Policy Cards: Machine-Readable Runtime Governance for Autonomous AI Agents
Juraj Mavračić

TL;DR
Policy Cards are a standardized, machine-readable format for embedding operational, regulatory, and ethical constraints directly into autonomous AI agents, enabling compliance, transparency, and assurance at runtime.
Contribution
The paper introduces Policy Cards as a novel standard for encoding and enforcing governance constraints within AI agents at runtime, extending existing transparency artifacts.
Findings
Enables automatic validation and version control of Policy Cards
Supports compliance with frameworks like NIST AI RMF and ISO/IEC 42001
Facilitates verifiable, accountable autonomy in multi-agent systems
Abstract
Policy Cards are introduced as a machine-readable, deployment-layer standard for expressing operational, regulatory, and ethical constraints for AI agents. The Policy Card sits with the agent and enables it to follow required constraints at runtime. It tells the agent what it must and must not do. As such, it becomes an integral part of the deployed agent. Policy Cards extend existing transparency artifacts such as Model, Data, and System Cards by defining a normative layer that encodes allow/deny rules, obligations, evidentiary requirements, and crosswalk mappings to assurance frameworks including NIST AI RMF, ISO/IEC 42001, and the EU AI Act. Each Policy Card can be validated automatically, version-controlled, and linked to runtime enforcement or continuous-audit pipelines. The framework enables verifiable compliance for autonomous agents, forming a foundation for distributed…
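The abstract describes a Policy Card as a normative layer of allow/deny rules, obligations and evidentiary requirements that the agent consults at runtime. The following is an added illustration of that idea, not code from the paper and not the paper's schema: the card fields (`allow`, `deny`, `obligations`, `evidence`), the action-name pattern syntax, the card contents and the `PolicyGate` class are all assumptions made here for the example. It shows a deny-overrides, default-deny gate that checks each proposed agent action against the card, attaches obligations to permitted actions, records every decision as evidence, and validates the card's shape before it is loaded.

```python
"""Illustrative runtime policy gate for an autonomous agent.

Added example; the card schema and rule syntax are assumptions for
illustration and are not the format defined by the Policy Cards paper.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed sample card (not from the paper). Rules are glob patterns
# over action names of the form "<capability>:<argument>".
SAMPLE_CARD = {
    "id": "example-card",            # placeholder identifier
    "version": "0.1.0",              # constructed version string
    "deny": ["fs.write:/etc/*", "net.send:external:*"],
    "allow": ["fs.read:*", "fs.write:/tmp/*", "net.send:internal:*"],
    # Obligations attach to permitted actions that match the pattern.
    "obligations": {"fs.write:*": ["log_action", "require_ticket"]},
    # Evidence the deployment must be able to produce for auditors.
    "evidence": ["decision_log"],
}

REQUIRED_LIST_FIELDS = ("allow", "deny", "evidence")


def validate_card(card):
    """Return a list of validation errors; an empty list means the card is well-formed."""
    errors = []
    for key in ("id", "version"):
        if not isinstance(card.get(key), str) or not card.get(key):
            errors.append(f"missing or non-string field {key!r}")
    for key in REQUIRED_LIST_FIELDS:
        value = card.get(key)
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            errors.append(f"field {key!r} must be a list of strings")
    obligations = card.get("obligations", {})
    if not isinstance(obligations, dict) or not all(
        isinstance(k, str) and isinstance(v, list) for k, v in obligations.items()
    ):
        errors.append("field 'obligations' must map patterns to lists")
    return errors


@dataclass
class Decision:
    action: str
    allowed: bool
    reason: str
    obligations: list = field(default_factory=list)


class PolicyGate:
    """Evaluates proposed actions against a validated card (deny overrides allow, default deny)."""

    def __init__(self, card):
        problems = validate_card(card)
        if problems:
            raise ValueError("invalid policy card: " + "; ".join(problems))
        self.card = card
        self.decision_log = []  # the 'decision_log' evidence item

    def evaluate(self, action):
        card = self.card
        decision = None
        # 1. Any matching deny rule wins, regardless of allow rules.
        for pattern in card["deny"]:
            if fnmatchcase(action, pattern):
                decision = Decision(action, False, f"denied by rule {pattern!r}")
                break
        # 2. Otherwise the first matching allow rule permits, with obligations.
        if decision is None:
            for pattern in card["allow"]:
                if fnmatchcase(action, pattern):
                    obligations = [
                        duty
                        for pat, duties in card["obligations"].items()
                        if fnmatchcase(action, pat)
                        for duty in duties
                    ]
                    decision = Decision(action, True, f"allowed by rule {pattern!r}", obligations)
                    break
        # 3. No rule matched: default deny.
        if decision is None:
            decision = Decision(action, False, "no matching allow rule (default deny)")
        self.decision_log.append(decision)
        return decision


if __name__ == "__main__":
    gate = PolicyGate(SAMPLE_CARD)
    for act in ["fs.read:/home/u/notes.txt", "fs.write:/tmp/out.txt",
                "fs.write:/etc/passwd", "shell.exec:ls"]:
        d = gate.evaluate(act)
        print(f"{act:28} allowed={d.allowed} obligations={d.obligations} ({d.reason})")
```

Two design points carry over from the abstract's framing: the card is checked for well-formedness before it is loaded (the "validated automatically" property), and every decision, allowed or not, is appended to a log so the deployment can produce the evidence the card names.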
