AGENT CHANGE REQUEST (ACR) — ONE-PAGE TEMPLATE Purpose Use this for any new or expanded agent capability, especially anything that touches external systems or has side effects (send, post, modify, delete, execute). 1) Workflow Name + Owner - Workflow name: - Product owner: - Eng owner: - Launch flag / rollout plan (staged, beta, GA): 2) User Value (one sentence) - “This agent will…” (be concrete; name the systems and outcome): 3) Action Inventory (explicit side effects) List each action the agent can take. Include read vs write. - Tool/action #1: - Read/Write: - Target system (e.g., Gmail, Slack, Jira, internal DB): - Objects touched (emails, channels, tickets, records): - Tool/action #2: … 4) Identity + Permission Model - Acting identity (user, service account, delegated): - Required scopes/roles: - Tenant/project boundaries: - Any cross-tenant risk? (should be “no” with explanation) 5) Approval & Confirmation Policy For each write action, define the gate. - Suggest-only, Draft-only, Auto-execute: - If approval required, what does the approval UI show? - Diff/preview: - Recipients/targets: - Amounts/irreversible changes: 6) Data Access & Retention - Inputs the agent can see (UI fields, retrieved docs, message history): - Retrieval allowlist (sources included) + denylist (sources excluded): - Can the agent store memory/state? Where and for how long? - Redaction rules for logs (PII, secrets): 7) Failure Modes & Safe Fallback - What does the agent do on uncertainty? (ask a question / stop / draft only) - What does it do on tool error? (retry policy, backoff, abort) - What user messaging appears on partial completion? 8) Observability Requirements (must-have fields) For every agent run, capture: - User ID, tenant ID, workflow name, timestamp - Model/provider + routing decision - Step count + tool call list - Approval events (requested/approved/denied) - Cost bucket (your internal tagging), latency bucket - Link to replay/debug view 9) Evaluation Plan (quality + safety) - Small maintained test set describing real tasks (store prompts/inputs safely) - What counts as success for this workflow? - What counts as a blocker? (wrong recipient, wrong record, policy violation) - Regression check before expanding rollout 10) Kill Switch & Rollback - What can be disabled live? (entire workflow / specific tool / auto-exec) - How to force suggestion-only mode: - Owner on-call / escalation path: Sign-off - Product: - Engineering: - Security/Compliance (if applicable): - Date: Notes If you can’t fill this out in one page, the agent behavior is too vague. Tighten scope, reduce tool access, or add checkpoints until it’s reviewable.