Policy Cards: Machine-Readable Runtime Governance for Autonomous AI Agents

Juraj Mavračić

TL;DR

This work introduces Policy Cards as a machine-readable, deployment-layer governance artifact that binds autonomous AI agents to explicit, auditable constraints. By formalizing a JSON Schema-based representation of operational rules, obligations, and evidentiary requirements, the approach enables automatic validation, versioned stewardship, and integration with runtime enforcement and continuous auditing. The authors provide a validation toolchain, a crosswalk to NIST AI RMF, ISO/IEC 42001, and the EU AI Act, and domain exemplars in finance, healthcare, and defense to demonstrate domain generality and regulatory readiness. The framework supports a Declare-Do-Audit lifecycle, enabling stress testing, multi-agent governance, and cryptographic extensions for confidential, verifiable assurance, with a clear path toward scalable, auditable, and ethically guided autonomous systems.

Abstract

Policy Cards are introduced as a machine-readable, deployment-layer standard for expressing operational, regulatory, and ethical constraints for AI agents. The Policy Card sits with the agent and enables it to follow required constraints at runtime. It tells the agent what it must and must not do. As such, it becomes an integral part of the deployed agent. Policy Cards extend existing transparency artifacts such as Model, Data, and System Cards by defining a normative layer that encodes allow/deny rules, obligations, evidentiary requirements, and crosswalk mappings to assurance frameworks including NIST AI RMF, ISO/IEC 42001, and the EU AI Act. Each Policy Card can be validated automatically, version-controlled, and linked to runtime enforcement or continuous-audit pipelines. The framework enables verifiable compliance for autonomous agents, forming a foundation for distributed assurance in multi-agent ecosystems. Policy Cards provide a practical mechanism for integrating high-level governance with hands-on engineering practice and enabling accountable autonomy at scale.
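The abstract describes a card that carries allow/deny rules, obligations and evidence requirements, can be validated automatically, and feeds runtime enforcement and audit. The Python below is an added example of that flow, not the paper's schema or toolchain. Assumptions: every field name in the card, the default-deny and deny-overrides semantics, and the hash-chained evidence log.

```python
import hashlib
import json

# Constructed sample card; every field name is an assumption, not the paper's schema.
CARD = {
    "id": "example-finance-agent", "version": "1.0.0",
    "rules": [
        {"effect": "allow", "action": "read_account", "obligations": ["log_access"]},
        {"effect": "allow", "action": "transfer_funds", "max_amount": 1000,
         "obligations": ["log_access", "human_review"]},
        {"effect": "deny", "action": "delete_audit_log"},
    ],
}

def validate_card(card):
    """Structural check standing in for JSON Schema validation; returns a list of errors."""
    errors = [f"missing section: {k}" for k in ("id", "version", "rules") if k not in card]
    for i, rule in enumerate(card.get("rules", [])):
        if rule.get("effect") not in ("allow", "deny") or not rule.get("action"):
            errors.append(f"rule {i}: needs effect allow/deny and an action")
    return errors

def decide(card, action, amount=0):
    """Default deny; an explicit deny overrides any allow; an allow may carry a limit."""
    matches = [r for r in card["rules"] if r["action"] == action]
    if any(r["effect"] == "deny" for r in matches):
        return {"allowed": False, "obligations": []}
    for r in matches:
        if amount <= r.get("max_amount", float("inf")):
            return {"allowed": True, "obligations": r.get("obligations", [])}
    return {"allowed": False, "obligations": []}

def record_evidence(log, card, action, decision):
    """Append a hash-chained evidence record (edits to earlier records break the chain)."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = {"card": card["id"], "card_version": card["version"], "action": action,
            "allowed": decision["allowed"], "prev": prev}
    body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    log.append(body)

def verify_chain(log):
    """Recompute each hash and link; False if a record was altered or reordered."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != digest:
            return False
        prev = rec["hash"]
    return True
```

An auditor holding only the log and the card version can rerun `verify_chain` and replay `decide` to confirm that each recorded decision matches the declared rules.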

Paper Structure

This paper contains 50 sections, 5 figures, 4 tables.

Figures (5)

  • Figure 1: Policy Cards sit with the deployed agent and tell it what it must and must not do. Agents governed by different Policy Cards behave differently.
  • Figure 2: Schema architecture. Sections and principal relationships.
  • Figure 3: The Policy Card sits at the heart of the governance lifecycle. It supports policy declaration, controlled execution, evidence capture and automated audit feedback.
  • Figure 4: In multi-agent systems each agent carries its own Policy Card, building a distributed governance mesh. A Policy Card may be encrypted and parts of it visible only to oversight agents or regulators. Agents can produce zero-knowledge proofs asserting compliance with certain policy conditions without revealing internal data.
  • Figure 5: Policy Card coverage across NIST AI RMF 1.0, ISO/IEC 42001, and the EU AI Act. Filled dots indicate mappings between Policy Card sections and framework clauses, demonstrating interoperability and completeness of the Policy Card governance layer.