Part of AI Forge by cubesys
Define how your AI agents behave before you deploy them
An AI Contract is a human- and AI-readable document that defines exactly how an agent should perform its role — including tone of voice, regulatory requirements, guardrails, data access boundaries, and human handoff points. It’s the bridge between business intent and agent behaviour.
Why AI Contracts
AI agents work best when they know exactly what’s expected of them
Most organisations deploying AI agents jump straight to building without defining what the agent should and shouldn’t do. Without clear behavioural boundaries, agents operate inconsistently, create compliance risks, and lose the trust of the teams they’re meant to support. AI Contracts give you that clarity before anything is deployed.
A clear brief for every agent
Just as an employee contract defines responsibilities, reporting lines, and boundaries, an AI Contract defines what an agent does, how it communicates, what data it can access, and when it must hand off to a human. It’s the single source of truth for agent behaviour.
A workshop, not a document dump
AI Contracts are built collaboratively with business stakeholders, not handed down by IT. The workshop process surfaces real-world requirements — edge cases, compliance obligations, tone expectations — that would otherwise be discovered too late in production.
Human- and AI-readable
Every AI Contract is written so business owners can read and approve it, and AI developers can translate it directly into agent configuration. It bridges the gap between what the business needs and what the technology delivers.
The challenge
AI agents without clear boundaries create risk, not value
50% of organisations deploying AI agents lack formal guardrails or governance frameworks (Gartner, 2026)
88% of AI pilots fail to reach production — often because agent behaviour was never properly scoped against real workflows
70% of AI success comes from people and processes, not algorithms or technology (BCG Research)
ISO 42001 now requires human oversight, escalation paths, and audit trails for autonomous AI systems — exactly what an AI Contract defines
What’s in an AI Contract
Every facet of agent behaviour, defined before deployment
1. Role and purpose
What is this agent’s job? What department or function does it serve? What specific tasks is it responsible for, and what is explicitly out of scope?
2. Tone of voice
How should the agent communicate? Should it match the organisation’s brand voice, or adopt a specific register for its audience — formal for compliance, approachable for customer service, technical for engineering?
3. Data access and boundaries
What data sources can the agent read? What systems can it write to? What information is off-limits? These boundaries prevent data leakage and ensure the agent operates within its authorised scope.
4. Guardrails and constraints
What must the agent never do? This includes prohibited actions, topics it should decline, and limits on autonomy — for example, never approving expenditure above a threshold or never providing legal advice.
5. Human handoff points
When should the agent stop and involve a human? High-stakes decisions, edge cases, emotional situations, and regulatory triggers all need clearly defined escalation paths.
6. Regulatory and compliance requirements
What standards, frameworks, or legal obligations apply? This might include ISO 42001 alignment, data sovereignty rules, industry-specific regulations, or internal audit requirements.
7. Success measures
How will the organisation know the agent is performing well? Define the metrics, feedback loops, and review cadence that keep the agent accountable.
8. Review and change process
AI Contracts are living documents. Define who can update them, how changes are approved, and how often the contract is reviewed against real-world performance.
How It Works
From workshop to working agent — in days, not months
1. Workshop the contract
Business stakeholders, subject matter experts, and technical leads collaborate in a structured workshop to define every facet of the agent’s contract. This is where edge cases surface, compliance requirements are captured, and the agent’s boundaries are agreed.
2. Document and approve
The workshop outputs a human-readable AI Contract that business owners can review, challenge, and approve. Nothing is built until the contract is signed off.
3. Build with confidence
AI developers use the contract as their build specification. Every guardrail, handoff point, and tone requirement is explicit — reducing rework and ensuring the agent behaves as intended from day one.
4. Monitor and refine
Once deployed, the agent’s behaviour is measured against the contract. Feedback from real users drives updates to the contract, which in turn refine the agent. It’s a continuous improvement loop.
Proven at cubesys First
We wrote our own AI Contracts before we offered them to anyone else
When cubesys began deploying AI agents inside our own business — for service desk operations, change control, licensing decisions, and internal knowledge workflows — we quickly realised that the agents needed more than a prompt. They needed a clear understanding of our tone, our compliance obligations, our escalation paths, and the boundaries of their authority.
The AI Contract became our solution. By workshopping the contract for each agent, we created a shared reference that both business stakeholders and developers could work from. It reduced ambiguity, accelerated development, and gave leadership confidence that the agents were operating within agreed boundaries.
This construct is now a core part of the AI Forge methodology.
"Early on, we realised that each AI agent needs a contract — just like an employee. It defines the role, the rules, and the boundaries. That simple idea changed how we workshop, build, and govern every agent in our business."
Paul Heaton, Co-Founder & CEO, cubesys
Aligned to Industry Best Practices
AI Contracts are not just a cubesys idea — they reflect a growing consensus across global standards bodies, technology leaders, and governance frameworks that AI agents require explicit, documented behavioural boundaries.
ISO/IEC 42001 — AI Management Systems
The world’s first certifiable AI management standard requires human oversight, escalation paths, override mechanisms, and audit trails for autonomous AI systems. AI Contracts operationalise these requirements at the individual agent level, making ISO 42001 compliance practical rather than theoretical.
Microsoft Responsible AI and Agent Governance
Microsoft’s governance framework for AI agents emphasises autonomy boundaries — defining which actions require human approval, which can proceed automatically, and which are never permitted. AI Contracts map directly to this model, ensuring agents deployed on Microsoft Copilot and Copilot Studio operate within clearly defined limits.
Microsoft Agent 365 — The Control Plane for AI Agents
With the general availability of Microsoft Agent 365 in May 2026, Microsoft has introduced a centralised control plane for governing AI agents at enterprise scale. Agent 365 provides a unified registry for discovering, inventorying, and managing every agent in the environment — including sanctioned, third-party, and shadow agents. Each agent is assigned a unique identity in Microsoft Entra with least-privilege access controls, and policy-based guardrails define what agents are allowed to do across data, applications, and APIs.
AI Contracts complement Agent 365 directly. The contract defines the business intent — what the agent should do, how it should behave, and where its boundaries sit. Agent 365 provides the technical enforcement layer — monitoring compliance with those boundaries, logging every action, and surfacing audit-ready evidence. Together, they close the gap between governance on paper and governance in practice.
Emerging Agentic AI Governance Frameworks
Singapore’s Model AI Governance Framework for Agentic AI (IMDA, 2026) and frameworks from Gartner and Deloitte all converge on the same principle: responsibility must be clearly defined across all actors involved in the agent lifecycle. AI Contracts provide the practical mechanism for documenting and enforcing that responsibility.
Governance aligned to ISO 42001 and Microsoft standards
Autonomy boundaries defined per agent and per use case
Audit-ready documentation that supports compliance and certification
Agent 365 provides the control plane for ongoing monitoring and enforcement
Works within your existing Microsoft 365 and Azure environment
Long-term Governance and Monitoring
AI Contracts are not set-and-forget — they’re governed, monitored, and improved over time
Deploying an AI agent without ongoing governance is like hiring someone and never reviewing their performance. AI Contracts establish the baseline, and Microsoft Agent 365 provides the infrastructure to monitor and enforce that baseline continuously.
Continuous monitoring through Agent 365
Agent 365 logs every agent action, access request, and decision across the environment. Security and compliance teams can use unified observability logs and Advanced Hunting in Microsoft Defender to proactively search for threats, policy violations, or agents operating outside their contracted boundaries. This gives organisations real-time visibility into whether agents are behaving as their contracts define.
Audit-ready by design
Every AI Contract creates a documented, version-controlled record of what the agent was designed to do, what guardrails were applied, and who approved the contract. Combined with Agent 365’s action logs, this produces a complete audit trail — from design intent to runtime behaviour — that supports ISO 42001 certification, internal audit requirements, and regulatory reviews.
Contract review and refinement
AI Contracts include a defined review cadence. As agents operate in the real world, feedback from users, monitoring data from Agent 365, and changes in regulatory requirements all feed back into the contract. This creates a continuous improvement loop where governance strengthens over time, not just at the point of deployment.
Scaling governance across the agent fleet
As organisations move from one or two agents to dozens, the combination of AI Contracts and Agent 365 provides a scalable governance model. Agent 365’s registry gives IT and security teams a single view of every agent in the environment — what it does, what it can access, and whether it’s operating within its contracted boundaries. This is how governance scales without becoming a bottleneck.
Where AI Contracts Add Value
Leadership
Define how AI agents summarise information, flag risks, and escalate decisions — ensuring agents operate within the boundaries leadership expects, not the defaults a developer assumed.
Human Resources
Set clear guardrails for agents handling sensitive employee information, screening candidates, or answering policy questions — with explicit handoff points for situations requiring human judgement.
Sales and Marketing
Ensure agents creating content, qualifying leads, or drafting proposals communicate in the organisation’s voice and comply with advertising standards and data privacy requirements.
Operations
Define agent behaviour for service desk triage, change management, and workflow automation — including what the agent can action autonomously and what must be reviewed.
Finance
Set boundaries for agents involved in reporting, reconciliation, or spend analysis — ensuring they never provide financial advice, approve transactions beyond thresholds, or access restricted financial data.
IT and Security
Define access controls, logging requirements, and prohibited actions for agents operating within infrastructure, identity, and security workflows — aligned to zero-trust principles and regulatory requirements.
The transformation
What changes when you contract your agents before you deploy them
Without AI Contracts
Agent behaviour is inconsistent and unpredictable
Compliance gaps discovered after deployment
Developers interpret business needs through assumptions
No clear escalation paths or human handoff points
Tone and voice vary across agents and departments
No audit trail for agent design decisions
No ongoing monitoring of agent compliance
With AI Contracts
Every agent operates within agreed behavioural boundaries
Regulatory and compliance requirements captured before build
A single document bridges business intent and technical build
Explicit escalation and handoff triggers defined per agent
Consistent organisational voice enforced through the contract
Workshop-driven, documented, and version-controlled contracts
Agent 365 provides continuous monitoring against contracted boundaries
How AI Contracts Fit into AI Forge
AI Contracts sit at the heart of the AI Forge methodology — the critical governance step between understanding your workflows and deploying AI agents into production.
1. Readiness Assessment
Confirm your data, governance, and security foundations are ready for AI adoption.
2. SystemsAtlas
Map real workflows and uncover the first high-value AI use cases, grounded in how work actually gets done.
3. AI Contracts
Workshop and document the behavioural contract for each agent — tone, guardrails, data access, handoffs, and compliance requirements.
4. Deploy within system workflows
Build and deploy agents using the contract as the specification, embedded in real workflows from day one.
5. Monitor and govern with Agent 365
Use Microsoft Agent 365 as the control plane to monitor agent behaviour against contracted boundaries, with continuous feedback into contract refinement.
6. Adopt and scale
Feedback from real users refines the contracts, which in turn improve the agents. Learnings flow back into the operating model.
Wherever you are on your AI journey, we give you the right next step.