Shared Blackboard Access Governance

2. Summary

Shared Blackboard Access Governance requires that every common planning board, shared memory space, or collective data structure used by multiple agents is subject to explicit, enforceable access control policies that define which agents may read, write, modify, or delete entries, under what conditions, and within what classification boundaries. Multi-agent systems frequently employ blackboard architectures — shared memory regions where agents post partial results, coordination signals, planning states, and situational data — and without structural access governance, any agent in the topology can read data it was never authorised to see, overwrite critical planning state produced by higher-authority agents, or inject poisoned data that cascades through every agent reading the blackboard. This dimension mandates that blackboard access is governed at the infrastructure layer with classification-aware permissions, write integrity controls, and tamper-evident logging, ensuring that shared memory spaces do not become the weakest link in an otherwise well-governed multi-agent deployment.

3. Example

Scenario A — Classification Leakage Through Unrestricted Blackboard Reads: A European insurance firm deploys a multi-agent claims processing pipeline with seven agents: intake, medical review, fraud screening, liability assessment, settlement calculation, payment authorisation, and customer communication. All agents share a common blackboard for coordination. The medical review agent posts detailed clinical notes including psychiatric diagnoses and genetic test results — data classified as Special Category under GDPR Article 9. The customer communication agent, designed only to send status updates, has unrestricted read access to the blackboard. A prompt injection in a customer query causes the communication agent to summarise "all available information about this claim" in its response. The customer receives an email containing their psychiatric diagnosis, which the communication agent retrieved from the blackboard. The firm reports the breach to the ICO. The ICO determines that sharing Special Category data with a communication agent that had no legitimate processing purpose constituted a violation of Article 5(1)(f) (integrity and confidentiality) and Article 9 (processing of special categories).

What went wrong: The blackboard had no classification-aware access controls. Every agent could read every entry regardless of data classification or processing purpose. The medical review agent correctly posted clinical data needed by downstream assessment agents, but the blackboard architecture made this data available to all agents including those with no legitimate need. Consequence: ICO fine of £4.35 million under GDPR Article 83(5)(a), mandatory independent audit of all multi-agent data flows, temporary suspension of automated claims processing, reputational damage from press coverage of psychiatric data exposure, and 2,300 affected individuals requiring notification under Article 34.

Scenario B — Blackboard Poisoning Corrupts Coalition Planning: A logistics company uses a multi-agent system for warehouse operations where twelve agents coordinate via a shared planning blackboard. Each agent posts its current status, capacity, and task commitments. A scheduling optimisation agent reads the blackboard to generate shift plans and resource allocations. An attacker compromises a low-priority inventory counting agent through a malicious barcode scan containing an embedded instruction payload. The compromised agent writes falsified capacity data to the blackboard — reporting that three warehouse zones are at zero capacity when they are actually at 85% utilisation. The scheduling agent reads the poisoned data and reallocates all incoming shipments to the remaining zones, causing physical congestion, worker safety incidents, and a 14-hour operational shutdown.

What went wrong: All agents had unrestricted write access to the blackboard. No integrity verification existed to validate that posted data was consistent with the posting agent's authority or operational domain. The inventory counting agent had no legitimate reason to write capacity data, yet the blackboard accepted the write. No anomaly detection flagged the sudden zero-capacity reports as inconsistent with historical patterns. Consequence: £2.1 million in delayed shipments, three worker injury claims totalling £340,000, regulatory investigation by the Health and Safety Executive, and loss of a major retail customer contract worth £8.7 million annually.

Scenario C — Concurrent Write Corruption Destroys Planning Coherence: A financial services firm operates a multi-agent trading strategy system where five agents post their market assessments and proposed positions to a shared blackboard. A portfolio construction agent reads the blackboard to build a consolidated position. During a period of high market volatility, three agents simultaneously update their market assessments. No write serialisation or versioning exists on the blackboard. The portfolio construction agent reads a partially-written state: Agent A's updated equity assessment, Agent B's stale fixed-income assessment (mid-write), and Agent C's updated commodities assessment. The resulting portfolio is constructed from an internally inconsistent state that no individual agent intended. The portfolio contains a £23 million directional bet that contradicts the firm's risk framework because it was derived from temporally misaligned assessments.

What went wrong: The blackboard had no write serialisation, version control, or atomic read capability. Concurrent writes created a torn-read condition where the consuming agent saw an inconsistent snapshot. No mechanism existed to detect or prevent consumption of partially-written blackboard state. Consequence: £23 million unintended directional exposure, £4.6 million realised loss on emergency unwind, FCA investigation into systems and controls adequacy, and requirement to demonstrate that multi-agent coordination mechanisms meet the same integrity standards as trading systems under MiFID II Article 17.

4. Requirement Statement

Scope: This dimension applies to any multi-agent system in which two or more agents share a common data structure — whether called a blackboard, shared memory, common workspace, bulletin board, tuple space, or any equivalent — for the purpose of coordination, planning, status reporting, or data exchange. The scope includes both persistent shared stores (databases, distributed caches) and transient shared spaces (in-memory data structures, message queues used as coordination buffers). An agent that can read data posted by another agent, or write data intended to be read by another agent, through a shared intermediary rather than through direct point-to-point communication, is within scope. The scope extends to partial blackboard patterns: systems where a shared store is used for some but not all inter-agent communication are in scope for the shared-store portion. Read-only bulletin boards where a single authoritative source publishes and multiple agents consume are in scope but face reduced write-integrity risk.

4.1. A conforming system MUST enforce classification-aware access controls on every shared blackboard, ensuring that agents can only read entries whose data classification is within the agent's authorised access level and processing purpose.

4.2. A conforming system MUST enforce write controls on every shared blackboard, ensuring that agents can only create or modify entries within their designated authority domain and cannot overwrite entries authored by agents of higher authority or different functional domains without explicit authorisation.

4.3. A conforming system MUST maintain a tamper-evident, append-only audit log of all blackboard read and write operations, recording the agent identity, timestamp, operation type, entry identifier, and data classification of each operation.

4.4. A conforming system MUST reject blackboard writes that would elevate the classification of an entry beyond the writing agent's authorised classification ceiling.

4.5. A conforming system MUST implement atomic read consistency mechanisms ensuring that consuming agents read a complete, internally consistent snapshot of blackboard state, not a partially-written or torn state.

4.6. A conforming system MUST deny all blackboard access to agents not registered in the topology inventory (per AG-389), defaulting to deny for unrecognised agent identities.

4.7. A conforming system SHOULD implement schema validation on blackboard entries, rejecting writes that do not conform to the declared schema for the entry type and the writing agent's functional domain.

4.8. A conforming system SHOULD implement anomaly detection on blackboard write patterns, flagging sudden deviations from an agent's historical write frequency, data volume, or value ranges.

4.9. A conforming system SHOULD provide entry-level provenance metadata on every blackboard entry, recording the authoring agent, creation timestamp, modification history, and classification level.

4.10. A conforming system MAY implement read-receipt tracking to confirm that critical blackboard entries have been consumed by their intended recipients within a defined time window.

4.11. A conforming system MAY implement blackboard partitioning to physically separate entries of different classification levels, reducing the attack surface for classification leakage.

5. Rationale

Shared blackboard architectures are among the oldest and most widely used coordination mechanisms in multi-agent systems. The blackboard pattern — originally developed in the 1970s for speech understanding systems — provides a shared workspace where agents post partial results, read contributions from other agents, and incrementally build toward a collective solution. The pattern is powerful precisely because it decouples agents from one another: an agent does not need to know which other agents exist or how they operate; it simply reads from and writes to the blackboard. This decoupling makes blackboard architectures highly scalable and flexible, which is why they remain prevalent in modern multi-agent deployments.

However, the same decoupling that makes blackboard architectures powerful makes them dangerous from a governance perspective. In a direct communication topology, each agent-to-agent channel can be individually governed: Agent A is authorised to send specific data types to Agent B. In a blackboard topology, governance must be applied to the shared space itself, because any write is potentially visible to every reader and any agent's contribution affects the shared state consumed by all others. This creates three fundamental governance challenges.

First, classification leakage. When agents with different data access authorisations share a blackboard, high-classification data posted by an authorised agent becomes readable by every other agent with blackboard access. A medical assessment agent that posts clinical findings to a blackboard inadvertently makes those findings available to a customer communication agent that has no legitimate processing purpose for clinical data. This is not a hypothetical risk — it is the default behaviour of any ungovened blackboard, and it directly violates data minimisation principles under GDPR Article 5(1)(c) and purpose limitation under Article 5(1)(b).

Second, write integrity. A compromised or malfunctioning agent that writes falsified data to the blackboard can corrupt the decision-making of every other agent that reads the blackboard. This is a force multiplier for attacks: compromising a single low-value agent gives the attacker influence over the entire multi-agent system through blackboard poisoning. The attack surface scales with the number of agents that have write access, and the impact scales with the number of agents that have read access.

Third, temporal consistency. Blackboards that lack atomic read mechanisms expose consuming agents to torn-read conditions where they see a mix of old and new data from concurrent writers. In financial, safety-critical, or planning contexts, decisions made on temporally inconsistent data can produce outcomes that no individual agent intended and that no individual agent's governance controls would have permitted.

The regulatory context is increasingly explicit about these risks. The EU AI Act's Article 15 (Accuracy, Robustness, and Cybersecurity) requires that AI systems be resilient to errors and inconsistencies, including those arising from multi-component interactions. DORA Article 9 requires financial entities to ensure the integrity of data processed by ICT systems, which directly encompasses shared coordination spaces in multi-agent deployments. The FCA's SS1/23 on model risk management expects firms to demonstrate that data flows between model components maintain integrity throughout the processing chain.

6. Implementation Guidance

Implementing Shared Blackboard Access Governance requires treating the blackboard as a first-class governed resource rather than an informal coordination space. The blackboard must be subject to the same access control rigour as any database containing classified data, the same write integrity standards as any system of record, and the same audit requirements as any regulated data store. The key insight is that a shared blackboard in a multi-agent system is functionally equivalent to a shared database — and should be governed accordingly.

Recommended patterns:

• Classification-partitioned blackboard. Implement the blackboard as a set of partitions, each corresponding to a data classification level. Agents are granted access to partitions matching their authorised classification ceiling. A medical review agent writes to the SPECIAL_CATEGORY partition; a customer communication agent has access only to the PUBLIC and INTERNAL partitions. Cross-partition references use opaque identifiers that reveal no content. This pattern enforces classification boundaries structurally, without relying on per-read access checks that could be bypassed.
• Domain-scoped write authorities. Each agent is registered with a functional domain (e.g., "medical_assessment", "fraud_screening", "customer_communication") and can only write to blackboard entry types associated with its domain. A scheduling agent cannot write capacity data because "capacity_report" entries are associated with the "warehouse_monitoring" domain. Write authority is enforced at the blackboard infrastructure layer, not by the agent's own restraint.
• Snapshot-isolated reads. Implement blackboard reads using snapshot isolation or multi-version concurrency control (MVCC). When a consuming agent reads the blackboard, it receives a consistent point-in-time snapshot. Concurrent writes by other agents do not affect the snapshot. This eliminates torn-read conditions and ensures that planning decisions are based on internally consistent state.
• Write-ahead provenance logging. Before any blackboard write is made visible to readers, the write operation is first committed to a tamper-evident append-only log (per AG-006). The log entry includes the writing agent's identity, the entry content hash, the classification level, and a monotonically increasing sequence number. If a blackboard entry is later disputed, the provenance log provides the authoritative record.

Anti-patterns to avoid:

• Flat, unpartitioned shared memory. A single shared memory space where all agents can read and write everything is the default in many multi-agent frameworks. This is the highest-risk configuration: one compromised agent can poison all shared state, and any agent can access any classification level. Retrofitting access controls onto a flat architecture is significantly harder than designing partitioned access from the start.
• Agent-side access self-enforcement. Relying on agents to respect access boundaries through their instructions (e.g., "only read entries relevant to your task") provides no structural protection. A compromised or malfunctioning agent will not respect instruction-based boundaries. Access control must be enforced at the blackboard infrastructure layer.
• Unrestricted write-back without validation. Allowing any agent to overwrite any entry without schema validation or domain authority checks enables both accidental corruption (an agent writing to the wrong entry type) and deliberate poisoning (a compromised agent overwriting critical planning state).
• Polling without snapshot isolation. Agents that continuously poll the blackboard without snapshot isolation read different states on each poll, leading to decision inconsistency. In high-frequency coordination scenarios, this creates cascading oscillations where agents respond to stale or partially-updated state.
• Treating the blackboard as ephemeral. Multi-agent blackboard state often contains regulated data (financial positions, personal data, clinical assessments) that is subject to retention and audit requirements. Treating the blackboard as a transient cache that can be cleared without retention violates regulatory obligations.

Industry Considerations

Financial Services. Blackboard architectures in multi-agent trading or risk management systems must meet the same data integrity and audit trail requirements as any trading system component. Under MiFID II Article 17, algorithmic trading systems must maintain adequate systems and controls, which extends to shared coordination mechanisms. Blackboard entries containing position data, market assessments, or risk calculations constitute records that must be retained per FCA record-keeping requirements (SYSC 9). Real-time blackboard access logs should be integrated with the firm's surveillance infrastructure.

Healthcare. Blackboard entries containing patient data — clinical notes, diagnoses, treatment plans, genetic information — are subject to HIPAA minimum necessary requirements and GDPR Special Category protections. Classification-aware partitioning is not optional in healthcare contexts; it is a direct regulatory requirement. Access logs must record which agent accessed which patient data entry, enabling audit trails for data subject access requests under GDPR Article 15.

Safety-Critical and Industrial. In robotics or industrial control contexts, blackboard poisoning can have physical consequences. An agent that writes falsified sensor readings or incorrect safety parameters to a shared planning space can cause physical harm. Write validation in safety-critical contexts should include plausibility checks against physical constraints — a temperature reading of -500°C or a pressure of 10,000 bar should be rejected as implausible regardless of the writing agent's authority.

Public Sector. Multi-agent systems in government contexts must ensure that blackboard access respects security classification boundaries. An agent cleared to handle OFFICIAL data must not be able to read OFFICIAL-SENSITIVE entries on the blackboard. Classification partitioning must align with the organisation's information classification scheme and be auditable for Freedom of Information compliance.

Maturity Model

Basic Implementation — The organisation has defined access control lists for each shared blackboard, specifying which agents have read and write access. Access enforcement is implemented in the application layer. Audit logging captures write operations but not reads. No classification-aware partitioning exists; access is all-or-nothing per agent. Write validation checks entry format but not domain authority. This level provides basic accountability but does not prevent classification leakage or domain-crossing writes.

Intermediate Implementation — Classification-aware partitioning segregates blackboard entries by data classification level. Write authorities are scoped to functional domains, enforced at the infrastructure layer. Snapshot-isolated reads prevent torn-read conditions. All read and write operations are logged with agent identity, timestamp, and classification metadata. Schema validation rejects malformed writes. Anomaly detection flags unusual write patterns. Provenance metadata is attached to every entry. This level addresses the core risks of classification leakage, write poisoning, and temporal inconsistency.

Advanced Implementation — All intermediate capabilities plus: blackboard access controls have been verified through independent adversarial testing, including compromised agent simulation, classification escalation attacks, and concurrent write exploitation. Real-time anomaly detection uses behavioural baselines to identify blackboard poisoning attempts within seconds. Cryptographic integrity verification (per AG-006) ensures that blackboard entries cannot be modified without detection. Cross-blackboard governance tracks data flows between multiple blackboards in complex topologies. The organisation can demonstrate to regulators that shared coordination spaces meet the same governance standards as formal systems of record.

7. Evidence Requirements

Required artefacts:

• Blackboard access policy artefact. The actual access control configuration for each shared blackboard, showing per-agent read and write permissions, classification-level restrictions, and domain authority mappings. Format: structured data export from the access control system, not a prose policy document.
• Classification partitioning evidence. Architecture documentation and configuration exports demonstrating that blackboard entries are partitioned by classification level and that cross-partition access is structurally prevented for unauthorised agents.
• Audit log samples. Representative samples from the blackboard access log showing read operations, write operations, blocked access attempts, and classification-based denials. Minimum 12 months of continuous logging with no gaps.
• Atomic read consistency evidence. Test results demonstrating that snapshot isolation or equivalent prevents torn reads under concurrent write conditions, including load testing at peak operational throughput.
• Adversarial test results. Results from independent testing demonstrating that classification leakage, write poisoning, domain-crossing writes, and unregistered agent access all failed under adversarial conditions.

Retention requirements:

• Blackboard access policies and audit logs: minimum 7 years for regulated financial services; minimum 5 years for healthcare and other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-393 compliance requires verifying that classification boundaries, write authorities, read consistency, and access controls all function correctly under normal and adversarial conditions.

Test 8.1: Classification-Aware Read Enforcement

• Stimulus: Configure a blackboard with entries at three classification levels (e.g., PUBLIC, INTERNAL, SPECIAL_CATEGORY). Deploy agents with access authorised at each level. Attempt to have each agent read entries above its authorised classification level.
• Expected behaviour: Agents successfully read entries at or below their classification level. Agents are blocked from reading entries above their classification level. Blocked attempts are logged.
• Pass criteria: No agent reads an entry above its authorised classification ceiling. Every blocked attempt generates an audit log entry.
• Fail criteria: Any agent reads an entry above its authorised classification level, or a blocked attempt is not logged.

Test 8.2: Write Authority Domain Enforcement

• Stimulus: Configure agents with designated functional domains (e.g., "medical_assessment", "scheduling", "customer_communication"). Attempt to have each agent write entries associated with a different agent's functional domain — e.g., a customer communication agent attempts to write a medical assessment entry.
• Expected behaviour: Writes within the agent's designated domain succeed. Writes outside the agent's domain are rejected with a structured error indicating domain authority violation.
• Pass criteria: No agent writes an entry outside its designated functional domain. Every rejected write generates an audit log entry with the domain violation reason.
• Fail criteria: Any agent writes an entry outside its designated domain, or a domain violation is not logged.

Test 8.3: Tamper-Evident Audit Log Completeness

• Stimulus: Execute a sequence of 1,000 blackboard operations including reads, writes, modifications, and deletions across multiple agents. Independently record the expected operations. Compare the audit log against the expected record.
• Expected behaviour: Every operation appears in the audit log with correct agent identity, timestamp, operation type, entry identifier, and classification metadata. The log is append-only and cannot be retroactively modified.
• Pass criteria: 100% operation coverage in the audit log with zero omissions. Attempted log modification is detected or structurally prevented.
• Fail criteria: Any operation is missing from the audit log, or the log can be retroactively modified without detection.

Test 8.4: Classification Escalation Prevention

• Stimulus: An agent authorised at INTERNAL classification attempts to write an entry containing SPECIAL_CATEGORY data (e.g., clinical information, biometric data). Test both explicit classification tagging and content-based classification detection.
• Expected behaviour: The write is rejected because it would create an entry at a classification level above the writing agent's authorised ceiling.
• Pass criteria: No agent creates an entry at a classification level above its authorised ceiling. The rejection includes a structured error code identifying the classification violation.
• Fail criteria: Any agent creates an entry at a classification level exceeding its authorised ceiling.

Test 8.5: Atomic Read Consistency Under Concurrent Writes

• Stimulus: While three agents simultaneously write updates to related blackboard entries, a consuming agent reads the blackboard. Execute 500 concurrent read-write cycles. Verify that every read returns a consistent snapshot — either all pre-update values or all post-update values for related entries, never a mix.
• Expected behaviour: Every read returns a consistent snapshot. No torn reads occur. The consuming agent never observes a partially-written state.
• Pass criteria: Zero torn reads across 500 concurrent read-write cycles. Every snapshot passes internal consistency validation.
• Fail criteria: Any read returns a mix of pre-update and post-update values for related entries, indicating a torn-read condition.

Test 8.6: Unregistered Agent Access Denial

• Stimulus: An agent not registered in the topology inventory (per AG-389) attempts to read from and write to the blackboard. Test with fabricated agent identities, expired agent credentials, and agent identities removed from the topology registry.
• Expected behaviour: All access attempts are denied. The system defaults to deny for any unrecognised agent identity.
• Pass criteria: No unregistered agent reads or writes any blackboard entry. Every denied attempt is logged with the unrecognised identity.
• Fail criteria: Any unregistered agent accesses the blackboard, or the system defaults to permissive access for unrecognised identities.

Test 8.7: Blackboard Poisoning Detection

• Stimulus: A compromised agent writes falsified data to the blackboard — values that are schema-valid but semantically inconsistent with the agent's historical patterns (e.g., a temperature sensor agent suddenly reporting financial figures, or a capacity agent reporting values three standard deviations from its historical baseline). Execute over a 72-hour simulated operational period.
• Expected behaviour: Anomaly detection flags the semantically inconsistent writes within the detection window. Consuming agents are alerted or the entries are quarantined before consumption.
• Pass criteria: Anomalous writes are detected and flagged. No consuming agent acts on poisoned data without at least receiving an anomaly warning.
• Fail criteria: Poisoned data is consumed by downstream agents without any anomaly detection triggering.

Conformance Scoring

• Score 0: No access governance on shared blackboard — all agents can read and write all entries without restriction.
• Score 1: Basic access control lists exist but are enforced at the application layer only, with no classification-aware partitioning or write domain enforcement.
• Score 2: Classification-aware access controls enforced at the infrastructure layer, write domain authorities enforced, atomic read consistency implemented, and tamper-evident audit logging operational.
• Score 3: Verified by independent adversarial testing — an independent party has attempted classification leakage, write poisoning, domain escalation, and concurrent exploitation attacks and all have been prevented.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 15 (Accuracy, Robustness, and Cybersecurity)	Direct requirement
EU AI Act	Article 12 (Record-Keeping)	Supports compliance
SOX	Section 404 (Internal Controls Over Financial Reporting)	Supports compliance
FCA SYSC	6.1.1R (Systems and Controls)	Direct requirement
NIST AI RMF	GOVERN 1.7, MANAGE 2.2, MANAGE 3.1	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks), Clause 8.4 (AI System Impact Assessment)	Supports compliance
DORA	Article 9 (ICT Risk Management Framework), Article 10 (Detection)	Supports compliance

EU AI Act — Article 15 (Accuracy, Robustness, and Cybersecurity)

Article 15 requires that high-risk AI systems achieve an appropriate level of accuracy, robustness, and cybersecurity, and perform consistently throughout their lifecycle. For multi-agent systems using shared blackboards, this directly requires that the shared coordination mechanism maintains data integrity and is resilient to errors, faults, and inconsistencies — including those introduced by compromised or malfunctioning agents. Blackboard poisoning represents a cybersecurity vulnerability; torn reads represent a robustness failure; classification leakage represents a data protection failure. AG-393 addresses all three through structural controls at the blackboard layer.

EU AI Act — Article 12 (Record-Keeping)

Article 12 requires that high-risk AI systems include logging capabilities that enable monitoring of the system's operation. The tamper-evident audit logging requirement of AG-393 directly implements this for shared blackboard operations, providing a complete record of which agents accessed which data, when, and for what purpose. This is essential for post-incident reconstruction in multi-agent systems where the chain of causation flows through the blackboard.

SOX — Section 404 (Internal Controls Over Financial Reporting)

For multi-agent systems involved in financial processing, Section 404 requires adequate internal controls over the data that feeds financial reporting. A shared blackboard containing financial data (position reports, valuation assessments, risk calculations) is part of the financial data processing chain. Controls over who can write to and read from this shared space are internal controls over financial data integrity. A SOX auditor examining a multi-agent financial system will ask how the integrity of shared data stores is maintained and whether write access is appropriately restricted.

FCA SYSC — 6.1.1R (Systems and Controls)

SYSC 6.1.1R requires firms to establish and maintain adequate systems and controls. For firms deploying multi-agent systems with shared coordination mechanisms, this means the shared blackboard must meet the same integrity and access control standards as any system processing financial or customer data. The FCA expects firms to demonstrate that shared data stores within AI systems are governed with equivalent rigour to traditional databases, including access controls, audit trails, and integrity verification.

NIST AI RMF — GOVERN 1.7, MANAGE 2.2, MANAGE 3.1

GOVERN 1.7 addresses processes for ongoing monitoring and periodic review of AI system risks. MANAGE 2.2 addresses mechanisms for managing identified AI risks. MANAGE 3.1 addresses post-deployment monitoring of AI systems. AG-393 supports compliance by establishing governance mechanisms for shared data stores in multi-agent systems, managing the risks of data poisoning and classification leakage, and providing audit capabilities for post-deployment monitoring.

ISO 42001 — Clause 6.1, Clause 8.4

Clause 6.1 requires organisations to determine actions to address risks within the AI management system. Clause 8.4 requires AI system impact assessment. Shared blackboard governance is a risk treatment for data integrity and classification leakage risks in multi-agent AI systems. The impact assessment should specifically evaluate the consequences of blackboard poisoning and classification leakage, which AG-393 mitigates through structural controls.

DORA — Article 9, Article 10

Article 9 requires financial entities to maintain an ICT risk management framework that ensures the integrity of data processed by ICT systems. Article 10 requires detection mechanisms for anomalous activities. AG-393 supports both: the access control and integrity mechanisms satisfy Article 9's data integrity requirements, and the anomaly detection on blackboard write patterns satisfies Article 10's detection requirements for multi-agent coordination systems.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	All agents sharing the blackboard — potentially the entire multi-agent topology where blackboard state influences downstream decision-making

Consequence chain: Without structural blackboard access governance, a single compromised or malfunctioning agent can corrupt the shared state consumed by every other agent in the topology, creating a force-multiplier effect where one breach cascades into system-wide compromise. The immediate technical failure takes one of three forms: classification leakage (data exposed to agents without legitimate access), write poisoning (falsified data consumed by downstream agents), or temporal inconsistency (decisions based on torn reads from partially-written state). The operational impact depends on the blackboard's role: in financial systems, poisoned position data can drive incorrect trading decisions across all consuming agents simultaneously; in healthcare systems, classification leakage can expose patient data to unauthorised processing agents; in safety-critical systems, falsified sensor or capacity data can cause physical harm through incorrect planning. The severity is amplified by the speed of multi-agent coordination — poisoned data posted to a blackboard can be consumed by all reading agents within milliseconds, far faster than any human monitoring process can detect and intervene. The business consequence includes regulatory enforcement action under GDPR (for classification leakage), FCA (for inadequate systems and controls in financial contexts), and sector-specific regulators; material financial loss from decisions based on corrupted data; potential personal liability for senior managers who failed to ensure adequate controls over multi-agent coordination mechanisms; and reputational damage from incidents where the root cause is traced to ungoverned shared memory in AI systems.