Module 06 · Operations · 10 min

Risk, governance, and compliance.

AI Employees can access sensitive data, execute code, and communicate externally. Here's how to deploy them without losing sleep.

Every CIO who hesitates on agents has the same three concerns: data leakage, bad output, accountability. We'll address all three.

By the end of this module

  • Set up audit trails that actually work
  • Build guard-rails into the agent design, not bolt them on after
  • Answer the 'who's responsible when an agent screws up' question

The three concerns

Data leakage: agents access sensitive systems, so what stops them from sending data outside? Bad output: what stops an agent from sending a wrong proposal to a major client? Accountability: when an agent does something wrong, who is responsible: the agent, the deployer, or the platform?

Guard-rails by design

Sandboxed execution. Output validators (a second agent reviews the first one's output). Policy engines (NemoClaw is NVIDIA's enterprise wrapper for OpenClaw — sandboxes, policy engine, privacy router). Compliance-aware prompts. Logged actions, replayable transcripts, immutable audit trails. Build these in from day 1.

The accountability stack

Three layers: the agent (does the action), the human approver (signs off when policy requires), the deployer/operator (responsible for the system). Same liability stack as any operations team. Auditable, replayable, defensible. Compliance-ready out of the box.

Do this · before the next module

01

Identify your compliance perimeter.

HIPAA, SOC2, FINRA, PCI, GDPR, CCPA — which apply to you? Write them down. Every agent deployment respects them.

02

Decide what requires human approval.

Outbound emails to customers? Contracts? Anything over a dollar threshold? Make the rule explicit. Then automate the rest.

03

Demand audit trails as a deployment requirement.

Every action logged. Every prompt versioned. Every output stored. If a vendor can't show you the audit trail, they're not deployment-ready.
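
Steps 02 and 03 can be made concrete as an explicit approval rule wired to a tamper-evident, hash-chained action log. This is an added example, not code from the course or from any vendor; the action types, the dollar threshold, the field names and the `AuditLog` class are assumptions chosen for illustration.

```python
import hashlib
import json

# Constructed approval rule; the action types and threshold are assumptions.
APPROVAL_TYPES = {"customer_email", "contract"}
APPROVAL_THRESHOLD_USD = 1000
GENESIS = "0" * 64  # prev-hash of the first entry


def needs_approval(action):
    """Explicit rule: listed action types, or anything over the dollar threshold."""
    return (action["type"] in APPROVAL_TYPES
            or action.get("amount_usd", 0) > APPROVAL_THRESHOLD_USD)


def _digest(prev_hash, body):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, agent, action, prompt_version, output, approver=None):
        gated = needs_approval(action)
        decision = "blocked" if gated and approver is None else "executed"
        body = {"seq": len(self.entries), "agent": agent, "action": action,
                "prompt_version": prompt_version, "output": output,
                "approver": approver, "decision": decision}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "body": body, "hash": _digest(prev, body)})
        return decision

    def verify(self):
        """Return the index of the first entry that fails the chain, or None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["body"]):
                return i
            prev = entry["hash"]
        return None
```

A hash chain makes edits detectable, not impossible: `verify()` is only meaningful if the most recent hash is also kept somewhere the log writer cannot rewrite, such as write-once storage or a separate system.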

Workbook · 5-minute exercise

Pick one compliance constraint that applies to your business (HIPAA, SOC2, data residency, etc.). Write down what an AI deployment would need to do to respect it.