Merge branch 'main' into dependabot/npm_and_yarn/backend/npm_and_yarn-cebaad6393

Author: gstraccini[bot]

artifacts/data/compliance-matrix.csv

@@ -0,0 +1,8 @@
+framework,jurisdiction,articles_sections,opa_rules,compliance_pct,status,certification_target,last_assessment,gap_count,critical_gaps
+EU AI Act,EU,Art. 1-113,48,91.2,Active,Q4 2027 Full Compliance,2026-03-01,4,1
+NIST AI RMF,US,GOVERN MAP MEASURE MANAGE,42,89.6,Active,Continuous Alignment,2026-03-01,6,2
+ISO/IEC 42001,Global,§4-§10,38,87.4,In Progress,Q3 2027 Certification,2026-02-15,8,3
+OECD AI Principles,Global (38),Principles 1.1-1.5 2.1-2.5,22,92.8,Active,Continuous Alignment,2026-03-01,2,0
+GDPR,EU,Art. 1-99,52,94.1,Active,Continuous Compliance,2026-03-01,3,0
+FCRA/ECOA,US,§602-§625 / §701-§706,28,89.0,Active,Continuous Compliance,2026-02-15,5,1
+SR 11-7,US (Banking),§§1-15,34,94.0,Active,Continuous Compliance,2026-03-01,2,0

artifacts/data/implementation-timeline.csv

@@ -0,0 +1,43 @@
+week,phase,task,owner,hours,dependencies,artifacts,status
+1,Foundation,Provision OPA cluster (3-node HA),Platform Eng,16,None,Terraform IaC,Pending
+1,Foundation,Deploy Kafka cluster with WORM config,Platform Eng,20,None,Helm charts,Pending
+1,Foundation,Configure OpenTelemetry collectors,Platform Eng,12,None,OTEL config YAML,Pending
+1,Foundation,Set up Prometheus + Grafana,Platform Eng,8,None,Grafana dashboards JSON,Pending
+1,Foundation,Provision MLflow model registry,ML Eng,12,None,Docker Compose,Pending
+1,Foundation,Create OPA policy repository (Git),DevOps,4,None,Git repo + CI,Pending
+2,Core Policy,Implement 50 core OPA policies,AI Gov Eng,40,W1 OPA cluster,50 Rego files,Pending
+2,Core Policy,Configure OPA-Kubernetes integration,Platform Eng,16,W1 OPA cluster,Admission webhooks,Pending
+2,Core Policy,Build policy testing framework,DevOps,12,W1 Git repo,OPA test suite,Pending
+2,Core Policy,Create policy versioning workflow,DevOps,8,W1 Git repo,GitOps pipeline,Pending
+2,Core Policy,Implement Sentinel core rule engine,Platform Eng,24,W1 Infrastructure,Sentinel config,Pending
+3,Monitoring,Deploy drift detection (Evidently AI),ML Eng,16,W1 Infrastructure,Evidently config,Pending
+3,Monitoring,Configure fairness monitoring (AIF360),ML Eng,20,W1 Infrastructure,AIF360 pipelines,Pending
+3,Monitoring,Build 6-tier alert escalation,Platform Eng,12,W1 Infrastructure,PagerDuty config,Pending
+3,Monitoring,Implement audit trail pipeline,Platform Eng,16,W1 Kafka,Kafka to S3 pipeline,Pending
+3,Monitoring,Create Grafana governance dashboards,Frontend,20,W1 Grafana,Dashboard JSON,Pending
+4,CI/CD Gates,Implement 7-stage pipeline gates,DevOps,32,W2 OPA policies,Jenkins/GitLab CI config,Pending
+4,CI/CD Gates,Build model registry integration,ML Eng,16,W1 MLflow,MLflow plugins,Pending
+4,CI/CD Gates,Create deployment approval workflows,DevOps + AI Gov,12,W2 OPA,Jira + OPA integration,Pending
+4,CI/CD Gates,Implement canary deployment governance,Platform Eng,16,W2 Sentinel,ArgoCD config,Pending
+4,CI/CD Gates,Build rollback automation,Platform Eng,12,W4 Canary,Rollback scripts,Pending
+5,Agent Governance,Deploy EAIP gRPC mesh,Platform Eng,24,W1 Infrastructure,Proto files + config,Pending
+5,Agent Governance,Implement SPIFFE/SPIRE identity,Security Eng,20,W1 Infrastructure,SPIRE config,Pending
+5,Agent Governance,Build agent behavioral sidecars,AI Safety Eng,24,W2 Sentinel,Sidecar containers,Pending
+5,Agent Governance,Implement kill-switch (triple redundant),Platform Eng,16,W5 SPIFFE,Kill-switch service,Pending
+5,Agent Governance,Configure agent spawn controls,AI Safety Eng,12,W2 OPA,OPA agent policies,Pending
+6,Financial Services,Implement SR 11-7 OPA policies,AI Gov Eng,24,W2 OPA,34 Rego files,Pending
+6,Financial Services,Build adverse action notice generator,ML Eng,20,W4 Model registry,FCRA §615 templates,Pending
+6,Financial Services,Configure credit scoring bias monitoring,ML Eng,16,W3 AIF360,DI/EOD/SPD dashboards,Pending
+6,Financial Services,Create model validation workflow,Model Risk,12,W4 Approval workflows,Validation templates,Pending
+6,Financial Services,Implement SHAP/LIME explainability,ML Eng,16,W4 Model registry,Explanation service,Pending
+7,Dashboard,Build board KPI dashboard,Frontend,24,W3 Grafana,Next.js + D3.js,Pending
+7,Dashboard,Create C-suite operational dashboard,Frontend,20,W3 Grafana,Dashboard components,Pending
+7,Dashboard,Implement regulatory reporting automation,AI Gov Eng,16,W6 Compliance,Report templates,Pending
+7,Dashboard,Build RAG governance dashboard,Frontend,16,W3 Monitoring,RAG metrics panels,Pending
+7,Dashboard,Create audit evidence bundle generator,DevOps,12,W3 Audit trail,Evidence scripts,Pending
+8,Go-Live,End-to-end governance pipeline testing,QA + AI Gov,24,W1-W7 All,Test reports,Pending
+8,Go-Live,Crisis simulation (SIM-1) execution,All Stakeholders,8,W7 Dashboard,Simulation report,Pending
+8,Go-Live,Performance and load testing,Platform Eng,16,W1-W7 All,Performance report,Pending
+8,Go-Live,Security penetration test,Security Eng,16,W5 SPIFFE,Pen test report,Pending
+8,Go-Live,Documentation and runbook completion,AI Gov + DevOps,12,W1-W7 All,Runbooks SOPs,Pending
+8,Go-Live,Go-live sign-off and board briefing,CAIO + Board,4,W8 Testing,Sign-off document,Pending

artifacts/data/risk-register.csv

@@ -0,0 +1,11 @@
+risk_id,risk_name,category,likelihood,impact,score,severity,mitigation,owner,status,framework_alignment,last_review,next_review
+R-001,EU AI Act non-compliance fine (up to 7% global turnover),Regulatory,Medium,Critical,HIGH,Critical,OPA rules Sentinel monitoring legal review,VP AI Governance,MITIGATING,EU AI Act Art. 71-72,2026-03-15,2026-06-15
+R-002,Autonomous agent causes financial loss >$10M,Operational,Medium,Critical,HIGH,Critical,Kill-switch behavioral sidecar scope limits,VP AI Safety,MITIGATING,Internal + EAIP,2026-03-15,2026-06-15
+R-003,AI model bias results in class action lawsuit,Legal,Medium,High,HIGH,High,Fairness testing DI monitoring FCRA/ECOA compliance,CRO,MITIGATING,FCRA §607 ECOA §701,2026-03-15,2026-06-15
+R-004,Data breach via AI system (PII exposure),Security,Medium,High,HIGH,High,DLP PII scanning encryption GDPR controls,CISO,MITIGATING,GDPR Art. 32-34,2026-03-15,2026-06-15
+R-005,Model hallucination in critical decision path,Operational,High,High,CRITICAL,Critical,RAG grounding confidence thresholds human review,VP AI Governance,MITIGATING,NIST AI RMF MEASURE,2026-03-15,2026-04-15
+R-006,Third-party AI model supply chain compromise,Security,Medium,High,HIGH,High,Vendor assessment model provenance sandboxing,CISO,MITIGATING,ISO/IEC 42001 §8,2026-03-15,2026-06-15
+R-007,AGI capability emergence (uncontrolled),Safety,Low,Catastrophic,HIGH,Critical,Containment protocols GASCF certification kill-switch,VP AI Safety,MONITORING,GASCF + Internal,2026-03-15,2026-06-15
+R-008,Regulatory fragmentation increases compliance cost >30%,Strategic,High,Medium,HIGH,Medium,Multi-regime OPA framework regulatory engagement,General Counsel,MITIGATING,All frameworks,2026-03-15,2026-06-15
+R-009,Compute resource exhaustion or denial of service,Operational,Medium,Medium,MEDIUM,Medium,Quotas autoscaling multi-cloud redundancy,CTO,MITIGATING,OECD Principle 1.2,2026-03-15,2026-09-15
+R-010,Competitive AI governance disadvantage,Strategic,Medium,Medium,MEDIUM,Medium,Accelerated governance program ISO certification,CTO/CRO,MITIGATING,ISO/IEC 42001,2026-03-15,2026-09-15

artifacts/policies/eu_ai_act_high_risk.rego

@@ -0,0 +1,74 @@
+# AGMB-GSIFI-WP-016 — EU AI Act High-Risk Classification Policy
+# Policy Group: ai-risk-classification (28 rules)
+# Regulatory Alignment: EU AI Act Art. 6, Art. 9-15, Annex III
+
+package ai.governance.eu_ai_act
+
+import future.keywords.in
+
+default high_risk = false
+default compliant = false
+
+# High-risk system categories per Annex III
+high_risk_categories := [
+    "credit_scoring", "employment_screening",
+    "biometric_identification", "critical_infrastructure",
+    "education_assessment", "law_enforcement",
+    "migration_asylum", "democratic_process",
+    "insurance_pricing", "judicial_assistance"
+]
+
+high_risk {
+    input.system.category in high_risk_categories
+}
+
+high_risk {
+    input.system.eu_ai_act_annex_iii == true
+}
+
+# Compliance checks for high-risk systems
+compliant {
+    high_risk
+    input.documentation.technical_file_complete == true
+    input.system.human_oversight_mechanism == true
+    input.system.risk_management_system == true
+    input.system.data_governance_measures == true
+    input.system.transparency_provisions == true
+    input.system.accuracy_robustness_cybersecurity == true
+    input.system.bias_di >= 0.80
+}
+
+compliant {
+    not high_risk
+}
+
+# Denial rules
+deny[msg] {
+    high_risk
+    not input.documentation.technical_file_complete
+    msg := sprintf("EU-AI-ACT-001: System %v classified HIGH-RISK requires complete technical documentation (Art. 11)", [input.system.id])
+}
+
+deny[msg] {
+    high_risk
+    not input.system.human_oversight_mechanism
+    msg := sprintf("EU-AI-ACT-002: System %v classified HIGH-RISK requires human oversight mechanism (Art. 14)", [input.system.id])
+}
+
+deny[msg] {
+    high_risk
+    not input.system.risk_management_system
+    msg := sprintf("EU-AI-ACT-003: System %v classified HIGH-RISK requires risk management system (Art. 9)", [input.system.id])
+}
+
+deny[msg] {
+    high_risk
+    input.system.bias_di < 0.80
+    msg := sprintf("FCRA-ECOA-001: System %v disparate impact ratio %.2f below 0.80 threshold", [input.system.id, input.system.bias_di])
+}
+
+deny[msg] {
+    high_risk
+    not input.documentation.dpia_complete
+    msg := sprintf("GDPR-035-001: System %v HIGH-RISK requires Data Protection Impact Assessment (GDPR Art. 35)", [input.system.id])
+}

artifacts/policies/sr_11_7_model_validation.rego

@@ -0,0 +1,53 @@
+# AGMB-GSIFI-WP-016 — SR 11-7 Model Risk Management Policy
+# Policy Group: financial-services (28 rules)
+# Regulatory Alignment: SR 11-7 §§1-15, FCRA §607/§615, ECOA §701-§706
+
+package ai.governance.sr_11_7
+
+default model_approved = false
+default validation_current = false
+
+# Model approval requires all validation steps
+model_approved {
+    input.model.validation.independent_review == true
+    input.model.validation.challenger_model_tested == true
+    input.model.documentation.model_card_complete == true
+    input.model.monitoring.ongoing_validation_schedule != null
+    input.model.risk_tier != "unvalidated"
+    validation_current
+}
+
+# Validation is current if within 12 months
+validation_current {
+    input.model.validation.last_validation_date != null
+    time.now_ns() - time.parse_rfc3339_ns(input.model.validation.last_validation_date) < 365 * 24 * 60 * 60 * 1000000000
+}
+
+deny[msg] {
+    input.model.risk_tier == "high"
+    not input.model.validation.second_line_review
+    msg := sprintf("SR117-001: High-risk model %v requires 2nd-line independent validation (SR 11-7 §4)", [input.model.id])
+}
+
+deny[msg] {
+    input.model.risk_tier == "high"
+    not input.model.validation.challenger_model_tested
+    msg := sprintf("SR117-002: High-risk model %v requires challenger model testing (SR 11-7 §5)", [input.model.id])
+}
+
+deny[msg] {
+    not input.model.documentation.model_card_complete
+    msg := sprintf("SR117-003: Model %v requires complete model card documentation (SR 11-7 §7)", [input.model.id])
+}
+
+deny[msg] {
+    input.model.category == "credit_scoring"
+    not input.model.fairness.adverse_action_codes_enabled
+    msg := sprintf("FCRA-615: Credit scoring model %v must generate adverse action reason codes (FCRA §615(a))", [input.model.id])
+}
+
+deny[msg] {
+    input.model.category == "credit_scoring"
+    input.model.fairness.disparate_impact < 0.80
+    msg := sprintf("ECOA-701: Credit scoring model %v disparate impact %.2f violates equal opportunity (ECOA §701)", [input.model.id, input.model.fairness.disparate_impact])
+}

artifacts/schemas/ai-system-registration.schema.json

@@ -0,0 +1,100 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://governance.enterprise.ai/schemas/ai-system-registration/v1.0.0",
+  "title": "AI System Registration Schema — AGMB-GSIFI-WP-016",
+  "description": "JSON Schema for registering AI systems under the AGI Governance Master Blueprint. Aligned with EU AI Act Art. 51, ISO/IEC 42001 §7, and NIST AI RMF.",
+  "type": "object",
+  "required": ["systemId", "name", "version", "owner", "riskClassification", "regulatoryScope", "deployment"],
+  "properties": {
+    "systemId": { "type": "string", "pattern": "^AIS-[A-Z0-9]{3}-[0-9]{4}$", "description": "Unique AI system identifier" },
+    "name": { "type": "string", "minLength": 3, "maxLength": 200 },
+    "version": { "type": "string", "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$" },
+    "description": { "type": "string", "maxLength": 2000 },
+    "owner": {
+      "type": "object",
+      "required": ["name", "role", "department"],
+      "properties": {
+        "name": { "type": "string" },
+        "role": { "type": "string" },
+        "department": { "type": "string" },
+        "email": { "type": "string", "format": "email" }
+      }
+    },
+    "riskClassification": {
+      "type": "object",
+      "required": ["euAiActTier", "internalRiskScore"],
+      "properties": {
+        "euAiActTier": { "type": "string", "enum": ["unacceptable", "high", "limited", "minimal"] },
+        "euAiActAnnexIII": { "type": "boolean", "default": false },
+        "nistProfile": { "type": "string" },
+        "internalRiskScore": { "type": "number", "minimum": 0, "maximum": 100 },
+        "sr117Applicable": { "type": "boolean", "default": false },
+        "fcraApplicable": { "type": "boolean", "default": false }
+      }
+    },
+    "regulatoryScope": {
+      "type": "array",
+      "items": { "type": "string", "enum": ["EU_AI_ACT", "NIST_AI_RMF", "ISO_42001", "OECD_AI", "GDPR", "FCRA_ECOA", "SR_11_7"] },
+      "minItems": 1
+    },
+    "deployment": {
+      "type": "object",
+      "required": ["environment", "region", "status"],
+      "properties": {
+        "environment": { "type": "string", "enum": ["development", "staging", "production"] },
+        "region": { "type": "array", "items": { "type": "string" } },
+        "status": { "type": "string", "enum": ["draft", "pending_review", "approved", "deployed", "deprecated", "retired"] },
+        "deployDate": { "type": "string", "format": "date" },
+        "lastAuditDate": { "type": "string", "format": "date" },
+        "nextAuditDate": { "type": "string", "format": "date" }
+      }
+    },
+    "autonomyLevel": { "type": "integer", "minimum": 0, "maximum": 5, "description": "L0 Tool to L5 Self-multiplying" },
+    "agentCapabilities": {
+      "type": "object",
+      "properties": {
+        "canSpawnSubAgents": { "type": "boolean", "default": false },
+        "maxSubAgents": { "type": "integer", "minimum": 0, "maximum": 10 },
+        "maxSpawnDepth": { "type": "integer", "minimum": 0, "maximum": 3 },
+        "maxLifetimeHours": { "type": "number", "minimum": 0, "maximum": 24 },
+        "killSwitchType": { "type": "string", "enum": ["none", "software", "software_hardware", "triple_redundant"] }
+      }
+    },
+    "modelDetails": {
+      "type": "object",
+      "properties": {
+        "architecture": { "type": "string" },
+        "parameters": { "type": "string" },
+        "trainingDataCutoff": { "type": "string", "format": "date" },
+        "biasMetrics": {
+          "type": "object",
+          "properties": {
+            "disparateImpact": { "type": "number", "minimum": 0, "maximum": 1 },
+            "equalizedOddsDiff": { "type": "number", "minimum": 0, "maximum": 1 },
+            "statisticalParityDiff": { "type": "number", "minimum": -1, "maximum": 1 }
+          }
+        },
+        "explainabilityMethod": { "type": "string", "enum": ["SHAP", "LIME", "attention_maps", "counterfactual", "other"] }
+      }
+    },
+    "documentation": {
+      "type": "object",
+      "properties": {
+        "modelCardComplete": { "type": "boolean" },
+        "technicalFileComplete": { "type": "boolean" },
+        "dpiaComplete": { "type": "boolean" },
+        "validationReportComplete": { "type": "boolean" }
+      }
+    },
+    "monitoring": {
+      "type": "object",
+      "properties": {
+        "driftDetectionEnabled": { "type": "boolean" },
+        "fairnessMonitoringEnabled": { "type": "boolean" },
+        "sentinelRuleCount": { "type": "integer", "minimum": 0 },
+        "opaRuleCount": { "type": "integer", "minimum": 0 },
+        "alertEscalationTier": { "type": "integer", "minimum": 0, "maximum": 5 }
+      }
+    }
+  }
+}