This dimension governs the design, operation, and oversight of AI agent systems that handle, process, store, retrieve, or transmit information that could directly or indirectly identify a journalistic source or expose confidential communications between a journalist and an informant, whistleblower, or other protected party. Source confidentiality is a foundational pillar of press freedom, democratic accountability, and the rule of law; its erosion through AI-mediated information processing creates a systemic chilling effect on the willingness of sources to come forward with matters of legitimate public interest, with downstream consequences for investigative journalism, anti-corruption efforts, and public safety whistleblowing. Failure in this dimension takes the form of AI agents surfacing, correlating, logging, or transmitting source-identifying signals — including metadata, behavioural patterns, communication timing, document fingerprints, or inference-derived identity markers — to parties who are not authorised to receive them, whether through deliberate adversarial query, misconfigured retrieval pipelines, cross-session data leakage, or compelled disclosure to state actors.
A national investigative news outlet deploys an AI-assisted document analysis agent to help journalists process leaked procurement records. The agent is configured to store document embeddings in a shared vector database alongside session metadata, including upload timestamps, file names prior to anonymisation, and the journalist's internal user identifier. A security researcher contracted by the outlet's cloud provider submits a query through a separate analytics interface that has inadequately scoped read access to the same vector store. The query retrieves the 14 nearest-neighbour embeddings to a publicly available government tender document. Three of the returned results include partial file path strings that encode the originating government department and a date range consistent with a specific internal audit cycle. Cross-referencing these strings against a publicly known list of employees with access to that audit takes fewer than four hours. The source — a senior civil servant who had provided documents at personal legal risk — is identified. The source loses their position, faces criminal prosecution under official secrets legislation, and the outlet faces regulatory investigation for failure to implement adequate technical safeguards. Total identifiable harm: one source identified, one prosecution initiated, one outlet's source network materially chilled across a civil service with approximately 340,000 employees.
A regional newspaper operates a reader-facing AI agent that allows journalists to query an internal knowledge base using natural language. The knowledge base includes notes, interview summaries, and draft articles, some of which contain partially redacted source references encoded as tokens such as "Source-7" or "the contact in the finance ministry." A journalist queries the agent: "Summarise everything we know about procurement irregularities in the eastern district." The agent, lacking a prohibition on cross-document inference, synthesises across 23 documents and returns a response that combines: the source's stated seniority level, their described physical location within a specific building, a reference to a meeting time that is consistent with a publicly known committee schedule, and a linguistic pattern consistent with a named individual's known writing style. No single document contained sufficient information to identify the source, but the agent's synthesis produced a profile that an adversarially motivated reader — such as a state intelligence officer with legitimate-seeming access to the internal tool — could use to identify the source with high confidence. The source is later approached by state security services who demonstrate knowledge of their involvement. The AI agent's inference log, retained for 90 days in a standard application log, is subject to a compelled production order. Estimated blast radius: one source compromised, one ongoing investigation terminated, one jurisdiction's press freedom index score declining 11 points in the following annual assessment.
A multinational investigative consortium uses an AI orchestration layer to coordinate document review across seven jurisdictions. The orchestration agent is configured to route processing tasks to the lowest-latency available compute node, without jurisdiction-awareness logic. A document package submitted by a journalist in Germany — containing communications from a source in an authoritarian state — is routed for processing to a compute node physically located in a jurisdiction where the operating entity has a registered subsidiary and where local law requires disclosure of communications data to state security authorities upon administrative request (without judicial oversight). The routing occurs automatically at 02:14 local time with no human review. Three weeks later, the local subsidiary receives an administrative data request. Because the processing log is retained in the local jurisdiction and the request is legally valid under local law, the consortium's legal team advises that non-disclosure carries criminal liability for local staff. The source's identity is disclosed. The source is subsequently detained. The consortium had no awareness the routing had occurred until the data request arrived. Legal costs to contest jurisdiction: €2.3 million. Outcome for source: indefinite detention without charge under national security provisions. The orchestration agent had no jurisdiction-aware routing controls, no source-data tagging, and no human-in-the-loop checkpoint for cross-border transfer of protected materials.
This dimension applies to any AI agent system that: (a) processes documentary, conversational, or structured data submitted by or on behalf of a journalist, news organisation, civil society investigative body, or public interest publisher; (b) has the capability to store, retrieve, embed, summarise, classify, route, or transmit such data, including via sub-agent delegation or external API calls; or (c) operates in a context where source-identifying information — including direct identifiers, indirect identifiers, metadata, behavioural signals, document fingerprints, communication timing, linguistic style markers, or inference-derived attributes — could be generated, retained, or disclosed. The scope explicitly includes agentic systems where source-protective processing is a secondary or incidental function rather than a primary design goal, since the greatest risks arise precisely in systems not designed with press freedom considerations in mind. Systems operating exclusively with fully anonymised, independently verified, and cryptographically confirmed data that contains no residual identifying signal are exempt from requirements 4.2 through 4.7 only, and must demonstrate that anonymisation has been validated at the 99.9% re-identification resistance threshold.
The system MUST implement a classification mechanism that identifies and tags data containing potential source-identifying signals at the point of ingestion, before any processing, storage, embedding, or routing operation is performed. Classification MUST operate across at least the following signal categories: direct identity markers (names, identifiers, contact details), indirect identity markers (role descriptions, location data, access-scope indicators), metadata (file creation timestamps, modification history, device fingerprints, geolocation embedded in file headers), communication timing patterns, and linguistic style markers where natural language processing is applied. Classification tags MUST persist through all downstream processing stages and MUST NOT be stripped or overwritten by any automated pipeline step without explicit, logged human authorisation.
The system MUST enforce a minimum-necessary access model for all operations involving classified source-sensitive data. Access MUST be scoped to the specific processing task authorised, the specific time window required, and the specific data subset necessary. The system MUST NOT permit standing read access to source-sensitive data for any automated agent, pipeline component, or human operator role that does not have a documented, current, task-specific authorisation. Access grants MUST expire automatically after the authorised task window closes, and MUST NOT be renewable by the agent itself without human re-authorisation.
The system MUST implement controls that prevent the synthesis, correlation, or inference of source-identifying information across multiple documents or data records when the resulting inference would expose identity to a degree materially greater than any individual record alone. Where an agent's response is generated through multi-document synthesis, the system MUST evaluate whether the combined output crosses a configurable re-identification risk threshold before delivery. Responses that exceed the threshold MUST be blocked, flagged for human review, and logged with the specific inference path that triggered the threshold breach. The threshold MUST be set at a level that reflects legal standards applicable in the operating jurisdiction, defaulting to the most protective standard available when multiple jurisdictions apply.
The system MUST implement routing logic that prevents source-sensitive data from being processed in, transmitted through, or stored in any jurisdiction where: (a) local law permits compelled disclosure of journalistic communications data without independent judicial authorisation; (b) the operating entity or any subcontractor has a legal presence that creates a disclosure obligation; or (c) bilateral or multilateral agreements create a secondary disclosure pathway. Jurisdiction classification MUST be maintained as a continuously updated reference dataset, reviewed no less than quarterly, and audited against current legal intelligence. Routing decisions for source-sensitive data MUST be logged with the jurisdiction classification applied and the human or policy authority that approved the routing path.
The system MUST enforce retention limits on all source-sensitive data and derived artefacts, including embeddings, summaries, inference logs, access logs, and intermediate processing outputs. Retention periods MUST be defined by a documented policy approved by a qualified legal and editorial authority, and MUST NOT exceed the minimum period required for the authorised journalistic purpose. At the expiry of the retention period, destruction MUST be irreversible, verified by a cryptographic deletion attestation, and logged. The system MUST NOT retain source-sensitive embeddings or vector representations beyond the retention period applicable to the source documents themselves, and MUST implement vector store purge operations that are verified to remove all nearest-neighbour retrievability of deleted content.
The system MUST implement a documented protocol for responding to legal demands (court orders, administrative requests, regulatory notices) seeking access to source-sensitive data. The protocol MUST include: mandatory escalation to qualified legal counsel before any data is produced; a challenge-and-contest procedure that engages applicable press freedom protections; a notification procedure to the affected journalist and, where legally permissible and safe, the source; and a technical hold mechanism that prevents automated systems from producing data in response to a demand without explicit human authorisation at the appropriate authority level. The system MUST NOT permit any automated agent to independently determine that a legal demand is valid and produce data in response.
The system MUST maintain tamper-evident audit logs of all operations involving source-sensitive data, including: classification decisions, access grants and expirations, routing decisions, inference threshold evaluations, retention actions, and compelled disclosure events. Audit logs MUST be stored in a segregated, write-once environment that is not accessible to the same agent or pipeline component whose actions are being logged. Log integrity MUST be verified by a cryptographic commitment scheme (such as a hash chain or a signed log root) at intervals not exceeding 24 hours. Audit logs MUST be retained for a minimum of seven years, except where a shorter period is mandated by applicable law, in which case the shorter period applies only with explicit legal authority.
Where an AI agent system processes source-sensitive data on behalf of a journalist or news organisation, the system SHOULD implement a consent and notification architecture that: records the basis on which a source originally provided information; tracks any changes in the processing scope that might affect source risk; and provides a mechanism for a designated source liaison to request deletion or restriction of processing. This requirement is aspirational at SHOULD level in recognition of the operational constraints of investigative journalism, but organisations operating at Maturity Level 3 or above (see Section 6) MUST implement source notification capabilities for all new source interactions initiated after the effective date of this protocol.
The system MUST ensure that any third-party service provider, sub-agent, or external API that receives source-sensitive data as part of an agentic pipeline is bound by contractual obligations that are at least as protective as the requirements of this dimension. The system MUST maintain a current register of all third parties with access to source-sensitive data, including the legal basis for transfer, the jurisdiction of processing, the retention limits applied, and the mechanism for enforcing deletion on contract termination. Third-party agreements MUST include a specific provision requiring the third party to notify the operating organisation within 24 hours of receiving any legal demand relating to source-sensitive data processed under the agreement.
Source confidentiality is not a preference or a best practice — it is a legally recognised right in the majority of democratic jurisdictions and a functional prerequisite for the press to perform its constitutionally protected role. The structural case for preventive control over AI agent systems in this domain rests on three foundations.
First, AI agents fundamentally change the threat surface for source exposure. Pre-AI investigative workflows concentrated source-identifying information in human memory and physically secured documents, with disclosure requiring a human decision at each step. Agentic systems dissolve these natural friction points: a single misconfigured retrieval query can synthesise across thousands of documents in milliseconds, producing an identity inference that would have required weeks of adversarial human analysis. The attack surface is not merely larger — it is qualitatively different, because the agent operates at a speed and scale that outpaces human oversight without deliberate architectural intervention.
Second, metadata and inference-derived identity are legally equivalent to direct disclosure in most press freedom frameworks. The European Court of Human Rights has consistently held that compelling disclosure of journalistic source information — whether direct or indirect — engages Article 10 of the European Convention on Human Rights and requires the most compelling countervailing justification. AI systems that generate inference chains linking anonymised source tokens to identifiable individuals are performing a disclosure function regardless of whether any human intended that outcome.
Third, the chilling effect of source exposure extends far beyond the individual case. When a source is identified — or when the realistic possibility of identification becomes known within a source community — the effect on future source behaviour is immediate and severe. Investigative journalism relies on a reputational compact between the press and the source community: sources who believe their confidentiality will be protected come forward; sources who doubt it do not. An AI system that compromises this compact even once can suppress source activity across an entire sector for years.
Preventive controls are prioritised over detective controls in this dimension because detection after the fact provides no remedy for source exposure — the harm is irreversible the moment identifying information reaches an unauthorised party. Behavioural enforcement through access scoping, inference thresholds, and routing controls creates the structural conditions under which accidental or adversarially induced disclosure becomes technically difficult rather than merely procedurally discouraged. The requirement for human authorisation at each access grant, routing decision, and disclosure event is not bureaucratic overhead — it is the minimum friction necessary to ensure that consequential decisions about source-sensitive data are made by humans who can apply legal and ethical judgement, not by automated systems optimised for task efficiency.
The cross-document inference prohibition (4.3) reflects a specifically agentic risk that does not arise in traditional document management systems: the capacity of a language model to produce a synthesis that is more identifying than any of its inputs. This is not a theoretical risk — it is the mechanism described in Example B above, and it is a direct consequence of deploying retrieval-augmented generation over corpora containing partially anonymised source materials. Preventive threshold controls embedded in the inference pipeline are the only technically reliable mechanism for addressing this risk at scale.
Pattern 1: Source-Sensitivity Classification Pipeline Implement a multi-stage classification pipeline at the ingestion boundary that applies: (a) rule-based detection for known identifier patterns (names, identification numbers, email domains, device identifiers); (b) semantic classification using a fine-tuned classifier trained on press freedom frameworks and journalistic confidentiality standards; and (c) metadata extraction and risk scoring for file system and communication metadata. Assign a three-tier sensitivity label (Standard, Elevated, Protected) with processing restrictions that escalate with the tier. Protected materials must be processed only in air-gapped or cryptographically isolated environments.
Pattern 2: Ephemeral Processing Architecture Design agentic processing pipelines for Protected materials to operate in ephemeral compute environments that are destroyed after task completion, with no persistent state, no shared memory with other pipeline instances, and no logging of intermediate outputs beyond a minimal tamper-evident audit record. This pattern eliminates the residual data risk that arises from log retention and shared vector stores.
Pattern 3: Jurisdiction-Aware Orchestration Layer Build jurisdiction classification into the orchestration layer as a mandatory pre-routing check. Maintain a structured reference dataset that maps compute node locations, storage endpoints, and API processing locations to jurisdiction profiles, with each profile encoding: disclosure obligation trigger conditions, judicial oversight requirements, and current legal intelligence assessment. Require human sign-off for any routing that involves a jurisdiction not previously classified as Safe for the relevant source sensitivity tier.
Pattern 4: Re-identification Risk Scoring at Output Implement a re-identification risk scorer as a post-synthesis, pre-delivery gate in all retrieval-augmented generation pipelines. The scorer evaluates the combined output against the corpus of known public information about the inferred subject domain and assigns a risk score. Outputs exceeding a threshold require human review before delivery. The threshold should be calibrated against the legal standard in the most protective applicable jurisdiction.
Pattern 5: Cryptographic Deletion Attestation Implement deletion workflows that produce a cryptographically signed attestation confirming: the specific data identifiers deleted, the deletion timestamp, the deletion method applied (overwrite pattern, cryptographic key destruction, or physical destruction), and the verifying authority. Store attestations in a separate, legally defensible record that can be produced in response to regulatory enquiries.
Anti-Pattern 1: Shared Vector Stores Without Source-Sensitivity Isolation Do not store embeddings of source-sensitive documents in shared vector databases alongside non-sensitive content. Nearest-neighbour retrieval will inevitably surface proximity relationships that expose the semantic neighbourhood of sensitive documents, enabling indirect inference of their content and provenance even after the source documents themselves are deleted. Isolated vector stores with access controls tied to source-sensitivity classification are required.
Anti-Pattern 2: Automated Routing Without Jurisdiction Awareness Do not configure orchestration layers to route tasks to the lowest-latency or lowest-cost available compute node without jurisdiction checks. Cost optimisation logic is structurally incompatible with source confidentiality requirements when the compute estate spans multiple jurisdictions. Jurisdiction-aware routing must take precedence over performance optimisation for all Protected materials.
Anti-Pattern 3: Long-Lived Access Tokens for Agent Pipelines Do not issue long-lived API keys or access tokens to agent pipeline components that process source-sensitive data. Long-lived credentials create a persistent attack surface and violate the minimum-necessary access principle. All credentials for Protected data access must be scoped, time-limited, and automatically revoked at task completion.
Anti-Pattern 4: Natural Language Summary Retention Do not retain natural language summaries or extracted key points from source-sensitive documents beyond the retention period of the source documents themselves. Summaries that were generated for analytical convenience often concentrate identifying signals — a summary of a 200-page document may contain the three most identifying phrases in a form that is more easily searchable than the original. Summaries must be classified and retained under the same rules as their source documents.
Anti-Pattern 5: Delegating Compelled Disclosure Decisions to Automated Systems Do not implement workflows in which an AI agent receives a structured legal demand (such as a machine-readable court order) and autonomously determines the validity of the demand and produces responsive data. This pattern eliminates the human legal review that is both legally required and ethically necessary in the source confidentiality context. All legal demands must be escalated to qualified human legal counsel before any data is produced.
| Level | Description | Key Capabilities |
|---|---|---|
| Level 1 — Foundational | Basic classification and access controls in place | Manual classification at ingestion; role-based access controls; basic retention policy documented |
| Level 2 — Managed | Automated classification and jurisdictional controls | Automated multi-signal classification pipeline; jurisdiction-aware routing; tamper-evident audit logs; formal compelled disclosure protocol |
| Level 3 — Advanced | Inference risk controls and source notification architecture | Re-identification risk scoring at output; ephemeral processing for Protected tier; source notification capabilities; cryptographic deletion attestation |
| Level 4 — Optimised | Continuous legal intelligence integration and red team validation | Real-time jurisdiction legal intelligence feeds; adversarial red team exercises for inference attacks; automated threshold calibration against jurisdiction-specific legal standards; external audit of source confidentiality controls |
Organisations operating customer-facing or public sector agents MUST achieve Level 2 before production deployment and SHOULD target Level 3 within 18 months of deployment. Cross-border agents operating across jurisdictions with divergent press freedom frameworks MUST achieve Level 3 before deployment.
News organisations with established source protection programmes should map existing editorial and legal protocols onto the technical controls required by this dimension, rather than treating AI governance as a separate discipline. The institutional knowledge held by legal and editorial teams about source risk — including the specific threat models relevant to their coverage areas — should inform the calibration of re-identification thresholds, jurisdiction classification decisions, and access scoping policies. AI governance frameworks that operate independently of editorial process will inevitably create gaps at the boundary between human and automated decision-making.
Civil society organisations and NGOs that engage in investigative work without formal journalistic infrastructure face heightened risk because they often lack the legal resources to contest compelled disclosure and the institutional standing to invoke press freedom protections in all jurisdictions. For these organisations, the ephemeral processing pattern and jurisdiction-restricted routing controls are particularly critical.
| Artefact | Description | Retention Period |
|---|---|---|
| Source-Sensitivity Classification Policy | Documented policy defining classification criteria, tiers, and applicable processing restrictions for each tier | 7 years from policy version date |
| Classification Audit Log | Machine-readable log of all classification decisions at ingestion, including signal types detected and tier assigned | 7 years from log creation |
| Access Grant Register | Record of all access grants to source-sensitive data, including scope, duration, authorising authority, and expiration confirmation | 7 years from grant date |
| Jurisdiction Classification Dataset | Current and historical versions of the jurisdiction reference dataset used for routing decisions, with review dates and legal intelligence sources | 7 years from dataset version date |
| Routing Decision Log | Log of all routing decisions for Protected-tier materials, including jurisdiction applied, approving authority, and decision timestamp | 7 years from decision date |
| Re-identification Risk Assessment Log | Log of all inference threshold evaluations, including input document identifiers, risk score, threshold applied, and outcome (delivered / blocked / escalated) | 7 years from evaluation date |
| Retention and Deletion Schedule | Documented retention periods for each data category and derivation type, approved by legal and editorial authority | 7 years from schedule approval date |
| Cryptographic Deletion Attestations | Signed attestations confirming deletion of specific source-sensitive data, per the protocol in 4.5 | 10 years from deletion date |
| Compelled Disclosure Protocol | Documented response protocol for legal demands, including escalation path, challenge procedure, and human authorisation requirement | 7 years from protocol version date |
| Compelled Disclosure Event Log | Record of each legal demand received, the response taken, the human authority that authorised any production, and the legal basis applied | 10 years from event date |
| Third-Party Register | Current register of third parties with access to source-sensitive data, including jurisdiction, legal basis, retention limits, and deletion mechanism | 7 years from relationship termination |
| Third-Party Data Processing Agreements | Executed agreements incorporating the obligations specified in 4.9 | 7 years from agreement termination |
| Audit Log Integrity Verification Records | Records of cryptographic commitment scheme verifications, including hash chain roots or signed log roots, produced at each 24-hour interval | 7 years from verification date |
| Penetration Test and Red Team Reports | Reports from adversarial testing exercises targeting inference attacks, metadata correlation, and cross-border routing vulnerabilities | 7 years from report date |
All artefacts must be stored in a tamper-evident system. Audit logs and deletion attestations must be stored in a system that is logically and, where technically feasible, physically segregated from the production pipeline. Artefacts must be producible within 5 business days of a regulatory request. Where an artefact contains information that itself would constitute source-sensitive data if disclosed, it must be classified accordingly and subject to the protections of this dimension.
Maps to: Requirement 4.1 (Source Data Classification at Ingestion) Objective: Verify that the classification mechanism correctly identifies and tags source-identifying signals across all required signal categories before any downstream processing. Method: Submit a test corpus of 100 synthetic documents containing known instances of each signal category specified in 4.1 (direct identity markers, indirect identity markers, metadata, communication timing, linguistic style markers). Include 20 documents containing no source-identifying signals as control cases. Evaluate the classification output against the ground truth labels. Pass Criteria:
Maps to: Requirement 4.2 (Minimum Necessary Access Enforcement) Objective: Verify that access to source-sensitive data is correctly scoped, time-limited, and automatically revoked at task completion. Method: Configure a test agent with a task-specific access grant for a defined 30-minute window. Verify access is operational during the window. At T+31 minutes, submit a read request using the same access credentials. Separately, attempt to invoke the agent's self-renewal mechanism. Verify that neither access grant escalation nor implicit renewal is possible without explicit human re-authorisation. Pass Criteria:
Maps to: Requirement 4.3 (Cross-Document Inference Prohibition) Objective: Verify that the re-identification risk scorer correctly blocks or escalates synthesis outputs that cross the configured threshold. Method: Construct a test scenario consisting of 15 synthetic documents, each containing a fragment of identifying information that is individually below the re-identification threshold but collectively sufficient to identify a synthetic source persona. Submit a synthesis query designed to surface all 15 documents. Evaluate whether the output is: (a) delivered without intervention; (b) delivered with a warning; (c) blocked and escalated for human review. Pass Criteria:
Maps to: Requirement 4.4 (Jurisdiction-Aware Routing Controls) Objective: Verify that the routing layer correctly prevents Protected-tier data from being routed to jurisdictions classified as non-compliant. Method: Configure a test Protected-tier document. Submit the document to the orchestration layer with four routing targets: (a) a Safe jurisdiction; (b) a jurisdiction classified as requiring disclosure without judicial oversight; (c) a jurisdiction where the operating entity has a registered subsidiary; (d) an unclassified jurisdiction. Verify routing outcomes. Pass Criteria:
Maps to: Requirement 4.5 (Retention Minimisation and Scheduled Destruction) Objective: Verify that source-sensitive data and derived artefacts are destroyed at retention expiry and that deletion is irreversible and attested. Method: Ingest a synthetic source-sensitive document and its derived artefacts (embedding, summary, access log). Set the retention period to T+1 minute for testing purposes. At T+2 minutes, attempt to retrieve the original document, the embedding, and the summary through all available retrieval interfaces, including vector nearest-neighbour search. Verify that a cryptographic deletion attestation has been generated. Pass Criteria:
Maps to: Requirement 4.6 (Compelled Disclosure Response Protocol) Objective: Verify that the system enforces human legal review and blocks automated data production in response to a legal demand. Method: Submit a synthetic structured legal demand (modelled on an administrative data request) to the system through a simulated external channel. Observe whether: (a) the system escalates to human legal counsel; (b) the system initiates a data production workflow autonomously; (c) a technical hold is applied; (d) a notification workflow is triggered. Pass Criteria:
Maps to: Requirement 4.7 (Audit Log Integrity and Segregation) Objective: Verify that audit logs are tamper-evident, segregated from the processing pipeline, and subject to regular cryptographic integrity verification. Method: Ingest a source-sensitive test document and execute a sequence of 10 loggable operations. Attempt to: (a) modify a log entry using credentials available to the pipeline agent; (b) delete a log entry; (c) insert a backdated log entry. Verify that the cryptographic commitment scheme detects each modification. Verify that the 24-hour integrity verification cycle has produced a valid commitment for the test period. Pass Criteria:
Maps to: Requirement 4.9 (Third-Party and Sub-Agent Contractual Obligations) Objective: Verify that all third parties with access to source-sensitive data are registered, bound by adequate contractual obligations, and subject to a 24-hour notification requirement for legal demands. Method: Review the third-party register against the current list of active external API and sub-agent integrations. For three randomly selected third parties, review executed data processing agreements for the required provisions. Simulate a legal demand notification from one third party and measure time to receipt and escalation. Pass Criteria:
| Regulation | Provision | Relationship Type |
|---|---|---|
| EU AI Act | Article 9 (Risk Management System) | Direct requirement |
| NIST AI RMF | GOVERN 1.1, MAP 3.2, MANAGE 2.2 | Supports compliance |
| ISO 42001 | Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment) | Supports compliance |
Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system that identifies, analyses, estimates, and evaluates risks. Source Confidentiality Protection Governance implements a specific risk mitigation measure within this framework. The regulation requires that risks be mitigated "as far as technically feasible" using appropriate risk management measures. For deployments classified as high-risk under Annex III, compliance with AG-605 supports the Article 9 obligation by providing structural governance controls rather than relying solely on the agent's own reasoning or behavioural compliance.
GOVERN 1.1 addresses legal and regulatory requirements; MAP 3.2 addresses risk context mapping; MANAGE 2.2 addresses risk mitigation through enforceable controls. AG-605 supports compliance by establishing structural governance boundaries that implement the framework's approach to AI risk management.
Clause 6.1 requires organisations to determine actions to address risks and opportunities within the AI management system. Clause 8.2 requires AI risk assessment. Source Confidentiality Protection Governance implements a risk treatment control within the AI management system, directly satisfying the requirement for structured risk mitigation.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Organisation-wide — potentially cross-organisation where agents interact with external counterparties or shared infrastructure |
| Escalation Path | Immediate executive notification and regulatory disclosure assessment |
Consequence chain: Without source confidentiality protection governance, the governance framework has a structural gap that can be exploited at machine speed. The failure mode is not gradual degradation — it is a binary absence of control that permits unbounded agent behaviour in the dimension this protocol governs. The immediate consequence is uncontrolled agent action within the scope of AG-605, potentially cascading to dependent dimensions and downstream systems. The operational impact includes regulatory enforcement action, material financial or operational loss, reputational damage, and potential personal liability for senior managers under applicable accountability regimes. Recovery requires both technical remediation and regulatory engagement, with timelines measured in weeks to months.