Outsourced Operator Accountability Governance

2. Summary

Outsourced Operator Accountability Governance requires that organisations retain accountable governance when operational work for AI agents is outsourced or shared with third parties. Outsourcing the operation of an AI agent — or any governance function related to it — does not transfer accountability. The organisation that deploys the agent remains accountable for its behaviour, its compliance, and its governance, regardless of which entity performs the operational work. AG-265 ensures that outsourcing arrangements include enforceable governance obligations, that the outsourcing organisation retains oversight and control, that accountability is not diluted by contractual distance, and that regulators can trace governance responsibility through the outsourcing chain to a named, accountable individual within the deploying organisation.

3. Example

Scenario A — Outsourced Monitoring Without Governance Retention: A mid-sized bank deploys an AI lending agent and outsources its monitoring and operations to a managed-service provider (MSP). The MSP operates the agent, monitors its performance, and manages its configuration under a service-level agreement (SLA). The SLA specifies uptime (99.9%) and response time (alerts acknowledged within 10 minutes) but does not address governance obligations: mandate compliance, regulatory reporting, evidence retention, or escalation authority. When the agent begins approving loans that exceed the bank's risk appetite (the MSP does not know the bank's risk appetite because it was not communicated as a governance requirement), the bank's compliance team discovers the issue during a quarterly review — 11 weeks after it began. The MSP's position: "We operate the agent to the SLA. Risk appetite is the bank's responsibility." The bank's position: "We outsourced operations. The MSP should have caught this." The regulator's position: "The bank is accountable. Outsourcing does not transfer regulatory responsibility."

What went wrong: The outsourcing arrangement transferred operations but not governance. The SLA covered operational metrics (uptime, response time) but not governance obligations (mandate compliance, risk appetite adherence, regulatory evidence). The bank assumed the MSP would govern the agent. The MSP assumed the bank would govern the agent. Neither did. Consequence: 11 weeks of lending outside risk appetite, estimated £3.4 million in above-appetite exposure, FCA regulatory action against the bank (not the MSP) for inadequate systems and controls, mandatory insourcing of governance functions pending remediation.

Scenario B — Outsourced Development With Undocumented Configuration: An insurance company outsources the development and deployment of an AI claims agent to a technology consultancy. The consultancy builds the agent, configures its mandate limits, sets monitoring thresholds, and deploys it to production. The contract specifies delivery of a "working system" but does not require delivery of governance documentation: mandate configuration rationale, monitoring threshold justification, escalation procedures, or kill mechanism documentation. When the consultancy's engagement ends, the insurance company has a working agent but no governance documentation. 6 months later, a regulatory audit asks: "Why is the per-claim limit set at £30,000?" No one in the organisation knows — the person who set it works for the consultancy and has since moved to another project. The insurance company cannot demonstrate governance rationale for its own agent's configuration.

What went wrong: The outsourcing arrangement covered delivery of the system but not delivery of governance artefacts. Critical governance knowledge (configuration rationale, threshold justification) left the organisation with the consultancy. The insurance company could not demonstrate governance over its own agent. Consequence: Regulatory finding for inadequate governance documentation, mandatory re-assessment of all agent configurations at a cost of £85,000, compliance remediation programme, personal accountability review for the executive who approved the outsourcing arrangement.

Scenario C — Well-Governed Outsourcing: A payment processor outsources the operation of its AI fraud-detection agent to a specialised MSP. The outsourcing contract includes a governance schedule specifying: the MSP must operate the agent within the processor's defined mandate (attached as an appendix, updated by the processor quarterly), the MSP must report governance metrics monthly (false-positive rates, false-negative rates, escalation volumes, mandate compliance), the MSP must retain evidence per the processor's evidence requirements (AG-007), the processor retains kill authority (AG-262) independent of the MSP, the MSP must escalate per the processor's escalation framework (AG-261), and the processor's second-line and third-line functions (AG-260) have unrestricted access to the MSP's operations for challenge and audit purposes. When the processor's internal audit function conducts its annual review, it audits the MSP's operations directly, verifying that the mandate is being enforced, evidence is being retained, and governance metrics align with the processor's expectations. The outsourcing does not create a governance gap because the contract explicitly addresses governance obligations.

What went right: The outsourcing arrangement was designed with governance requirements embedded in the contract. The processor retained accountability and oversight. Governance obligations were enforceable, auditable, and tested.

4. Requirement Statement

Scope: This dimension applies whenever any operational or governance function for a material AI agent is performed by a third party — including managed-service providers, technology consultancies, cloud platform operators, outsourced development teams, shared-service centres, and offshore operations. The scope covers all forms of outsourcing: full outsourcing (the third party operates the entire agent), partial outsourcing (the third party operates specific functions such as monitoring or configuration), and development outsourcing (the third party builds the agent and hands it over). The scope extends to sub-outsourcing: if the primary outsource provider sub-contracts work to another party, the governance obligations flow through the chain. The deploying organisation retains accountability regardless of the depth of the outsourcing chain. Read-only advisory services (e.g., a consultancy providing governance advice without operational access) are excluded from scope, but any third party with operational access to agent systems or data is within scope.

4.1. A conforming system MUST ensure that the deploying organisation retains named accountability for every governance function, even when operational work is performed by a third party — outsourcing operations SHALL NOT transfer governance accountability.

4.2. A conforming system MUST include enforceable governance obligations in all outsourcing contracts for AI agent operations, covering: mandate compliance, evidence retention, escalation procedures, incident notification, regulatory reporting support, and audit access.

4.3. A conforming system MUST retain independent kill authority (AG-262) over the agent that does not depend on the outsource provider's cooperation — the deploying organisation MUST be able to terminate the agent's operations without the third party's involvement.

4.4. A conforming system MUST retain second-line and third-line oversight (AG-260) over outsourced operations — the outsource provider's operations are subject to the same challenge and assurance activities as internal operations.

4.5. A conforming system MUST require the outsource provider to report governance metrics at least monthly, including mandate compliance, incident volumes, escalation events, and evidence retention status.

4.6. A conforming system MUST conduct an annual governance assessment of each outsource provider's operations, verifying that contractual governance obligations are being met.

4.7. A conforming system SHOULD include contractual provisions requiring the outsource provider to notify the deploying organisation within 24 hours of any material change to the provider's personnel, systems, or processes that could affect agent governance.

4.8. A conforming system SHOULD include contractual provisions for governance knowledge transfer at the end of an outsourcing arrangement, ensuring that all governance documentation, configuration rationale, and operational knowledge is transferred to the deploying organisation or its successor provider.

4.9. A conforming system MAY require outsource providers to achieve independent conformance certification (AG-157) for their AI agent operations as a condition of the outsourcing arrangement.

5. Rationale

Outsourcing is a standard operating model for many organisations — but outsourcing AI agent operations creates governance risks that traditional outsourcing frameworks do not adequately address. Traditional IT outsourcing SLAs focus on operational metrics: uptime, response time, throughput, and incident resolution. AI agent governance requires a fundamentally different set of obligations: mandate compliance (is the agent operating within its approved boundaries?), evidence integrity (are governance artefacts being retained to the required standard?), regulatory accountability (can the deploying organisation demonstrate governance to its regulators?), and escalation and kill authority (can the deploying organisation intervene when needed, independently of the outsource provider?).

The regulatory principle is clear and well-established: outsourcing does not transfer regulatory responsibility. The FCA's SYSC 8 (Outsourcing) explicitly states that a firm remains fully responsible for discharging all of its obligations under the regulatory system when it outsources operational functions. The EU AI Act assigns obligations to the "provider" and "deployer" of AI systems — outsourcing the operation to a third party does not change who the provider or deployer is for regulatory purposes. The PRA's SS2/21 on outsourcing and third-party risk management requires firms to ensure that outsourcing does not impair the quality of internal controls or the ability of the regulator to supervise.

AG-265 translates these regulatory principles into specific, testable governance requirements for AI agent outsourcing. It ensures that outsourcing arrangements are designed with governance obligations from the outset, rather than retrofitted after a governance gap is discovered.

6. Implementation Guidance

The core principle of outsourced governance is: you can outsource the work, but you cannot outsource the accountability. Every outsourcing arrangement must be designed so that the deploying organisation can demonstrate governance at all times, regardless of which entity is performing the operational work.

Recommended patterns:

• Governance schedule in outsourcing contracts. Include a dedicated governance schedule (annex) in every outsourcing contract for AI agent operations. The schedule should specify: the mandate the agent must operate within (referencing the deploying organisation's mandate definition), the evidence the outsource provider must retain and produce, the governance metrics the provider must report, the escalation procedures the provider must follow, the audit access the deploying organisation (and its regulators) must have, and the knowledge transfer obligations at contract termination. The governance schedule should be reviewed and updated at least annually.
• Independent kill authority architecture. Design the kill mechanism (AG-262) so that the deploying organisation can invoke it independently of the outsource provider. Options include: the deploying organisation retains direct infrastructure access to the kill function, the kill function is operated by a third party independent of the outsource provider, or the deploying organisation retains credential-level control over the agent's authentication that can revoke access unilaterally.
• Governance dashboard for outsourced operations. Implement a governance dashboard that aggregates data from the outsource provider's operations and presents it to the deploying organisation's second-line and third-line functions. The dashboard should display: real-time mandate compliance status, incident and escalation volumes, evidence retention status, and governance metric trends. The dashboard should pull data directly from the provider's systems (not rely on the provider's self-reporting alone).
• Annual governance audit of outsource providers. Conduct an annual governance audit of each outsource provider's AI agent operations. The audit should be performed by the deploying organisation's third-line function (or an external auditor) and should cover: mandate enforcement effectiveness, evidence integrity, escalation procedure compliance, personnel competence, and sub-outsourcing governance. Audit findings should be tracked to closure with defined deadlines.
• Exit governance planning. Before entering an outsourcing arrangement, document the exit plan — how governance knowledge, evidence, and operational capability will be transferred when the arrangement ends. This prevents the scenario where an outsource provider's departure creates a governance gap. The exit plan should be tested during the outsourcing arrangement (e.g., through a tabletop exercise) rather than being invoked for the first time during an actual exit.

Anti-patterns to avoid:

• SLA-only contracts. Outsourcing contracts that specify only operational SLAs (uptime, response time) without governance obligations. These contracts give the deploying organisation no contractual basis to require governance compliance from the outsource provider.
• Relying on the provider's own governance. Assuming that because the outsource provider has its own governance framework, the deploying organisation's governance obligations are met. The provider's framework is designed for the provider's regulatory obligations, not the deploying organisation's. The deploying organisation must specify its own governance requirements.
• Shared kill authority. A kill mechanism that requires both the deploying organisation and the outsource provider to cooperate. If the outsource provider is the source of the problem (e.g., misconfiguration by the provider's staff), requiring their cooperation to invoke the kill is a dependency conflict.
• Blind trust in governance reporting. Accepting the outsource provider's self-reported governance metrics without independent verification. Self-reporting has inherent conflicts of interest. The deploying organisation should verify reported metrics through independent audit and direct data access.
• Outsourcing without exit planning. Entering an outsourcing arrangement without documenting how governance continuity will be maintained if the arrangement ends. When the exit occurs (whether planned or forced), the deploying organisation discovers that critical governance knowledge resides with the provider, evidence is stored in the provider's systems without export provisions, and operational capability cannot be transferred quickly enough to avoid a governance gap.

Industry Considerations

Financial Services. FCA SYSC 8 and PRA SS2/21 provide detailed requirements for outsourcing in financial services. AG-265's requirements should be mapped to SYSC 8 obligations to ensure alignment. The FCA expects firms to maintain the same level of governance over outsourced AI agent operations as over internal operations. The Outsourcing Register required by DORA Article 28 should include AI agent outsourcing arrangements with governance-specific metadata.

Healthcare. Healthcare outsourcing of AI agent operations must address patient data governance under UK GDPR and the Data Protection Act 2018. The outsource provider must be a data processor (or joint controller, if appropriate) under a compliant data processing agreement. The deploying organisation retains controller accountability for patient data processed by the outsourced agent.

Critical Infrastructure. Outsourcing of safety-critical AI agent operations requires particular care under NIS2 and sector-specific regulations. The outsource provider must meet the same safety qualification requirements as an internal operator. Sub-outsourcing in safety-critical environments should be contractually prohibited or subject to deploying-organisation approval.

Maturity Model

Basic Implementation — Outsourcing contracts include basic governance obligations (mandate compliance, incident notification). The deploying organisation retains named accountability. Kill authority exists but may depend on provider cooperation. Second-line oversight of outsourced operations occurs but may be sporadic. Annual governance assessment of providers has been conducted at least once.

Intermediate Implementation — Governance schedules in contracts cover all AG-265 requirements. Independent kill authority is architecturally separated from the outsource provider. Monthly governance reporting is operational with defined metrics. Second-line and third-line oversight covers outsourced operations on the same schedule as internal operations. Annual governance audits are conducted with findings tracked to closure. Exit governance plans are documented for all outsourcing arrangements.

Advanced Implementation — All intermediate capabilities plus: governance dashboards provide real-time visibility into outsourced operations. Independent data feeds verify provider self-reporting. Exit governance plans have been tested through tabletop exercises. Sub-outsourcing is governed with the same rigour as primary outsourcing. Outsource providers have achieved independent conformance certification (AG-157). The deploying organisation can demonstrate to regulators that outsourced operations meet the same governance standard as internal operations.

7. Evidence Requirements

Required artefacts:

• Outsourcing governance register. Register of all outsourcing arrangements involving AI agent operations, specifying: the outsource provider, the functions outsourced, the contractual governance obligations, the governance schedule reference, and the named accountable individual within the deploying organisation. Must be current within 30 days.
• Contract governance schedules. The governance schedule (annex) from each outsourcing contract, specifying governance obligations, reporting requirements, audit access, and knowledge transfer provisions.
• Monthly governance reports. Provider-submitted monthly governance reports covering mandate compliance, incident volumes, escalation events, and evidence retention status. Minimum 12 months.
• Annual governance assessment reports. Reports from the annual governance assessment of each outsource provider, including scope, methodology, findings, and remediation tracking. Minimum 24 months.
• Kill authority independence evidence. Architecture documentation or test results demonstrating that the deploying organisation can invoke the kill function independently of the outsource provider.
• Exit governance plans. Documented exit plans for each outsourcing arrangement, specifying knowledge transfer, evidence migration, and operational transition procedures.

Retention requirements:

• Outsourcing governance registers and assessment reports: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Regulators must have the contractual right to access outsource provider operations directly.

8. Test Specification

Testing AG-265 compliance requires verifying both the contractual framework and the operational effectiveness of outsourced governance.

Test 8.1: Accountability Retention

• Stimulus: For each outsourcing arrangement, identify the named individual within the deploying organisation who holds governance accountability. Verify that this individual is documented, current, and aware of their accountability.
• Expected behaviour: Every outsourcing arrangement has a named accountable individual within the deploying organisation.
• Pass criteria: 100% of outsourcing arrangements have a named, current, aware accountable individual.
• Fail criteria: Any arrangement lacks a named accountable individual or the named individual is unaware of their accountability.

Test 8.2: Contractual Governance Obligations

• Stimulus: Review the outsourcing contract and governance schedule for a sample of outsourcing arrangements. Verify that the contract includes enforceable obligations for: mandate compliance, evidence retention, escalation procedures, incident notification, regulatory reporting support, and audit access.
• Expected behaviour: All required governance obligations are contractually specified and enforceable.
• Pass criteria: All sampled contracts include all required governance obligations.
• Fail criteria: Any contract lacks a required governance obligation.

Test 8.3: Independent Kill Authority

• Stimulus: Invoke the kill function for an outsourced agent without the outsource provider's involvement. Verify that the deploying organisation can terminate the agent independently.
• Expected behaviour: The agent is terminated without requiring any action by the outsource provider.
• Pass criteria: Kill invocation succeeds independently within the defined time-to-kill target.
• Fail criteria: Kill invocation requires outsource provider cooperation or fails without provider involvement.

Test 8.4: Second-Line Oversight of Outsourced Operations

• Stimulus: Verify that the deploying organisation's second-line function has performed challenge activities over outsourced operations within the most recent quarter.
• Expected behaviour: Quarterly challenge evidence exists for outsourced operations.
• Pass criteria: Second-line challenge reports covering outsourced operations exist for the current or most recent quarter.
• Fail criteria: No second-line challenge of outsourced operations within the required timeframe.

Test 8.5: Monthly Governance Reporting

• Stimulus: Retrieve the outsource provider's monthly governance reports for the past 6 months. Verify completeness and timeliness.
• Expected behaviour: Reports exist for all 6 months, are complete (covering all required metrics), and were submitted on time.
• Pass criteria: 6 consecutive monthly reports, all complete and timely.
• Fail criteria: Missing reports, incomplete metrics, or late submissions.

Test 8.6: Annual Governance Assessment

• Stimulus: Retrieve the most recent annual governance assessment of the outsource provider. Verify that it was conducted within the past 12 months and covers all required areas.
• Expected behaviour: A comprehensive assessment exists within the past 12 months.
• Pass criteria: Assessment completed within 12 months, covering mandate enforcement, evidence integrity, escalation compliance, and personnel competence.
• Fail criteria: No assessment within 12 months, or assessment scope is incomplete.

Test 8.7: Exit Governance Plan

• Stimulus: Retrieve the exit governance plan for each outsourcing arrangement. Verify that it addresses knowledge transfer, evidence migration, and operational transition.
• Expected behaviour: Exit plans exist and address all required elements.
• Pass criteria: All outsourcing arrangements have exit plans covering knowledge transfer, evidence migration, and operational transition.
• Fail criteria: Any arrangement lacks an exit plan or the plan is incomplete.

Conformance Scoring

• Score 0: No governance framework for outsourced operations — outsourcing contracts are operational-only with no governance obligations. Accountability for outsourced agent governance is unclear.
• Score 1: Governance obligations exist in contracts but are not actively enforced — the deploying organisation has contractual rights but does not exercise oversight. Kill authority depends on provider cooperation.
• Score 2: Governance obligations are contractually specified and actively enforced — monthly reporting is operational, second-line and third-line oversight covers outsourced operations, kill authority is independent, and annual governance assessments are conducted.
• Score 3: Verified by independent assessment — an independent party has verified that outsourced operations meet the same governance standard as internal operations, kill authority independence has been tested, and exit governance plans have been exercised.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 28 (Obligations of Deployers)	Direct requirement
EU AI Act	Article 9 (Risk Management System)	Supports compliance
FCA SYSC	8.1 (Outsourcing Requirements)	Direct requirement
PRA SS2/21	Outsourcing and Third-Party Risk Management	Direct requirement
DORA	Article 28 (Register of Information)	Direct requirement
DORA	Article 30 (Key Contractual Provisions)	Direct requirement
NIST AI RMF	GOVERN 1.6 (Third-Party Risks)	Supports compliance
ISO 42001	Clause 8.4 (AI System Operation)	Supports compliance
NIS2 Directive	Article 21 (Supply Chain Security)	Supports compliance
UK GDPR	Articles 28-29 (Processor Obligations)	Supports compliance

FCA SYSC — 8.1 (Outsourcing Requirements)

SYSC 8 requires that a firm which outsources critical or important operational functions "takes reasonable steps to avoid undue additional operational risk" and remains "fully responsible for discharging all of its obligations under the regulatory system." For AI agent outsourcing, this means the firm must maintain governance oversight, retain audit access, and ensure that outsourcing does not impair the regulator's ability to supervise. AG-265 implements these requirements for AI agent-specific operations.

PRA SS2/21 — Outsourcing and Third-Party Risk Management

SS2/21 requires firms to identify, manage, and mitigate the risks arising from outsourcing arrangements and third-party dependencies. For AI agents, this includes governance risks: the risk that outsourcing degrades governance quality, dilutes accountability, or creates evidence gaps. AG-265 ensures that these risks are mitigated through contractual governance obligations and active oversight.

DORA — Article 28 and Article 30

DORA Article 28 requires financial entities to maintain a register of all contractual arrangements with ICT third-party service providers. Article 30 specifies key contractual provisions that must be included, covering audit rights, sub-outsourcing, and exit strategies. AG-265's requirements align with and extend DORA's contractual requirements to cover AI agent-specific governance obligations.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — outsourcing governance failures affect all agents operated by the outsource provider

Consequence chain: Without outsourced operator accountability governance, the deploying organisation creates a governance gap between its regulatory accountability and its operational capability. The organisation is accountable to regulators for the agent's behaviour, but it does not have the operational visibility, contractual authority, or independent capability to ensure that behaviour meets governance standards. The gap typically manifests during incidents or regulatory reviews: the regulator asks "how do you ensure this agent operates within its mandate?" and the organisation cannot answer because the operational work is performed by a third party without governance obligations. The regulatory consequence is severe: the FCA, PRA, and EU AI Act all treat outsourcing governance failures as failures of the deploying organisation, not the outsource provider. The deploying organisation's accountability is non-delegable. Financial consequences include mandatory insourcing (often at 2-3x the cost of the outsourced arrangement), governance remediation costs, and potential regulatory fines.

Cross-references: This dimension works in conjunction with AG-259 (Role-Segregated Control Ownership Governance) which defines the roles that must be covered in outsourcing arrangements; AG-260 (Three-Lines-of-Defence Mapping Governance) which must extend to cover outsourced operations; AG-261 (Escalation Authority Governance) which must include outsource provider escalation paths; AG-262 (Kill Authority Designation Governance) which must be independent of the outsource provider; AG-264 (Successor and Coverage Planning Governance) which must account for outsource provider personnel changes; AG-266 (Joint-Venture and Shared-Control Governance) which addresses a related scenario where control is shared between entities; and AG-157 (External Conformance Assessment) which may be required of outsource providers.