- The Governance dimension evaluates five areas: the AI use policy, the incident response plan, the liability chain documentation, the quality management system, and the documentation review cadence. Together these constitute the organizational governance infrastructure for AI.
- Governance documentation is the first gateway to AI agent insurance. Insurers including AIUC-1 licensees, Munich Re aiSure, and Armilla all review governance documentation before assessing technical characteristics. No governance documentation means no insurance policy.
- The most common gap is a policy that exists on paper but is not operationalized. A policy that does not shape actual deployment decisions, that has not been tested against a real incident, and that has not been reviewed since it was written is not a governance system. It is a file.
- EU AI Act Article 17 requires providers of high-risk AI to implement a quality management system. The Governance dimension in Agent Certified evaluates the same organizational infrastructure from the deployer perspective. Scores of 7 or above indicate the QMS foundation Article 17 requires.
- Liability chain documentation is the governance artefact most organizations have not produced. It maps who is responsible for what in the relationship between the AI provider and the deployer, and it is the document that resolves coverage disputes after an incident.
Why governance is the insurance gateway
Every underwriting process for an AI liability policy begins with governance. Before an insurer evaluates the technical characteristics of the AI system being covered, they assess whether the organization deploying it has a documented governance framework. The logic is straightforward. An organization with no governance framework has not anticipated AI failures, has no process to detect them, and has no plan to respond to them. That is the highest-risk posture an underwriter can encounter. An organization with a complete governance framework has, by definition, thought about what can go wrong, assigned responsibility for managing those risks, and established procedures for identifying and responding to failures. That is the posture from which an insurer can price risk with meaningful accuracy.
The same logic applies to EU regulatory compliance. Article 17 of Regulation (EU) 2024/1689 requires providers of high-risk AI systems to implement and document a quality management system covering all aspects of the AI lifecycle. Article 26 requires deployers to implement appropriate technical and organizational measures for their deployment context. Both obligations are, at their core, governance obligations: they require documented policies, defined roles, review cycles, and record-keeping practices that constitute a managed approach to AI risk. An organization with strong Governance dimension certification is close to satisfying both obligations at the organizational level, even if specific technical documentation must still be produced for individual systems.
The five areas the Governance dimension evaluates
Area 1: The AI use policy. The AI use policy is the foundational governance document. It defines which categories of AI use the organization permits, which it prohibits, and which require senior approval. A well-constructed AI use policy covers: the definition of AI as used by the organization (which systems are in scope); the permitted uses across business functions with any specific restrictions; the prohibited uses (typically including AI in unsupervised autonomous decision-making in regulated high-stakes contexts without an approval process); the deployment approval gate (the process a new AI system must pass before going live, including risk assessment, oversight assignment, and documentation requirements); the disclosure obligations when AI assists in decisions affecting customers, employees, or other external parties; and the training requirements for staff who operate or oversee AI systems.
What distinguishes an operationalized AI use policy from a policy that only exists on paper is a traceable connection between the policy and actual deployment decisions. Assessors evaluating this area ask: can the organization show a deployment that was modified, delayed, or declined because of a constraint in the AI use policy? Can they show that the oversight assignment required by the policy is recorded for each deployed system? Can they show that the training requirement was met for the staff currently assigned to oversight roles? A policy that cannot be connected to at least one concrete deployment decision it influenced is not operationalized for the purposes of the Governance dimension.
Area 2: The incident response plan. The incident response plan is the document that determines whether an AI failure produces a manageable operational event or a coverage dispute. It must cover five elements: the definition of an AI incident (what level of failure, error, or unexpected output qualifies as an incident requiring the plan to be activated); the immediate response steps (evidence preservation, system containment, stakeholder notification); the investigation process (how the root cause is identified, what technical and operational records are required, who conducts the analysis); the external notification obligations (when regulators, affected individuals, or insurance carriers must be notified, and at what intervals); and the post-incident improvement process (how the findings from the incident are fed back into the governance documentation and technical controls).
The test of a genuine incident response plan is whether it has been exercised. Organizations that have run a tabletop exercise or responded to a real AI incident using the plan can demonstrate that it works in practice, not just on paper. Assessors look for evidence of at least one documented exercise or real incident response event. Organizations that have not tested their plan are assessed on the quality of the plan document itself and scored proportionally lower until a test event has been conducted.
Area 3: Liability chain documentation. The liability chain document is the governance artefact that most organizations have not produced, even those with well-developed AI use policies and incident response plans. It maps the distribution of responsibility across the AI provider and deployer relationship for each AI system in scope. The document answers four questions for each system: who bears primary liability if the system produces a harmful output in its intended use; what the deployer's specific obligations are under the provider's instructions for use; where the boundary lies between provider responsibility and deployer responsibility for the specific deployment configuration; and what the escalation process is when a liability question cannot be resolved by reference to the existing documentation.
The liability chain document is important to insurers for a specific reason. AI liability policies exclude claims arising from the insured's contractual obligations to their AI providers, from breaches of the provider's instructions for use, and from modifications to the system that the provider did not authorize. An insurer examining a post-incident claim needs to establish whether the claim falls within covered territory or within one of these exclusions. The liability chain document is the artefact that makes this determination possible. Its absence means the insurer must reconstruct the provider-deployer liability boundary from contracts and communications under post-incident time pressure, which is the condition most likely to produce disputed outcomes.
Area 4: Quality management system for AI. The quality management system (QMS) for AI covers the documented processes through which the organization develops, tests, deploys, monitors, and retires AI systems. For organizations that develop their own AI systems or substantially customize procured ones, the QMS must address the development lifecycle: specification, design review, testing (including adversarial and edge-case testing), deployment approval, post-deployment monitoring, and version control. For organizations that deploy AI systems developed by third parties without modification, the QMS is primarily concerned with the procurement and monitoring processes: vendor assessment, deployment configuration review, ongoing performance monitoring, and the process for managing updates and version changes.
The connection between the QMS and EU AI Act Article 17 is direct. Article 17(1) specifies that providers of high-risk AI systems shall put a quality management system in place covering: strategies and procedures for compliance with the Act; techniques and processes for system design; testing and validation procedures; a technical infrastructure for assessing the AI system; data management specifications; the post-market monitoring system; and responsibility and accountability procedures. The Governance dimension treats the deployer's QMS as the organizational counterpart to the provider's Article 17 obligation. A deployer with a documented QMS that covers the deployment-side equivalents of these categories has the governance foundation Article 17 is designed to produce.
Area 5: Documentation review cadence. The fifth area is the process by which governance documentation is kept current. Governance documents that are written once and never reviewed become inaccurate as AI systems evolve, as regulatory requirements are updated, and as the organization's AI portfolio changes. The review cadence should specify: the minimum review interval for each governance document (typically annual for the AI use policy and QMS, and after each material incident for the incident response plan); the triggers that prompt an unscheduled review (a material change to a deployed AI system, a new regulatory obligation, a serious incident, a significant change to the organization's AI footprint); and the ownership of each document (who is responsible for initiating and completing the review).
The Governance scoring rubric
The Governance dimension is scored on a 1 to 10 scale within the Agent Certified methodology. The rubric reflects progressive maturity from absent documentation to externally validated governance effectiveness.
A score of 1 to 3 indicates that governance documentation is absent or generic. There is no AI use policy specific to the organization's deployments, or the policy that exists is a template that has not been adapted to actual practice. There is no incident response plan for AI-related failures. Liability chain responsibility has not been documented and is understood (if at all) only by the individual who negotiated the AI vendor contract. The quality management processes for AI, if they exist, are informal and undocumented. First assessments typically produce scores in this range for organizations that have deployed AI rapidly without having built governance infrastructure in parallel.
A score of 4 to 6 indicates the existence of core governance documents. The AI use policy exists and has been communicated to relevant staff. The incident response plan exists and covers the basic response sequence. Liability chain documentation exists in some form, typically as a section of the vendor contract rather than as a standalone operational document. The QMS exists at least as a description of the deployment approval process. However, none of these documents have been fully operationalized: the policy has not been tested against a deployment decision, the incident response plan has not been exercised, the liability chain document has not been reviewed against a real incident scenario, and the QMS review cycle has not been completed at least once. Scores in this range indicate organizations that have recognized the governance requirement and begun to address it but have not yet closed the gap between having documents and having a functioning governance system.
A score of 7 to 9 indicates a complete and operationalized governance framework. All five areas are covered by documented, current, and tested materials. The AI use policy is linked to a deployment approval gate and can be connected to concrete deployment decisions. The incident response plan has been exercised and revised at least once. The liability chain document is a standalone operational document reviewed when the provider relationship or system configuration changes. The QMS covers the full deployment lifecycle and has been completed for all AI systems in scope. The documentation review cadence is embedded in the organization's governance calendar. Scores in this range indicate organizations that treat governance as an operational capability, not a compliance formality. These are the organizations for whom the insurance underwriting process is productive: the documentation file is ready before the underwriter asks for it.
A score of 10 requires external verification of governance effectiveness. This can take the form of a third-party governance audit, a completed insurance underwriting process that reviewed the governance documentation and issued a policy on that basis, or a regulatory inspection that assessed the governance framework and found it adequate. A score of 10 also requires documented evidence that the governance process produced at least one material deployment decision. This final requirement ensures that the certification reflects a governance system that actually governs, rather than one that is merely well-documented.
The most common governance gaps
Three gaps recur consistently across first assessments.
The first is an AI use policy that has not been adapted for the specific AI systems in use. Generic policies produced before the organization began deploying AI agents frequently fail to address autonomous action scope, escalation procedures for AI decisions with significant consequences, and the disclosure obligations that apply when AI produces customer-facing outputs. When assessors ask whether the policy was applied in a specific deployment decision, the answer is typically that the deployment happened before the policy was written, or that the policy is consulted at annual review rather than at deployment time.
The second is an incident response plan that has not been exercised. The plan document may be complete and well-structured, but without a tabletop exercise or a real incident response event, the organization cannot demonstrate that the plan is executable. Assessors treat unexercised plans as partially valuable: they score better than no plan, but significantly lower than a plan with a documented exercise record. The most efficient remediation is to schedule and document a tabletop exercise. A two-hour exercise involving the AI governance, legal, and operations teams, documented with a summary of findings and any plan updates made as a result, moves a score of 4 to a score of 6 or 7 in this area.
The third is missing liability chain documentation. Most organizations understand that their AI vendor contracts address liability, but have not translated the contract terms into an operational document that answers the four questions the Governance dimension requires. The vendor contract is a legal instrument; the liability chain document is an operational one. They serve different audiences. Creating a one-page liability chain summary for each AI system in scope, derived from but not identical to the contract terms, is the most direct path to closing this gap.
Governance and insurance eligibility
For the connection between Governance dimension certification and the insurance products available for AI agents in Europe, the clearest pathway runs as follows. A score of 4 to 5 is typically the threshold below which specialist AI liability insurers decline to issue a policy, because the governance documentation does not provide adequate evidence of a managed risk approach. A score of 6 to 7 is the range in which most specialist products (Armilla, AIUC-1 backed coverage) will engage with an underwriting submission, though premium and terms will reflect the remaining gaps. A score of 8 or above is the range in which the underwriting process is typically straightforward, coverage terms are most favourable, and the organization's governance documentation can support a detailed risk representation to the insurer.
For a full treatment of how governance documentation connects to the insurance submission process, see preparing an AI agent underwriting submission for European insurers. For the relationship between the Governance dimension and the other six dimensions in the framework, see the seven dimensions overview.