Policy Cards
Machine-readable governance for autonomous systems at runtime.
Policy Cards sit with the autonomous AI agent, and tell it what it must and must not do. They translate complex regulatory requirements and operational policies into language the AI can understand. They define escalation pathways, such as when human involvement is required. They align engineering teams, compliance functions, and AI agents on shared expectations.
The Governance Challenge
As AI agents gain autonomy, organizations face a critical control problem: how do you ensure agents respect policy boundaries without constant human oversight?
Compliance Officers
"We need to demonstrate that AI systems comply with regulations, but agents operate in black boxes."
- Regulatory audits require provable compliance
- Agent decisions lack traceable reasoning
- No structured way to encode policy rules in a way the AI understands
- Risk exposure grows with increased agent autonomy
Engineering Teams
"We want to build smarter agents, but we can't be sure they won't break important rules."
- Policy changes require code rewrites
- Governance logic gets mixed into core implementation code
- Innovation is punished by governance overhead for engineers
- Engineers worry they will be blamed if behaviour goes wrong
Business Leaders
"We want to scale AI safely, but we can't rely on guesswork around agent behaviour."
- Agent mistakes damage customer trust and brand reputation
- Lack of proactive governance stalls AI adoption
- No clear ownership of autonomous agent behavior
- Leadership carries liability for risks they cannot assess or control
What Are Policy Cards?
Policy Cards are structured, machine-readable documents that define how an autonomous AI agent is expected to behave. They express obligations, prohibitions, constraints, escalation rules, monitoring and evidence requirements in a format an agent can interpret at runtime.
1. Machine-Readable & Normative
Policies are defined as structured schemas (JSON), with explicit normative semantics and escalation triggers. Agents can interpret, check, and act on these requirements directly.
2. Bound to Agents
Each Policy Card attaches to a specific agent or system component. Thus, two agents with different Policy Cards will behave differently. Governance becomes part of the execution path rather than external documentation.
3. Standards-Aware & Auditable
Policy Cards are designed to systematically align with all relevant governance frameworks such as NIST AI RMF, ISO/IEC 42001, and the EU AI Act. They support evidence logging and traceability of all decisions at runtime.
4. Extensible Across Domains
The framework is designed for AI and autonomy from the ground up and is domain agnostic. Domain-specific ontologies, regulations, rules and constraints are supported (finance, healthcare, defence, etc.).
How Policy Cards Work
Policy Cards follow a three-stage lifecycle: organisations declare policy intent, agents execute against those policies, and behaviour is monitored, audited and improved over time.
Declare
Define the Policy Card for a given agent or workflow.
Domain experts, engineers, and governance teams encode rules, constraints, obligations, escalation pathways, and monitoring requirements.
The card is validated, versioned, approved, and registered.
Do
The card is deployed alongside the agent.
At runtime, the agent checks each intended action against the card to decide whether to allow, deny, or escalate, and to determine which logging or evidence obligations apply.
Audit
Evidence collected under the card is reviewed against the declared rules.
A live dashboard indicates live system compliance.
Violations, drifts, and threshold breaches can trigger investigation, rollback, retraining, or modification of the Policy Card.
Schema Structure
Each Policy Card is built from ten core components that together define the domain model, governance rules, obligations, and assurance pathways for the agent.
These components provide a structured way to operationalise any governance or regulatory framework. Requirements from standards such as the NIST AI RMF, ISO/IEC 42001, or the EU AI Act can be mapped directly into specific sections of the Policy Card and executed at runtime.
Policy Card
The Policy Card schema is implemented as open JSON Schema with automated validation tooling, enabling CI/CD integration, pre-deployment checks, and automated assurance workflows. For a complete view of all fields and relationships, see the full schema documentation.
Examples from High-Stakes Domains
Policy Cards have been developed for high-stakes domains where agent autonomy must be balanced with strict governance requirements, including multi-jurisdictional scenarios and rules of engagement. The examples below correspond to concrete Policy Cards in the public examples repository.
Retail Payments Agent
Single source of truth for autonomy and compliance
Policy Card governing an autonomous agent that prepares domestic retail payments, ensuring compliance with fraud controls, sanctions, and internal risk policies before the bank's core system releases funds.
Focus
- Sanctions, watchlist, and fraud checks must complete successfully before a payment can be initiated
- Transaction limits and heuristics adapt to customer risk profiles and payment context
- Suspicious or anomalous payments are escalated to human operations
Outcomes
- Bounded autonomy for routine payments, with clear rules for denial and escalation.
- A single, versioned source of truth that links the bank's risk appetite to every runtime decision, ready to show regulators and auditors.
- Structured, queryable evidence for each payment, instead of scattered logs and spreadsheets.
Clinical Triage Assistant (Non-Diagnostic)
Automation without crossing the diagnostic red line, with evidence.
Policy Card for an AI triage assistant that helps collect symptom information and prioritise cases in an emergency department sandbox, but is explicitly barred from diagnosing or prescribing.
Focus
- Explicit prohibition of diagnosis, prescribing, or treatment recommendations
- Mandatory escalation paths for red-flag symptoms, high uncertainty, or vulnerable patient groups
- Structured logging of triage suggestions, uncertainty signals, and clinician handovers
Outcomes
- Automation of intake and prioritisation with a hard, machine-enforced boundary on clinical responsibility.
- Clear, auditable handover points to human clinicians for high-risk or ambiguous cases.
- A single artefact hospital safety boards and regulators can review to understand how triage decisions were taken.
UAV ISR Mission Planner (Civil Infrastructure Protection)
Encoded rules of engagement + multi-jurisdiction trust
Policy Card governing a mission-planning agent for uncrewed aerial vehicles (UAVs) tasked with intelligence, surveillance, and reconnaissance over critical civilian infrastructure, under strict rules of engagement.
Focus
- Mission plans are constrained by no-fly zones, protective corridors, and coalition-specific rules of engagement; only ISR tasks are permitted
- Take-off, re-tasking, or changes that affect operational risk or legal posture require explicit human approval under the relevant ROE.
- Detectors and KPIs monitor corridor breaches, deconfliction issues, spoofing alerts, and time-to-approval SLAs.
- Jurisdiction and ROE tokens encoded in the card ensure that multi-nation or multi-agency missions respect each participant’s constraints.
Outcomes
- Agents can propose and adapt ISR missions while remaining inside the legal and ethical boundaries encoded in the card
- Cryptographically verifiable logs of approvals, sensor provenance, and mission changes for post-mission review.
- A concrete basis for trusted human-on-the-loop control and coalition operations, where each partner's rules of engagement are declared and enforced in a shared format.
Policy Cards Hub
Explore schemas, examples, documentation, and research: everything you need to design and deploy Policy Cards.
Who Benefits from Policy Cards?
Policy Cards create value by making governance explicit, shared, and executable. They allow different stakeholders, both human and non-human, to coordinate around the same operational rules, expressed in a form each can use.
AI Agents
Policy Cards give autonomous agents explicit knowledge of the rules, constraints, and expectations governing their operation.
- Agents become policy-aware, not just policy-constrained. This is a prerequisite for agentic accountability.
- Runtime decisions are taken with direct reference to declared obligations, limits, and escalation paths.
- In multi-agent or multi-jurisdiction settings, each agent carries its own declared governance context, enabling safe coordination.
Compliance & Risk Teams
Policy Cards provide a single, structured artefact for specifying and reviewing AI governance.
- High-level policies are translated into concrete, versioned constraints per system.
- Compliance evidence is generated as part of runtime behaviour, not assembled after the fact.
- Policy changes update schemas rather than code, reducing operational friction.
Engineering & Product Teams
Policy Cards separate governance concerns from application logic without slowing development.
- Engineers receive machine-readable constraints instead of ambiguous policy prose.
- Governance is integrated once via schema and tooling, not re-implemented per project.
- Validation, monitoring, and assurance become part of CI/CD and runtime operations.
Regulators & Standards Bodies
Policy Cards create a concrete interface between regulatory intent and system behaviour.
- Governance requirements are expressed in a standardised, inspectable format.
- System behaviour can be checked against declared rules continuously, not just at audit time.
- Shared schemas enable alignment across organisations, sectors, and jurisdictions.
Get Started with Policy Cards
Whether you're designing your first Policy Card or integrating governance into production systems, we support pragmatic engagement paths.
Why Adopt Policy Cards?
Autonomous systems need rules that are clear, inspectable, and enforceable at runtime. Policy Cards turn governance into a machine-readable artefact your teams can review, version, validate, and attach to deployments.
The result is governed autonomy without slowing delivery. Policy changes update the Policy Card, not the application code, while evidence and accountability are captured as part of operations.
Engagement Options
Discovery Workshop (90 minutes)
Map one real workflow to a first Policy Card. Identify operational constraints, obligations, KPIs, escalation paths, and evidence required at runtime.
Schema Design Sprint
Co-design a production-ready Policy Card for your domain, iterating from draft → validation → reviewable artefact.
Pilot Integration
Integrate Policy Card parsing + checks into one system. Add validation in CI/CD and runtime monitoring hooks.
Governance Advisory
Ongoing support as policies evolve: versioning strategy, assurance mapping, and operational change management.
Putting AI governance into practice
We work with teams to apply Policy Cards to real systems, starting small, validating assumptions, and expanding only where it adds value. Most engagements begin with a short workshop or a focused pilot, whichever is lowest friction for your team.