This dimension governs the detection, attribution, and escalation of coordinated inauthentic behaviour (CIB) when AI agents are implicated either as instruments of orchestration, as targets of manipulation, or as detection infrastructure within information ecosystems. CIB — the use of fake accounts, synthetic personas, astroturfed content networks, or automated amplification systems to distort public discourse — represents one of the highest-severity misuse classes for language-capable agents, because such agents can dramatically lower the operational cost of running influence operations at scale while simultaneously evading traditional heuristic-based detection. Failure in this dimension results not merely in platform abuse or regulatory exposure but in measurable harm to democratic deliberation, public health communication, electoral integrity, and the informational rights of individuals across multiple jurisdictions simultaneously.
Scenario A — Synthetic Persona Network on a Public Comment Platform
A government regulatory agency deploys a customer-facing AI agent to gather public comment on proposed environmental legislation. Over a 14-day consultation window, the agent receives 47,200 submissions. Post-close analysis reveals that 31,400 of those submissions — 66.5% of the total corpus — were generated by a coordinated network of 812 synthetic personas, each using a distinct email domain, varied writing style, and geographically dispersed IP routing through residential proxy pools. The submissions clustered around three specific objection templates with surface-level paraphrasing. The agency's AI agent, which was tasked with summarising thematic response patterns for the policy team, had no CIB detection capability and faithfully summarised the synthetic majority as genuine public sentiment. The resulting policy brief misrepresented public support ratios by approximately 4:1. The error was identified only when an independent journalist cross-referenced submission metadata against known proxy infrastructure — 11 weeks after the consultation closed and 3 weeks after the policy brief had been distributed to legislators.
Scenario B — Coordinated Amplification of Synthetic Health Misinformation
A cross-border health information agent, operated by a regional public health authority and accessible in six languages, is integrated with a social media listening module that surfaces trending health topics for triage. Over a 72-hour window during a disease outbreak, the listening module ingests a coordinated campaign in which 2,300 accounts — later traced to two infrastructure clusters registered in different jurisdictions — post semantically varied but thematically identical claims attributing the outbreak to a specific vaccine batch. The AI agent, operating without CIB signal weighting, classifies the claims as "high-volume public concern requiring formal response" and generates an official-looking advisory draft for human review that inadvertently legitimises the false premise by engaging with it substantively. The draft is approved by an under-resourced human reviewer, published, and subsequently amplified by 18,000 authentic users who interpret the official engagement as implicit confirmation. Retraction occurs 9 hours later, but the original post achieves 2.4 million impressions before removal. Two independent public health surveys conducted 6 weeks later detect a statistically significant 11-point drop in vaccine confidence in the affected region.
Scenario C — Agent-to-Agent Manipulation in a Multi-Agent Content Moderation Pipeline
A large online publishing platform operates a three-stage AI content moderation pipeline: a triage agent, a policy classification agent, and an escalation-routing agent. Adversarial operators discover that the triage agent can be manipulated by submitting content in coordinated bursts that trigger volume-based de-prioritisation rules, causing flagged content to age out of the review queue before human moderators receive it. Over 18 days, a network of 4,100 coordinated accounts exploits this timing vulnerability to publish and amplify 9,200 posts containing incitement language. The policy classification agent processes only 1,840 of these posts — 20% — before queue expiration, and the escalation-routing agent routes none for priority human review because no individual post meets single-item severity thresholds. The coordination pattern is invisible to each agent operating in isolation. The campaign is attributed retrospectively after a real-world incident is linked to the content by law enforcement investigators, at which point the platform faces regulatory inquiry in three jurisdictions for failure to enforce its own content policies.
This dimension applies to any AI agent that: (a) processes, summarises, classifies, ranks, or responds to user-generated content at scale; (b) operates within an information ecosystem where synthetic or coordinated content could materially affect the outputs the agent produces or disseminates; (c) functions as a component of a content moderation, public consultation, social listening, or civic engagement pipeline; or (d) operates in a multi-agent architecture where peer agents could be compromised by or co-opted into coordinated inauthentic operations. The dimension applies regardless of whether the agent itself generates content, and regardless of whether the agent is the primary target of the CIB campaign or merely a processing node through which coordinated content flows. Scope exclusions: single-user personal assistant agents with no cross-user aggregation function are out of scope unless they feed into a shared knowledge base or response corpus accessible to other users or systems.
4.1.1 The agent deployment MUST implement a CIB signal detection layer that operates on behavioural, temporal, and semantic dimensions simultaneously rather than on any single signal in isolation.
4.1.2 The detection layer MUST evaluate, at minimum, the following signal categories: (a) temporal clustering — statistically anomalous submission or engagement rate patterns within configurable time windows; (b) semantic near-duplication — cosine similarity or equivalent distance measures applied across content batches to identify coordinated paraphrasing at rates exceeding configurable thresholds; (c) infrastructure correlation — shared or proximate network identifiers, device fingerprints, or account registration patterns indicative of non-organic origin; (d) behavioural velocity — account or session activity rates inconsistent with human operational cadence.
4.1.3 The agent MUST assign a CIB suspicion score to each content batch or session cluster it processes at scale, and that score MUST be surfaced within the agent's internal reasoning state before any aggregation, summarisation, or policy output is generated.
4.1.4 Where a CIB suspicion score exceeds a deployment-defined critical threshold, the agent MUST NOT proceed to generate downstream outputs that treat the suspicious content as representative of authentic population sentiment without explicit, logged human override.
4.1.5 The agent MUST be capable of receiving updated CIB signal definitions — including new behavioural indicators, updated threshold parameters, and revised infrastructure blocklists — without requiring full redeployment, and the mechanism for applying such updates MUST itself be authenticated and audited.
4.2.1 When the agent detects a CIB suspicion score above the notification threshold, it MUST generate a structured attribution report identifying the cluster boundaries, the signals triggering detection, the volume and proportion of affected content, and the time window of observed activity.
4.2.2 The attribution report MUST be machine-readable in a documented schema and MUST be retained in a tamper-evident log store meeting the requirements of AG-312.
4.2.3 The agent MUST support cross-session and cross-channel cluster linkage, enabling attribution reports from separate processing runs to be merged into unified campaign-level records where shared infrastructure or behavioural signatures are detected.
4.2.4 Attribution reports MUST distinguish between confirmed CIB, probable CIB (meeting threshold but lacking full corroboration), and suspected anomaly (below threshold but above baseline deviation). Each classification MUST carry a documented confidence interval.
4.2.5 The agent SHOULD NOT expose raw attribution data — including infrastructure indicators or account-level identifiers — to end users or unauthenticated API consumers, given the dual-use potential of such data for counter-detection by adversarial operators.
4.3.1 The agent MUST implement output quarantine logic that prevents content tagged with a CIB suspicion score above the critical threshold from being included in aggregated outputs, public-facing summaries, training data pipelines, or policy recommendation artifacts without sanitisation and explicit human review.
4.3.2 Where an agent's primary function is summarisation or thematic analysis of large content corpora, it MUST apply CIB-weighted sampling logic that downweights or excludes clusters meeting CIB criteria before constructing representative summaries.
4.3.3 Any output document that has been generated from a corpus in which CIB content was identified MUST carry a structured provenance flag indicating: (a) that CIB signals were detected during processing; (b) the proportion of the corpus subject to CIB suspicion; (c) the disposition of that content — excluded, downweighted, or included under override; and (d) the identity and timestamp of any human reviewer who approved inclusion under override.
4.3.4 The agent MUST maintain a clean/contaminated corpus separation log for each processing run, enabling retrospective audit of which outputs were generated from potentially inauthentic inputs.
4.4.1 The agent deployment MUST define and document a CIB escalation pathway specifying the roles, notification channels, response time obligations, and decision authorities activated when CIB detection thresholds are breached.
4.4.2 The escalation pathway MUST include at minimum one human decision point before any agent-generated output derived from a high-CIB-suspicion corpus is published, distributed, or used as input to a consequential downstream process.
4.4.3 The agent MUST generate a human-readable summary of detected CIB signals in plain language accessible to a non-technical reviewer, alongside the technical attribution report, to ensure oversight decisions are not made exclusively on the basis of opaque scores.
4.4.4 Human overrides of CIB quarantine decisions MUST be logged with the reviewer's identity, their stated rationale, and a timestamp, and these logs MUST be included in periodic governance reporting.
4.4.5 The deployment MUST conduct human-in-the-loop simulation exercises at minimum once per calendar quarter to verify that escalation pathways remain functional, that reviewers understand their obligations, and that override logs are being generated and retained correctly.
4.5.1 In deployments where the agent operates as a component within a multi-agent pipeline, it MUST propagate CIB suspicion scores and flags downstream to all consuming agents and MUST NOT strip or suppress this metadata during inter-agent communication.
4.5.2 Consuming agents within the same pipeline MUST accept and honour upstream CIB flags and MUST treat flagged content in accordance with their own output integrity rules under 4.3 without requiring the flag to be re-derived independently.
4.5.3 The deployment MUST implement cross-agent temporal coordination monitoring capable of detecting the pattern described in Section 3 Scenario C — coordinated volume manipulation designed to exhaust queue capacity or trigger de-prioritisation rules — across the pipeline as a whole rather than at individual agent nodes.
4.5.4 Each agent in a CIB-relevant pipeline MUST maintain an independent audit log of CIB signals received, processed, and forwarded, enabling forensic reconstruction of how a coordinated campaign traversed the pipeline in the event of a post-incident investigation.
4.5.5 Inter-agent CIB flag transmission MUST occur over authenticated, integrity-protected channels in conformance with AG-034, and flag injection or suppression attacks MUST be treated as a security incident class equivalent in severity to the CIB events the flags represent.
4.6.1 For agents operating across multiple jurisdictions, the deployment MUST maintain a jurisdiction-specific CIB reporting obligations register documenting the legal instruments, competent authorities, mandatory notification timelines, and data localisation constraints applicable in each territory of operation.
4.6.2 Where a detected CIB campaign spans jurisdictions, the agent's attribution report MUST include a jurisdictional scope assessment, and the escalation pathway MUST route to all relevant national or regional authorities within their respective notification windows.
4.6.3 The agent MUST NOT export raw attribution data — including network infrastructure identifiers and account-level signals — to jurisdictions where such export would violate applicable data protection law, and the CIB signal processing architecture MUST support data residency constraints at the infrastructure level, not merely at the application layer.
4.6.4 The deployment MUST document and test the cross-border notification workflow at least annually, including a dry-run notification exercise to each competent authority with whom a mandatory reporting relationship exists.
4.7.1 The CIB detection layer MUST be evaluated for adversarial robustness at minimum once every six months, using red-team exercises that simulate current evasion techniques including low-and-slow coordination patterns, stylometric diversity injection, and infrastructure rotation strategies.
4.7.2 Red-team findings MUST be documented in a structured findings report, assigned a remediation priority, and tracked to closure within defined SLAs proportionate to finding severity.
4.7.3 The detection layer MUST be evaluated on false positive and false negative rates across demographic and linguistic subgroups to identify and mitigate disparate detection accuracy that could result in disproportionate suppression of authentic content from particular communities.
4.7.4 Threshold parameters governing CIB signal scoring MUST be reviewed and recalibrated at least quarterly against current threat intelligence, and each recalibration event MUST be logged with the rationale and the identity of the approving authority.
4.7.5 The agent deployment SHOULD participate in or subscribe to a threat intelligence sharing arrangement — such as an industry consortium, national cybersecurity authority feed, or electoral integrity partnership — to receive timely updates on emerging CIB infrastructure and tactics, and MUST document its intelligence sourcing in the governance record.
4.8.1 Operators of agents governed by this dimension who operate public-facing platforms MUST publish, at minimum annually, a CIB transparency report disclosing: (a) the number of CIB campaigns detected during the reporting period; (b) the aggregate volume of content actioned; (c) the categories of CIB pattern identified; (d) enforcement outcomes; and (e) material changes to detection methodology.
4.8.2 Transparency reports MUST NOT include information that would provide operational guidance to adversarial actors — specifically, they MUST NOT disclose specific detection thresholds, signal weights, or infrastructure blocklist entries.
4.8.3 Where an agent's CIB detection has been implicated in a significant public incident — defined as a campaign affecting more than 100,000 authentic users or touching electoral, public health, or national security subject matter — the operator MUST produce an incident-specific public disclosure within 30 days of campaign attribution, subject to applicable law enforcement holds.
4.9.1 Every deployment governed by this dimension MUST designate a named individual or accountable role as CIB Governance Owner with documented authority to approve threshold changes, authorise escalations, commission red-team exercises, and sign transparency reports.
4.9.2 The CIB Governance Owner MUST conduct a formal governance review at minimum every six months, producing a written review record covering detection performance, human oversight effectiveness, threat landscape evolution, and outstanding remediation items.
4.9.3 The governance review record MUST be retained for a minimum of five years and MUST be producible to regulatory authorities on request within 72 hours.
Coordinated inauthentic behaviour occupies a category of harm where preventive controls — content filters, rate limits, account verification — are necessary but fundamentally insufficient as a complete defence posture. The adversarial dynamic in this domain is rapid and adaptive: operators of influence campaigns continuously probe and adjust to platform defences, exploit newly registered infrastructure, and exploit the stylistic flexibility of large language models to evade surface-level content classifiers. Detective controls fill the gap by shifting the detection frame from individual content items — which are increasingly indistinguishable from authentic content at the item level — to the behavioural and network patterns that coordination produces across populations of items, accounts, and time windows. No single piece of coordinated content need be technically detectable in isolation; the coordination itself becomes the signal.
General platform CIB controls were designed for human-scale content flows and binary account-level enforcement. AI agents introduce three categories of novel risk that existing controls do not address. First, agents operating as summarisation or policy-advisory functions can launder the effects of a CIB campaign into authoritative-seeming outputs even when the underlying campaign content is eventually detected and removed — the output persists after the inputs are purged. Second, agents operating as detection infrastructure can themselves be targeted by volume-manipulation attacks designed to exploit their processing architectures rather than their content classifiers. Third, multi-agent pipelines create inter-agent trust surfaces where CIB metadata can be stripped, suppressed, or fabricated in transit, requiring integrity controls on agent-to-agent communication that have no analogue in traditional platform architectures.
The requirements in Section 4 reflect a deliberate split between structural mandates — architecture requirements that must be present regardless of whether a CIB event occurs — and behavioural mandates that govern how the agent acts when CIB signals are detected. Structural mandates under 4.1, 4.2, 4.5, and 4.6 ensure that detection capability exists and is maintained before any campaign arrives. Behavioural mandates under 4.3, 4.4, and 4.8 govern the response once signals are present. This split is necessary because post-hoc retrofitting of detection capability after a campaign has been discovered — the pattern observed in multiple real-world platform failures — systematically produces inferior outcomes: the detection gap coincides with the maximum-impact phase of the campaign, and retrospective attribution, while valuable for enforcement, cannot undo the influence effects already achieved. Governance must be prospective and structural, not reactive and remedial.
The elevated tier classification for this dimension reflects the asymmetric harm profile of CIB failures in democratic and rights-sensitive contexts. Unlike most AI governance failures, which produce harms that are proportionate to the scale of deployment, CIB failures in high-stakes information environments can produce outsized, path-dependent harms: a public consultation poisoned by synthetic submissions may produce a policy that persists for years; a health disinformation campaign amplified by a public health agent may depress vaccination rates for months; an electoral influence operation left undetected may affect vote outcomes that cannot be rerun. The irreversibility and cascading nature of these harms justifies governance requirements that are more demanding than those applied to comparable-scale commercial deployments.
Pattern 1 — Layered Signal Fusion Architecture Implement CIB detection as a signal fusion layer rather than a single classifier. Maintain separate detection modules for temporal anomaly, semantic clustering, infrastructure correlation, and behavioural velocity, each producing independent sub-scores. Fuse sub-scores through an ensemble model that can be recalibrated independently per signal dimension as the threat landscape evolves. This architecture prevents a single adversarial adaptation — e.g., increasing stylometric diversity — from defeating the entire detection system, since other signal dimensions remain operational.
Pattern 2 — Corpus Segmentation Before Aggregation For agents performing summarisation or thematic analysis, implement corpus segmentation as a preprocessing step that occurs before any downstream analysis begins. Divide the corpus into CIB-flagged and clean partitions. Generate two parallel analyses: one on the clean corpus and one on the full corpus. Present the divergence between these analyses to human reviewers as the primary CIB impact assessment. This pattern preserves analytical utility while surfacing the distortion effect of coordinated content transparently.
Pattern 3 — Immutable CIB Metadata Propagation Design inter-agent communication schemas to include a CIB metadata envelope that is cryptographically signed at origin and cannot be stripped or modified in transit without detection. Consuming agents verify signature integrity before processing CIB metadata. Treat signature verification failure as a security alert equivalent in priority to a CIB detection event, since flag suppression and CIB itself may be components of the same adversarial operation.
Pattern 4 — Canary Account Infrastructure Maintain a population of synthetic monitoring accounts — canary accounts — with characteristics that make them plausible targets for inclusion in coordinated networks: demographically typical profiles, moderate engagement histories, realistic posting patterns. Monitor these accounts for unsolicited contact from coordination infrastructure. Canary account activation provides early-warning signals independent of content analysis and is particularly effective against low-and-slow coordination strategies that evade velocity-based detection.
Pattern 5 — Red-Team as Continuous Programme Structure red-team exercises not as periodic point-in-time assessments but as a continuous programme with a standing red team that operates against the live detection system on a scheduled but unpredictable cadence. This approach simulates the adversarial reality that influence operators probe platform defences continuously rather than on a schedule. Findings from continuous red-teaming feed directly into the threshold recalibration cycle required under 4.7.4.
Pattern 6 — Jurisdictional Detection Profile Stratification Where an agent operates across multiple jurisdictions, maintain jurisdiction-specific detection profiles that reflect local legal definitions of CIB (which vary materially between, for example, EU Digital Services Act obligations and US first-amendment-constrained equivalents), local threat actor intelligence, and local language/cultural models for authentic organic content. A detection threshold calibrated on English-language Western European content will systematically misclassify authentic coordinated civic activity in cultural contexts where coordination norms differ.
Anti-Pattern 1 — Single-Signal Detection Relying exclusively on semantic near-duplication (copy-paste detection) as the CIB signal will fail against any adversary using paraphrasing tools, which are now trivially accessible. Single-signal detection architectures provide a false sense of security and perform significantly worse against the coordinated campaigns most likely to affect high-stakes deployments.
Anti-Pattern 2 — Post-Aggregation Flagging Detecting CIB after an aggregation or summarisation step has already been performed does not protect output integrity. At that point, the agent has already incorporated coordinated content into its reasoning state. Detection must occur upstream of any aggregation function, not downstream.
Anti-Pattern 3 — Threshold Secrecy as Primary Defence Treating detection threshold values as the primary security mechanism — and avoiding disclosure solely to prevent adversarial calibration — creates a false dependency on obscurity. Adversaries with sufficient resources will empirically probe thresholds regardless of disclosure policy. The primary defence must be signal diversity and architectural robustness; threshold confidentiality is a secondary measure only.
Anti-Pattern 4 — Treating CIB as a Content Moderation Function Routing CIB detection outputs through standard content moderation queues — designed for individual item review — is architecturally inappropriate for campaign-level threats. CIB campaigns are typically designed to exceed the throughput of individual review queues. Campaign-level CIB requires a parallel, bulk-action escalation pathway with authority to act on entire clusters, not individual items.
Anti-Pattern 5 — Ignoring the Agent-as-Instrument Risk Governance programmes that focus exclusively on the agent as a CIB detection tool, without addressing the risk that the agent's own outputs could be weaponised as part of a CIB campaign (e.g., generated content used to seed a persona network), produce an incomplete control posture. Output provenance controls under AG-108 must be integrated with CIB detection governance.
Anti-Pattern 6 — Opaque Override Logging Allowing human reviewers to override CIB quarantine with free-text or unstructured rationale fields creates governance records that cannot be systematically analysed, audited, or used to identify systematic override bias. Override logging must be structured, standardised, and machine-readable.
| Maturity Level | Characteristics |
|---|---|
| Level 1 — Ad Hoc | No dedicated CIB detection capability. CIB identified only through external reports or post-incident investigation. No structured escalation pathway. |
| Level 2 — Reactive | Basic velocity and duplication detection in place. Manual escalation process. No corpus segmentation before aggregation. Detection thresholds set once and not recalibrated. |
| Level 3 — Managed | Multi-signal fusion detection operational. Structured escalation pathway with documented roles. Attribution reports generated. Quarterly threshold recalibration. Human override logging in place. |
| Level 4 — Proactive | Continuous red-team programme. Canary account monitoring. Cross-agent CIB metadata propagation with integrity protection. Jurisdictional detection profile stratification. Annual transparency reporting. |
| Level 5 — Adaptive | Threat intelligence integration with industry or government partners. Machine-assisted campaign linkage across reporting periods. Fully automated detection-to-quarantine pipeline with audited human override at consequential decision points. Demonstrated recalibration responsiveness within 48 hours of new threat intelligence. |
Deployments at Tier High-Risk/Critical are expected to achieve Level 4 as a baseline compliance posture and SHOULD target Level 5 within 24 months of initial deployment.
| Artefact | Description | Minimum Retention |
|---|---|---|
| CIB Detection Architecture Specification | Documented description of all signal dimensions, fusion methodology, threshold parameters, and update mechanisms | Duration of deployment + 5 years |
| CIB Suspicion Score Logs | Machine-readable logs of all CIB suspicion scores generated per processing run, including signal sub-scores and ensemble output | 5 years |
| Attribution Reports | All structured attribution reports generated at or above the notification threshold, including cluster boundaries, signal triggers, volume, and confidence intervals | 7 years |
| Output Provenance Flags | Records of all outputs generated from corpora in which CIB content was detected, including disposition of flagged content | 5 years |
| Human Override Logs | Structured logs of all CIB quarantine override decisions including reviewer identity, rationale, and timestamp | 7 years |
| Escalation Pathway Documentation | Current and historical versions of the CIB escalation pathway with role assignments and notification timelines | Duration of deployment + 5 years |
| Red-Team Exercise Reports | Structured findings reports from all red-team exercises, including remediation tracking records | 5 years |
| Threshold Recalibration Records | Logs of all threshold recalibration events with rationale and approving authority | 5 years |
| Quarterly Simulation Exercise Records | Records of human-in-the-loop simulation exercises including scenarios tested, participants, and findings | 3 years |
| Transparency Reports | Published CIB transparency reports | 10 years |
| Governance Review Records | Biannual governance review records signed by CIB Governance Owner | 5 years |
| Jurisdiction-Specific Obligations Register | Current and historical versions of the jurisdiction-specific CIB reporting obligations register | Duration of deployment + 5 years |
| Threat Intelligence Sourcing Documentation | Records of intelligence sharing arrangements and feed subscriptions | 3 years |
All logs listed in Section 7.1 that contain CIB detection records, attribution data, or override decisions MUST be stored in a tamper-evident system meeting the requirements of AG-312. Log integrity verification checksums MUST be generated at write time and verifiable on retrieval. Chain of custody documentation MUST be maintainable for all artefacts that may be subject to regulatory or law enforcement request.
Attribution reports and CIB suspicion score logs containing infrastructure indicators or account-level identifiers MUST be access-controlled to a defined list of authorised roles. Access to these records MUST be logged. Production of these records to third parties — including regulators and law enforcement — MUST be documented with the legal basis, recipient, scope, and date of production.
Maps to: 4.1.1, 4.1.2 Test Type: Technical functional test Procedure: Inject a synthetic test corpus consisting of four distinct CIB signal profiles — (a) high temporal clustering with low semantic similarity; (b) high semantic similarity with distributed temporal pattern; (c) infrastructure correlation without semantic similarity; (d) all three signals simultaneously — into the agent's input pipeline. Verify that the detection layer produces a non-zero CIB suspicion score for each profile, that sub-scores are generated for each signal dimension independently, and that the ensemble score reflects the combination of active signals. Pass Criteria: All four profiles produce detection events with signal-dimension sub-scores attributable to the correct dimensions. No profile is entirely undetected. Conformance Scoring:
Maps to: 4.1.4, 4.3.1, 4.3.2 Test Type: Technical functional test with output inspection Procedure: Inject a test corpus where 45% of content meets the critical CIB threshold. Instruct the agent to generate a thematic summary of the corpus. Inspect the generated output for: (a) evidence that CIB-flagged content was excluded or downweighted before summarisation; (b) presence of provenance flag on the output document; (c) absence of an unauthorised bypass of quarantine logic. Pass Criteria: Output reflects only the clean corpus segment (or a documented clean/contaminated blend under human override); provenance flag is present and accurate; no quarantine bypass is detectable. Conformance Scoring:
Maps to: 4.2.1, 4.2.2, 4.2.4 Test Type: Process and documentation audit Procedure: Trigger a detection event at the notification threshold using a synthetic test campaign. Retrieve the generated attribution report. Verify: (a) report is machine-readable in a documented schema; (b) report includes cluster boundaries, triggering signals, volume, proportion, time window, and confidence interval; (c) report is stored in the tamper-evident log store; (d) CIB classification (confirmed / probable / suspected anomaly) is present. Pass Criteria: All four verification checks pass; report schema is documented and version-controlled. Conformance Scoring:
Maps to: 4.4.4, 4.3.3 Test Type: Process test with log audit Procedure: Execute five simulated CIB quarantine override scenarios using test reviewers. After each override, retrieve the override log entry. Verify: (a) reviewer identity recorded; (b) stated rationale recorded in structured fields; (c) timestamp recorded; (d) output provenance flag updated to reflect override status. Pass Criteria: All five override events produce complete log entries meeting all four verification criteria. Conformance Scoring:
Maps to: 4.5.1, 4.5.2, 4.5.5 Test Type: Integration test across multi-agent pipeline Procedure: In a test pipeline consisting of at minimum
| Regulation | Provision | Relationship Type |
|---|---|---|
| EU AI Act | Article 9 (Risk Management System) | Direct requirement |
| NIST AI RMF | GOVERN 1.1, MAP 3.2, MANAGE 2.2 | Supports compliance |
| ISO 42001 | Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment) | Supports compliance |
Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system that identifies, analyses, estimates, and evaluates risks. Coordinated Inauthentic Behaviour Detection Governance implements a specific risk mitigation measure within this framework. The regulation requires that risks be mitigated "as far as technically feasible" using appropriate risk management measures. For deployments classified as high-risk under Annex III, compliance with AG-606 supports the Article 9 obligation by providing structural governance controls rather than relying solely on the agent's own reasoning or behavioural compliance.
GOVERN 1.1 addresses legal and regulatory requirements; MAP 3.2 addresses risk context mapping; MANAGE 2.2 addresses risk mitigation through enforceable controls. AG-606 supports compliance by establishing structural governance boundaries that implement the framework's approach to AI risk management.
Clause 6.1 requires organisations to determine actions to address risks and opportunities within the AI management system. Clause 8.2 requires AI risk assessment. Coordinated Inauthentic Behaviour Detection Governance implements a risk treatment control within the AI management system, directly satisfying the requirement for structured risk mitigation.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Organisation-wide — potentially cross-organisation where agents interact with external counterparties or shared infrastructure |
| Escalation Path | Immediate executive notification and regulatory disclosure assessment |
Consequence chain: Without coordinated inauthentic behaviour detection governance, the governance framework has a structural gap that can be exploited at machine speed. The failure mode is not gradual degradation — it is a binary absence of control that permits unbounded agent behaviour in the dimension this protocol governs. The immediate consequence is uncontrolled agent action within the scope of AG-606, potentially cascading to dependent dimensions and downstream systems. The operational impact includes regulatory enforcement action, material financial or operational loss, reputational damage, and potential personal liability for senior managers under applicable accountability regimes. Recovery requires both technical remediation and regulatory engagement, with timelines measured in weeks to months.