7 Essential Attributes for Guiding Agent-Based AI Toward Ethical and Responsible Practices
- Jun 8
- 7 min read
For several years now, our transformation projects have brought us face to face with a recurring question from our clients: how can we integrate innovation, regulatory compliance, and transformation management into a single system?
When it comes to agent-based AI, the conversations differ with the context, whether with the risk director of a regional bank, the CIO of an insurance group, or the head of ethical AI at a research lab, but they often expose the same blind spot: agents exist within the technical stack, risks are listed in a Word document, certifications are tracked in a spreadsheet, and nothing is connected.
This observation has driven the R&D work we have been conducting at Gabriel Greenfield since the creation of our Meridian methodology: integrating our generic transformation metamodel structured around ambitions, challenges, initiatives, capabilities, and processes with the requirements of the ISO 42001 standard and the European AI Regulation.
The result is what we call the agent-based AI governance metamodel: a structured model that integrates AI agents as first-class entities alongside traditional transformation entities, and links each agent to its risks, knowledge bases, decision histories, and certification.
Here’s how this model is structured, why it goes beyond a simple risk register, and why it addresses ethical and responsible AI.
From the Generic Metamodel to Agent-Based Governance: What Has Changed
For several years now, we have been working with a transformation metamodel structured around the following key components: Strategic Ambitions, Challenges, Initiatives, Business Capabilities, Processes, KPIs, Risks. This model helps us trace the connection between the Executive Committee’s vision and operational execution. This is what we formalize in our Meridian method.
The introduction of AI Agents raises three questions:
Agents do not exist as first-class entities. We talk about AI projects, automation initiatives, but never about a specific agent with its own lifecycle, its own risks, and its designated ISO 42001 manager.
The knowledge base that powers the agents is invisible. Yet it is this base that determines the quality, potential biases, and regulatory relevance of each output.
Execution traces (i.e., the individual decisions made by the agents) do not exist anywhere in the model. Yet it is these traces that the EU AI Act requires to be archived for high-risk systems.
The agentic extension adds four new entities to the existing model: AI Agent, Knowledge Base, Agent Decision, and Benchmark Asset. It also enriches existing entities (Risk, Certification, Engagement Result) with attributes specific to the reality of AI systems.
Seven Essential Attributes
1. Confidence Threshold (Escalation) — on the AI Agent entity
A float between 0 and 1 that defines the confidence level at which the agent escalates to a human consultant. Without this attribute, the agent makes decisions independently in all circumstances. With it, we implement the human-in-the-loop principle required by ISO 42001. It can be audited, measured, and adjusted.
2. EU AI Act Classification — on the AI Risk entity
The “unacceptable / high / limited / minimal” list determines whether your agent must be registered in the national registry, undergo a pre-deployment compliance assessment, or simply be documented. For an agent deployed in a banking context (maturity scoring, governance recommendations), a high-risk classification is likely. Documenting this in the model automates the regulatory response.
3. Level of Explainability — on the AI Agent entity
A three-value enumeration (black box, post-hoc, or native) that answers a simple question: can we understand why an agent produced this output rather than another?
Black box: we see the input and the output, nothing in between. This is the default case for a direct call to an LLM without instrumentation, and it is obviously unacceptable for any decision impacting customers in a regulated sector.
Post-hoc: the explanation is reconstructed after the fact using techniques such as SHAP, LIME, or forced chain-of-thought. This is a rationalization, not proof.
Native: The explanation is generated simultaneously with the decision. Each score is linked to its source in the corpus, each recommendation is linked to the methodological rule that triggered it, and the complete path is logged. This is the level required by Article 13 of the EU AI Act for high-risk systems.
This distinction is critical in a regulated sector: a maturity scoring agent cannot be a black box if a client asks “why do I have a 2/5 score on the Data dimension?”. Explicitly modeling this attribute forces the architectural discussion at the right time: before deployment, not after the first client complaint. An agent designed as a black box and classified as “high-risk” under the EU AI Act constitutes a structural non-compliance, not a problem to be patched later.
4. Retrieval Quality Score — on the Knowledge Corpus entity
An agent is only as good as what it is fed. Measuring retrieval accuracy (e.g., precision@10) on the Meridian RAG corpus is the first line of defense against hallucinations. This attribute allows us to correlate the quality of agent outputs with the quality of the corpus, and to trigger a corpus update when performance drifts.
5. ISO 42001 Category — on the AI Risk entity
Bias, privacy, transparency, robustness: the four pillars of responsible AI according to ISO 42001. Each documented risk must be linked to one of these categories. This enables two concrete outcomes: automatically generating the ISO 42001 compliance dashboard, and identifying under-covered categories prior to the audit.
6. Benchmark Consent — on the Engagement Result entity
The benchmark asset is the strategic jewel of the model, but it relies entirely on client consent. Without this modeled attribute, referencing the corresponding contractual clause, the data asset has no legal basis. This attribute is the prerequisite for the future monetization of engagement data.
7. Validated by — on the Agent Decision entity
Every decision made by a high-risk agent must be associated with a human actor who validated it, or indicate that it was executed without validation. This is the core of the accountability principle: the agent produces, the consultant validates. It is an indispensable attribute.
The challenge: building an ethical, responsible, and compliant AI
The real question is not technical. It is institutional: an organization deploying AI agents in a regulated sector must be able to demonstrate, at any time, that each of its agents is ethical in its design, responsible in its use, and compliant in its documentation. These three requirements are distinct:
Compliance answers a closed-ended question: Have you documented what the standard requires?
Accountability answers a question of responsibility: Who is accountable for what the agent has done?
Ethics, finally, answers a substantive question: Are this agent’s decisions fair, explainable, and non-discriminatory?
An agent can be compliant without being accountable if no one is specifically held responsible for its decisions. It can be accountable without being ethical if the populations affected by its decisions have never been identified. The strength of a structured metamodel lies precisely in integrating these three levels into a single governance system, rather than treating them as three parallel projects.
What ISO 42001 and the EU AI Act Actually Require
ISO 42001 mandates an AI management system: a written policy, a mapping of deployed AI systems, an impact analysis for each system, documentation of risk control measures (bias, privacy, transparency, robustness), and a periodic review by a governance body. Without a metamodel linking each agent to its risks, mitigation measures, and supervisory body, these requirements quickly result in dozens of disconnected documents that are incomprehensible to an auditor.
The EU AI Act goes further for systems classified as high-risk: a category that includes most agents deployed in banking or insurance as soon as they involve credit, pricing, or claims management. It requires an official registry of AI systems (Article 49), automatic logging of decisions, effective human oversight, and the ability to provide any affected individual with a meaningful explanation of the decision that impacted them. These requirements are enforceable obligations on the company.
How the metamodel meets the three requirements
We designed the metamodel precisely to articulate these three levels. Each entity and each relationship has been designed to meet a specific requirement (regulatory, ethical, or operational).
→ For compliance. The AI Agent, Risk, and Certification entities and their relationships automatically generate the Article 49 register and the ISO 42001 mapping. The audit is prepared through queries on the model, not by manually reconstructing tables.
→ For accountability. The Agent Decision entity and its “validated by” link to a specifically identified Actor ensure effective accountability. Every critical output can be traced back to the human who validated it or to the absence of validation.
→ For ethics. The attributes Level of Explainability, Affected Populations, and Benchmark Consent force the organization to document what standards do not yet require, and to do so before the regulator, the client, or the press make it an enforceable requirement.
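To make the attributes listed above and the "queries on the model" concrete, here is an added illustration (not Gabriel Greenfield's or Meridian's code) that encodes the AI Agent, AI Risk and Agent Decision entities as a small data model and runs the audit checks the text describes: the high-risk/black-box structural non-compliance, ISO 42001 category coverage, the confidence-threshold escalation rule, and the Article 49 register. The agent, risk and decisions at the bottom are constructed sample data; field and function names are assumptions of this example.

```python
# Added illustration, not the metamodel's own code: the seven attributes as data.
from dataclasses import dataclass, field
from typing import Optional

ISO_42001_CATEGORIES = ("bias", "privacy", "transparency", "robustness")
HIGH_RISK_CLASSES = ("unacceptable", "high")

@dataclass
class AIRisk:
    name: str
    iso_category: str      # one of ISO_42001_CATEGORIES
    eu_ai_act_class: str   # unacceptable / high / limited / minimal

@dataclass
class AIAgent:
    name: str
    confidence_threshold: float  # escalate to a human below this value
    explainability: str          # black_box / post_hoc / native
    risks: list = field(default_factory=list)

@dataclass
class AgentDecision:
    agent: AIAgent
    confidence: float
    validated_by: Optional[str] = None  # Actor id; None = executed unvalidated

def is_high_risk(agent: AIAgent) -> bool:
    return any(r.eu_ai_act_class in HIGH_RISK_CLASSES for r in agent.risks)

def needs_escalation(d: AgentDecision) -> bool:  # human-in-the-loop rule
    return d.confidence < d.agent.confidence_threshold

def findings(agent: AIAgent, decisions: list) -> list:
    """Run the audit as queries on the model; each entry is one gap."""
    out = []
    if is_high_risk(agent) and agent.explainability == "black_box":
        out.append(f"{agent.name}: high-risk agent designed as a black box")
    covered = {r.iso_category for r in agent.risks}
    for cat in ISO_42001_CATEGORIES:
        if cat not in covered:
            out.append(f"{agent.name}: ISO 42001 category '{cat}' not covered")
    for i, d in enumerate(decisions):
        if needs_escalation(d) and d.validated_by is None:
            out.append(f"{agent.name}: decision {i} needed escalation, no validator")
    return out

def article49_register(agents: list) -> list:  # high-risk agents to register
    return [a.name for a in agents if is_high_risk(a)]

# Constructed sample: a maturity-scoring agent carrying one high-risk bias risk.
SCORER = AIAgent("maturity-scorer", 0.7, "black_box", [AIRisk("unfair scoring", "bias", "high")])
SAMPLE_DECISIONS = [AgentDecision(SCORER, 0.9, "consultant-42"), AgentDecision(SCORER, 0.55)]
```

Calling `findings(SCORER, SAMPLE_DECISIONS)` on the sample returns five gaps (the black-box design, three uncovered ISO 42001 categories, and the unvalidated low-confidence decision), which is the kind of list an auditor would otherwise rebuild by hand from disconnected documents.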
In our work, we are seeing a growing divide between organizations that treat AI governance as little more than a regulatory compliance issue, and those that design it from the outset as a structured system. The former struggle to prepare for audits. The latter turn it into a competitive advantage: a trust-building factor for their regulated clients and a prerequisite for the AI applications of tomorrow, where explainability and accountability will be standard requirements.
Responsible AI governance isn't just about checking compliance boxes. It's about building a system where every decision made by an agent can be traced, explained, and accounted for by a specific person.
This is precisely what this metamodel makes possible—not as a document, but as a living, queryable structure connected to the operational reality of the transformation.
At Gabriel Greenfield, we implement this model as part of our Certified Responsible Agentic offering, which is backed by our ISO 42001 certification process. If you are deploying or planning to deploy AI agents in a regulated environment and wish to assess your governance posture in concrete terms, we offer a 4-week POC: mapping of your existing agents, structuring of the model within your architecture tool, and a first look at your EU AI Act registry.
Contact us directly or via our Gabriel Greenfield page. Initial consultations are always free.