feat(AGMB-GSIFI-WP-016): AGI Governance Master Blueprint + fix PMR metadata endpoint #49
Merged
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| framework,jurisdiction,articles_sections,opa_rules,compliance_pct,status,certification_target,last_assessment,gap_count,critical_gaps | ||
| EU AI Act,EU,Art. 1-113,48,91.2,Active,Q4 2027 Full Compliance,2026-03-01,4,1 | ||
| NIST AI RMF,US,GOVERN MAP MEASURE MANAGE,42,89.6,Active,Continuous Alignment,2026-03-01,6,2 | ||
| ISO/IEC 42001,Global,§4-§10,38,87.4,In Progress,Q3 2027 Certification,2026-02-15,8,3 | ||
| OECD AI Principles,Global (38),Principles 1.1-1.5 2.1-2.5,22,92.8,Active,Continuous Alignment,2026-03-01,2,0 | ||
| GDPR,EU,Art. 1-99,52,94.1,Active,Continuous Compliance,2026-03-01,3,0 | ||
| FCRA/ECOA,US,§602-§625 / §701-§706,28,89.0,Active,Continuous Compliance,2026-02-15,5,1 | ||
| SR 11-7,US (Banking),§§1-15,34,94.0,Active,Continuous Compliance,2026-03-01,2,0 |
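Review bot: Several columns in this matrix pack more than one value into a single field, which makes the file hard to validate or join against the policy code: `articles_sections` holds space-separated lists (`GOVERN MAP MEASURE MANAGE`, `Principles 1.1-1.5 2.1-2.5`) and `jurisdiction` embeds a count in `Global (38)`. The `compliance_pct`, `gap_count` and `critical_gaps` figures are also committed as literals with nothing in the file pointing to the assessment or evidence they came from. Suggest a defined list separator, a separate column for the member count, and a reference column (assessment id or evidence path) beside the percentages.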
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| week,phase,task,owner,hours,dependencies,artifacts,status | ||
| 1,Foundation,Provision OPA cluster (3-node HA),Platform Eng,16,None,Terraform IaC,Pending | ||
| 1,Foundation,Deploy Kafka cluster with WORM config,Platform Eng,20,None,Helm charts,Pending | ||
| 1,Foundation,Configure OpenTelemetry collectors,Platform Eng,12,None,OTEL config YAML,Pending | ||
| 1,Foundation,Set up Prometheus + Grafana,Platform Eng,8,None,Grafana dashboards JSON,Pending | ||
| 1,Foundation,Provision MLflow model registry,ML Eng,12,None,Docker Compose,Pending | ||
| 1,Foundation,Create OPA policy repository (Git),DevOps,4,None,Git repo + CI,Pending | ||
| 2,Core Policy,Implement 50 core OPA policies,AI Gov Eng,40,W1 OPA cluster,50 Rego files,Pending | ||
| 2,Core Policy,Configure OPA-Kubernetes integration,Platform Eng,16,W1 OPA cluster,Admission webhooks,Pending | ||
| 2,Core Policy,Build policy testing framework,DevOps,12,W1 Git repo,OPA test suite,Pending | ||
| 2,Core Policy,Create policy versioning workflow,DevOps,8,W1 Git repo,GitOps pipeline,Pending | ||
| 2,Core Policy,Implement Sentinel core rule engine,Platform Eng,24,W1 Infrastructure,Sentinel config,Pending | ||
| 3,Monitoring,Deploy drift detection (Evidently AI),ML Eng,16,W1 Infrastructure,Evidently config,Pending | ||
| 3,Monitoring,Configure fairness monitoring (AIF360),ML Eng,20,W1 Infrastructure,AIF360 pipelines,Pending | ||
| 3,Monitoring,Build 6-tier alert escalation,Platform Eng,12,W1 Infrastructure,PagerDuty config,Pending | ||
| 3,Monitoring,Implement audit trail pipeline,Platform Eng,16,W1 Kafka,Kafka to S3 pipeline,Pending | ||
| 3,Monitoring,Create Grafana governance dashboards,Frontend,20,W1 Grafana,Dashboard JSON,Pending | ||
| 4,CI/CD Gates,Implement 7-stage pipeline gates,DevOps,32,W2 OPA policies,Jenkins/GitLab CI config,Pending | ||
| 4,CI/CD Gates,Build model registry integration,ML Eng,16,W1 MLflow,MLflow plugins,Pending | ||
| 4,CI/CD Gates,Create deployment approval workflows,DevOps + AI Gov,12,W2 OPA,Jira + OPA integration,Pending | ||
| 4,CI/CD Gates,Implement canary deployment governance,Platform Eng,16,W2 Sentinel,ArgoCD config,Pending | ||
| 4,CI/CD Gates,Build rollback automation,Platform Eng,12,W4 Canary,Rollback scripts,Pending | ||
| 5,Agent Governance,Deploy EAIP gRPC mesh,Platform Eng,24,W1 Infrastructure,Proto files + config,Pending | ||
| 5,Agent Governance,Implement SPIFFE/SPIRE identity,Security Eng,20,W1 Infrastructure,SPIRE config,Pending | ||
| 5,Agent Governance,Build agent behavioral sidecars,AI Safety Eng,24,W2 Sentinel,Sidecar containers,Pending | ||
| 5,Agent Governance,Implement kill-switch (triple redundant),Platform Eng,16,W5 SPIFFE,Kill-switch service,Pending | ||
| 5,Agent Governance,Configure agent spawn controls,AI Safety Eng,12,W2 OPA,OPA agent policies,Pending | ||
| 6,Financial Services,Implement SR 11-7 OPA policies,AI Gov Eng,24,W2 OPA,34 Rego files,Pending | ||
| 6,Financial Services,Build adverse action notice generator,ML Eng,20,W4 Model registry,FCRA §615 templates,Pending | ||
| 6,Financial Services,Configure credit scoring bias monitoring,ML Eng,16,W3 AIF360,DI/EOD/SPD dashboards,Pending | ||
| 6,Financial Services,Create model validation workflow,Model Risk,12,W4 Approval workflows,Validation templates,Pending | ||
| 6,Financial Services,Implement SHAP/LIME explainability,ML Eng,16,W4 Model registry,Explanation service,Pending | ||
| 7,Dashboard,Build board KPI dashboard,Frontend,24,W3 Grafana,Next.js + D3.js,Pending | ||
| 7,Dashboard,Create C-suite operational dashboard,Frontend,20,W3 Grafana,Dashboard components,Pending | ||
| 7,Dashboard,Implement regulatory reporting automation,AI Gov Eng,16,W6 Compliance,Report templates,Pending | ||
| 7,Dashboard,Build RAG governance dashboard,Frontend,16,W3 Monitoring,RAG metrics panels,Pending | ||
| 7,Dashboard,Create audit evidence bundle generator,DevOps,12,W3 Audit trail,Evidence scripts,Pending | ||
| 8,Go-Live,End-to-end governance pipeline testing,QA + AI Gov,24,W1-W7 All,Test reports,Pending | ||
| 8,Go-Live,Crisis simulation (SIM-1) execution,All Stakeholders,8,W7 Dashboard,Simulation report,Pending | ||
| 8,Go-Live,Performance and load testing,Platform Eng,16,W1-W7 All,Performance report,Pending | ||
| 8,Go-Live,Security penetration test,Security Eng,16,W5 SPIFFE,Pen test report,Pending | ||
| 8,Go-Live,Documentation and runbook completion,AI Gov + DevOps,12,W1-W7 All,Runbooks SOPs,Pending | ||
| 8,Go-Live,Go-live sign-off and board briefing,CAIO + Board,4,W8 Testing,Sign-off document,Pending |
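Review bot: The week-8 `Security penetration test` row is budgeted at 16 hours, depends only on `W5 SPIFFE`, and sits in the same week as `Go-live sign-off and board briefing`, with no row for remediating or retesting findings before sign-off. Suggest widening its dependencies to the other security-relevant deliverables in this plan (kill-switch, OPA-Kubernetes admission webhooks, CI/CD gates), scheduling it before week 8 or adding an explicit remediation task, and making sign-off depend on the pen test by name rather than on `W8 Testing`. The dependency labels are free text (`W1 Infrastructure`, `W4 Canary`, `W1-W7 All`) that match no task name exactly, so they cannot be checked mechanically; a task id column would fix that.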
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| risk_id,risk_name,category,likelihood,impact,score,severity,mitigation,owner,status,framework_alignment,last_review,next_review | ||
| R-001,EU AI Act non-compliance fine (up to 7% global turnover),Regulatory,Medium,Critical,HIGH,Critical,OPA rules Sentinel monitoring legal review,VP AI Governance,MITIGATING,EU AI Act Art. 71-72,2026-03-15,2026-06-15 | ||
| R-002,Autonomous agent causes financial loss >$10M,Operational,Medium,Critical,HIGH,Critical,Kill-switch behavioral sidecar scope limits,VP AI Safety,MITIGATING,Internal + EAIP,2026-03-15,2026-06-15 | ||
| R-003,AI model bias results in class action lawsuit,Legal,Medium,High,HIGH,High,Fairness testing DI monitoring FCRA/ECOA compliance,CRO,MITIGATING,FCRA §607 ECOA §701,2026-03-15,2026-06-15 | ||
| R-004,Data breach via AI system (PII exposure),Security,Medium,High,HIGH,High,DLP PII scanning encryption GDPR controls,CISO,MITIGATING,GDPR Art. 32-34,2026-03-15,2026-06-15 | ||
| R-005,Model hallucination in critical decision path,Operational,High,High,CRITICAL,Critical,RAG grounding confidence thresholds human review,VP AI Governance,MITIGATING,NIST AI RMF MEASURE,2026-03-15,2026-04-15 | ||
| R-006,Third-party AI model supply chain compromise,Security,Medium,High,HIGH,High,Vendor assessment model provenance sandboxing,CISO,MITIGATING,ISO/IEC 42001 §8,2026-03-15,2026-06-15 | ||
| R-007,AGI capability emergence (uncontrolled),Safety,Low,Catastrophic,HIGH,Critical,Containment protocols GASCF certification kill-switch,VP AI Safety,MONITORING,GASCF + Internal,2026-03-15,2026-06-15 | ||
| R-008,Regulatory fragmentation increases compliance cost >30%,Strategic,High,Medium,HIGH,Medium,Multi-regime OPA framework regulatory engagement,General Counsel,MITIGATING,All frameworks,2026-03-15,2026-06-15 | ||
| R-009,Compute resource exhaustion or denial of service,Operational,Medium,Medium,MEDIUM,Medium,Quotas autoscaling multi-cloud redundancy,CTO,MITIGATING,OECD Principle 1.2,2026-03-15,2026-09-15 | ||
| R-010,Competitive AI governance disadvantage,Strategic,Medium,Medium,MEDIUM,Medium,Accelerated governance program ISO certification,CTO/CRO,MITIGATING,ISO/IEC 42001,2026-03-15,2026-09-15 |
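Review bot: The `score` and `severity` columns do not follow one rule across rows. R-005 (High likelihood, High impact) is scored `CRITICAL` while R-001 and R-002 (Medium likelihood, Critical impact) are scored `HIGH`; R-008 has score `HIGH` but severity `Medium`; and R-007 uses an impact value, `Catastrophic`, that no other row uses. Suggest documenting the likelihood/impact matrix and the allowed values for each column, and either deriving `score` from the two inputs or dropping one of `score`/`severity`. The `mitigation` field also runs several controls together with spaces (`DLP PII scanning encryption GDPR controls`), so the individual controls cannot be separated reliably.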
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| # AGMB-GSIFI-WP-016 — EU AI Act High-Risk Classification Policy | ||
| # Policy Group: ai-risk-classification (28 rules) | ||
| # Regulatory Alignment: EU AI Act Art. 6, Art. 9-15, Annex III | ||
|
|
||
| package ai.governance.eu_ai_act | ||
|
|
||
| import future.keywords.in | ||
|
|
||
| default high_risk = false | ||
| default compliant = false | ||
|
|
||
| # High-risk system categories per Annex III | ||
| high_risk_categories := [ | ||
| "credit_scoring", "employment_screening", | ||
| "biometric_identification", "critical_infrastructure", | ||
| "education_assessment", "law_enforcement", | ||
| "migration_asylum", "democratic_process", | ||
| "insurance_pricing", "judicial_assistance" | ||
| ] | ||
|
|
||
| high_risk { | ||
| input.system.category in high_risk_categories | ||
| } | ||
|
|
||
| high_risk { | ||
| input.system.eu_ai_act_annex_iii == true | ||
| } | ||
|
|
||
| # Compliance checks for high-risk systems | ||
| compliant { | ||
| high_risk | ||
| input.documentation.technical_file_complete == true | ||
| input.system.human_oversight_mechanism == true | ||
| input.system.risk_management_system == true | ||
| input.system.data_governance_measures == true | ||
| input.system.transparency_provisions == true | ||
| input.system.accuracy_robustness_cybersecurity == true | ||
| input.system.bias_di >= 0.80 | ||
| } | ||
|
|
||
| compliant { | ||
| not high_risk | ||
| } | ||
|
|
||
| # Denial rules | ||
| deny[msg] { | ||
| high_risk | ||
| not input.documentation.technical_file_complete | ||
| msg := sprintf("EU-AI-ACT-001: System %v classified HIGH-RISK requires complete technical documentation (Art. 11)", [input.system.id]) | ||
| } | ||
|
|
||
| deny[msg] { | ||
| high_risk | ||
| not input.system.human_oversight_mechanism | ||
| msg := sprintf("EU-AI-ACT-002: System %v classified HIGH-RISK requires human oversight mechanism (Art. 14)", [input.system.id]) | ||
| } | ||
|
|
||
| deny[msg] { | ||
| high_risk | ||
| not input.system.risk_management_system | ||
| msg := sprintf("EU-AI-ACT-003: System %v classified HIGH-RISK requires risk management system (Art. 9)", [input.system.id]) | ||
| } | ||
|
|
||
| deny[msg] { | ||
| high_risk | ||
| input.system.bias_di < 0.80 | ||
| msg := sprintf("FCRA-ECOA-001: System %v disparate impact ratio %.2f below 0.80 threshold", [input.system.id, input.system.bias_di]) | ||
| } | ||
|
|
||
| deny[msg] { | ||
| high_risk | ||
| not input.documentation.dpia_complete | ||
| msg := sprintf("GDPR-035-001: System %v HIGH-RISK requires Data Protection Impact Assessment (GDPR Art. 35)", [input.system.id]) | ||
| } | ||
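Review bot: Every `deny` rule in this file fails open on missing input. Each message interpolates `input.system.id`, so when `system.id` is absent the rule body is undefined and no message is produced; likewise `input.system.bias_di < 0.80` is undefined when `bias_di` is absent, so a high-risk system that omits the metric never raises FCRA-ECOA-001. Suggest explicit denies for absent fields (for example bodies built on `not input.system.id` and `not input.system.bias_di`) and a fallback identifier in the messages. The `deny` set also does not mirror `compliant`: there is no deny for `data_governance_measures`, `transparency_provisions` or `accuracy_robustness_cybersecurity`, while `dpia_complete` is denied on but not required by `compliant`, so the two results can disagree for the same input.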
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| # AGMB-GSIFI-WP-016 — SR 11-7 Model Risk Management Policy | ||
| # Policy Group: financial-services (28 rules) | ||
| # Regulatory Alignment: SR 11-7 §§1-15, FCRA §607/§615, ECOA §701-§706 | ||
|
|
||
| package ai.governance.sr_11_7 | ||
|
|
||
| default model_approved = false | ||
| default validation_current = false | ||
|
|
||
| # Model approval requires all validation steps | ||
| model_approved { | ||
| input.model.validation.independent_review == true | ||
| input.model.validation.challenger_model_tested == true | ||
| input.model.documentation.model_card_complete == true | ||
| input.model.monitoring.ongoing_validation_schedule != null | ||
| input.model.risk_tier != "unvalidated" | ||
| validation_current | ||
| } | ||
|
|
||
| # Validation is current if within 12 months | ||
| validation_current { | ||
| input.model.validation.last_validation_date != null | ||
| time.now_ns() - time.parse_rfc3339_ns(input.model.validation.last_validation_date) < 365 * 24 * 60 * 60 * 1000000000 | ||
| } | ||
|
|
||
| deny[msg] { | ||
| input.model.risk_tier == "high" | ||
| not input.model.validation.second_line_review | ||
| msg := sprintf("SR117-001: High-risk model %v requires 2nd-line independent validation (SR 11-7 §4)", [input.model.id]) | ||
| } | ||
|
|
||
| deny[msg] { | ||
| input.model.risk_tier == "high" | ||
| not input.model.validation.challenger_model_tested | ||
| msg := sprintf("SR117-002: High-risk model %v requires challenger model testing (SR 11-7 §5)", [input.model.id]) | ||
| } | ||
|
|
||
| deny[msg] { | ||
| not input.model.documentation.model_card_complete | ||
| msg := sprintf("SR117-003: Model %v requires complete model card documentation (SR 11-7 §7)", [input.model.id]) | ||
| } | ||
|
|
||
| deny[msg] { | ||
| input.model.category == "credit_scoring" | ||
| not input.model.fairness.adverse_action_codes_enabled | ||
| msg := sprintf("FCRA-615: Credit scoring model %v must generate adverse action reason codes (FCRA §615(a))", [input.model.id]) | ||
| } | ||
|
|
||
| deny[msg] { | ||
| input.model.category == "credit_scoring" | ||
| input.model.fairness.disparate_impact < 0.80 | ||
| msg := sprintf("ECOA-701: Credit scoring model %v disparate impact %.2f violates equal opportunity (ECOA §701)", [input.model.id, input.model.fairness.disparate_impact]) | ||
| } |
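Review bot: `validation_current` accepts a `last_validation_date` in the future: the difference `time.now_ns() - time.parse_rfc3339_ns(...)` is then negative and passes the `< 365 * 24 * 60 * 60 * 1000000000` comparison, so a mistyped or forward-dated timestamp keeps a model current until a year after that date. Suggest also requiring the difference to be `>= 0`. Separately, `model_approved` references neither `deny` nor `second_line_review`, so a model with `risk_tier == "high"` and no second-line review can be approved while SR117-001 is raised for it; and both high-tier denies match the exact string `"high"`, so any other spelling of the tier skips them. An allowlist of tier values, with a deny for anything outside it, would close that gap.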
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,100 @@ | ||
| { | ||
| "$schema": "https://json-schema.org/draft/2020-12/schema", | ||
| "$id": "https://governance.enterprise.ai/schemas/ai-system-registration/v1.0.0", | ||
| "title": "AI System Registration Schema — AGMB-GSIFI-WP-016", | ||
| "description": "JSON Schema for registering AI systems under the AGI Governance Master Blueprint. Aligned with EU AI Act Art. 51, ISO/IEC 42001 §7, and NIST AI RMF.", | ||
| "type": "object", | ||
| "required": ["systemId", "name", "version", "owner", "riskClassification", "regulatoryScope", "deployment"], | ||
| "properties": { | ||
| "systemId": { "type": "string", "pattern": "^AIS-[A-Z0-9]{3}-[0-9]{4}$", "description": "Unique AI system identifier" }, | ||
| "name": { "type": "string", "minLength": 3, "maxLength": 200 }, | ||
| "version": { "type": "string", "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$" }, | ||
| "description": { "type": "string", "maxLength": 2000 }, | ||
| "owner": { | ||
| "type": "object", | ||
| "required": ["name", "role", "department"], | ||
| "properties": { | ||
| "name": { "type": "string" }, | ||
| "role": { "type": "string" }, | ||
| "department": { "type": "string" }, | ||
| "email": { "type": "string", "format": "email" } | ||
| } | ||
| }, | ||
| "riskClassification": { | ||
| "type": "object", | ||
| "required": ["euAiActTier", "internalRiskScore"], | ||
| "properties": { | ||
| "euAiActTier": { "type": "string", "enum": ["unacceptable", "high", "limited", "minimal"] }, | ||
| "euAiActAnnexIII": { "type": "boolean", "default": false }, | ||
| "nistProfile": { "type": "string" }, | ||
| "internalRiskScore": { "type": "number", "minimum": 0, "maximum": 100 }, | ||
| "sr117Applicable": { "type": "boolean", "default": false }, | ||
| "fcraApplicable": { "type": "boolean", "default": false } | ||
| } | ||
| }, | ||
| "regulatoryScope": { | ||
| "type": "array", | ||
| "items": { "type": "string", "enum": ["EU_AI_ACT", "NIST_AI_RMF", "ISO_42001", "OECD_AI", "GDPR", "FCRA_ECOA", "SR_11_7"] }, | ||
| "minItems": 1 | ||
| }, | ||
| "deployment": { | ||
| "type": "object", | ||
| "required": ["environment", "region", "status"], | ||
| "properties": { | ||
| "environment": { "type": "string", "enum": ["development", "staging", "production"] }, | ||
| "region": { "type": "array", "items": { "type": "string" } }, | ||
| "status": { "type": "string", "enum": ["draft", "pending_review", "approved", "deployed", "deprecated", "retired"] }, | ||
| "deployDate": { "type": "string", "format": "date" }, | ||
| "lastAuditDate": { "type": "string", "format": "date" }, | ||
| "nextAuditDate": { "type": "string", "format": "date" } | ||
| } | ||
| }, | ||
| "autonomyLevel": { "type": "integer", "minimum": 0, "maximum": 5, "description": "L0 Tool to L5 Self-multiplying" }, | ||
| "agentCapabilities": { | ||
| "type": "object", | ||
| "properties": { | ||
| "canSpawnSubAgents": { "type": "boolean", "default": false }, | ||
| "maxSubAgents": { "type": "integer", "minimum": 0, "maximum": 10 }, | ||
| "maxSpawnDepth": { "type": "integer", "minimum": 0, "maximum": 3 }, | ||
| "maxLifetimeHours": { "type": "number", "minimum": 0, "maximum": 24 }, | ||
| "killSwitchType": { "type": "string", "enum": ["none", "software", "software_hardware", "triple_redundant"] } | ||
| } | ||
| }, | ||
| "modelDetails": { | ||
| "type": "object", | ||
| "properties": { | ||
| "architecture": { "type": "string" }, | ||
| "parameters": { "type": "string" }, | ||
| "trainingDataCutoff": { "type": "string", "format": "date" }, | ||
| "biasMetrics": { | ||
| "type": "object", | ||
| "properties": { | ||
| "disparateImpact": { "type": "number", "minimum": 0, "maximum": 1 }, | ||
| "equalizedOddsDiff": { "type": "number", "minimum": 0, "maximum": 1 }, | ||
| "statisticalParityDiff": { "type": "number", "minimum": -1, "maximum": 1 } | ||
| } | ||
| }, | ||
| "explainabilityMethod": { "type": "string", "enum": ["SHAP", "LIME", "attention_maps", "counterfactual", "other"] } | ||
| } | ||
| }, | ||
| "documentation": { | ||
| "type": "object", | ||
| "properties": { | ||
| "modelCardComplete": { "type": "boolean" }, | ||
| "technicalFileComplete": { "type": "boolean" }, | ||
| "dpiaComplete": { "type": "boolean" }, | ||
| "validationReportComplete": { "type": "boolean" } | ||
| } | ||
| }, | ||
| "monitoring": { | ||
| "type": "object", | ||
| "properties": { | ||
| "driftDetectionEnabled": { "type": "boolean" }, | ||
| "fairnessMonitoringEnabled": { "type": "boolean" }, | ||
| "sentinelRuleCount": { "type": "integer", "minimum": 0 }, | ||
| "opaRuleCount": { "type": "integer", "minimum": 0 }, | ||
| "alertEscalationTier": { "type": "integer", "minimum": 0, "maximum": 5 } | ||
| } | ||
| } | ||
| } | ||
| } |
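Review bot: The property names and nesting in this schema do not match what the two Rego policies in this PR read. The schema defines `documentation.technicalFileComplete`, `riskClassification.euAiActAnnexIII` and `modelDetails.biasMetrics.disparateImpact`, while the policies look up `input.documentation.technical_file_complete`, `input.system.eu_ai_act_annex_iii` and `input.system.bias_di`. Unless a mapping layer exists outside this diff, a schema-valid registration passed as policy input leaves every lookup undefined, which the EU AI Act policy evaluates as not high-risk and therefore compliant. Suggest aligning the names or adding the transformation with a test that feeds a schema-valid document through both policies. The schema also sets no `additionalProperties: false` (misspelled keys validate silently), allows `killSwitchType` of `"none"` regardless of `autonomyLevel` or `canSpawnSubAgents`, and caps `disparateImpact` at 1 although a disparate impact ratio can exceed 1.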
question (bug_risk): The `compliant` rule treats all non-high-risk systems as compliant, which may be too permissive.

Currently, `compliant` is true for any case where `not high_risk`, even if key requirements (documentation, governance, DPIA, etc.) are missing. This allows `compliant` to be true when some `deny` conditions (or future non–high-risk requirements) indicate non-compliance.

If `compliant` is intended to represent overall EU AI Act compliance, consider either:

- `compliant` require `count(deny) == 0`, or
- `low_risk_compliant` rule and reserving `compliant` for fully compliant high-risk systems.

Otherwise, callers may treat "not high-risk" as equivalent to "fully compliant," which is misleading.
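The fail-open behaviour this comment describes, as an added example that is not part of the PR: a reduced copy of the `compliant` rule beside a stricter variant, with `opa test` cases. The package name, `classified` and `compliant_strict` are hypothetical, the category list is shortened, the sample inputs are constructed, and the syntax follows the PR's pre-1.0 Rego style.

```rego
# Added example (not from the PR). Package, `classified` and `compliant_strict`
# are hypothetical names; the category list is a shortened copy of the PR's.
package example.compliant_fail_open

import future.keywords.in

high_risk_categories := ["credit_scoring", "employment_screening"]

default high_risk = false

high_risk {
	input.system.category in high_risk_categories
}

deny[msg] {
	high_risk
	not input.documentation.technical_file_complete
	msg := "EU-AI-ACT-001: technical documentation incomplete"
}

# Shape used in the PR: the second body makes every input that is not
# recognised as high-risk compliant, including an empty or mis-keyed one.
default compliant = false

compliant {
	high_risk
	input.documentation.technical_file_complete == true
}

compliant {
	not high_risk
}

# Stricter variant: the category must actually be present in the input,
# and no deny message may be raised.
default compliant_strict = false

classified {
	is_string(input.system.category)
	input.system.category != ""
}

compliant_strict {
	classified
	count(deny) == 0
}

# Constructed inputs below.
test_pr_shape_accepts_empty_input {
	compliant with input as {}
}

test_pr_shape_accepts_camelcase_registration {
	compliant with input as {"riskClassification": {"euAiActTier": "high", "euAiActAnnexIII": true}}
}

test_strict_rejects_empty_input {
	not compliant_strict with input as {}
}

test_strict_rejects_high_risk_without_technical_file {
	not compliant_strict with input as {"system": {"category": "credit_scoring"}}
}

test_strict_accepts_declared_low_risk {
	compliant_strict with input as {"system": {"category": "chat_summarisation"}}
}
```

The strict variant still trusts a self-declared category string; checking it against a list of known categories would be a further step.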