NIST AI RMF

AF-1

agent_identities row per agent (DID, lifecycle, owner FK); members directory listing

The agent_identities table is the inventory; AF-1.5 surfaces it in /members.

AF-3 (state only)

agent_charters.status = 'retired'; agent_identities.deleted_at

Retirement state exists in the charter lifecycle, but the workflow (revoke commitments, freeze new ledger writes, archive view) is unbuilt. Tracked in AF-7.4.

AF-2

agent_owners row with role ∈ {primary, secondary, observer}, verification_status='verified', escalation priority ordering

Owner taxonomy is the canonical accountability map. Backfilled rows ship with verification_status='backfilled_pending' to prevent reading defaults as governance.

None

—

AF-2 owner roles do not include an executive-sponsor dimension. For agents with riskLevel='high' we'd require a named sponsor on top of the primary owner. Tracked in AF-7.6.

AF-3

agent_charters.humanOversight.{requiredFor, monitoringCadence, overrideAuthority}; agent_charters.approvalRequirements[]

The charter humanOversight block plus the approval-requirements list together specify human-AI role differentiation per agent. Aligns with EU AI Act Art 14.

AF-3, AF-1

agent_charters (the policy artifact, signed via signedByOwnerId and signedByOwnerAt); agent_action_events (every action observable, proves implementation)

Charter is the per-agent policy-as-data; ledger proves the policy is implemented, not just written.

AF-3, AF-0

agent_charters.riskLevel; action_verbs.risk_class; agent_action_events.decision

Two-axis risk capture: per-agent (charter) and per-action-class (vocabulary). Ledger records every decision against those classifications. ADR-044 cites this requirement directly.

AF-1, AF-7.3

agent_action_events queries by tenant/agent/time; decision='blocked' rows surface action-level errors

Ledger gives observability and per-action error capture. Incident workflow + linkage to specific ledger entries is tracked under AF-7.3.

None (tenant-level)

—

External-feedback collection is a tenant-wide governance practice (existing exception/feedback workflows belong to the broader product, not AF). Not tracking in AF-7 — out of agent-governance scope.

AF-3

agent_charters.purpose; agent_charters.scope; agent_charters.mayActions[] (slug-keyed to action_verbs)

Charter purpose + scope + mayActions together define the agent's permitted task surface in machine-readable form.

AF-3, AF-6

agent_charters.humanOversight; AF-6 escalation row in ledger with decision='escalated' and approved_by_user_id populated on resolution

Oversight is declared in the charter and enforced by AF-6. The escalated-action row in the ledger proves the process operated.

AF-4

agent_statement_assignments row per controlling statement (with accepted_by, rationale, charter_hash); downstream policy_commitments for verifiable issuance

The four-state binding (run → suggestion → assignment → commitment) is the documented internal-risk-control map per agent.

AF-3, AF-6

agent_charters.mayNotActions; agent_charters.mustEscalateWhen; AF-6 preflight evaluator + ledger row with decision='blocked' or 'escalated'

Charter declares prohibited and escalation-required actions; AF-6 enforces; ledger records the response.

AF-6, AF-7.1

AF-6 per-action override (block/escalate decisions written to ledger); agent-level kill switch tracked in AF-7.1

Per-action override is in AF-6 (live). Agent-level deactivation — suspend the whole agent — is the kill switch, AF-7.1.

AF-1.5, AF-6

Recent Actions tab on /members/[id]; AF-6 escalation rows with approved_by_user_id (appeal/override path)

Monitoring + appeal/override covered. Decommissioning → AF-7.4. Incident response → AF-7.3. Change management of charters covered by supersedesCharterId chain.

AF-7.3

—

AF-1 ledger captures action-level errors via decision='blocked'. Incident workflow (ack, triage, resolve, link to ledger entries) is tracked under AF-7.3.