DEV Community

t49qnsx7qt-kpanks
the five agent audit domains — and which one teams get wrong first

IndextDataLab's 2026 governance guide nails the five control domains: inventory and classification, audit trail and logging, human oversight, access control, bias and fairness monitoring. the framework maps cleanly to EU AI Act and NIST RMF requirements. if you haven't read it, it's worth the 15 minutes.

here's the field observation from running these audits: teams get the first two domains right and fail on the third.

inventory and classification is relatively mechanical. you can enumerate your agents. audit trail and logging is well-understood engineering — you know how to write structured logs. but human oversight is where the compliance gap opens, because the requirement isn't just architectural — it's evidentiary.

the EU AI Act doesn't ask you to build an override button. it asks you to document that the override mechanism exists, that it was tested, that someone with authority knows how to use it, and that you can prove all of this to an auditor. article 14 (human oversight) and article 9 (risk management system) both require documented procedures, not just technical controls.

the same problem shows up in audit trails. the minimum retention requirement for EU AI Act compliance is 6 months, but more importantly, the logs need to be immutable — not just stored, but tamper-evident. a cloudwatch log you can delete is not an immutable audit trail.
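one way to get tamper evidence rather than mere storage is to hash-chain the trail: each entry commits to the previous entry's hash, so deleting or rewriting a record breaks the chain, and storing the latest chain head outside the log store (an assumption here) also catches a truncated tail. added example, not from the guide or any product mentioned on this page; the agent event records are constructed.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain head before the first entry

# constructed sample events from a hypothetical agent
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T09:00:00Z", "agent": "invoice-bot", "action": "read_invoice", "actor": "system"},
    {"ts": "2026-03-01T09:00:04Z", "agent": "invoice-bot", "action": "approve_payment", "actor": "system"},
    {"ts": "2026-03-01T09:01:10Z", "agent": "invoice-bot", "action": "human_override", "actor": "j.doe"},
]


def _entry_hash(prev_hash: str, record: Dict) -> str:
    # canonical JSON so the same record always hashes identically
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(trail: List[Dict], record: Dict) -> str:
    """Append a record and return the new chain head (to be stored out-of-band)."""
    prev = trail[-1]["hash"] if trail else GENESIS
    entry_hash = _entry_hash(prev, record)
    trail.append({"record": record, "prev": prev, "hash": entry_hash})
    return entry_hash


def verify(trail: List[Dict], expected_head: Optional[str] = None) -> str:
    """Return 'ok' or a description of the first break in the chain."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev:
            return f"broken chain at index {i}: prev pointer does not match"
        if _entry_hash(prev, entry["record"]) != entry["hash"]:
            return f"broken chain at index {i}: entry hash does not match its content"
        prev = entry["hash"]
    # without an externally stored head, a truncated tail is undetectable
    if expected_head is not None and prev != expected_head:
        return "head mismatch: tail truncated or replaced"
    return "ok"


def build_sample_trail():
    trail: List[Dict] = []
    head = GENESIS
    for record in SAMPLE_EVENTS:
        head = append(trail, record)
    return trail, head
```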

bias and fairness monitoring (domain five) trips teams for a different reason: there's no agreed-upon measurement standard. ISO/IEC 42001:2023 references bias monitoring without specifying the metric. NIST AI RMF 1.1 is more prescriptive but still leaves implementation decisions open. teams that skip this domain usually discover it during external audits, not before.

the practical move if august 2 is your deadline:

first, run a gap analysis across all five domains, not just the ones your engineering team already owns. the domains that feel "done" (logging, access control) often have evidence collection gaps that only surface when you try to generate an audit report.

second, map your existing controls to specific regulation articles. "we have logging" is not the same as "we satisfy article 10(2)(e) data governance requirements." the mapping is a day of work but it's the difference between passing and failing an external audit.

BizSuite AI Audit covers all five domains — evidence collection, immutable trail, framework mapping, oversight documentation, and bias monitoring hooks. the initial audit is 48 hours, $997, and produces the structured report you can hand to your auditor or compliance team: https://getbizsuite.com/ai-audit
