OPERATIONAL FRAMEWORKS

The Authorization Coverage Lifecycle

Three phases every organization moves through as its authorization coverage ratio changes. Most are in phase one without knowing it - and the ratio is the proof.

Most organizations enter the Recognition stage only when an external event forces it, a failed audit, a vendor change, or a regulatory inquiry. The model exists to make Recognition a deliberate choice rather than an incident response.

v1.0 · April 2026Sougata Roy, sougataroy.com

Free to read and cite with attribution to Sougata Roy and sougataroy.com. Do not republish, rebrand, or claim authorship of any framework, term, or model as your own.

Explore all frameworks

Authorization Coverage Lifecycle

v1.0

Three-stage lifecycle3 items

Stage 1

Unreconciled

In Accumulation, AI systems are being deployed and governance inf...

Stage 2

Exposure Recognized

In Recognition, the organization has become aware of its governan...

Stage 3

Coverage Operating

In Resolution, the organization has established governance proces...

Version 1.0 - Published April 2026

Authorization decay

Deployment-time approval is not lifecycle authorization.

Technical debt accumulates when organizations build software faster than they build the infrastructure to maintain it. Governance debt accumulates when organizations deploy AI systems faster than they build the organizational structures to govern them. Unlike technical debt, governance debt has an external enforcement dimension: when it reaches sufficient scale, regulators, auditors, and legal systems become involved - not just internal teams.

Use this section to shift the audit question from whether the agent was approved once to whether its authorization state is still current.

Why this framework exists

The Authorization Coverage Lifecycle names the three phases every organization moves through as its ratio of governed agents to total agents changes. The naming matters because organizations in phase one often believe they are in phase three. The gap between where an organization thinks it is and where its authorization coverage ratio places it is itself a governance finding.

Coverage calculation

Governance debt can be quantified as a ratio and tracked over time. The calculation requires two numbers: the total count of deployed AI systems and the count of those with complete governance artifacts in place. Governance debt equals the total deployed AI systems minus the AI systems with complete governance artifacts, divided by the total deployed AI systems, expressed as a percentage. A ratio of zero percent means every deployed AI system has complete governance artifacts. A ratio above 50 percent means the majority of the AI deployment operates without complete governance. A declining ratio means remediation is outpacing accumulation. A stable or increasing ratio means debt is accumulating at least as fast as it is being addressed, regardless of how much remediation work is underway.

Editorial governance illustration showing deployment-time approval decaying into stale authorization unless current records are maintained. — Authorization decay
Approval at launch is not authorization over time
The audit question is whether every active AI system still has a current authorization state, not whether it was approved once.

The lifecycle

Three phases of authorization coverage.

Place the organization by evidence, not aspiration. If the ratio cannot be produced, the lifecycle placement is already visible.

01Stage 1

Unreconciled

In Accumulation, AI systems are being deployed and governance infrastructure is not keeping pace. Each deployment without a formal authorization record, a named accountable owner, a compliance review, and a defined review process represents a unit of governance debt. The debt is growing faster than it is being recognized, often because the people accumulating it do not know a governance process was expected of them.

Governance artifact

The organizational markers of Accumulation are specific and recognizable. AI systems are deployed by individual teams without cross-functional review. There is no defined governance intake process for new deployments. The organization does not have a current and complete inventory of its AI systems. AI policies, if they exist, describe principles rather than requirements with compliance checkpoints. No person or role has explicit accountability for the organization's aggregate AI governance posture. And the count of AI systems produced by IT differs from the count produced by business units, with neither reconciled.

02Stage 2

Exposure Recognized

In Recognition, the organization has become aware of its governance gap. It knows agents are operating without authorization records and that this creates regulatory and legal exposure. The triggering event has already occurred - an audit finding, an incident, a board question - and the organization is now in reactive mode.

Governance artifact

The organizational markers of Recognition are also specific. A governance gap has been named internally, but the remediation program is not yet operational. Teams are producing retroactive documentation for agents already in production. Ownership assignments are being made after the fact rather than before deployment. Compliance reviews are being conducted in response to a specific incident or examination rather than as a standard pre-deployment requirement. The intake process is being designed but has not yet intercepted a new deployment.

03Stage 3

Coverage Operating

In Resolution, the organization has established governance processes that prevent new governance debt from accumulating faster than existing debt is being remediated. The intake process is operational and enforced. The authorization coverage ratio is declining. The agent registry reflects the actual deployment population, not only the approved one.

Governance artifact

The organizational markers of Resolution are demanding but specific. The governance coverage rate is above 80 percent and is being actively maintained. The intake process is enforced consistently, including for deployments described as urgent. The named executive accountable for AI governance can report the current ratio, the current trend, and the specific remediation priorities to the board without assembling the data in advance. When a new AI system is proposed, the first question the business owner asks is what is needed for the governance intake - not how to get the deployment exempted from the governance process.

What gets missed

Coverage gaps show where authorization has decayed.

The difference is that an authorization coverage gap has an external dimension that technical debt does not. When an authorization coverage gap reaches sufficient scale, it becomes visible to regulators, auditors, and legal systems, not only to internal teams. At that point, the organization is not choosing between paying down the gap deliberately and continuing to accumulate it. It is choosing between addressing it proactively and having it addressed under external pressure.

Use these gaps to trace every active agent back to a current authorization state, not the approval state it had when it launched.

Editorial diagnostic board showing inventory, artifact, operating, and reporting gaps that reveal authorization coverage decay. — Coverage gaps
The gaps show where authorization has decayed
Inventory, artifact, operating, and reporting gaps turn a vague governance concern into a specific remediation queue.

Gap 1

Inventory Gap

The organization does not have a current and complete inventory of its AI systems. The count of AI systems produced by IT differs from the count produced by business units, with neither reconciled.

Document whether this gap exists for each active agent, then assign remediation by owner and review date.

Gap 2

Artifact Gap

AI systems are operating without a formal authorization record, a named accountable owner, a compliance review, and a defined review process.

Document whether this gap exists for each active agent, then assign remediation by owner and review date.

Gap 3

Operating Gap

The intake process is being designed but has not yet intercepted a new deployment. Teams are producing retroactive documentation rather than preventing new gaps.

Document whether this gap exists for each active agent, then assign remediation by owner and review date.

Gap 4

Reporting Gap

The named executive accountable for AI governance cannot report the current ratio, the current trend, and the specific remediation priorities without assembling the data in advance.

Document whether this gap exists for each active agent, then assign remediation by owner and review date.

Governing scenario

Reporting AI Governance Posture to the Board: The Four Questions That Must Be Answerable

WARNING: The Risk of Unquantified Governance Debt. Executives unable to answer these questions carry significant debt in regulated environments. Governance Posture is Reportable Only When Documented. Accountability is established through evidence, not when the environment simply feels managed.

Use these questions in audit preparation. If the answers require manual assembly, the authorization state is not operationally current.

Editorial board evidence packet showing agent count, intent and scope, accountable owner, and audit trail records. — Board evidence
Board posture is reportable only when documented
Executives need current records for agent count, intent and scope, owner assignment, and audit trail adequacy without assembling evidence manually.

Q1 - How many agents are operating in our environment?

Requirement: Requires a current agent registry with active deployment status for every entry. Evidence Standard: Registry with active status column.

Q2 - What is each agent's documented intent and authorized scope?

Requirement: Requires signed intent statements for every agent, reviewed on a set cadence. Evidence Standard: Signed and dated intent statement per agent.

Q3 - Who is accountable for each agent's behavior?

Requirement: Requires a named individual assigned as the accountable owner for every registry entry. Evidence Standard: Owner assignment with defined review cadence.

Q4 - Is our audit trail adequate for regulatory inquiry?

Requirement: Requires active logging tested against the specific regulatory frameworks applicable to your industry. Evidence Standard: Logging verification report dated within 90 days.

Primary sources

The research basis for authorization coverage.

The lifecycle is grounded in external research on AI trust maturity and enterprise agent governance visibility.

Use these references when an audit, risk, or board conversation needs external support for measuring authorization coverage.

Editorial target-state illustration showing enforced intake, authorization records, named owners, compliance review, review cadence, coverage above 80 percent, and declining governance debt. — Coverage operating
The intake process becomes easier than working around it
A current registry, enforced intake, complete authorization records, and a declining debt trend make the coverage lifecycle operational.

mckinsey.com

Source: McKinsey and Company, "State of AI Trust in 2026: Shifting to the Agentic Era," March 25, 2026. Survey of approximately 500 organizations, December 2025 to January 2026.

View source

Connected frameworks