Role-Segregated Control Ownership Governance

2. Summary

Role-Segregated Control Ownership Governance requires that every material AI agent control has distinct, named owners for each lifecycle function: build, operate, approve, validate, and audit. No single individual or team may hold more than one of these roles for the same control without a documented, risk-assessed, and time-limited exception. This dimension prevents the concentration of authority that creates unchecked decision-making, ensures that the person who builds a control is not the same person who approves it, and guarantees that the person who operates a control is not the same person who audits it. Without role segregation, governance becomes self-referential — the builder marks their own work, the operator certifies their own compliance, and the auditor reviews their own decisions.

3. Example

Scenario A — Builder-Approver Collapse in a Financial Agent: A fintech deploys an AI trading agent with a risk-limit control. The same engineer who coded the limit-enforcement logic also holds approval authority for configuration changes. During a product launch, the engineer raises the daily aggregate limit from £500,000 to £5,000,000 to accommodate expected volume, approving the change themselves. The agent accumulates £4.2 million in exposure before end-of-day review. The risk committee had never approved operations above £1,000,000.

What went wrong: The build and approve roles were held by one person. No independent approval gate existed. The change bypassed the risk committee's authority because the person making the change was also the person authorising it. Consequence: £4.2 million in unapproved exposure, FCA investigation under the Senior Managers Regime, personal liability for the engineer under SM&CR, insurance claim disputed on grounds that segregation-of-duties controls were absent.

Scenario B — Operator-Auditor Collapse in Healthcare: A hospital deploys an AI triage agent. The operations team that monitors the agent's daily performance is also responsible for the quarterly compliance audit. During the audit period, the team identifies that the agent has been routing low-acuity patients incorrectly for 6 weeks but classifies the issue as a "known monitoring item" rather than a compliance finding, because reporting it as a finding would trigger a mandatory remediation that would disrupt their operational workflow. The regulator discovers the suppressed finding during an inspection 4 months later.

What went wrong: The operate and audit roles were held by the same team. The team had a conflict of interest — reporting their own operational failure as an audit finding created personal consequences. No independent audit function existed to provide objective assessment. Consequence: Regulatory enforcement action, mandatory independent audit engagement, reputational damage, potential patient safety review for the 6-week period.

Scenario C — Validator Self-Certification in Critical Infrastructure: An energy company deploys an AI load-balancing agent. The team responsible for validating the agent's behaviour against safety thresholds is the same team that developed the safety thresholds. When the agent exhibits borderline behaviour — operating at 98.7% of a thermal limit — the validation team adjusts the threshold from 95% to 99% rather than flagging the agent's behaviour as a near-miss. Their rationale: "We set the original threshold conservatively; 99% is still within engineering tolerances." Three months later, the agent operates at 99.3% of the revised threshold, and equipment damage occurs.

What went wrong: The build (threshold definition) and validate (threshold compliance checking) roles were held by the same team. The team's familiarity with their own design decisions led them to adjust standards rather than flag deviations. Consequence: Equipment damage valued at £2.3 million, HSE investigation, mandatory independent safety case review, operational shutdown for 14 days.

4. Requirement Statement

Scope: This dimension applies to all AI agent deployments where controls govern agent behaviour that can affect external state, governed exposure, personal data, safety-critical systems, or regulatory compliance. The scope covers every control artefact — mandate definitions, configuration parameters, monitoring rules, escalation thresholds, approval workflows, and audit programmes. For each such control, five distinct lifecycle roles exist: builder (creates or modifies the control), operator (runs the control day-to-day), approver (authorises changes to the control), validator (independently tests that the control works as intended), and auditor (provides independent assurance that the control meets governance requirements). The scope extends to automated controls: even where control execution is automated, the human roles of designing, approving, validating, and auditing that automation must be segregated. Organisations with fewer than 5 people involved in agent governance may apply a risk-based exception per requirement 4.8 but must document the residual risk accepted.

4.1. A conforming system MUST assign each material agent control to distinct named owners for the build, operate, approve, validate, and audit functions, such that no single individual holds more than one role for the same control.

4.2. A conforming system MUST maintain a machine-readable register of control-to-role assignments, updated within 5 business days of any change in personnel or role allocation.

4.3. A conforming system MUST enforce role segregation through access controls — the builder's credentials SHALL NOT permit approval actions, the operator's credentials SHALL NOT permit audit actions, and so on for all incompatible role pairs.

4.4. A conforming system MUST detect and alert on any attempt to exercise a role that the individual is not assigned to, within 60 seconds of the attempt.

4.5. A conforming system MUST require that any exception to role segregation is documented with a risk assessment, approved by a person at least one management level above the exception holder, and limited to a maximum duration of 90 days.

4.6. A conforming system SHOULD implement role segregation at the identity-provider level, binding role assignments to authentication tokens rather than relying on application-layer enforcement alone.

4.7. A conforming system SHOULD generate a monthly segregation-of-duties conflict report identifying any individuals who held incompatible roles during the reporting period.

4.8. A conforming system MAY permit combined roles in organisations with fewer than 5 individuals involved in agent governance, provided the combination is documented, risk-assessed, compensating controls are in place, and the exception is reviewed quarterly.

4.9. A conforming system MUST log all role assignment changes with attribution, timestamp, and justification, retaining logs for the same period as the control's evidence requirements.

5. Rationale

Role-Segregated Control Ownership Governance exists because concentrated authority is the most reliable predictor of governance failure. When the same person or team builds a control and approves it, the approval process has no independent perspective. When the same person operates a control and audits it, the audit cannot be objective. When the same person validates a control's effectiveness and designed the control, validation degenerates into confirmation bias.

This is not a theoretical concern. Every major financial control failure of the past two decades — from rogue trading incidents to accounting frauds — has featured a breakdown in segregation of duties as either a root cause or a critical enabler. The same dynamics apply to AI agent governance, amplified by two factors unique to AI systems. First, AI agent controls are technically complex, creating a temptation to consolidate roles in the small number of people who understand the system — precisely the circumstance where segregation is most important. Second, AI agents operate at machine speed, meaning that a failure in a control that is not independently validated or audited can accumulate consequences far faster than a human-operated process.

The five-role model (build, operate, approve, validate, audit) maps directly to the three lines of defence framework used in financial services and increasingly adopted across regulated sectors. The builder and operator sit in the first line (business operations). The approver and validator sit in the second line (risk and compliance oversight). The auditor sits in the third line (independent assurance). AG-259 enforces the structural separation that makes the three lines of defence meaningful rather than nominal.

Without AG-259, an organisation may have a three-lines-of-defence framework on paper but collapse it in practice because the same people wear multiple hats. AG-259 requires that the hats cannot be worn by the same person — and that this constraint is enforced structurally, not merely documented in policy.

6. Implementation Guidance

The core implementation challenge for AG-259 is mapping abstract role definitions to concrete, enforceable access controls. A role assignment that exists only in a governance document but is not enforced through system access is a policy, not a control. AG-259 requires the control.

Recommended patterns:

• RACI matrix with access-control binding. Maintain a RACI (Responsible, Accountable, Consulted, Informed) matrix for every material agent control. Bind each role assignment to a corresponding access-control group in the identity provider. When a person is assigned the "builder" role for a control, they receive builder-group membership for that control's configuration systems. They do not receive approver-group, validator-group, or auditor-group membership. The identity provider enforces the segregation — the governance document defines it.
• Workflow-enforced approval chains. Implement control changes through a workflow system that requires approvals from users in the approver role. The workflow system verifies role membership at the point of approval — it does not accept approvals from users in the builder role, even if those users have administrative access to the underlying system. The workflow enforces the sequence: build (by builder) → approve (by approver) → deploy (by operator) → validate (by validator).
• Segregation verification as a deployment gate. Before any control change is deployed, an automated check verifies that the change was built by a user in the builder role, approved by a different user in the approver role, and that no incompatible role combination was involved. If the check fails, deployment is blocked. This makes segregation enforcement part of the deployment pipeline, not a post-hoc audit finding.
• Rotation schedules. Rotate role assignments on a defined schedule (e.g., annually for audit roles, every 18 months for validator roles) to prevent excessive familiarity and ensure fresh perspective. Rotation also serves as a succession planning mechanism (intersects with AG-264).

Anti-patterns to avoid:

• Paper-only segregation. The most common anti-pattern: the organisation has a governance document stating that roles are segregated, but system access allows any team member to perform any function. When an incident occurs and the regulator asks for evidence of segregation, the organisation can produce the document but not the access logs demonstrating enforcement.
• Segregation by intention, not by architecture. "We trust our team members to only exercise their assigned roles" is not segregation. Segregation requires that the system prevents the exercise of unassigned roles, not that people choose not to exercise them. This is structurally identical to the AG-001 principle that boundaries must be in infrastructure, not in instructions.
• Emergency bypass without controls. Organisations sometimes argue that emergencies require role collapse — "in an incident, the developer needs to approve and deploy immediately." AG-259 does not prohibit emergency procedures but requires that they are pre-defined, logged, time-limited (requirement 4.5), and reviewed after the fact. An undocumented, unlogged emergency bypass is not an emergency procedure — it is an uncontrolled exception.
• Conflating team segregation with role segregation. Having separate teams for development and operations does not automatically satisfy AG-259 if the same individual within a team holds multiple roles. The segregation must be at the individual level for each specific control, not at the team level generally.
• Segregation without coverage planning. Segregating roles creates a key-person dependency: if the sole approver is unavailable, no changes can be approved. Without coverage planning (AG-264), segregation creates operational brittleness. Segregation and succession planning must be implemented together.

Industry Considerations

Financial Services. Role segregation maps directly to existing SM&CR (Senior Managers & Certification Regime) requirements. Each of the five roles should map to an SM&CR Prescribed Responsibility or a Certification Function. The approved person who holds the Prescribed Responsibility for AI governance should not also hold operational roles for specific agent controls. FCA expectations under SYSC 5.1.7G explicitly require segregation of duties in the management of conflicts of interest, which applies directly when agent controls affect financial outcomes.

Healthcare. In clinical settings, the separation between the team that configures clinical AI agents (builders) and the clinical governance committee that approves their use (approvers) is often well-established. The gap is typically between operation and validation: the team running the agent daily may also be responsible for assessing its clinical effectiveness, creating a conflict. AG-259 requires that validation of clinical AI agent performance is performed by an independent clinical review function.

Critical Infrastructure. Safety-critical deployments require that the audit function is demonstrably independent — often an external party. IEC 62443 explicitly requires role-based access control with segregation of duties for control system operations. AG-259 extends this to the AI agent layer operating within or alongside those control systems.

Maturity Model

Basic Implementation — The organisation has documented role assignments for each material agent control, assigning named individuals to build, operate, approve, validate, and audit roles. Role assignments are maintained in a spreadsheet or governance document. Access controls exist but may not perfectly mirror role assignments — some individuals may have system access beyond their assigned role, mitigated by policy. No automated detection of role conflicts.

Intermediate Implementation — Role assignments are enforced through identity-provider group memberships that correspond to specific control functions. The workflow system requires approvals from users in the correct role group. Automated monthly conflict reports identify any instances where role segregation was not maintained. Exceptions follow the documented exception process with time limits and management approval. Role assignment changes are logged with attribution and justification.

Advanced Implementation — All intermediate capabilities plus: segregation verification is a mandatory gate in the deployment pipeline — no control change deploys without verified segregation. Real-time alerts trigger within 60 seconds of any attempt to exercise an unassigned role. Role assignments are dynamically verified against the identity provider at each access decision, not cached. Independent adversarial testing has verified that no combination of system access can bypass role segregation. Rotation schedules are automated and enforced. The organisation can demonstrate to regulators that at no point in the past 12 months did any individual hold incompatible roles without a documented, approved exception.

7. Evidence Requirements

Required artefacts:

• Control-to-role register. Machine-readable register (JSON, YAML, or structured database export) mapping each material agent control to named individuals for each of the five lifecycle roles. Must include effective dates, change history, and any active exceptions.
• Access-control configuration. Export of identity-provider group memberships or role-based access control (RBAC) configuration demonstrating that system access aligns with the control-to-role register. Must show that incompatible role pairs cannot be exercised by the same individual.
• Exception register. All active and historical segregation exceptions, including the risk assessment, approving authority, duration, and compensating controls. Minimum 12 months of history.
• Conflict detection logs. Output of automated or manual segregation-of-duties conflict reports for at least the past 12 months, including any conflicts identified and their resolution.
• Role assignment change log. Timestamped, attributed log of all changes to role assignments, including justification. Minimum 36 months retention.

Retention requirements:

• Control-to-role registers and access-control configurations: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-259 compliance requires verifying both the completeness of role assignments and the structural enforcement of segregation.

Test 8.1: Role Assignment Completeness

• Stimulus: Retrieve the control-to-role register. For each material agent control, verify that all five roles (build, operate, approve, validate, audit) are assigned to named individuals.
• Expected behaviour: Every material control has all five roles assigned. No role is vacant or assigned to a generic group without named individuals.
• Pass criteria: 100% of material controls have all five roles assigned to named individuals.
• Fail criteria: Any material control has a vacant role or a role assigned only to a group without identified individuals.

Test 8.2: Segregation Enforcement — Incompatible Role Blocking

• Stimulus: For each incompatible role pair (build/approve, build/audit, operate/audit, validate/build, operate/validate), attempt to exercise the second role's function using the first role's credentials.
• Expected behaviour: The system blocks the action and generates an alert within 60 seconds.
• Pass criteria: All 10 incompatible-pair attempts are blocked, and alerts are generated within 60 seconds for each.
• Fail criteria: Any incompatible-pair attempt succeeds, or alerts are not generated within 60 seconds.

Test 8.3: Exception Process Enforcement

• Stimulus: Attempt to assign incompatible roles to a single individual without following the exception process (no risk assessment, no management approval, no time limit).
• Expected behaviour: The system prevents the assignment or flags it as a non-compliant exception requiring remediation.
• Pass criteria: Uncontrolled exceptions are blocked or flagged before they take effect.
• Fail criteria: An individual is assigned incompatible roles without a documented exception.

Test 8.4: Access-Control Alignment

• Stimulus: Compare the control-to-role register against the actual identity-provider group memberships for a sample of 20% of material controls (minimum 5 controls).
• Expected behaviour: System access aligns with role assignments — individuals can only exercise functions corresponding to their assigned roles.
• Pass criteria: 100% alignment between the register and actual access for the sampled controls.
• Fail criteria: Any individual has system access that permits them to exercise a role they are not assigned to.

Test 8.5: Change Log Integrity

• Stimulus: Make 3 role assignment changes and verify that each appears in the change log with correct timestamp, attribution, and justification within 24 hours.
• Expected behaviour: All changes are logged completely and accurately.
• Pass criteria: All 3 changes appear in the log with complete metadata.
• Fail criteria: Any change is missing from the log or has incomplete metadata.

Test 8.6: Monthly Conflict Report Generation

• Stimulus: Request the segregation-of-duties conflict report for the most recent complete calendar month.
• Expected behaviour: The report exists, was generated within 10 business days of month-end, and covers all material controls.
• Pass criteria: The report is available, timely, and complete.
• Fail criteria: No report exists, the report is late, or the report does not cover all material controls.

Test 8.7: Exception Duration Enforcement

• Stimulus: Create a segregation exception with a 90-day time limit. After 90 days, verify that the system revokes the exception automatically or generates an alert requiring renewal.
• Expected behaviour: The exception expires automatically or triggers a mandatory renewal review.
• Pass criteria: The exception does not persist beyond its approved duration without active renewal.
• Fail criteria: The exception persists indefinitely after its approved duration.

Conformance Scoring

• Score 0: No role segregation — individuals routinely hold multiple lifecycle roles for the same controls without documentation or controls.
• Score 1: Role assignments are documented but not enforced through access controls — segregation exists on paper but not in systems.
• Score 2: Role segregation is enforced through access controls — incompatible role pairs are structurally prevented, and exceptions follow a documented process.
• Score 3: Verified by independent testing — an independent party has attempted to bypass role segregation using known attack techniques (credential sharing, privilege escalation, exception abuse) and failed. Automated conflict reporting and real-time alerts are operational.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 17 (Quality Management System)	Direct requirement
SOX	Section 404 (Internal Controls Over Financial Reporting)	Direct requirement
FCA SYSC	5.1.7G (Segregation of Duties)	Direct requirement
FCA SM&CR	Prescribed Responsibilities	Supports compliance
NIST AI RMF	GOVERN 1.2, GOVERN 2.1	Supports compliance
ISO 42001	Clause 5.3 (Organizational Roles, Responsibilities and Authorities)	Direct requirement
DORA	Article 5 (Governance and Organisation)	Supports compliance
PRA SS1/23	Model Risk Management — Governance	Supports compliance

EU AI Act — Article 17 (Quality Management System)

Article 17 requires providers of high-risk AI systems to put in place a quality management system that ensures compliance throughout the AI system lifecycle. A quality management system requires defined roles and responsibilities with appropriate segregation. AG-259 implements the structural role segregation that Article 17's quality management system depends upon — without it, the quality management system is self-certifying.

SOX — Section 404 (Internal Controls Over Financial Reporting)

SOX Section 404 requires management to assess internal controls and for auditors to attest to that assessment. Segregation of duties is a foundational SOX control objective. Where AI agents execute financial operations, the controls governing those agents are SOX-relevant controls. A SOX auditor will test whether the person who configures agent controls is different from the person who approves them. AG-259 provides the framework for demonstrating this segregation.

FCA SYSC — 5.1.7G (Segregation of Duties)

SYSC 5.1.7G states: "A firm should ensure that no single individual has unrestricted authority to conduct business, and that arrangements are made so that business is conducted in a sound and prudent manner." For AI agent governance, this means the individual who configures agent controls must not be the same individual who approves those controls or audits their effectiveness. AG-259's five-role model provides the structure to demonstrate compliance.

FCA SM&CR — Prescribed Responsibilities

Under SM&CR, Senior Managers hold Prescribed Responsibilities for specific governance functions. AG-259's named ownership model maps each control role to a named individual, supporting the SM&CR requirement that governance functions are attributed to identifiable persons who can be held accountable.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — affects the integrity of all agent governance controls

Consequence chain: Without role segregation, governance controls become self-referential. The builder approves their own work, the operator certifies their own compliance, and the auditor reviews their own decisions. This creates a systemic governance blind spot where errors, intentional manipulation, or gradual drift in control effectiveness go undetected because no independent perspective exists. The immediate consequence is undetected control degradation: limits that should have been challenged are approved without scrutiny, validation that should have found defects confirms the builder's assumptions, and audits that should have identified gaps are conducted by the people who created those gaps. The downstream consequence is regulatory enforcement: every major financial regulator considers segregation of duties a foundational control, and its absence is treated as a systemic governance failure rather than an isolated finding. Under SM&CR, the Senior Manager responsible for AI governance may face personal liability for failing to ensure adequate segregation. The reputational consequence compounds: investors, counterparties, and clients lose confidence when a governance failure reveals that the organisation's controls were self-certifying.

Cross-references: This dimension works in conjunction with AG-108 (Operator Role Segregation) which establishes the foundational principle of role separation at the operator level; AG-159 (Agent Accountability and Named Ownership) which ensures every agent has a named accountable owner; AG-260 (Three-Lines-of-Defence Mapping Governance) which maps controls to the three-lines framework that role segregation enables; AG-170 (Approval Quality and Substantive Review) which ensures that approval actions are substantive rather than rubber-stamp; and AG-019 (Human Escalation & Override Triggers) which defines when human authority must be exercised — authority that AG-259 ensures is held by appropriately segregated individuals.