AI-generated advice, marketing, or communications that fail KYC, suitability, disclosure, record-keeping, or model-risk-management expectations create regulatory exposure; weak supervision and accountability lines turn this into direct non-compliance.
AI/ML / Multi Agent Refarch / Threats / DEV
Non-compliant outputs and model-risk-management gaps
CCC.MARefArc.TH25
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.CP21 | Human supervision and oversight | Mechanisms for human reviewers to inspect, approve, correct, or override agent outputs, supporting human-in-the-loop and human-over-the-loop workflows for sensitive or high-impact tasks. |
| CCC.MARefArc.CP05 | Agent-ingress zero-trust guardrails | Treats all inputs as untrusted and enforces authentication, authorization, input validation, content filtering, access control, rate limits, and dynamic policy before any request reaches an agent. |
| CCC.MARefArc.CP02 | Human-in-the-loop output review | Application-embedded controls that allow users to review, approve, or modify agent outputs before they are executed or shared. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.CN03 | System Acceptance Testing | Validate agents, models, and end-to-end workflows against accuracy, robustness, bias, drift, and compliance criteria before promotion to production, and re-validate after material changes. |
| CCC.MARefArc.CN04 | Data Quality and Classification | Assess the quality of, and assign classification and sensitivity labels to, all data used for grounding, training, and fine-tuning, and enforce handling rules derived from those labels throughout the Knowledge and LLM layers. |
| CCC.MARefArc.CN05 | Legal and Contractual Frameworks for AI Systems | Establish contractual controls with model and MCP service providers covering data handling, retention and deletion, intellectual property, liability, and supply-chain integrity. |
| CCC.MARefArc.CN09 | Encryption of AI Data at Rest | Encrypt AI data at rest, including the vector store and source repositories, so that storage-level access does not expose embeddings or sensitive content. |
| CCC.MARefArc.CN20 | Citations and Source Traceability for AI-Generated Information | Attach citations and source traceability to AI-generated information so that outputs can be verified against retrieved sources and decisions can be explained. |
| CCC.MARefArc.CN22 | Preserving Source Data Access Controls in AI Systems | Propagate the access controls of source data into the retrieval path so that retrieval and generation cannot expose content a requesting user is not authorized to see. |
| CCC.MARefArc.CN23 | Agent Decision Audit and Explainability | Record an auditable trace of agent decisions, including tool selections, inputs, and rationale, sufficient to explain and review autonomous actions after the fact. |
External Mappings
| Framework | ID | Remarks |
|---|---|---|
| air-vec | AIR-RC-022-01 | |
| air-vec | AIR-RC-022-02 | |
| air-vec | AIR-RC-022-03 | |
| air-vec | AIR-RC-022-04 |