4iGov Product v1.0 | April 2026

The Design-Time Contract

A Jira workflow template for AI governance in regulated environments

Embeds governance decisions into the moment they are made. PM, architect, and risk manager each answer specific questions at Epic creation. The evidentiary record is a byproduct of the workflow, not an additional artefact.

Stages: 01 Inception | 02 Classification | 03 Design | 04 Build | 05 Gate | 06 Monitor
Product Manager
Define: Agent Scope Statement. What is this agent permitted to do? What is explicitly out of scope?
Select: Regulatory Framework. Which regulations apply? Activates relevant compliance overlays.
Reviews
Own: Governance Relevance. Reviews scope deviations before any story closes.
Reviews vs documented scope
Solution Architect
Define: Tool Boundaries. Which tools can the agent invoke? What credentials does it hold?
Reviews
Own: Architecture Stories. Tool scope, credential access, blast radius documented per story.
Review: OWASP Risk Reference. Each story tags the relevant ASI risk if applicable.
Credential scope reviewed each cycle
Risk Manager
Define: Regulatory Obligations. What does a regulatory examination expect to find for this agent?
Classify: High-Risk Assessment. EU AI Act risk level. DORA critical function determination.
Reviews
Flag: Compliance Evidence. Marks stories requiring documented evidence for regulatory purposes.
Deviation triggers Epic update
OWASP Agentic Top 10 | Additional Epic-level fields | v1.0
Risk and field name (required at): What it captures
ASI01 Goal Hijack Controls (Stage 5): How are permitted objectives documented? What detects deviation from the agent's stated goal?
ASI02 Tool Boundary Declaration (Stage 3): Every tool the agent may invoke: name, permitted actions, prohibited actions, authorised by whom.
ASI03 Credential Scope and Owner (Stages 5 and 6): Every credential the agent holds: type, scope, expiry, named reviewer, review cadence.
ASI05 Code Execution Validation (Stage 5): If the agent generates or executes code: validation mechanism, execution environment, rollback path.
ASI10 Autonomy Boundary (Stage 5): Maximum autonomous action sequence without human confirmation. Escalation trigger and named path.
DORA Compliance Overlay | Accountability Assessment | v1.1
Important: Template Framework
This assessment maps AI agent governance to DORA Articles 5, 6, 10, 17, 19. It is not regulatory assurance. Validate with your compliance team and regulator.
Condition 1: Design-Time Authority
Agent Scope *
PM Architectural Approval *
Design-Time Documentation Structure *
DORA: Articles 5(2), 6(1), 6(8)
Condition 2: Ongoing Monitoring Mandate
Named Monitoring Owner *
Monitoring Cadence *
Monitoring Data Access & Organization *
DORA: Articles 10(1), 10(3), 17(2)
Condition 3: Evidentiary Chain
Parameter Documentation & Versioning *
Decision & Monitoring Log Linkage *
Incident Documentation & Linkage *
DORA: Articles 17(2), 17(3)(b), 19(4)
EU AI Act overlay | coming in v1.1
FCA overlay | planned
Epic level | Stages 1 and 2
Field (Type): Description
AI Agent Scope Statement (Text area): What is this agent permitted to do? What is explicitly out of scope? Good answers name specific actions, data types, and systems.
Permitted Data Types (Checkbox): PII / Financial data / Health data / Internal comms / Public data only / Other. At least one required.
Behavioural Violation Definition (Text area): What constitutes a violation of documented scope? Give a specific, observable example. This is what the monitoring mandate checks against.
Named Accountability Owner (User picker): Which named individual holds the ongoing monitoring mandate? Must be a person. Cannot be blank at Stage 5.
Regulatory Framework in Scope (Checkbox): EU AI Act / DORA / CRA / FCA / HIPAA / PCI DSS / Other. Selection activates relevant overlays.
High-Risk Classification (Dropdown): EU AI Act: Unacceptable / High / Limited / Minimal / Not assessed.
DORA Critical Function (Dropdown): Yes / No / Under assessment. Triggers DORA overlay in v1.1.
Third-Party AI Components (Text area): All third-party LLMs, APIs, AI services: provider, version, data processing location.
Monitoring Cadence (Dropdown): Daily / Weekly / Fortnightly / Monthly. Must be set before Stage 5 closes.
Pre-deployment Sign-off | PM (User + date): PM confirmation at Stage 5 that Inception fields are accurate and complete.
Pre-deployment Sign-off | Architect (User + date): Architect confirmation at Stage 5.
Pre-deployment Sign-off | Risk (User + date): Risk Manager confirmation at Stage 5.
Story / Task / Bug level | Stages 3, 4, 6
Field (Type): Description
Governing Epic (Epic link): Link to the controlling Epic. Mandatory for all stories in AI agent projects.
Governance Relevance (Dropdown): Affects agent scope / Tool boundaries / Credential access / Monitoring / No impact. The first four require Epic review before close.
OWASP Risk Reference (Dropdown): ASI01 / ASI02 / ASI03 / ASI05 / ASI10 / Other / Not applicable.
Compliance Evidence Required (Yes / No): Yes makes Evidence Reference mandatory before the item closes.
Evidence Reference (Text / link): Link to the compliance evidence record. Required when Compliance Evidence Required is Yes.
Scope Deviation (Yes / No): Yes requires the Governing Epic Scope Statement to be updated and re-signed before this item closes.
Activity Diagram | Jira Configuration Flow (v1.0 MVP)
Check: does the "AI Agent Epic" issue type exist in this project? If not, create the "AI Agent Epic" issue type.
→ Create Epic-level custom fields → Create Story / Task / Bug fields → Add workflow transition conditions
→ OWASP applies? Yes: add the 5 OWASP overlay fields (ASI01 / ASI02 / ASI03 / ASI05 / ASI10). No: skip.
→ Jira Automation available? Yes: create scheduled monitoring automation. No: set up a manual recurring task template.
→ Run a test Epic to validate fields → All fields and gates OK? No: fix and re-test. Yes: done.

v1.1 will add compliance-check decision nodes for the Story and testing-evidence branches.

1
Create "AI Agent Epic" issue type

Create a new Epic-level issue type in Jira settings and name it "AI Agent Epic". This keeps the custom fields scoped to AI agent work.

Settings > Issues > Issue types > Add issue type
Name: AI Agent Epic | Type: Epic
2
Create Epic-level custom fields

Create each field from the Epic Field Reference above. Associate with "AI Agent Epic" issue type only.

Settings > Issues > Custom fields > Create custom field
Select type > Name as listed > Associate with AI Agent Epic
3
Create Story-level fields

Create each field from the Story Field Reference. Associate with Story, Task, and Bug across projects containing AI agent work.

4
Add workflow transition conditions

Prevent "Move to In Development" unless Named Accountability Owner and Scope Statement are populated. Prevent Stories closing if Scope Deviation is Yes and Epic is not updated.

Workflow > Edit workflow > Transition: "Move to In Development"
Condition: "Named Accountability Owner" is not empty
Condition: "AI Agent Scope Statement" is not empty
5
Activate OWASP overlay fields

Add the five OWASP overlay fields to the AI Agent Epic screen for relevant projects. Mark as required at Stage 5.

6
Create recurring monitoring task automation

Automate Stage 6 monitoring tasks to generate on the cadence set in the Monitoring Cadence field, assigned to the Named Accountability Owner.

Automation > Scheduled trigger > Frequency: [Monitoring Cadence]
Create Task > "Monitoring review | [Epic name]"
Assignee: Named Accountability Owner > Link to Epic
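The gate rules the six steps above configure, expressed as a check a practitioner could run over exported issue data (an added example, not part of the 4iGov template). Field names are the ones in the field references above; the story markers epic_reviewed and scope_resigned and the sample Epic are assumptions constructed for the example.

```python
# Stage 5 gate and story-close checks written against the field names and rules in
# the field references above. "epic_reviewed" and "scope_resigned" are assumed
# story-level markers, not fields the template defines.

EPIC_REQUIRED_AT_STAGE_5 = (
    "AI Agent Scope Statement", "Named Accountability Owner", "Monitoring Cadence",
    "Pre-deployment Sign-off | PM", "Pre-deployment Sign-off | Architect",
    "Pre-deployment Sign-off | Risk",
)
# ASI02 (Tool Boundary Declaration) is required at Stage 3, so it is not in the Stage 5 set
OWASP_REQUIRED_AT_STAGE_5 = ("Goal Hijack Controls", "Credential Scope and Owner",
                             "Code Execution Validation", "Autonomy Boundary")
NEEDS_EPIC_REVIEW = {"Affects agent scope", "Tool boundaries", "Credential access", "Monitoring"}

def _blank(value):
    return value is None or value == [] or (isinstance(value, str) and not value.strip())

def epic_gate_failures(epic, owasp_applies=True):
    """Return every Stage 5 gate condition the Epic fails; an empty list means the gate passes."""
    fails = [f"{f} is empty" for f in EPIC_REQUIRED_AT_STAGE_5 if _blank(epic.get(f))]
    if _blank(epic.get("Permitted Data Types")):
        fails.append("Permitted Data Types: at least one required")
    if owasp_applies:
        fails += [f"{f} is empty" for f in OWASP_REQUIRED_AT_STAGE_5 if _blank(epic.get(f))]
    return fails

def story_close_failures(story):
    """Return the conditions that block closing a Story/Task/Bug under the template's rules."""
    fails = []
    if _blank(story.get("Governing Epic")):
        fails.append("Governing Epic link is mandatory")
    if story.get("Governance Relevance") in NEEDS_EPIC_REVIEW and not story.get("epic_reviewed"):
        fails.append("Governance Relevance requires Epic review before close")
    if story.get("Compliance Evidence Required") == "Yes" and _blank(story.get("Evidence Reference")):
        fails.append("Evidence Reference required when Compliance Evidence Required is Yes")
    if story.get("Scope Deviation") == "Yes" and not story.get("scope_resigned"):
        fails.append("Scope Deviation requires the Epic Scope Statement to be updated and re-signed")
    return fails

# Constructed sample Epic: the Risk sign-off and the ASI10 Autonomy Boundary are still missing
SAMPLE_EPIC = {
    "AI Agent Scope Statement": "Drafts replies to support tickets; never sends external mail.",
    "Permitted Data Types": ["Internal comms"], "Named Accountability Owner": "j.doe",
    "Monitoring Cadence": "Weekly", "Pre-deployment Sign-off | PM": "a.pm 2026-04-01",
    "Pre-deployment Sign-off | Architect": "b.arch 2026-04-01",
    "Goal Hijack Controls": "Objectives listed in Epic; weekly log review for off-goal actions.",
    "Credential Scope and Owner": "Read-only ticket API token, 90-day expiry, reviewer j.doe, monthly.",
    "Code Execution Validation": "Agent does not generate or execute code.",
}
```

Running epic_gate_failures(SAMPLE_EPIC) lists the two missing items, so the "Move to In Development" style condition blocks until the Risk Manager signs off and the Autonomy Boundary is declared.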

Published by 4iGov.cloud. Version 1.0, April 2026. Free to use and adapt with attribution.

Citation: Source: 4iGov Design-Time Contract v1.0 | 4igov.cloud/dtc

Questions: [email protected] | Not legal or compliance advice.