Enterprises inventory servers, credentials, and vendors — each with an owner, a purpose, and a review date. Agents deserve the same discipline. This page describes the registry record and lifecycle for governed agents: what is written down before an agent acts, who answers for it, and when its authority expires.
Agents are cheap to create and quiet to run. An organization that lets them accumulate unregistered ends up with automation it cannot list, cannot attribute, and cannot switch off with confidence.
None of this requires a bad actor. It is what happens by default. The registry is what stops the default.
The registry answers a simple question for every agent and workflow in the estate: what is this, who answers for it, what may it touch, and when does someone have to look at it again.
| Field | What it records |
|---|---|
| agent_id / workflow_id | A stable identity, so approvals, budgets, and audit entries attach to one nameable thing. |
| purpose | What it exists to do — stated narrowly enough that drift is noticeable. |
| prohibited_uses | What it must never be used for, declared up front — mirroring the platform-wide prohibited uses. |
| business_owner | The person accountable for outcomes. A name, not a team alias. |
| technical_owner | The person who can change it, fix it, or halt it. |
| data_classifications | Which data classes it may touch, and the routes that data is allowed to travel. |
| models_providers | Which models and providers it runs on — so a model swap is a recorded change, not a silent one. |
| tools_permissions | The tools and connector scopes it holds: its skill allowlist, written down. |
| authority_level | The authority it has earned — observe, draft, recommend, request approval, or execute within policy. |
| budget | Spend and rate limits, so cost failure is bounded like any other failure. |
| current_version | The configuration version deployed now. Any change bumps the version. |
| evaluation_status | Whether it passed evaluation, against which set, and how recently. |
| deployment_state | Where it runs, and its current place in the lifecycle below. |
| next_review_date | When its registration expires unless a human re-approves it. |
| retirement_state | Whether it has been retired, and where its record and outputs are archived. |
The field set is the operating baseline. Naming, storage, and tooling for the record are configured per deployment.
Seven stages, no skipped steps. Each stage updates the record, and the record is what moves an agent to the next stage — authority is never carried over by habit.
Nothing runs unregistered. The record is written first — identity, owners, purpose, prohibited uses, and requested scope. Registration is deliberately cheap: the honest path has to be the easy path.
The agent runs against its evaluation set on representative inputs. Confidence is calibrated against tracked outcomes, and the result lands in the record.
The business owner accepts the risk. Authority level, data routes, tools, and budget are granted explicitly, and high-impact workflows pass a human approval gate before anything is deployed.
The approved version goes live inside its declared boundary — the allowlisted skills, permitted data routes, and authority level in the record, and nothing more.
Every consequential decision lands in a decision and execution record on the hash-chained audit trail, with the kill-switch above anything that touches the real world. Drift from purpose or budget shows up as a signal, not a surprise.
On the review date, registration expires unless renewed. Someone re-reads the purpose, re-checks the evaluation, and re-justifies every permission. Renewal is a decision, not a formality.
Agents end on purpose. Authority is revoked, credentials are rotated, and the record is archived alongside the audit trail it produced — so retirement closes the loop instead of creating an orphan.
The registry is the standing half of governed autonomy; the decision and execution record is the per-decision half. The four rungs — Evidence → Calibrated confidence → Gated authority → Full audit trail — need both.
The registry declares which data and tools evidence may come from; each decision record shows what a decision actually rested on.
The record's evaluation status holds the agent's standing calibration; each decision record carries the confidence attached to that output.
The registry's authority level is the earned grant; the graduation state machine and approval gates enforce it, decision by decision.
The registry says what should exist and within what bounds; the hash-chained trail shows what happened. Read together, they close the loop.
The same discipline applies to our own claims: platform capabilities are labelled, and the operating model is not dressed up as a shipped product.
These controls are described in the Trust Center and on the Security page. They are what make the registry enforceable rather than aspirational.
In a walkthrough we map your current agent estate onto this model — what would be registered, what is orphaned, and where the review dates should sit.
Request a walkthrough → See a decision record →