AI Governance¶
AEGIS implements comprehensive AI governance aligned with international standards and frameworks.
Standards Alignment¶
| Standard | Coverage | Key Controls |
|---|---|---|
| NIST AI RMF 1.0 | MAP, MEASURE, MANAGE, GOVERN | Risk register, model card, data card, oversight plan |
| EU AI Act | Art. 10, 11, 14, 16, 72 | System register, technical file, human oversight, postmarket monitoring |
| ISO 42001 | AIMS Policy (PDCA) | AI management system policy and continuous improvement |
| OWASP Agentic Top 10 | ASI01-ASI10 | Full control matrix with verification methods |
| CoSAI MCP Threat Model | MCP-T1 through MCP-T12 | 9/12 STRONG, 2/12 MODERATE, 1/12 PARTIAL |
Governance Artifacts¶
AEGIS maintains these governance artifacts in the ai/ directory:
| Artifact | Purpose | Standard |
|---|---|---|
system-register.yaml | AI system inventory | EU AI Act Art. 16 |
risk-register.yaml | Risk identification and mitigation | ISO 31000 / NIST AI RMF |
model-card.yaml | Decision engine characteristics | EU AI Act Art. 11 |
data-card.yaml | Telemetry data governance | EU AI Act Art. 10 |
oversight-plan.md | Human oversight procedures | EU AI Act Art. 14 |
postmarket-monitoring.md | Continuous monitoring plan | EU AI Act Art. 72 |
AIMS-POLICY.md | AI management system policy | ISO 42001 |
SOC 2 / FedRAMP Inheritance¶
AEGIS provides governance controls that support downstream compliance:
- Audit trails: Hash-chained, tamper-evident decision logs (CC7.2, CC7.3)
- Access control: RBAC with fail-closed enforcement (CC6.1, CC6.3)
- Change management: Quality gates, CI/CD pipeline, approval workflows (CC8.1)
- Risk assessment: Quantitative risk gates with Bayesian confidence (CC3.2)
- Monitoring: Prometheus metrics, alerting, drift detection (CC7.1)
- Cryptography: Post-quantum resistant signatures and encryption (CC6.7)
Organizations using AEGIS can reference these controls in their own SOC 2 or FedRAMP documentation as inherited controls from the governance layer.
Operational Runbooks¶
Compliance runbooks are maintained in docs/compliance/:
| Runbook | Purpose |
|---|---|
| Business Continuity / DR | RPO/RTO targets and failover procedures |
| Incident Response | Security incident handling |
| Access Review | Periodic access certification |
| Vendor Risk | Third-party risk management |
| Change Management | Change approval and rollback |
| Data Subject Requests | GDPR/privacy request handling |