COMPEL Specialization — AITE-ATS: Agentic AI Systems Architect Expert Artifact Template 4 of 5
How to use this template
Populate one matrix per agent. The matrix is the authoritative statement of how every action class the agent can initiate maps to an oversight mode — human-in-the-loop (HITL), human-on-the-loop (HOTL), or autonomous. It is the document operators, security reviewers, and auditors consult when they ask: who decides what, when, and within what time?
The matrix sits alongside the Agent Governance Charter (Template 1) and is referenced from Section 7 of the charter. It is more detailed than the charter summary and changes more frequently. Populate at the end of Organize; refresh on any change to tools, thresholds, or operator roles.
Oversight modes, definitions used in this template:
- HITL (Human-in-the-Loop). A human decision is required before the action proceeds. The agent is paused until the human responds.
- HOTL (Human-on-the-Loop). The action proceeds. A human monitors asynchronously and may intervene (rollback, halt, correct) on signal.
- Autonomous. The action proceeds without per-action human involvement. Oversight is through observability, sampling, and exception-routing rather than per-action approval.
Escalation Matrix
Identity
| Field | Value |
|---|---|
| Agent identifier | stable-agent-id |
| Matrix version | 1.0 |
| Charter version referenced | 1.0 |
| Last updated | YYYY-MM-DD |
| Architect of record (role) | role |
| Agent owner (role) | role |
| Operations lead (role) | role |
1. Action-class enumeration
Every action the agent can take is assigned to a class. Classes are the granularity at which oversight decisions are made.
| Class ID | Action class | Representative tool(s) | Reversibility | Blast radius |
|---|---|---|---|---|
| C01 | External read (trusted sources) | search_internal_kb | read-only | low |
| C02 | External read (untrusted sources) | fetch_url, read_email | read-only | low-medium; injection surface |
| C03 | Memory read (session) | read_memory(session) | read-only | low |
| C04 | Memory write (persistent) | write_memory(persistent) | reversible-in-window | medium |
| C05 | Draft to user workspace | write_draft | reversible | low |
| C06 | Outbound communication (internal) | send_internal_notification | irreversible after send | medium |
| C07 | Outbound communication (customer) | send_email_customer | irreversible after send | high |
| C08 | Reversible financial action (under cap) | initiate_transfer, amount ≤ cap | reversible within window | medium |
| C09 | Reversible financial action (over cap) | initiate_transfer, amount > cap | reversible within window | high |
| C10 | Irreversible external action | publish_public | irreversible | high |
Populate with the agent’s actual tool set. The above is an illustrative rather than a prescriptive list.
2. Oversight mode per class
| Class ID | Oversight mode | Primary operator (role) | Secondary (role) | Rationale |
|---|---|---|---|---|
| C01 | Autonomous | n/a (post-hoc sampling) | ops monitor | read-only, trusted source, post-hoc sampling sufficient |
| C02 | Autonomous with HOTL | ops monitor | security ops | read-only but untrusted; observability + sampling required |
| C03 | Autonomous | n/a | n/a | session-scoped; no cross-session leakage |
| C04 | HOTL | ops monitor | agent owner | persistent writes are sampled and reviewed weekly |
| C05 | Autonomous | n/a | primary reviewer | draft-only; human reviews before publication |
| C06 | HOTL | ops monitor | comms lead | volume-based sampling; immediate alert on anomaly |
| C07 | HITL | comms lead | agent owner | direct customer contact; per-action approval |
| C08 | HOTL | AP team lead | treasury on-call | policy-gated; sampled review |
| C09 | HITL | treasury on-call | CFO delegate | above cap; pre-authorisation required |
| C10 | HITL + Stop-Go | agent owner | executive sponsor | irreversible; explicit pre-authorisation plus stop-go authority present |
3. HITL gate detail
For each class with HITL oversight, specify the gate.
| Class ID | Trigger condition | Gate type | Primary operator | Timeout | Timeout behaviour | Observability emission |
|---|---|---|---|---|---|---|
| C07 | agent proposes customer email | pre-execution approval | comms lead | 4 business hours | park; escalate to agent owner | gate.c07.fired |
| C09 | transfer amount > cap | pre-execution approval | treasury on-call | 2 business hours | park; escalate to CFO delegate | gate.c09.fired |
| C10 | agent proposes publication | pre-execution approval + stop-go | agent owner | 1 business day | park; escalate to executive sponsor | gate.c10.fired |
4. HOTL sampling and response
For each class with HOTL oversight, specify the sampling and the intervention mechanism.
| Class ID | Sampling rate | Review cadence | Intervention mechanism | Intervention latency target |
|---|---|---|---|---|
| C02 | 100% (all external-read traces sampled) | daily aggregate; per-event on injection detector fire | kill-switch on active session | ≤ 5 minutes from detector fire |
| C04 | 5% random + 100% schema-violation | weekly | rollback memory write; retrain detector | ≤ 4 business hours |
| C06 | 5% random + 100% anomaly-flagged | daily | retract notification where possible; update prompt | ≤ 1 business day |
| C08 | 2% random + 100% anomaly-flagged | weekly | reverse transfer within window; post-mortem | ≤ 1 business day |
5. Autonomous-mode compensating controls
For classes operating autonomously, document the controls that substitute for per-action review.
| Class ID | Control | Owner | Evidence |
|---|---|---|---|
| C01 | tool-call authorisation (Lab 2 matrix) | platform team | policy bundle version |
| C03 | session memory is disposable; session-end cleanup | platform team | cleanup log |
| C05 | draft-only action; downstream human review before publication | user | editorial workflow |
6. Escalation tree
Who is paged, in what order, on which trigger classes. A compact tree suffices; the incident playbook (Article 25) holds the full runbook.
Trigger class | L1 (first) | L2 (secondary) | L3 (tertiary)
----------------------------------|-------------------------|------------------------------|---------------
Kill-switch fired | stop-go authority | agent owner | executive sponsor
Runaway / loop-length excess | ops monitor | agent owner | architect
Tool auth denial | security on-call | agent owner | CISO delegate
Memory schema violation | ops monitor | agent owner; data-governance | CISO delegate
Indirect-injection detector fire | security on-call | agent owner | CISO delegate
User complaint (customer-facing) | comms lead | agent owner | legal
Regulatory inquiry | legal | executive sponsor | board (if material)7. Timeouts, escalations, and fallbacks
| Situation | Target | Behaviour on breach |
|---|---|---|
| HITL gate timeout | per table in §3 | park; escalate to secondary role; emit gate.timeout.escalated |
| HOTL intervention-latency breach | per table in §4 | emit hotl.intervention_late; trigger post-incident review |
| Operator role unavailable | immediate detection via presence signal | fallback to secondary; emit operator.unavailable; if no secondary within 15 minutes, autonomous action is paused |
| Observability sink down | immediate detection via heartbeat | agent’s HITL gates fall open-fail (stop) rather than closed-fail (proceed); emit observability.down |
Open-fail vs. closed-fail is a deliberate design choice per class. For classes where the action’s reversibility is high, closed-fail (action proceeds pending operator review) may be acceptable; for irreversible classes, open-fail (action halts pending operator confirmation) is mandatory.
8. Operator capacity planning
The matrix is unusable if the operators cannot staff it. Record the expected load.
| Operator role | Expected gate volume | Target staffing | Burn-down posture |
|---|---|---|---|
| ops monitor | ~40 HOTL reviews / week | 1 FTE covering business hours | backlog > 20 triggers HITL-gate-queue alert |
| treasury on-call | ~5 HITL gates / week | rotating 1-person on-call | backlog > 3 triggers escalation |
| comms lead | ~2 HITL gates / week | rotating 1-person on-call | backlog > 1 triggers escalation |
9. Change log
| Date | Version | Change | Trigger | Author (role) |
|---|---|---|---|---|
| YYYY-MM-DD | 1.0 | initial matrix | onboarding | architect |
10. Sign-off
| Role | Sign-off date |
|---|---|
| Architect of record | |
| Agent owner | |
| Operations lead | |
| Each named operator role lead | |
| Executive sponsor (if any HITL class with irreversible action) |
End of Escalation Matrix template.