1. Agent inventory
List every agent, owner, purpose, model/provider, connected tools, permission scope, and emergency revocation path.
Sample deliverable
A buyer-facing sample of what the Agent Governance Quick Audit reviews before a business lets agents touch email, CRM, support, finance, code, or customer workflows.
Control map
The paid audit turns these checks into a scored report with owners, risk notes, and a 30-day control backlog.
List every agent, owner, purpose, model/provider, connected tools, permission scope, and emergency revocation path.
List every inbox, app, repo, database, calendar, payment tool, file store, and customer system the agent can access or change.
Separate read-only work from consequential actions that send, publish, merge, invoice, refund, delete, or update records.
Define which actions need human review, who owns approval, and what evidence must be checked before execution.
Confirm prompts, inputs, tool calls, outputs, exceptions, approvals, and customer-facing actions are recorded somewhere durable.
Set limits for token usage, API calls, SaaS seats, background jobs, and follow-on automation until buyer value is proven.
Document when the agent must stop, ask for help, revoke credentials, notify owners, and restore manual workflows.
Scoring sample
A full audit scores every agent workflow for risk, business value, evidence quality, and the next control to add.
Workflow: Agent drafts invoice follow-ups from CRM and email history.
Risk: Medium. It reads customer history and can send billing messages.
Missing control: Agent inventory, permission scope, pre-action approval before send, final message log, reason code, and owner decision.
Next step: Run in draft-only mode for 10 messages, then review reply quality and payment outcomes.
Next step
If two or more checks are unclear, the business probably needs an agent governance audit before adding more automation.