
ORIGINAL FRAMEWORKS

The Deployment Accountability Map

Three tiers. One deployment. A map of who owns what - and the gap the deploying organization cannot delegate away.

The gap between provider accountability and deploying organization accountability is where most enterprises are currently exposed. The provider documents what the platform can do. Nobody documents what the organization decided it was permitted to do, and who made that decision.

v1.0 · April 2026 · Sougata Roy, sougataroy.com

Free to read and cite with attribution to Sougata Roy and sougataroy.com. Do not republish, rebrand, or claim authorship of any framework, term, or model as your own.

The Accountability Cascade

v1.0
Accountability flows
Tier 1

The AI Provider

The AI provider is the organization that built and maintains the underlying model, the pla…

Tier 2

The Control Infrastructure

The control infrastructure is the governance and management layer through which the deploy…

Tier 3

The Deploying Organization

The deploying organization is your organization - the entity that decided to deploy AI age…

Accountability does not travel upward

Governance design starts at Tier 3.

RUNTIME ACCOUNTABILITY MAP

Ownership tiers for enterprise AI agent deployments. The examination gap lives where platform control ends.

PROVIDER (Provider tier): Microsoft, model behavior, platform SLA, and infrastructure availability.
Owns: Model Behavior, Platform SLA, Infrastructure Availability

PLATFORM (Platform tier): Copilot Studio, Entra Agent ID, and policy enforcement controls.
Owns: Agent Runtime, Identity Enforcement, Policy Controls

DEPLOYING ORG (Deploying organization tier): Authorization, human ownership, use case boundaries, and review triggers.
Owns: Authorization Record, Human Owner, Use Case Boundary, Review Trigger
Accountability transfers here.

Most governance programs have closed the Provider and Platform tiers. The Deploying Organization tier is where examination exposure lives.

The problem

Why this framework exists

When an AI system produces a harmful output, the natural organizational response is to look toward the vendor. The vendor's terms of service have already answered that question. The answer is almost always no. This is the Accountability Assumption in practice: the implicit organizational belief that accountability for an AI agent's decisions resides with the team that built it, the vendor that supplied it, or the platform that hosts it - rather than with the business owner who authorized its deployment.

Inside the organization

The governance question

When an AI agent makes a consequential decision that causes harm, which tier of your accountability structure is responsible for that outcome, and can your organization demonstrate that assignment was made before the harm occurred?

The framework

The three tiers

When things go right, credit flows upward through the tiers. When things go wrong, accountability does not cascade - it lands. It lands on the deploying organization, because the decision to deploy was theirs. The provider's disclaimers do not change that. The platform's audit logs do not substitute for the authorization record the organization failed to create.

The Accountability Cascade

Accountability moves downward into the deployment decision. It does not travel back upward to the vendor.

Tier 1: The Vendor (for example Microsoft or OpenAI)
Is accountable for model behavior, safety evaluations, and model cards.
Is not accountable for configuration or organizational tasks.

Tier 2: The Platform (for example Copilot Studio or Azure Foundry)
Is accountable for identity management and data boundary enforcement.
Is not accountable for organizational intent or business decisions.

Tier 3: The Deploying Organization (regulated enterprise)
Is accountable for intent, data access, and human review.
Is not relieved of liability by vendor controls.

Accountability does not travel upward. Governance design starts at Tier 3.

Active accountability tier

Tier 1: The AI Provider

The AI provider is the organization that built and maintains the underlying model, the platform infrastructure, or the agent-building tooling that the deploying organization uses.

What this tier owns

The provider is responsible for the behavior of its model within published specifications and documented limitations, platform security and availability within the terms of the service agreement, disclosure of known limitations and appropriate use cases, and compliance with applicable laws in the jurisdictions where the service operates.

Enterprise action

Before deploying any AI system, review the provider's terms of service specifically for liability disclaimers on outputs. Document what the provider is contractually accountable for. The gap between that documentation and what your organization is accountable for is the minimum scope of your organizational governance work. That gap is always larger than organizations expect when they review the terms of service carefully for the first time.

Diffused versus distributed

Why accountability diffuses

Ethyca's 2026 governance analysis names the consequence directly: when ownership of an AI system's behavior is distributed without structure, liability does not concentrate - it spreads. And when regulators or courts come looking, they do not accept 'that was another team's responsibility' as a defense.

Before deployment

Before the Agent Goes Live: The Pre-Deployment Accountability Review

GOVERNANCE DEBT BEGINS THE MOMENT THIS CHECKLIST IS SKIPPED.

A deployment should not move forward until these four records exist.

Intent Statement
Documented purpose
Authorized scope and prohibited actions
Expected output format

Data Access
Minimum required permissions granted
Sensitivity labels confirmed
No standing access to unneeded data

Accountability
Accountable owner named
Escalation path documented
Human review checkpoints defined

Audit Trail
Logging enabled and verified
Audit trail connected to SIEM
Incident response trigger conditions documented

Signoff Requirements
Legal review complete
Compliance review complete
Deployment authorized

Why it lasts

What good looks like

Your organization can produce a completed three-tier accountability map for each AI system currently deployed. The map shows what each tier is responsible for, the gap between what Tiers 1 and 2 cover and what Tier 3 is accountable for, and the organizational governance artifacts that address that gap. When a regulator asks who is responsible for an AI system and what they were authorized to decide, the answer is in the map, not in someone's memory.

Who it is for


The Deployment Accountability Map charts the three tiers that exist in every AI deployment - the provider who built the model or platform, the control infrastructure through which the agent is deployed and governed, and the organization that decided to deploy it. Understanding what each tier is responsible for, and what it is not responsible for, defines the organizational design work that falls to the deploying organization by default. That work does not happen automatically. It happens because someone in the organization decided it was required.

Quick reference

Download the Accountability Worksheet

A one-page worksheet for mapping all three accountability tiers and identifying the gap that lands on your organization by default.


Executive FAQ

Questions leaders ask before deployment

These checkpoints separate vendor capability, platform control, and organizational accountability before a consequential agent goes live.

Referenced in

This framework is analyzed in the white paper

"Who Owns the Agent?" applies this framework to real-world deployment scenarios and maps it to named governance incidents from 2024 to 2026.

White paper

Who Owns the Agent?

The Intent Architecture Stack white paper, ten sections, complete diagnostic, named incident analysis, Intent Document template.

Research brief


Source: Ethyca, "AI Governance: Framework, Compliance and Operational Guide 2026," February 2026.


60-minute operating sprint

Apply this framework in one working session

Use this as a live governance exercise. Leave the session with named evidence, a visible gap, and a next owner rather than another discussion note.

Working session board

One pass through the framework. One evidence trail.

4 steps · 60 minutes · 1 owner · Live decision

01

15 minutes

Map the vendor tier

Who built the underlying model or platform? What does the vendor's terms of service say about liability when the AI produces a harmful output? Write down what the vendor is contractually responsible for and what they explicitly disclaim. Most vendors disclaim liability for outputs used in high-stakes decisions.

Output

Written evidence ready for the next governance decision.

02

15 minutes

Map the platform tier

If you are using Microsoft 365 Copilot or Copilot Studio, Microsoft is the platform. What controls does the platform enforce by default? What controls require configuration by your organization? What does the platform audit and what does it not audit? Write the line between what the platform handles and what you handle.

Output

Written evidence ready for the next governance decision.

03

15 minutes

Map the deploying organization tier

For this specific agent, what decisions has your organization made about scope, access, permitted actions, and accountability that the vendor and platform do not make for you? Write what you have decided and what you have not yet decided.

Output

Written evidence ready for the next governance decision.

04

15 minutes

Identify the gap

Look at the three tiers. Where does accountability go unmapped? The unmapped space is your deployment accountability gap. In most environments, the deploying organization tier is the least documented of the three - because the vendor and platform tiers are handled by contracts and configuration, and the organizational tier requires deliberate design.

Output

Written evidence ready for the next governance decision.