AG-721 governs the identification, prevention, and remediation of intellectual property (IP) infringement risks arising from content generated by autonomous or semi-autonomous AI agents, encompassing copyright, trademark, trade secret, and sui generis database rights embedded in or reproduced through agent outputs. This dimension is critical because LLM-based agents are trained on vast corpora that include copyrighted text, code, music, visual descriptions, and proprietary data, and at inference time they may reproduce substantial portions of protected works verbatim or in near-verbatim paraphrase, expose trade secrets ingested through RAG pipelines, or produce outputs that bear confusing similarity to registered trademarks — all without the deploying organisation being aware until litigation or regulatory action is initiated. Failure manifests as statutory damages awards (up to $150,000 per work under US copyright law for willful infringement), injunctive relief halting a product or service, reputational harm to deploying organisations, criminal liability for trade secret misappropriation under applicable law, and cascading supply-chain liability where downstream customers unknowingly incorporate infringing AI-generated content into their own products.
An enterprise software organisation deploys a code-generation agent integrated into its internal development environment. The agent is backed by a fine-tuned LLM trained on a corpus that includes permissively and restrictively licensed open-source repositories. A developer prompts the agent to "write a function that parses ISO 8601 dates in Python." The agent returns a 47-line function that is a near-verbatim reproduction of a function distributed under the GNU General Public License v2.0 (GPLv2) from a widely-used date-handling library. The developer does not recognise the source, commits the code into a proprietary commercial product, and the product ships to 4,200 enterprise customers. Six months later, a GPL enforcement group identifies the code through automated scanning tools. Because GPLv2 requires that any derivative work also be released under GPLv2, the organisation faces a choice: open-source its entire product codebase or withdraw the product from the market. Legal fees exceed $2.1 million before settlement; the remediation effort requires patching the codebase across all customer deployments. The root cause is the absence of any output-level licence detection or provenance tracing in the agent deployment.
A media technology company deploys a customer-facing marketing content agent that generates articles, social media posts, and product descriptions for small-business clients. The underlying LLM has memorised passages from major news publishers whose content was included in pre-training data without licensing. A client prompts the agent to "write a 400-word summary of recent trends in renewable energy." The agent returns content that includes three consecutive paragraphs reproduced verbatim from a Reuters investigative feature published eighteen months earlier. The client publishes the output on their commercial website. Reuters' automated content-monitoring service identifies the reproduction within 72 hours. Reuters files a copyright infringement claim against both the client and the deploying AI company. Because the AI company had no output-monitoring system capable of detecting substantial similarity to known copyrighted works, it cannot demonstrate good-faith compliance efforts; the court applies the four-factor fair use analysis unfavourably. The client faces damages of $35,000 for the single infringement; the AI company faces a class action from twelve other publishers who identify similar reproductions across the platform. Platform-wide litigation exposure is estimated at $47 million.
A boutique investment management firm deploys an internal research agent that ingests proprietary analyst reports, internal portfolio strategy documents, and vendor-licensed market data via a retrieval-augmented generation (RAG) pipeline. The firm also grants a subset of premium clients access to a client-facing version of the same agent. Due to a misconfiguration in the document-access control layer of the RAG system, the client-facing agent can retrieve chunks from internal strategy documents that are explicitly marked as confidential trade secrets. A client prompts the agent to "summarise the firm's current position on semiconductor sector allocations." The agent retrieves and synthesises three paragraphs from a confidential internal strategy note. The client, upon receiving the response, shares it with a competing hedge fund. The firm later identifies the breach during an internal audit. Under the Defend Trade Secrets Act (DTSA) in the United States, the firm must demonstrate that it took reasonable measures to protect the secrecy of the information to assert misappropriation claims against the competing fund — but because its own agent had no access-tier enforcement or output provenance logging, it cannot establish that it maintained adequate protections. The firm loses its trade secret protection claim, forfeits a competitive advantage valued at approximately $18 million in anticipated alpha, and must notify clients and regulators under applicable breach-notification obligations.
This dimension applies to all AI agent systems that generate, transform, summarise, translate, or otherwise produce textual, code, image-descriptive, audio-descriptive, or multimodal outputs that may incorporate, derive from, or replicate third-party intellectual property. It applies regardless of whether the agent operates on a closed internal model, an externally hosted foundation model, a fine-tuned model, or a retrieval-augmented architecture. It covers all phases of the output lifecycle: generation, caching, transmission, storage, and downstream embedding by human users or automated downstream systems. It applies to all deploying organisations across all primary profiles identified in Section 1. The dimension addresses copyright (literary, artistic, musical, and software works), trademark (confusing similarity in commercial contexts), trade secrets (proprietary information maintained with reasonable secrecy measures), sui generis database rights (where applicable under EU law and equivalent jurisdictions), and moral rights (where applicable under applicable national law). It does not govern the legality of training data composition, which is addressed separately; it governs output-time controls and provenance obligations.
4.1.1 The deploying organisation MUST classify all agent output categories by IP risk level prior to deployment, distinguishing at minimum between: (a) outputs likely to involve reproduction of substantial portions of copyrighted works; (b) outputs involving code generation from training-data memorisation; (c) outputs derived from RAG pipelines ingesting potentially restricted source materials; (d) outputs in trademark-sensitive commercial contexts; and (e) outputs that may surface trade secrets from internal knowledge bases.
4.1.2 The IP risk classification MUST be documented in a formal IP Risk Register that is reviewed and updated at minimum annually or following any material change to the agent's model, training data, retrieval corpus, or deployment context.
4.1.3 For agents operating in multi-jurisdiction contexts (Cross-Border / Multi-Jurisdiction Agent profile), the IP Risk Register MUST explicitly identify applicable national IP regimes and note material divergences in scope of protection, fair use or fair dealing provisions, and available safe harbours.
4.2.1 For any agent output category classified as High or Critical IP risk under 4.1.1(a) or 4.1.1(b), the deploying organisation MUST implement an automated output screening mechanism capable of detecting substantial similarity between generated outputs and a corpus of known, licensed, or flagged copyrighted works relevant to the deployment context.
4.2.2 The screening mechanism described in 4.2.1 MUST apply a similarity threshold defined in written policy; the threshold MUST be set conservatively enough to catch verbatim reproduction of passages of 50 words or more and code blocks of 15 lines or more unless the deploying organisation can demonstrate via documented legal review that a higher threshold remains within applicable fair use or fair dealing provisions.
4.2.3 Where a similarity threshold breach is detected, the agent MUST either: (a) suppress the infringing passage and substitute a generated reformulation with provenance attribution; (b) insert a notice to the user that the content may require independent IP clearance; or (c) block the output entirely and escalate to a human reviewer — and the chosen response pathway MUST be documented in policy and applied consistently.
4.2.4 Code-generation agents MUST implement licence-aware output controls that: (a) identify the likely source licence of any reproduced code block; (b) surface licence obligations to the user; and (c) prevent silent embedding of copyleft-licensed code into outputs delivered to users who have not acknowledged the applicable licence terms.
4.3.1 Any agent that ingests proprietary, confidential, or trade-secret-classified information through any mechanism (including RAG pipelines, tool calls, memory stores, or fine-tuning) MUST enforce output-tier access controls that prevent retrieval and surfacing of such information to users or downstream systems that do not hold the appropriate access tier.
4.3.2 The access control enforcement described in 4.3.1 MUST be implemented at the output generation stage, not solely at the retrieval stage, to account for multi-hop reasoning chains or agent tool-use patterns that may reconstruct confidential information from individually non-confidential fragments.
4.3.3 The deploying organisation MUST maintain a Trade Secret Inventory that identifies all categories of trade secret or confidential information accessible to the agent system, the access tier required to receive outputs derived from each category, and the technical mechanism enforcing that tier restriction.
4.3.4 Agents operating under the Financial-Value Agent, Research / Discovery Agent, or Public Sector / Rights-Sensitive Agent profiles MUST apply enhanced trade secret controls including: (a) output provenance tagging that records which source documents contributed to any given output; (b) automated detection of outputs that synthesise information across confidentiality tiers; and (c) mandatory human review before delivery of any output that the system detects as synthesising from Tier 1 (most sensitive) classified sources.
4.4.1 Agents operating in commercial customer-facing or marketing contexts MUST be configured with a trademark sensitivity filter that detects output strings likely to constitute or contain registered trademarks in a manner that could create consumer confusion, constitute dilution, or constitute false designation of origin.
4.4.2 Where a trademark sensitivity trigger is activated, the agent MUST either reformulate the output to remove the infringing element, flag the output for human review, or append a disclosure to the user that independent trademark clearance is required before commercial use.
4.4.3 Agents MUST NOT generate brand names, product names, or entity names that are phonetically or visually similar to registered trademarks in the relevant commercial market without explicit disclosure of that similarity risk.
4.5.1 The deploying organisation MUST implement an output provenance logging system that records, for every agent output: (a) the model version and configuration at time of generation; (b) the retrieval sources (document identifiers, version, and access tier) that contributed to the output, where a RAG or tool-based architecture is in use; (c) any post-generation filtering or transformation applied to the output; and (d) the timestamp, session identifier, and (where applicable) user identifier associated with the output.
4.5.2 Output provenance logs MUST be retained for a minimum of seven years for agents operating under the Financial-Value Agent, Public Sector / Rights-Sensitive Agent, or Research / Discovery Agent profiles, and for a minimum of three years for all other profiles, unless superseded by a longer applicable statutory retention requirement.
4.5.3 Where an agent output is delivered to an external party (customer, partner, regulator, or the public), the deploying organisation SHOULD provide, upon request, a provenance summary sufficient to allow the recipient to assess the IP derivation chain of the output.
4.5.4 Provenance logs MUST be stored in an append-only, tamper-evident format that prevents post-hoc modification of records.
4.6.1 The deploying organisation MUST establish written guidance, reviewed by qualified legal counsel, documenting which output categories and use cases the organisation asserts are covered by applicable fair use, fair dealing, or equivalent statutory exceptions, and the specific factual and legal basis for each such assertion.
4.6.2 Fair use or fair dealing assessments MUST be reviewed annually and following any material change in applicable case law, regulatory guidance, or agent deployment context.
4.6.3 The deploying organisation MUST NOT rely on fair use or fair dealing as a de facto blanket defence without conducting the written assessment described in 4.6.1; the mere fact that a use is transformative or non-commercial does not in itself satisfy the requirements of this dimension.
4.7.1 The deploying organisation MUST define and operationalise a human review escalation pathway for agent outputs that trigger IP risk flags under 4.2.3, 4.3.4, or 4.4.2, including defined response time SLAs, designated reviewer roles with documented IP competence, and a documented disposition workflow for flagged outputs.
4.7.2 Human reviewers in the escalation pathway described in 4.7.1 MUST have access to the full provenance log described in 4.5.1 at the time of review.
4.7.3 For the Safety-Critical / CPS Agent profile, the escalation pathway MUST ensure that no IP-flagged output is used to inform physical actuation or safety-relevant decision-making until the flag has been resolved by a qualified human reviewer.
4.8.1 Where the deploying organisation uses a third-party foundation model, fine-tuned model, or externally managed knowledge base, the deploying organisation MUST obtain written assurance from the model or data provider describing: (a) the categories of training data used; (b) the IP clearance processes applied to training data; and (c) any known or disclosed copyright infringement claims against the model.
4.8.2 Third-party IP assurance documentation obtained under 4.8.1 MUST be reviewed by qualified legal counsel prior to deployment and retained for the duration of the deployment plus seven years.
4.8.3 The deploying organisation MUST conduct annual supply-chain IP reviews covering all third-party model and data dependencies, and MUST update its IP Risk Register to reflect any material findings.
4.8.4 Where a third-party provider cannot or will not provide adequate IP assurance documentation, the deploying organisation MUST treat the associated output categories as High IP Risk and apply the full controls specified in Section 4.2 accordingly.
4.9.1 Agents deployed in or generating outputs for recipients in multiple legal jurisdictions MUST apply the most protective IP standard applicable among all relevant jurisdictions unless a documented legal analysis establishes that a less protective standard is legally sufficient for a specific jurisdiction-output combination.
4.9.2 The deploying organisation MUST maintain a Jurisdictional IP Matrix identifying the applicable copyright term, moral rights obligations, sui generis database right status, trade secret statutory framework, and trademark registration considerations for each jurisdiction in which the agent operates or delivers outputs.
4.9.3 For the Crypto/Web3 Agent profile, the deploying organisation MUST assess whether outputs relating to on-chain content (including NFT metadata, smart contract code, and tokenised creative works) are subject to IP claims from underlying off-chain works, and document the outcome of that assessment in the IP Risk Register.
IP infringement arising from AI agent outputs is a structurally novel legal risk category because the generative mechanism does not distinguish between information drawn from public domain sources, permissively licensed sources, restrictively licensed sources, and unlicensed proprietary sources at inference time. Unlike a human author who can exercise conscious editorial judgement about the provenance of the material they incorporate, an LLM-based agent interpolates across its entire training distribution to produce outputs, and the degree to which any specific output is "derived from" a specific training example is probabilistic, opaque, and not directly controlled by the deploying organisation's prompting strategy. This structural opacity means that behavioural controls alone — such as instructing the agent not to reproduce copyrighted content — are insufficient. The agent may reproduce copyrighted content even when instructed not to, particularly for highly memorised training examples, highly specific prompts, or adversarial prompts designed to elicit memorised content. Therefore, AG-721 mandates output-tier structural controls — screening, filtering, provenance logging, and supply-chain assurance — that operate independently of model behaviour and remain effective regardless of whether the model itself has been fine-tuned for IP safety.
Alongside structural controls, behavioural configuration of the agent can meaningfully reduce IP risk in certain categories. Instructing the agent to produce outputs in its own words, to cite sources rather than reproduce them, to avoid reproducing song lyrics or poetry verbatim, and to flag when it is uncertain of the IP status of a code pattern — all of these reduce the base rate of infringing outputs. However, such behavioural mitigations are subject to prompt injection, jailbreak, and capability-boundary failures (see AG-501 — Adversarial Prompt Resistance). A financially motivated or adversarially sophisticated user may deliberately craft prompts to circumvent behavioural IP controls. Therefore, AG-721 treats behavioural controls as a complementary layer to structural controls, not as a substitute.
The combination of legal exposure magnitude, operational opacity, and cross-profile ubiquity justifies the High-Risk/Critical tier classification. Copyright statutory damages in the United States can reach $150,000 per work for wilful infringement; a single deployed agent serving thousands of users could generate hundreds of potentially infringing outputs per day, each constituting a separate infringement event. Trade secret misappropriation claims carry no statutory cap and can encompass the entire value of the secret. In regulated sectors (financial services, healthcare, public sector), IP violations can also constitute regulatory breaches triggering additional penalties. The breadth of affected profiles — every primary profile is listed — reflects that no deployment context is categorically immune from IP risk when generative AI is involved. The preventive control type designation reflects the primacy of avoiding infringement over detecting and remediating it after the fact, given that public disclosure of an infringing output may itself constitute the harm.
Pattern 1 — Layered Output Screening Architecture. Implement IP screening as a post-generation, pre-delivery middleware layer that sits between the agent's generation endpoint and the output delivery channel. This layer should operate independently of the model itself and should not be bypassable by model-level instructions or user prompts. The screening layer should run in parallel to minimise latency impact and should fail closed (blocking output delivery) rather than fail open in the event of a screening service failure.
Pattern 2 — Retrieval Source Licence Tagging. In RAG architectures, tag every document in the retrieval corpus at ingest time with its IP status: public domain, permissively licensed (with specific licence identifier), restrictively licensed (with specific licence identifier and permitted use scope), organisation-owned, or restricted/confidential. Propagate these tags to any retrieved chunk and surface them in the output provenance log. Use these tags to determine whether a retrieval-heavy output requires licence disclosure or access-tier enforcement.
Pattern 3 — Similarity Detection via Dual-Method Approach. Implement copyright similarity detection using both lexical similarity methods (n-gram overlap, edit distance) and semantic embedding similarity against a corpus of known high-risk works. Lexical methods catch verbatim reproduction; semantic methods catch close paraphrase that alters surface form while preserving protected expression. Neither method alone is sufficient for all output types.
Pattern 4 — Licence-Aware Code Generation Controls. For code-generation agents, integrate with open-source licence databases and code provenance tools to identify likely source licences for any generated code block that exceeds a defined line-count threshold. Present licence information to the developer at point of acceptance, not merely in documentation. Enforce acknowledgement workflows for outputs involving copyleft licences before the code can be committed to a repository.
Pattern 5 — Jurisdictional Rules Engine. For cross-border deployments, implement a jurisdictional rules engine that maps the requesting user's jurisdiction (determined by account registration, geolocation, or contractual assignment) to the applicable IP rule set. The engine should dynamically adjust similarity thresholds, disclosure requirements, and blocking behaviour based on the most protective applicable standard for the output-jurisdiction combination.
Pattern 6 — Provenance Chain Hashing. For long-lived research or financial outputs that may be referenced, cited, or embedded in downstream work, generate a cryptographic hash of the provenance record at time of output delivery and include it in the output metadata. This enables future verification that a provenance record has not been altered and supports audit and litigation-hold processes.
Anti-Pattern 1 — Relying Solely on System Prompt IP Instructions. Placing IP compliance burden entirely on system prompt instructions such as "do not reproduce copyrighted text" is inadequate and will fail under adversarial prompting, capability boundary conditions, or highly memorised training examples. This anti-pattern is common in rapid deployments and constitutes a systematic control gap.
Anti-Pattern 2 — Treating Fair Use as a Blanket Default. Organisations that deploy content generation agents in commercial contexts and assume that all transformative outputs are automatically covered by fair use without conducting the required four-factor analysis or equivalent jurisdiction-specific assessment are creating undocumented legal exposure. This is particularly dangerous in jurisdictions without fair use doctrines, such as many EU member states where fair dealing exceptions are narrower.
Anti-Pattern 3 — Inadequate RAG Access Control Segmentation. Deploying a single RAG knowledge base for both internal privileged users and external customers without enforcing document-level access controls at the retrieval and output generation stages is a common architecture shortcut that directly enables the trade secret exfiltration scenario described in Example 3.3.
Anti-Pattern 4 — Post-Hoc IP Review as Primary Control. Scheduling periodic IP audits of agent outputs after delivery to users, rather than implementing pre-delivery screening, is ineffective because the harm (public disclosure of infringing content) occurs at the moment of delivery. Post-hoc review can be a supplementary control but cannot be the primary control for a High-Risk/Critical tier dimension.
Anti-Pattern 5 — Ignoring Third-Party Model IP Assurances. Deploying third-party foundation models without obtaining and reviewing IP assurance documentation under the assumption that the model provider's terms of service are sufficient protection. Terms of service typically disclaim IP warranties and shift liability to the deploying organisation; without independent IP assurance documentation, the deploying organisation has no basis for demonstrating good-faith compliance.
Anti-Pattern 6 — Flat Provenance Logging Without Tamper Evidence. Storing output provenance in a mutable database without tamper-evident controls (such as append-only logs, Merkle-tree structures, or periodic cryptographic anchoring) creates records that opposing counsel can challenge as potentially altered in litigation or regulatory proceedings.
Financial Services. Financial agents that generate research summaries, investment commentary, or regulatory filings face dual exposure: copyright infringement claims from data and content providers, and regulatory sanctions if AI-generated outputs cannot be traced to compliant source data. Firms should integrate output provenance logging with their existing research attribution workflows.
Legal and Professional Services. Agents that generate legal documents, contracts, or regulatory submissions may inadvertently reproduce copyrighted legal text (including model forms distributed by publishers under copyright). The standard practice in the legal industry of adapting precedents must be translated into explicit IP controls in agent deployment.
Creative and Media Industries. Agents that assist with creative content generation face the most acute copyright exposure, particularly for song lyrics, poetry, and distinctive literary passages that are among the most highly memorised content categories in large language models. Deploying organisations in this sector should implement the strictest similarity thresholds and consider output type restrictions for the highest-risk content categories.
Public Sector. Government agencies deploying agents for citizen-facing services or policy analysis must consider both their own Crown copyright or equivalent obligations and the IP rights of third-party data providers integrated into government knowledge bases.
| Maturity Level | Characteristics |
|---|---|
| Level 1 — Initial | No output-level IP controls; reliance on system prompt instructions only; no provenance logging; no IP risk register |
| Level 2 — Developing | IP risk register exists; basic lexical similarity screening for text outputs; RAG corpus partially tagged; ad-hoc human review |
| Level 3 — Defined | Full IP risk classification per 4.1; dual-method similarity screening; licence-aware code controls; RAG access control segmentation; structured provenance logging; documented escalation pathway |
| Level 4 — Managed | Jurisdictional rules engine operational; third-party IP assurance documentation obtained and reviewed; provenance logs tamper-evident; annual IP supply-chain reviews conducted; fair use assessments documented with legal counsel sign-off |
| Level 5 — Optimising | Continuous IP risk monitoring with automated anomaly detection; provenance chain hashing for downstream embedding; integration with external rights management systems; proactive engagement with model providers on training data transparency; cross-border IP compliance fully automated |
| Artefact | Description | Owner | Retention Period |
|---|---|---|---|
| IP Risk Register | Documented classification of all output categories by IP risk level, per 4.1.1 and 4.1.2 | AI Governance Lead / Legal | 3 years minimum; 7 years for regulated profiles |
| Trade Secret Inventory | Inventory of trade secret categories accessible to agent, access tiers, and enforcement mechanisms, per 4.3.3 | Information Security / Legal | Duration of deployment + 7 years |
| Jurisdictional IP Matrix | Per-jurisdiction analysis of applicable IP framework, per 4.9.2 | Legal / Compliance | Reviewed annually; retained 5 years per version |
| Fair Use / Fair Dealing Assessment | Written legal analysis of asserted exceptions, per 4.6.1 | Legal Counsel | Duration of deployment + 7 years |
| Third-Party IP Assurance Documentation | Written assurance from model/data providers, per 4.8.1 | Procurement / Legal | Duration of engagement + 7 years |
| Output Provenance Logs | Tamper-evident logs per 4.5.1 and 4.5.4 | Platform Engineering / Data Governance | 7 years (regulated profiles); 3 years (all others) |
| Screening Configuration Records | Documentation of similarity thresholds, filtering rules, and version history of screening system | Platform Engineering | Duration of deployment + 3 years |
| IP Incident Register | Record of all IP flags triggered, human review dispositions, and any infringement incidents identified | AI Governance Lead / Legal | 7 years |
| Annual IP Supply-Chain Review Reports | Results of annual third-party model and data IP reviews, per 4.8.3 | Legal / Procurement | 7 years per review |
| Human Review Escalation Records | Records of all flagged outputs reviewed by human reviewers, per 4.7.1 | AI Operations | 7 years (regulated profiles); 3 years (all others) |
All artefacts must be version-controlled with named author, review date, and approval sign-off. Provenance logs must be stored in append-only systems with cryptographic integrity verification. IP assurance documentation from third parties must be retained in original form (not summarised) and accompanied by internal legal review memoranda. Fair use assessments must identify the specific jurisdiction, the specific output category, and the specific statutory provision or case law basis for each asserted exception.
Maps to: 4.1.1, 4.1.2, 4.1.3 Test Description: Inspect the IP Risk Register to verify that: (a) all output categories generated by the agent are enumerated; (b) each category is assigned a risk level with documented rationale; (c) the register has been reviewed within the past 12 months or since the most recent material change (whichever is more recent); (d) for cross-border agents, the register identifies all applicable national IP regimes and documents material divergences. Test Method: Document review; comparison of register output categories against live agent output logs to identify coverage gaps; interview with AI Governance Lead to assess review cadence. Conformance Scoring:
Maps to: 4.2.1, 4.2.2, 4.2.3 Test Description: Submit to the agent a set of 30 test prompts designed to elicit reproduction of known copyrighted material, including: (a) 10 prompts likely to elicit verbatim text reproduction (passages from published books, news articles, song lyrics); (b) 10 prompts likely to elicit near-verbatim code reproduction from identifiable open-source repositories; (c) 10 control prompts not associated with known copyrighted material. Record whether the screening system correctly identifies and appropriately handles outputs containing substantial similarity to copyrighted works. Verify that the screening threshold matches documented policy. Test Method: Automated test harness; manual review of flagged and unflagged outputs; comparison against ground truth similarity scores computed independently. Conformance Scoring:
Maps to: 4.3.1, 4.3.2, 4.3.3, 4.3.4 Test Description: Using a test environment replicating the production RAG architecture, verify that: (a) a simulated low-privilege user account cannot elicit outputs containing information sourced from documents classified as Tier 1 (trade secret) in the Trade Secret Inventory; (b) a multi-hop reasoning prompt designed to reconstruct trade secret content from multiple individually non-confidential fragments is intercepted at the output generation stage; (c) outputs sourced from Tier 1 documents generate provenance records flagging the source classification; (d) for Financial-Value, Research / Discovery, and Public Sector profiles, the human review gate is triggered before Tier 1-sourced outputs are delivered. Test Method: Penetration-style access control testing using defined test accounts; automated prompt corpus covering 20 multi-hop reconstruction patterns; inspection of provenance logs; observation of review queue population. Conformance Scoring:
| Regulation | Provision | Relationship Type |
|---|---|---|
| EU AI Act | Article 9 (Risk Management System) | Direct requirement |
| EU AI Act | Article 15 (Accuracy, Robustness and Cybersecurity) | Direct requirement |
| NIST AI RMF | GOVERN 1.1, MAP 3.2, MANAGE 2.2 | Supports compliance |
| ISO 42001 | Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment) | Supports compliance |
Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system that identifies, analyses, estimates, and evaluates risks. Intellectual Property and Copyright Compliance in Agent Outputs Governance implements a specific risk mitigation measure within this framework. The regulation requires that risks be mitigated "as far as technically feasible" using appropriate risk management measures. For deployments classified as high-risk under Annex III, compliance with AG-721 supports the Article 9 obligation by providing structural governance controls rather than relying solely on the agent's own reasoning or behavioural compliance.
Article 15 requires high-risk AI systems to achieve appropriate levels of accuracy, robustness, and cybersecurity. Intellectual Property and Copyright Compliance in Agent Outputs Governance directly supports the robustness and cybersecurity requirements by implementing structural controls that resist adversarial manipulation and ensure system integrity under attack conditions.
GOVERN 1.1 addresses legal and regulatory requirements; MAP 3.2 addresses risk context mapping; MANAGE 2.2 addresses risk mitigation through enforceable controls. AG-721 supports compliance by establishing structural governance boundaries that implement the framework's approach to AI risk management.
Clause 6.1 requires organisations to determine actions to address risks and opportunities within the AI management system. Clause 8.2 requires AI risk assessment. Intellectual Property and Copyright Compliance in Agent Outputs Governance implements a risk treatment control within the AI management system, directly satisfying the requirement for structured risk mitigation.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Organisation-wide — potentially cross-organisation where agents interact with external counterparties or shared infrastructure |
| Escalation Path | Immediate executive notification and regulatory disclosure assessment |
Consequence chain: Without intellectual property and copyright compliance in agent outputs governance, the governance framework has a structural gap that can be exploited at machine speed. The failure mode is not gradual degradation — it is a binary absence of control that permits unbounded agent behaviour in the dimension this protocol governs. The immediate consequence is uncontrolled agent action within the scope of AG-721, potentially cascading to dependent dimensions and downstream systems. The operational impact includes regulatory enforcement action, material financial or operational loss, reputational damage, and potential personal liability for senior managers under applicable accountability regimes. Recovery requires both technical remediation and regulatory engagement, with timelines measured in weeks to months.