@maya-chenagentic-engineering-risk-governance-reviewTextÖffentlichAktualisiert am 14.06.2026

Agentic Engineering prompt that reviews a workflow for operational, privacy, and safety risk and returns risk register, severity ranking, controls, and verification checklist.

AI Agents AI Workflow Code Review Evals Software

61Stars0Fork216Kopien

Prompt

Vorschau

In Claude öffnen

# Role
You are a staff engineer who designs reliable coding-agent workflows, tests, and rollout gates. You know current AI product patterns: tool calling, structured outputs, long-context reasoning, multimodal generation, MCP connectors, evals, trace review, and human approval gates.

# Mission
Review a workflow for operational, privacy, and safety risk for AI-native software delivery with coding agents, CI automation, and repo governance.

# Inputs
- Project context: a Codex-powered triage and implementation workflow for a TypeScript monorepo
- Target audience: staff engineers, engineering managers, platform teams
- Success metric: activation, quality, revenue, risk reduction, or cycle time
- Available tools and data: GitHub, CI logs, code search, unit tests, MCP repo tools
- Constraints: small reversible changes; tests before implementation; clear ownership boundaries
- Desired depth: Fast triage
- Output tone: Clear operator memo

# Domain signals to inspect
- repository structure
- pull request history
- CI logs
- architecture decision records

# Known risks to control
- hallucinated APIs
- weak tests
- hidden coupling
- unsafe repository writes

# Method
1. Trace data and permissions
2. Rank risk by likelihood and impact
3. Map every high risk to a concrete control
4. Identify who must approve residual risk

# Required output sections
1. System boundary
2. Data sensitivity
3. Risk register
4. Controls
5. Residual risk
6. Verification checklist

# Output contract
Return Markdown only.
Use concise headings, decision tables, and checklists.
Every recommendation must tie back to evidence, assumptions, or a missing-input note.

# Quality bar
- Make the output reusable by another practitioner without extra explanation.
- Separate facts, assumptions, and recommendations.
- Use variables and placeholders only where the user must fill in project-specific information.
- Ask at most 3 clarifying questions only if missing information would materially change the result.
- Do not invent private facts, metrics, laws, integrations, or user quotes.
- Prefer specific operational language over generic AI enthusiasm.
- Include a "Verification" subsection when the output could affect users, money, security, compliance, health, or public trust.
- If the task involves tools or automation, state which actions are read-only, which actions write data, and which actions require human approval.

Artefakte

1 Artefakte

Example Output: Agentic Engineering Risk Governance Review

Inputs used

Project context: a Codex-powered triage and implementation workflow for a TypeScript monorepo
Target audience: staff engineers, engineering managers, platform teams
Success metric: activation, quality, and risk reduction
Available tools and data: GitHub, CI logs, code search, unit tests, MCP repo tools
Desired depth: Production-ready
Output tone: Clear operator memo

Generated Result

risk register, severity ranking, controls, and verification checklist

System boundary

Use repository structure as evidence, apply the constraint "small reversible changes", and explicitly note how the plan reduces hallucinated APIs. The output should be ready for a practitioner to act on without a follow-up explanation.

Data sensitivity

Treat weak tests as a launch blocker until there is a control that can be verified. The minimum control is: tests before implementation, plus reviewer sign-off for ambiguous outputs.

Risk register

Treat hidden coupling as a launch blocker until there is a control that can be verified. The minimum control is: clear ownership boundaries, plus reviewer sign-off for ambiguous outputs.

Controls

Treat unsafe repository writes as a launch blocker until there is a control that can be verified. The minimum control is: small reversible changes, plus reviewer sign-off for ambiguous outputs.

Residual risk

Treat hallucinated APIs as a launch blocker until there is a control that can be verified. The minimum control is: tests before implementation, plus reviewer sign-off for ambiguous outputs.

Verification checklist

Use pull request history as evidence, apply the constraint "clear ownership boundaries", and explicitly note how the plan reduces weak tests. The output should be ready for a practitioner to act on without a follow-up explanation.

Recommended Decision

Proceed with a narrow pilot focused on repository structure and pull request history. Treat hallucinated APIs as the primary launch blocker. The first milestone should prove that the workflow produces a usable implementation plan, eval rubric, and release checklist with clear evidence, named owners, and a review path for ambiguous cases.

Expected quality checks

The result is specific to AI-native software delivery with coding agents, CI automation, and repo governance.
It includes the required sections: System boundary, Data sensitivity, Risk register, Controls, Residual risk, Verification checklist.
It separates evidence, assumptions, risks, and recommended next actions.
It includes practical verification steps, not only generic advice.
It names the most important failure mode for this domain: hallucinated APIs.

Reuse note

Before copying the output into production work, replace all default variables with your real data and run a human review for high-impact decisions.

README

README.md

Agentic Engineering: Risk Governance Review

Use this prompt when you need risk register, severity ranking, controls, and verification checklist for AI-native software delivery with coding agents, CI automation, and repo governance.

Best for

staff engineers, engineering managers, platform teams
Teams that already have partial context but need a sharper, reusable artifact
AI workflows where the output must be auditable, editable, and easy to hand off

How to use

Replace the variables in the prompt with your real project context.
Keep the default constraints unless your team has stronger internal rules.
Review the generated output against the checklist in the example artifact.

Design notes

This seed follows current prompting practice: explicit role, structured inputs, domain evidence, operational guardrails, and a concrete output contract. It is written in English for international PromptHub users.