From Model Risk to Agent Risk: A Practical Risk Management Approach for Organisations Rolling Out Agents

Core idea: Agent risk management is not about proving a technical system is safe at a point in time. It is about governing delegated autonomy in a socio-technical system so that outcomes stay within policy, performance targets, and risk appetite over time.

A socio-technical system with self-correcting mechanisms

SR 11-7 does not mention hallucination rates. It does not define retrieval precision. It has no section on prompt injection, corpus freshness, or agentic decision boundaries. It was issued in 2011, long before today’s enterprise rollout of large language models and agents.1 ...

16 min · Quinton Anderson