The challenge
A fictitious infrastructure operator runs an AI video-analytics system for restricted-area intrusion detection across 13 sites — a high-risk system under its assurance framework. Policy is unambiguous: a material change to a high-risk system triggers reassessment before continued operation. The obligation mirrors real regimes — the NSW AI Assessment Framework, ISO 42001 clause 8 change management, and the EU AI Act's "substantial modification" rules all say the same thing.
The problem: the obligation lived in a PDF. The ML team's retraining pipeline lived in a model registry. Nothing connected them. When the intrusion-detection model was retrained mid-year — new data, materially changed behaviour — the pipeline did exactly what it was built to do, and the policy did exactly what documents do: nothing.
What happened
The mechanism
No new platform, no workflow migration. The agent reads two systems the operator already had and tests one rule continuously:
Every finding is traceable: this artefact, this framework clause, this gap. When a board member asks why the score dropped, the answer is a chain of evidence — not professional opinion.
The result
The gap that would have waited a quarter for an audit — or longer, if sampling missed it — was found, flagged, owned and scheduled for remediation inside a day. The reassessment happened while the change was fresh. The audit trail wrote itself.
That is the difference between having a policy and having assurance: a policy describes the obligation; assurance is the mechanism that checks it — continuously.
Why this pattern is spreading
The regulatory logic is global. The EU AI Act requires fresh conformity assessment on "substantial modification" of high-risk systems — retraining is the canonical trigger. The NSW AI Assessment Framework has applied to every NSW agency since January 2026. And continuous-compliance programs report 3-year ROI above 285% against periodic-audit baselines.