Agent Decommissioning

Procedures for securely retiring AI agents while maintaining compliance and an audit trail.


Overview

When an agent is no longer needed, it must be decommissioned following a controlled process that ensures data retention requirements are met and all stakeholders are notified.


Decommissioning Triggers

| Trigger | Action |
|---|---|
| Business decision | Standard decommissioning |
| Replaced by new agent | Migration then decommissioning |
| Compliance violation | Immediate suspension, then decommissioning |
| Security incident | Emergency suspension, investigation, then decommissioning |
| Owner departure | Ownership transfer or decommissioning |
| Inactivity (>90 days) | Review for decommissioning |

Decommissioning by Zone

Zone 1 Decommissioning

Approver: Creator (self-service)

Retention Requirements: 30 days minimum (if any logs exist)

Process:

  1. Document reason for retirement
  2. Disable agent access
  3. Wait 30 days for log retention
  4. Delete agent from environment
  5. Remove from inventory (if tracked)

Zone 2 Decommissioning

Approver: Manager + Environment Owner

Retention Requirements: 1 year minimum

Process:

  1. Document business justification for retirement
  2. Obtain manager approval
  3. Notify team members and users (2-week notice recommended)
  4. Disable agent (do not delete yet)
  5. Export conversation history (if required)
  6. Verify audit logs are retained (1-year minimum)
  7. Remove user access
  8. Wait for the retention period to elapse
  9. Delete agent from environment
  10. Update inventory to show decommissioned status
  11. Archive documentation

Zone 3 Decommissioning

Approver: Governance Committee

Retention Requirements: 7-10 years (per regulatory requirements)

Process:

  1. Document detailed business justification
  2. Present to governance committee
  3. Obtain committee approval:
       • AI Governance Lead
       • Compliance Officer
       • CISO
       • Business Owner
  4. Notify all stakeholders (minimum 30-day notice)
  5. Create transition plan (if replacing with new agent)
  6. Disable agent in production
  7. Complete data exports:
       • Full conversation history
       • Audit logs (entire retention period)
       • Configuration backup
       • Model/knowledge source documentation
  8. Transfer data to long-term retention storage
  9. Verify retention meets regulatory requirements
  10. Remove user and system access
  11. Preserve agent for retention period (disabled state)
  12. Update inventory to show decommissioned
  13. Archive all governance documentation
  14. Schedule deletion after retention period expires

Data Retention Requirements

| Data Type | Zone 1 | Zone 2 | Zone 3 |
|---|---|---|---|
| Conversation logs | N/A | 1 year | 7-10 years |
| Audit trail | 30 days | 1 year | 7-10 years |
| Configuration | N/A | 1 year | 7 years |
| Approval records | N/A | 3 years | 7 years |
| Incident records | N/A | 3 years | 7 years |

Regulatory Retention Guidelines

| Regulation | Requirement | Applies To |
|---|---|---|
| FINRA 4511 | 6 years, first 2 years in easily accessible place | Broker-dealers |
| SEC 17a-4 | 6 years, first 2 years readily accessible | SEC registrants |
| SOX 802 | 7 years | Public companies |
| GLBA | Per institution policy | All FSI |

Stakeholder Notification Template

Subject: [Agent Name] Decommissioning Notice

Dear [Stakeholder],

This notice informs you that [Agent Name] will be decommissioned on [Date].

REASON: [Brief explanation]

TIMELINE:
- [Date]: Agent disabled (read-only)
- [Date]: User access removed
- [Date]: Agent deleted

IMPACT:
- [Description of impact on users/workflows]

ALTERNATIVES:
- [Replacement agent, if applicable]
- [Alternative processes]

QUESTIONS:
Contact [Name] at [Email] for questions.

[AI Governance Lead]
[Date]

Emergency Decommissioning

For security incidents or compliance violations requiring immediate action:

  1. Immediate Actions (within 1 hour):
       • Disable agent access
       • Notify CISO and Compliance Officer
       • Preserve all logs and evidence
       • Document reason for emergency action

  2. Within 24 Hours:
       • Notify AI Governance Lead
       • Brief governance committee
       • Complete incident report
       • Assess data exposure (if any)

  3. Within 7 Days:
       • Complete root cause analysis
       • Document lessons learned
       • Update governance procedures (if needed)
       • Decide on permanent decommissioning vs. remediation

Decommissioning Checklist Summary

Pre-Decommissioning

  • Business justification documented
  • Approvals obtained (per zone requirements)
  • Stakeholders notified
  • Transition plan created (if applicable)

Decommissioning Execution

  • Agent disabled
  • Data exported and preserved
  • User access removed
  • System integrations disconnected

Post-Decommissioning

  • Inventory updated
  • Documentation archived
  • Retention compliance verified
  • Final review completed


Last Updated: January 2026 FSI Agent Governance Framework v1.2