
User Manual

Complete guide to AgentPMO — enterprise AI agent governance.

1. Introduction

AgentPMO is the control plane for organizations running AI agents at scale. It answers three questions every engineering and compliance team faces:

  • What are all our AI agents doing, and are any of them misbehaving?
  • Are we compliant with the EU AI Act, NIST AI RMF, and other frameworks?
  • What does this fleet actually cost, and is it within approved budgets?

AgentPMO connects to your agents via a lightweight CLI push model — agents report heartbeats, token usage, and events; the platform aggregates, evaluates, and surfaces actionable insight.

Concept          | What it means
-----------------|-------------------------------------------------------------------------
Agent            | A registered AI system (chatbot, code reviewer, document processor, etc.)
Assessment       | A formal risk evaluation of an agent against a compliance framework
Charter          | The approved token budget, model tier, and business owner for an agent
Incident         | A reported operational or safety issue linked to an agent
Conformity check | One of six binary tests that determine EU AI Act readiness
Heartbeat        | A periodic signal an agent sends to prove it is alive and healthy
Discovery        | Passive detection of AI tools running on developer machines

2. Getting Started

2.1 Sign up and create your organization

  1. Go to the AgentPMO web app and click Start Free.
  2. Create an account with email or an SSO provider.
  3. When prompted to create an organization, enter your company name. The slug is used in API calls — choose something short and memorable (e.g. acme).
  4. Invite team members from Settings > Members once your org is set up.

2.2 Get your API key

  1. Go to Settings > API Keys and enter a descriptive key name (e.g. ci-pipeline or local-dev).
  2. Click Create Key.
  3. The full key is shown once only. Copy it immediately and store it in a secrets manager or your CI provider's secret store.

Important: After creation, only the first 8 characters of the key are displayed, so you can tell keys apart without exposing them. If a key is lost, revoke it and create a new one. Never commit keys to source control; inject them through environment variables or CI secrets, and give each system its own key so that revoking one key affects only that system.

2.3 Install the CLI

npm install -g agentpmo

# Configure your key. Passing the key as a literal leaves it in shell history;
# read it from an environment variable or CI secret instead (the variable
# name below is an example, not one the CLI defines).
agentpmo config set apiKey "$AGENTPMO_API_KEY"
agentpmo config set orgSlug your-org-slug

# Verify connectivity
agentpmo status

2.4 Onboarding flow

After creating your organization, the dashboard shows a guided three-step onboarding card:

  1. Register Agents — add your AI agents via the UI or the CLI.
  2. Assess Compliance — run a risk assessment against at least one framework.
  3. Monitor & Report — track metrics, log incidents, and generate reports.

3. Dashboard

The dashboard is the real-time command center for your entire AI agent fleet. It auto-refreshes every 30 seconds and shows a live indicator when data is current.

3.1 Stat cards

Card           | What it shows
---------------|---------------------------------------------------------------------
Total Agents   | All registered agents in the organization
High Risk      | Agents rated Unacceptable or High on their latest assessment
Monthly Cost   | Aggregated token spend in USD since the 1st of the current month
Open Incidents | Incidents with status open or investigating
Budget Health  | % of chartered agents currently within their expected token budget

3.2 Stale agent alert

If any active agent has not sent a heartbeat in the last 24 hours, a yellow warning banner appears listing each stale agent by name. Click any agent name to navigate to its detail page.

3.3 Compliance overview panel

Three columns give an instant compliance posture:

  • Left: % of agents assessed, EU AI Act countdown in days, remediation progress bar.
  • Middle: Per-framework coverage bars (EU AI Act, NIST AI RMF, ISO 42001, GDPR, SOC 2).
  • Right: Active production agents with no assessment — highest priority for the compliance team.

4. Agents

4.1 Registering an agent

Click Register Agent (top right of the Agents page).

Field                   | Required | Description
------------------------|----------|-------------------------------------------------------------
Name                    | Yes      | Human-readable display name, e.g. "Customer Support Bot"
External ID             | Yes      | Machine-readable slug for API/CLI, e.g. customer-support-bot
Description             | No       | What the agent does
Model Provider          | No       | e.g. anthropic, openai, google
Model Name              | No       | e.g. claude-sonnet-4-6, gpt-4o
Owner Email             | No       | Person accountable for this agent
Department              | No       | Business unit, e.g. engineering, legal
Environment             | No       | production, staging, or development
Token Budget (Expected) | No       | Normal monthly spend in USD — the green zone
Token Budget (Stretch)  | No       | Upper acceptable limit before a warning
Token Budget (Runaway)  | No       | Hard ceiling — triggers a critical alert
Approved Model Tier     | No       | haiku, sonnet, opus, or any

Tip: If a tool was detected by the CLI discovery scanner, promote it to a registered agent directly from the Discovery page — name and external ID are pre-filled.

4.2 Sending heartbeats

agentpmo heartbeat --agent customer-support-bot

Add this to a cron job or health-check loop every 5 minutes for continuously running agents. An agent that misses heartbeats for 24+ hours is flagged as stale on the dashboard.

4.3 Reporting token usage

agentpmo metrics push \
  --agent customer-support-bot \
  --inputTokens 12500 \
  --outputTokens 3200 \
  --cacheHitTokens 8000 \
  --totalCostUsd 0.042 \
  --model claude-sonnet-4-6

4.4 Agent detail page

Click any agent name to open its detail page. Key sections:

Tab / Section   | What you will find
----------------|--------------------------------------------------------------------------
Overview        | Status, last heartbeat, model, owner, department, environment
Insights        | Smart callouts — open P1s, stale heartbeat, stale assessment, over budget
Metrics         | Daily token usage charts, cost trend, model breakdown
Bias & Fairness | Bias score trend, flagged rate, calibration error over time
Assessments     | All risk assessments across all frameworks for this agent
Incidents       | All incidents linked to this agent
Dependencies    | Upstream agents this agent calls; downstream consumers

4.5 Agent statuses

Status     | Meaning
-----------|----------------------------------------------------
Active     | Running in a live environment; heartbeats expected
Paused     | Temporarily suspended; no heartbeats expected
Deprecated | Being wound down; may still receive traffic
Archived   | Decommissioned; kept for audit history

5. Compliance

5.1 Supported frameworks

Framework                             | Abbreviation
--------------------------------------|-------------
EU Artificial Intelligence Act        | EU AI Act
NIST AI Risk Management Framework     | NIST AI RMF
ISO/IEC 42001 — AI Management Systems | ISO 42001
GDPR applied to AI systems            | GDPR AI
SOC 2 applied to AI systems           | SOC 2 AI

5.2 Running a new assessment

Navigate to Compliance > New Assessment and fill in:

Field           | Description
----------------|-------------------------------------------------
Agent           | The agent being assessed
Framework       | Choose from the five supported frameworks
Risk Level      | Unacceptable / High / Limited / Minimal
Score           | 0–100 composite score
AI Act Category | The EU AI Act category applicable to this agent
Findings        | Free-text summary of what was found
Recommendations | Actionable steps to improve risk posture

5.3 Assessment reviews (peer sign-off)

After an assessment is created, a colleague with at least the Member role can submit a peer review. Only Approved reviews satisfy EU AI Act conformity check #3.

Review status     | Effect
------------------|--------------------------------------------------
Approved          | Conformity check #3 (Peer reviewed) is satisfied
Changes requested | Assessor must revise findings
Rejected          | Assessment is invalid

5.4 Remediation tasks

Each assessment can have one or more remediation tasks:

Field       | Options
------------|---------------------------------------
Status      | open, in_progress, completed, wont_fix
Priority    | low, medium, high, critical
Assigned to | Email of the responsible person
Due date    | Target completion date

Note: An agent satisfies EU AI Act conformity check #4 only when at least 50% of its remediation tasks are marked completed.

5.5 Compliance Matrix

Compliance > Matrix — a grid with agents as rows and frameworks as columns. Each cell shows the latest risk level, score, and a staleness indicator (grey) if the assessment is older than 90 days. Empty cells are agents never assessed under that framework.

5.6 Gap Analysis

Compliance > Gap Analysis — lists every framework and, for each, every agent that has not been assessed. Use Assess Now on any row to jump to a pre-filled new-assessment form.

5.7 Framework Comparison

Compliance > Compare — select any two frameworks for a side-by-side comparison of assessment counts, average scores, and risk level distribution.

5.8 Bulk Assessment

Compliance > Bulk — run the same assessment parameters across multiple agents simultaneously. Useful when a new framework becomes relevant for an entire product line.

6. EU AI Act Readiness

The EU AI Act page is the single source of truth for your readiness against the August 2, 2026 enforcement deadline. It evaluates every agent against six conformity checks and produces a downloadable PDF report.

6.1 The six conformity checks

# | Check            | Pass condition
--|------------------|--------------------------------------------------------------
1 | Assessed         | At least one completed risk assessment on record
2 | Fresh            | Most recent assessment completed within the last 90 days
3 | Peer reviewed    | At least one assessment has an approved review from a peer
4 | Remediated ≥ 50% | At least half of the agent's remediation tasks are completed
5 | No open P1       | No open incidents with severity p1 linked to this agent
6 | Charter signed   | The agent has a token strategy charter with status chartered

6.2 Readiness statuses

Status      | Condition
------------|----------------------------------------
Ready       | All 6 checks pass
At Risk     | At least 1 check passes, but not all 6
Not Started | Zero checks pass
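
The six checks and the readiness roll-up are simple enough to reproduce outside the platform, for example as a CI gate that refuses to promote an agent to production until it is Ready. The TypeScript below is an added illustration and not AgentPMO's own code: the record shapes (assessments carrying reviews, remediation tasks, incidents, a charter) are assumptions modelled on the fields this manual documents, "open" for check #5 is read as status open or investigating to match the dashboard's definition in section 3.1, and an agent with zero remediation tasks is assumed to pass check #4, which the manual does not settle.

```typescript
// Added example (not AgentPMO code): the six conformity checks as a pure
// function over plain records. Field names are assumptions modelled on
// the fields this manual documents.
type Review = { status: "approved" | "changes_requested" | "rejected" };
type Assessment = { id: string; completedAt: string; reviews: Review[] };
type RemediationTask = { status: "open" | "in_progress" | "completed" | "wont_fix" };
type Incident = {
  severity: "p1" | "p2" | "p3" | "p4";
  status: "open" | "investigating" | "resolved" | "closed";
};
type Charter = { charterStatus: "chartered" | "draft" };

type AgentRecord = {
  externalId: string;
  assessments: Assessment[];
  remediationTasks: RemediationTask[];
  incidents: Incident[];
  charter: Charter | null;
};

type CheckName = "assessed" | "fresh" | "peerReviewed" | "remediated" | "noOpenP1" | "charterSigned";
type Readiness = "Ready" | "At Risk" | "Not Started";

const FRESHNESS_DAYS = 90;
const DAY_MS = 24 * 60 * 60 * 1000;

function runConformityChecks(agent: AgentRecord, now: Date): Record<CheckName, boolean> {
  const completedAt = agent.assessments.map(a => new Date(a.completedAt).getTime());
  const latest = completedAt.reduce((max, t) => Math.max(max, t), -Infinity);
  const tasks = agent.remediationTasks;
  const completed = tasks.filter(t => t.status === "completed").length;
  return {
    // #1 at least one completed assessment on record
    assessed: agent.assessments.length > 0,
    // #2 most recent assessment within the last 90 days
    fresh: completedAt.length > 0 && now.getTime() - latest <= FRESHNESS_DAYS * DAY_MS,
    // #3 some assessment carries an approved peer review
    peerReviewed: agent.assessments.some(a => a.reviews.some(r => r.status === "approved")),
    // #4 at least half of the remediation tasks are completed. wont_fix does
    // not count because the manual says "marked completed". Zero tasks is
    // assumed to pass (nothing outstanding); tighten this if your policy differs.
    remediated: tasks.length === 0 || completed / tasks.length >= 0.5,
    // #5 no P1 that is still open or investigating (the dashboard's
    // definition of an open incident, section 3.1)
    noOpenP1: !agent.incidents.some(
      i => i.severity === "p1" && (i.status === "open" || i.status === "investigating")
    ),
    // #6 a charter saved with status "chartered"
    charterSigned: agent.charter !== null && agent.charter.charterStatus === "chartered",
  };
}

function readiness(checks: Record<CheckName, boolean>): Readiness {
  const names = Object.keys(checks) as CheckName[];
  const passed = names.filter(n => checks[n]).length;
  if (passed === names.length) return "Ready";
  if (passed === 0) return "Not Started";
  return "At Risk";
}

// Constructed sample: reviewed and chartered, but the assessment is 120 days
// old, only 1 of 3 tasks is completed, and a P1 is still under investigation.
const sampleAgent: AgentRecord = {
  externalId: "customer-support-bot",
  assessments: [{ id: "asm-1", completedAt: "2026-01-10T00:00:00Z", reviews: [{ status: "approved" }] }],
  remediationTasks: [{ status: "completed" }, { status: "open" }, { status: "wont_fix" }],
  incidents: [{ severity: "p1", status: "investigating" }, { severity: "p2", status: "resolved" }],
  charter: { charterStatus: "chartered" },
};

const sampleChecks = runConformityChecks(sampleAgent, new Date("2026-05-10T00:00:00Z"));
const sampleReadiness = readiness(sampleChecks); // "At Risk": fresh, remediated and noOpenP1 fail
```

Because check #5 passes vacuously for any agent with no incidents, an agent that has never been assessed is normally already At Risk rather than Not Started; Not Started is effectively reserved for unassessed agents that also carry an open P1 and no charter.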

6.3 Downloading the PDF report

Click Download PDF on the EU AI Act page. The report is suitable for submission to regulators, auditors, or board risk committees. It includes a cover page with the org-level readiness score and a per-agent table with check dots and status badges.

7. Token Strategy Charter

A Token Strategy Charter is the formal agreement about how much an agent is allowed to spend on tokens, which models it is approved to use, and who is accountable. Unchartered agents have no runaway protection.

7.1 Charter fields

Field                    | Description
-------------------------|-------------------------------------------------------
Approved Model Tier      | haiku, sonnet, opus, or any
Expected Budget (USD/mo) | Normal monthly spend — the green zone
Stretch Budget (USD/mo)  | Upper acceptable limit — triggers a warning alert
Runaway Budget (USD/mo)  | Hard ceiling — triggers a critical incident
Business Owner           | Email of the person accountable for this agent's spend
Rationale                | Why this agent needs its approved model tier and budget
Effective Date           | When the charter comes into force
Review Date              | When the charter should next be reviewed

7.2 Budget health

The dashboard Budget Health card shows the percentage of chartered agents within their expected monthly budget. On the Token Charter list, agents over expected budget are highlighted amber; agents over the runaway limit are highlighted red.

Tip: Saving a charter sets charterStatus to chartered, satisfying EU AI Act conformity check #6 automatically.

8. Dependency Graph

The dependency graph maps which agents call or depend on other agents. Node colors reflect risk level. Agents with open compliance gaps are outlined with a dashed border.

8.1 Adding a dependency

  1. Select the dependent agent (the one that calls another).
  2. Select the upstream agent (the one being depended upon).
  3. Set criticality: critical, high, medium, or low.
  4. Optionally add a description.

8.2 Blast radius

The stats panel lists each agent with its blast radius — the number of other agents that would be affected if it failed. Agents with a blast radius of 3+ warrant additional compliance scrutiny and should be prioritized in remediation.
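
Blast radius is a reachability question on the dependency graph: counting only an agent's direct callers understates the impact when those callers are themselves depended upon. The TypeScript below is an added illustration and not AgentPMO's own code; the edge shape follows the fields in 8.1 (dependent agent, upstream agent, criticality), and treating blast radius as the full set of transitively downstream agents is this example's reading of "affected if it failed".

```typescript
// Added example (not AgentPMO code): blast radius over a dependency list.
// Edge shape follows section 8.1; blast radius is computed as the transitive
// set of downstream agents, which is this example's reading of the manual.
type Criticality = "critical" | "high" | "medium" | "low";
type Dependency = { dependent: string; upstream: string; criticality: Criticality };

// upstream agent -> agents that call it directly
function buildDownstreamIndex(edges: Dependency[]): Record<string, string[]> {
  const index: Record<string, string[]> = {};
  for (const e of edges) {
    if (!index[e.upstream]) index[e.upstream] = [];
    index[e.upstream].push(e.dependent);
  }
  return index;
}

// Breadth-first walk from `agent` along the downstream index. The `seen`
// set makes cycles (A calls B, B calls A) terminate and stops an agent being
// counted twice when it is reachable by more than one path.
function impactedAgents(agent: string, index: Record<string, string[]>): string[] {
  const seen: Record<string, boolean> = {};
  const queue: string[] = [agent];
  const impacted: string[] = [];
  while (queue.length > 0) {
    const current = queue.shift() as string;
    for (const next of index[current] || []) {
      if (next === agent || seen[next]) continue;
      seen[next] = true;
      impacted.push(next);
      queue.push(next);
    }
  }
  return impacted.sort();
}

function blastRadius(edges: Dependency[]): Record<string, number> {
  const index = buildDownstreamIndex(edges);
  const agents: Record<string, boolean> = {};
  for (const e of edges) {
    agents[e.upstream] = true;
    agents[e.dependent] = true;
  }
  const radius: Record<string, number> = {};
  for (const a of Object.keys(agents)) radius[a] = impactedAgents(a, index).length;
  return radius;
}

// Agents at or above the manual's 3+ scrutiny threshold, largest first.
function needsScrutiny(radius: Record<string, number>, threshold = 3): string[] {
  return Object.keys(radius)
    .filter(a => radius[a] >= threshold)
    .sort((a, b) => radius[b] - radius[a] || a.localeCompare(b));
}

// Constructed sample fleet: a shared retrieval service feeds a router that
// fans out to two customer-facing agents, plus a two-agent cycle.
const sampleEdges: Dependency[] = [
  { dependent: "router", upstream: "retrieval-service", criticality: "critical" },
  { dependent: "customer-support-bot", upstream: "router", criticality: "high" },
  { dependent: "sales-assistant", upstream: "router", criticality: "high" },
  { dependent: "qa-summarizer", upstream: "retrieval-service", criticality: "medium" },
  { dependent: "qa-summarizer", upstream: "customer-support-bot", criticality: "low" },
  { dependent: "customer-support-bot", upstream: "qa-summarizer", criticality: "low" },
];

const sampleRadius = blastRadius(sampleEdges);
// retrieval-service 4, router 3, customer-support-bot 1, qa-summarizer 1, sales-assistant 0
```

In the sample, counting direct dependents only would give retrieval-service a radius of 2 and keep it below the 3+ threshold; following the graph gives 4, and both retrieval-service and router surface for extra scrutiny.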

9. Discovery

Discovery passively detects AI tools running across your organization's developer machines and infrastructure — surfacing shadow AI that has not been formally registered.

9.1 Running a scan

agentpmo discover

# Print results without uploading
agentpmo discover --output json

9.2 Tool types detected

Type              | What is scanned
------------------|------------------------------------------------------------
npm_package       | node_modules and global npm for AI SDK packages
python_package    | pip-installed packages (openai, anthropic, langchain, etc.)
running_process   | Active processes matching known AI agent signatures
desktop_app       | Installed applications (e.g. Claude Desktop, ChatGPT app)
ide_extension     | VS Code, Cursor, and JetBrains extensions
browser_extension | Chrome/Edge extensions matching known AI tools
browser_ai        | Browser-native AI features that are enabled
network_egress    | Outbound connections to AI provider API endpoints
api_key           | Environment variables matching patterns for AI API keys
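
The api_key row is the one detection that touches live secrets, so it is worth being explicit about what such a check should and should not do: match on variable names, confirm the value has the shape of a credential, and report only a fingerprint so the scanner never becomes a path for exfiltrating the keys it finds. The TypeScript below is an added illustration, not the agentpmo CLI's own scanner; the name patterns, the token-shape heuristic and the fingerprint policy are this example's assumptions.

```typescript
import { createHash } from "crypto";

// Added example (not the agentpmo CLI's logic): a minimal api_key discovery
// check. Name patterns, the secret-shape heuristic and the redaction policy
// are assumptions of this example.
type KeyFinding = { variable: string; provider: string; fingerprint: string; valueLength: number };

// Matched on variable NAME only. Earlier entries win when several match.
const PROVIDER_PATTERNS: { provider: string; pattern: RegExp }[] = [
  { provider: "openai", pattern: /^OPENAI_/i },
  { provider: "anthropic", pattern: /^ANTHROPIC_/i },
  { provider: "google", pattern: /^(GOOGLE_AI|GEMINI)_/i },
  { provider: "unknown", pattern: /(_API_KEY|_TOKEN)$/i },
];

// A value is treated as a credential if it is long, has no whitespace and is
// not a URL. Model names and base URLs sitting next to real keys are skipped.
function looksLikeSecret(value: string): boolean {
  return value.length >= 20 && !/\s/.test(value) && !/^https?:\/\//i.test(value);
}

// First 8 hex chars of SHA-256: enough to recognise the same key on two
// machines, useless for recovering it. The raw value never leaves this function.
function fingerprint(value: string): string {
  return createHash("sha256").update(value).digest("hex").slice(0, 8);
}

function scanEnvironment(env: Record<string, string | undefined>): KeyFinding[] {
  const findings: KeyFinding[] = [];
  for (const variable of Object.keys(env).sort()) {
    const value = env[variable];
    if (!value || !looksLikeSecret(value)) continue;
    const match = PROVIDER_PATTERNS.filter(p => p.pattern.test(variable))[0];
    if (!match) continue; // PATH and friends: long, but not a key by name
    findings.push({
      variable,
      provider: match.provider,
      fingerprint: fingerprint(value),
      valueLength: value.length,
    });
  }
  return findings;
}

// Constructed sample environment; none of these are real credentials.
const sampleEnv: Record<string, string | undefined> = {
  OPENAI_API_KEY: "sk-example-0123456789abcdefghijklmnop",
  ANTHROPIC_API_KEY: "sk-ant-example-0123456789abcdefghij",
  OPENAI_MODEL: "gpt-4o",                                            // too short
  ANTHROPIC_BASE_URL: "https://api.example.invalid/v1/a/long/path",  // a URL
  INTERNAL_API_KEY: "ik_0123456789abcdefghijklmnopqrstuv",           // unknown provider
  PATH: "/usr/local/bin:/usr/bin:/bin",                              // name does not match
};

const sampleFindings = scanEnvironment(sampleEnv);
// 3 findings: ANTHROPIC_API_KEY (anthropic), INTERNAL_API_KEY (unknown), OPENAI_API_KEY (openai)
```

To run it against the real environment, pass process.env in place of sampleEnv. Whatever the detection logic, the record that leaves the machine should identify the variable and let you correlate the same key across hosts; the fingerprint does that without the discovery tool itself handling plaintext secrets beyond the local process.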

9.3 Promoting or dismissing

Promote to Agent — opens the registration form with name and external ID pre-filled. Complete the remaining fields and the tool is linked to the new agent.

Dismiss — archives the finding. It will not reappear unless detected again in a future scan.

10. Incidents

10.1 Severity levels

Severity | Code | Response expectation
---------|------|-----------------------------------------------------------
Critical | P1   | Immediate — safety, privacy, or business continuity threat
High     | P2   | Within 24 hours — significant degradation or risk
Medium   | P3   | Within one week — moderate issue
Low      | P4   | Normal sprint cycle — minor or informational

Important: An open P1 incident linked to any agent blocks EU AI Act conformity check #5. P1 incidents must be resolved before an agent can be rated Ready.

10.2 Incident lifecycle

open  →  investigating  →  resolved  →  closed

10.3 Filing an incident

Click New Incident and fill in:

Field       | Description
------------|--------------------------------------------------------------------
Title       | Short summary, e.g. "Customer Support Bot returning PII in responses"
Description | Full description of what happened
Severity    | P1–P4
Status      | Usually open when first filed
Agent       | The agent involved (strongly recommended)

10.4 Filing via CLI

agentpmo incident create \
  --agent customer-support-bot \
  --title "Unexpectedly high hallucination rate detected" \
  --severity p2 \
  --description "Automated eval detected 12% hallucination rate in last 100 runs"

11. Reports

The Reports page combines fleet health, risk posture, token economics, incident summary, EU AI Act countdown, and remediation progress into a single governance view with month-over-month deltas.

11.1 Token economics section

  • Budget utilization — MTD cost vs expected, stretch, and runaway budgets per agent.
  • Model tier cost breakdown — haiku vs sonnet vs opus spend.
  • Cache efficiency — ratio of cache-hit tokens to total (aim for > 40%).
  • Cache leaderboard — agents with the best and worst cache hit rates.

11.2 Scheduled reports

Navigate to Reports > Schedule to set up automatic PDF delivery:

  1. Click Schedule Report.
  2. Choose Weekly (every Monday at 8 AM) or Monthly (1st of each month at 8 AM).
  3. Enter recipient email addresses.
  4. Save the schedule.

12. Audit Log

The audit log is a tamper-proof, append-only record of every significant action in the platform. Required for regulatory compliance and internal investigations.

12.1 Audited resources

Resource          | Events tracked
------------------|---------------------------------------------
Agent             | Created, updated, archived
Assessment        | Created, approved, rejected
Assessment review | Created, status changed
Remediation task  | Created, status changed, assigned
Incident          | Created, severity changed, resolved, closed
API key           | Created, revoked
Charter           | Created, updated
Dependency        | Added, removed
Comment           | Added

12.2 Filters

Filter        | Description
--------------|---------------------------------------------
Resource type | Show only events for a specific resource
Actor         | Filter by the user who performed the action
From date     | Show events after this date
To date       | Show events before this date

13. Settings

13.1 API Keys

Create keys in Settings. Keys are shown once — if lost, revoke and create a new one. Name keys descriptively to track which system uses them (e.g. github-actions, staging-server).

13.2 Webhooks

Create a webhook endpoint by providing:

  • URL — the HTTPS endpoint that will receive events
  • Secret — used to sign payloads with HMAC-SHA256. Verify the signature in your receiver over the raw request body, before any JSON parsing, using a constant-time comparison, and reject deliveries that fail.
  • Events — select which event types to subscribe to

The Webhooks page shows a delivery log with HTTP status codes and response times for each recent delivery attempt.

13.3 Integrations

Integration     | What it does
----------------|---------------------------------------------------------
Slack           | Post incident alerts and weekly summaries to a channel
Microsoft Teams | Same as Slack, for Teams-based organizations
PagerDuty       | Escalate P1 incidents directly to on-call rotations
GitHub          | Link assessments and remediation tasks to GitHub issues
Jira            | Sync remediation tasks as Jira tickets
Datadog         | Forward token metrics and heartbeat events to Datadog
Splunk          | Stream audit log events to Splunk for SIEM integration

14. CLI Reference

agentpmo status

agentpmo status
# Connected to AgentPMO  org: acme  role: admin

agentpmo heartbeat

agentpmo heartbeat --agent <external-id>

agentpmo metrics push

agentpmo metrics push \
  --agent <external-id> \
  --inputTokens <n> \
  --outputTokens <n> \
  --cacheHitTokens <n> \
  --cacheMissTokens <n> \
  --totalCostUsd <n> \
  --model <model-id>

agentpmo incident create

agentpmo incident create \
  --agent <external-id> \
  --title "Description of the issue" \
  --severity p2 \
  --description "Full details"

agentpmo discover

agentpmo discover
agentpmo discover --output json  # print without uploading

agentpmo agents list / get

agentpmo agents list
agentpmo agents list --format json
agentpmo agents get --agent customer-support-bot

15. API Reference

All endpoints require authentication via API key as a Bearer token:

Authorization: Bearer apk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Agents

Method | Endpoint                  | Description
-------|---------------------------|--------------------
GET    | /api/agents               | List all agents
POST   | /api/agents               | Create a new agent
GET    | /api/agents/:id           | Get an agent by ID
PATCH  | /api/agents/:id           | Update agent fields
POST   | /api/agents/:id/heartbeat | Send a heartbeat

Metrics

POST /api/metrics/ingest
{
  "agentId": "agent_xxxx",
  "periodStart": "2026-05-14T00:00:00Z",
  "inputTokens": 12500,
  "outputTokens": 3200,
  "cacheHitTokens": 8000,
  "totalCostUsd": "0.042",
  "modelUsed": "claude-sonnet-4-6"
}

Incidents

Method | Endpoint           | Description
-------|--------------------|--------------------------------------------
GET    | /api/incidents     | List incidents (filter by status, severity)
POST   | /api/incidents     | Create an incident
PATCH  | /api/incidents/:id | Update severity or status

Webhook payload verification

import { createHmac, timingSafeEqual } from "crypto";

// `payload` must be the raw request body exactly as received; re-serializing
// parsed JSON can change whitespace or key order and break the HMAC.
// `signature` is the value AgentPMO sends, in the form "sha256=<hex digest>".
function verifySignature(payload: string, signature: string, secret: string): boolean {
  const digest = createHmac("sha256", secret).update(payload).digest("hex");
  const expected = Buffer.from(`sha256=${digest}`);
  const received = Buffer.from(signature);
  // timingSafeEqual throws a RangeError when the buffers differ in length,
  // which would turn any malformed signature into a crash or 500 in the
  // receiver. A wrong-length signature is simply invalid.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

16. Roles & Permissions

Action                              | Viewer | Member | Admin
------------------------------------|--------|--------|------
View agents, assessments, incidents | Yes    | Yes    | Yes
View compliance matrix and reports  | Yes    | Yes    | Yes
View audit log                      | Yes    | Yes    | Yes
Create / edit agents                | No     | Yes    | Yes
Run assessments                     | No     | Yes    | Yes
Submit assessment reviews           | No     | Yes    | Yes
File and update incidents           | No     | Yes    | Yes
Manage remediation tasks            | No     | Yes    | Yes
Create / edit token charters        | No     | Yes    | Yes
Create / revoke API keys            | No     | No     | Yes
Manage webhooks                     | No     | No     | Yes
Manage organization members         | No     | No     | Yes
Manage integrations                 | No     | No     | Yes

17. Glossary

Agent
A registered AI system managed by AgentPMO. An agent has an external ID, a status, optionally a charter, and accumulates assessments, metrics, incidents, and dependencies.
Assessment
A formal evaluation of an agent against a compliance framework. Records a risk level, score, findings, and recommendations. Must be refreshed within 90 days to stay fresh for EU AI Act purposes.
Assessment review
A peer sign-off on an assessment. An approved review satisfies EU AI Act conformity check #3.
Blast radius
The number of other agents that would be impacted if a given agent failed. High-blast-radius agents should be prioritized in compliance and incident response.
Charter
The formal governance document for an agent's token usage — approved model tier, monthly spend budgets, and a named business owner. Saving a charter (status chartered) satisfies EU AI Act conformity check #6.
Conformity check
One of six binary tests (assessed, fresh, peer reviewed, remediated ≥ 50%, no open P1, charter signed) that collectively determine EU AI Act readiness.
Discovery
Passive detection of AI tools on developer machines and infrastructure that have not been formally registered.
Heartbeat
A periodic signal sent by an agent via CLI or API to confirm it is alive. Absence for 24 hours triggers a stale-agent warning.
Incident
A reported operational or safety issue linked to an agent. Severity P1–P4. Open P1 incidents block EU AI Act conformity.
Remediation task
An action item attached to an assessment. Completing ≥ 50% of tasks satisfies EU AI Act conformity check #4.
Risk level
Four-tier classification: Unacceptable (prohibited), High (strict controls), Limited (transparency obligations), Minimal (low obligations).