AG-777
Collective and Swarm Intelligence Governance
EU AI Act
NIST AI RMF
ISO 42001
Collective and Swarm Intelligence Governance addresses the emergent behaviours that arise when populations of agents interact, coordinate, and compete. Individual agents may each comply with their respective governance controls, yet the collective behaviour of the population may produce outcomes that no individual agent intended or that no individual governance control anticipated. AG-777 establishes controls for detecting, monitoring, and constraining emergent swarm-level behaviours that could cause systemic harm.
The dimension draws on complexity science and multi-agent systems theory. Emergent behaviours in agent populations include spontaneous coordination (agents independently converging on the same strategy), cascade effects (one agent's action triggering a chain reaction across the swarm), collective resource exhaustion (agents competing for shared resources until system degradation), and emergent deception (agents collectively producing misleading information without any individual agent intending to deceive). Each of these emergent modes requires distinct governance instrumentation.
AG-777 mandates population-level monitoring that operates above the individual agent level. While each agent maintains its own governance controls per other AGS dimensions, swarm governance requires an overlay monitor that observes aggregate population metrics: strategy correlation, resource consumption distribution, output diversity, and inter-agent communication patterns. When population-level metrics breach defined thresholds, the swarm governance system must intervene -- either by introducing diversity constraints, throttling inter-agent communication, or activating population-level circuit breakers.
The dimension also addresses the accountability challenge. When emergent behaviour causes harm, attributing responsibility to individual agents may be impossible or meaningless. AG-777 therefore establishes the concept of "population-level accountability," where the organisation deploying or coordinating the agent population bears governance responsibility for collective outcomes, regardless of individual agent compliance.
AG-777 further recognises that emergent behaviour is not inherently negative. Beneficial emergent properties -- such as distributed problem solving, collective resilience, and adaptive load balancing -- are desirable outcomes of well-designed multi-agent systems. The governance challenge is to distinguish beneficial emergence from harmful emergence in real time, and to constrain the latter without unnecessarily suppressing the former. The dimension therefore requires that population-level interventions be proportionate, graduated, and reversible, avoiding heavy-handed controls that would eliminate the collective intelligence advantages of multi-agent deployments.
This dimension applies to all AI agent deployments operating under the AGS framework where the governance controls specified in Section 4 are relevant to the agent's operational context. Specifically:
Exclusions: Agents operating in fully sandboxed research environments with no access to production data or systems are excluded, subject to the condition that any transition to production immediately triggers compliance with this dimension. Single-purpose read-only agents with no write access to external systems may be excluded where a documented risk assessment confirms that the governance controls specified here are not applicable to the agent's operational scope.
Financial Services. Agents operating in financial services face heightened regulatory scrutiny under MiFID II, DORA, and FCA SYSC requirements. The controls in this dimension support compliance with these frameworks and should be implemented at the most stringent level applicable to the agent's transaction authority.
Healthcare. Agents processing patient data or supporting clinical decisions must implement this dimension's controls in conjunction with HIPAA safeguards and applicable medical device regulations. The governance controls directly support the duty of care that healthcare organisations owe to patients.
Public Sector. Government agencies deploying agents that affect individual rights or public services must implement this dimension's controls to satisfy transparency, accountability, and judicial review requirements applicable to algorithmic decision-making in the public sector.
Collective and Swarm Intelligence Governance addresses a governance gap that, if left unmanaged, creates systemic risk across the agent ecosystem. As AI agents move from experimental deployments to production operations with real-world consequences, the absence of structural controls in this area means that failures scale with the speed and autonomy of the agent population — not at the pace of human review.
Traditional approaches to this governance challenge — contractual obligations, periodic audits, and application-layer policy enforcement — are necessary but insufficient for agentic contexts. Contractual obligations operate on legal timescales; agents operate on millisecond timescales. Periodic audits capture a snapshot; agent behaviour is continuous and dynamic. Application-layer enforcement can be bypassed through prompt injection, reasoning failure, or context manipulation. The AGS approach requires structural enforcement at the infrastructure layer — controls that operate independently of the agent's reasoning process and cannot be circumvented by the agent's own outputs.
The regulatory environment increasingly mandates the controls this dimension specifies. The EU AI Act requires risk management systems proportionate to identified risks. NIST AI RMF requires organisations to map, measure, and manage AI risks through enforceable controls. ISO 42001 requires an AI management system with documented operational procedures. This dimension operationalises these regulatory requirements into specific, testable, infrastructure-enforceable controls — bridging the gap between regulatory intent and technical implementation.
The consequences of absence are illustrated in Section 8 (Failure Scenarios). When this dimension is not implemented, the resulting governance gap permits agent behaviour that can cause material financial loss, regulatory enforcement action, reputational damage, and — in safety-critical deployments — physical harm. The blast radius scales with the agent's access scope and operational autonomy.
Basic Implementation — The organisation has documented policies addressing collective and swarm intelligence and has implemented initial controls. Implementation is primarily at the application layer with manual processes for monitoring and response. Logging covers key events but may lack full metadata. Coverage extends to the most critical agent deployments but may not encompass all in-scope systems. Staff are aware of requirements but formal training may be incomplete.
Intermediate Implementation — All Basic capabilities plus: controls are enforced at the infrastructure layer with automated monitoring and alerting. All MUST requirements from Section 4 are implemented with documented evidence. Coverage extends to all in-scope agent deployments. Audit trails are tamper-evident and retained per regulatory requirements. Formal change control governs all configuration changes. Regular review cycles are established and documented. Staff receive formal training and competency is assessed.
Advanced Implementation — All Intermediate capabilities plus: controls have been validated through independent adversarial testing. Real-time dashboards provide operational visibility into compliance status, anomaly detection, and response metrics. The organisation can demonstrate to regulators and counterparties that no known attack vector bypasses the governance controls. Continuous improvement processes incorporate lessons from incidents, testing, and regulatory developments. Integration with related dimensions provides defence-in-depth coverage.
Real-time monitoring with graduated alerting. Deploy monitoring infrastructure that evaluates governance compliance continuously rather than periodically. Implement graduated alert severity levels with defined response procedures for each level, ensuring that critical governance violations trigger immediate automated response.
Scheduled governance review cycle. Establish a formal review cadence (minimum quarterly) that examines governance effectiveness, reviews incident data, assesses emerging risks, and updates policies and controls accordingly. Review outcomes are documented and tracked.
Separation of governance and agent runtime domains. Deploy governance enforcement infrastructure in a security domain separate from the agent runtime. The agent cannot influence governance decisions, modify enforcement configuration, or access governance logs directly. This architectural separation is the foundation for infrastructure-layer enforcement.
Governance by instruction rather than infrastructure. Relying on agent system prompts or configuration files to enforce governance controls rather than infrastructure-layer enforcement. Instruction-based controls can be bypassed through prompt injection, context manipulation, or reasoning failure.
Monitoring without enforcement. Implementing detection and logging of governance violations without pre-execution blocking. By the time a violation is logged, the ungoverned action has already executed. Detection is necessary but not sufficient; prevention must be the primary control.
Manual processes for machine-speed operations. Relying on human review processes for governance decisions that occur at machine speed. Agents execute actions in milliseconds; governance controls that depend on human review cycles of hours or days leave gaps that scale with agent autonomy.
Objective: Verify that the population monitor detects strategy convergence above the threshold. Procedure: Configure 50 simulated agents to gradually converge on an identical strategy (correlation increasing from 0.3 to 0.9 over 200 decision cycles). Expected Result: Alert fires when correlation exceeds the defined threshold (e.g., 0.75). Pass Criteria: Alert fires before correlation reaches 0.80. Zero false negatives.
Objective: Confirm that inter-agent delegation cascades are limited to the maximum depth. Procedure: Trigger a task that naturally cascades through delegation. Set maximum depth to 5. Expected Result: Delegation terminates at depth 5. Depth-6 delegation requests are rejected with an explanatory error. Pass Criteria: Zero delegations beyond depth 5. Error message logged for all rejected depth-6 attempts.
Objective: Test graduated response when resource consumption threshold is breached. Procedure: Simulate 100 agents increasing API consumption until aggregate reaches 85% of capacity (threshold: 80%). Expected Result: Circuit breaker activates. Tier-2 and tier-3 agents rate-limited. Aggregate consumption drops below 80%. Pass Criteria: Consumption returns to below threshold within 10 minutes. Tier-1 agents unaffected.
Objective: Verify that emergent collective outcomes are logged with population-level attribution. Procedure: Trigger an emergent event (e.g., correlated output) that does not violate any individual agent's controls but breaches a population-level threshold. Expected Result: Event logged with population-level attribution, including contributing agent IDs, aggregate metrics, and organisational accountability assignment. Pass Criteria: Log entry complete. No attribution gaps.
Objective: Validate the semi-annual swarm stress simulation process. Procedure: Execute a full stress simulation with 500 simulated agents under 3 stress scenarios (market crash, API outage, adversarial injection). Expected Result: Simulation completes. Emergent risks identified and documented. Governance controls validated or gaps flagged. Pass Criteria: Simulation report produced. All identified gaps assigned remediation owners.
| Evidence ID | Description | Collection Frequency | Retention Period |
|---|---|---|---|
| AG777-E01 | Population-level monitoring dashboards and threshold configs | Continuous | 5 years |
| AG777-E02 | Strategy correlation breach alerts and circuit breaker logs | Per event | 7 years |
| AG777-E03 | Resource consumption aggregate metrics | Hourly | 3 years |
| AG777-E04 | Cascade depth violation logs | Per event | 5 years |
| AG777-E05 | Swarm governance stress simulation reports | Semi-annually | 5 years |
| AG777-E06 | Population diversity metric time series | Daily | 3 years |
| AG777-E07 | Population-level accountability assignment records | Per event | 7 years |
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No collective and swarm intelligence governance exists. The organisation has no controls, policies, or monitoring in place for the capabilities this dimension governs. Agent behaviour in this area is ungoverned. |
| 1 | Basic | Basic controls exist but are enforced at the application layer — dependent on correct implementation rather than structural guarantees. Coverage may be partial. Configuration is not governed through formal change control. Logging exists but may lack full metadata. |
| 2 | Infrastructure-layer enforcement | Controls are enforced at the infrastructure layer, independent of the agent's reasoning process or instruction set. All requirements are structurally enforced with no application-layer bypass path. Full audit trail with tamper-evident logging. Configuration is governed through formal change control. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities are in place and have been validated through independent adversarial testing. An independent party has attempted to bypass, circumvent, or degrade the governance controls using known attack techniques relevant to this dimension and has failed. Test results are documented, reproducible, and available for regulatory review. |
A quantitative hedge fund operates 150 Financial-Value Agents, each independently managing a USD 20 million sub-portfolio (total AUM: USD 3 billion). Each agent runs a distinct variant of a statistical arbitrage strategy, and individually each complies with AG-774 market impact controls. However, AG-777's population-level monitor detects that 83 of the 150 agents (55.3%) have independently converged on a short position in European utility sector ETFs, with aggregate short exposure reaching EUR 1.1 billion. The strategy correlation coefficient across the 83 agents is 0.92 (threshold: 0.75). The population-level circuit breaker activates: (1) new short positions in the correlated sector are frozen for all 150 agents, (2) the 83 correlated agents are assigned diversity constraints requiring them to reduce sector concentration by at least 30% within 4 trading hours, (3) the fund's risk committee receives an automated alert with a swarm correlation heatmap. Over the next 4 hours, aggregate utility sector short exposure reduces from EUR 1.1 billion to EUR 410 million. Two days later, a European Commission energy policy announcement causes utility stocks to surge 7.2%. The fund's loss is EUR 29.5 million -- substantial but far less than the estimated EUR 79.2 million loss that would have occurred without the intervention.
An enterprise operates 2,800 agents across its technology stack, all sharing a common set of internal APIs and databases. AG-777's resource consumption monitor detects an emergent pattern: 340 agents have independently increased their query frequency to the customer data API by an average of 280% over a 45-minute window, triggered by a cascading chain of inter-agent task delegations related to a quarterly reporting deadline. Aggregate API throughput reaches 94% of capacity (threshold: 80%). The swarm governance system initiates a graduated response: (1) agents are prioritised by business criticality, with tier-1 agents maintaining full access, (2) tier-2 agents are rate-limited to 50% of their current query rate, (3) tier-3 agents are queued with a 30-second delay. The API returns to 62% utilisation within 8 minutes. No service outage occurs, and all quarterly reporting tasks complete within the business deadline. Post-event analysis reveals that the cascade originated from a single agent delegating a data-enrichment task to 12 peer agents, each of which delegated further sub-tasks, creating a geometric expansion of API calls.
| Regulation | Provision | Relationship Type |
|---|---|---|
| # | Framework / Standard | _Pending v2.1 editorial review_ |
| ---- | ----------------------------------- | _Pending v2.1 editorial review_ |
| 1 | METR | _Pending v2.1 editorial review_ |
| 2 | EU AI Act | _Pending v2.1 editorial review_ |
| 3 | OWASP Agentic Security | _Pending v2.1 editorial review_ |
| 4 | UK AISI | _Pending v2.1 editorial review_ |
| 5 | NIST AI RMF | _Pending v2.1 editorial review_ |
| 6 | Financial Stability Board | _Pending v2.1 editorial review_ |
| 7 | BIS | _Pending v2.1 editorial review_ |
| 8 | IEEE 7000-2021 | _Pending v2.1 editorial review_ |
| 9 | ISO/IEC 23894:2023 | _Pending v2.1 editorial review_ |
| 10 | Santa Fe Institute | _Pending v2.1 editorial review_ |
| 11 | DORA | _Pending v2.1 editorial review_ |
| 12 | FCA | _Pending v2.1 editorial review_ |
| 13 | ESMA | _Pending v2.1 editorial review_ |
| 14 | CFTC | _Pending v2.1 editorial review_ |
| 15 | OECD AI Principles | _Pending v2.1 editorial review_ |
| 16 | NIST CSF 2.0 | _Pending v2.1 editorial review_ |
This dimension supports compliance with the following ISO/IEC 42001:2023 clauses: Clause 6.1, Clause 8.2, Clause 9.1. These clauses address the AI management system requirements that this dimension operationalises.
| Dimension | Name | Relationship |
|---|---|---|
| AG-774 | Autonomous Financial Market Impact Governance | Systemic risk from correlated trading agents |
| AG-775 | Agent Succession and Failover Governance | Swarm continuity when population members fail |
| AG-776 | Neuromorphic and Non-Transformer Architecture Gov. | Neuromorphic agents in swarm configurations |
| AG-780 | Decentralised and Blockchain-Native Agent Gov. | DAO-coordinated agent swarms |
| AG-770 | Agentic Identity and Credential Lifecycle Gov. | Identity management for large agent populations |
| AG-778 | Human-Agent Relationship Boundary Governance | Collective manipulation through coordinated agents |