Glossary

Risk tier

A classification of how consequential an agent or action is, used to set the controls it needs.

category ▸ Governance

audit/verify
#101hash ✓#102hash ✓#103hash ✓#104hash ✓#105hash ✓
head 0x9f3a…c1ok: true
verifyChain ▸ chained SHA-256 · signed receipts
What it means

Risk tier, in plain language.

A risk tier is a label — typically low, medium, or high — that captures how much harm an agent or action could cause if it went wrong. Tiering is the bridge between abstract policy and concrete enforcement: it lets you apply heavier controls (approval, review, tighter oversight) exactly where the stakes are highest and lighter ones everywhere else.

Risk-tiering is also a regulatory expectation. Frameworks like the EU AI Act and NIST AI RMF ask organizations to categorize AI systems by risk before deploying them, so that oversight is proportionate to impact rather than uniform.

In Cortex

How Cortex implements it.

This term isn't abstract here — it maps to a real capability in the runtime. Here is exactly how Cortex enforces or relates to it.

Governance

Cortex carries risk tier as a first-class field on agent identities, Action Fabric actions, and MCP servers. An action's tier drives whether it auto-executes or must be approved; an agent's tier informs its oversight and review cycle.

Because tiers are explicit and recorded, the risk register an assessor reviews is generated from the live configuration — every identity shows its tier, and the gate decisions trace back to it.

See Risk tier enforced, not just defined.

Book a walkthrough and watch the controls in this glossary return real verdicts, seal real evidence, and trace every fact back to its source.