You've decided your organization needs an agent governance program. Maybe a board member asked the question nobody could answer. Maybe an audit flagged the gap. Maybe you read about a competitor's agent-related incident and realized you have the same exposure. Maybe you read the previous eleven articles in this series and decided you're done waiting.
Whatever the trigger, you're starting from zero — no agent inventory, no policies, no monitoring, no defined accountability. And you need to build something credible, functional, and defensible in a timeframe that doesn't require a two-year program plan and a seven-figure budget.
This is the 90-day playbook. Three phases, each building on the last, each producing tangible outputs that demonstrate progress and reduce risk. By the end of 90 days, you'll have a governance program that you can present to your board, defend to your auditors, and build on over time.
Phase 1: Discovery and Foundation (Days 1–30)
The first phase is about understanding what you're governing and establishing the basic infrastructure to govern it. You can't protect what you can't see.
Week 1: Secure Sponsorship and Assign Ownership
Days 1-3: Executive sponsorship. Agent governance needs an executive sponsor — ideally the CISO, but the CTO or CRO can also work depending on your organizational structure. The sponsor provides budget authority, organizational mandate, and air cover when governance requirements create friction with deployment teams.
Prepare a brief for your sponsor: the business case for agent governance (regulatory trajectory, incident risk, board-level exposure), the scope of the program, the resources you'll need, and the 90-day timeline. Get explicit sign-off.
Days 3-5: Assign a governance lead. Designate a specific individual as the agent governance lead. This person will own the program day-to-day. Depending on organizational size, this might be a full-time role, a significant portion of an existing security or compliance role, or a rotation among the security team. The key requirement is that someone specific is accountable — not "the security team" but a named person.
Day 5: Establish a working group. Recruit representatives from the teams most likely to have deployed agents: engineering, data science, IT operations, customer service, and any team that has adopted AI tools. This working group will be your primary source of information during discovery and your primary channel for policy implementation.
Week 2-3: Conduct the Agent Inventory
This is the single most important activity in the entire 90 days. Everything else depends on knowing what agents exist in your environment.
Approach the inventory from multiple angles:
Top-down survey. Send a structured questionnaire to every department head and team lead asking whether their team has deployed, built, or uses AI agents, chatbots, automated workflows, or AI-powered tools that access internal systems. Define "agent" broadly — you'd rather catch too much than too little. Include specific examples to help non-technical respondents identify agents they might not recognize as such.
Technical discovery. Work with IT operations to identify agent-like activity in your systems. Look for service accounts that were created in the last 12 months and are making regular API calls. Look for API keys issued to individual developers that show automated access patterns (high frequency, regular intervals, systematic data access). Review cloud provider logs for AI API calls (OpenAI, Anthropic, Google, etc.) coming from your network. Check for deployed containers or services with names that suggest agent or AI functionality.
Procurement and finance review. Check for subscriptions to agent platforms (LangChain, CrewAI, AutoGen, Copilot Studio, etc.), AI API charges (OpenAI, Anthropic), and agent-adjacent services that might indicate shadow agents.
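One way to run the technical-discovery check for credentials with automated access patterns, as an added example that is not the article's or AgentGuru's code. The log layout, the constructed sample lines and the volume/regularity thresholds are all assumptions; in practice you would feed it your API gateway or cloud audit log.

```python
# Added example (not from the article or AgentGuru): flag principals whose API access
# looks automated. Log layout "<ISO timestamp> <principal> <method> <path>" and the
# thresholds are assumptions; the log lines below are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2024-03-04T09:00:00Z carol-personal-key GET /api/customers
2024-03-04T09:10:00Z carol-personal-key GET /api/customers
2024-03-04T09:20:00Z carol-personal-key GET /api/customers
2024-03-04T09:30:00Z carol-personal-key GET /api/customers
2024-03-04T09:40:00Z carol-personal-key GET /api/customers
2024-03-04T09:50:00Z carol-personal-key GET /api/customers
2024-03-04T08:12:33Z bob GET /api/orders
2024-03-04T08:14:01Z bob GET /api/orders/9
2024-03-04T11:40:27Z bob GET /api/customers
2024-03-04T13:05:50Z bob POST /api/orders
2024-03-04T17:58:03Z bob GET /api/orders
"""

def parse_log(text):
    """Group request timestamps by authenticating principal."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, principal, _method, _path = line.split()
        events[principal].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return events

def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between requests; 0.0 is perfectly periodic.
    Returns None when there are too few requests to judge."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else 0.0

def find_automated_principals(text, min_events=5, max_cv=0.2):
    """Return principals with enough volume and near-periodic timing to warrant
    adding them to the agent inventory as candidate (possibly shadow) agents."""
    findings = {}
    for principal, stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        cv = interval_regularity(stamps)
        if cv is not None and cv <= max_cv:
            findings[principal] = {"events": len(stamps), "interval_cv": round(cv, 3)}
    return findings
```

A developer key that fires every ten minutes against the same endpoint is flagged, while the interactive user with irregular timing is not; each hit is a lead for the inventory, not a verdict.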
For each agent identified, document:
- Agent name and description
- Owning team and responsible individual
- Data sources accessed (specific systems and data types)
- Actions the agent can take (read-only vs. write, internal vs. external)
- Underlying model or platform
- Date deployed
- Authentication method and credentials used
- Current monitoring and logging status
Expect this to take two full weeks. You will discover agents you didn't know existed. That's the point.
Week 3-4: Risk Assessment and Prioritization
Score every agent using the five-dimension risk methodology — data access scope, action scope, autonomy level, error impact, and compliance exposure. This produces a composite risk score for each agent that maps to a governance tier.
Build the risk heat map. Visualize your agent portfolio by risk score. This becomes your prioritization tool — governance controls are implemented in order of risk, not in order of discovery or organizational politics.
Identify critical gaps. For your highest-risk agents (Tier 3 and 4), identify the most urgent governance gaps. Common findings: agents running on personal API keys, agents with over-provisioned data access, agents with no monitoring or logging, and agents with no documented owner.
Produce the Discovery Report. Compile the inventory, risk assessment, and gap analysis into a board-presentable document. This is your first tangible output and the foundation for everything that follows. Share it with your executive sponsor and governance working group.
Phase 2: Policy and Controls (Days 31–60)
The second phase translates discovery findings into governance policies and begins implementing technical controls. The priority is establishing minimum viable governance for your highest-risk agents while building the policy framework that will cover all agents over time.
Week 5-6: Draft Core Policies
You need five core policy documents to establish a credible governance program. Don't try to write perfect policies — write good-enough policies that can be refined over time.
1. Agent Acceptable Use Policy. Defines what agents are in your organization's context, who is authorized to deploy them, what approvals are required, and what uses are prohibited. This is the foundational document that establishes organizational expectations.
2. Agent Data Access and Permissions Policy. Defines how agent data access is scoped, approved, and reviewed. Establishes the principle of least privilege for agents, requires data classification before agent access is granted, and mandates periodic access reviews.
3. Agent Onboarding and Approval Workflow. Defines the process for getting a new agent approved for deployment. Includes a risk assessment step, security review for high-risk agents, documentation requirements, and approval authorities based on risk tier.
4. Agent Incident Response Playbook. Defines how agent-related incidents are detected, classified, contained, remediated, and reviewed. Includes kill switch procedures, escalation paths, and communication templates.
5. Agent Decommissioning Runbook. Defines the process for safely retiring an agent — credential revocation, data purging, documentation archival, and confirmation of complete shutdown.
For each policy, the minimum viable version includes: scope (which agents it covers), requirements (what must be done), responsibilities (who does it), procedures (how it's done), and exceptions (how to request a variance).
Week 6-7: Implement Critical Controls
While policies establish requirements, controls enforce them. Focus on the highest-risk agents first.
Credential remediation. Any agent running on a personal API key or shared credentials should be migrated to a dedicated service account immediately. This is typically the highest-leverage control you can implement in terms of risk reduction per hour of effort.
Access scope reduction. For agents with over-provisioned data access — and the inventory will have identified several — work with the owning teams to reduce access to the minimum required. Create database views or API facades where broad access was granted for convenience.
Logging activation. For critical agents with no monitoring, implement basic input/output logging. This doesn't require a sophisticated observability platform — even writing logs to a centralized log store (CloudWatch, ELK, Splunk) is a significant improvement over nothing.
Kill switch documentation. For every Tier 3-4 agent, document the exact steps required to immediately shut down the agent and revoke its credentials. Test each kill switch procedure. Store the documentation where the incident response team can access it.
Week 7-8: Establish Governance Cadence
Launch the governance review cycle. Define how frequently agent governance is reviewed — monthly for the governance working group, quarterly for executive and board reporting. Schedule the first three months of reviews now.
Create the governance dashboard. Build a simple dashboard (even a spreadsheet is fine for now) that tracks: total agent count, agents by risk tier, policy compliance status by agent, open remediation items, and trend over time. This dashboard is what you'll present to your sponsor and the board.
Communicate the program. Announce the agent governance program to the organization. Communicate the new policies, the onboarding process, and the expectation that all agents — existing and new — will be brought under governance. Provide a grace period (30 days is reasonable) for teams to bring existing agents into compliance.
Phase 3: Operationalization and Scale (Days 61–90)
The third phase transitions from "building the program" to "running the program." The focus shifts from establishing policies to demonstrating that they're being followed, and from critical controls to sustainable processes.
Week 9-10: Onboarding Process Validation
Process the backlog. By now, the agent inventory should be complete and policies should be published. Every existing agent should go through the onboarding process — even retroactively. This validates that the process works, identifies agents that can't meet policy requirements (and need to be decommissioned or remediated), and produces a complete governance record for every agent.
Refine based on feedback. The onboarding process will need adjustment based on real-world experience. Listen to the teams going through it. If the process takes too long, streamline it. If the risk assessment questions are ambiguous, clarify them. The goal is a process that people use because it's reasonable, not one they bypass because it's burdensome.
Handle exceptions. Some agents won't fit neatly into your policy framework. Establish an exception process — a formal request that documents why an agent can't meet a specific requirement, what compensating controls are in place, and when the exception will be reviewed. Every exception should have an expiration date.
Week 10-11: Monitoring and Metrics
Establish governance metrics. Define the KPIs that tell you whether the program is working:
- Percentage of known agents with completed governance documentation
- Percentage of Tier 3-4 agents with active monitoring
- Average time from agent deployment to governance review
- Number of agents operating without a designated owner
- Number of open remediation items by age and severity
- Incident count and mean time to containment
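The five-dimension risk scoring from Phase 1 and the KPIs listed above, carried through on a constructed inventory as one added example (not the article's or AgentGuru's code). The 1-5 scale per dimension, equal weighting, the tier thresholds and the 30-day age bucket are assumptions; substitute your own methodology's values.

```python
# Added example (not from the article or AgentGuru): score a constructed inventory on the
# five risk dimensions and compute governance KPIs. Scale, weights and tier cut-offs are assumed.
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Optional

DIMENSIONS = ("data_access", "action_scope", "autonomy", "error_impact", "compliance")
AS_OF = date(2024, 4, 1)  # constructed "today" for the KPI snapshot
@dataclass
class Agent:
    name: str
    owner: Optional[str]          # None means no designated owner
    scores: dict                  # dimension -> 1 (low) .. 5 (high)
    documented: bool              # governance documentation complete
    monitored: bool               # active monitoring in place
    deployed: date
    reviewed: Optional[date]      # date of governance review, if any
    open_items: list = field(default_factory=list)  # (severity, date opened)

def composite_score(agent):
    return sum(agent.scores[d] for d in DIMENSIONS)

def tier(agent):
    """Assumed mapping of the 5-25 composite score onto governance tiers 1-4."""
    s = composite_score(agent)
    return 1 if s < 10 else 2 if s < 15 else 3 if s < 20 else 4

def governance_kpis(agents, today):
    high = [a for a in agents if tier(a) >= 3]
    reviewed = [a for a in agents if a.reviewed]
    aged = {"under_30d": 0, "over_30d": 0}
    for a in agents:
        for _severity, opened in a.open_items:
            aged["under_30d" if (today - opened).days < 30 else "over_30d"] += 1
    return {
        "pct_documented": round(100 * sum(a.documented for a in agents) / len(agents), 1),
        "pct_tier3_4_monitored": round(100 * sum(a.monitored for a in high) / len(high), 1) if high else None,
        "avg_days_to_review": round(mean((a.reviewed - a.deployed).days for a in reviewed), 1) if reviewed else None,
        "agents_without_owner": sum(a.owner is None for a in agents),
        "open_items_by_age": aged,
    }
INVENTORY = [  # constructed sample records
    Agent("support-chatbot", "cs-team", dict(zip(DIMENSIONS, (4, 3, 4, 4, 5))), True, True,
          date(2024, 1, 10), date(2024, 3, 1), [("high", date(2024, 3, 20))]),
    Agent("finance-reconciler", None, dict(zip(DIMENSIONS, (5, 5, 3, 5, 4))), False, False,
          date(2023, 11, 2), None, [("critical", date(2024, 2, 1)), ("medium", date(2024, 3, 25))]),
    Agent("wiki-summarizer", "eng-platform", dict(zip(DIMENSIONS, (2, 1, 2, 1, 1))), True, False,
          date(2024, 2, 15), date(2024, 2, 20)),
]
```

Calling governance_kpis(INVENTORY, AS_OF) gives the dashboard row for the month; the unowned, unmonitored Tier 4 agent with a 60-day-old critical item is exactly the kind of gap the metrics are meant to surface.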
Automate where possible. Even simple automation helps — scripts that check for new service accounts, alerts for API keys approaching expiration, automated reports from your logging infrastructure summarizing agent activity.
Conduct the first tabletop exercise. Run a simulated agent incident with your response team. Pick a realistic scenario — an agent producing incorrect outputs, an agent accessing data outside its scope, a shadow agent discovered during a security review. Walk through the response, identify gaps in the playbook, and update accordingly.
Week 11-12: Board Readiness and Continuous Improvement
Prepare the board presentation. Compile the 90-day program into a board-ready package: the agent inventory summary, the risk assessment findings, the governance program overview (policies, controls, monitoring), the governance metrics dashboard, and the forward plan. The tone should be "here's what we found, here's what we've done about it, here's what's next" — candid about gaps, concrete about progress.
Define the Year 1 roadmap. The 90-day program gets you to a credible baseline. The Year 1 roadmap takes you to operational maturity. Typical Year 1 priorities include: automating the onboarding process, implementing behavioral monitoring for critical agents, conducting a formal incident response exercise, establishing vendor governance for agent platforms, developing agent governance training for deployment teams, and integrating agent governance into the broader IT governance framework.
Establish the feedback loop. Schedule quarterly retrospectives on the governance program. What's working? What's creating friction without reducing risk? What new agent types or use cases have emerged? The program should evolve with the organization's agent usage, not calcify into a static set of policies that become increasingly disconnected from reality.
What This Costs
The 90-day program is designed to be achievable without a dedicated budget line. It requires:
- One named governance lead (partial FTE for 90 days)
- Working group members' time (2-4 hours per week during Phase 1, 1-2 hours during Phases 2-3)
- Executive sponsor's time (monthly check-ins, Phase 3 board preparation)
- No new technology purchases required — existing logging, monitoring, and collaboration tools are sufficient for the baseline
The most significant investment is time and organizational attention, not money. The governance toolkit and policy templates available from AgentGuru can compress the policy drafting phase from weeks to days by providing professionally structured templates that need customization, not creation from scratch.
Day 91 and Beyond
On day 91, you have something most organizations don't: a functioning agent governance program with an inventory, policies, controls, monitoring, and metrics. It's not perfect — no governance program is on day 91 — but it's real, it's defensible, and it provides the foundation for continuous improvement.
The organizations that build this capability now — while agent deployments are still manageable in number and complexity — will govern smoothly as agent usage scales. The organizations that wait will be trying to build governance around an entrenched, undocumented, ungoverned agent infrastructure.
I've seen both paths. The first is hard but manageable. The second is a crisis.
Start today.
Compress your 90-day timeline. The Agent Governance Toolkit provides all five core policy templates, the risk assessment methodology, onboarding workflow, incident response playbook, and decommissioning runbook — ready for customization. What takes weeks to draft from scratch takes days with the toolkit. Get the toolkit at agentguru.co →
Want expert guidance? The Agent Governance Readiness Assessment is a structured engagement where we conduct the discovery, build the risk assessment, and deliver the governance roadmap — accelerating your 90-day program with practitioner expertise. Learn more at agentguru.co →
Build internal expertise. The Certified Agent Governance Professional (CAGP) program trains your team to own and operate the governance program long-term. Join the waitlist at agentguru.co →
Ritesh Vajariya is the CEO of AI Guru and founder of AgentGuru. Previously AWS Principal ($700M+ AI revenue), BloombergGPT Architect, and Cerebras Global Strategy Lead. He has trained 35,000+ professionals and built products serving 50,000+ users.