, socioeconomic indicators, and jurisdictional groupings. This analysis MUST be conducted at a minimum every six months for Tier High-Risk/Critical deployments. Where population-level analysis reveals that any identifiable group receives enforcement recommendations at a materially higher average severity level than comparably situated individuals from other groups — after controlling for legally relevant case characteristics — the system MUST be taken offline or constrained to a lower-severity recommendation ceiling until the cause is identified and remediated. The threshold for triggering this constraint MUST be set in advance, documented, and approved by the accountable human authority.
The system MUST maintain a versioned mapping of the enforcement response options, legal thresholds, and penalty scales applicable to each jurisdiction in which it operates. Where an enforcement case involves elements from multiple jurisdictions — including cross-border cases, cases involving dual nationals, or cases where conflicting legal frameworks may apply — the system MUST flag the jurisdictional complexity to the human decision-maker and MUST NOT produce a single enforcement recommendation that resolves jurisdictional conflicts without surfacing them. The legal framework version in effect at the time of any recommendation MUST be recorded in the case audit trail.
The system MUST generate and retain an auditable record for every enforcement recommendation it produces, containing at minimum: the case identifier; the timestamp of the recommendation; the specific enforcement action recommended; the legal basis cited; the evidence inputs used; the confidence level of each probabilistic input; the proportionality ceiling applied; any operator modifications; the final human decision; and the legal framework version in force. This record MUST be retained for a period no shorter than the applicable statutory limitation period for legal challenge of the enforcement action, and in no case shorter than seven years. The system SHOULD be capable of producing a plain-language explanation of any individual enforcement recommendation that is comprehensible to the subject of the enforcement action without legal expertise.
Where the AI system is supplied by a third-party vendor or operated under a managed service arrangement, the deploying public authority MUST ensure that contractual provisions expressly preserve the authority's ability to impose, inspect, and modify proportionality constraints, confidence thresholds, graduated response parameters, and human authorisation gates without requiring vendor approval or incurring contractual penalties. The deploying authority MUST NOT accept a contractual position in which the vendor's configuration defaults govern enforcement proportionality in the absence of express deploying-authority override. The deploying authority SHOULD require the vendor to provide documented evidence of proportionality testing in analogous deployment contexts as a condition of procurement.
Proportionality is not merely a policy preference in enforcement contexts — it is a constitutional and treaty-level obligation in most democratic legal systems. Article 5 of the European Convention on Human Rights constrains deprivation of liberty to what is strictly necessary; Article 49(3) of the EU Charter of Fundamental Rights explicitly requires that the severity of penalties not be disproportionate to the offence; the US Fifth and Fourteenth Amendments protect against arbitrary state action through substantive due process; the UN Basic Principles on the Use of Force and Firearms impose proportionality obligations on law enforcement globally. When an AI system participates in enforcement decision-making, the system's structural outputs — its scoring ranges, its recommendation vocabularies, its default escalation pathways — become embedded features of the state's enforcement architecture. A system structurally biased toward high-severity recommendations does not merely produce individual errors; it systematically violates the legal obligations of the state that deploys it.
Beyond the legal framework, there is a well-documented behavioural dynamic in AI-assisted enforcement that this dimension directly addresses: automation bias. Human decision-makers in high-volume enforcement environments — court officers processing bail applications, border officers managing queue throughput, financial investigators handling hundreds of daily alerts — are subject to cognitive load conditions that elevate the probability of uncritical adoption of AI recommendations. Studies of criminal justice risk assessment tools in the United States and Europe consistently find that human operators override AI recommendations at significantly lower rates than they would in equivalent manual decision environments, and that the direction of influence is asymmetric: operators are more likely to escalate than to de-escalate when the AI recommendation is higher than their initial intuition. This means that a structurally unconstrained AI enforcement system does not merely reflect existing proportionality — it shapes it, and in conditions of automation bias, it shapes it upward. The preventive controls in this dimension are designed to intercept that dynamic before it becomes embedded in operational culture.
This control is classified as preventive rather than detective or corrective because enforcement harms are frequently irreversible at the individual level. A person who has been detained, deported, or had their assets frozen cannot be fully made whole by a subsequent detection and correction of the error. The blast radius of a single proportionality failure in a high-volume enforcement AI system extends rapidly — a systematic bias affecting 10% of recommendations in a system processing 500 cases per week produces 50 disproportionate enforcement actions per week before any detection mechanism can trigger a response. Prevention through structural constraints, mandatory human gates, and confidence-proportional escalation requirements is the only control architecture capable of operating at the speed and volume of AI-assisted enforcement.
Modern enforcement environments increasingly involve pipelines in which multiple AI components interact — a watchlist matcher feeding a risk scorer feeding a case management prioritisation system feeding a human officer interface. Each system may have been individually calibrated to appropriate thresholds, but the interactions between systems can produce compounding effects that individually calibrated components will never detect. A 70% confidence biometric match combined with a 65% confidence document anomaly flag combined with a prior travel pattern flag may individually trigger no enforcement response, but combined into a composite score they may exceed an escalation threshold. This dimension requires that the proportionality ceiling and human authorisation gate apply at the point of enforcement action, regardless of how many upstream components contributed to reaching that point, ensuring that compounding does not erode proportionality through the disaggregation of responsibility.
Graduated Severity Architecture with Hard Ceilings. Implement enforcement recommendation engines using a tiered output schema in which each tier is bounded above by a severity ceiling that is programmatically linked to the legal threshold for that tier. For example, in a civil penalty recommendation context, tier one (advisory notice) may be recommended for any risk score; tier two (fixed penalty) requires a minimum evidence quality score; tier three (escalated penalty) requires a minimum evidence quality score plus a human deliberation record; tier four (prosecution referral) requires a minimum evidence quality score, a human deliberation record, and affirmative senior authorisation. The ceiling at each tier is a hard constraint — it cannot be bypassed by higher risk scores alone.
Confidence Surface Requirement in Human Interfaces. Design all human operator interfaces to surface the full confidence distribution of probabilistic inputs as a primary visual element, not a tooltip or secondary screen. Use traffic-light or graduated bar representations that make sub-threshold confidence levels immediately perceptually distinct from confirmed findings. Require operator acknowledgement of confidence level before any enforcement action is recorded.
Affirmative Authorisation Workflows. Implement irreversible-action workflows as explicit two-step processes requiring a named, authenticated human authority to select the action, read a system-generated proportionality statement, and confirm. Log the identity of the authorising officer, the timestamp, and any accompanying free-text justification. Do not allow batch approval of multiple enforcement actions against multiple subjects in a single authorisation event.
Mitigation Factor Prompting. Build into the recommendation generation stage a structured prompt that surfaces any case features associated with statutory mitigating factors — vulnerability indicators, cooperation with prior investigations, first-offence status, exceptional circumstances — and requires the operator to document whether each factor was considered. This creates a contemporaneous record of proportionality deliberation that is valuable both for internal governance and for legal challenge resistance.
Automated Population-Level Monitoring Pipelines. Implement an automated statistical monitoring pipeline that runs against all enforcement recommendation outputs on a rolling 90-day basis, stratified by protected characteristics extracted from case records. Configure alerts for divergence above defined thresholds. Ensure the monitoring pipeline is operationally independent of the enforcement recommendation system it monitors.
Jurisdiction Conflict Tagging. Implement a pre-recommendation jurisdiction check that compares the case's geographic, national, and regulatory indicators against the system's jurisdiction matrix and halts output generation for multi-jurisdiction cases until the human operator has confirmed which legal framework applies and documented the basis for that confirmation.
Silence-as-Consent Authorisation. Never implement enforcement action authorisation as a timed expiry requiring active rejection to prevent action. This pattern systematically degrades human oversight in high-volume conditions and is directly prohibited by Section 4.4. Avoid it in any form, including "accept unless escalated within X hours" workflows.
Risk Score Normalisation Without Penalty Scale Anchoring. Do not produce risk scores on a normalised scale (0–100) without explicitly anchoring the score to the legal penalty scale applicable to the case. A score of 91/100 on an uncalibrated scale communicates urgency without communicating what urgency is justified. The score must reference specific enforcement tiers, not abstract severity levels.
Monolithic Pipeline Outputs Without Component Traceability. Do not present composite enforcement recommendations without decomposing the contribution of each component model. When a composite score triggers an enforcement recommendation, the operator must be able to see which sub-scores crossed which sub-thresholds, not merely the aggregate outcome. Opaque aggregation undermines both proportionality review and legal challenge resistance.
Default Maximum Enforcement. Do not configure systems with enforcement escalation as the default pathway and de-escalation as an exception requiring active operator justification. This pattern inverts the proportionality principle. The burden of justification must fall on escalation, not on restraint.
Single-Jurisdiction Assumption in Multi-Jurisdiction Deployments. Do not deploy enforcement systems in cross-border or federal/devolved contexts with a single legal framework hard-coded as default. Jurisdiction conflicts must be detected and surfaced, not silently resolved by the system in favour of the most restrictive available framework.
Retrospective Proportionality Washing. Do not implement proportionality review as a post-hoc audit process that validates already-executed enforcement actions. Proportionality governance must operate pre-action. Post-hoc review can supplement but cannot replace preventive constraints.
Criminal justice deployments require particular attention to the interaction between AI enforcement recommendation systems and the constitutional rights of defendants. In common law jurisdictions, the right to challenge the basis of a bail or sentencing recommendation has implications for explainability that exceed what is required in other contexts — the explanation must be legally challengeable, which means it must be expressed in terms that a lawyer and a court can examine for legal adequacy, not merely algorithmic correctness.
In border and immigration contexts, the speed of enforcement — measured in minutes at a primary inspection lane — creates operational pressure to reduce human deliberation gates. Implementations in this context should focus on upstream confidence calibration and pre-clearance pathway design to reduce the volume of cases requiring real-time deliberation, rather than compressing deliberation time as a throughput solution.
In financial intelligence contexts, the asymmetry between enforcement (account freeze) and remedy (unfreeze) requires that the proportionality ceiling be set with explicit attention to the reversibility timeline of the specific enforcement action. A freeze that takes 19 days to reverse requires a higher initial evidence threshold than one reversible within hours.
Level 1 — Compliant: System meets all MUST requirements. Proportionality ceilings are implemented. Affirmative authorisation is required for irreversible actions. Confidence intervals are surfaced. Audit trail is maintained.
Level 2 — Managed: All Level 1 requirements are met. Population-level monitoring is automated and generates alerts. Jurisdiction conflict detection is implemented. Mitigation factor prompting is embedded in operator workflows. Semi-annual proportionality reviews are conducted and documented.
Level 3 — Optimised: All Level 2 requirements are met. The system generates plain-language proportionality statements comprehensible to enforcement subjects. Proportionality ceilings are dynamically updated in response to legal framework changes within 30 days of amendment. Operator deliberation quality (not just presence) is monitored through structured decision records. Population-level disproportionality analysis is disaggregated to sub-group level and published in annual governance reports.
Proportionality Ceiling Documentation. A formal document, approved at senior governance level, specifying the enforcement severity tiers available to the system, the legal basis for each tier, the factual and evidential thresholds required for each tier to be recommended, and the programmatic ceiling configuration corresponding to each tier. This document MUST be updated within 30 days of any change to the applicable legal framework.
Confidence Threshold Register. A documented register of all confidence thresholds used in enforcement-triggering outputs, including the basis for setting each threshold, the date it was set, the individual or body that approved it, and the date of the most recent review. Retention: duration of system operation plus seven years.
Human Authorisation Records. For every irreversible enforcement action, a record containing: case identifier; action taken; authorising officer identity; timestamp; the system's proportionality statement at the time of authorisation; and any free-text justification provided by the authorising officer. Retention: the longer of the applicable statutory limitation period or seven years.
Population-Level Proportionality Analysis Reports. Completed reports from each mandatory semi-annual population-level analysis, including methodology, data sources, stratification variables, findings, any thresholds breached, and remedial actions taken. Retention: ten years.
Operator Override and Intervention Log. A machine-readable log of every instance in which a human operator modified or rejected a system enforcement recommendation, including the direction of modification (escalation or de-escalation), the stated reason, and the outcome of the case. Retention: seven years.
Jurisdiction Matrix. A versioned matrix documenting all jurisdictions in which the system operates, the applicable legal framework for each, the enforcement response options and penalty scales, and the date each entry was last validated by a qualified legal authority. Retention: duration of system operation plus seven years.
Vendor Contractual Evidence. Where applicable, copies of contractual provisions preserving the deploying authority's ability to configure proportionality constraints without vendor approval, as required by Section 4.9. Retention: duration of contract plus seven years.
Annual Governance Review Report. A documented annual review of the system's proportionality performance, conducted by or on behalf of the accountable human authority, covering: threshold settings, population-level findings, legal framework alignment, operator intervention patterns, and any incidents involving suspected disproportionate enforcement. Retention: ten years.
| Artefact | Minimum Retention Period |
|---|---|
| Proportionality Ceiling Documentation | System life + 7 years |
| Confidence Threshold Register | System life + 7 years |
| Human Authorisation Records | Longer of statutory limitation period or 7 years |
| Population-Level Analysis Reports | 10 years |
| Operator Override and Intervention Log | 7 years |
| Jurisdiction Matrix | System life + 7 years |
| Vendor Contractual Evidence | Contract duration + 7 years |
| Annual Governance Review Report | 10 years |
Maps to: Section 4.1 Objective: Verify that the system cannot produce enforcement recommendations above the legally defined ceiling for the given case facts. Method: Construct a test case set of 50 scenarios in which the case facts, by legal analysis, cap the maximum proportionate enforcement response at a defined level below the system maximum. Submit each scenario through the live system. Record all system outputs and compare against the legally determined ceiling. Pass Criteria:
Maps to: Section 4.2 Objective: Verify that the system's output vocabulary includes all tiers of the applicable graduated response spectrum and that lower-severity recommendations are accessible and structurally non-penalised. Method: Construct a test case set of 30 scenarios calibrated to warrant each tier of the graduated response spectrum (minimum five scenarios per tier). Submit through the live system. Record recommendation distributions. Conduct regression analysis to detect structural elevation toward higher tiers beyond what case facts warrant. Pass Criteria:
Maps to: Section 4.3 Objective: Verify that confidence intervals are surfaced in the human interface and that mandatory deliberation gates are enforced when confidence falls below the defined minimum threshold. Method: Submit 20 test cases with varying probabilistic input confidence levels, including 10 cases where one or more inputs fall below the documented minimum confidence threshold. Observe the human interface for confidence representation. Attempt to progress enforcement action in sub-threshold cases without completing the mandatory deliberation gate. Pass Criteria:
Maps to: Section 4.4 Objective: Verify that all irreversible enforcement actions require affirmative, documented human authorisation and that silence-as-consent mechanisms are not present. Method: Identify all enforcement actions classified as irreversible or materially immediately harmful in the system's configuration. For each action type, submit a test case and: (a) allow the authorisation window to expire without action; (b) attempt batch authorisation of multiple cases in a single event; (c) attempt to disable the authorisation gate through operational configuration. Pass Criteria:
Maps to: Section 4.6 Objective: Verify that the population-level monitoring mechanism detects and alerts on systematic disproportionality above the defined threshold. Method: Inject into the monitoring pipeline a synthetic six-month dataset in which one identifiable group (e.g., a nationality or age cohort) receives enforcement recommendations at an average severity level 25% above comparably situated individuals from other groups, constructed to exceed the deploying authority's defined threshold. Verify that the monitoring system generates an alert and that the alert triggers the defined constraint response (system offline or severity ceiling reduction). Pass Criteria:
Maps to: Section 4.7 Objective: Verify that the system detects and surfaces jurisdictional complexity in multi-jurisdiction cases and does not silently resolve jurisdictional conflicts. Method: Submit 15 test cases involving jurisdictional complexity (dual nationals, cross-border financial transactions, cases at regulatory boundaries between federal and devolved jurisdictions). Observe system output for jurisdiction flagging. Attempt to obtain a single enforcement recommendation from the system without operator confirmation of applicable legal framework. Pass Criteria:
###
| Regulation | Provision | Relationship Type |
|---|---|---|
| EU AI Act | Article 9 (Risk Management System) | Direct requirement |
| NIST AI RMF | GOVERN 1.1, MAP 3.2, MANAGE 2.2 | Supports compliance |
| ISO 42001 | Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment) | Supports compliance |
Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system that identifies, analyses, estimates, and evaluates risks. Enforcement Proportionality Governance implements a specific risk mitigation measure within this framework. The regulation requires that risks be mitigated "as far as technically feasible" using appropriate risk management measures. For deployments classified as high-risk under Annex III, compliance with AG-567 supports the Article 9 obligation by providing structural governance controls rather than relying solely on the agent's own reasoning or behavioural compliance.
GOVERN 1.1 addresses legal and regulatory requirements; MAP 3.2 addresses risk context mapping; MANAGE 2.2 addresses risk mitigation through enforceable controls. AG-567 supports compliance by establishing structural governance boundaries that implement the framework's approach to AI risk management.
Clause 6.1 requires organisations to determine actions to address risks and opportunities within the AI management system. Clause 8.2 requires AI risk assessment. Enforcement Proportionality Governance implements a risk treatment control within the AI management system, directly satisfying the requirement for structured risk mitigation.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Organisation-wide — potentially cross-organisation where agents interact with external counterparties or shared infrastructure |
| Escalation Path | Immediate executive notification and regulatory disclosure assessment |
Consequence chain: Without enforcement proportionality governance, the governance framework has a structural gap that can be exploited at machine speed. The failure mode is not gradual degradation — it is a binary absence of control that permits unbounded agent behaviour in the dimension this protocol governs. The immediate consequence is uncontrolled agent action within the scope of AG-567, potentially cascading to dependent dimensions and downstream systems. The operational impact includes regulatory enforcement action, material financial or operational loss, reputational damage, and potential personal liability for senior managers under applicable accountability regimes. Recovery requires both technical remediation and regulatory engagement, with timelines measured in weeks to months.