Methodology brief

How the work is done. Documented, versioned, independent.

Institutional reference for insurers, reinsurers, capital providers, regulators, and the senior teams within client organisations who rely on Agentica's deliverables. Describes how the work is done — not what it costs or how to engage.

Four practices, four deliverables

The full lifecycle under one roof

RiskLens

The RiskLens Assessment

Capability: Risk Intelligence.

ComplianceCore

The ComplianceCore Framework

Capability: Compliance.

GuardLayer

The GuardLayer Attestation

Capability: Control.

Agentica IR

The Agentica IR Protocol

Capability: Incident Response.

Five methodology principles

Non-negotiable, applied across all four practices

Documented

Every methodology element exists in writing, owned by the practice, available to engagement teams. No methodology lives in a partner's head.

Versioned

Every element carries a version number. Every engagement records the version applied. Prior engagements are not retroactively restated; they are tagged and refreshed on cycle.

Defensible

Every finding, score, and attestation can be explained to an underwriter, regulator, or opposing expert. We do not make claims we cannot defend with evidence.

Independent

We do not build, operate, sell, or hold a financial stake in what we attest to. We do not advise both sides of a transaction. We do not take referral fees from partners.

Refined by experience

Every engagement updates the methodology library. Every incident response feeds back into the predictive practices. Theoretical risk modelling is replaced with empirical evidence as the firm's portfolio grows.

The four practices in detail

What each practice produces, and how

**RiskLens — Risk Intelligence.** Produces the RiskLens Assessment, a diligence-grade evaluation covering AI footprint, model and data provenance, agentic exposure mapping, autonomous capital and decision exposure, regulatory obligations, context integrity, governance maturity, and forward-risk mapping. Each domain produces evidence and a finding. Domains roll up into the Agentic Risk Score — documented, calibrated, reproducible. Default variant: 4 to 8 weeks (operating company). Transaction Diligence variant: 2 to 4 weeks (capital). Refresh: annually, or when triggered by material regulatory change, footprint change, insurer requirement, or transaction event.

**ComplianceCore — Compliance.** Produces the ComplianceCore Framework: policy architecture, roles and decision-rights map, process design with review cadences, and a pre-staged incident response plan keyed to the top scenarios in the RiskLens risk register. Quarterly process attestations verify that what is documented is what is happening. Explicit boundary: ComplianceCore produces the plan; Agentica IR is contracted separately to execute it. The separation is required for insurer reliance. Cadence: quarterly attestations, full refresh annually or on material change.

**GuardLayer — Control.** Produces the GuardLayer Attestation in three parts. Agentica produces the infrastructure blueprint (the specification of what controls must be present to satisfy strategy, policy, and insurer conditions). A specialist verification partner reads the client's actual configuration and certifies whether the blueprint is implemented. Agentica integrates the certification into the attestation the insurer relies on. Precise scope: configuration against blueprint. Does not certify foundation-model, agent-framework, or broader AI-stack robustness against unknown adversarial inputs. Re-attestation on material infrastructure change, change in insurer conditions, or defined cycle (six to twelve months by risk class).

**Agentica IR — Incident Response.** Activates the Agentica IR Protocol. Technical incident commander at the centre of the response network: insurer claims team, breach counsel, forensics partner, communications, client IT, regulators where applicable. Produces defensible answers to three questions: why did the agent make this decision, what inputs and context shaped it, where in the control plane did the safeguard fail. Each engagement produces documented attribution to the model layer (vendor exposure), context or input layer (client exposure), or control layer (infrastructure exposure). Activation: per-incident or against a retainer (4 business hours, 1 hour 24/7, or 30 minutes 24/7).

Deliverable succession

Each deliverable is the input to the next

The succession runs in both directions. Forward — assess, govern, control, respond — is the customer-facing flow. Backward, every incident response sharpens the predictive practices for the next client.

Five hand-off points

  • RiskLens → ComplianceCore: AI footprint, risk register, regulatory exposure, gap inventory.
  • ComplianceCore → GuardLayer: policy architecture, control requirements.
  • ComplianceCore → IR (when activated): pre-staged response plan, asset map, decision rights.
  • GuardLayer → IR: configuration certification, infrastructure topology.
  • IR → all practices (next cycle): post-incident findings, attribution, methodology updates.

Independence, partners, versioning

Operational rules of the firm

Request a methodology specification.

For methodology depth on a specific practice (RiskLens, ComplianceCore, GuardLayer, Agentica IR), request the corresponding specification under engagement-level confidentiality. For commercial terms, request an engagement proposal.

Confidential. Response within one business day.