Govern every agent from first deploy to final retirement
Agents have lifecycles. They're drafted, tested, promoted to production, deprecated when superseded, and retired when no longer needed. Roval tracks every state, enforces every gate, and preserves every record, so no agent reaches production uncertified, no deprecated agent is forgotten, and no retired agent leaves a compliance gap.
Agents are born. They're rarely retired.
A developer builds a proof-of-concept agent. It works. It stays running. The developer moves to another team, or leaves the company entirely. The agent keeps calling APIs, consuming tokens, and accessing data, with nobody responsible for it.
Meanwhile, the model provider deprecates the version the agent depends on. A framework releases a breaking change. An API the agent calls gets sunset. Nobody tracks these dependencies across the agent estate, so nobody knows which agents are about to break until they break.
And when an agent finally does get turned off, there's no documentation of what happened. No succession plan. No archive of its compliance records. In regulated industries, this is an audit finding waiting to happen.
Especially as we're talking and moving into things like agentic AI, where things are potentially happening in an autonomous way, there may be even further guardrails so that we don't do the wrong thing.
If you have agentic agents doing things in healthcare, it's a very complex and messy situation... it's even harder than human identity to control and to understand.
Seven states. One governed lifecycle.
Every agent in Roval follows a defined state machine. Transitions are enforced by the platform, not by process, not by documentation, not by hope.
From draft to retired: every transition enforced
Every state transition is recorded in an immutable audit log with actor, timestamp, and before/after state. Invalid transitions are blocked. You can't skip from Draft to Production. You can't retire an agent without documenting what happened.
Hard gates, not guidelines
Tier 3+ agents cannot advance to Production without an active, non-expired certification. This is enforced by the platform. When an agent is in Staging and its certification has expired, the Production gate blocks the transition with an explanatory error.
Every state has a purpose
Draft for registration. In Development for active building. Testing for validation. Staging for pre-production certification checks. Production for live monitoring. Deprecated for managed wind-down. Retired for permanent record preservation.
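The enforcement described above, sketched as an added example that is not Roval's own code: a state machine that blocks invalid transitions, applies the Tier 3+ certification gate before Production, and records actor, timestamp, and before/after state. The strictly linear transition order, the `Agent` fields, and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class State(Enum):
    DRAFT = "Draft"
    IN_DEVELOPMENT = "In Development"
    TESTING = "Testing"
    STAGING = "Staging"
    PRODUCTION = "Production"
    DEPRECATED = "Deprecated"
    RETIRED = "Retired"

# Assumption: each state may only advance to the next one in the list above.
ORDER = list(State)
ALLOWED = {a: {b} for a, b in zip(ORDER, ORDER[1:])}

class TransitionBlocked(Exception):
    """Raised when a gate refuses a transition; the message explains why."""

@dataclass
class Agent:
    name: str
    tier: int
    state: State = State.DRAFT
    cert_expires: Optional[datetime] = None
    audit: list = field(default_factory=list)  # append-only in this sketch

def transition(agent, target, actor, now, retirement_note=None):
    # Gate 1: only transitions present in the graph are valid (no skipping).
    if target not in ALLOWED.get(agent.state, set()):
        raise TransitionBlocked(f"{agent.state.value} -> {target.value} is not a valid transition")
    # Gate 2: Tier 3+ agents need an active, non-expired certification.
    if target is State.PRODUCTION and agent.tier >= 3:
        if agent.cert_expires is None or agent.cert_expires <= now:
            raise TransitionBlocked("Tier 3+ agent needs an active, non-expired certification")
    # Gate 3: retirement must document what happened.
    if target is State.RETIRED and not retirement_note:
        raise TransitionBlocked("retirement requires documentation of what happened")
    record = {"actor": actor, "timestamp": now.isoformat(),
              "before": agent.state.value, "after": target.value,
              "note": retirement_note}
    agent.audit.append(record)
    agent.state = target
    return record

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    agent = Agent("claims-triage", tier=3)  # constructed sample agent
    for step in (State.IN_DEVELOPMENT, State.TESTING, State.STAGING):
        transition(agent, step, "alice", now)
    agent.cert_expires = now + timedelta(days=30)
    print(transition(agent, State.PRODUCTION, "alice", now))
```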
Know when a dependency changes before agents break
Every agent has dependencies: a model provider, a framework, integration libraries, data sources. Each dependency has its own lifecycle. Roval tracks them across the entire agent inventory and surfaces risk before it materializes.
Dependency alerts, not just a graph
When a model provider announces a deprecation, Roval surfaces every affected agent, sorted by risk tier, with days until impact. When a framework releases a breaking change, you see the blast radius before anything breaks.
Five dependency types, continuously monitored
Model providers, frameworks, data sources, APIs, and other agents. When an upstream agent is deprecated or retired, downstream agents are flagged for review. When an API gets sunset, you see every agent affected.
Retire agents without creating compliance gaps
When an agent needs to be retired, Roval provides the governance framework for a controlled transition.
Four steps to a clean retirement
Inventory dependencies. Preserve records. Manage succession. Execute decommission. Every step is enforced and logged.
For regulated industries: the EU AI Act requires post-market monitoring records. SOC 2 Type II auditors will ask what happened to agents in scope during the observation period. HIPAA requires documentation of system decommissioning when PHI was involved. Roval's retirement workflow satisfies all three.
EU AI Act Art. 72 · SOC 2 CC6.5 · HIPAA § 164.310(d)
Frameworks that require lifecycle management
Lifecycle governance is a legal requirement under these frameworks.
Article 9 requires risk management as a continuous iterative process. Article 72 requires post-market monitoring throughout the system's lifetime.
Clause 8.4 requires documented lifecycle processes including planning, design, verification, deployment, operation, and retirement.
GOVERN 1.5 requires ongoing monitoring and periodic review of AI system risk, including processes for decommissioning.
CC6.5 requires disposal processes for system components. CC8.1 requires change management. Agents entering and leaving production are in scope.
Lifecycle management is built into every module
Every lifecycle state flows directly from the agent registry into compliance tracking and audit evidence. Lifecycle management is a core capability of the AI agent management platform.
Agent Registry
Register agents, assign owners, classify risk, and enforce lifecycle gates from a single registry that stays current automatically.
Compliance & Certification
Risk tiers drive which frameworks apply. Certifications auto-expire by tier. Drift detection catches configuration changes after certification.
Stop discovering lifecycle gaps during audits
Join the private beta. Full lifecycle governance setup takes under a day.