KYE Learn™ · Playbook

12 do's and don'ts before procurement signs.

Twelve items every procurement-side reviewer should verify before approving an AI-agent deployment in a regulated workflow. Each item has the failure mode you'd be approving if you skip it.

Published 2026-05-19 · reviewed 2026-05-19 · ~7-min read

Do

  1. Do declare authority before the agent runs. Each agent has a named, scoped permission to act, granted by a named human principal, with a recorded purpose and an expiry. Failure mode if skipped: the agent acts on ambient permissions you can't audit.
  2. Do emit evidence at decision-time. Purpose, admissibility decision, actor, scope, action, outcome — signed and hash-linked. Failure mode: evidence is reconstructed from logs after the fact and won't survive regulator cross-examination.
  3. Do require dual-channel sign-off on irreversibles. Payments released, schemas migrated, secrets rotated, customer-facing notices sent. Two independent humans through two independent channels. Failure mode: a single phishing compromise becomes a six-figure incident.
  4. Do run in shadow mode against a known-good baseline first. Measure agent quality before enforcement. Failure mode: agent quality discovered in production with customer impact attached.
  5. Do attest controls every ≤90 days. Each control has a named owner, a freshness window, a signed attestation. Failure mode: the SOC 2 lookback finds 8-month gaps in your evidence.
  6. Do keep the authority lattice version-controlled. Every change to who-may-do-what is reviewed + diff'd + reviewed. Failure mode: authority creep, where the lattice silently expands without anyone noticing.

Don't

  1. Don't trust "we have a policy" — ask to see the runtime enforcement. Policies that aren't enforced are theatre. Failure mode: the policy says one thing, the agents do another, the regulator finds out.
  2. Don't conflate model evaluation with action evaluation. Model quality doesn't tell you whether the agent had the right to act. They are different problems. Failure mode: excellent model, illegal action, fine.
  3. Don't let your AI vendor define "AI governance" for you. The category is regulator-defined now (EU AI Act, ISO 42001, SR 11-7, DORA). Vendor-defined governance is a sales surface. Failure mode: you bought a dashboard, not a control.
  4. Don't auto-approve "low-risk" payments or notices. The "low" in low-risk is the vendor's threshold, not yours. Failure mode: the vendor's threshold turns out to be wrong for your tenant + you can't unwind.
  5. Don't accept evidence that's only readable by the vendor. Replay-Proof™ evidence is verifiable by a third party using only public signatures + the public spec. If you can't verify it yourself, regulators can't either. Failure mode: the vendor goes dark and your audit-trail goes with them.
  6. Don't skip the off-ramp. An AI-governance vendor must publish how to export everything (manifests, dictionaries, evidence packs, attestations) in open formats. Failure mode: vendor lock-in becomes audit lock-in.

How KYE Protocol™ satisfies the checklist

Every item maps to a built-in KYE Protocol™ engine or surface — that's the design. Apply for an Audit Pilot™ and we run this checklist against your workflow, line by line, on a single scoped pipeline. Output: a written report on which items are covered, which need work, and the staged plan to close the gaps.

Next: back to the AI governance pillar