Autonomy Ladder Assessment

Fifteen questions on write authority, the veto layer, the replayable ledger, and the controls a regulator or PE diligence team asks about first. Answer for the program as it runs today, not as it is documented. You get a deterministic A0–A4 tier and score — framework only, no advice.

0 of 15 answered

What write authority does the AI program currently hold over the system of record?

Recommends only; a human types the final write Drafts a write; a human approves every write before it commits Writes inside a defined envelope; sampled review in-envelope, manual review out-of-envelope Writes autonomously inside scope; non-overridable veto layer in front of every write Writes autonomously, orchestrates other agents, runs validated escalation paths

If a regulator asked for a replayable record of every consequential decision last quarter, what could you produce?

Application logs at best; no decision-level reconstruction Decision logs exist but are not replayable end-to-end Replayable for a sampled subset; full ledger for out-of-envelope cases Live append-only ledger for every in-scope decision; regulator-replayable >= 90 days Above plus a continuous monitor that flags ledger gaps within minutes

Is there a control plane in front of every consequential write that the AI program cannot override?

No; the AI's output is committed as written Yes for some write classes; the agent can append to its own context to retry Yes for high-risk classes; sampled enforcement on others Yes for every in-scope write; the veto is non-overridable and load-tested Above plus second-order veto across orchestrated agents

When was the last full kill-switch / circuit-breaker test, and is it recorded on the ledger?

There is no kill-switch There is one; it has not been tested under load Tested in non-production within the last year Tested in production within the last quarter; result recorded on the ledger Quarterly test plus continuous synthetic probe that drills the breaker weekly

Before this program writes in production, how long does it run in shadow mode with no material divergence?

There is no shadow mode Run once, briefly, before launch >= 30 days shadow before any in-envelope writes >= 30 days shadow before in-scope writes; divergence resolved before promotion Continuous shadow on a sampled stream after promotion; divergence alerts trip the breaker

How is model and data drift detected and acted on between promotions?

No drift monitoring Periodic manual review of input distributions Automated drift signals; investigated reactively Automated drift signals tied to the veto layer; in-scope autonomous remediation with audit trail Continuous drift telemetry feeding the promotion / demotion ladder automatically

How does the program detect and respond to disparate impact across protected populations?

No disparate-impact testing in place Pre-launch test only; no production monitoring Quarterly disparate-impact test on a representative slice Continuous in-production fairness telemetry tied to the veto layer Above plus pre-issuance integrity gates on every consequential decision

If the AI program issued a wrong consequential decision today, what is the documented response?

No documented runbook Runbook exists; not drilled in the last year Runbook drilled within the last quarter at the team level Runbook drilled with the breaker fired in production within the last quarter Above plus automated incident triggers with SEV-1 routing tested weekly

If a critical capability is provided by an outside model or vendor, how is that dependency governed?

Vendor is treated as a black box; no governance Contractual indemnity only; no operational controls Vendor outputs sampled and reviewed before consequential use Vendor outputs flow through the sovereign-veto layer; SLA + drift telemetry monitored Above plus dual-vendor fallback with automated failover and validated escalation

Vertical control 1 (e.g. fiduciary / fair-housing / MRM / adverse-action pre-flight gate):