EDENA-AS 1.0 — governing software that can act

Scope & purpose

This standard applies to any AI system that can plan, use tools, manage state, retain memory, coordinate with other agents, or take actions that affect data, systems, people, or the physical world — whether labeled "assistant," "copilot," "workflow," or "autonomous agent."

The purpose of EDENA-AS is to convert lifecycle governance into runtime governance: to ensure that, before an agent acts, its action is classified, bounded, authorized at the correct human level, and recorded. EDENA-AS governs the transition from output to action.

Terms & normative language

The key words MUST, MUST NOT, SHOULD, and MAY are to be interpreted as requirement levels: MUST denotes an absolute requirement for conformance; SHOULD denotes a recommended practice that requires documented justification to omit; MAY denotes an optional practice.

• Agent — a software system that pursues goals by reasoning, planning, and invoking tools, with some degree of autonomy over the order and selection of steps.
• Action — any operation an agent can perform that changes state outside its own reasoning: a tool call, write, message, transaction, retrieval, or hand-off.
• Blast radius — the set of people, records, systems, and downstream processes an action can affect if it is wrong.
• Reversibility — the cost and feasibility of undoing an action after it executes.
• Named human — an identified, role-appropriate person accountable for authorizing or refusing a gated action.
• Steward — the human (in clinical settings, typically a nurse) responsible for the whole-person, systems-aware environment in which the agent operates.

Capability tiering & registration

Every agent MUST be registered before deployment with a named owner, a declared purpose, an enumerated tool set, a declared data scope, and an assigned capability tier (Green Operational, Yellow Strategic, Orange Transformational, Red Existential).

• There MUST NOT be orphaned agents: no deployed agent without a registered, contactable human owner.
• An agent that gains memory, autonomy, recursive self-direction, or the ability to spawn or coordinate other agents MUST be re-tiered — such capabilities raise the tier to at least Orange.
• Capability tier MUST be re-evaluated on any material change to tools, data scope, autonomy, or deployment surface.

Action classification & gating

Before execution, each candidate action MUST be classified into an action-risk tier using, at minimum, five signals: who is asking, what data is involved, what system is touched, how reversible the action is, and what harm could follow. Where signals disagree, the system MUST select the higher tier (ambiguity escalates upward).

The gate MUST resolve every candidate action to exactly one of five governance outcomes, each logged identically:

Anything crossing a boundary — a third-party agent, a non-certified tool, an outbound message, an external API, a payer portal, a public channel, or a cloud model — MUST start at a higher governance posture (externality raises the floor).

Human accountability & the named-human loop

A tier MUST NOT authorize itself. Every REQUIRE_HUMAN outcome MUST resolve to a specific, role-appropriate named human — nurse, physician, pharmacist, allied clinician, compliance officer, privacy lead, or technical steward — who can understand, challenge, override, and stop the action, and who owns it once authorized.

• The reviewing human MUST be given the context, provenance, uncertainty, and alternatives needed to make a substantive judgment — not a one-click accept.
• Systems MUST actively counter automation bias (see EDENA Human Oversight Standard) and MUST NOT design defaults that reward rubber-stamping.

Least privilege & tool authorization

• Agents MUST operate under least-privilege access: the minimum tools, scopes, and credentials required for the declared purpose.
• Each tool MUST carry its own action-risk classification; high-risk tools (write, send, transact, execute code) MUST be individually authorized and gated.
• Tool invocation MUST be sandboxed where feasible, and privileged tools MUST NOT be reachable by untrusted input without an intervening gate.

Memory & data-boundary governance

Movement of sensitive data — and protected health information (PHI) in particular — MUST be treated as a governance event, not an implementation detail. PHI access, persistence in memory, tool exposure, external transmission, and agent-to-agent sharing are each gated actions.

• In the Florence X reference pattern, PHI MUST remain on the edge; cloud inference MUST operate only on redacted, non-PHI prompts.
• Persistent memory MUST have a declared scope, retention limit, and a mechanism to withdraw permissions or remove data — consistent with the reversibility expectation in the ANA 2025 Code (Provision 7.5).
• Re-identification risk, consent, data minimization, and access control MUST be treated as ethical boundaries, not only compliance checkboxes.

Inter-agent communication & hand-offs

• Hand-offs between agents MUST preserve provenance and the originating authority; an action MUST NOT gain privilege merely by passing through another agent.
• Inter-agent messages MUST be authenticated and SHOULD be schema-validated to resist context poisoning and trust exploitation.
• Multi-agent coordination, parallel sub-agents, and long-horizon plans MUST be classified at minimum Orange and MUST carry cascade-failure safeguards.

Containment & kill-switch

Containment MUST be built before scale, not after harm. Every agent MUST have a defined stop condition and a reachable kill-switch that halts further action without requiring the agent's cooperation.

• Exceeding authorized scope, tier, or rate MUST trigger automatic containment and escalation to the named human and steward.
• Stop-the-line authority (see the AI Incident & Stop-the-Line Standard) MUST be available to the steward at all times and MUST NOT be overridable by the agent.

Observability, logging & evidence

Every governance decision — every authentication, tool invocation, delegation hand-off, classification, and outcome (ALLOW / REQUIRE_HUMAN / CONSTRAIN / THROTTLE / DENY) — MUST be captured in a form that supports real-time monitoring and after-the-fact audit, and MUST conform to the Evidence Bundle Standard. Evidence travels with the claim: source grounding, provenance, timestamps, uncertainty, and missing or contradictory data are part of the record.

Threat mapping — OWASP Top 10 for Agentic Applications (2026)

EDENA-AS is, in effect, a control set for the OWASP GenAI Security Project's agentic threat taxonomy. Conformant systems MUST demonstrate coverage of each risk.

Conformance levels

An organization MUST declare the conformance level claimed for each deployed agent. Orange- and Red-tier capabilities MUST meet Level 3.

Mapping to external frameworks