AI Governance

This chapter covers the Admin Center → AI Governance menu and how to operate each screen. It is the area where the organization manages risk assessment, inspection, audit, and control policies for AI usage.

Accessing the Screen

Enter Admin Center from the top-left mode switch, then expand the AI Governance section in the left sidebar. The page opens with the governance monitoring dashboard.

AI Governance Monitoring — combined dashboard organized as a widget grid

The left sidebar's AI Governance area presents four management menus organized as an accordion. The menus are visible only to SuperUser accounts with the appropriate permissions; the display order and labels are as follows.

| # | Sidebar label | Page header (on entry) | Section in this chapter | In-page structure |
|---|---|---|---|---|
| 1 | AI Risk Assessment | AI Risk Assessment | Risk Review | Risk-category widget grid → items over the threshold open the Agent Approval view inside |
| 2 | Inspection History | AI Inspection History & Plan | Inspection | Four tabs — Inspection History / Inspection Plan / Overdue / Inspection Register |
| 3 | AI Service Change History | (service / operation change history list) | AI Service Change History | Click an Agent name to open the detail view → 6 sub-tabs: Execution Detail History / Data Access Info / Agent Change History / Policy Change History / Deployment Approval History / Governance Approval History |
| 4 | Control Policy Management | (3-tab policy management) | Control Policy | Three tabs — PII Protection / Forbidden Words / Risk Levels |

Sidebar labels may differ from page headers

Clicking Inspection History in the sidebar opens a page whose header reads AI Inspection History & Plan. This chapter locates each menu by its sidebar label, and uses the page header only as a confirmation cue after entry.

Internally the four items belong to backend permission categories (gov-risk-review / gov-inspection / gov-service-history / gov-control-policy), but those category names are not shown as sidebar group labels — all four sit flat inside a single AI Governance accordion.

Risk Review

Computes per-category risk scores for deployed agents; agents that exceed a threshold are routed to governance reviewers for explicit approval.

AI Risk Assessment — risk-category widget grid and trend charts

Suggested Weights (Financial Sector Example)

  • PII Exposure: 10 (highest priority)
  • Data Exfiltration: 9
  • Privilege Misuse: 8
  • Policy Violation: 6
  • Abnormal Access: 5

Agent Approval

This menu is the second of two approval stages required before an agentflow can be served to end users. The first stage — deployment approval — is performed by the System Administrator on Agent Operations → Agent Management; only agents that pass that stage reach this queue.

Where Governance Approval sits — stage 2 of dual approval

| Stage | Reviewer | Screen | Effect on data |
|---|---|---|---|
| 1. Deployment approval | System Administrator | Agent Management | is_accepted: true, is_deployed: true |
| 2. Governance approval (this screen) | Governance Officer | AI Governance → Agentflow Approval | is_governance_accepted: true |

✅ Servable: visible to end users only after both stages pass.

Agents rejected at stage 1 never appear in this queue. Because governance reviewers only see agents the System Administrator has already cleared for operational fitness, their review can focus on risk category, PII impact, and policy compliance.

Approval workflow

Agent approval is handled in the steps below. All review and decision actions can be completed within this single screen.

1. Open the screen

In Admin Center, navigate via the left sidebar:

  • AI Governance
  • Agent Approval

The screen header is followed by a search field and the per-status stat cards.

2. Check approval status

Use the dashboard cards at the top to quickly see the current status of the queue.

Examples:

  • All
  • Pending
  • Approved
  • Rejected

Click any card to filter the list automatically by that status, so you can focus on what you need to act on.

Only agents that have cleared the System Administrator's stage-1 deployment approval are listed in this review queue. Items whose risk-assessment results exceed the configured thresholds may also be added to the same queue automatically.

3. Read the table columns

Headers sort on click.

| Column | Sortable | Description |
|---|---|---|
| Agentflow | | Name. Row click = detail modal |
| Creator | | Author ID / display name |
| Department | | Author's department |
| Governance status | | Pending / Approved / Rejected badge |
| Reviewer | | The Governance Officer who processed the row (- while pending) |
| Last modified | | Request or processing timestamp |
| Actions | | View detail / Approve / Reject — the latter two appear only on pending rows |

4. Inspect the detail modal

Selecting an item from the list opens the Agent Flow Detail modal, which gathers the information you need to review in one place.

Basic info

Shows the basic information about the agent flow.

What you can verify:

  • Agent name
  • Creator (name / department)
  • Version
  • Node and edge counts

Examples:

  • v2
  • 14 Nodes / 21 Edges

Governance review status

Shows the current governance status and review history.

What you can verify:

  • Governance status badge
  • Reviewer
  • Processing state

Already-approved or already-rejected items display this information as well.

Review comment

The comment recorded by the reviewer is shown here.

Shown only for already-processed items.

Node summary table

Summarizes the nodes that make up the agent flow.

What you can verify:

  • Node name
  • Function ID
  • Category
  • Parameter count
  • Input / Output (I/O)

Clicking a row expands the detail panel where you can inspect parameter values and input fields.

Review recommendations

We recommend prioritizing nodes that may handle personal information (PII) or transmit data outside the system.

Examples:

  • External API calls
  • Email sending
  • External system integration
  • File upload

Check whether node parameters and inputs could carry sensitive data and confirm that the configuration matches the intended use.

5. Decide — Approve or Reject

The footer buttons in the detail modal, or the right-side buttons on the row, open the comment modal.

  • Approve — Comment is optional. The agent goes live immediately.
  • Reject — Comment is required. The comment is delivered to the author, who must fix the agent and resubmit from stage 0.

When the Submitting… state clears, the stat cards and table refresh automatically. If the same agent reappears as Pending, the author has resubmitted after a fix — repeat the workflow.

Every approve/reject action is recorded in AI Service Change History; the reviewer (governance_reviewed_by), comment (governance_review_comment), and timestamp are retained permanently.
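
The dual-approval rules above (servable only after both stages pass, a comment required on rejection, a reviewer recorded on every decision) can be checked mechanically against agent records. The following is an added example, not code from the product: the flag and reviewer field names are the ones this chapter mentions, while the dict layout, the name and governance_status keys, and the sample rows are assumptions.

```python
# Added example. Field names come from this chapter; the dict layout, the
# "name" and "governance_status" keys and the sample rows are assumptions.

def is_servable(agent):
    """An agent is visible to end users only after both stages pass."""
    return all(agent.get(k) is True for k in
               ("is_accepted", "is_deployed", "is_governance_accepted"))

def audit_findings(agent):
    """List ways a record contradicts the documented approval workflow."""
    findings = []
    stage1 = agent.get("is_accepted") is True and agent.get("is_deployed") is True
    gov_ok = agent.get("is_governance_accepted") is True
    status = agent.get("governance_status", "Pending")
    reviewer = (agent.get("governance_reviewed_by") or "").strip()
    comment = (agent.get("governance_review_comment") or "").strip()
    if (gov_ok or status != "Pending") and not stage1:
        findings.append("governance decision without stage-1 approval")
    if gov_ok != (status == "Approved"):
        findings.append("status badge disagrees with is_governance_accepted")
    if status in ("Approved", "Rejected") and not reviewer:
        findings.append("processed row has no governance_reviewed_by")
    if status == "Rejected" and not comment:
        findings.append("rejected without the required comment")
    return findings

def audit(records):
    """Map agent name -> findings, for records with at least one finding."""
    report = {r["name"]: audit_findings(r) for r in records}
    return {name: found for name, found in report.items() if found}

def _row(name, acc, dep, gov, status, reviewer="", comment=""):
    return {"name": name, "is_accepted": acc, "is_deployed": dep,
            "is_governance_accepted": gov, "governance_status": status,
            "governance_reviewed_by": reviewer,
            "governance_review_comment": comment}

SAMPLE = [  # constructed records, not real export data
    _row("hr-faq", True, True, True, "Approved", "gov01"),
    _row("mailer", True, True, False, "Rejected", "gov01"),
    _row("export-bot", True, False, True, "Approved"),
    _row("draft", True, True, False, "Pending"),
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, "->", "; ".join(found))
    print("servable:", [r["name"] for r in SAMPLE if is_servable(r)])
```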

Inspection

Manages the inspection schedule and history for AI systems across the organization.

| Menu | Role |
|---|---|
| Inspection Monitoring | Card-style dashboard of in-progress and upcoming items |
| Plan | Register/adjust quarterly and annual inspection plans |
| Overdue | Track items past their due date and their owners |
| History | Results, actions, and evidence for completed inspections |

Inspection items are linked to risk-review results; completing an inspection re-computes the affected risk scores.

AI Service Change History

Records governance-policy changes and user operational actions.

Service Change History — tracks governance-policy and service-configuration changes

| Menu | Role |
|---|---|
| Service Change History | Changes to governance policies, service configuration, and approval workflows |
| Operation History | Per-user / per-policy / per-agent action tracking (actor, approver, target, time) |

vs. data audit log

The solution exposes two distinct audit surfaces. They differ by the unit being tracked.

| View | Tracked unit | What it records | Location |
|---|---|---|---|
| Data Audit Log | DB row / user | INSERT / UPDATE / DELETE / DDL on operational DB — who, when, which table, which row | Data Management · Data Audit Log (Data Management group) |
| AI Service Change History | Agent | The Per-Agent detail — 6 tabs above — Execution / Data Access / Agent Change / Policy Change / Deployment Approval / Governance Approval | This screen (AI Governance group) |

Rule of thumb: if the question is "what data was changed", use the Data Audit Log. If it is "how has this agent evolved" at the agent level, use this screen.

Per-Agent detail — 6 tabs

Clicking an Agent name in the list opens the agent's detail view. The screen shows an attachment panel and 6 tabs at the top. On every tab you can review the stat cards and use filters, date-range search, and CSV export.

| # | Tab | Stat cards | Table columns | Filters |
|---|---|---|---|---|
| 1 | Execution Detail History | Total / Success / Failure | Execution ID · Timestamp · Version · Type · Executor · Duration · Status · Input · Output | Type · Status · Period |
| 2 | Data Access Info | Total accesses / Agent developer / Model developer | Access timestamp · Target DB / Collection · RBAC type · User · Department · Action | RBAC · Action · Period |
| 3 | Agent Change History | Total changes / Approved / Pending / Rejected | Change timestamp · Activity · Before · After · Changer · Department · Approval status | Approval status · Period |
| 4 | Policy Change History | Total changes / Auto-approved / Changer | Change timestamp · Policy type · Policy name · Version · Change type · Changer · Approval | Change type · Changer · Approval · Period |
| 5 | Deployment Approval History | Approved / Pending / Rejected | Execution ID · Timestamp · Version · Executor · Department · Approval status | Approval status · Period |
| 6 | Governance Approval History | Approved / On hold / Rejected | Execution ID · Timestamp · Version · Executor · Department · Governance reviewer · Approval status | Approval status · Period |

How to enter:

  1. Click AI Governance → AI Service Change History in the left sidebar to open the list
  2. Click the Agent name of a row to drill into the detail view
  3. Choose one of the 6 tabs at the top to focus on a specific change category
  4. Use the CSV button at the top right to export the current tab (use this as the source for compliance reports)

Recommended use per tab

  • Deployment Approval / Governance Approval History — Review the dual-approval workflow step by step. Use these tabs as primary evidence for finance and internal-audit responses.
  • Policy Change / Agent Change History — Trace responsibility for risk-policy and control-policy edits. The changer and approval status are recorded together, so incident root causes can be narrowed quickly.
  • Data Access Info — Use the RBAC-type breakdown to spot over-provisioned permissions.

Control Policy

Registers and manages the organization's AI usage control policies.

Control Policy Management — active / inactive policy counts and violation trends

| Area | Content | Detail |
|---|---|---|
| PII Policy | Targets and rules for personal-information masking (RRN, phone, email, etc.) | PII Policy |
| Forbidden Words | Keywords/regex blocked in inputs and responses | (in PII Policy chapter) |
| Risk Policy | Risk-category weights and automatic-action thresholds | See Risk Review above |

Active-policy counts and violation trends also appear as widgets on the main governance monitoring dashboard.

Operational Recommendations

  • Monthly review — operations and security teams jointly review the governance dashboard and risk-review output, then act on outliers
  • Quarterly weight tuning — reweight risk categories to reflect new external regulation and internal incidents
  • Documented approval process — for agents over the risk threshold, document approvers, deadlines, and re-review cadence separately
  • Automated inspection planning — register the quarterly inspection plan in the scheduler to avoid misses
  • Retention — keep operation history for the regulatory retention period (typically 5+ years in financial sector)

Contact

For AI Governance questions, contact the Xgen Solution Administrator.