AGENTS.md Template for Privacy and Data Governance Agents
This AGENTS.md template for privacy and data governance agents guides single-agent and multi-agent orchestration with a clear operating model, handoffs, and tool governance.
Target User
Developers, founders, product teams, engineering leaders
Use Cases
- Privacy policy automation
- Data governance workflow automation
- Data access governance
- Data cataloging and lineage
Overview
Direct answer: This AGENTS.md template defines a privacy and data governance operating model for AI coding agents, enabling single-agent and multi-agent orchestration with clear roles, handoffs, and governance rules.
The AGENTS.md template codifies how privacy and data governance AI coding agents coordinate, enforce data policies, and collaborate with human reviewers. It provides a project-level operating context that scales from a single agent to a multi-agent workflow, with explicit boundaries, sources of truth, and governance gates.
When to Use This AGENTS.md Template
- When you need a repeatable, auditable privacy and data governance workflow across data sources and tools
- When multiple agents must coordinate on policy drafting, data impact assessments, and policy enforcement
- When escalation to human review or compliance is required for sensitive policies
- When you want a single source of truth and a documented handoff protocol
Copyable AGENTS.md Template
Copy the template block below into AGENTS.md at the project root to establish the operating context for privacy and data governance agents.
# AGENTS.md
Project Role: Privacy and Data Governance Automation
Agent roster and responsibilities
- Planner-Agent: defines tasks, identifies policy gaps, and assigns owners
- Researcher-Agent: gathers regulatory requirements, privacy constraints, and data consent rules
- PolicyEngineer-Agent: drafts privacy policies, data retention rules, and governance standards
- DataSteward-Agent: ensures data sources, catalogs, and lineage align with governance
- Implementer-Agent: implements policy enforcement, data access controls, and automated checks
- Reviewer-Agent: reviews outputs for compliance and quality
- Auditor-Agent: performs independent checks against regulatory requirements
- Orchestrator-Agent: coordinates task distribution, handoffs, and status updates
Supervisor or orchestrator behavior
- The Orchestrator evaluates policy changes, assigns tasks to the appropriate agents, and triggers handoffs when work is complete or when approvals are required
Handoff rules between agents
- Planner to Researcher: handoffs occur when regulatory constraints must be gathered before drafting a policy
- Researcher to PolicyEngineer: handoffs occur when requirements are ready to be formalized into a policy
- PolicyEngineer to DataSteward: handoffs occur when policy text is ready and data sources must be aligned
- DataSteward to Implementer: handoffs occur when data access controls are defined and validated
- Implementer to Reviewer: handoffs occur when implementation has guardrails and tests
Context, memory, and source-of-truth rules
- Memory persists to a central knowledge base (KB) with versioned policy artifacts
- Source of Truth: policy_db, data_catalog, and policy_registry
Tool access and permission rules
- Use only approved tools: policy drafting editor, data catalog, policy engine, and access control APIs
- Secrets stored securely in a vault; do not log secrets in outputs
Architecture rules
- Monorepo with modular agent folders; events orchestrated by the Orchestrator via a message bus
File structure rules
- /ai-skills/agents-md-templates/planner
- /ai-skills/agents-md-templates/researcher
- /ai-skills/agents-md-templates/policy_engineer
- /ai-skills/agents-md-templates/data_steward
- /ai-skills/agents-md-templates/implementer
- /ai-skills/agents-md-templates/reviewer
- /ai-skills/agents-md-templates/auditor
- /ai-skills/agents-md-templates/orchestrator
- /data/policies
- /data/privacy_impacts
- /data_catalog
- /integrations
- /tests
- /docs
Data, API, or integration rules when relevant
- Only pull from approved data sources; respect retention and minimization
- Use read-only access where possible; enforce audit trails for changes
Validation rules
- All outputs must validate against policy schemas and data contracts
Security rules
- Secrets kept in vaults; no secrets in logs
Testing rules
- Unit tests for each agent; integration tests across the flow; end-to-end tests in staging
Deployment rules
- CI/CD with gated approvals; canary deployments; rollback plan
Human review and escalation rules
- Human review required for high-risk policy changes; escalation path to Data Protection Officer
Failure handling and rollback rules
- If a policy fails validation or a handoff fails, revert to last approved state and notify Orchestrator
Things Agents must not do
- Do not bypass secrets or shared data; do not modify production data; do not ignore escalation gates
Recommended Agent Operating Model
The agents operate under a defined roster with clear decision boundaries and escalation paths. Planner sets scope, Researcher clarifies constraints, PolicyEngineer formalizes rules, DataSteward aligns sources, Implementer enforces controls, Reviewer and Auditor verify compliance, and Orchestrator coordinates handoffs. Escalation paths to human review are used when policy risk exceeds thresholds.
Recommended Project Structure
Use a workflow-specific directory tree that keeps agents isolated and auditable.
project/
├── agents/
│   ├── planner/
│   │   └── README.md
│   ├── researcher/
│   ├── policy_engineer/
│   ├── data_steward/
│   ├── implementer/
│   ├── reviewer/
│   ├── tester/
│   ├── auditor/
│   └── orchestrator/
├── data/
│   ├── policies/
│   ├── privacy_impacts/
│   └── data_catalog/
├── integrations/
├── tests/
└── docs/
Core Operating Principles
- Operate with explicit scope and boundaries for each agent
- Always cite sources; memory is versioned
- Guard sensitive data and enforce data minimization
- Require human review for high-risk changes
- Prefer auditable, testable outputs
Agent Handoff and Collaboration Rules
Concrete handoff rules by role ensure smooth collaboration among planner, implementer, reviewer, tester, researcher, and domain specialists.
- Planner to Researcher: specify regulatory constraints and privacy controls to fetch
- Researcher to PolicyEngineer: deliver requirements and data policies for formalization
- PolicyEngineer to DataSteward: align policy with data sources and catalogs
- DataSteward to Implementer: finalize access controls and enforcement mechanisms
- Implementer to Reviewer: present implemented controls for validation
- Reviewer to Auditor: pass audit-ready outputs
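One way an orchestrator could enforce the handoff chain above together with the template's validation, human-review and rollback rules. This is an added example, not part of the template or of any project's code. The class and field names are hypothetical, and placing the human-review gate in front of the Implementer is an assumption.

```python
from dataclasses import dataclass, field

# Handoff chain from the role list above: each agent may pass work only to its successor.
NEXT_AGENT = {
    "planner": "researcher",
    "researcher": "policy_engineer",
    "policy_engineer": "data_steward",
    "data_steward": "implementer",
    "implementer": "reviewer",
    "reviewer": "auditor",
}

@dataclass
class PolicyChange:               # hypothetical work item, not defined by the template
    policy_id: str
    draft_version: int
    owner: str = "planner"        # agent currently holding the item
    high_risk: bool = False
    human_approved: bool = False  # set by a human reviewer, never by an agent

@dataclass
class Orchestrator:
    last_approved: dict           # policy_id -> last approved version
    audit_log: list = field(default_factory=list)

    def handoff(self, change, src, dst, validated):
        """Move `change` from src to dst, or roll back and record the reason."""
        reason = None
        if change.owner != src:
            reason = f"{src} does not own {change.policy_id}"
        elif NEXT_AGENT.get(src) != dst:
            reason = f"{src} -> {dst} is not a defined handoff"
        elif not validated:
            reason = "output failed policy schema / data contract validation"
        elif dst == "implementer" and change.high_risk and not change.human_approved:
            # Assumption: the human-review gate sits in front of enforcement.
            reason = "high-risk change lacks human approval; escalate to DPO"
        if reason:
            # Failure rule: revert to the last approved state and notify.
            change.draft_version = self.last_approved.get(change.policy_id, 0)
            self.audit_log.append(("rejected", change.policy_id, src, dst, reason))
            return False
        change.owner = dst
        self.audit_log.append(("handoff", change.policy_id, src, dst, None))
        return True
```

Every decision, accepted or rejected, lands in `audit_log`, which gives the Auditor a trail of who passed what to whom and why a handoff was refused.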
Tool Governance and Permission Rules
- Use only approved tools for policy drafting, data access, and enforcement
- Store secrets in vaults; do not log them
- Request escalation for production changes
- Enforce least privilege and keep audit trails
Code Construction Rules
- Write modular, testable code; avoid duplicate logic across agents
- Document policy rules and data contracts alongside code
- Follow data minimization and privacy-preserving techniques
Security and Production Rules
- Separate environments for dev, staging, and prod
- Apply least privilege and rotate credentials
- Encrypt sensitive data in transit and at rest
- Require approvals for production rollout
Testing Checklist
- Unit tests for each agent
- Integration tests across the flow
- End-to-end tests in staging
Common Mistakes to Avoid
- Bypassing escalation gates
- Over-contextualizing outputs
- Weak data minimization
- Ignoring data lineage and traceability
FAQ
What is an AGENTS.md template?
An AGENTS.md template is a living operating manual for project-level agent behavior, defining roles, handoffs, sources of truth, and governance for the workflow.
Who should use this template?
Developers, privacy and data governance teams, and engineering leaders should use and customize this template for their workflows.
How are agent handoffs managed?
Handoffs are defined in the template and triggered by the orchestrator when conditions are met, ensuring clear ownership and traceability.
How is data privacy protected?
Data privacy is protected through access controls, minimal data exposure, encryption, and strict secrets handling in secure storage.
How do I validate and deploy changes?
Validation occurs against data contracts and policy schemas; deployment follows CI/CD with approvals and rollbacks.