This profile defines the additional conformance expectations that apply when TSMM is used to govern agentic or delegated-action deployments. It is not a fourth maturity tier. It is a cross-cutting profile that may be applied alongside the Operational or Assured baseline.
The existing Minimal, Operational, and Assured profiles describe increasing rigor for general trust-system implementation. Agentic systems introduce a different problem shape. The primary risks concern not only identity, policy, or evidence, but also delegated action, runtime context, oversight mode, and traceability of effects.
This profile applies where a system includes one or more of the following characteristics:
Implementations SHALL define explicit delegation artifacts or records that bind delegator, delegate, scope, obligations, and revocation conditions.
Implementations SHALL declare the oversight mode for governed actions. Oversight mode SHOULD be recorded per action class or per workflow.
Implementations SHALL classify agentic actions by risk tier and SHALL document the rationale used to assign the tier.
Implementations SHALL preserve structured trace records for governed actions, including action reference, context reference, applicable delegation, and resulting effect where one occurs.
Implementations SHOULD define when an agentic action is denied, downgraded, routed for approval, or sampled for review.
Where multiple agents participate in a single effect chain, implementations SHALL document coordination boundaries and SHOULD define which agent is accountable for which action stage.
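One way the delegation, oversight, risk-tier and trace requirements above can fit together in a single decision point is sketched below. This is an added example, not part of TSMM: the field names, the three tier names, the oversight mode names and the tier-to-mode policy are all assumptions, and downgrade handling and multi-agent coordination are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed names throughout: the profile says what must be bound and traced, not a schema.
OVERSIGHT_BY_TIER = {  # constructed policy: risk tier -> oversight mode
    "low": "allow",
    "medium": "sample_for_review",
    "high": "route_for_approval",
}

@dataclass(frozen=True)
class Delegation:
    delegation_id: str
    delegator: str
    delegate: str
    scope: frozenset        # action classes the delegate may perform
    obligations: tuple      # duties attached to the grant, e.g. ("record_effect",)
    expires_at: datetime    # revocation condition: expiry
    revoked: bool = False   # revocation condition: explicit withdrawal

def decide(d, agent, action_ref, action_class, risk_tier, context_ref, now):
    """Evaluate one governed action and return its structured trace record."""
    if d.revoked or now >= d.expires_at:
        decision, reason = "deny", "delegation revoked or expired"
    elif agent != d.delegate:
        decision, reason = "deny", "agent is not the named delegate"
    elif action_class not in d.scope:
        decision, reason = "deny", "action class outside delegated scope"
    elif risk_tier not in OVERSIGHT_BY_TIER:
        decision, reason = "deny", "risk tier not classified"  # fail closed
    else:
        decision, reason = OVERSIGHT_BY_TIER[risk_tier], f"oversight mode for {risk_tier} tier"
    return {
        "action_ref": action_ref, "context_ref": context_ref,
        "delegation_ref": d.delegation_id, "delegator": d.delegator, "delegate": agent,
        "action_class": action_class, "risk_tier": risk_tier,
        "decision": decision, "reason": reason,
        "obligations": list(d.obligations),
        "effect_ref": None,  # set by the executor if the action produces an effect
        "decided_at": now.isoformat(),
    }

if __name__ == "__main__":
    # Constructed sample grant and actions.
    grant = Delegation("dlg-001", "alice", "agent-7", frozenset({"ticket.update"}),
                       ("record_effect",), datetime(2030, 1, 1, tzinfo=timezone.utc))
    now = datetime(2029, 6, 1, tzinfo=timezone.utc)
    for cls, tier in [("ticket.update", "medium"), ("payment.send", "high")]:
        print(decide(grant, "agent-7", "act-1", cls, tier, "ctx-1", now))
```

Every path, including denials, returns a trace record, so the evidence trail covers refused actions as well as permitted ones.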
The Agentic Profile is additive. It does not replace Operational or Assured requirements. It constrains how those baselines apply in agentic contexts.
Suitable evidence may include delegation records, workflow approval policies, trace logs, risk-tier inventories, oversight procedures, remediation workflows, and coordination diagrams.