The PAC Framework

The potential of agents is that they make decisions. The risk originates from the same.

PAC Framework — Potential, Accountability, Control

How do you decide when the options change faster than any expert can keep up? By focusing on the right questions.

P
Potential What's worth building that lasts?

The barrier to building agents has never been lower. What's possible changes by the month. The real question isn't whether you can. It's whether what you build today still compounds in a year, or becomes dead weight when the next model drops.

A
Accountability Who's accountable, and can you prove it?

Agents are already making decisions in your organisation. Some you don't even know about. When something goes wrong, someone has to explain what happened. If the liability chain isn't mapped before the incident, it's too late to draw one after.

C
Control Can your infrastructure enforce what policy demands?

Policy says "don't." Architecture says "can't." The difference matters when agents act autonomously across systems and organisations. Identity, delegation, sandboxing: the infrastructure to enforce what governance promises.

See what's really possible. Pick what lasts. Govern it. Enforce it.

They're Interdependent

Drop any one and the others fall short.

Potential without Accountability: reckless adoption. You build fast and hit a wall when the first incident happens and nobody can explain what went wrong.

Accountability without Control: governance on paper. Policies mean nothing if the infrastructure can't enforce them.

Control without Potential: infrastructure without a mandate. If the business doesn't see value, funding stops.

Inside Each Pillar

Each pillar has a specific structure. These are the questions and trade-offs that surface in practice.

P Potential
  • Business value — not every process benefits from an agent. The question is where it actually mattersV1 IncrementalV2 OperationalV3 StrategicV4 Transformative
  • Reliability — how often it gets it right, and how you test it. Measured as a percentage, validated through test coverage and representative sample data
  • Blast radius — what happens when it's wrong. An internal summary and a published report can have the same quality, but very different consequencesB1 ContainedB2 RecoverableB3 ExposedB4 RegulatedB5 Irreversible
  • Autonomy — the level of independence the agent earns. Determined by reliability and blast radius togetherA1 SuggestionA2 ApproveA3 OversightA4 DelegatedA5 Autonomous
  • Workflow design — where does the human come in? Which steps run unattended, which need review before output reaches a client or triggers an action?
  • Context management — what information reaches the agent, and how. Long context windows have reduced the need for RAG and vector databases in most use cases
  • Model selection — frontier or open-weight? Cloud or on-prem? What are you locked into, and where does your data actually go?
  • Cost structure — setup, hosting, and inference. Cloud scales per call; on-prem means hardware that depreciates. Fine-tuning gets less necessary as models get more capable
  • Durability — models improve, protocols land, pricing drops. Build on what stays stable: workflow logic, context infrastructure, evaluation pipelines. Not on what changes every quarter
A Accountability
  • Governance thresholds — where do you draw the line? The reliability bar for each autonomy level depends on blast radius. A contained task might need 80%; an irreversible one needs 99%+
  • Shadow agents — agents already running in your organisation without governance oversight. 68% of employees using generative AI at work do so without informing their manager (Fishbowl, 2023)
  • Liability chains — when an agent makes a bad decision, someone has to explain what happened. If the chain isn't mapped before the incident, it's too late to draw one after
  • Data governance — what data agents can access, where it goes, and what GDPR, sector-specific regulation, and internal policy require. Privacy by design, not privacy by afterthought
  • Audit trails — what you need to log and why. Designed for compliance, not just debugging. The question isn't "what went wrong" — it's "can you show a regulator what happened and why"
  • Regulatory landscape — EU AI Act, NIST, ISO 42001. The frameworks are converging. Regulation can be a catalyst, but it's there regardless. Better to shape your governance around it than react to it
  • Ownership — who owns AI governance internally? IT, legal, risk, the business? If no one owns it, everyone assumes someone else does
C Control
  • Infrastructure — the technical controls that make things impossible, not just discouraged. Logging, sandboxing, credential scoping, access boundariesI1 OpenI2 LoggedI3 VerifiedI4 AuthorizedI5 Contained
  • Policy vs. architecture — policy says "don't." Architecture says "can't." The difference matters when agents act autonomously across systems and organisations
  • Agent identity — who is this agent, who does it act for, and how do you prove it? Traditional IAM wasn't built for non-human actors that make decisions. Verifiable credentials, DIDs, and OAuth on-behalf-of flows are starting to fill the gap
  • Delegation chains — what an agent can access, for how long, and what happens when it hands off to another agent. Revocation and de-provisioning matter as much as granting access
  • Cross-organisation trust — when an agent operates across organisational boundaries, how do you authenticate it, pass authority, and keep someone accountable?
  • Emerging trust infrastructure — eIDAS 2.0, EUDI wallets, mDL, business wallets. The identity layer is being rebuilt, and agent infrastructure needs to interoperate with it
  • Supply chain — which models, plugins, and APIs does your agent depend on? When something breaks, can you trace what changed?
  • Protocols and standards — MCP, A2A, OAuth 2.1, IPSIE. The building blocks exist, but the integration layer is still forming. Where you build and where you wait matters
The six dimensions as used in the Agent Profiler

Reliability

How often it gets it right. Measured as a percentage (e.g. 85%, 95%), validated through test coverage and sample data.

Blast radius

What happens when it doesn't.

B1 ContainedB2 RecoverableB3 ExposedB4 RegulatedB5 Irreversible

Business value

Why it matters.

V1 IncrementalV2 OperationalV3 StrategicV4 Transformative

Governance thresholds

Where the line is drawn. A contained task may need 80% reliability; an irreversible one needs 99%+.

Infrastructure

The guardrails in place.

I1 OpenI2 LoggedI3 VerifiedI4 AuthorizedI5 Contained

Autonomy

The level of independence the agent earns.

A1 SuggestionA2 ApproveA3 OversightA4 DelegatedA5 Autonomous

18 Questions for Your Team

Each pillar translates into concrete questions you can take to your stakeholders. Conversation starters, not a checklist. The right question at the right table surfaces gaps that dashboards and audits miss.

P
  • What decisions are you not yet delegating to agents, and what's that costing you?
  • Will better models make your current setup more valuable, or obsolete?
A
  • Do you know every agent running in your organisation?
  • If an agent causes harm, is the liability chain clear?
C
  • Are your agents contained by architecture, or only by policy?
  • When agents delegate to other agents, can authority only decrease?

All 18 questions, unpacked →

It's Iterative

Models improve, protocols land, regulations tighten, internal policies evolve. And your own progress shifts the landscape too: the right control infrastructure unlocks new autonomy levels, which open new use cases, which create new blast radius, which demands new accountability. This isn't a one-time assessment. It's a living practice. PAC is built to be re-run — and the Agent Profiler gives you a concrete way to track how your positions shift across iterations.

This framework underpins everything: the programme, the workshops, and the consultancy. Start with the free tools, or go deeper when you're ready.

Assess your use case → Join the Programme →

Questions? shane@trustedagentic.ai