Enterprise AI Progressive Deployment Through Earned Capability

Regulatory Framework

Five regimes now jointly govern enterprise AI deployment, and they are converging on a common operational vocabulary.

NIST AI RMF (1.0, January 2023, with the Generative AI Profile, July 2024). The framework defines four functions: Govern (organizational accountability), Map (context and risk identification), Measure (assessment and metrics), and Manage (allocation of resources to risk). Generative-AI-specific risks include confabulation, information integrity, and value-chain risk. Measure-2.x and Manage-2.x require ongoing performance assessment and risk-tier-appropriate response. A deployment that grants capabilities at onboarding and reassesses annually is non-conformant; the framework expects continuous measurement bound to action.

NIST CSF 2.0 (February 2024). The new Govern function elevates oversight to a peer of Identify, Protect, Detect, Respond, and Recover. AI agents that take action on enterprise systems are subjects of CSF; their authority must be governed under GV.OC and GV.RR, with evidence under GV.OV.

ISO/IEC 42001 AIMS. Annex A controls include A.6.2 (AI system impact assessment), A.7 (data for AI systems), A.9 (use of AI systems including authorized use), and A.10 (third-party and customer relationships). A.9 is the load-bearing control for skill gating: the organization must define and enforce authorized use, and the enforcement must be documentable on demand.

EU AI Act Article 26 (deployer obligations) and Article 27 (fundamental-rights impact assessment). Deployers of high-risk AI systems must use them in accordance with instructions for use, ensure input data are relevant and sufficiently representative, monitor operation, and keep logs for at least six months. Deployer obligations attach independently of the provider's obligations and cannot be discharged by procurement.

SOC 2 Type II, FedRAMP, FFIEC, and NIST SP 800-218 SSDF. SOC 2 Common Criteria CC6 (logical access) and CC7 (system operations) require that access be both granted and revoked based on need, with monitoring evidence over the audit period. FedRAMP Moderate and High inherit and extend these via NIST SP 800-53 controls AC-2 (account management), AC-6 (least privilege), and CA-7 (continuous monitoring). FFIEC IT Handbook expectations and the OCC/FRB SR 11-7 model-risk guidance treat AI agents as models requiring ongoing performance monitoring and tiered controls. The SSDF (SP 800-218) extends to AI-augmented development tools the same secure-development discipline applied to traditional software, including PO.5 archive and protect each release and PS.3 protect software releases from unauthorized modification.

Architectural Requirement

The convergent demand is a control surface that operates at the granularity of capability rather than role, that binds each capability to current evidence rather than past administrative decision, and that emits an audit-grade record of every grant, exercise, denial, and revocation.

Three architectural primitives are required. First, a capability curriculum: an explicit, versioned graph of capabilities ordered by risk, with prerequisites, evidence requirements, and expiration semantics. Second, an evidence gate: a function that takes the agent's recent performance record and a candidate capability and returns grant, deny, or revoke, with a citation to the evidence rule applied. Third, a governance log: an append-only record of every gate evaluation, capability state transition, and capability-bound action, sufficient to support SOC 2 Type II auditor walk-throughs, EU AI Act Article 26 record-keeping, and FFIEC model-risk attestation.

These primitives convert the deployment from a static access posture into a living governance system whose state is, at every moment, defensible.

Why Procedural Compliance Fails

The default enterprise compliance posture for AI agents is procedural: an acceptable-use policy, a procurement-time risk assessment, an RBAC mapping that puts the agent in a role, and a periodic review that nominally re-justifies the role assignment. Each layer has a purpose; together, they fail the regulatory tests above.

Policies do not constrain agent action. They constrain agent configuration, but a configured agent in production may exhibit performance characteristics no policy anticipated. NIST AI RMF Measure functions explicitly require behavioral evidence; policy documents are not behavioral evidence.

Procurement-time risk assessment is a snapshot. ISO 42001 A.6.2 calls it an impact assessment, but the standard's continual-improvement clause and the EU AI Act Article 26 monitoring obligation make clear that the snapshot is necessary and not sufficient. Agent capabilities drift as upstream models update, as data distributions shift, and as deployment context evolves. A snapshot dated eleven months ago does not satisfy a continuous-monitoring obligation.

RBAC is the most consequential failure. RBAC binds permissions to role membership. Two agents in the customer_service role have identical permissions; their actual demonstrated competence may differ by an order of magnitude. RBAC has no representation for the difference. SOC 2 CC6.1's least-privilege expectation, AC-6 in FedRAMP, and FFIEC's tiered-control expectation all become unsatisfiable: the organization cannot grant only what is needed, only what the role enumerates.

Periodic access reviews paper over the gap. They are administrative, calendar-driven, and largely informed by absence of incident rather than presence of performance evidence. Under EU AI Act Article 26 monitoring obligations and NIST AI RMF Manage-2.3 (resources allocated based on assessed and prioritized risk), absence of incident is not the metric; demonstrated currently-acceptable performance is.

The cumulative effect is that the procedural stack produces governance theater rather than governance. The agent has a role; the role has a policy; the policy has been signed; the audit binder is full. None of the artifacts answers the regulator's actual question, which is whether the agent's current authority is currently warranted.

What AQ Primitive Provides

Adaptive Query's LLM skill-gating primitive instantiates the capability curriculum, evidence gate, and governance log as the deployment's primary control surface. The model proposes an action; the gate decides whether the agent has earned the capability the action requires; the log records both the proposal and the decision. The model's confidence is irrelevant to authorization; the gate's evidence record is the authorization.

The capability curriculum is authored per agent class and versioned alongside the deployment. A customer-service curriculum, for example, may begin with read-only retrieval, progress to status updates, then to issue classification, then to refund authorization within a bounded amount, then to refund authorization without bound, then to account modification. Each level specifies its prerequisites (which capabilities must currently be granted), its evidence requirements (which performance metrics over which window at what threshold), its expiration (capabilities are time-bounded and re-earned), and its regression triggers (which performance excursions cause immediate revocation).

Evidence gates are deterministic functions over the agent's logged behavior. They evaluate accuracy, calibration, escalation appropriateness, and domain-specific outcome metrics across a sliding window of recent interactions. They are not subjective. They are not administrative. They are evaluable on demand by an auditor who has read the curriculum, and their decisions are reproducible from the log.

Regression detection runs continuously. An agent that earned a capability and whose recent evidence falls below the maintenance threshold has the capability revoked structurally; subsequent attempts to exercise it are starved. The starvation is not a soft failure surfaced to the user; it is a structural property of the gate. The agent cannot route around it, and the LLM cannot bypass it by generating a more confident proposal.

The governance log is append-only and SOC 2-grade. Every gate evaluation, every capability state transition, every action authorized or denied is recorded with the rule applied, the evidence cited, and the resulting state. The log is the artifact that an EU AI Act Article 26 monitoring obligation produces, an FFIEC model-risk review consumes, an ISO 42001 A.9 audit walks, and a SOC 2 Type II auditor samples. It is the deployment's continuous-monitoring evidence, generated as a byproduct of operation rather than as a separate compliance task.

Skill gating is, in the limit, the structural realization of least privilege for AI agents: at every moment, the agent has exactly the authority its current evidence supports, and the audit answer is generated rather than asserted.

Compliance Mapping

NIST AI RMF. The capability curriculum is the Map artifact for authorized use. The evidence gates are Measure functions. Regression-driven revocation is Manage-2.3 risk-tier-appropriate response. The governance log is the Govern function's traceability substrate.

NIST CSF 2.0. Govern (GV.OC, GV.RR, GV.OV) is satisfied by the curriculum's organizational anchoring and the log's oversight evidence. Protect (PR.AA access control) is satisfied at capability granularity. Detect (DE.CM continuous monitoring) is satisfied by regression detection.

ISO/IEC 42001 A.9 (authorized use). The curriculum specifies authorized use; the gate enforces it; the log evidences enforcement. A.6.2 impact-assessment outputs feed curriculum design; the design is therefore traceable to assessed impact.

EU AI Act Articles 26 and 27. Deployer monitoring is the gate's continuous evaluation. Six-month log retention is exceeded by default. Article 27 fundamental-rights impact assessments inform curriculum thresholds, particularly for capabilities affecting natural persons.

SOC 2 Type II (CC6, CC7) and FedRAMP (AC-2, AC-6, CA-7). Logical access is granted at capability granularity; least privilege is structural; continuous monitoring is intrinsic to operation. The log supports auditor sampling without supplemental data collection.

FFIEC IT Handbook and SR 11-7. The agent is treated as a model; the curriculum's tiered capabilities map to model-risk tiers; regression detection is the ongoing performance monitoring SR 11-7 requires; the log is the model inventory's behavioral record.

NIST SP 800-218 SSDF. Curriculum versioning aligns with PO.5 release archival; the gate is the PS.3 protection mechanism applied at runtime to the agent's effective authority.

Adoption Pathway

Phase one (weeks 1-4): inventory and curriculum draft. The organization inventories AI agents, classifies them by impact tier under ISO 42001 A.6.2 and EU AI Act Article 27, and drafts capability curricula per agent class. Existing role assignments are mapped onto initial curriculum levels.

Phase two (weeks 5-10): shadow gating. Skill gating runs in observation mode. Gate decisions are logged but not enforced; existing RBAC continues to authorize. The shadow log produces the evidence baseline used to calibrate gate thresholds and to identify agents whose current role exceeds their current evidence.

Phase three (weeks 11-18): enforcement rollout. Enforcement begins with the lowest-tier capabilities and progresses upward as confidence in gate calibration grows. RBAC is retained as a coarse outer fence; skill gating becomes the inner, evidence-driven control. Regression detection is enabled with conservative thresholds.

Phase four (week 19 onward): continuous governance. The governance log feeds SOC 2 Type II, ISO 42001 internal audit, EU AI Act Article 26 record-keeping, and FFIEC model-risk reviews directly. Curriculum versions evolve under change control; new agent classes onboard against the curriculum template rather than against ad-hoc role definitions.

The adoption pathway is incremental, evidence-producing, and reversible. The destination is an enterprise AI deployment whose governance is not a binder but a runtime property: at every moment, every agent has exactly the authority its evidence supports, and the audit answer is already written.