AI agent risk classification: a practitioner's guide to the three dimensions

The pivot point of agent governance#

Risk classification is the decision that shapes everything downstream. Get it right and your governance program applies the right level of oversight to each agent: light-touch for a knowledge base bot, continuous monitoring for a clinical decision support system. Get it wrong and you either drown low-risk agents in compliance overhead (killing adoption velocity) or leave high-risk agents under-governed (creating exposure that no one sees until the audit).

The problem is that most enterprises classify AI agents the way they classify traditional AI: as a binary. High-risk or not high-risk. Governed or ungoverned. Approved or unapproved. This worked when AI systems produced outputs for humans to review. It doesn’t work when AI agents take autonomous actions, access sensitive data and interact with other agents across organizational boundaries.

Dr Zeynep Engin at University College London and Professor David Hand at Imperial College London made this argument formally in their 2025 paper Toward Adaptive Categories: Dimensional Governance for Agentic AI:

Their core insight is that agent risk isn’t a label you assign once. It’s a position along multiple continuous dimensions and that position moves as agents gain capabilities, access new data and operate in new contexts.

This article provides the practitioner methodology for doing that classification. Not as a theoretical exercise, but as an operational system you can implement this week. (Roval’s agent registry implements this three-dimension model as a core feature; see how it maps to your risk classification workflow.)

Why static categories fail for agents#

The EU AI Act defines a classification system for AI: unacceptable risk (banned), high-risk (strict obligations), limited risk (transparency requirements) and minimal risk (largely unregulated). Article 6 provides the rules and Annex III lists the use cases that qualify as high-risk: biometrics, critical infrastructure, education, employment, law enforcement and others.

This framework was designed for traditional AI systems: a credit scoring model, a medical diagnostic tool, a hiring algorithm. Systems whose behavior is defined at deployment and doesn’t change until someone deliberately modifies them. For those systems, a one-time classification is reasonable.

Agents are different in three ways that break static classification.

Agent behavior is non-deterministic. The same agent, given the same prompt, may take different actions depending on context, conversation history and the current state of the tools it has access to. A classification based on what the agent was designed to do may not reflect what it does in production.

Agent capabilities expand over time. Someone adds a new API integration. A tool permission gets broadened. A model version updates. None of these individually trigger a formal re-assessment, but collectively they can shift an agent’s risk profile from medium to high without anyone noticing.

Agent risk is contextual. The same agent architecture deployed in two different departments can carry fundamentally different risk. A summarization agent processing public marketing content is low-risk. The same architecture processing patient medical records is high-risk. The agent didn’t change. The context did.

The World Economic Forum’s November 2025 white paper addresses this directly, defining seven classification dimensions for agents: Function, Role, Predictability, Autonomy, Authority, Use case and Environment. Their conclusion: “autonomy and authority should not be treated as inherent system properties, but as design choices that can be made based on the agents’ intended functions, risk considerations and oversight requirements.”

Our model distills this into three dimensions that are actionable for enterprise practitioners.

The three dimensions#

Every AI agent can be scored across three dimensions. Each dimension captures a distinct axis of risk. Together, they produce a composite score that maps to a governance tier.

Dimension 1: Data sensitivity#

What it measures: The highest classification of data the agent can access or process.

This isn’t about what data the agent is supposed to access. It’s about what data it can access given its current permissions. An agent with read access to a database containing customer PII is classified based on that access, even if it’s only “supposed to” read the public columns.

Scoring scale:

Score	Level	Definition	Examples
1	Public	Publicly available information only	Marketing content, public documentation, open-source code
2	Internal	Non-public business data, no personal data	Internal wikis, project plans, meeting notes, internal metrics
3	Confidential	Sensitive business data or limited personal data	Employee records, customer account data, financial reports, trade secrets
4	Restricted	Regulated personal data or classified information	PII, PHI, payment card data, biometric data, data subject to legal hold

The European Insurance and Occupational Pensions Authority (EIOPA) published a factsheet on AI systems in insurance confirming that AI systems used for “risk assessment and pricing in relation to natural persons in the case of life and health insurance” are explicitly classified as high-risk under the EU AI Act. The data sensitivity dimension is where this regulatory classification bites: any agent processing health or financial data about individuals triggers the highest tier.

Dimension 2: Decision authority#

What it measures: The degree to which the agent can take actions that affect systems, data or people without human approval.

This dimension captures what Engin and Hand call “process autonomy”: “the degree to which the system can operate without human intervention, supervision or control.” The key distinction is between agents that inform and agents that act.

Scoring scale:

Score	Level	Definition	Examples
1	Advisory	Read-only; provides information or recommendations for human action	Knowledge base Q&A, document summarizer, research assistant
2	Assisted	Can take actions, but only with explicit human approval before execution	Draft-and-review content workflows, purchase requisitions requiring sign-off
3	Supervised	Autonomous within defined guardrails; human notified but doesn’t pre-approve	CRM record updates, internal email responses, scheduled report generation
4	Autonomous	Full execution authority with no human in the loop for routine actions	Automated trading, clinical triage routing, production infrastructure management

The Singapore IMDA Agentic AI Framework (January 2026) specifically calls for organizations to assess “the scope of actions the agent can take, the reversibility of those actions and the level of autonomy the agent will be granted.” Reversibility matters: an agent that can send an email (irreversible) carries higher decision authority risk than one that can draft an email (reversible until a human clicks send).

Dimension 3: Blast radius#

What it measures: The scope of impact if this agent fails catastrophically: produces incorrect outputs, takes unauthorized actions or behaves in ways that violate policy.

Blast radius is the dimension most often overlooked. An agent can be low on data sensitivity and low on decision authority but still be high-risk if its outputs affect a large population. A public-facing chatbot processing no sensitive data and taking no actions can still damage brand reputation across millions of customer interactions.

Scoring scale:

Score	Level	Definition	Examples
1	Individual	Affects a single user or a single workflow	Personal productivity assistant, individual code review agent
2	Team	Affects a team, department or internal process	Team scheduling agent, department reporting bot, project management assistant
3	Organization	Affects the entire organization or a business-critical process	Company-wide HR agent, ERP automation, internal communications agent
4	External	Affects customers, partners, regulated populations or public perception	Customer-facing support agent, public content generation, patient-facing clinical agent

Kunal Singh’s analysis of blast radius in multi-agent systems for OWASP 2026 identified a particularly dangerous pattern: “unchecked blast radius occurs when probabilistic agent behavior becomes persistent, trusted and shared across systems.” In multi-agent environments, a single agent’s failure can propagate through dependent agents, amplifying the blast radius well beyond its own direct scope. When scoring blast radius, account for downstream dependencies, not just the agent’s own direct impact.

Computing the composite risk tier#

The three dimension scores combine into a composite risk tier that determines the agent’s governance treatment.

Step 1: Score each dimension (1-4)

Each dimension is scored independently using the scales above.

Step 2: Apply weights

By default, dimensions are weighted equally (33% each). However, organizations in heavily regulated industries may weight data sensitivity higher, while organizations deploying customer-facing agents may weight blast radius higher.

Example configurations:

Organization type	Data sensitivity	Decision authority	Blast radius
Default	33%	33%	33%
Healthcare / Financial services	50%	30%	20%
Consumer SaaS / B2C	25%	25%	50%
Internal tools / Platform engineering	25%	50%	25%

Step 3: Calculate composite score

Composite = (Data sensitivity x weight1) + (Decision authority x weight2) + (Blast radius x weight3)

The result is a number between 1.0 and 4.0.

Step 4: Map to risk tier

Score range	Tier	Label	Governance implications
1.0-1.7	1	Low	Registry entry, annual review, light-touch monitoring
1.8-2.5	2	Medium	Certification required, 365-day expiry, standard monitoring
2.6-3.3	3	High	Human-in-the-loop for sensitive actions, 180-day cert expiry, production gate
3.4-4.0	4	Critical	Explicit approval required, 90-day cert expiry, continuous monitoring, incident response plan

Virginia Dignum, Professor of Responsible AI at Umea University and member of the UN High-Level Advisory Body on AI, has argued:

Risk classification is the mechanism that turns qualitative governance aspirations into quantitative, auditable decisions. Without a scoring methodology, classification becomes subjective and subjective classification becomes inconsistent, unauditable and ultimately unenforceable.

Dignum’s work on the DARE framework (Design, Accountability, Responsibility, Ethics) provides the theoretical foundation. The practical challenge is translating these principles into a repeatable scoring process that non-specialists can apply consistently. The three-dimension model described in this article is one such translation, distilling seven WEF dimensions into three that map directly to enforcement decisions.

The scoring model works across industries, team sizes and regulatory regimes. The downloadable worksheet includes blank templates, all five worked examples pre-filled, configurable weight tables and an EU AI Act mapping reference.

Worked examples#

Five agents scored across all three dimensions, using default equal weights.

Example 1: internal knowledge base Q&A bot#

Dimension	Score	Rationale
Data sensitivity	2 (Internal)	Accesses internal wiki and documentation; no personal data
Decision authority	1 (Advisory)	Read-only; provides answers, takes no actions
Blast radius	1 (Individual)	Serves one user at a time; wrong answer affects only that user

Composite: (2 + 1 + 1) / 3 = 1.3, Tier 1 (Low)

Governance: Registry entry. Annual review. No certification required. Minimal monitoring.

Example 2: HR screening agent#

Dimension	Score	Rationale
Data sensitivity	4 (Restricted)	Processes candidate PII: names, CVs, employment history, potentially protected characteristics
Decision authority	2 (Assisted)	Recommends shortlist, but human recruiter makes final decisions
Blast radius	2 (Team)	Affects hiring team and candidates for specific roles

Composite: (4 + 2 + 2) / 3 = 2.7, Tier 3 (High)

Governance: Human-in-the-loop required. 180-day certification expiry. Production gate: cannot go live without active certification. EU AI Act Annex III explicitly lists “AI systems intended to be used for recruitment” as high-risk.

Example 3: Customer support agent#

Dimension	Score	Rationale
Data sensitivity	3 (Confidential)	Accesses customer account data including order history and contact information
Decision authority	3 (Supervised)	Can issue standard responses, update tickets and escalate, without pre-approval
Blast radius	4 (External)	Customer-facing; errors affect brand perception and customer trust across entire user base

Composite: (3 + 3 + 4) / 3 = 3.3, Tier 3 (High)

Governance: Enhanced monitoring. Human escalation paths for non-standard situations. 180-day certification. Policy-as-code enforcement on data access and response boundaries.

Example 4: Clinical triage agent#

Dimension	Score	Rationale
Data sensitivity	4 (Restricted)	Processes PHI: symptoms, medical history, diagnostic information
Decision authority	3 (Supervised)	Routes patients to appropriate care pathways; autonomous within clinical protocols
Blast radius	4 (External)	Affects patient outcomes; errors can cause direct harm to a regulated population

Composite: (4 + 3 + 4) / 3 = 3.7, Tier 4 (Critical)

Governance: Maximum oversight. 90-day certification expiry. Continuous monitoring. Incident response plan required. HIPAA compliance mapping. EU AI Act Annex III includes “AI systems intended to be used as safety components” in healthcare.

Example 5: Meeting summarization agent#

Dimension	Score	Rationale
Data sensitivity	2 (Internal)	Processes meeting transcripts containing internal business discussions
Decision authority	1 (Advisory)	Generates summaries; takes no actions beyond producing text
Blast radius	2 (Team)	Summaries shared with meeting participants; inaccurate summaries affect team decisions

Composite: (2 + 1 + 2) / 3 = 1.7, Tier 1 (Low)

Governance: Registry entry. Annual review. No certification required. Light monitoring.

Dynamic re-classification#

Static classification is a snapshot. Agents change. And when agents change, their risk classification must be re-evaluated.

Engin and Hand’s dimensional governance framework introduces the concept of “critical trust thresholds”: points along each dimension where governance needs shift significantly. Crossing a threshold doesn’t require dramatic change. Adding read access to one new database can shift data sensitivity from Internal (2) to Confidential (3), which may push the composite score from Tier 2 to Tier 3, which triggers a completely different governance regime.

Re-classification triggers:

Trigger	Why it matters
New data source added	May increase data sensitivity score
New tool or API access granted	May increase decision authority score
Agent deployed to new user population	May increase blast radius score
Model version updated	May change agent behavior, affecting all dimensions
Owner leaves the organization	Orphaned agent, triggers governance review
Agent-to-agent dependency added	Cascading blast radius, system-level risk assessment needed
Certification expired	Forces re-assessment regardless of trigger

Thinking.inc’s enterprise governance framework proposes concrete promotion/demotion criteria: “an agent qualifies for tier promotion when its error rate is below 2% for 30 consecutive days at the current tier. Any agent exhibiting an error rate above 5% should be immediately demoted one tier. Any safety incident triggers immediate demotion to the lowest tier pending investigation.”

The key principle: classification is a living assessment, not a one-time label. Connect it to your continuous compliance certification pipeline so that re-classification triggers re-certification automatically.

Mapping to the EU AI Act#

The EU AI Act defines its own risk classification. Here’s how the internal four-tier enterprise model maps to the regulatory framework.

Internal tier	EU AI Act classification	Mapping rationale
Critical (4)	High-risk (Art. 6 + Annex III)	Touches regulated data, autonomous execution, customer-facing or safety-critical
High (3)	Likely high-risk; assess Art. 6(3) derogation	May qualify for derogation if narrow procedural task or result-improving function
Medium (2)	Limited risk or not high-risk	Transparency obligations may apply (Art. 50); unlikely to trigger Annex III
Low (1)	Minimal risk	Art. 6(3) derogation likely applies; voluntary codes of conduct recommended

The Article 6(3) derogation is critical for enterprise classification. An AI system listed in Annex III is not high-risk if it “does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons.” The derogation applies when the system performs a narrow procedural task, improves a previously completed human activity or detects decision-making patterns without replacing human assessment.

For enterprise AI agents, this means: a Tier 2 (Medium) agent that technically falls under an Annex III use case (e.g., employment-related) may still qualify for the derogation if it’s advisory-only, processes no personal data and supports (rather than replaces) human decision-making. Document the derogation justification carefully.

The ENISA Advisory Group’s 2025 opinion paper recommended that ENISA “monitor the implementation of the AI Act in different member states to identify common cybersecurity challenges in critical sectors and provide additional support.” As enforcement patterns emerge across EU member states, enterprise classification models will need to align with sector-specific interpretations.

The classification worksheet#

Implementing this model takes 15 minutes per agent. Here’s the process.

For each agent:

• Record the agent’s identity, owner, framework and deployment status from the registry
• Score data sensitivity (1-4) based on the highest classification of data the agent can access
• Score decision authority (1-4) based on the most consequential action the agent can take without human approval
• Score blast radius (1-4) based on the worst-case scope of impact if the agent fails
• Apply organizational weights (default: equal)
• Calculate composite score and map to tier
• Record the classification, the rationale for each dimension score and the date
• Set the re-classification review date based on the tier

The full worksheet (with blank scoring templates, weight configuration guides, all five worked examples pre-filled, EU AI Act mapping reference and a re-classification trigger checklist) is available as a downloadable PDF.

Classification is the foundation#

Every governance decision your organization makes about AI agents (what policies to enforce, how frequently to certify, what level of monitoring to deploy, how much human oversight to require) depends on knowing which agents are high-risk and which are low-risk.

Without classification, you’re either governing everything the same way (which means over-governing the low-risk agents and under-governing the high-risk ones) or not governing at all (which means hoping nothing goes wrong until the auditor arrives).

The three-dimension model gives you a repeatable, auditable, defensible methodology for making that determination. Score the agent. Calculate the tier. Apply the governance. Re-assess when things change.

Start with your top 10 agents. It takes 15 minutes each. By the end of the day, you’ll know which ones need attention and which ones can run.

Sources and further reading#

Source	URL
Engin & Hand, “Toward Adaptive Categories: Dimensional Governance for Agentic AI”	https://arxiv.org/abs/2505.11579
Data for Policy CIC, Dimensional Governance Announcement	https://dataforpolicy.org/shaping-the-future-of-ai-oversight-two-new-preprints-on-agentic-ai-from-data-for-policy-leadership/
WEF, “AI Agents in Action: Foundations for Evaluation and Governance” (Nov 2025)	https://www.weforum.org/publications/ai-agents-in-action-foundations-for-evaluation-and-governance/
WEF, Progressive Governance for AI Agents (Dec 2025)	https://www.weforum.org/stories/2025/12/ai-agents-onboarding-governance/
EU AI Act, Article 6 (Classification Rules)	https://artificialintelligenceact.eu/article/6/
EU AI Act, Annex III (High-Risk Use Cases)	https://artificialintelligenceact.eu/annex/3/
EIOPA, Insurance AI Act Factsheet	https://www.eiopa.europa.eu/
EIOPA, Opinion on AI Governance and Risk Management (Aug 2025)	https://www.eiopa.europa.eu/publications/opinion-artificial-intelligence-governance-and-risk-management_en
Singapore IMDA, Agentic AI Governance Framework (Jan 2026)	https://www.roedl.com/en/insights/singapore-model-ai-governance-framework/
ENISA Advisory Group, Opinion Paper on Cybersecurity for AI (2025)	https://www.enisa.europa.eu/
OWASP Agentic Blast Radius (Kunal Singh, Jan 2026)	https://www.singhspeak.com/blog/managing-the-agentic-blast-radius-in-multi-agent-systems-owasp-2026
Thinking.inc, Enterprise Agent Governance Framework	https://thinking.inc/en/blue-ocean/agentic/enterprise-agent-governance/
Deloitte, AI ROI in the Nordics (2026)	https://www.deloitte.com/no/no/issues/generative-ai/ai-roi-in-the-nordics.html
Virginia Dignum, CAIML/IWM Presentation (Sep 2025)	https://caiml.org/dighum/announcements/virginia-dignum-beyond-hype-and-fear-2025-09-08/
NordForsk, Nordic AI Research Initiative	https://norden.diva-portal.org/smash/get/diva2:1856812/FULLTEXT02
Ardoq, AI Agent Risk for Enterprise Architects	https://www.ardoq.com/blog/ai-agent-risk