Agent Governance Assistant
/install agent-gov

## Overview

A comprehensive AI-powered framework for governing enterprise AI agents — from audit trails and policy enforcement to regulatory compliance and risk reporting. As enterprise AI agents (Microsoft Agent 365, Copilot Studio, custom agents) proliferate, governance has become the #1 blocker to adoption. This skill bridges the gap between AI capability and enterprise control.

## Title

Enterprise AI Agent Governance Framework — Audit · Secure · Comply

## Triggers

- "agent governance" / "AI agent管理" / "代理治理"
- "enterprise AI compliance" / "企业AI合规"
- "shadow AI detection" / "影子AI排查"
- "AI policy enforcement" / "AI策略执行"
- "agent audit trail" / "代理审计日志"
- "Microsoft Agent 365 governance" / "Agent 365治理"
- "AI risk report" / "AI风险报告"
- "Copilot Studio compliance" / "Copilot合规"
- "China AI regulation" / "中国AI监管"
- "CBIRC AI guidance" / "银保监会AI指引"

---

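## 0. 2026 Enterprise AI Agent Governance: Latest Trends

| Date | Development | Governance implication |
|------|-------------|------------------------|
| July 2025 | China's "Interim Measures for the Management of Generative Artificial Intelligence Services" formally take effect | AI Agent services are brought under internet information service regulation; algorithm filing requirements extend to agents |
| November 2025 | MCP protocol handed over to the Linux Foundation | Standardized AI Agent tool integration creates new audit blind spots that must be brought into governance scope |
| January 2026 | NFRA holds its 2026 regulatory work conference; AI governance listed as a priority | The regulatory framework for AI Agent applications in the financial sector is being drawn up at an accelerated pace |
| 2026 | Large-scale enterprise deployment of Microsoft Agent 365/Copilot Studio | Agent behavior auditing, data isolation, and permission control become the core of compliance |
| 2026 | Shadow AI detection upgrade: from API monitoring to behavior analysis | Traditional DLP monitoring is insufficient; UEBA (User and Entity Behavior Analytics) needs to be introduced |

**Core governance challenge for 2026:** The number of enterprise AI agents is surging (from 10 to 100+), and a traditional Agent Inventory can no longer meet regulatory requirements. A "zero-trust agent architecture" is recommended: each agent gets its own identity authentication, least privilege, data isolation, and complete audit logs.

---
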
## Workflow

### Phase 1 — Agent Inventory Discovery

**Step 1.1: Scan for Active AI Agents**

Generate a structured inventory of all AI agents in the enterprise environment.

**Input required:**
- List of known AI platforms in use (e.g., Microsoft 365 Copilot, Salesforce Einstein, custom LangChain agents, RPA bots)
- Department ownership mapping
- API endpoints or integration points

**Output:** Agent Inventory Table

| Agent ID | Platform | Owner | Department | Capabilities | Data Access Level | Last Active |
|----------|----------|-------|------------|--------------|-------------------|------------|
| AG-001 | Microsoft Agent 365 | IT Admin | Finance | Email drafting, meeting prep | Full mailbox | 2026-05-07 |

**Step 1.2: Classify Agent Risk Level**

Assign risk tier (Low / Medium / High / Critical) based on:
- Data sensitivity (PII, financial, health, IP)
- External interaction (internet, customers, third parties)
- Autonomy level (advisory only → full automation)
- Regulatory exposure (CBIRC, CFCA, personal information protection)

**Risk Classification Matrix:**

| Tier | Criteria | Example | Audit Frequency |
|------|----------|---------|----------------|
| Critical | Customer-facing + financial data + high autonomy | AI underwriting agent | Weekly |
| High | Internal + sensitive data + medium autonomy | AI claims processor | Monthly |
| Medium | Internal + general data + advisory only | AI meeting summarizer | Quarterly |
| Low | Internal + no sensitive data | AI email categorizer | Bi-annual |

---

### Phase 2 — Policy Framework Design

**Step 2.1: Define Governance Policies**

Generate tailored governance policies based on enterprise type and regulatory context.

For China Financial Institutions (CBIRC/CFCA):
```
POLICY: CFCA-AI-001 — Agent Data Minimization
All AI agents must process only minimum necessary personal data.
Agents cannot retain PII beyond the transaction completion window.
Annual data audit required.

POLICY: CBIRC-AI-007 — Model Transparency
All AI-assisted decisions in underwriting/claims must provide
human-override capability and explainability documentation.

POLICY: AI-ENTERPRISE-003 — Agent Registration
All production AI agents must be registered in the Enterprise
Agent Registry with documented purpose, data scope, and owner.
Unregistered agents are prohibited from accessing customer data.
```

**Step 2.2: Policy Compliance Checker**

For each registered agent, evaluate against all applicable policies.

**Input:** Agent inventory + policy list
**Output:** Compliance gap matrix with severity scores

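One way to carry out the evaluation in Step 2.2 against the three policies from Step 2.1, as an added example that is not part of the skill itself. The registry field names, the severity scale (risk-tier weight) and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

TIER_WEIGHT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}  # assumed severity scale

@dataclass
class Agent:  # hypothetical registry record; all field names are assumptions
    agent_id: str
    tier: str
    registered: bool = True
    owner: Optional[str] = "owner-on-file"
    purpose: Optional[str] = "purpose-on-file"
    data_scope: Optional[str] = "scope-on-file"
    customer_data: bool = False            # agent reads customer data
    pii_retention_days: int = 0            # days PII is kept after the transaction
    decision_domain: Optional[str] = None  # "underwriting", "claims" or None
    human_override: bool = True
    explainability_doc: bool = True

def cfca_ai_001(a):  # no PII retention past the transaction completion window
    return ["PII retained past transaction window"] if a.pii_retention_days > 0 else []

def cbirc_ai_007(a):  # applies only to AI-assisted underwriting/claims decisions
    if a.decision_domain not in ("underwriting", "claims"):
        return []
    checks = {"no human override": a.human_override,
              "no explainability documentation": a.explainability_doc}
    return [gap for gap, ok in checks.items() if not ok]

def ai_enterprise_003(a):  # registry entry with purpose, data scope and owner
    gaps = [f"missing {f}" for f in ("owner", "purpose", "data_scope") if not getattr(a, f)]
    if not a.registered:
        gaps.append("unregistered" + (", accesses customer data" if a.customer_data else ""))
    return gaps

POLICIES = {"CFCA-AI-001": cfca_ai_001, "CBIRC-AI-007": cbirc_ai_007,
            "AI-ENTERPRISE-003": ai_enterprise_003}

def gap_matrix(agents):  # rows of (severity, agent, policy, gap), most severe first
    rows = [(TIER_WEIGHT[a.tier], a.agent_id, pid, gap)
            for a in agents for pid, check in POLICIES.items() for gap in check(a)]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

# Constructed sample inventory (not real agents).
INVENTORY = [
    Agent("AG-101", "Critical", pii_retention_days=30, decision_domain="claims", human_override=False),
    Agent("AG-102", "Low", registered=False, owner=None),
    Agent("AG-103", "High", registered=False, customer_data=True),
]
```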
---

### Phase 3 — Shadow AI Detection

**Step 3.1: Identify Unauthorized Agent Usage**

Scan for signs of shadow AI — employees using personal AI tools on corporate data.

**Detection indicators:**
- Third-party AI API calls from corporate networks (non-approved domains)
- AI tool usage logs in DLP (Data Loss Prevention) systems
- Browser extensions accessing corporate APIs
- Unsanctioned Zapier/Make/n8n workflows connecting to company data

**Output:** Shadow AI Exposure Report

| Finding | Risk Level | Data at Risk | Recommended Action |
|---------|-----------|-------------|-------------------|
| Employee using free ChatGPT API for customer email drafting | CRITICAL | Customer PII + contract terms | Immediate block + compliance training |
| Unsanctioned n8n workflow syncing CRM to personal AI tool | HIGH | Contact data + deal values | Replace with approved integration |

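The first detection indicator (AI API calls to non-approved domains), run over proxy logs, as an added example that is not part of the skill itself. The domains are the placeholder names from this page's block and allow lists; the log format, the upload-volume risk heuristic and the sample lines are assumptions. Matching is on dot boundaries, so a lookalike host that merely contains an approved name is still reported.

```python
from collections import defaultdict

# Domains taken from the page's example lists; using them as an AI-service catalog is an assumption.
AI_SERVICES = {"personal-ai-tool-1.com", "ai-tool-free.xyz", "approved-vendor-ai.com"}
ALLOW = {"approved-vendor-ai.com"}

def matches(host, domains):
    """True if host is a listed domain or a subdomain of one (dot-boundary, not substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def parse(line):
    # Constructed proxy-log format: "<time> <user> <method> <host> <bytes_out>"
    ts, user, method, host, bytes_out = line.split()
    return user, host.lower().rstrip("."), int(bytes_out)

def shadow_ai_findings(lines, upload_threshold=10_000):
    """Per (user, host) totals for AI-service traffic that is not on the allow list."""
    totals = defaultdict(lambda: [0, 0])  # (user, host) -> [requests, bytes_out]
    for line in lines:
        try:
            user, host, sent = parse(line)
        except ValueError:
            continue  # malformed line: skip it and keep scanning
        if matches(host, AI_SERVICES) and not matches(host, ALLOW):
            totals[(user, host)][0] += 1
            totals[(user, host)][1] += sent
    # Risk level by upload volume is an assumed heuristic, not the page's scoring.
    return [(user, host, n, sent, "HIGH" if sent >= upload_threshold else "MEDIUM")
            for (user, host), (n, sent) in sorted(totals.items())]

# Constructed sample log lines.
SAMPLE_LOG = """\
2026-05-07T09:01:12Z alice POST api.personal-ai-tool-1.com 48211
2026-05-07T09:02:40Z alice POST api.personal-ai-tool-1.com 1200
2026-05-07T09:03:05Z bob POST api.approved-vendor-ai.com 90000
2026-05-07T09:04:51Z carol GET approved-vendor-ai.com.ai-tool-free.xyz 300
2026-05-07T09:05:00Z dave GET intranet.corp.example 120
truncated line
""".splitlines()

if __name__ == "__main__":
    for finding in shadow_ai_findings(SAMPLE_LOG):
        print(finding)
```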
---

### Phase 4 — Audit Trail & Reporting

**Step 4.1: Generate Governance Audit Report**

Produce a structured audit report for internal risk committees and external regulators.

**Report Sections:**
1. Executive Summary (1 page)
2. Agent Inventory & Risk Classification
3. Policy Compliance Scorecard
4. Shadow AI Findings
5. Open Risks & Remediation Roadmap
6. Appendix: Agent Decision Logs (sample)

**Step 4.2: Generate Regulatory Filing**

Format findings as a CBIRC/CFCA-compliant governance disclosure.

---

## Input / Output Examples

### Example 1: Enterprise Agent Audit

**Input:**
```
We have 12 AI agents across Finance, Claims, and Sales departments.
Recent CBIRC guidance requires quarterly AI governance reporting.
We discovered 3 employees using personal AI tools for work tasks.
```

**Output:**
```
## Phase 1: Agent Inventory
[Structured table of 12 agents with risk tiers]

## Phase 2: Policy Gap Analysis
- 4 agents non-compliant with CFCA-AI-001 (data minimization)
- 2 agents lack human-override capability (CBIRC-AI-007)
- 6 agents unregistered (AI-ENTERPRISE-003 violation)

## Phase 3: Shadow AI Findings
[Shadow AI report with 3 findings]

## Phase 4: Compliance Score — 58/100
Recommended actions prioritized by risk.

## Report ready for CBIRC Q2 submission.
```

### Example 2: Microsoft Agent 365 Governance Setup

**Input:**
```
We are deploying Microsoft Agent 365 across 200 users.
IT needs to configure governance controls before go-live.
Finance and Claims departments need different permission levels.
```

**Output:**
```
## Agent 365 Governance Configuration

### Recommended Permission Matrix
| Department | Agent Capabilities | Data Scope | Human-in-Loop | Audit Level |
|------------|-------------------|------------|---------------|-------------|
| Finance | Report generation, variance analysis | Financial data only | Required for >¥100K | Full |
| Claims | Document review, fraud flag | Claims data | Required for >¥10K | Full |
| Sales | Lead scoring, email drafting | CRM data | Advisory only | Standard |

### Governance Policies to Enable
1. Data Loss Prevention (DLP) rules for PII in agent prompts
2. Agent activity logging to Sentinel/Log Analytics
3. Approval workflows for high-stakes agent actions
4. Monthly governance review dashboard

### Shadow AI Pre-emption
Block list: [personal-ai-tool-1.com, ai-tool-free.xyz]
Allow list: [Copilot, Agent 365, approved-vendor-ai.com]
```

---

## Notes & Best Practices

1. **Start with inventory before policy.** You cannot govern what you cannot see.
2. **China-specific:** For CBIRC/CFCA regulated entities, always include PIPL (个人信息保护法) compliance in the policy framework. Agents processing insurance claims data are subject to strict data minimization requirements.
3. **Human-in-the-loop is non-negotiable** for any agent making or materially influencing financial decisions.
4. **Shadow AI is the #1 undetected risk** — prioritize network-level API monitoring.
5. **Update agent registry quarterly** — AI agent proliferation is fast; stale inventories create blind spots.
6. **Leverage Microsoft Purview** for data classification feeding into agent governance policies.
7. **Regulatory alignment:** Check current CBIRC AI guidance, CFCA fintech guidelines, and the generative AI regulation framework when generating policies.

---

*Author: @gechengling | Skill: agent-governance-assistant | clawhub.ai/gechengling/agent-governance-assistant*

- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install agent-gov`
- After installation, invoke the skill by name or use `/agent-gov`
- Provide required inputs per the skill's parameter spec and get structured output

What is Agent Governance Assistant?
UPDATED 2026: Covers China AI Agent governance regulations (generative AI regulations), MCP protocol governance implications, and enterprise AI audit framewo... It is an AI Agent Skill for Claude Code / OpenClaw, with 99 downloads so far.
How do I install Agent Governance Assistant?
Run "/install agent-gov" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Agent Governance Assistant free?
Yes, Agent Governance Assistant is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Agent Governance Assistant support?
Agent Governance Assistant is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Agent Governance Assistant?
It is built and maintained by lingfeng-19 (@gechengling); the current version is v4.0.0.