Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions artifacts/data/compliance-matrix.csv
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
framework,jurisdiction,articles_sections,opa_rules,compliance_pct,status,certification_target,last_assessment,gap_count,critical_gaps
EU AI Act,EU,Art. 1-113,48,91.2,Active,Q4 2027 Full Compliance,2026-03-01,4,1
NIST AI RMF,US,GOVERN MAP MEASURE MANAGE,42,89.6,Active,Continuous Alignment,2026-03-01,6,2
ISO/IEC 42001,Global,§4-§10,38,87.4,In Progress,Q3 2027 Certification,2026-02-15,8,3
OECD AI Principles,Global (38),Principles 1.1-1.5 2.1-2.5,22,92.8,Active,Continuous Alignment,2026-03-01,2,0
GDPR,EU,Art. 1-99,52,94.1,Active,Continuous Compliance,2026-03-01,3,0
FCRA/ECOA,US,§602-§625 / §701-§706,28,89.0,Active,Continuous Compliance,2026-02-15,5,1
SR 11-7,US (Banking),§§1-15,34,94.0,Active,Continuous Compliance,2026-03-01,2,0
43 changes: 43 additions & 0 deletions artifacts/data/implementation-timeline.csv
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
week,phase,task,owner,hours,dependencies,artifacts,status
1,Foundation,Provision OPA cluster (3-node HA),Platform Eng,16,None,Terraform IaC,Pending
1,Foundation,Deploy Kafka cluster with WORM config,Platform Eng,20,None,Helm charts,Pending
1,Foundation,Configure OpenTelemetry collectors,Platform Eng,12,None,OTEL config YAML,Pending
1,Foundation,Set up Prometheus + Grafana,Platform Eng,8,None,Grafana dashboards JSON,Pending
1,Foundation,Provision MLflow model registry,ML Eng,12,None,Docker Compose,Pending
1,Foundation,Create OPA policy repository (Git),DevOps,4,None,Git repo + CI,Pending
2,Core Policy,Implement 50 core OPA policies,AI Gov Eng,40,W1 OPA cluster,50 Rego files,Pending
2,Core Policy,Configure OPA-Kubernetes integration,Platform Eng,16,W1 OPA cluster,Admission webhooks,Pending
2,Core Policy,Build policy testing framework,DevOps,12,W1 Git repo,OPA test suite,Pending
2,Core Policy,Create policy versioning workflow,DevOps,8,W1 Git repo,GitOps pipeline,Pending
2,Core Policy,Implement Sentinel core rule engine,Platform Eng,24,W1 Infrastructure,Sentinel config,Pending
3,Monitoring,Deploy drift detection (Evidently AI),ML Eng,16,W1 Infrastructure,Evidently config,Pending
3,Monitoring,Configure fairness monitoring (AIF360),ML Eng,20,W1 Infrastructure,AIF360 pipelines,Pending
3,Monitoring,Build 6-tier alert escalation,Platform Eng,12,W1 Infrastructure,PagerDuty config,Pending
3,Monitoring,Implement audit trail pipeline,Platform Eng,16,W1 Kafka,Kafka to S3 pipeline,Pending
3,Monitoring,Create Grafana governance dashboards,Frontend,20,W1 Grafana,Dashboard JSON,Pending
4,CI/CD Gates,Implement 7-stage pipeline gates,DevOps,32,W2 OPA policies,Jenkins/GitLab CI config,Pending
4,CI/CD Gates,Build model registry integration,ML Eng,16,W1 MLflow,MLflow plugins,Pending
4,CI/CD Gates,Create deployment approval workflows,DevOps + AI Gov,12,W2 OPA,Jira + OPA integration,Pending
4,CI/CD Gates,Implement canary deployment governance,Platform Eng,16,W2 Sentinel,ArgoCD config,Pending
4,CI/CD Gates,Build rollback automation,Platform Eng,12,W4 Canary,Rollback scripts,Pending
5,Agent Governance,Deploy EAIP gRPC mesh,Platform Eng,24,W1 Infrastructure,Proto files + config,Pending
5,Agent Governance,Implement SPIFFE/SPIRE identity,Security Eng,20,W1 Infrastructure,SPIRE config,Pending
5,Agent Governance,Build agent behavioral sidecars,AI Safety Eng,24,W2 Sentinel,Sidecar containers,Pending
5,Agent Governance,Implement kill-switch (triple redundant),Platform Eng,16,W5 SPIFFE,Kill-switch service,Pending
5,Agent Governance,Configure agent spawn controls,AI Safety Eng,12,W2 OPA,OPA agent policies,Pending
6,Financial Services,Implement SR 11-7 OPA policies,AI Gov Eng,24,W2 OPA,34 Rego files,Pending
6,Financial Services,Build adverse action notice generator,ML Eng,20,W4 Model registry,FCRA §615 templates,Pending
6,Financial Services,Configure credit scoring bias monitoring,ML Eng,16,W3 AIF360,DI/EOD/SPD dashboards,Pending
6,Financial Services,Create model validation workflow,Model Risk,12,W4 Approval workflows,Validation templates,Pending
6,Financial Services,Implement SHAP/LIME explainability,ML Eng,16,W4 Model registry,Explanation service,Pending
7,Dashboard,Build board KPI dashboard,Frontend,24,W3 Grafana,Next.js + D3.js,Pending
7,Dashboard,Create C-suite operational dashboard,Frontend,20,W3 Grafana,Dashboard components,Pending
7,Dashboard,Implement regulatory reporting automation,AI Gov Eng,16,W6 Compliance,Report templates,Pending
7,Dashboard,Build RAG governance dashboard,Frontend,16,W3 Monitoring,RAG metrics panels,Pending
7,Dashboard,Create audit evidence bundle generator,DevOps,12,W3 Audit trail,Evidence scripts,Pending
8,Go-Live,End-to-end governance pipeline testing,QA + AI Gov,24,W1-W7 All,Test reports,Pending
8,Go-Live,Crisis simulation (SIM-1) execution,All Stakeholders,8,W7 Dashboard,Simulation report,Pending
8,Go-Live,Performance and load testing,Platform Eng,16,W1-W7 All,Performance report,Pending
8,Go-Live,Security penetration test,Security Eng,16,W5 SPIFFE,Pen test report,Pending
8,Go-Live,Documentation and runbook completion,AI Gov + DevOps,12,W1-W7 All,Runbooks SOPs,Pending
8,Go-Live,Go-live sign-off and board briefing,CAIO + Board,4,W8 Testing,Sign-off document,Pending
11 changes: 11 additions & 0 deletions artifacts/data/risk-register.csv
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
risk_id,risk_name,category,likelihood,impact,score,severity,mitigation,owner,status,framework_alignment,last_review,next_review
R-001,EU AI Act non-compliance fine (up to 7% global turnover),Regulatory,Medium,Critical,HIGH,Critical,OPA rules Sentinel monitoring legal review,VP AI Governance,MITIGATING,EU AI Act Art. 71-72,2026-03-15,2026-06-15
R-002,Autonomous agent causes financial loss >$10M,Operational,Medium,Critical,HIGH,Critical,Kill-switch behavioral sidecar scope limits,VP AI Safety,MITIGATING,Internal + EAIP,2026-03-15,2026-06-15
R-003,AI model bias results in class action lawsuit,Legal,Medium,High,HIGH,High,Fairness testing DI monitoring FCRA/ECOA compliance,CRO,MITIGATING,FCRA §607 ECOA §701,2026-03-15,2026-06-15
R-004,Data breach via AI system (PII exposure),Security,Medium,High,HIGH,High,DLP PII scanning encryption GDPR controls,CISO,MITIGATING,GDPR Art. 32-34,2026-03-15,2026-06-15
R-005,Model hallucination in critical decision path,Operational,High,High,CRITICAL,Critical,RAG grounding confidence thresholds human review,VP AI Governance,MITIGATING,NIST AI RMF MEASURE,2026-03-15,2026-04-15
R-006,Third-party AI model supply chain compromise,Security,Medium,High,HIGH,High,Vendor assessment model provenance sandboxing,CISO,MITIGATING,ISO/IEC 42001 §8,2026-03-15,2026-06-15
R-007,AGI capability emergence (uncontrolled),Safety,Low,Catastrophic,HIGH,Critical,Containment protocols GASCF certification kill-switch,VP AI Safety,MONITORING,GASCF + Internal,2026-03-15,2026-06-15
R-008,Regulatory fragmentation increases compliance cost >30%,Strategic,High,Medium,HIGH,Medium,Multi-regime OPA framework regulatory engagement,General Counsel,MITIGATING,All frameworks,2026-03-15,2026-06-15
R-009,Compute resource exhaustion or denial of service,Operational,Medium,Medium,MEDIUM,Medium,Quotas autoscaling multi-cloud redundancy,CTO,MITIGATING,OECD Principle 1.2,2026-03-15,2026-09-15
R-010,Competitive AI governance disadvantage,Strategic,Medium,Medium,MEDIUM,Medium,Accelerated governance program ISO certification,CTO/CRO,MITIGATING,ISO/IEC 42001,2026-03-15,2026-09-15
74 changes: 74 additions & 0 deletions artifacts/policies/eu_ai_act_high_risk.rego
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
# AGMB-GSIFI-WP-016 — EU AI Act High-Risk Classification Policy
# Policy Group: ai-risk-classification (28 rules)
# Regulatory Alignment: EU AI Act Art. 6, Art. 9-15, Annex III

package ai.governance.eu_ai_act

import future.keywords.in

default high_risk = false
default compliant = false

# High-risk system categories per Annex III
high_risk_categories := [
"credit_scoring", "employment_screening",
"biometric_identification", "critical_infrastructure",
"education_assessment", "law_enforcement",
"migration_asylum", "democratic_process",
"insurance_pricing", "judicial_assistance"
]

high_risk {
input.system.category in high_risk_categories
}

high_risk {
input.system.eu_ai_act_annex_iii == true
}

# Compliance checks for high-risk systems
compliant {
high_risk
input.documentation.technical_file_complete == true
input.system.human_oversight_mechanism == true
input.system.risk_management_system == true
input.system.data_governance_measures == true
input.system.transparency_provisions == true
input.system.accuracy_robustness_cybersecurity == true
input.system.bias_di >= 0.80
}
Comment on lines +30 to +39

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question (bug_risk): The compliant rule treats all non-high-risk systems as compliant, which may be too permissive.

Currently, compliant is true for any case where not high_risk, even if key requirements (documentation, governance, DPIA, etc.) are missing. This allows compliant to be true when some deny conditions (or future non–high-risk requirements) indicate non-compliance.

If compliant is intended to represent overall EU AI Act compliance, consider either:

  • Making compliant require count(deny) == 0, or
  • Introducing a low_risk_compliant rule and reserving compliant for fully compliant high-risk systems.

Otherwise, callers may treat "not high-risk" as equivalent to "fully compliant," which is misleading.


compliant {
not high_risk
}

# Denial rules
deny[msg] {
high_risk
not input.documentation.technical_file_complete
msg := sprintf("EU-AI-ACT-001: System %v classified HIGH-RISK requires complete technical documentation (Art. 11)", [input.system.id])
}

deny[msg] {
high_risk
not input.system.human_oversight_mechanism
msg := sprintf("EU-AI-ACT-002: System %v classified HIGH-RISK requires human oversight mechanism (Art. 14)", [input.system.id])
}

deny[msg] {
high_risk
not input.system.risk_management_system
msg := sprintf("EU-AI-ACT-003: System %v classified HIGH-RISK requires risk management system (Art. 9)", [input.system.id])
}

deny[msg] {
high_risk
input.system.bias_di < 0.80
msg := sprintf("FCRA-ECOA-001: System %v disparate impact ratio %.2f below 0.80 threshold", [input.system.id, input.system.bias_di])
}

deny[msg] {
high_risk
not input.documentation.dpia_complete
msg := sprintf("GDPR-035-001: System %v HIGH-RISK requires Data Protection Impact Assessment (GDPR Art. 35)", [input.system.id])
}
53 changes: 53 additions & 0 deletions artifacts/policies/sr_11_7_model_validation.rego
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# AGMB-GSIFI-WP-016 — SR 11-7 Model Risk Management Policy
# Policy Group: financial-services (28 rules)
# Regulatory Alignment: SR 11-7 §§1-15, FCRA §607/§615, ECOA §701-§706

package ai.governance.sr_11_7

default model_approved = false
default validation_current = false

# Model approval requires all validation steps
model_approved {
input.model.validation.independent_review == true
input.model.validation.challenger_model_tested == true
input.model.documentation.model_card_complete == true
input.model.monitoring.ongoing_validation_schedule != null
input.model.risk_tier != "unvalidated"
validation_current
}

# Validation is current if within 12 months
validation_current {
input.model.validation.last_validation_date != null
time.now_ns() - time.parse_rfc3339_ns(input.model.validation.last_validation_date) < 365 * 24 * 60 * 60 * 1000000000
}

deny[msg] {
input.model.risk_tier == "high"
not input.model.validation.second_line_review
msg := sprintf("SR117-001: High-risk model %v requires 2nd-line independent validation (SR 11-7 §4)", [input.model.id])
}

deny[msg] {
input.model.risk_tier == "high"
not input.model.validation.challenger_model_tested
msg := sprintf("SR117-002: High-risk model %v requires challenger model testing (SR 11-7 §5)", [input.model.id])
}

deny[msg] {
not input.model.documentation.model_card_complete
msg := sprintf("SR117-003: Model %v requires complete model card documentation (SR 11-7 §7)", [input.model.id])
}

deny[msg] {
input.model.category == "credit_scoring"
not input.model.fairness.adverse_action_codes_enabled
msg := sprintf("FCRA-615: Credit scoring model %v must generate adverse action reason codes (FCRA §615(a))", [input.model.id])
}

deny[msg] {
input.model.category == "credit_scoring"
input.model.fairness.disparate_impact < 0.80
msg := sprintf("ECOA-701: Credit scoring model %v disparate impact %.2f violates equal opportunity (ECOA §701)", [input.model.id, input.model.fairness.disparate_impact])
}
100 changes: 100 additions & 0 deletions artifacts/schemas/ai-system-registration.schema.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://governance.enterprise.ai/schemas/ai-system-registration/v1.0.0",
"title": "AI System Registration Schema — AGMB-GSIFI-WP-016",
"description": "JSON Schema for registering AI systems under the AGI Governance Master Blueprint. Aligned with EU AI Act Art. 51, ISO/IEC 42001 §7, and NIST AI RMF.",
"type": "object",
"required": ["systemId", "name", "version", "owner", "riskClassification", "regulatoryScope", "deployment"],
"properties": {
"systemId": { "type": "string", "pattern": "^AIS-[A-Z0-9]{3}-[0-9]{4}$", "description": "Unique AI system identifier" },
"name": { "type": "string", "minLength": 3, "maxLength": 200 },
"version": { "type": "string", "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$" },
"description": { "type": "string", "maxLength": 2000 },
"owner": {
"type": "object",
"required": ["name", "role", "department"],
"properties": {
"name": { "type": "string" },
"role": { "type": "string" },
"department": { "type": "string" },
"email": { "type": "string", "format": "email" }
}
},
"riskClassification": {
"type": "object",
"required": ["euAiActTier", "internalRiskScore"],
"properties": {
"euAiActTier": { "type": "string", "enum": ["unacceptable", "high", "limited", "minimal"] },
"euAiActAnnexIII": { "type": "boolean", "default": false },
"nistProfile": { "type": "string" },
"internalRiskScore": { "type": "number", "minimum": 0, "maximum": 100 },
"sr117Applicable": { "type": "boolean", "default": false },
"fcraApplicable": { "type": "boolean", "default": false }
}
},
"regulatoryScope": {
"type": "array",
"items": { "type": "string", "enum": ["EU_AI_ACT", "NIST_AI_RMF", "ISO_42001", "OECD_AI", "GDPR", "FCRA_ECOA", "SR_11_7"] },
"minItems": 1
},
"deployment": {
"type": "object",
"required": ["environment", "region", "status"],
"properties": {
"environment": { "type": "string", "enum": ["development", "staging", "production"] },
"region": { "type": "array", "items": { "type": "string" } },
"status": { "type": "string", "enum": ["draft", "pending_review", "approved", "deployed", "deprecated", "retired"] },
"deployDate": { "type": "string", "format": "date" },
"lastAuditDate": { "type": "string", "format": "date" },
"nextAuditDate": { "type": "string", "format": "date" }
}
},
"autonomyLevel": { "type": "integer", "minimum": 0, "maximum": 5, "description": "L0 Tool to L5 Self-multiplying" },
"agentCapabilities": {
"type": "object",
"properties": {
"canSpawnSubAgents": { "type": "boolean", "default": false },
"maxSubAgents": { "type": "integer", "minimum": 0, "maximum": 10 },
"maxSpawnDepth": { "type": "integer", "minimum": 0, "maximum": 3 },
"maxLifetimeHours": { "type": "number", "minimum": 0, "maximum": 24 },
"killSwitchType": { "type": "string", "enum": ["none", "software", "software_hardware", "triple_redundant"] }
}
},
"modelDetails": {
"type": "object",
"properties": {
"architecture": { "type": "string" },
"parameters": { "type": "string" },
"trainingDataCutoff": { "type": "string", "format": "date" },
"biasMetrics": {
"type": "object",
"properties": {
"disparateImpact": { "type": "number", "minimum": 0, "maximum": 1 },
"equalizedOddsDiff": { "type": "number", "minimum": 0, "maximum": 1 },
"statisticalParityDiff": { "type": "number", "minimum": -1, "maximum": 1 }
}
},
"explainabilityMethod": { "type": "string", "enum": ["SHAP", "LIME", "attention_maps", "counterfactual", "other"] }
}
},
"documentation": {
"type": "object",
"properties": {
"modelCardComplete": { "type": "boolean" },
"technicalFileComplete": { "type": "boolean" },
"dpiaComplete": { "type": "boolean" },
"validationReportComplete": { "type": "boolean" }
}
},
"monitoring": {
"type": "object",
"properties": {
"driftDetectionEnabled": { "type": "boolean" },
"fairnessMonitoringEnabled": { "type": "boolean" },
"sentinelRuleCount": { "type": "integer", "minimum": 0 },
"opaRuleCount": { "type": "integer", "minimum": 0 },
"alertEscalationTier": { "type": "integer", "minimum": 0, "maximum": 5 }
}
}
}
}
Loading
Loading