---
title: "AI agent risk classification: a practitioner's guide to the three dimensions"
date: 2026-04-08
updated: 2026-04-16
author: david
excerpt: "Risk classification is the decision that shapes everything downstream in agent governance. This guide provides a three-dimension scoring model (data sensitivity, decision authority and blast radius) that maps every AI agent to a governance tier."
category: governance
tags: [risk-classification, governance, eu-ai-act, compliance, ai-agents]
draft: false
tldr: "Static risk categories fail for AI agents because agent behavior is non-deterministic, capabilities expand over time and risk is contextual. Score every agent across three dimensions (data sensitivity, decision authority and blast radius) to compute a composite risk tier (1-4) that determines policies, certification cadence, monitoring level and human oversight requirements."
seo:
  title: "AI agent risk classification: a practitioner's guide | Roval"
  description: "Score AI agents across data sensitivity, decision authority and blast radius to compute a composite risk tier that drives governance decisions."
faqs:
  - question: "How do I classify an AI agent by risk?"
    answer: "Score the agent across three dimensions: data sensitivity (what data can it access?), decision authority (what actions can it take without human approval?) and blast radius (what's the scope of impact if it fails?). Each dimension is scored 1-4. Apply organizational weights, calculate the composite and map to one of four risk tiers."
  - question: "What are the risk dimensions for AI agents?"
    answer: "Data sensitivity measures the classification of data the agent can access (public to restricted). Decision authority measures the level of autonomous action the agent can take (advisory to fully autonomous). Blast radius measures the scope of impact if the agent fails (individual user to external/customer-facing)."
  - question: "How does AI agent risk classification relate to the EU AI Act?"
    answer: "The EU AI Act defines four risk levels: unacceptable, high, limited and minimal. The internal four-tier enterprise model maps onto this: Critical agents are likely high-risk under the Act; High agents may qualify depending on the Article 6(3) derogation; Medium and Low agents typically fall under limited or minimal risk with transparency obligations."
  - question: "Should risk classification be static or dynamic?"
    answer: "Dynamic. Agents change: new data sources, new tool access, model updates, ownership changes. Each change can shift the risk profile. Build re-classification triggers into your governance pipeline so that material changes automatically prompt a re-assessment."
  - question: "How often should I re-classify agents?"
    answer: "At minimum: annually for Tier 1, every 180 days for Tier 2, every 90 days for Tier 3-4. Additionally, re-classify immediately when any material change occurs (new data access, new tools, new deployment scope, model update or owner departure)."
  - question: "What's the difference between agent risk classification and model risk management?"
    answer: "Model risk management (MRM) governs the statistical performance of ML models: accuracy, bias, drift. Agent risk classification governs the operational risk of autonomous systems: what data they access, what actions they take and what happens when they fail. An agent can use a perfectly performing model and still be high-risk because of its data access, authority level or blast radius."
  - question: "Where does Roval fit?"
    answer: "Roval implements the three-dimension risk classification as a core feature of the agent registry. Each agent is scored across data sensitivity, decision authority, blast radius and regulatory exposure. The system computes a composite risk tier (1-4) with configurable weights per organization. Auto-classification suggests a tier with per-dimension reasoning; Tier 3+ suggestions require human confirmation. The production gate blocks uncertified high-risk agents from reaching production."
---

## The pivot point of agent governance

Risk classification is the decision that shapes everything downstream. Get it right and your governance program applies the right level of oversight to each agent: light-touch for a knowledge base bot, continuous monitoring for a clinical decision support system. Get it wrong and you either drown low-risk agents in compliance overhead (killing adoption velocity) or leave high-risk agents under-governed (creating exposure that no one sees until the audit).

The problem is that most enterprises classify AI agents the way they classify traditional AI: as a binary. High-risk or not high-risk. Governed or ungoverned. Approved or unapproved. This worked when AI systems produced outputs for humans to review. It doesn't work when AI agents take autonomous actions, access sensitive data and interact with other agents across organizational boundaries.

Dr Zeynep Engin at University College London and Professor David Hand at Imperial College London made this argument formally in their 2025 paper [*Toward Adaptive Categories: Dimensional Governance for Agentic AI*](https://arxiv.org/abs/2505.11579):

:::cite{name="Dr. Zeynep Engin" title="Senior Research Associate, University College London; Director, Data for Policy" avatar="/images/experts/zeynep-engin.jpg" linkedin="https://linkedin.com/in/zeynep-engin-phd-203b463"}
Traditional categorical governance frameworks (based on fixed risk tiers, levels of autonomy or human oversight models) are increasingly insufficient on their own.
:::

Their core insight is that agent risk isn't a label you assign once. It's a position along multiple continuous dimensions and that position moves as agents gain capabilities, access new data and operate in new contexts.

This article provides the practitioner methodology for doing that classification. Not as a theoretical exercise, but as an operational system you can implement this week. (Roval's [agent registry](/platform/agent-registry) implements this three-dimension model as a core feature; see how it maps to your [risk classification](/solutions/risk-classification) workflow.)

<figure>
<a href="https://arxiv.org/abs/2505.11579" target="_blank" rel="noopener"><img src="/images/blog/arxiv-dimensional-governance-agentic-ai.png" alt="Engin and Hand: Toward Adaptive Categories, Dimensional Governance for Agentic AI" loading="lazy" decoding="async" /></a>
<figcaption>Toward Adaptive Categories: Dimensional Governance for Agentic AI. The academic foundation for dimensional risk scoring | <a href="https://arxiv.org/abs/2505.11579" target="_blank" rel="noopener">Source</a></figcaption>
</figure>

## Why static categories fail for agents

The EU AI Act defines a classification system for AI: unacceptable risk (banned), high-risk (strict obligations), limited risk (transparency requirements) and minimal risk (largely unregulated). [Article 6](https://artificialintelligenceact.eu/article/6/) provides the rules and [Annex III](https://artificialintelligenceact.eu/annex/3/) lists the use cases that qualify as high-risk: biometrics, critical infrastructure, education, employment, law enforcement and others.

This framework was designed for traditional AI systems: a credit scoring model, a medical diagnostic tool, a hiring algorithm. Systems whose behavior is defined at deployment and doesn't change until someone deliberately modifies them. For those systems, a one-time classification is reasonable.

:::fact{title="Why classification drives everything"}
The agent's risk tier determines: what policies apply to it, how frequently it must be recertified, what level of runtime monitoring it receives, what human oversight model governs it and which compliance frameworks it maps to. A misclassification doesn't just create one error. It cascades through every subsequent governance decision.
:::

Agents are different in three ways that break static classification.

**Agent behavior is non-deterministic.** The same agent, given the same prompt, may take different actions depending on context, conversation history and the current state of the tools it has access to. A classification based on what the agent *was designed to do* may not reflect what it *does* in production.

**Agent capabilities expand over time.** Someone adds a new API integration. A tool permission gets broadened. A model version updates. None of these individually trigger a formal re-assessment, but collectively they can shift an agent's risk profile from medium to high without anyone noticing.

**Agent risk is contextual.** The same agent architecture deployed in two different departments can carry fundamentally different risk. A summarization agent processing public marketing content is low-risk. The same architecture processing patient medical records is high-risk. The agent didn't change. The context did.

The [World Economic Forum's November 2025 white paper](https://www.weforum.org/publications/ai-agents-in-action-foundations-for-evaluation-and-governance/) addresses this directly, defining seven classification dimensions for agents: Function, Role, Predictability, Autonomy, Authority, Use case and Environment. Their conclusion: "autonomy and authority should not be treated as inherent system properties, but as design choices that can be made based on the agents' intended functions, risk considerations and oversight requirements."

<figure>
<a href="https://www.weforum.org/publications/ai-agents-in-action-foundations-for-evaluation-and-governance/" target="_blank" rel="noopener"><img src="/images/blog/wef-ai-agents-governance.png" alt="WEF: AI Agents in Action, Foundations for Evaluation and Governance" loading="lazy" decoding="async" /></a>
<figcaption>AI Agents in Action: Foundations for Evaluation and Governance. The WEF framework for agent classification and progressive governance | <a href="https://www.weforum.org/publications/ai-agents-in-action-foundations-for-evaluation-and-governance/" target="_blank" rel="noopener">Source</a></figcaption>
</figure>

Our model distills this into three dimensions that are actionable for enterprise practitioners.

## The three dimensions

Every AI agent can be scored across three dimensions. Each dimension captures a distinct axis of risk. Together, they produce a composite score that maps to a governance tier.

### Dimension 1: Data sensitivity

**What it measures:** The highest classification of data the agent can access or process.

This isn't about what data the agent *is supposed to* access. It's about what data it *can* access given its current permissions. An agent with read access to a database containing customer PII is classified based on that access, even if it's only "supposed to" read the public columns.

**Scoring scale:**

| Score | Level | Definition | Examples |
|-------|-------|------------|---------|
| 1 | **Public** | Publicly available information only | Marketing content, public documentation, open-source code |
| 2 | **Internal** | Non-public business data, no personal data | Internal wikis, project plans, meeting notes, internal metrics |
| 3 | **Confidential** | Sensitive business data or limited personal data | Employee records, customer account data, financial reports, trade secrets |
| 4 | **Restricted** | Regulated personal data or classified information | PII, PHI, payment card data, biometric data, data subject to legal hold |

The European Insurance and Occupational Pensions Authority (EIOPA) published a [factsheet on AI systems in insurance](https://www.eiopa.europa.eu/) confirming that AI systems used for "risk assessment and pricing in relation to natural persons in the case of life and health insurance" are explicitly classified as high-risk under the EU AI Act. The data sensitivity dimension is where this regulatory classification bites: any agent processing health or financial data about individuals triggers the highest tier.

:::fact{title="The permission-based principle"}
Classify based on *access*, not *intent*. If an agent has database credentials that grant read access to a table containing customer PII (even if the agent's prompt says "only query the product catalog") the data sensitivity score is 4 (Restricted). Access defines the risk boundary, not the prompt. This principle prevents the most common classification error: scoring agents based on what they're designed to do rather than what they're capable of doing.
:::

### Dimension 2: Decision authority

**What it measures:** The degree to which the agent can take actions that affect systems, data or people without human approval.

This dimension captures what Engin and Hand call "process autonomy": "the degree to which the system can operate without human intervention, supervision or control." The key distinction is between agents that *inform* and agents that *act*.

**Scoring scale:**

| Score | Level | Definition | Examples |
|-------|-------|------------|---------|
| 1 | **Advisory** | Read-only; provides information or recommendations for human action | Knowledge base Q&A, document summarizer, research assistant |
| 2 | **Assisted** | Can take actions, but only with explicit human approval before execution | Draft-and-review content workflows, purchase requisitions requiring sign-off |
| 3 | **Supervised** | Autonomous within defined guardrails; human notified but doesn't pre-approve | CRM record updates, internal email responses, scheduled report generation |
| 4 | **Autonomous** | Full execution authority with no human in the loop for routine actions | Automated trading, clinical triage routing, production infrastructure management |

The [Singapore IMDA Agentic AI Framework](https://www.roedl.com/en/insights/singapore-model-ai-governance-framework/) (January 2026) specifically calls for organizations to assess "the scope of actions the agent can take, the reversibility of those actions and the level of autonomy the agent will be granted." Reversibility matters: an agent that can send an email (irreversible) carries higher decision authority risk than one that can draft an email (reversible until a human clicks send).

### Dimension 3: Blast radius

**What it measures:** The scope of impact if this agent fails catastrophically: produces incorrect outputs, takes unauthorized actions or behaves in ways that violate policy.

Blast radius is the dimension most often overlooked. An agent can be low on data sensitivity and low on decision authority but still be high-risk if its outputs affect a large population. A public-facing chatbot processing no sensitive data and taking no actions can still damage brand reputation across millions of customer interactions.

**Scoring scale:**

| Score | Level | Definition | Examples |
|-------|-------|------------|---------|
| 1 | **Individual** | Affects a single user or a single workflow | Personal productivity assistant, individual code review agent |
| 2 | **Team** | Affects a team, department or internal process | Team scheduling agent, department reporting bot, project management assistant |
| 3 | **Organization** | Affects the entire organization or a business-critical process | Company-wide HR agent, ERP automation, internal communications agent |
| 4 | **External** | Affects customers, partners, regulated populations or public perception | Customer-facing support agent, public content generation, patient-facing clinical agent |

Kunal Singh's [analysis of blast radius in multi-agent systems](https://www.singhspeak.com/blog/managing-the-agentic-blast-radius-in-multi-agent-systems-owasp-2026) for OWASP 2026 identified a particularly dangerous pattern: "unchecked blast radius occurs when probabilistic agent behavior becomes persistent, trusted and shared across systems." In [multi-agent](/research/blog/multi-agent-governance) environments, a single agent's failure can propagate through dependent agents, amplifying the blast radius well beyond its own direct scope. When scoring blast radius, account for downstream dependencies, not just the agent's own direct impact.

## Computing the composite risk tier

The three dimension scores combine into a composite risk tier that determines the agent's governance treatment.

**Step 1: Score each dimension (1-4)**

Each dimension is scored independently using the scales above.

**Step 2: Apply weights**

By default, dimensions are weighted equally (33% each). However, organizations in heavily regulated industries may weight data sensitivity higher, while organizations deploying customer-facing agents may weight blast radius higher.

Example configurations:

| Organization type | Data sensitivity | Decision authority | Blast radius |
|-------------------|------------------|--------------------|--------------|
| **Default** | 33% | 33% | 33% |
| **Healthcare / Financial services** | 50% | 30% | 20% |
| **Consumer SaaS / B2C** | 25% | 25% | 50% |
| **Internal tools / Platform engineering** | 25% | 50% | 25% |

**Step 3: Calculate composite score**

Composite = (Data sensitivity × w1) + (Decision authority × w2) + (Blast radius × w3)

The weights are expressed as fractions that sum to 1.0 (the default profile is one third each, shown in the table as 33%). Because every dimension score lies between 1 and 4, the result is a number between 1.0 and 4.0. Round it to one decimal place before mapping to a tier; the tier boundaries are one-decimal values and the worked examples below follow the same convention.

**Step 4: Map to risk tier**

| Score range | Tier | Label | Governance implications |
|-------------|------|-------|------------------------|
| 1.0-1.7 | 1 | **Low** | Registry entry, annual review, light-touch monitoring |
| 1.8-2.5 | 2 | **Medium** | Certification required, 365-day expiry, standard monitoring |
| 2.6-3.3 | 3 | **High** | Human-in-the-loop for sensitive actions, 180-day cert expiry, production gate |
| 3.4-4.0 | 4 | **Critical** | Explicit approval required, 90-day cert expiry, continuous monitoring, incident response plan |
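The four steps above as an added Python example; this is illustration code, not the article's worksheet or Roval's implementation. It encodes the weight profiles from the configuration table as exact fractions, rounds the composite half-up to one decimal place, maps the result to the tier bands from the table, and rejects a weight profile that does not sum to 1.0. The profile keys and the `DimensionScores` and `classify` names are my own naming, not the product's.

```python
from dataclasses import dataclass
from fractions import Fraction
from math import floor

# Weight profiles from the "Example configurations" table, held as exact fractions
# so the sum-to-1.0 check is not defeated by floating-point drift.
WEIGHT_PROFILES = {
    "default": (Fraction(1, 3), Fraction(1, 3), Fraction(1, 3)),
    "healthcare_financial": (Fraction(1, 2), Fraction(3, 10), Fraction(1, 5)),
    "consumer_saas": (Fraction(1, 4), Fraction(1, 4), Fraction(1, 2)),
    "internal_platform": (Fraction(1, 4), Fraction(1, 2), Fraction(1, 4)),
}

# Tier bands from the "Map to risk tier" table: (inclusive upper bound, tier, label).
# The bounds are one-decimal values, so the composite is rounded to one decimal first.
TIER_BANDS = [(1.7, 1, "Low"), (2.5, 2, "Medium"), (3.3, 3, "High"), (4.0, 4, "Critical")]


@dataclass(frozen=True)
class DimensionScores:
    data_sensitivity: int    # 1 Public .. 4 Restricted
    decision_authority: int  # 1 Advisory .. 4 Autonomous
    blast_radius: int        # 1 Individual .. 4 External

    def __post_init__(self):
        for name, value in vars(self).items():
            if value not in (1, 2, 3, 4):
                raise ValueError(f"{name} must be an integer 1-4, got {value!r}")


def validate_weights(weights):
    """Accept fractions, ints or decimal floats such as 0.3; reject profiles that do not sum to 1."""
    if len(weights) != 3:
        raise ValueError("exactly three weights are required")
    exact = tuple(w if isinstance(w, Fraction) else Fraction(str(w)) for w in weights)
    if any(w < 0 for w in exact):
        raise ValueError("weights must be non-negative")
    if abs(sum(exact) - 1) > Fraction(1, 10**6):
        raise ValueError(f"weights must sum to 1.0, got {float(sum(exact)):.4f}")
    return exact


def composite_score(scores, weights=WEIGHT_PROFILES["default"]):
    """Weighted sum of the three dimension scores, rounded half-up to one decimal place."""
    w1, w2, w3 = validate_weights(weights)
    raw = (scores.data_sensitivity * w1
           + scores.decision_authority * w2
           + scores.blast_radius * w3)
    # Half-up rounding on the exact value avoids round()'s half-to-even behaviour
    # (1.25 becomes 1.3 here, not 1.2), so a score sitting on a band edge is never
    # quietly pushed into the lower tier.
    return floor(raw * 10 + Fraction(1, 2)) / 10


def risk_tier(composite):
    for upper, tier, label in TIER_BANDS:
        if composite <= upper:
            return tier, label
    raise ValueError(f"composite {composite} is outside 1.0-4.0")


def classify(scores, profile="default"):
    composite = composite_score(scores, WEIGHT_PROFILES[profile])
    tier, label = risk_tier(composite)
    return {"composite": composite, "tier": tier, "label": label}


if __name__ == "__main__":
    # The article's five worked examples, all under the default equal weights.
    worked = {
        "Internal knowledge base Q&A bot": DimensionScores(2, 1, 1),
        "HR screening agent": DimensionScores(4, 2, 2),
        "Customer support agent": DimensionScores(3, 3, 4),
        "Clinical triage agent": DimensionScores(4, 3, 4),
        "Meeting summarization agent": DimensionScores(2, 1, 2),
    }
    for name, scores in worked.items():
        print(f"{name:32} -> {classify(scores)}")
    # The same customer support agent under the B2C profile: blast radius dominates.
    print("Customer support agent (consumer_saas) ->",
          classify(worked["Customer support agent"], "consumer_saas"))
```

Running the module reproduces the five worked examples; re-running the customer support agent under the `consumer_saas` profile moves it from 3.3 (Tier 3) to 3.5 (Tier 4), which is the point of letting the weights reflect where an organization's exposure actually sits.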

Virginia Dignum, Professor of Responsible AI at Umea University and member of the UN High-Level Advisory Body on AI, has argued:

:::cite{name="Virginia Dignum" title="Professor of Responsible AI, Umea University; UN High-Level Advisory Body on AI" avatar="/images/experts/virginia-dignum.jpg" linkedin="https://linkedin.com/in/vdignum"}
Responsible AI is more than ticking boxes. Means to assess maturity are needed.
:::

Risk classification is the mechanism that turns qualitative governance aspirations into quantitative, auditable decisions. Without a scoring methodology, classification becomes subjective and subjective classification becomes inconsistent, unauditable and ultimately unenforceable.

Dignum's work on the DARE framework (Design, Accountability, Responsibility, Ethics) provides the theoretical foundation. The practical challenge is translating these principles into a repeatable scoring process that non-specialists can apply consistently. The three-dimension model described in this article is one such translation, distilling seven WEF dimensions into three that map directly to enforcement decisions.

<figure>
<div style="position:relative;padding-bottom:56.25%;height:0;overflow:hidden;border-radius:8px;border:1px solid var(--border)"><iframe src="https://www.youtube.com/embed/d_bgYwWbOJY" title="Beyond Hype and Fear: Responsible AI for Societal Transformation, Virginia Dignum" style="position:absolute;top:0;left:0;width:100%;height:100%;border:0" allow="accelerometer;autoplay;clipboard-write;encrypted-media;gyroscope;picture-in-picture" allowfullscreen loading="lazy"></iframe></div>
<figcaption>Beyond Hype and Fear: Responsible AI for Societal Transformation. Virginia Dignum at TU Wien | <a href="https://www.youtube.com/watch?v=d_bgYwWbOJY" target="_blank" rel="noopener">YouTube</a></figcaption>
</figure>

The scoring model works across industries, team sizes and regulatory regimes. The downloadable worksheet includes blank templates, all five worked examples pre-filled, configurable weight tables and an EU AI Act mapping reference.

:::download{title="AI agent risk classification worksheet" cta="Get the worksheet" file="/downloads/ai-agent-risk-classification-worksheet.pdf"}
A printable scoring template for classifying every AI agent in your organization. Includes the three-dimension scoring rubrics, configurable weight tables, five pre-filled worked examples across industries, EU AI Act mapping and a re-classification trigger checklist.
:::

## Worked examples

Five agents scored across all three dimensions, using default equal weights.

### Example 1: internal knowledge base Q&A bot

| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Data sensitivity | 2 (Internal) | Accesses internal wiki and documentation; no personal data |
| Decision authority | 1 (Advisory) | Read-only; provides answers, takes no actions |
| Blast radius | 1 (Individual) | Serves one user at a time; wrong answer affects only that user |

**Composite:** (2 + 1 + 1) / 3 = **1.3, Tier 1 (Low)**

Governance: Registry entry. Annual review. No certification required. Minimal monitoring.

### Example 2: HR screening agent

| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Data sensitivity | 4 (Restricted) | Processes candidate PII: names, CVs, employment history, potentially protected characteristics |
| Decision authority | 2 (Assisted) | Recommends shortlist, but human recruiter makes final decisions |
| Blast radius | 2 (Team) | Affects hiring team and candidates for specific roles |

**Composite:** (4 + 2 + 2) / 3 = **2.7, Tier 3 (High)**

Governance: Human-in-the-loop required. 180-day certification expiry. Production gate: cannot go live without active certification. EU AI Act Annex III explicitly lists "AI systems intended to be used for recruitment" as high-risk.

### Example 3: Customer support agent

| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Data sensitivity | 3 (Confidential) | Accesses customer account data including order history and contact information |
| Decision authority | 3 (Supervised) | Can issue standard responses, update tickets and escalate, without pre-approval |
| Blast radius | 4 (External) | Customer-facing; errors affect brand perception and customer trust across entire user base |

**Composite:** (3 + 3 + 4) / 3 = **3.3, Tier 3 (High)**

Governance: Enhanced monitoring. Human escalation paths for non-standard situations. 180-day certification. Policy-as-code enforcement on data access and response boundaries.

### Example 4: Clinical triage agent

| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Data sensitivity | 4 (Restricted) | Processes PHI: symptoms, medical history, diagnostic information |
| Decision authority | 3 (Supervised) | Routes patients to appropriate care pathways; autonomous within clinical protocols |
| Blast radius | 4 (External) | Affects patient outcomes; errors can cause direct harm to a regulated population |

**Composite:** (4 + 3 + 4) / 3 = **3.7, Tier 4 (Critical)**

Governance: Maximum oversight. 90-day certification expiry. Continuous monitoring. Incident response plan required. HIPAA compliance mapping. EU AI Act Annex III includes "AI systems intended to be used as safety components" in healthcare.

### Example 5: Meeting summarization agent

| Dimension | Score | Rationale |
|-----------|-------|-----------|
| Data sensitivity | 2 (Internal) | Processes meeting transcripts containing internal business discussions |
| Decision authority | 1 (Advisory) | Generates summaries; takes no actions beyond producing text |
| Blast radius | 2 (Team) | Summaries shared with meeting participants; inaccurate summaries affect team decisions |

**Composite:** (2 + 1 + 2) / 3 = **1.7, Tier 1 (Low)**

Governance: Registry entry. Annual review. No certification required. Light monitoring.

## Dynamic re-classification

Static classification is a snapshot. Agents change. And when agents change, their risk classification must be re-evaluated.

Engin and Hand's dimensional governance framework introduces the concept of "critical trust thresholds": points along each dimension where governance needs shift significantly. Crossing a threshold doesn't require dramatic change. Adding read access to one new database can shift data sensitivity from Internal (2) to Confidential (3), which may push the composite score from Tier 2 to Tier 3, which triggers a completely different governance regime.

**Re-classification triggers:**

| Trigger | Why it matters |
|---------|---------------|
| New data source added | May increase data sensitivity score |
| New tool or API access granted | May increase decision authority score |
| Agent deployed to new user population | May increase blast radius score |
| Model version updated | May change agent behavior, affecting all dimensions |
| Owner leaves the organization | Orphaned agent, triggers governance review |
| Agent-to-agent dependency added | Cascading blast radius, system-level risk assessment needed |
| Certification expired | Forces re-assessment regardless of trigger |

[Thinking.inc's enterprise governance framework](https://thinking.inc/en/blue-ocean/agentic/enterprise-agent-governance/) proposes concrete promotion/demotion criteria: "an agent qualifies for tier promotion when its error rate is below 2% for 30 consecutive days at the current tier. Any agent exhibiting an error rate above 5% should be immediately demoted one tier. Any safety incident triggers immediate demotion to the lowest tier pending investigation."

The key principle: classification is a living assessment, not a one-time label. Connect it to your continuous [compliance certification](/platform/compliance) pipeline so that re-classification triggers re-certification automatically.
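An added Python example of treating classification as a living assessment; it is illustration code, not the article's worksheet or Roval's pipeline. It maps each trigger from the table to the dimension it can move, applies change events to a constructed mini-registry, and flags which agents need re-classification. It also serves the blast radius discussion earlier: an agent's effective blast radius is widened to the largest blast radius of any agent downstream of it, so adding an agent-to-agent dependency is evaluated on the upstream agent's effective score rather than its own. The agent names, scores, `ChangeEvent` fields and trigger keys are constructed for illustration; the findings feed whatever scoring step produces the tier.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class AgentRecord:
    name: str
    data_sensitivity: int
    decision_authority: int
    blast_radius: int        # the agent's own direct blast radius (1-4)
    depends_on: tuple = ()   # names of upstream agents whose output this agent consumes


# Each trigger from the re-classification table, mapped to the dimension it can move.
# None means behaviour or ownership changed and every dimension must be re-scored.
TRIGGER_DIMENSION = {
    "new_data_source": "data_sensitivity",
    "new_tool_access": "decision_authority",
    "new_user_population": "blast_radius",
    "dependency_added": "blast_radius",
    "model_update": None,
    "owner_left": None,
    "certification_expired": None,
}


@dataclass(frozen=True)
class ChangeEvent:
    agent: str
    trigger: str
    new_score: Optional[int] = None   # re-scored value of the affected dimension (1-4)
    downstream: Optional[str] = None  # dependency_added: the agent that now consumes this one's output


def effective_blast_radius(registry, name, _seen=frozenset()):
    """Own blast radius, widened to the largest blast radius of any agent downstream of it."""
    record = registry[name]
    if name in _seen:  # cycle guard for mutually dependent agents
        return record.blast_radius
    seen = _seen | {name}
    downstream = [r.name for r in registry.values() if name in r.depends_on]
    return max([record.blast_radius] + [effective_blast_radius(registry, d, seen) for d in downstream])


def apply_event(registry, event):
    """Return the updated registry and a finding saying whether re-classification is due."""
    if event.trigger not in TRIGGER_DIMENSION:
        raise ValueError(f"unknown trigger {event.trigger!r}")
    dimension = TRIGGER_DIMENSION[event.trigger]
    record = registry[event.agent]
    updated = dict(registry)  # never mutate the caller's registry
    finding = {"agent": event.agent, "trigger": event.trigger, "dimension": dimension}

    if dimension is None:
        # No single dimension to compare: the whole classification is stale.
        finding.update(old=None, new=None, reclassify=True)
    elif event.trigger == "dependency_added":
        if event.downstream not in registry:
            raise ValueError("dependency_added needs a registered downstream agent")
        old = effective_blast_radius(registry, event.agent)
        consumer = registry[event.downstream]
        updated[event.downstream] = replace(consumer, depends_on=consumer.depends_on + (event.agent,))
        new = effective_blast_radius(updated, event.agent)
        finding.update(old=old, new=new, reclassify=new != old)
    else:
        if event.new_score not in (1, 2, 3, 4):
            raise ValueError(f"{event.trigger} needs a new_score of 1-4")
        old = getattr(record, dimension)
        updated[event.agent] = replace(record, **{dimension: event.new_score})
        finding.update(old=old, new=event.new_score, reclassify=event.new_score != old)
    return updated, finding


def evaluate(registry, events):
    """Apply events in order (later events see earlier changes) and collect the findings."""
    findings = []
    for event in events:
        registry, finding = apply_event(registry, event)
        findings.append(finding)
    return findings


# Constructed mini-registry for illustration; scores mirror the article's worked examples.
SAMPLE_REGISTRY = {r.name: r for r in [
    AgentRecord("kb-bot", 2, 1, 1),
    AgentRecord("hr-screening", 4, 2, 2),
    AgentRecord("support-agent", 3, 3, 4),
    AgentRecord("summarizer", 2, 1, 2),
]}

# Constructed change events, one per kind of trigger outcome.
SAMPLE_EVENTS = [
    ChangeEvent("kb-bot", "new_data_source", new_score=3),                     # Internal -> Confidential
    ChangeEvent("summarizer", "dependency_added", downstream="support-agent"),  # feeds a customer-facing agent
    ChangeEvent("hr-screening", "model_update"),                               # full re-score
    ChangeEvent("support-agent", "new_tool_access", new_score=3),              # tool added, authority unchanged
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_REGISTRY, SAMPLE_EVENTS):
        print(finding)
```

The second event is the one to watch: the summarizer's own blast radius stays at Team (2), but once its output feeds the customer-facing support agent its effective blast radius becomes External (4), which is exactly the cascading case the OWASP discussion warns about. A tool grant that does not change the authority score (the last event) is recorded but does not force a re-classification.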

:::fact{title="The Nordic caution, and how classification resolves it"}
Deloitte's 2026 report on AI ROI in the Nordics found that 58% of Nordic respondents using agentic AI anticipate 3+ years for significant ROI, compared to 37% in the rest of Europe. Part of this caution stems from governance uncertainty: organizations don't know which agents are safe to scale. Risk classification resolves this directly. Once every agent has a tier, organizations know exactly which ones can move fast (Tier 1-2) and which ones need enhanced oversight (Tier 3-4).
:::

## Mapping to the EU AI Act

The EU AI Act defines its own risk classification. Here's how the internal four-tier enterprise model maps to the regulatory framework.

| Internal tier | EU AI Act classification | Mapping rationale |
|--------------|--------------------------|-------------------|
| **Critical (4)** | High-risk (Art. 6 + Annex III) | Touches regulated data, autonomous execution, customer-facing or safety-critical |
| **High (3)** | Likely high-risk; assess Art. 6(3) derogation | May qualify for derogation if narrow procedural task or result-improving function |
| **Medium (2)** | Limited risk or not high-risk | Transparency obligations may apply (Art. 50); unlikely to trigger Annex III |
| **Low (1)** | Minimal risk | Art. 6(3) derogation likely applies; voluntary codes of conduct recommended |

**The Article 6(3) derogation** is critical for enterprise classification. An AI system listed in Annex III is *not* high-risk if it "does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons." The derogation applies when the system performs a narrow procedural task, improves a previously completed human activity or detects decision-making patterns without replacing human assessment.

For enterprise AI agents, this means: a Tier 2 (Medium) agent that technically falls under an Annex III use case (e.g., employment-related) may still qualify for the derogation if it's advisory-only, processes no personal data and supports (rather than replaces) human decision-making. Document the derogation justification carefully.

The [ENISA Advisory Group's 2025 opinion paper](https://www.enisa.europa.eu/) recommended that ENISA "monitor the implementation of the AI Act in different member states to identify common cybersecurity challenges in critical sectors and provide additional support." As enforcement patterns emerge across EU member states, enterprise classification models will need to align with sector-specific interpretations.

## The classification worksheet

Implementing this model takes 15 minutes per agent. Here's the process.

**For each agent:**

- Record the agent's identity, owner, framework and deployment status from the registry
- Score data sensitivity (1-4) based on the highest classification of data the agent can access
- Score decision authority (1-4) based on the most consequential action the agent can take without human approval
- Score blast radius (1-4) based on the worst-case scope of impact if the agent fails
- Apply organizational weights (default: equal)
- Calculate composite score and map to tier
- Record the classification, the rationale for each dimension score and the date
- Set the re-classification review date based on the tier

The full worksheet (with blank scoring templates, weight configuration guides, all five worked examples pre-filled, EU AI Act mapping reference and a re-classification trigger checklist) is available as a downloadable PDF.

## Classification is the foundation

Every governance decision your organization makes about AI agents (what policies to enforce, how frequently to certify, what level of monitoring to deploy, how much human oversight to require) depends on knowing which agents are high-risk and which are low-risk.

Without classification, you're either governing everything the same way (which means over-governing the low-risk agents and under-governing the high-risk ones) or not governing at all (which means hoping nothing goes wrong until the auditor arrives).

The three-dimension model gives you a repeatable, auditable, defensible methodology for making that determination. Score the agent. Calculate the tier. Apply the governance. Re-assess when things change.

Start with your top 10 agents. It takes 15 minutes each. By the end of the day, you'll know which ones need attention and which ones can run.

:::cta{title="See Roval in action" description="Book a 15-minute walkthrough of the agent registry, compliance certification and LLM monitoring." cta="Book a demo" href="/demo"}
:::

## Sources and further reading

| Source | URL |
|--------|-----|
| Engin & Hand, "Toward Adaptive Categories: Dimensional Governance for Agentic AI" | https://arxiv.org/abs/2505.11579 |
| Data for Policy CIC, Dimensional Governance Announcement | https://dataforpolicy.org/shaping-the-future-of-ai-oversight-two-new-preprints-on-agentic-ai-from-data-for-policy-leadership/ |
| WEF, "AI Agents in Action: Foundations for Evaluation and Governance" (Nov 2025) | https://www.weforum.org/publications/ai-agents-in-action-foundations-for-evaluation-and-governance/ |
| WEF, Progressive Governance for AI Agents (Dec 2025) | https://www.weforum.org/stories/2025/12/ai-agents-onboarding-governance/ |
| EU AI Act, Article 6 (Classification Rules) | https://artificialintelligenceact.eu/article/6/ |
| EU AI Act, Annex III (High-Risk Use Cases) | https://artificialintelligenceact.eu/annex/3/ |
| EIOPA, Insurance AI Act Factsheet | https://www.eiopa.europa.eu/ |
| EIOPA, Opinion on AI Governance and Risk Management (Aug 2025) | https://www.eiopa.europa.eu/publications/opinion-artificial-intelligence-governance-and-risk-management_en |
| Singapore IMDA, Agentic AI Governance Framework (Jan 2026) | https://www.roedl.com/en/insights/singapore-model-ai-governance-framework/ |
| ENISA Advisory Group, Opinion Paper on Cybersecurity for AI (2025) | https://www.enisa.europa.eu/ |
| OWASP Agentic Blast Radius (Kunal Singh, Jan 2026) | https://www.singhspeak.com/blog/managing-the-agentic-blast-radius-in-multi-agent-systems-owasp-2026 |
| Thinking.inc, Enterprise Agent Governance Framework | https://thinking.inc/en/blue-ocean/agentic/enterprise-agent-governance/ |
| Deloitte, AI ROI in the Nordics (2026) | https://www.deloitte.com/no/no/issues/generative-ai/ai-roi-in-the-nordics.html |
| Virginia Dignum, CAIML/IWM Presentation (Sep 2025) | https://caiml.org/dighum/announcements/virginia-dignum-beyond-hype-and-fear-2025-09-08/ |
| NordForsk, Nordic AI Research Initiative | https://norden.diva-portal.org/smash/get/diva2:1856812/FULLTEXT02 |
| Ardoq, AI Agent Risk for Enterprise Architects | https://www.ardoq.com/blog/ai-agent-risk |
