Agent as Process / Application / Query / Dashboard
complete RACI & control model

Ward 2 | 26 lifecycle stages
Core principle: An agentic AI that operates as a workflow, application, query engine, or dashboard must be governed with the same rigour as any bank-grade controlled process and production system. This model covers four sub-pillars: Process (workflow governance), Application (system governance), Query (retrieval & inference governance), and Dashboard (visualisation & reporting governance). Each has distinct control obligations — but they share a common compliance spine.
Control areas by pillar: All pillars 26, Process 12, Application 13, Query 8, Dashboard 7
All pillars: Showing all 26 control areas across Process, Application, Query, and Dashboard governance. Each row is tagged to its sub-pillar. Many controls apply across multiple pillars — the tagging reflects the primary governance home.
R — Responsible
A — Accountable
C — Consulted
I — Informed
BU = Business owner; IT = Platform / engineering; RISK = Op / model / tech risk; COMP = Compliance / legal / privacy; OPS = Operations / SRE / support; IA = Internal audit
# | Control area | Traditional eq. | BU | IT | RISK | COMP | OPS | IA | Evidence
26 control areas
380+ control points
4 sub-pillars
6 lifecycle phases
6 RACI roles
12 control domains

Minimum checklist — AI as Process

Is the AI-enabled process formally documented?
Are controls embedded at the right points?
Are exceptions and escalations defined?
Is each process step traceable?
Is policy mapped to workflow?
Is there a manual fallback?
Are changes governed?
Is the process monitored with KRIs?
Can audit reconstruct a case end to end?

Minimum checklist — AI as Application

Is it in application inventory?
Has architecture been approved?
Are security controls implemented?
Is the model approved and tested?
Are prompts, policies, and configs version-controlled?
Is the data lineage and privacy position known?
Is telemetry sufficient?
Is there a rollback and kill switch?
Is spend governed?
Are third-party and open-source risks assessed?
Can it be retired cleanly?

Minimum checklist — AI as Query / Dashboard

Is every query logged with caller, intent, and source?
Are retrieval sources approved and lineage-tracked?
Is confidence scoring applied before surfacing results?
Are dashboard outputs validated before rendering?
Is there access control per audience and data sensitivity?
Are refresh cadences and staleness controls defined?
Can a metric be traced from widget to source?
Are AI-generated insights labelled and accompanied by a disclaimer?
The blunt version: A bank must govern AI in three ways — like an employee, like a controlled process, and like a production application. Ward 2 covers the second and third. If the AI-operated workflow has no controls, no approvals, no traceability, and no fallback — it is not a process, it is a liability. If the AI application has no architecture review, no security, no monitoring, and no kill switch — it is not an application, it is an incident waiting to happen. If the query engine or dashboard has no lineage, no confidence scoring, and no access control — it is not intelligence, it is misinformation.