AI · CY · MA · Oct 28, 2025

Policy Cards: Machine-Readable Runtime Governance for Autonomous AI Agents

arXiv:2510.24383v1 · 2 citations · h-index: 5
Originality: Incremental advance
AI Analysis

This addresses the need for accountable autonomy in AI agents, particularly for deployment in regulated environments, though it is incremental as it builds on existing transparency artifacts like Model Cards.

The paper tackles the problem of governing autonomous AI agents by introducing Policy Cards, a machine-readable standard for encoding operational, regulatory, and ethical constraints at runtime, enabling verifiable compliance and integration with assurance frameworks like NIST AI RMF and the EU AI Act.

Policy Cards are introduced as a machine-readable, deployment-layer standard for expressing operational, regulatory, and ethical constraints for AI agents. The Policy Card sits with the agent and enables it to follow required constraints at runtime. It tells the agent what it must and must not do. As such, it becomes an integral part of the deployed agent. Policy Cards extend existing transparency artifacts such as Model, Data, and System Cards by defining a normative layer that encodes allow/deny rules, obligations, evidentiary requirements, and crosswalk mappings to assurance frameworks including NIST AI RMF, ISO/IEC 42001, and the EU AI Act. Each Policy Card can be validated automatically, version-controlled, and linked to runtime enforcement or continuous-audit pipelines. The framework enables verifiable compliance for autonomous agents, forming a foundation for distributed assurance in multi-agent ecosystems. Policy Cards provide a practical mechanism for integrating high-level governance with hands-on engineering practice and enabling accountable autonomy at scale.
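As an added illustration (not code from the paper or from this page), the sketch below shows how a deployment might validate a card and enforce it at runtime with deny-overrides, fail-closed evaluation and an evidence record pinned to the card's hash. The card layout, the field names and the `payments-agent` sample are assumptions made for the example; the paper's actual schema is not reproduced on this page.

```python
import hashlib
import json

# Constructed card; field names are assumptions, not the paper's schema.
CARD = {
    "id": "payments-agent", "version": "1.2.0",
    "rules": [
        {"effect": "deny", "action": "transfer_funds", "when": {"amount_gt": 1000}},
        {"effect": "allow", "action": "transfer_funds",
         "obligations": ["log_decision"], "evidence": ["request_id", "amount"]},
        {"effect": "allow", "action": "read_balance"},
    ],
}

def validate_card(card):
    """Return schema errors; an empty list means the card is usable."""
    errors = [f"missing field: {k}" for k in ("id", "version", "rules") if k not in card]
    for i, rule in enumerate(card.get("rules", [])):
        if rule.get("effect") not in ("allow", "deny"):
            errors.append(f"rule {i}: effect must be allow or deny")
        if not isinstance(rule.get("action"), str):
            errors.append(f"rule {i}: action must be a string")
    return errors

def card_digest(card):
    """Hash the canonical JSON so audit records pin the exact card contents."""
    return hashlib.sha256(json.dumps(card, sort_keys=True).encode()).hexdigest()

def _matches(rule, action, ctx):
    if rule["action"] != action:
        return False
    limit = rule.get("when", {}).get("amount_gt")
    # A missing amount is treated as unbounded so conditional denies fail closed.
    return limit is None or ctx.get("amount", float("inf")) > limit

def decide(card, action, ctx):
    """Deny overrides allow; no matching rule or missing evidence is a deny."""
    if validate_card(card):
        return {"decision": "deny", "reason": "invalid card"}
    record = {"card": card["id"], "version": card["version"], "digest": card_digest(card), "action": action}
    hits = [r for r in card["rules"] if _matches(r, action, ctx)]
    if not hits or any(r["effect"] == "deny" for r in hits):
        return {**record, "decision": "deny", "reason": "deny rule or no allow rule"}
    needed = [f for r in hits for f in r.get("evidence", [])]
    missing = [f for f in needed if f not in ctx]
    if missing:
        return {**record, "decision": "deny", "reason": f"missing evidence: {missing}"}
    return {**record, "decision": "allow", "evidence": {f: ctx[f] for f in needed},
            "obligations": [o for r in hits for o in r.get("obligations", [])]}
```

Every returned record carries the card id, version and digest, so an audit pipeline can tie each decision to the exact card that produced it.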
