Compute and Hardware Governance

Infrastructure, Platform & Network ~6 min read AGS v2.1 · 2026-06-06

EU AI Act NIST AI RMF ISO 42001

AGS Frontier Autonomy (Group K) | Infrastructure, Platform & Network | Version 3.0

1. Definition

Compute and Hardware Governance governs infrastructure-level controls over the compute on which frontier agents are trained and run — compute metering and authorisation, multi-party sign-off for large-scale runs, customer due diligence ("know-your-customer") for frontier-scale compute, location attestation, and, where available, hardware-level off-switch/licensing mechanisms.

This dimension situates frontier-agent safety in the substrate: compute is the one input that is physical, countable, and chokepointed, making it a uniquely enforceable governance layer that complements model- and deployment-level controls.

2. Scope

In scope: compute metering/allowances tied to authorisation; multi-party authorisation for frontier-scale training; KYC for large compute provision; location/integrity attestation of compute; use of hardware-enabled governance mechanisms where available.

Out of scope: export-control/sanctions compliance of the *actions* an agent takes (AG-236 and related) and ordinary cloud security. This dimension governs *governance of the compute substrate itself*.

3. Why This Matters

Model- and deployment-level controls can be bypassed by a determined actor with access to compute; the compute layer is harder to evade and is increasingly the focus of frontier-safety and international-governance proposals. Metering, multi-party authorisation, KYC-for-compute, and hardware off-switches give an organisation (and, ultimately, oversight bodies) a substrate-level brake on the training and operation of the most capable systems.

4. Requirements

R1: Frontier-scale training and operation MUST run on authorised, inventoried compute; the organisation MUST know which compute resources are capable of frontier-scale work and who can access them.
R2: Initiation of a frontier-scale training run MUST require multi-party authorisation (a "two-person rule"), with the authorisation recorded.
R3: Providers of frontier-scale compute MUST apply customer due diligence (identity, beneficial ownership, intended use) before granting access (KYC-for-compute), proportionate to scale.
R4: Compute usage SHOULD be metered against authorised allowances, with usage beyond authorisation flagged and gated.
R5: Where hardware-enabled mechanisms are available (location attestation, license-gated operation, off-switches, integrity attestation), the organisation SHOULD adopt them for the highest-risk systems and MUST document the decision where it does not.
R6: The compute supply chain for frontier systems MUST be subject to integrity and provenance controls (chain-of-custody) to detect unauthorised diversion or aggregation.
R7: Compute-governance controls MUST integrate with the organisation's halt/pause commitments (AG-827) — a halt MUST be enforceable at the compute layer for the highest-risk systems.
R8: Compute-governance posture and any frontier-scale authorisations SHOULD be disclosable to relevant authorities for systemic-risk systems.

5. Maturity Model

Basic: Frontier-capable compute is inventoried and access-controlled; large runs are authorised.
Intermediate: Multi-party authorisation for frontier-scale runs, KYC-for-compute proportionate to scale, metering against allowances, and supply-chain integrity controls.
Advanced: Hardware-enabled mechanisms for the highest-risk systems, compute-layer halt enforcement, and authority-disclosable posture.

6. Test Criteria

Test 6.1: Multi-Party Authorisation

Stimulus: Attempt to initiate a frontier-scale training run with a single approver.
Expected: The run requires recorded multi-party authorisation.
Fail: A single party can launch a frontier-scale run.

Test 6.2: KYC-for-Compute

Stimulus: Review onboarding for a large-compute customer/internal team.
Expected: Identity, ownership, and intended-use due diligence proportionate to scale was performed.
Fail: Frontier-scale compute granted without due diligence.

Test 6.3: Compute-Layer Halt

Stimulus: Invoke a halt commitment for a highest-risk system.
Expected: The halt is enforceable at the compute layer (the system cannot simply continue).
Fail: The halt cannot be enforced at the substrate.

7. Scoring

Score	Criteria
0	No compute-level governance of frontier systems
1	Compute inventoried/access-controlled but no multi-party authorisation or KYC
2	Multi-party authorisation, KYC-for-compute, metering, supply-chain integrity
3	Hardware-enabled mechanisms, compute-layer halt enforcement, authority-disclosable posture

8. Failure Scenarios

Scenario A — Unilateral Frontier Run: A single engineer launches a frontier-scale training run that should have required organisational sign-off. A two-person rule at the compute layer would have required recorded multi-party authorisation.

Scenario B — Anonymous Compute: Frontier-scale compute is provisioned to a customer with no due diligence; it is used to train a dangerous-capability model outside any governance. KYC-for-compute would have surfaced the risk.

Scenario C — Unenforceable Halt: Leadership invokes a halt, but the training continues on compute the governance layer cannot actually stop. Compute-layer halt enforcement would have made the stop real.

9. Regulatory Mapping

Requirement	EU AI Act	NIST AI RMF	ISO 42001
R1: Inventoried, authorised frontier compute	Art. 51 — Systemic-risk classification	GOVERN 1.6 — AI system inventory	A.4 — Resources for AI systems
R2: Multi-party authorisation for large runs	Art. 55 — Risk mitigation	GOVERN 2.1 — Accountability	Clause 8.1 — Operational control
R3: KYC-for-compute	Art. 55 — Systemic-risk governance	GOVERN 6.1 — Third-party risk	A.4 — Resources for AI systems
R4: Compute metering against allowances	Art. 55 — Risk mitigation	MEASURE 2.4 — Production monitoring	Clause 9.1 — Monitoring and measurement
R5: Hardware-enabled mechanisms	Art. 15 — Cybersecurity	MEASURE 2.7 — Security and resilience	A.4 — Resources for AI systems
R6: Supply-chain integrity/provenance	Art. 15 — Cybersecurity	GOVERN 6.1 — Third-party risk	A.4 — Resources for AI systems
R7: Compute-layer halt enforcement	Art. 55 — Risk mitigation	MANAGE 2.4 — Deactivation	Clause 8.1 — Operational control
R8: Authority-disclosable posture	Art. 55 — Reporting	GOVERN 4.3 — Information sharing	—

EU AI Act — Article 55 and Article 51

Articles 51 and 55 classify and govern systemic-risk models partly via compute thresholds; compute governance is the substrate-level enforcement of those obligations — multi-party authorisation, KYC, and halt enforceability.

NIST AI RMF — GOVERN 1.6, MANAGE 2.4

GOVERN 1.6 (inventory) and MANAGE 2.4 (deactivation) extend to the compute substrate: knowing and being able to stop the hardware on which frontier systems run.

ISO 42001 — Clause 8.1, A.4

Clause 8.1 (operational control) and Annex A.4 (resources for AI systems — including compute) require governing the compute resources frontier agents depend on.

AG-827 (Pre-Committed Halt and Pause Conditions) — compute governance makes halts enforceable
AG-807 (Agent Compute and Cost Budget) — runtime resource budgeting; AG-828 is substrate governance
AG-801 (Capability-Threshold Gating) — compute thresholds inform capability tiers
AG-236 (Export Control and Sanctions Compliance) — distinct: governs the agent's actions, not the substrate
AG-070 (Emergency Kill Switch) — compute-layer enforcement of the stop

Cite this protocol

AgentGoverning. (2026). AG-828: Compute and Hardware Governance. The Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-828

← Previous

AG-827

Pre Committed Halt And Pause Conditions

Next Protocol →

AG-829

Goal Drift Measurement And Re Grounding