AI Controls
AI controls are the engineering mechanisms that turn policy into practice. Governance defines what must be true. Compliance verifies that it is true. Controls are the machinery that makes it true. For autonomous and ambient AI agents, controls bound a structural attack surface rather than close it, because the surface is the value the system was built to deliver. The work is to make the surface auditable, attributable, constrained, and recoverable when exploited.
The Controls pillar covers eight engineering disciplines that combine to produce operational AI agent security. Each has its own dedicated treatment; this page is the overview that locates the disciplines relative to each other.
The Eight Control Disciplines
Identity & Cryptographic Attestation is the foundational control. Every other control depends on knowing what is acting. The discipline covers hardware roots of trust, device identity, model identity, agent instance identity, operator and user identity, and action authorization, with the cryptographic primitives that bind these layers together.
Behavioral Envelopes bound what agents can do at an enforcement layer outside the model, one the agent's reasoning cannot reach and therefore cannot be talked out of. The discipline covers physical envelopes (speed, force, geofence), action envelopes (transaction limits, allowed actions), content envelopes (output filters), permission envelopes (resource scope), temporal envelopes (operating hours), and compositional envelopes (action sequences). The defining property is that envelopes hold when training-based defenses fail, because they are checked by code that does not consult the model before deciding.
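As an added example (not code from 137AI or from any product the page describes), the gate below enforces action, permission, temporal, content and compositional envelopes on actions an agent proposes. Every name, limit and action in it is a constructed assumption. The point it makes is structural: the gate never reads the model's reasoning, so a prompt injection that convinces the agent a $5,000 transfer is fine changes nothing about whether the transfer executes.

```python
"""Behavioral envelope gate: a deterministic policy layer between an agent's
proposed actions and their execution. Constructed example; the envelope
values, action names and resources are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional


@dataclass
class Action:
    name: str                    # e.g. "transfer", "send_email"
    resource: str = ""           # e.g. "acct:ops-budget", "mailto:vendor@example.com"
    amount: float = 0.0          # transaction amount, if any
    output: str = ""             # text the agent wants to emit, if any


@dataclass
class Envelope:
    """Limits fixed by the operator; nothing the agent says can widen them."""
    allowed_actions: frozenset          # action envelope
    max_amount: float                   # action envelope (transaction limit)
    resource_prefixes: tuple            # permission envelope (resource scope)
    operating_hours: tuple              # temporal envelope: (start, end) local time
    blocked_output_markers: tuple       # content envelope
    forbidden_sequences: tuple          # compositional envelope: (earlier, later) pairs


@dataclass
class EnvelopeGate:
    envelope: Envelope
    history: list = field(default_factory=list)   # actions that actually executed

    def check(self, action: Action, now: datetime) -> Optional[str]:
        """Return None if the action is inside every envelope, else the reason."""
        env = self.envelope
        if action.name not in env.allowed_actions:
            return f"action envelope: {action.name} not allowed"
        if action.amount > env.max_amount:
            return f"action envelope: amount {action.amount} exceeds {env.max_amount}"
        if action.resource and not action.resource.startswith(env.resource_prefixes):
            return f"permission envelope: {action.resource} out of scope"
        start, end = env.operating_hours
        if not (start <= now.time() < end):
            return "temporal envelope: outside operating hours"
        for marker in env.blocked_output_markers:
            if marker in action.output:
                return f"content envelope: output contains {marker!r}"
        seen = {a.name for a in self.history}
        for earlier, later in env.forbidden_sequences:
            if action.name == later and earlier in seen:
                return f"compositional envelope: {earlier} then {later} is forbidden"
        return None

    def execute(self, action: Action, now: datetime) -> Optional[str]:
        """Record the action as executed only if the gate allows it."""
        reason = self.check(action, now)
        if reason is None:
            self.history.append(action)
        return reason


def demo() -> dict:
    """Run a hypothetical sequence of agent-proposed actions through one gate."""
    env = Envelope(
        allowed_actions=frozenset({"read_ticket", "transfer", "send_email"}),
        max_amount=500.0,
        resource_prefixes=("acct:ops-", "ticket:", "mailto:"),
        operating_hours=(time(8, 0), time(18, 0)),
        blocked_output_markers=("BEGIN PRIVATE KEY", "ssn="),
        # reading internal ticket data and then emailing is an exfiltration shape
        forbidden_sequences=(("read_ticket", "send_email"),),
    )
    gate = EnvelopeGate(env)
    now = datetime(2024, 5, 6, 10, 30)
    steps = {
        "in_scope_transfer": Action("transfer", "acct:ops-budget", amount=120.0),
        "over_limit": Action("transfer", "acct:ops-budget", amount=5000.0),
        "out_of_scope": Action("transfer", "acct:payroll", amount=10.0),
        "leaky_output": Action("send_email", "mailto:vendor@example.com", output="ssn=123-45-6789"),
        "read_ticket": Action("read_ticket", "ticket:4411"),
        "exfil_email": Action("send_email", "mailto:vendor@example.com", output="ticket summary"),
    }
    results = {name: gate.execute(a, now) for name, a in steps.items()}
    results["after_hours"] = gate.check(Action("read_ticket", "ticket:4411"),
                                        datetime(2024, 5, 6, 23, 0))
    return results


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:20s} {'ALLOW' if reason is None else 'DENY: ' + reason}")
```

The compositional check is the one most often missing in practice: each of "read an internal ticket" and "send an email" is individually in scope, and only the sequence is the problem, so the gate has to keep the history of what actually executed rather than judge each action in isolation.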
Monitoring & Anomaly Detection catches what prevention misses. The discipline covers what to monitor across agent layers, the detection approaches (rule-based, statistical, ML-based, behavioral, reputation-based), the signal-to-noise problem, fleet-level visibility for coordinated patterns, and the privacy tension that monitoring infrastructure must navigate.
Human Oversight maintains human authority over agent operation through deliberate engineering and organizational design. The discipline covers in-the-loop, on-the-loop, and over-the-loop patterns; the scale tension that bounds what oversight is operationally feasible; and the structural distinction between real and nominal oversight.
Access Control & Permissions defines what agents can reach. The discipline covers the agent-as-principal question, delegated authority through the agency chain, tool-use authorization, the permission inflation problem, time and task-bounded access, and emerging agent-specific protocols including Model Context Protocol.
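The identity paragraph above says every other control depends on knowing what is acting, and the access control paragraph names delegated authority through the agency chain and time- and task-bounded access. The added example below (not code from 137AI or from any protocol the page mentions) ties the two together: an operator issues a signed grant to an agent instance, the agent sub-delegates a narrower grant to a tool, and the tool gateway verifies the whole chain. Grants can only shrink scope and shorten expiry as they move down the chain. HMAC with a single shared key stands in for the asymmetric, hardware-rooted signatures a real deployment would use, and all principals, keys and scopes are constructed.

```python
"""Delegated authority as a chain of signed grants that can only narrow.
Constructed example; HMAC with one shared key is a stand-in for asymmetric
signatures backed by a hardware root of trust."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

ISSUER_KEY = b"constructed-demo-key"   # hypothetical; never hard-code real keys


@dataclass(frozen=True)
class Grant:
    issuer: str        # who delegates, e.g. "operator:alice" or "agent:planner-7"
    subject: str       # who receives, e.g. "agent:planner-7" or "tool:ledger"
    actions: tuple     # allowed actions; must be a subset of the parent's
    resources: tuple   # allowed resource prefixes; each must extend a parent prefix
    expires: float     # unix time; must not exceed the parent's
    parent: str        # hex digest of the parent grant, "" for the root


def digest(grant: Grant) -> str:
    body = json.dumps(asdict(grant), sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def sign(grant: Grant, key: bytes) -> str:
    return hmac.new(key, digest(grant).encode(), hashlib.sha256).hexdigest()


def verify_chain(chain: List[Tuple[Grant, str]], key: bytes, trusted_roots: set,
                 action: str, resource: str, now: float) -> Optional[str]:
    """Walk root -> leaf. Return None if every link is signed, unexpired and
    no wider than its parent, and the leaf authorizes (action, resource);
    otherwise return the first reason for refusal."""
    if not chain:
        return "empty chain"
    parent = None
    for i, (grant, mac) in enumerate(chain):
        if not hmac.compare_digest(mac, sign(grant, key)):
            return f"link {i}: bad signature"
        if now >= grant.expires:
            return f"link {i}: expired"
        if parent is None:
            if grant.parent != "":
                return "link 0: root must have no parent"
            if grant.issuer not in trusted_roots:
                return f"link 0: issuer {grant.issuer} is not a trusted root"
        else:
            if grant.parent != digest(parent):
                return f"link {i}: parent digest mismatch"
            if grant.issuer != parent.subject:
                return f"link {i}: issuer is not the parent's subject"
            if not set(grant.actions) <= set(parent.actions):
                return f"link {i}: actions widened"
            if not all(r.startswith(parent.resources) for r in grant.resources):
                return f"link {i}: resources widened"
            if grant.expires > parent.expires:
                return f"link {i}: expiry extended"
        parent = grant
    leaf = parent
    if action not in leaf.actions or not resource.startswith(leaf.resources):
        return "leaf grant does not authorize this action"
    return None


def demo() -> dict:
    """Constructed chain: operator -> planner agent -> ledger tool."""
    now = 1_700_000_000.0
    trusted = {"operator:alice"}
    root = Grant("operator:alice", "agent:planner-7", ("read", "transfer"),
                 ("acct:ops-",), now + 3600, "")
    sub = Grant("agent:planner-7", "tool:ledger", ("transfer",),
                ("acct:ops-budget",), now + 600, digest(root))
    widened = Grant("agent:planner-7", "tool:ledger", ("transfer", "delete"),
                    ("acct:ops-budget",), now + 600, digest(root))
    rogue_root = Grant("agent:rogue", "tool:ledger", ("transfer",),
                       ("acct:",), now + 600, "")
    good = [(root, sign(root, ISSUER_KEY)), (sub, sign(sub, ISSUER_KEY))]
    return {
        "ok": verify_chain(good, ISSUER_KEY, trusted, "transfer", "acct:ops-budget", now),
        "out_of_scope": verify_chain(good, ISSUER_KEY, trusted, "transfer", "acct:ops-travel", now),
        "expired": verify_chain(good, ISSUER_KEY, trusted, "transfer", "acct:ops-budget", now + 700),
        "widened": verify_chain([good[0], (widened, sign(widened, ISSUER_KEY))],
                                ISSUER_KEY, trusted, "delete", "acct:ops-budget", now),
        "forged": verify_chain([good[0], (sub, "00" * 32)],
                               ISSUER_KEY, trusted, "transfer", "acct:ops-budget", now),
        "untrusted_root": verify_chain([(rogue_root, sign(rogue_root, ISSUER_KEY))],
                                       ISSUER_KEY, trusted, "transfer", "acct:ops-budget", now),
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:15s} {'ALLOW' if reason is None else 'DENY: ' + reason}")
```

Two details carry the security argument. The sub-grant expires after ten minutes even though the operator's grant lasts an hour, which is the task-bounded access the paragraph describes; and the tool sees the full chain, so the permission inflation problem (an agent quietly accumulating authority it was never delegated) becomes a verifiable "actions widened" failure rather than an audit finding months later.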
Telemetry Integrity Controls bound the risk that data feeding agents has been tampered with. The discipline covers cryptographic attestation across the data flow, validation at each pipeline stage, cross-validation across sources, physical-model consistency checks, anomaly detection on telemetry, and tamper-evident logging.
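Three of the mechanisms listed above lend themselves to a compact demonstration: tamper-evident logging, cross-validation across sources, and a physical-model consistency check. The example below is added here and is not code from 137AI or from any telemetry product. The readings are constructed (two redundant level sensors on one tank, sampled every ten seconds), and the pump rate used as the physical limit is a made-up parameter.

```python
"""Telemetry integrity checks for readings that feed an agent: a hash-chained
tamper-evident log, cross-validation of redundant sources, and a physical-model
rate-of-change check. Constructed example with hypothetical sensor data."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Reading:
    ts: int        # seconds since start of the window
    source: str    # sensor id
    value: float   # tank level in metres


class ChainedLog:
    """Append-only log where each entry's hash covers the previous hash, so
    altering or deleting any earlier entry breaks every link after it."""

    def __init__(self):
        self.entries = []   # list of (reading, prev_hash, hash)

    @staticmethod
    def _hash(reading: Reading, prev_hash: str) -> str:
        body = json.dumps([reading.ts, reading.source, reading.value, prev_hash]).encode()
        return hashlib.sha256(body).hexdigest()

    def append(self, reading: Reading) -> None:
        prev = self.entries[-1][2] if self.entries else "0" * 64
        self.entries.append((reading, prev, self._hash(reading, prev)))

    def verify(self) -> Optional[int]:
        """Return the index of the first entry whose link fails, or None."""
        prev = "0" * 64
        for i, (reading, recorded_prev, h) in enumerate(self.entries):
            if recorded_prev != prev or h != self._hash(reading, prev):
                return i
            prev = h
        return None


def rate_of_change_violations(readings: List[Reading], max_rate: float) -> List[Reading]:
    """Flag readings whose change from the previous reading of the same source
    implies a rate the physical process cannot produce (metres per second)."""
    flagged, last = [], {}
    for r in sorted(readings, key=lambda r: (r.source, r.ts)):
        prev = last.get(r.source)
        if prev is not None and r.ts > prev.ts:
            if abs(r.value - prev.value) / (r.ts - prev.ts) > max_rate:
                flagged.append(r)
        last[r.source] = r
    return flagged


def cross_validate(a: List[Reading], b: List[Reading], tolerance: float) -> List[int]:
    """Pair readings from two redundant sources by timestamp and return the
    timestamps at which they disagree by more than the tolerance."""
    b_by_ts = {r.ts: r.value for r in b}
    return [r.ts for r in a if r.ts in b_by_ts and abs(r.value - b_by_ts[r.ts]) > tolerance]


def demo() -> dict:
    # Constructed readings: sensor A carries an injected spike at t=30.
    sensor_a = [Reading(0, "lvl-a", 2.00), Reading(10, "lvl-a", 2.05),
                Reading(20, "lvl-a", 2.10), Reading(30, "lvl-a", 4.50),
                Reading(40, "lvl-a", 2.20)]
    sensor_b = [Reading(0, "lvl-b", 2.01), Reading(10, "lvl-b", 2.06),
                Reading(20, "lvl-b", 2.11), Reading(30, "lvl-b", 2.16),
                Reading(40, "lvl-b", 2.21)]
    # A 2.4 m rise in 10 s is impossible if the pump fills at most 0.02 m/s (assumed).
    rate_flags = [r.ts for r in rate_of_change_violations(sensor_a + sensor_b, max_rate=0.02)]
    cross_flags = cross_validate(sensor_a, sensor_b, tolerance=0.05)

    log = ChainedLog()
    for r in sensor_a + sensor_b:
        log.append(r)
    chain_ok = log.verify()
    # Someone later edits a stored value to hide the spike; the chain exposes it.
    log.entries[3][0].value = 2.15
    tampered_at = log.verify()
    return {"chain_ok": chain_ok, "tampered_at": tampered_at,
            "rate_flags": rate_flags, "cross_flags": cross_flags}


if __name__ == "__main__":
    print(demo())
```

The three checks catch different attackers. The hash chain catches whoever edits the record after the fact but cannot re-sign the whole tail; the physical-model check catches a forged live value that no sensor fault could plausibly produce; and cross-validation catches a compromise of one sensor or one ingestion path when the redundant one is intact. None of them catches an attacker who controls every source and the log at once, which is the case that pushes the discipline toward attestation at the sensor itself.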
Consent & Capture Controls address what personal and ambient AI agents capture and who consented to that capture. The discipline covers the captured-population problem, indicator and disclosure design, capture scope minimization, retention controls, local-only versus cloud processing, consent record management, withdrawal mechanisms, and special category controls for children, biometrics, and health data.
OT/ICS Integration Controls bound how AI agents interact with operational technology and industrial control systems. The discipline covers the Purdue model boundary architecture, one-way versus bidirectional integration patterns, safety integrity level considerations, real-time operation requirements, AI-specific OT threats, and integration with sector-specific frameworks including NERC CIP, AWIA, TSA pipeline directives, and ISA/IEC 62443.
How the Disciplines Combine
The disciplines combine across the prevention, detection, and oversight layers of agent operation. Identity provides the foundation that all other controls depend on. Behavioral envelopes and access control operate at the prevention layer, bounding what agents can do and reach. Monitoring operates at the detection layer, catching what prevention misses. Human oversight is the human authority that acts on what detection surfaces. Telemetry integrity controls and consent and capture controls operate across the data flow around the agent: the first on the data coming in, the second on what the agent captures from the people around it. OT/ICS integration controls address the specific deployment context where agents reach operational technology environments.
No single discipline is sufficient. Operators deploy them in combination, with the specific architecture shaped by the agent category, the deployment context, and the regulatory framework that applies. Maturity varies substantially across operators and sectors, with established sectors including aviation, financial services, and medical devices providing more developed reference patterns than emerging consumer AI categories.
The Reframe
Controls are where AI governance becomes engineering practice. The disciplines covered here are not theoretical; they are deployed in production AI agent systems across sectors with varying maturity. The work of building and maintaining adequate controls infrastructure is one of the substantive engineering projects the agentic AI era requires, and the integration of controls with governance frameworks and compliance machinery determines whether autonomous and ambient AI agents can operate at scale without compounding individual risks into structural failure.
Related Coverage
Governance | Compliance & Conformity | Risks & Management | Security & Trust