Managed agents can execute code, call tools, and read files. Control boundaries need evidence.
Free Google managed agents control matrix

Google Managed Agents control matrix for tools, files, code, and approvals

For teams evaluating Google Managed Agents, Gemini Enterprise Agent Platform agents, Antigravity workflows, or similar agentic AI systems. Use the matrix to document purpose, permissions, approval gates, logs, and shutdown evidence.

Managed agents need more than enthusiasm: define purpose, permissions, approval gates, logs, and shutdown ownership before scale.
No login | Browser-side matrix | Agent control triage | Not legal advice

Answer first

If an AI agent can call tools, read or write files, browse the web, execute code, or update systems, it needs a control matrix before wider rollout. The minimum evidence set is practical: purpose, owner, data access, tool permissions, code boundary, external actions, approval gate, logs, incident route, and shutdown owner.

The risk is not that managed agents exist. The risk is letting them operate with unclear permissions, unclear owners, unclear approval points, and no retained evidence when a buyer, customer, board, or security reviewer asks what the agent was allowed to do.

Use this matrix if one of these is true

Managed agents

An agent can act in a sandbox

You are testing agents that reason, use tools, execute code, read or write files, or fetch live web data.

Enterprise workflow

The agent connects to work systems

The agent may touch tickets, repositories, documents, customer records, sales data, support workflows, or internal approvals.

Governance evidence

You need permission records

You need a practical record of what the agent may do, who approves it, where logs sit, and who can stop it.

A managed agent control matrix should connect permissions to evidence, not only policy statements.

Managed agents control matrix

Select the control maturity for each row. Use Enforced with evidence only when the rule is implemented and someone can retrieve the record later.

Scoring rule: Missing = 0. Documented = 1. Enforced with evidence = 2. Maximum score = 24.

Your score

0/24

Not ready for agent rollout

Start by changing each row from Missing to the state that matches the evidence you can actually retrieve.

Recommended route

Do not widen rollout until purpose, permissions, approval, logs, and shutdown evidence are documented.

Agent control (rated Missing, Documented, or Enforced with evidence)

  • Agent purpose and scope: You can describe what the agent is allowed to do and what outcome it supports.
  • Business owner: A named accountable owner approves the agent use case and accepts residual risk.
  • Data and file access: The team knows what files, repositories, tickets, documents, or datasets the agent can read or write.
  • Tool and skill permissions: The agent's tools, skills, APIs, and connectors are listed and reviewed before use.
  • Code execution boundary: Code execution is constrained, reviewed, and separated from production deployment authority.
  • Web browsing and external fetch: The team controls how the agent fetches, processes, and trusts external web content.
  • External system actions: Record updates, ticket changes, emails, commits, deployments, or workflow actions require clear approval rules.
  • Human approval gate: High-impact actions need a defined human approval point before execution or external release.
  • Agent identity and access: The agent has controlled identity, least-privilege access, and no shared human credentials.
  • Logging and observability: Prompts, tool calls, file changes, decisions, approvals, and errors have a known retention location.
  • Incident escalation and shutdown: Someone can stop the agent, revoke access, preserve evidence, and escalate if behavior is unsafe.
  • Versioning and change review: Agent instructions, skills, permissions, and configuration changes are versioned and reviewed.

Result summary

Control evidence snapshot

This is a first-pass control signal, not a compliance score. It shows which agent controls have evidence and which still need work.

Control map

What the matrix is testing

The rows are grouped around five practical questions. If one of these areas is weak, a managed agent can create work, change records, expose data, or leave too little evidence to reconstruct what happened.

01 Permissions

Can the agent touch only approved tools and data?

Map the tools, files, code, web sources, connectors, and business systems the agent can reach.

Keep: permission register, access decision, approved connector list.

02 Approval

Which actions need human review first?

Separate low-risk drafting from actions that change records, send messages, update tickets, or release content.

Keep: approval rule, reviewer role, retained approval record.

03 Execution

Can the agent execute or change anything important?

Check whether the agent can run code, write files, alter repositories, update systems, or trigger business actions.

Keep: sandbox rule, change log, code review record, deployment separation.

04 Observability

Can the team reconstruct what happened?

Retain enough prompt, tool-call, output, file-change, approval, and incident evidence to review agent behavior later.

Keep: prompt/tool-call logs, file change records, incident notes, retention location.

05 Shutdown

Who can stop the agent and preserve evidence?

Assign the owner who can disable access, revoke tools, freeze changes, preserve logs, and run the escalation path when behavior becomes unsafe.

Keep: shutdown owner, revocation path, escalation contact, rollback note.
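
The five questions above, sketched as an added example (not part of the original page, and not Google or Move78 code): a gate that every agent tool call passes through, which checks a permission register, requires a named approver for high-impact tools, honours a shutdown switch, and keeps a hash-chained record of each decision. The tool names, register layout, `Gate` class and `verify` helper are hypothetical, and approver identity is assumed to be verified upstream.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed permission register (hypothetical tool names): tool -> approval rule.
REGISTER = {
    "search_docs": {"approval": False},    # low-risk read
    "update_ticket": {"approval": True},   # changes a record: needs a human
}

def _digest(prev, event):
    # Chained to the previous hash so a later edit is detectable.
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

@dataclass
class Gate:
    register: dict
    stopped: bool = False                  # flipped by the shutdown owner
    log: list = field(default_factory=list)

    def _record(self, **event):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        self.log.append({**event, "prev": prev, "hash": _digest(prev, event)})

    def request(self, tool, args, approver=None):
        # Assumption: approver identity has been verified upstream.
        if self.stopped:
            decision = "denied:shutdown"
        elif tool not in self.register:
            decision = "denied:not_in_register"
        elif self.register[tool]["approval"] and not approver:
            decision = "denied:approval_required"
        else:
            decision = "allowed"
        self._record(tool=tool, args=args, approver=approver, decision=decision)
        return decision

    def shutdown(self, owner):
        self.stopped = True
        self._record(tool=None, args=None, approver=owner, decision="shutdown")

def verify(log):
    # Recompute the chain; False means a retained record was altered.
    prev = "0" * 64
    for rec in log:
        event = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if rec["prev"] != prev or rec["hash"] != _digest(prev, event):
            return False
        prev = rec["hash"]
    return True
```

A real deployment would also timestamp each record and ship the log to storage that the agent's own identity cannot write to.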

Turn weak rows into implementation evidence

The matrix is a free triage tool. ACT and the Sprint are where thin rows become working governance records.

ACT-2 route

Agent governance evidence pack

Use ACT-2 when managed agents need inventory, control mapping, approval evidence, incident route, board reporting, and buyer assurance.

  • Best for evidence-led buyers and regulated teams.
  • Strong route if the score is below 18.

Sprint route

Implementation Sprint

Use the Sprint when agent permissions, ownership, logs, or system actions are unclear and leadership needs a defensible rollout path.

  • Best for urgent rollout or messy ownership.
  • Good when agents can act across systems.

Technical route

M78Armor where runtime hardening matters

Use M78Armor only when the issue is local agent runtime hardening, OpenClaw, Hermes, MCP, or technical security enhancement.

  • Governance stays on Move78.
  • Runtime hardening stays on M78Armor.

Agents create operational risk when their permissions are undocumented.

Use the matrix to find the gaps. Use ACT-2 or the Sprint to convert those gaps into editable implementation evidence.

Source basis and limits

This page is based on public Google and standards sources reviewed on 2026-05-23. It is intended as operational implementation guidance, not legal, audit, certification, procurement, or security assurance.

  • Google I/O 2026 announcements and developer updates were reviewed to identify Managed Agents and Antigravity-related agent capabilities.
  • Google Cloud documentation was reviewed for Gemini Enterprise Agent Platform and Managed Agents references.
  • NIST AI RMF and ISO/IEC 42001 public materials were reviewed as general AI risk management and AI management system references.
  • Pricing, availability, preview status, and production suitability should be checked against current Google documentation before customer rollout.

Questions before using the matrix

Use it if your team is evaluating Google Managed Agents, Gemini Enterprise Agent Platform agents, Antigravity workflows, or any AI agent that can call tools, read or write files, browse the web, execute code, or act across business systems.
No. The page is written around Google Managed Agents because of the I/O 2026 announcements, but the control questions also apply to similar agentic AI systems that use tools, files, code, web access, or external workflows.
No. It is a planning and evidence tool. It helps identify missing governance controls, but it does not provide legal, audit, certification, procurement, or security assurance.
No. The scoring logic runs in the browser. The selected answers are not submitted to Move78. Site analytics may load only if the visitor accepts analytics cookies.
Start with purpose, owner, data access, tool permissions, approval gates, logs, and shutdown ownership. If the agent can execute code or change business records, treat it as an implementation control issue, not a casual AI pilot.

Last reviewed: 2026-05-23.

Public source basis: Google I/O 2026 announcements, Google Managed Agents announcement, Managed Agents API documentation, Gemini Enterprise Agent Platform overview, NIST AI RMF, and ISO/IEC 42001 public overview.

Move78 materials are informational and implementation-support resources only. They are not legal, tax, regulatory, audit, certification, conformity-assessment, procurement, or security advice.