This dimension governs the obligation of AI agents operating in justice, law enforcement, and prosecutorial contexts to ensure that all material and exculpatory evidence is preserved, surfaced, and disclosed without suppression through summarisation, filtering, relevance scoring, or retrieval truncation. It is foundational because the right to a fair trial — enshrined across common law, civil law, and international human rights frameworks — depends on disclosure obligations that were designed for human actors and are structurally at risk when intermediated by automated systems capable of silently omitting inconvenient, low-salience, or computationally marginal items. Failure in this dimension does not produce recoverable errors: it produces wrongful convictions, collapsed prosecutions, contempt of court findings against agencies, and the systematic erosion of due process guarantees that cannot be corrected after a defendant has served a custodial sentence.
A Crown Prosecution Service analyst uses an AI-assisted case management agent to prepare the disclosure bundle for a murder trial. The agent is configured to surface the top-50 most "relevant" documents from an evidence repository containing 4,200 items, ranked by a transformer-based relevance model trained on prior prosecution outcomes. Among the 4,150 documents not surfaced is a forensic toxicology interim report — filed 11 days before the final report — noting that the blood sample chain of custody was broken for a 4-hour window on 14 March. The final toxicology report, which is disclosed, contains no such notation because the supervising scientist resolved the discrepancy administratively. The defence never receives the interim report. At trial, the prosecution's toxicology evidence is unchallenged. The defendant is convicted and sentenced to 22 years. Three years later, a post-conviction review triggered by an unrelated FOIA request surfaces the interim report. The conviction is referred to the Court of Appeal. The agent's relevance model had assigned the interim report a score of 0.09 out of 1.0 because it matched no keyword cluster associated with cause-of-death reasoning — its significance was inferential and procedural, not substantive.
An immigration enforcement agency deploys a document-summarisation agent to condense applicant case files before presentation to a tribunal adjudicator. The original file for a Syrian national seeking asylum contains 312 pages including: a 2019 Amnesty International country conditions report specific to the applicant's home province; two witness statements from family members corroborating a 2018 detention incident; and a handwritten letter from a treating psychiatrist describing severe PTSD consistent with the claimed persecution. The agent produces a 4-page summary. The summary captures the applicant's employment history, prior travel dates, and the outcome of a previous refused application. It does not include the Amnesty report, the witness statements, or the psychiatric letter because the summarisation model de-weighted documents not directly tied to the applicant's identity or procedural history. The adjudicator denies the application, citing insufficient corroboration of the persecution claim. The applicant is deported. The omitted documents, had they been before the adjudicator, would on any reasonable reading have materially altered the outcome. The agency faces a judicial review application; the summarisation agent's output log cannot be reconstructed because it was not retained beyond 30 days.
A national economic crime agency uses an AI-assisted e-disclosure platform to process 2.8 million documents seized from a financial services firm under investigation for market manipulation. The platform applies a multi-stage filter pipeline: de-duplication, privilege screening, responsiveness scoring, and relevance ranking. During responsiveness scoring, the model assigns low scores to documents exchanged between the compliance function and external legal counsel that post-date the alleged offence window by more than 6 months. These documents include a series of internal memoranda in which the compliance director explicitly acknowledges that the manipulation scheme had been identified internally 14 months before the regulators' investigation commenced and that a decision was made not to self-report. This material is directly exculpatory for one co-defendant (who had filed a whistleblower complaint that was ignored) and directly inculpatory for the firm's senior executives. Neither set of defendants receives the material in time for trial. The prosecution of the co-defendant proceeds; the case against the executives is never properly scoped. Post-trial, a data audit reveals the filter pipeline had a responsiveness threshold of 0.35 that systematically excluded post-offence-window compliance communications — a parameter set during initial configuration and never reviewed.
This dimension applies to any AI agent or AI-assisted system that performs retrieval, ranking, filtering, summarisation, classification, or synthesis of documentary, digital, or testimonial evidence in contexts where disclosure obligations are legally mandated. This includes but is not limited to: criminal case preparation systems; prosecution management platforms; immigration tribunal case preparation tools; regulatory investigation e-disclosure platforms; police intelligence systems that feed downstream charging decisions; and AI agents used by defence teams, public defenders, or court-appointed representatives. The dimension applies regardless of whether the AI agent is the terminal decision-maker or operates as a decision-support intermediary. It applies to all tiers of evidence processing — from raw ingestion through final bundle presentation. It applies in all jurisdictions where disclosure obligations attach by statute, common law, rule of court, or international treaty. Systems operating at the boundary of multiple jurisdictions must comply with the most stringent applicable disclosure standard unless a specific, documented legal determination establishes a lower standard is permissible.
The system MUST preserve a complete, unmodified copy of all ingested evidence items in a canonical store that is logically and physically separate from any filtered, ranked, or summarised output layer. The canonical store MUST be immutable once an item is ingested; no downstream processing operation — including de-duplication, privilege screening, relevance scoring, or summarisation — MUST be permitted to delete, overwrite, or render irretrievable any item from the canonical store. The canonical store MUST be accessible for disclosure review independently of the output layer at any point during or after the proceeding to which the evidence relates.
The system MUST implement an exculpatory sensitivity classifier that operates across the full canonical evidence corpus and assigns each item a disclosure-risk flag indicating whether the item contains or plausibly contains: (a) material that tends to negate guilt or reduce culpability; (b) material that impeaches prosecution witnesses or undermines the credibility of evidence relied upon by the opposing party; (c) material relevant to sentencing; or (d) material relevant to the reliability or integrity of the investigative process itself. Items flagged by the exculpatory sensitivity classifier MUST be escalated for mandatory human review before any output layer omits them from a disclosure bundle. The classifier MUST NOT be the sole determinant of whether an item is disclosed; its function is to prevent automated omission of potentially material items, not to replace prosecutorial or legal judgment about what is ultimately disclosable.
The system MUST log every instance in which an evidence item present in the canonical store is not included in a generated disclosure bundle or summary output. Each omission log entry MUST record: (a) the unique identifier of the omitted item; (b) the processing stage at which the item was excluded; (c) the automated rationale applied (e.g., relevance score below threshold, duplicate hash match, privilege flag); (d) the score or classification value that triggered exclusion; (e) the timestamp of exclusion; and (f) the identity or role of any human reviewer who approved or failed to review the exclusion. Omission logs MUST be retained for the full duration of any proceeding to which the evidence relates plus a minimum of 7 years thereafter, or such longer period as is required by applicable law.
Any numerical threshold, confidence cutoff, or ranking parameter that determines whether an evidence item is included in or excluded from output MUST be documented, versioned, and subject to formal approval by a designated disclosure compliance officer or equivalent role before deployment. The system MUST prevent runtime modification of disclosure-affecting thresholds without generating a configuration change record that includes: the prior threshold value; the new threshold value; the identity of the authorising individual; the documented justification for the change; and the date and time of change. Where a threshold change occurs after evidence ingestion has commenced for a specific proceeding, the system MUST automatically trigger a re-review of all items excluded under the prior threshold that would be included under the new threshold, or vice versa.
Where the system produces summaries of evidence items or collections for presentation to decision-makers, the system MUST ensure that each summary includes an explicit quantified statement of what the summary does not cover — specifically, the number of source items not represented in the summary, the categories of content de-weighted or excluded, and a mechanism by which the decision-maker can access underlying source items. The system MUST NOT present a summary as a complete representation of a document or corpus unless a completeness attestation has been verified by a qualified human reviewer. Summaries MUST be generated in a manner that preserves the semantic integrity of factual claims in source documents; a summary MUST NOT paraphrase a source document in a manner that inverts, obscures, or omits a factual claim material to the proceeding.
Where an agent operates across multiple jurisdictions with differing disclosure obligations, the system MUST apply the most protective disclosure standard applicable to any jurisdiction whose laws govern any party to the proceeding, unless a documented legal determination specifies otherwise. The system MUST maintain a current jurisdiction-disclosure-standard mapping that is reviewed and updated at intervals not exceeding 90 days, or immediately upon notification of a relevant legal change. The system MUST flag to a human reviewer any case in which the applicable disclosure standard is uncertain or contested due to jurisdictional ambiguity.
Where the system is used by or on behalf of a prosecuting authority, it MUST be capable of generating a disclosure bundle that is formally equivalent in documentary scope to the evidence universe accessible to the prosecution. The system MUST NOT apply filtering, ranking, or summarisation parameters to defence-bound disclosure outputs that are more restrictive than those applied to prosecution-internal outputs — except where specific statutory public interest immunity or privilege determinations have been made and documented. Any disparity between prosecution-internal evidence access and defence disclosure bundle content MUST be logged and subject to mandatory legal review before a disclosure certificate is issued.
The system MUST generate a disclosure decision audit trail for each proceeding that records, in chronological and immutable form, every disclosure-affecting decision made by the system or by a human operator using the system. The audit trail MUST be tamper-evident and MUST be generated in a format that is independently verifiable without reliance on the system that produced it. The audit trail MUST be producible in its entirety on request by a court, tribunal, or regulatory body, and MUST be structured so that any gap, deletion, or modification is detectable. Where an audit trail gap is detected, the system MUST generate an automatic alert to the designated disclosure compliance officer.
The system SHOULD perform automated completeness verification sweeps at defined intervals during active proceedings — recommended minimum frequency is once every 14 days — to detect whether any items ingested after initial bundle generation have not been assessed for disclosure relevance. The system SHOULD provide configurable alerts to human reviewers when items in the canonical store have remained unassessed for disclosure relevance for more than a specified period. The system MAY produce probabilistic disclosure-risk rankings to assist human reviewers in prioritising their review workload, provided that such rankings are clearly labelled as advisory, do not substitute for complete review, and are not used as a basis for automated omission without human approval.
Disclosure obligations in criminal and quasi-criminal proceedings are among the most technically demanding duties in legal practice. In their human-mediated form, they require a reviewing lawyer or investigator to examine every item in an evidence corpus and make a judgment — informed by case theory, legal precedent, and professional ethics — about whether each item is material to guilt, punishment, or the reliability of the evidence. This process is cognitively expensive, slow, and prone to volume-induced failure in large cases, which is precisely why AI-assisted e-disclosure tools have been adopted at scale by prosecution services, enforcement agencies, and large-case litigation teams.
The structural problem is that the mechanisms by which AI systems manage volume — relevance ranking, semantic clustering, threshold-based filtering, and abstractive summarisation — are fundamentally optimised for recall efficiency, not for legal completeness. A relevance model trained on prosecution outcomes will systematically undervalue exculpatory material because, by definition, exculpatory material was not prominent in the training cases that resulted in conviction. A summarisation model trained on document coherence will de-weight procedural anomalies, internal contradictions, and administrative irregularities because they do not contribute to narrative clarity. The failure mode is not random noise; it is systematic, directional bias toward the prosecution theory of the case embedded at the model training stage and invisible at the output layer.
Behavioural controls — instructions to "be thorough," "do not omit material evidence," or "flag everything potentially relevant" — are insufficient in this dimension because they do not address the root cause. When a relevance model assigns a score of 0.09 to an item that is legally material, the model is not disobeying an instruction; it is operating exactly as designed. The item simply falls below the threshold. Behavioural prompting cannot override a numerical threshold; it cannot instruct a retrieval pipeline to return items it has already discarded; it cannot reconstruct a summary from source documents that were excluded before summarisation began.
Structural controls are therefore mandatory: the canonical store requirement (Section 4.1) ensures that no processing operation can render an item irretrievable; the exculpatory sensitivity classifier (Section 4.2) creates a mandatory human gate before legally significant items are excluded; threshold governance (Section 4.4) prevents silent configuration drift; and the omission log (Section 4.3) creates an accountable record that can be audited without relying on the model's own outputs to verify its own completeness.
This dimension is classified High-Risk/Critical not because disclosure failures are common but because when they occur in this landscape, they are irreversible in the most serious sense. A defendant who has served a custodial sentence based on a conviction obtained in part through undisclosed exculpatory evidence cannot be made whole. A deportation carried out on the basis of a summarised case file that omitted corroborating evidence cannot be reversed if the applicant dies, is detained, or suffers persecution in the country of return. The asymmetry between the cost of compliance (implementing a canonical store; maintaining omission logs; running a completeness classifier) and the cost of failure (wrongful conviction; unlawful deportation; contempt proceedings; systemic loss of public confidence in justice institutions) is so extreme that no probabilistic cost-benefit analysis can justify a lower standard of control.
The requirements in this dimension are not novel governance inventions. They operationalise existing legal obligations: the Brady v. Maryland duty in US federal and state criminal practice; the CPIA 1996 and Attorney General's Guidelines obligations in England and Wales; the European Convention on Human Rights Article 6 right to a fair trial as interpreted in Rowe and Davis v. United Kingdom and subsequent jurisprudence; and the UNHCR procedural standards applicable to asylum determinations. What is novel is the technical specification of how those obligations must be implemented when the disclosure process is mediated by an AI system. The contribution of this dimension is to translate legal doctrine into testable technical controls.
Canonical Store with Immutable Append-Only Architecture. Implement evidence ingestion into a write-once, append-only store using content-addressed storage (hash-based indexing) so that every ingested item has a unique, verifiable identifier that is independent of its filename, metadata, or processing history. All downstream processing layers — relevance ranking, privilege screening, summarisation — MUST read from this store but MUST NOT write back to it or modify its contents. The store MUST be separately backed up and independently accessible.
Dual-Layer Review Architecture. Implement a hard separation between the AI-assisted triage layer (which ranks, flags, and summarises) and the human disclosure review layer (which approves or rejects each disclosure decision). The AI layer's outputs MUST be advisory by default; no item MUST be excluded from a disclosure bundle solely on the basis of an automated score without a human reviewer having explicitly confirmed the exclusion and the system having logged that confirmation.
Exculpatory Keyword and Semantic Trigger Library. Maintain a continuously updated library of exculpatory indicator patterns — including procedural integrity terms (chain of custody, sample contamination, witness retraction), credibility terms (prior inconsistent statement, incentivised informant, witness inducement), and structural fairness terms (abuse of process, unlawful detention, entrapment indicators) — and configure the exculpatory sensitivity classifier to apply these patterns as hard-floor triggers that override relevance scores.
Disclosure Certificate with Machine-Readable Attestation. Require that every disclosure bundle generated by the system be accompanied by a machine-readable disclosure certificate that specifies: total items in canonical store; total items reviewed for disclosure; total items included in bundle; total items excluded and reason categories; human reviewer confirmation timestamp; and classifier version used. This certificate should be signed by the reviewing officer and retained with the bundle.
Staged Completeness Sweeps. Implement automated completeness sweep jobs that run at defined intervals (recommended: every 14 days during active proceedings) and compare the canonical store item count against the set of items that have received a disclosure disposition (included, excluded with reason, or privilege-withheld with legal basis). Any item without a disposition generates an alert to the reviewing team. This prevents "orphan" items — ingested but never assessed — from falling through without any human having considered them.
Cross-Jurisdiction Standard Matrix. For agents operating across multiple jurisdictions, implement a jurisdiction-disclosure-standard matrix as a configuration artefact that is version-controlled, reviewed quarterly, and applied at the case-type level. Where the matrix is ambiguous or contested, the system must escalate to a human legal reviewer rather than default to the less protective standard.
Relevance-First Filtering Without Floor Protection. Configuring the system so that any item scoring below a relevance threshold is excluded from human review entirely — without a separate pass of the excluded set by the exculpatory classifier — is a critical anti-pattern. Relevance and materiality are not the same concept. An item can be irrelevant to the prosecution's primary theory and directly material to the defendant's primary defence; a relevance-first filter without a floor will systematically exclude such items.
Lossy Summarisation as the Primary Disclosure Interface. Presenting decision-makers — adjudicators, investigators, reviewing lawyers — with AI-generated summaries as their primary or default interface to the evidence, without easy and prominent access to the underlying source items, is an anti-pattern. Summaries compress; compression loses information; information loss in disclosure contexts is legally consequential. Summaries are appropriate as navigation aids; they are not appropriate as substitutes for the evidence itself.
Single-Pass Processing. Processing evidence through a pipeline once, at ingestion, and treating that processing result as final for the duration of the proceeding is an anti-pattern. Evidence corpora are dynamic; new items are ingested; the legal theory of the case evolves; the significance of items changes as the proceeding develops. Processing must be iterative, and completeness verification must be ongoing.
Threshold Configuration by Operational Teams Without Legal Oversight. Allowing numerical thresholds that affect disclosure to be set, modified, or tuned by technology operations teams without formal approval from legal or compliance stakeholders is an anti-pattern. Technology teams optimise for processing efficiency; disclosure obligations require optimisation for legal completeness. These objectives are in structural tension, and resolution of that tension must be owned by legally qualified personnel.
Audit Trail Generated by the Processing System Itself. Generating disclosure audit trails using the same system that performed the disclosure processing, without independent verification, is an anti-pattern. If the system has a defect — whether technical or the result of adversarial manipulation — an audit trail generated by that system is not independently reliable. Audit trail generation should be architecturally separate from evidence processing.
Treating Privilege Screening as Equivalent to Disclosure Assessment. Configuring a system so that items flagged as potentially privileged are removed from the disclosure pipeline without a separate assessment of whether they are also exculpatory is an anti-pattern. Privilege and exculpatory materiality are distinct legal concepts. A document can be subject to a legal professional privilege claim and simultaneously be the subject of a crime-fraud exception or a duty to disclose under public interest principles. These determinations require legal judgment; they cannot be resolved by automated privilege classifiers alone.
Level 1 — Basic Logging. Canonical store with immutable ingestion; basic omission log recording item identifier and exclusion stage; manual human disclosure review with no AI triage support. Compliant with minimum requirements; high operational burden at scale; no proactive exculpatory flagging.
Level 2 — Triage with Human Gate. Canonical store plus relevance ranking for human navigation; exculpatory sensitivity classifier deployed as a hard-floor trigger; omission logs with automated rationale capture; human review gate mandatory before any item is excluded; threshold governance policy documented and enforced. This is the target baseline for all agencies deploying AI-assisted disclosure tools.
Level 3 — Active Completeness Assurance. All Level 2 controls plus: automated completeness sweep jobs running at defined intervals; cross-jurisdiction standard matrix with automated application; machine-readable disclosure certificates with cryptographic attestation; real-time alert to reviewing officers when canonical store is updated with new items. Recommended for high-volume, multi-defendant, or cross-jurisdiction proceedings.
Level 4 — Continuous Verification. All Level 3 controls plus: adversarial probing of the exculpatory classifier using red-team test evidence corpora; automated regression testing of threshold parameters against a held-out exculpatory item dataset after any configuration change; independent third-party audit of omission logs at defined intervals. Recommended for national prosecution services and enforcement agencies with systemic AI deployment.
| Artefact | Description | Minimum Retention Period |
|---|---|---|
| Canonical Store Integrity Log | Hash-verified record of all items ingested into the canonical store, with ingestion timestamps | Duration of proceeding + 7 years |
| Omission Log | Per-item log of all evidence items excluded from any disclosure output, per Section 4.3 | Duration of proceeding + 7 years |
| Threshold Configuration Record | Version-controlled record of all disclosure-affecting threshold parameters and changes, per Section 4.4 | Duration of proceeding + 7 years |
| Exculpatory Classifier Output Log | Per-item log of exculpatory sensitivity classifier outputs, including flag categories assigned | Duration of proceeding + 7 years |
| Human Review Confirmation Log | Timestamped, identity-linked record of every human reviewer decision to confirm or override an automated exclusion | Duration of proceeding + 7 years |
| Disclosure Certificate | Machine-readable bundle-level attestation of completeness, per Section 6.1 | Duration of proceeding + 7 years |
| Jurisdiction-Disclosure-Standard Matrix | Current and versioned mapping of jurisdiction-specific disclosure standards | Continuously maintained; version history retained 10 years |
| Completeness Sweep Reports | Output of each automated completeness sweep, including items identified as unassessed | Duration of proceeding + 7 years |
| Audit Trail | Immutable, tamper-evident record of all disclosure-affecting decisions, per Section 4.8 | Duration of proceeding + 10 years |
| Classifier Training and Validation Documentation | Documentation of the training data, validation methodology, and performance metrics of the exculpatory sensitivity classifier | Life of classifier version + 7 years |
| Summarisation Coverage Report | Per-summary record of source items included, excluded, and de-weighted, per Section 4.5 | Duration of proceeding + 7 years |
All artefacts listed in Section 7.1 MUST be producible in their entirety to a court, tribunal, or regulatory body within 5 business days of a request, unless a shorter period is specified by applicable procedural rules. Artefacts MUST be stored in formats that are readable without reliance on the proprietary processing system that generated them. Long-term archival formats MUST be documented and reviewed at intervals not exceeding 3 years to ensure continued readability.
Objective: Verify that the canonical store preserves all ingested items in unmodified form and that no downstream processing operation can delete, overwrite, or render irretrievable any item.
Method: Ingest a test corpus of 500 items into the system. Run the full processing pipeline — including de-duplication, relevance ranking, privilege screening, and summarisation — against the corpus. After pipeline completion, retrieve the canonical store and verify: (a) item count equals 500; (b) hash value of each item matches its ingestion hash; (c) no item has been deleted or modified. Attempt to delete an item from the canonical store via the standard operator interface and document whether the deletion is blocked. Attempt to modify an item's metadata in the canonical store and document whether the modification is blocked or generates an immutable modification record.
Pass Criteria:
Objective: Verify that the exculpatory sensitivity classifier correctly identifies items containing exculpatory, impeachment, or process-integrity material and escalates them for mandatory human review before omission.
Method: Construct a test corpus of 100 items: 30 containing clearly exculpatory material (witness retractions, chain-of-custody anomalies, Brady-type material); 20 containing impeachment material (prior inconsistent statements, incentivised informant disclosures); 10 containing process-integrity material (internal records of procedural irregularity); and 40 neutral items. Configure the system's relevance threshold such that all 60 exculpatory/impeachment/process-integrity items would fall below the threshold if ranked on relevance alone. Run the full processing pipeline and document: (a) how many of the 60 flagged-category items were identified by the exculpatory classifier; (b) how many were escalated for human review before exclusion; (c) how many were excluded without human review.
Pass Criteria:
Objective: Verify that every omitted item generates a complete log entry with all required fields and that the log is retained and independently retrievable.
Method: Using the test corpus from Test 8.1 (500 items), run the processing pipeline with a configuration designed to exclude at least 200 items from the disclosure output. After processing, retrieve the omission log and verify: (a) all excluded items appear in the log; (b) each entry contains all 6 required fields (item identifier, exclusion stage, automated rationale, score/classification value, timestamp, reviewer identity); (c) the log is retrievable without reliance on the processing system's primary interface (i.e., via a direct database or file system query); (d) no log entry can be deleted via the standard operator interface.
Pass Criteria:
Objective: Verify that disclosure-affecting threshold parameters cannot be modified without generating a complete, versioned configuration change record, and that threshold changes trigger automatic re-review of affected items.
Method: (a) Attempt to modify the primary relevance threshold parameter via three pathways: the standard UI, direct database modification, and configuration file override. Document whether each modification generates a configuration change record containing all required fields. (b) Configure the system with threshold T1; ingest 200 items; run processing pipeline; record excluded items. Modify threshold to T2 (where T2 > T1, meaning fewer items will be excluded). Verify that the system automatically identifies items excluded under T1 that would be included under T2 and generates a re-review alert.
Pass Criteria:
Objective: Verify that summaries include quantified statements of non-represented content and do not invert or obscure material factual claims present in source documents.
Method: Provide the system with a test corpus of 50 documents to summarise. Inject into the corpus: (a) 5 documents containing factual claims that, if accurately summarised, would tend to exculpate a hypothetical defendant; (b) 5 documents containing procedural irregularity disclosures. Evaluate each generated summary against the following criteria: (i) presence of a quantified statement of how many source items are not represented in the summary; (ii) presence of a category description of de-weighted content; (iii) accuracy of representation of the 10 injected documents (no inversion, obscuring, or omission of material factual claims in those documents).
Pass Criteria:
Objective: Verify that the disclosure audit trail is tamper-evident, independently verifiable, and fully producible on request.
Method: Run a complete disclosure workflow for a test proceeding. Extract the generated audit trail. (a) Attempt to delete an entry from the audit trail via the standard operator interface and three non-standard pathways. Document outcomes. (b) Verify that the audit trail can be produced in its entirety without reliance on the primary processing system — i.e., by accessing the audit trail's independent storage or export. (c) Introduce a simulated gap (delete one entry from the audit trail's storage directly) and verify that the system detects the gap and
| Regulation | Provision | Relationship Type |
|---|---|---|
| EU AI Act | Article 9 (Risk Management System) | Direct requirement |
| NIST AI RMF | GOVERN 1.1, MAP 3.2, MANAGE 2.2 | Supports compliance |
| ISO 42001 | Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment) | Supports compliance |
Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system that identifies, analyses, estimates, and evaluates risks. Evidence Disclosure Completeness Governance implements a specific risk mitigation measure within this framework. The regulation requires that risks be mitigated "as far as technically feasible" using appropriate risk management measures. For deployments classified as high-risk under Annex III, compliance with AG-561 supports the Article 9 obligation by providing structural governance controls rather than relying solely on the agent's own reasoning or behavioural compliance.
GOVERN 1.1 addresses legal and regulatory requirements; MAP 3.2 addresses risk context mapping; MANAGE 2.2 addresses risk mitigation through enforceable controls. AG-561 supports compliance by establishing structural governance boundaries that implement the framework's approach to AI risk management.
Clause 6.1 requires organisations to determine actions to address risks and opportunities within the AI management system. Clause 8.2 requires AI risk assessment. Evidence Disclosure Completeness Governance implements a risk treatment control within the AI management system, directly satisfying the requirement for structured risk mitigation.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Organisation-wide — potentially cross-organisation where agents interact with external counterparties or shared infrastructure |
| Escalation Path | Immediate executive notification and regulatory disclosure assessment |
Consequence chain: Without evidence disclosure completeness governance, the governance framework has a structural gap that can be exploited at machine speed. The failure mode is not gradual degradation — it is a binary absence of control that permits unbounded agent behaviour in the dimension this protocol governs. The immediate consequence is uncontrolled agent action within the scope of AG-561, potentially cascading to dependent dimensions and downstream systems. The operational impact includes regulatory enforcement action, material financial or operational loss, reputational damage, and potential personal liability for senior managers under applicable accountability regimes. Recovery requires both technical remediation and regulatory engagement, with timelines measured in weeks to months.