
ORIGINAL FRAMEWORKS

The Authorization Coverage Lifecycle

Three phases every organization moves through as its authorization coverage ratio changes. Most are in phase one without knowing it - and the ratio is the proof.

Most organizations enter the Recognition stage only when an external event forces it: a failed audit, a vendor change, or a regulatory inquiry. The model exists to make Recognition a deliberate choice rather than an incident response.

v1.0 · April 2026 · Sougata Roy, sougataroy.com

Free to read and cite with attribution to Sougata Roy and sougataroy.com. Do not republish, rebrand, or claim authorship of any framework, term, or model as your own.

The Governance Debt Maturity Model: Three Stages of the Accountability Lifecycle

Stage 1: Unreconciled

In Accumulation, AI systems are being deployed and governance infrastructure is …

Signal: The organizational markers of Accumulation are specific and recog…

Stage 2: Exposure Recognized

In Recognition, the organization has become aware of its governance gap. It know…

Signal: The organizational markers of Recognition are also specific. A go…

Stage 3: Coverage Operating

In Resolution, the organization has established governance processes that preven…

Signal: The organizational markers of Resolution are demanding but specif…

Most organizations don't know their stage

Most organizations cannot calculate their authorization coverage ratio. The inability to produce the number is the finding.

The problem

Why this framework exists

Technical debt accumulates when organizations build software faster than they build the infrastructure to maintain it. Governance debt accumulates when organizations deploy AI systems faster than they build the organizational structures to govern them. Unlike technical debt, governance debt has an external enforcement dimension: when it reaches sufficient scale, regulators, auditors, and legal systems become involved - not just internal teams.

Inside the organization

The debt calculation

Governance debt can be quantified as a ratio and tracked over time. The calculation requires two numbers: the total count of deployed AI systems and the count of those with complete governance artifacts in place. Governance debt equals the total deployed AI systems minus the AI systems with complete governance artifacts, divided by the total deployed AI systems, expressed as a percentage. A ratio of zero percent means every deployed AI system has complete governance artifacts. A ratio above 50 percent means the majority of the AI deployment operates without complete governance. A declining ratio means remediation is outpacing accumulation. A stable or increasing ratio means debt is accumulating at least as fast as it is being addressed, regardless of how much remediation work is underway.

The framework

The three phases

The Authorization Coverage Lifecycle names the three phases every organization moves through as its ratio of governed agents to total agents changes. The naming matters because organizations in phase one often believe they are in phase three. The gap between where an organization thinks it is and where its authorization coverage ratio places it is itself a governance finding.

Figure: The Governance Debt Maturity Model. Three stages of the accountability lifecycle. The flow moves from invisible governance debt to evidence-based operating control.

Stage 1: Accumulation (You are here without knowing it). Agents deploy faster than governance work. Intent is assumed and accountability is implied. Key characteristics and tags: High deployment velocity; No agent registry; No intent documentation; No review cadence.

Stage 2: Recognition (The cost becomes visible). An incident or audit surfaces the price of deferred governance and missing documentation. Key characteristics and tags: Reactive governance; Retroactive documentation; Unclear ownership; Compliance triggered by incident.

Stage 3: Resolution (Governance as a program). The organization commits to systematic debt remediation, risk identification, and evidence-based reporting. Key characteristics and tags: Agent registry established; Intent documentation underway; Owners assigned; Audit trail adequate for regulatory inquiry.

Direction of travel labels: Maximum governance debt; Governance maturity; Governed at scale.

Most regulated organizations enter Stage 2 through an incident, not a strategy.

Active maturity stage

Stage 1: Unreconciled


In Accumulation, AI systems are being deployed and governance infrastructure is not keeping pace. Each deployment without a formal authorization record, a named accountable owner, a compliance review, and a defined review process represents a unit of governance debt. The debt is growing faster than it is being recognized, often because the people accumulating it do not know a governance process was expected of them.

Stage signal

The organizational markers of Accumulation are specific and recognizable. AI systems are deployed by individual teams without cross-functional review. There is no defined governance intake process for new deployments. The organization does not have a current and complete inventory of its AI systems. AI policies, if they exist, describe principles rather than requirements with compliance checkpoints. No person or role has explicit accountability for the organization's aggregate AI governance posture. And the count of AI systems produced by IT differs from the count produced by business units, with neither reconciled.
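The debt calculation and the unreconciled IT and business-unit counts described above, worked through as an added example that is not part of the original framework. The system names, the inventory shape, and the rule that an artifact counts as present when either inventory records it are assumptions; the four artifacts are the ones the Stage 1 description lists.

```python
# Added example with constructed data; all system names are hypothetical.
ARTIFACTS = frozenset({
    "authorization_record", "accountable_owner",
    "compliance_review", "review_process",
})
ALL = set(ARTIFACTS)

IT_INVENTORY = {  # constructed sample: system id -> governance artifacts on file
    "copilot-m365": ALL,
    "support-chatbot": ALL,
    "hr-screening-agent": {"authorization_record", "accountable_owner"},
}
BU_INVENTORY = {  # constructed sample reported by business units
    "support-chatbot": {"accountable_owner"},
    "hr-screening-agent": {"compliance_review"},
    "sales-forecast-agent": set(),
    "marketing-copy-tool": {"accountable_owner"},
}

def reconcile(it, bu):
    """Merge both inventories; return (merged, ids known to only one side)."""
    merged = {sid: set(it.get(sid, ())) | set(bu.get(sid, ()))
              for sid in it.keys() | bu.keys()}
    return merged, sorted(it.keys() ^ bu.keys())

def debt_ratio(inventory):
    """(total - fully governed) / total as a percentage; None if nothing to count."""
    total = len(inventory)
    if total == 0:
        return None  # the ratio cannot be produced without an inventory
    complete = sum(1 for arts in inventory.values() if ARTIFACTS <= arts)
    return round(100 * (total - complete) / total, 1)

def gaps(inventory):
    """Missing artifacts for every system that is not fully governed."""
    return {sid: sorted(ARTIFACTS - arts)
            for sid, arts in sorted(inventory.items()) if not ARTIFACTS <= arts}

if __name__ == "__main__":
    merged, one_sided = reconcile(IT_INVENTORY, BU_INVENTORY)
    print("IT-only debt ratio:   ", debt_ratio(IT_INVENTORY), "%")
    print("Reconciled debt ratio:", debt_ratio(merged), "%")
    print("Known to one side only:", one_sided)
    for sid, missing in gaps(merged).items():
        print(f"  {sid}: missing {', '.join(missing)}")
```

On this sample the IT-only view understates the debt, because the systems only the business units know about are the ones with the fewest artifacts.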

Evidence to inspect

Most organizations in Accumulation do not recognize it as a governance problem until an external event forces visibility. The triggering events are predictable: a regulatory examination that asks for a list of AI systems and authorization records, a security incident involving an agent with broader access than anyone remembered, a cost review that surfaces AI subscriptions nobody recognized, or a board question about AI risk that nobody can answer from existing documentation.

Compounding


The difference is that an authorization coverage gap has an external dimension that technical debt does not. When an authorization coverage gap reaches sufficient scale, it becomes visible to regulators, auditors, and legal systems, not only to internal teams. At that point, the organization is not choosing between paying down the gap deliberately and continuing to accumulate it. It is choosing between addressing it proactively and having it addressed under external pressure.

Before deployment

Reporting AI Governance Posture to the Board: The Four Questions That Must Be Answerable

WARNING: The Risk of Unquantified Governance Debt. Executives unable to answer these questions carry significant debt in regulated environments. Governance Posture is Reportable Only When Documented. Accountability is established through evidence, not when the environment simply feels managed.

Q1 - How many agents are operating in our environment?

Requirement: Requires a current agent registry with active deployment status for every entry. Evidence Standard: Registry with active status column.

Q2 - What is each agent's documented intent and authorized scope?

Requirement: Requires signed intent statements for every agent, reviewed on a set cadence. Evidence Standard: Signed and dated intent statement per agent.

Q3 - Who is accountable for each agent's behavior?

Requirement: Requires a named individual assigned as the accountable owner for every registry entry. Evidence Standard: Owner assignment with defined review cadence.

Q4 - Is our audit trail adequate for regulatory inquiry?

Requirement: Requires active logging tested against the specific regulatory frameworks applicable to your industry. Evidence Standard: Logging verification report dated within 90 days.

Figure: Reporting AI Governance Posture to the Board. The four questions that must be answerable. Each question has an evidence standard. If the standard cannot be produced, governance posture is not reportable. In the figure, the Q4 requirement reads: Requires active logging tested against SEC, CFTC, NIH, or equivalent review obligations.

Why it lasts


That last sentence is the clearest indicator of Resolution. When the intake process is easier than working around it, the governance program has achieved what no policy document can achieve on its own.

Who it is for

What good looks like

The governance debt ratio is declining quarter over quarter. The intake process is enforced consistently, including for deployments that were described as urgent. The governance coverage rate is above 80 percent and being actively maintained. The named executive accountable for AI governance can report the current ratio, the current trend, and the specific remediation priorities to the board without assembling the data from multiple sources in advance. When a new AI system is proposed, the first question the business owner asks is what is needed for the governance intake - not how to get the deployment exempted from the governance process.

Executive FAQ

Questions leaders ask before deployment

These checkpoints make governance debt visible before it becomes an audit finding, a board question, or an incident response problem.

Referenced in

This framework is analyzed in the white paper

"Who Owns the Agent?" applies this framework to real-world deployment scenarios and maps it to named governance incidents from 2024 to 2026.

White paper

Who Owns the Agent?

The Intent Architecture Stack white paper, ten sections, complete diagnostic, named incident analysis, Intent Document template.

Research brief


Source: McKinsey and Company, "State of AI Trust in 2026: Shifting to the Agentic Era," March 25, 2026. Survey of approximately 500 organizations, December 2025 to January 2026.


60-minute operating sprint

Apply this framework in one working session

Use this as a live governance exercise. Leave the session with named evidence, a visible gap, and a next owner rather than another discussion note.

Working session board

One pass through the framework. One evidence trail.

6 steps · 60 minutes · 1 owner · Live decision

01 · 30 minutes · Stage identification

Answer four questions in writing.

Output: Written evidence ready for the next governance decision.

02 · Action · Execution checkpoint 2

Question 1: Do you know how many AI agents or tools your organization currently operates, including Microsoft 365 Copilot deployments, custom agents, and third-party AI tools? If no: you are in Accumulation. Governance debt is growing without measurement.

Output: Written evidence ready for the next governance decision.

03 · Action · Execution checkpoint 3

Question 2: For the AI deployments you know about, what percentage have documented authorization, named owners, and a defined review process? If less than 50 percent: you are in Accumulation regardless of your answer to question 1.

Output: Written evidence ready for the next governance decision.

04 · Action · Execution checkpoint 4

Question 3: Has your compliance or legal team reviewed AI deployment practices in the last six months and produced a written assessment? If no: you are in Accumulation even if the technology deployment is well-managed.

Output: Written evidence ready for the next governance decision.

05 · Action · Execution checkpoint 5

Question 4: Is there an active program - with a named owner and a budget - to close the governance gaps identified in questions 1 through 3? If yes: you are in Recognition. If the program has produced closed gaps: you are in Resolution.

Output: Written evidence ready for the next governance decision.

06 · 30 minutes · Remediation planning

Based on your phase, define one concrete action to take this week. If you are in Unreconciled: complete the agent reconciliation exercise from the Tenant Agent Reconciliation Framework. If you are in Exposure Recognized: produce a written list of the three highest-risk governance gaps and assign an owner to each. If you are in Coverage Operating: schedule a review of the gaps you have already closed to confirm they remain closed.

Output: Written evidence ready for the next governance decision.