Enterprise Decision & Control Runtime Audit - IRIS

Identity, authorization, controls, accountability, resilience, lifecycle, and operating-model proof
Control runtimeEnterprise-gradeGaps visible

Enterprise Decision & Control Runtime Audit

This page audits the runtime through the enterprise operating-model lens: identity, authorization, data contracts, controls, resilience, accountability, change management, and operating model. It shows what is already proven by the runtime and what must be hardened for production.

Readiness
60%
Audited cases
8
Agents
1
Skills
8
Evidence linked
1
Replayable
1

Enterprise operating-model test

The question is not whether an agent can detect duplicate invoices. The question is whether the platform can safely run finance decisions inside a global enterprise.

IdentityWho is this agent operationally?
AuthorizationWhat can this agent or human actually do?
Data contractsWhich governed data products and SORs are used?
ControlsWhich control, policy, evidence, and attestation apply?
ResilienceHow does the process continue when AI or integration fails?
AccountabilityWho approved, who executed, and what proves it?
Change managementHow are agents certified, piloted, promoted, and retired?
Operating modelWhich roles own execution, approval, governance, cyber, audit, and operations?

Enterprise Control Plane

The control plane is the business operating layer above the agent data plane. It makes authorities, policies, controls, owners, fallback paths, and replay visible.

Identity registryHuman and agent identities, roles, owners, risk classes
Policy registryBusiness, control, and AI policies
Control registrySOX, finance, operational, and cyber controls
Agent registryVersions, approvals, certifications, and risk levels
Runtime governanceWho did what, why, when, with which evidence
Resilience centerFallback, business continuity, DR, and recovery status

Live Enterprise Decision & Control Runtime Audit

Live runtime

Overall readiness
60%
Agents
1
Skills
8
Replayable
1
LayerScorePurposeRuntime proofRemaining gap
Enterprise Identity50%Every agent and skill has an operational identity, owner, risk class, and authority boundary.1 agent identities linked to decision ledger; 7 skill owners resolved; Skill owner and risk class exposed in Skills + Policy AuditNo critical gap captured
Enterprise Authorization12%Agent action is gated by identity, authority, policy, evidence, and replay.1 skills authorized by policy/evidence/context; 7 skills forced to review or block state; Authority and execution mode are explicit per skillAdd live Entra delegated-authority token introspection before production writes.
Enterprise Data Contracts100%Agents consume governed context through source lineage and data contracts, not uncontrolled SOR polling.8/8 audited cases carry source lineage; 11/26 context queries marked used in decisions; Context completeness evaluates required entities, relationships, policy, evidence, replay, freshness, and learningBind each source ref to formal UDP/Databricks/OneData data-product contract IDs.
Enterprise Control Framework12%Controls connect policy, execution, evidence, replay, and attestation.1/8 cases have policy linkage; 1/8 cases have evidence linkage; 1/8 cases are replayableAdd SOX/control IDs, control owner, attestation cadence, and testing schedule to each policy binding.
Operational Resilience94%Failure paths degrade to policy fallback and human workflow instead of stopping finance operations.8/8 skills expose human override boundary; 7 skill decisions route to review/block instead of unsafe execute; System has live Enterprise Resilience Center and control-plane resilience APIsAttach explicit RTO/RPO and failure playbook IDs per skill before production rollout.
Enterprise Accountability59%Every action identifies responsible actors, accountable owners, policy, evidence, version, and replay.1 policy owners resolved; 8 human override paths visible; 1 replay records linkedPersist full RACI per policy/control and bind approver identity at action execution time.
Enterprise Change Management56%Agents and skills move through versioning, certification, pilot, parallel run, and production gates.8/8 skill versions captured; 1/8 policy versions captured; Manifest certification service exists for lifecycle gatesExpose certification record, pilot state, parallel-run status, and retirement date per skill.
Enterprise Operating Model94%Analyst, supervisor, tower lead, process owner, controller, audit, AI governance, cyber, and platform teams have explicit responsibilities.7 business skill owners; 1 policy governance owners; 8 human accountability boundariesAdd a formal operating-model registry with role-specific responsibilities and escalation SLAs.

Enterprise Control Plane Model

Identity Registry{"agents": ["iaf-invoice-decision-agent"], "skill_owners": ["Close Controller", "Credit Risk Owner", "FP&A Lead", "P2P Control Owner", "R2R Controller", "Trading Risk", "Treasury Operations"]}
Policy Registry{"policy_owners": ["Finance Governance"], "policies_linked": 1}
Control Registry{"policy_evidence_replay_controls": 1, "attestation_status": "partial_until_control_ids_bound"}
Agent Registry{"skills": ["SKILL-P2P-DUP-HOLD", "SKILL-CREDIT-EXPOSURE-ASSESS", "SKILL-CLOSE-MAINT-ACCRUAL", "SKILL-TRADING-EXPOSURE-ASSESS", "SKILL-TRSY-PAYMENT-TIMING", "SKILL-FPA-VARIANCE-EXPLAIN", "SKILL-R2R-JOURNAL-VALIDATE", "SKILL-P2P-DUP-HOLD"]}
Runtime Governance{"context_usage": 11, "human_override_paths": 8}
Resilience Center{"fallback_paths": 7, "manual_override_paths": 8}

Workshop position

The platform is an Enterprise Decision & Control Runtime when identity, authorization, controls, evidence, replay, resilience, lifecycle, and operating model are visible and enforced.

The audit intentionally surfaces gaps. That is more credible than claiming every enterprise operating-model capability is complete.

Credible enterprise answer

The runtime is moving from Decision Runtime to Enterprise Decision & Control Runtime by making identity, authorization, controls, accountability, resilience, certification, and operating model visible and enforceable.