ICMD Agentic Workflow Governance Pack (2026)

1) Define the workflow (one page)
- Workflow name:
- Business owner (human):
- Agent owner (human):
- Systems touched (e.g., GitHub, Zendesk, Stripe, Salesforce):
- Data sensitivity: Low / Medium / High (PII, financial, credentials)
- Failure impact: Low / Medium / High (customer harm, revenue loss, security)

2) Set an autonomy tier (choose one)
- L0 Suggest only: agent drafts; human edits/executes.
- L1 Sandbox execute: agent runs analysis/tests; human reviews.
- L2 Limited write: agent can open PRs/tickets/docs; human approves merge/publish.
- L3 Guardrailed production: agent executes pre-approved playbooks (feature flags/config) with alerts.
- L4 End-to-end: agent plans and executes; post-hoc audits (rare).

3) Governance controls checklist (must-have before scaling)
- Access: least privilege scopes; separate read/write; short-lived tokens.
- Audit logs: prompts, tool calls, outputs, approver identity, timestamps.
- Kill switch: one-click disable + credential revoke + rollback steps.
- Evaluation: 25–50 “golden tasks” with expected outputs; weekly regression runs.
- Incident playbook: how to contain, notify, and learn when the agent fails.

4) Weekly scorecard (fill every Friday)
- Volume: # tasks attempted / completed by agent.
- Lead time to value: median hours from request → customer-visible outcome.
- Defect escape rate: % outputs causing rollback, incident, or customer complaint within 7 days.
- Verification cost: reviewer minutes per shipped change (trendline).
- Autonomy ROI: (hours saved − hours spent on review/cleanup) × fully loaded hourly cost.
- Drift signals: eval pass rate; top 3 failure patterns.

5) 90-day rollout plan (repeatable)
Days 1–15: pick 2 low-risk workflows; define metrics; assign owners; set autonomy tier.
Days 16–30: enforce “receipts” templates; implement logs; add kill switch; train reviewers.
Days 31–60: build eval harness; run weekly regressions; tighten prompts/tools; document lessons.
Days 61–90: move one workflow up one tier (if metrics improve); add 1 new workflow; publish scorecard.

6) Promotion criteria (to move up an autonomy tier)
- Eval pass rate ≥ 90% for 3 consecutive runs.
- Defect escape rate trending down for 4 weeks.
- Time-to-disable (drill) ≤ 60 seconds.
- Full audit coverage for 100% of high-impact outputs.

Copy/paste this pack into your internal wiki and treat it like production engineering: owners, metrics, audits, and continuous improvement.