Cross-Organisation Policy Federation Governance

2. Summary

Cross-Organisation Policy Federation Governance requires that when AI agents from different organisations interact, collaborate, or share resources, a formally defined policy federation framework governs the interaction. Each participating organisation retains sovereignty over its own governance policies while a federation layer resolves conflicts, enforces the most restrictive applicable policy at each decision point, and maintains a shared audit trail. Without this dimension, multi-organisation agent ecosystems default to ad hoc trust assumptions — Organisation A's agent trusts Organisation B's agent to comply with policies it cannot verify, creating governance gaps that no single organisation can detect or remediate.

3. Example

Scenario A — Policy Conflict Creates Regulatory Breach Across Jurisdictions: A UK-based insurance firm (Org Alpha) and a German reinsurance company (Org Beta) deploy agents that negotiate treaty placements. Org Alpha's policy permits automated treaty binding up to £2,000,000 without human approval. Org Beta's policy requires human approval for any commitment exceeding €500,000 (approximately £430,000). There is no federation layer — the agents negotiate directly via API. Org Alpha's agent proposes a treaty at £1,800,000 and Org Beta's agent accepts it automatically because it evaluates the action against Org Alpha's stated limit rather than its own. Org Beta has now made an €2,100,000 commitment without the human approval its own policy requires. BaFin opens an investigation into Org Beta's governance controls.

What went wrong: No federation framework existed to evaluate the proposed action against both organisations' policies simultaneously. Org Beta's agent relied on Org Alpha's policy statement rather than enforcing its own. There was no mechanism to apply the most restrictive policy across the federation. Consequence: €2,100,000 unauthorised commitment, BaFin regulatory investigation, potential Lloyd's market sanctions for Org Alpha.

Scenario B — Data Governance Policy Mismatch in Agent-to-Agent Data Sharing: A hospital trust (Org Cedar) deploys a clinical research agent that shares anonymised patient data with a pharmaceutical company's (Org Pine) research agent. Org Cedar's policy requires k-anonymity with k=10 and prohibits sharing genetic markers. Org Pine's agent requests a dataset and Org Cedar's agent provides it with k=5 anonymity (below its own threshold) because the federation API did not transmit Org Cedar's anonymisation requirements — only the data schema. The dataset includes genetic markers in a field labelled "biomarker_panel" which Org Pine's agent treats as permitted. Six months later, an ICO audit identifies the breach. Org Cedar faces a £4,200,000 GDPR fine and Org Pine faces a £1,800,000 fine.

What went wrong: The federation protocol transmitted data structure but not data governance metadata. Policy constraints were not machine-readable in the federation layer. Neither agent could evaluate the other organisation's data governance requirements. Consequence: £6,000,000 combined GDPR fines, clinical trial data integrity questioned, research programme suspended.

Scenario C — Cascading Authority Escalation Across Federated Organisations: Three logistics companies (Org X, Org Y, Org Z) federate their routing agents to optimise cross-network deliveries. Org X's policy requires human approval for route changes affecting hazardous materials. Org Y's agent, operating within its own policy that permits automated route changes for all cargo types, re-routes a shipment that Org X's agent originally planned. The shipment contains hazardous materials — a fact encoded in Org X's cargo manifest but not transmitted through the federation protocol. The re-routing sends a hazardous materials shipment through a residential zone in violation of ADR regulations. The HSE issues enforcement notices against all three organisations.

What went wrong: The federation protocol did not transmit cargo classification constraints. Org Y's agent applied its own policy to cargo governed by Org X's more restrictive policy. No federation-level mechanism existed to enforce the most restrictive applicable policy. Consequence: ADR regulatory violation, HSE enforcement notices, potential criminal liability for dangerous goods transport violations.

4. Requirement Statement

Scope: This dimension applies to all scenarios where AI agents from two or more distinct organisations interact in ways that create mutual obligations, shared resource commitments, data exchanges, or coordinated actions. "Distinct organisations" includes: separate legal entities, separate business units with independent governance frameworks, joint ventures where each party maintains independent governance, and outsourced operations where the service provider's agents interact with the client's governance framework. The scope includes both direct agent-to-agent interactions and intermediated interactions through shared platforms, marketplaces, or orchestration layers. The scope excludes purely read-only information queries where no commitment, data transfer, or action coordination occurs — though organisations should assess whether repeated read-only queries could constitute a data exchange pattern requiring governance. Where agents interact across jurisdictional boundaries, AG-047 applies concurrently.

4.1. A conforming system MUST establish a machine-readable federation agreement before any governed interaction between agents of different organisations, specifying each organisation's policy constraints, authority limits, data governance requirements, and dispute resolution procedures.

4.2. A conforming system MUST enforce the most restrictive applicable policy at every decision point where federated agents interact — if Organisation A permits an action but Organisation B's policy prohibits it, the action MUST be blocked.

4.3. A conforming system MUST maintain a shared, append-only audit trail of all federated interactions that is independently verifiable by each participating organisation.

4.4. A conforming system MUST validate that each participating organisation's agent operates within its own governance constraints before permitting federated actions — no organisation's agent may bypass its own policies through federation.

4.5. A conforming system MUST transmit governance-relevant metadata (authority limits, data classification, cargo restrictions, jurisdictional constraints) alongside operational data in every federated interaction.

4.6. A conforming system MUST implement federation-level escalation procedures for actions that require human approval under any participating organisation's policy, routing the escalation to the correct human authority in the correct organisation.

4.7. A conforming system SHOULD implement policy compatibility verification at federation establishment time, identifying potential conflicts before operational interactions begin.

4.8. A conforming system SHOULD support dynamic policy updates within the federation, propagating policy changes to all participating agents within a defined latency window (recommended: under 60 seconds for active federations).

4.9. A conforming system SHOULD implement federation-level rate limiting and aggregate exposure tracking across all participating organisations.

4.10. A conforming system MAY implement a federation trust framework with tiered trust levels based on the governance maturity of each participating organisation.

4.11. A conforming system MAY implement policy negotiation protocols that allow agents to propose alternative action parameters when the initial proposal conflicts with a federation partner's policy.

5. Rationale

As AI agents become operational participants in supply chains, financial markets, healthcare networks, and logistics systems, they increasingly interact with agents operated by other organisations. Each organisation has its own governance policies — spending limits, data handling rules, safety constraints, regulatory obligations, and risk appetites. When agents from different organisations interact without a policy federation framework, the governance posture of the interaction defaults to the weakest participant's controls.

This is analogous to the challenge of federated identity management, but more consequential. When two organisations federate authentication, a failure means an unauthorised user gains access. When two organisations federate agent governance, a failure means an autonomous system takes actions that violate one or both organisations' policies — potentially creating financial commitments, regulatory breaches, or safety incidents that neither organisation individually authorised.

The most-restrictive-policy principle is the foundation of federation governance. When organisations collaborate through human intermediaries, the humans naturally apply professional judgement to identify and respect the more restrictive constraint. Agents lack this implicit capability — they must be given an explicit mechanism to identify and enforce the most restrictive applicable policy across all federation participants. Without this mechanism, the agent defaults to its own organisation's policy, which may be more permissive than its counterpart's.

The shared audit trail requirement addresses the accountability challenge unique to multi-organisation agent interactions. When two organisations' agents complete a transaction that later proves problematic, each organisation will examine its own audit trail. If these trails are independent and potentially inconsistent, disputes become irresolvable. A shared, append-only trail that both organisations can verify provides the common factual basis needed for dispute resolution, regulatory response, and forensic investigation.

6. Implementation Guidance

AG-188 implementation requires establishing a federation protocol layer, a policy resolution engine, and a shared audit infrastructure.

Recommended Patterns:

• Federation agreement as code. Express the federation agreement as a machine-readable artefact (JSON Schema, protocol buffer definition, or formal specification) that both organisations' systems can parse and enforce automatically. The agreement should specify: each organisation's authority limits, data classification requirements, escalation procedures, dispute resolution mechanisms, and termination conditions. Version the agreement with the same rigour as individual governance policies per AG-007.
• Policy intersection engine. Implement a policy evaluation engine that takes the proposed action and each organisation's policy as inputs and outputs the most restrictive applicable constraint. For numeric limits, this is the minimum. For permitted action sets, this is the intersection. For data governance, this is the union of all restrictions. The engine should produce a machine-readable explanation of which policy was binding at each decision point, supporting audit and dispute resolution.
• Distributed ledger audit trail. Implement the shared audit trail as a distributed ledger or hash-chained log replicated to all federation participants. Each entry should include: the action, the policies evaluated, the binding policy at each decision point, the outcome, and cryptographic signatures from both organisations' governance systems. This ensures neither organisation can retroactively alter its record of the interaction.
• Governance metadata envelope. Wrap every federated message in a governance metadata envelope that travels with the operational payload. The envelope should include: the originating organisation's authority level, data classification tags, jurisdictional constraints, applicable regulatory frameworks, and any action-specific restrictions (e.g., hazardous materials classification, patient data sensitivity level). The receiving agent must parse the envelope before processing the payload.
• Federation gateway architecture. Implement federation interactions through a dedicated gateway service that: (a) validates outbound requests against the local organisation's policies, (b) attaches governance metadata envelopes, (c) validates inbound requests against the federation agreement, (d) evaluates the combined policy constraint, and (e) logs all interactions to the shared audit trail. Neither organisation's agent should interact directly with the other — all interactions pass through the federation gateways.

Anti-patterns to avoid:

• Trust-by-assertion. Accepting a partner organisation's claim that an action complies with its policies without independent verification. Organisation A's agent should not trust Organisation B's assertion that "this is within our policy" — it should receive Organisation B's policy constraints and verify compliance independently.
• Policy translation without formal mapping. Translating one organisation's policy into another's terminology without a formal, verified mapping. "Org A's 'low risk' equals Org B's 'standard'" is a policy mapping that must be formally defined, agreed, and version-controlled — not assumed.
• Single-organisation audit trail. Relying on one organisation to maintain the authoritative audit trail for federated interactions. This creates an information asymmetry that undermines accountability and dispute resolution.
• Bilateral-only federation. Implementing federation only as point-to-point agreements between pairs of organisations. In a multi-party ecosystem, this creates O(n²) agreements and makes it impossible to enforce consistent governance across the ecosystem. Consider multilateral federation frameworks for ecosystems with more than 3 participants.
• Ignoring policy version synchronisation. If Organisation A updates its policy but the federation layer continues enforcing the old policy, a governance gap exists. Policy updates must propagate to the federation layer within the defined latency window.

Industry Considerations

Financial Services. Cross-organisation agent interactions in financial services must comply with existing market conduct rules. The federation agreement should map to existing inter-dealer broker agreements, market-making obligations, and best execution requirements. MiFID II transaction reporting obligations apply to federated agent transactions. The FCA's expectations for outsourcing and third-party risk management (SYSC 8) apply to federation arrangements.

Healthcare. Cross-organisation data sharing in healthcare is governed by data sharing agreements (DSAs) under GDPR and the common law duty of confidentiality. The federation agreement must implement the DSA's technical controls. Caldicott Guardian approval requirements must be enforceable through the federation layer. NHS Digital's Data Security and Protection Toolkit requirements apply to all federation participants.

Supply Chain and Logistics. Cross-organisation routing and logistics federation must enforce cargo-specific constraints (ADR for hazardous materials, ATP for perishable goods, CITES for protected species). The federation metadata envelope must transmit cargo classification as a first-class governance attribute, not as optional supplementary data.

Crypto/Web3. Cross-organisation federation in decentralised finance presents unique challenges because organisational boundaries may be blurred. Smart contract-based federation agreements provide on-chain enforceability but must still satisfy off-chain regulatory requirements. The Travel Rule (FATF Recommendation 16) applies to agent-to-agent value transfers across organisations.

Maturity Model

Basic Implementation — Federation agreements exist as documented policies between organisations. Policy conflict resolution is manual — when agents detect a conflict, they escalate to human operators who resolve it. The audit trail is maintained independently by each organisation. This meets minimum requirements but introduces latency through manual resolution and creates audit trail inconsistency risk.

Intermediate Implementation — Federation agreements are machine-readable and automatically enforced. A policy intersection engine evaluates every federated action against all participating organisations' policies and enforces the most restrictive constraint. The shared audit trail is replicated to all participants with cryptographic integrity protection. Governance metadata envelopes accompany all federated messages. Policy updates propagate to the federation layer within 60 seconds.

Advanced Implementation — All intermediate capabilities plus: formal verification of policy compatibility at federation establishment, automated policy negotiation for conflict resolution within pre-approved parameters, federation-level aggregate exposure tracking, dynamic trust scoring based on partner governance maturity assessments, multi-party federation frameworks supporting ecosystem-wide governance, and real-time federation health monitoring with automatic degradation to conservative interaction modes when governance integrity is at risk.

7. Evidence Requirements

Required artefacts:

• Federation agreement artefact. The machine-readable federation agreement for each active federation, including version history. Not a prose summary — the actual enforceable specification.
• Policy intersection logs. Records of every policy evaluation at federation decision points, showing which organisation's policy was binding and why. Minimum 12 months retention.
• Shared audit trail. The complete, cryptographically protected audit trail of all federated interactions, verifiable by all participating organisations. Minimum 12 months retention.
• Governance metadata examples. Sample governance metadata envelopes demonstrating that governance constraints are transmitted with operational data.
• Federation escalation records. Records of all escalations triggered by federation policy conflicts, including the resolution decision, the resolving authority, and the time to resolution.

Retention requirements:

• Federation agreements, policy intersection logs, and shared audit trails: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Each participating organisation must be able to independently produce its copy of the shared audit trail to regulators within 48 hours. Federation agreements must be producible on demand.

8. Test Specification

Test 8.1: Most-Restrictive Policy Enforcement

• Stimulus: Configure two federated organisations with different limits — Org A permits actions up to £100,000, Org B permits up to £50,000. Submit a federated action for £75,000.
• Expected behaviour: The action is blocked because it exceeds Org B's £50,000 limit, even though it is within Org A's limit.
• Pass criteria: The action is blocked with a structured rejection identifying Org B's policy as the binding constraint.
• Fail criteria: The action executes, or the rejection does not identify the binding policy.

Test 8.2: Governance Metadata Transmission

• Stimulus: Initiate a federated interaction where the originating organisation's cargo/data is subject to specific restrictions (e.g., hazardous materials classification, patient data sensitivity). Inspect the message received by the partner's federation gateway.
• Expected behaviour: The governance metadata envelope contains all relevant restrictions in machine-readable format.
• Pass criteria: The receiving gateway can parse and enforce all governance constraints from the metadata envelope. No governance-relevant constraint is missing.
• Fail criteria: Any governance constraint is absent from the metadata envelope, or the receiving gateway cannot parse the constraints.

Test 8.3: Shared Audit Trail Consistency

• Stimulus: Execute 100 federated interactions. Extract the audit trail from each participating organisation independently.
• Expected behaviour: Both organisations' copies of the audit trail contain identical entries for all 100 interactions.
• Pass criteria: Byte-for-byte match of audit entries (excluding organisation-specific metadata). No entries are missing from either copy.
• Fail criteria: Any interaction is missing from either copy, or the entries differ in substance.

Test 8.4: Federation Agreement Absence Defaults to Deny

• Stimulus: Attempt a federated interaction between two organisations that have not established a federation agreement.
• Expected behaviour: The interaction is blocked with a structured rejection indicating no federation agreement exists.
• Pass criteria: No federated action executes without an active federation agreement.
• Fail criteria: Any federated action executes in the absence of a federation agreement.

Test 8.5: Policy Update Propagation

• Stimulus: Update one organisation's policy to add a new restriction. Measure the time until the federation layer enforces the new restriction.
• Expected behaviour: The federation layer enforces the updated policy within the configured propagation window (default: 60 seconds).
• Pass criteria: The new restriction is enforced within the propagation window. Actions submitted during the propagation delay that would violate the new restriction are either blocked or queued.
• Fail criteria: The federation layer continues enforcing the old policy beyond the propagation window.

Test 8.6: Cross-Organisation Escalation Routing

• Stimulus: Submit a federated action that requires human approval under one organisation's policy but not the other's. Verify that the escalation reaches the correct human authority in the correct organisation.
• Expected behaviour: The action is held pending approval. The escalation notification reaches the designated authority in the organisation whose policy requires approval.
• Pass criteria: The correct authority receives the escalation. The action does not execute until approval is granted. If approval is denied, the action is blocked.
• Fail criteria: The escalation reaches the wrong organisation, the wrong authority, or the action executes without the required approval.

Test 8.7: Self-Policy Bypass Prevention

• Stimulus: Attempt to use a federation interaction to circumvent the originating organisation's own policy — e.g., Org A's agent attempts an action that Org A's policy prohibits by routing it through a more permissive federation partner.
• Expected behaviour: The action is blocked by Org A's own governance layer before it reaches the federation.
• Pass criteria: No organisation's agent can bypass its own policies through federation. The originating organisation's policy is evaluated before federation policy.
• Fail criteria: Any agent successfully circumvents its own organisation's policy through a federated interaction.

Conformance Scoring

• Score 0: No federation governance — agents from different organisations interact without policy coordination, relying entirely on each agent's own policies.
• Score 1: Federation agreements exist as documents but are not machine-enforced — humans review cross-organisation interactions against written agreements.
• Score 2: Machine-readable federation agreements with automated most-restrictive-policy enforcement, governance metadata envelopes, and a shared audit trail — structural federation governance.
• Score 3: All Score 2 capabilities verified by independent testing, plus formal policy compatibility verification, dynamic policy propagation, federation-level aggregate tracking, and cross-organisation escalation routing with verified delivery.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 25 (Responsibilities Along the AI Value Chain)	Direct requirement
GDPR	Article 26 (Joint Controllers)	Direct requirement
GDPR	Article 28 (Processor Agreements)	Supports compliance
FCA SYSC	8.1 (Outsourcing Requirements)	Supports compliance
MiFID II	Article 25 (Best Execution)	Supports compliance
DORA	Article 28 (ICT Third-Party Risk)	Direct requirement
NIST AI RMF	GOVERN 1.2, MAP 5.1	Supports compliance
ISO 42001	Clause 8.4 (Externally Provided Processes)	Supports compliance

EU AI Act — Article 25 (Responsibilities Along the AI Value Chain)

Article 25 establishes responsibilities for parties along the AI value chain, including importers, distributors, and deployers. When agents from different organisations interact, each organisation may have different roles under the AI value chain. The federation agreement must clearly allocate AI Act responsibilities — particularly who is the "provider" and who is the "deployer" for governance purposes when agents collaborate. AG-188's federation agreement framework provides the mechanism for this allocation.

GDPR — Article 26 (Joint Controllers)

When agents from two organisations jointly determine the purposes and means of processing personal data, the organisations are joint controllers under Article 26. The federation agreement must include the Article 26 arrangement in a machine-enforceable format, specifying each organisation's obligations regarding data subject rights, data protection impact assessments, and breach notification. AG-188's governance metadata envelope ensures that data protection constraints travel with the data through federated interactions.

DORA — Article 28 (ICT Third-Party Risk)

Article 28 requires financial entities to manage ICT third-party risk, including maintaining a register of all ICT third-party arrangements. Federation agreements between AI agents constitute ICT third-party arrangements subject to DORA's requirements. The federation agreement must satisfy DORA's contractual requirements including audit rights, subcontracting restrictions, and exit strategies.

FCA SYSC — 8.1 (Outsourcing Requirements)

The FCA's outsourcing requirements apply when a firm's agent relies on another organisation's agent to perform a regulated function. The federation agreement must satisfy SYSC 8.1.1R requirements including the firm's ability to monitor the outsourced function, maintain operational continuity, and ensure the outsourced function meets regulatory standards.

MiFID II — Article 25 (Best Execution)

When agents from different organisations execute financial transactions through federation, best execution obligations apply. The federation framework must ensure that the executing agent applies best execution criteria across all federated venues, not just within its own organisation's default routing.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Cross-organisation — affects all organisations in the federation and potentially their respective regulators and customers

Consequence chain: Without cross-organisation policy federation governance, the governance posture of multi-organisation agent interactions defaults to the least restrictive participant's controls. This creates systematic governance gaps: actions that Organisation A's policy would prohibit are executed because Organisation B's more permissive policy governs the interaction point. The failure compounds across organisations — each organisation's audit trail shows compliance with its own policies, but the aggregate interaction violates one or more participants' governance frameworks. Regulatory exposure multiplies because each organisation may be regulated by different authorities, each of which expects the organisation's governance controls to be effective regardless of federation arrangements. Financial exposure scales with the number of federated interactions and the size of the governance gap between participants' policies. The reputational consequence is severe because neither organisation can claim it was unaware of the other's policy constraints — the absence of a federation framework is itself a governance failure.

Cross-references: AG-001 (Operational Boundary Enforcement) — federation must not weaken any participant's mandate enforcement; AG-007 (Governance Configuration Control) — federation agreements are governance artefacts requiring version control; AG-009 (Delegated Authority Governance) — federation involves delegating authority across organisational boundaries; AG-017 (Multi-Party Authorisation) — federated actions requiring multiple approvals map to multi-party authorisation flows; AG-047 (Cross-Jurisdiction Compliance) — cross-border federations face overlapping regulatory requirements; AG-187 (Offline/Edge Policy Continuity) — federated policy caching during disconnection amplifies staleness risks; AG-191 (Multi-Human Authority Conflict Governance) — federated escalations may create conflicts between human authorities from different organisations.