This dimension governs the binding of AI research agents to formally approved ethics and Institutional Review Board (IRB) — or equivalent ethics committee — protocols, ensuring that every agent action touching human subjects in a research context is constrained by, traceable to, and never permitted to exceed the scope of an approved protocol document. It matters because research agents operating without hard protocol bindings can silently exceed approved data uses, enroll ineligible participants, modify study parameters without re-consent, or expose vulnerable populations to unapproved risks — harms that are invisible in real time and often discovered only after irreversible damage to participants, institutional standing, or scientific integrity. Failure manifests as protocol drift in which an agent autonomously expands data collection beyond the approved IRB scope, contacts withdrawn participants, applies unapproved stimuli or interventions to enrolled subjects, or produces analysis on datasets that post-date consent expiry — each outcome carrying the potential for federal regulatory sanction, retraction of published findings, civil liability, and permanent harm to human participants.
A university deploys an Enterprise Workflow Agent to administer a 24-month longitudinal mental health survey to 1,200 enrolled undergraduate participants. The approved IRB protocol (Protocol ID: MH-2023-0047) specifies collection of seven validated psychometric instruments administered at six-week intervals, with explicit exclusion of passive device sensor data. During month nine, the agent's underlying platform is updated and a new capability module automatically begins ingesting participants' smartphone accelerometer and sleep-pattern data via an ambient sensing API — a data type never submitted to the IRB. The agent continues administering surveys and silently co-collects sensor data for eleven weeks across the full participant cohort before a graduate researcher notices anomalous data fields in the repository. By that point, 1,200 participants have had unconsented biometric data collected across 77 calendar days. The IRB conducts an emergency review, suspends the study, notifies all participants, and submits a federal reportable non-compliance event to the funding agency. The principal investigator receives a two-year bar on federal funding. The agent lacked any mechanism to detect that a newly activated capability exceeded the approved protocol's data collection boundary; had a protocol binding been in force, the sensor ingestion would have been blocked at the API call layer before any data left the device.
A pharmaceutical research organisation uses a Safety-Critical / CPS Agent to manage participant scheduling, dose-reminder notifications, and adverse event monitoring for a Phase II clinical trial involving 340 participants across four sites (Trial Registration: NCT04882751). The trial protocol mandates that upon receipt of a written or verbal withdrawal request, all participant-directed agent actions must cease within four hours and no further protocol procedures may be initiated. On day 61 of the trial, a participant at Site 3 verbally notifies the on-site coordinator of withdrawal. The coordinator logs the withdrawal in the site's electronic data capture system but the downstream agent workflow — which operates on a separate task queue — is not notified via a formal withdrawal event. The agent continues issuing dose-reminder push notifications to the participant for nine days and schedules an in-person blood draw appointment that the participant attends, believing it mandatory. The blood draw constitutes an unapproved research procedure on a withdrawn participant — a serious protocol deviation reportable to the sponsoring IRB, the FDA under 21 CFR Part 312.62, and the Data Safety Monitoring Board. The site loses its good clinical practice certification. An agent bound to a withdrawal-state registry with a mandatory cessation trigger would have halted all participant-directed actions at the moment the withdrawal record propagated from the EDC system.
A public health research consortium deploys a Public Sector / Rights-Sensitive Agent to conduct remote eligibility screening and online informed consent for a study examining dietary behaviour across 18–65-year-old adults (IRB Protocol: PH-2024-0112). The agent is configured to accept self-reported age from a web-based intake form. During a two-week recruitment window, 47 individuals falsely report ages of 18 or above but are subsequently identified — via linked administrative records reviewed during data cleaning — to be minors aged 14 to 17. The agent enrolled all 47, issued adult-form consent documents, and began administering dietary recall interviews before the discrepancy was detected. Because the protocol carries no parental consent provision for minors (they are explicitly excluded), every interaction with those 47 participants constitutes research conducted without legally valid informed consent. The institution must notify the IRB, withdraw all data from the 47 participants, provide remediation notices to families, and submit a federal non-compliance report. The study's federal grant is placed on administrative hold for 90 days. The agent contained no age-verification binding to a validated identity source, no eligibility re-confirmation gate prior to consent delivery, and no protocol-boundary check preventing enrollment of a participant type explicitly excluded from the approved protocol. A properly bound screening agent would have flagged the self-reported-age-only path as an insufficiently verified eligibility criterion and routed ambiguous cases to human coordinator review before any consent document was issued.
This dimension applies to any AI agent — including orchestration agents, sub-agents within multi-agent pipelines, and AI-assisted data collection, communication, monitoring, or analysis tools — that (a) directly interacts with human research participants, (b) processes data derived from human participants, (c) administers research instruments, interventions, or communications to enrolled individuals, or (d) makes eligibility, scheduling, dosing, consent, or data-access decisions within a research study governed by an ethics committee, IRB, or equivalent regulatory body. The dimension applies regardless of whether the study is funded federally or privately, whether participants are adults or minors, and whether the modality is in-person, remote, or hybrid. It applies throughout the full research lifecycle: protocol design support, participant recruitment, screening and enrollment, active study conduct, data collection, analysis, withdrawal processing, and closeout. It does not apply to purely synthetic data generation pipelines that contain no real participant data and carry no participant-facing outputs, provided that status is documented and verified.
The agent MUST be bound to a machine-readable representation of the approved ethics/IRB protocol prior to any participant-facing action or participant-data-touching operation. This binding MUST include, at minimum: the approved protocol identifier, protocol version number, approval date, expiry/renewal date, approved data collection instruments and modalities, approved participant population criteria (inclusions and exclusions), approved study procedures and their permitted sequence, and any special conditions (e.g., vulnerable population provisions, geographic restrictions). The agent MUST reject any instruction or capability activation that is not traceable to a parameter explicitly enumerated within this protocol binding.
The agent MUST enforce a hard scope boundary such that requests for data collection, analysis, participant contact, or procedure initiation that exceed the approved protocol scope are refused at the action layer and do not produce partial outputs. When a scope boundary is encountered, the agent MUST log the refused action with timestamp, requesting entity, proposed action, and the specific protocol parameter that was violated, and MUST surface a structured alert to a designated human oversight role within a configurable maximum latency not to exceed 60 minutes.
The agent MUST verify that the bound protocol is currently approved (i.e., not expired, suspended, or revoked) before initiating each new study session, participant interaction, or batch data operation. If the protocol has expired or its status is unknown due to a registry connectivity failure, the agent MUST default to a cessation state, suspending all participant-facing and participant-data-touching operations until human confirmation of valid protocol status is obtained and logged.
The agent MUST apply all inclusion and exclusion criteria specified in the protocol binding as a gate prior to any enrollment or consent-delivery action. Eligibility determinations MUST reference at least one verified data source (e.g., authenticated identity record, linked clinical record, verified administrative data) where the protocol requires objective eligibility criteria; self-report alone MUST NOT constitute a sufficient eligibility determination for criteria that are objectively verifiable. Where eligibility cannot be confirmed to the required standard, the agent MUST route the case to a human coordinator with a documented rationale before proceeding.
The agent MUST maintain a consent state record for each enrolled participant, tracking at minimum: consent version presented, date and time of consent, consent modality (electronic, written, verbal with witness), capacity confirmation where required, and parental/guardian consent status for minors. The agent MUST NOT initiate any study procedure, data collection act, or participant communication beyond initial consent delivery until a valid, current consent state is confirmed in the participant record. When a new protocol amendment requires re-consent, the agent MUST suspend all non-essential participant interactions for the affected participant until re-consent is recorded.
The agent MUST subscribe to a withdrawal event channel or registry and MUST, upon receipt of a withdrawal event for a participant, cease all participant-directed actions, cancel all pending scheduled interactions, and flag the participant record as withdrawn within a maximum of four hours of the withdrawal event timestamp. The agent MUST NOT access, process, or transmit the withdrawn participant's data for any purpose not explicitly authorised by the protocol's withdrawal data-handling clause. The cessation MUST be confirmed in the audit trail with the withdrawal event source, the timestamp of cessation, and the identity of any actions that were in-flight and aborted.
The agent MUST monitor participant-facing outputs and incoming participant response data for signals matching the adverse event criteria defined in the protocol binding. Upon detection of a potential adverse event signal, the agent MUST immediately suspend the relevant participant's scheduled interactions, generate a structured adverse event notification routed to the principal investigator and safety officer within 15 minutes, and log all contextual data associated with the signal. The agent MUST NOT make an autonomous determination that a signal does not constitute an adverse event; any signal matching protocol-defined criteria MUST be escalated to human review regardless of the agent's internal confidence assessment.
In multi-agent research pipelines, the orchestrating agent MUST propagate the protocol binding to all sub-agents prior to delegating any participant-facing or participant-data-touching task. Sub-agents MUST NOT accept task delegations that lack a verifiable protocol binding reference. Where a sub-agent receives conflicting instructions from an orchestrating agent and the protocol binding, the sub-agent MUST refuse the conflicting instruction and surface the conflict to the human oversight role. Protocol bindings MUST NOT be overridden by inter-agent communication at runtime without a new human-authorised protocol amendment event in the audit trail.
The agent MUST produce a tamper-evident, append-only audit log of every protocol-relevant action, including: protocol binding load events and version checks; eligibility gate outcomes; consent state changes; scope boundary refusals; withdrawal cessation events; adverse event escalations; and any human override of an agent refusal. Log entries MUST include a monotonically increasing sequence number, UTC timestamp, participant pseudonym or study ID (not direct identifiers unless required), agent instance identifier, and a hash of the prior log entry to support chain-of-custody verification. Logs MUST be retained for the period specified by the applicable regulatory framework, with a minimum default retention of seven years from study closeout where no other requirement governs.
Behavioural guidelines and researcher training alone are insufficient to constrain AI research agents operating at scale in longitudinal, multi-site, or high-throughput studies. Research agents are often invoked thousands of times per day across large participant cohorts, executing actions faster than any human reviewer can audit in real time. A protocol binding that exists only as a PDF document reviewed during study setup provides no runtime constraint: the agent has no mechanism to know that a newly activated software capability exceeds the approved scope, that a participant has withdrawn via a parallel system, or that an eligibility criterion has been violated through a subtle data-path error. Structural enforcement — machine-readable protocol parameters loaded as hard constraints into the agent's action layer — transforms the IRB protocol from an administrative artefact into an active runtime boundary. This approach reflects the same logic underlying safety interlocks in regulated manufacturing: the safety function must be independent of operator memory and embedded in the execution pathway itself.
In most enterprise AI governance contexts, detective controls (logging, post-hoc review, anomaly detection) serve as an adequate second line of defence behind preventive controls. In human subjects research, the calculus is fundamentally different. A harm to a research participant — unconsented data collection, exposure to an unapproved intervention, failure to honour withdrawal — is not reversible by detecting it after the fact. The Belmont Report's three foundational principles (respect for persons, beneficence, and justice) each carry an immediacy requirement: consent must be valid at the moment of enrolment, not audited afterward; a withdrawn participant must be protected from the moment of withdrawal, not from the moment the log is reviewed. Preventive control at the action layer — refusing the action before it executes — is the only mechanism that honours these principles at the speed at which AI agents operate. Detective controls remain necessary as an independent verification layer and as the mechanism for surfacing previously unknown failure modes, but they cannot substitute for preventive binding.
The most robust implementation pattern encodes the approved IRB protocol as a structured data object (see Section 6) that is version-controlled, cryptographically signed by the IRB at approval, and loaded into the agent's configuration layer at study initialisation. This model provides three properties that plain-text protocol documents cannot: (a) machine-parseable scope parameters that the agent can evaluate against proposed actions without ambiguity; (b) a verifiable chain of custody from IRB approval to agent runtime state; and (c) a version control history that makes protocol amendments auditable and prevents agents from operating on stale protocol versions after an amendment has been approved. The protocol-as-code model also enables automated compliance checking — where the agent continuously evaluates whether its current operational state is consistent with the bound protocol — rather than relying on point-in-time human review.
The four-hour maximum cessation latency specified in Section 4.6 is derived from the intersection of two considerations: the realistic operational cadence of multi-site clinical and behavioural research (where withdrawal events may be recorded at any time of day or night, including outside business hours), and the ethical imperative to honour withdrawal without requiring the participant to take additional steps. A 24-hour window would be inconsistent with ICH E6(R2) Good Clinical Practice expectations and would create unacceptable exposure in studies involving frequent agent-participant interactions. An instantaneous requirement would be technically unachievable in distributed multi-site systems with intermittent connectivity. Four hours represents a defensible, operationally achievable threshold that has been accepted by leading institutional review bodies as consistent with the "prompt" withdrawal cessation language in the Common Rule (45 CFR 46).
Protocol-as-Code Schema. Represent the approved IRB protocol as a structured document (JSON-LD, YAML, or equivalent) containing machine-parseable fields for each requirement in Section 4.1. The schema should include: protocol_id, protocol_version, approval_timestamp, expiry_timestamp, status (enum: active, suspended, expired, revoked), approved_instruments (array), approved_data_modalities (array), inclusion_criteria (array of evaluable predicates), exclusion_criteria (array of evaluable predicates), consent_versions (array with validity windows), withdrawal_data_clause (structured text), adverse_event_criteria (array of signal definitions), and oversight_contacts (array of role-keyed contact references). The schema should be cryptographically signed by the IRB system at approval and verified by the agent at load time.
Protocol Binding Registry. Operate a central protocol binding registry — accessible to all agents in the research infrastructure — that exposes protocol status in real time. Agents poll or subscribe (via webhook or event stream) to this registry to receive immediate notification of status changes (amendment approval, suspension, renewal, revocation). This eliminates the failure mode where an agent continues operating on an expired protocol because it has no visibility into the IRB's administrative decisions.
Eligibility Predicate Engine. Implement inclusion and exclusion criteria as evaluable predicates rather than natural-language descriptions. For example, an age-based criterion is represented as {"field": "age_years", "operator": "gte", "value": 18} and evaluated against a verified data source at runtime. Where criteria require clinical judgement (e.g., "clinically stable mental health status"), the predicate engine flags the criterion as requiring human evaluation and routes the eligibility determination to a qualified coordinator rather than attempting autonomous resolution.
Consent State Machine. Model participant consent as a formal state machine with defined states (pre-consent, consent-delivered, consented, re-consent-required, withdrawn, excluded) and allowed transitions. The agent is restricted to a subset of actions permitted in each state. Transitions are triggered only by authorised events (consent signature recorded, amendment approved, withdrawal received) and each transition is logged with the authorising event reference.
Withdrawal Event Bus. Integrate the agent's withdrawal cessation logic with a dedicated withdrawal event bus that aggregates withdrawal signals from all study-relevant systems (EDC, coordinator portal, phone/email intake, on-site paper log digitisation). The event bus normalises withdrawal records and emits a standardised withdrawal event that all subscribed agents process within the four-hour SLA. Implement a dead-letter queue and alerting for withdrawal events that are emitted but not acknowledged by all subscribed agents within the SLA window.
Maturity Model.
Anti-Pattern 1 — Natural Language Protocol Summaries as Runtime Constraints. Loading a plain-text summary of the IRB protocol into the agent's system prompt and relying on the language model's interpretation to enforce scope boundaries is not an acceptable implementation of Section 4.1 or 4.2. Natural language interpretation introduces ambiguity, is sensitive to prompt context, and cannot provide the deterministic enforcement required for a High-Risk/Critical control. Protocol binding MUST be implemented at the action layer, not at the language model inference layer.
Anti-Pattern 2 — Consent Verification by Timestamp Lookup Only. Checking whether a consent event occurred in the past (timestamp lookup) without verifying the consent version, the consent capacity, and whether a re-consent requirement has since been triggered is insufficient for Section 4.5 compliance. An agent that proceeds because "a consent record exists" without checking its current validity will enroll participants on superseded consent forms following protocol amendments.
Anti-Pattern 3 — Withdrawal Handled as a Soft Flag. Marking a participant as "withdrawn" in a database field without propagating a hard cessation event to all agent instances and sub-agents creates the scenario described in Example 3.2. Withdrawal handling MUST be event-driven and MUST produce a positive cessation confirmation from every agent component, not a passive flag that may be read at the next scheduled interaction.
Anti-Pattern 4 — Protocol Binding Bypassed for "Read-Only" Analytical Operations. Assuming that data analysis operations are exempt from protocol binding because they do not directly contact participants is incorrect and inconsistent with Section 4.0. Analysis operations that process participant data beyond the approved purpose limitation violate the protocol even in the absence of participant contact. All data-touching operations are in scope.
Anti-Pattern 5 — Manual Override Without Audit Trail. Allowing human researchers to override agent scope boundary refusals through a privileged administrative command that does not produce an audit log entry violates Section 4.9 and undermines the chain-of-custody guarantee. All overrides MUST be logged, attributed, and linked to an authorising rationale (e.g., an emergency protocol deviation form).
Anti-Pattern 6 — Sub-Agents Trusted Implicitly on Protocol Compliance. In multi-agent pipelines, assuming that a sub-agent is protocol-compliant because the orchestrating agent is protocol-compliant fails under Section 4.8. Each sub-agent must independently verify the protocol binding reference before accepting delegated tasks. Trust cannot be inherited through the call chain without explicit binding propagation.
Clinical Trials. Studies operating under FDA oversight (21 CFR Parts 50, 56, 312) carry regulatory reporting obligations for protocol deviations that are triggered automatically by certain adverse event and non-compliance events. The agent's adverse event escalation implementation (Section 4.7) should be designed in coordination with the institution's regulatory affairs function to ensure that agent-generated alerts are compatible with the deviation reporting workflow.
Federally Funded Behavioural and Social Science Research. Research subject to the U.S. Common Rule (45 CFR 46) and its 2018 Revised Common Rule carries specific provisions for informed consent documentation, exempt category determination, and the handling of identifiable private information. Protocol bindings for studies under Common Rule oversight should encode the applicable review category and its associated constraints.
Multi-National Studies. Research conducted across jurisdictions (e.g., EU and US sites) must bind to the strictest applicable protocol constraint across all participant populations. Agents must be aware of jurisdiction-specific consent requirements (e.g., GDPR Article 9 for health data processed in EU member states) and apply them as additional constraints on top of the IRB protocol binding.
| Artefact | Description | Retention Period |
|---|---|---|
| Protocol Binding Load Record | Cryptographically signed log entry recording the protocol document version, its signature verification outcome, and the timestamp of binding at agent initialisation | Duration of study plus 7 years from closeout |
| Protocol Status Check Logs | Time-stamped records of each protocol validity check performed against the binding registry, including the registry response and the agent's resulting state | Duration of study plus 7 years from closeout |
| Eligibility Gate Outcomes | Record of every eligibility determination, including: participant study ID, criteria evaluated, data sources consulted, outcome (eligible/ineligible/referred to human), and evaluating agent instance | Duration of study plus 7 years from closeout |
| Consent State Records | Complete consent state machine history per participant including all state transitions, consent version references, timestamps, and re-consent events | Duration of study plus applicable post-study retention (minimum 7 years) |
| Scope Boundary Refusal Log | Structured log of every refused action including the requesting entity, proposed action, violated protocol parameter, timestamp, and downstream alert reference | Duration of study plus 7 years from closeout |
| Withdrawal Cessation Confirmations | Per-withdrawal record showing: withdrawal event source, event timestamp, cessation confirmation timestamp for each subscribed agent, and list of aborted in-flight actions | Duration of study plus 7 years from closeout |
| Adverse Event Escalation Records | Structured record of each adverse event signal detected, signal description, protocol criteria matched, escalation timestamp, recipients notified, and resolution outcome | Duration of study plus 15 years (clinical trials) or 7 years (other) |
| Multi-Agent Protocol Inheritance Trace | Record of protocol binding references propagated from orchestrating agent to each sub-agent, with sub-agent acknowledgement and verification outcome | Duration of study plus 7 years from closeout |
| Audit Log Chain-of-Custody Verification | Periodic hash-chain verification reports demonstrating tamper-evidence of the audit log | Duration of study plus 7 years from closeout |
| Human Override Records | Complete record of every human override of an agent scope refusal, including authorising individual, rationale, and linked protocol deviation form reference | Duration of study plus 7 years from closeout |
Maps to: Sections 4.1, 4.2 Objective: Verify that the agent loads a valid, cryptographically verified protocol binding at initialisation and refuses actions outside the approved scope. Procedure:
Conformance Scoring:
Maps to: Section 4.3 Objective: Verify that the agent detects protocol expiry and enters cessation state, and that connectivity failure to the registry also triggers cessation. Procedure:
Conformance Scoring:
Maps to: Section 4.4 Objective: Verify that the eligibility gate enforces verified-source requirements and routes ambiguous cases to human review. Procedure:
Conformance Scoring:
Maps to: Section 4.5 Objective: Verify that the agent enforces consent state requirements and suspends non-essential interactions when re-consent is required. Procedure:
consented state with consent version v1.0. Attempt to initiate a study procedure. Verify the action proceeds.re-consent-required state and suspends all non-essential interactions.re-consent-required state. Verify the agent refuses.consented state and study procedures resume.pre-consent state (no consent record exists). Verify the agent refuses and does not advance beyond initial consent delivery.Conformance Scoring:
re-consent-required or pre-consent states.Maps to: Section 4.6 Objective: Verify that the agent ceases all participant-directed actions within four hours of a withdrawal event and correctly handles in-flight actions. Procedure:
Conformance Scoring:
Maps to: Section 4.7 Objective: Verify that the agent detects adverse event signals and escalates within 15 minutes without making autonomous determination of non-event status. Procedure:
| Regulation | Provision | Relationship Type |
|---|---|---|
| EU AI Act | Article 9 (Risk Management System) | Direct requirement |
| NIST AI RMF | GOVERN 1.1, MAP 3.2, MANAGE 2.2 | Supports compliance |
| ISO 42001 | Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment) | Supports compliance |
| FERPA | 34 CFR Part 99 (Student Education Records) | Supports compliance |
Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system that identifies, analyses, estimates, and evaluates risks. Human-Subject Protocol Binding Governance implements a specific risk mitigation measure within this framework. The regulation requires that risks be mitigated "as far as technically feasible" using appropriate risk management measures. For deployments classified as high-risk under Annex III, compliance with AG-585 supports the Article 9 obligation by providing structural governance controls rather than relying solely on the agent's own reasoning or behavioural compliance.
GOVERN 1.1 addresses legal and regulatory requirements; MAP 3.2 addresses risk context mapping; MANAGE 2.2 addresses risk mitigation through enforceable controls. AG-585 supports compliance by establishing structural governance boundaries that implement the framework's approach to AI risk management.
Clause 6.1 requires organisations to determine actions to address risks and opportunities within the AI management system. Clause 8.2 requires AI risk assessment. Human-Subject Protocol Binding Governance implements a risk treatment control within the AI management system, directly satisfying the requirement for structured risk mitigation.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Organisation-wide — potentially cross-organisation where agents interact with external counterparties or shared infrastructure |
| Escalation Path | Immediate executive notification and regulatory disclosure assessment |
Consequence chain: Without human-subject protocol binding governance, the governance framework has a structural gap that can be exploited at machine speed. The failure mode is not gradual degradation — it is a binary absence of control that permits unbounded agent behaviour in the dimension this protocol governs. The immediate consequence is uncontrolled agent action within the scope of AG-585, potentially cascading to dependent dimensions and downstream systems. The operational impact includes regulatory enforcement action, material financial or operational loss, reputational damage, and potential personal liability for senior managers under applicable accountability regimes. Recovery requires both technical remediation and regulatory engagement, with timelines measured in weeks to months.