Agent Governance Control Matrix
A working-paper control matrix that maps ten classic financial controls — least privilege, segregation of duties, audit trails, human sign-off, kill switches — onto AI agents across Microsoft Copilot, AWS Bedrock and AWS Quick Suite, against DORA, the EU AI Act and ISO 42001. For each control it shows what the platform gives you natively and the gap you still own. Filter, isolate the gaps, and export the full matrix to Excel.
The Agent Governance Control Matrix takes the century-old financial-control playbook — identity and least privilege, segregation of duties, audit trails, human oversight, kill switches, data governance, robustness, change management, monitoring and an agent register — and maps it onto AI agents across three surfaces: Microsoft Copilot, AWS Bedrock (the build layer) and AWS Quick Suite (the buy layer). Each control is read against DORA, the EU AI Act and ISO 42001. Every row shows, for each platform, whether the capability is native, partial or absent, with the concrete primitive named — Entra Agent IDs, Cedar policy at the AgentCore Gateway, Quick Suite custom permissions and S3 ACLs, and so on. Then it shows the gap: the part no vendor hands you, the control you design, run and evidence yourself, together with the specific evidence an examiner asks for. The premise is that the primitives are converging fast, but the gap column is the actual job — and it is the same job on every platform. You can filter by control family, isolate a single platform, show only the gaps, and export the full matrix, evidence checklist and platform notes to Excel. It is written as a working paper by a practitioner running a live enterprise agent deployment.
- Ten classic controls mapped onto AI agents, each anchored to DORA, the EU AI Act and ISO 42001
- Three platforms side by side — Microsoft Copilot, AWS Bedrock (build) and AWS Quick Suite (buy)
- Native / partial / gap marking per control per platform, with the specific primitive named
- The gap for every control — what no vendor hands you, spelled out
- The evidence an examiner asks for, control by control
- Filter by control family, isolate a platform, or show only the gaps
- Export the full matrix, evidence checklist and platform notes to Excel
AI agent platforms are shipping governance primitives at speed — scoped identities, policy gateways, approval steps, audit logs — and it is tempting to read a native feature as a discharged control. It is not. A platform can scope access but not prove the access was right; it can log actions but not assemble an examiner-ready audit file; it can offer an off-switch but not the runbook for using it. The distance between the primitive and the defensible control is exactly where a supervisory review lands. This matrix makes that distance explicit for the three platforms most regulated firms actually touch, mapped onto the obligations that bite — DORA, the EU AI Act and ISO 42001 — and names, for each control, the evidence you would have to produce. It is a scoping tool for the governance work that remains after the platform has done its part.
Status
LiveRegulation
EU AI ActFormat