AEGISdocs
Compliance

AI Governance

AEGIS AI governance controls aligned with international standards and frameworks including NIST AI RMF, EU AI Act, ISO 42001, SOC 2, and FedRAMP High.

AEGIS implements AI governance controls aligned with international standards and frameworks. This page provides an honest assessment of maturity per framework.

Framework Maturity Assessment

Maturity LevelDefinition
NascentAwareness exists; no artifacts or controls implemented
DesignedArtifacts created, procedures documented, not yet operationalized
OperationalControls enforced in CI/CD, evidence collected, procedures executed
ValidatedExternal audit or assessment confirms effectiveness

Current Maturity by Framework

FrameworkMaturityWhat's Enforced by CIWhat's Documented OnlyKey Gaps
NIST AI RMF 1.0Designed → OperationalRisk register validated, model card schema checked, artifacts present in CIMAP/MEASURE functions partially coveredMEASURE subcategories need deeper metrics
EU AI ActDesignedTechnical file structure validated, TEV report with real evidenceConformity assessment not startedNo notified body engagement; TEV report needs external validation
ISO 42001DesignedAIMS policy documented, PDCA cycle frameworkOnly Plan and Check phases have substanceDo and Act phases need operational evidence
SOC 2DesignedQuality gates enforce CC8.1 (change management); RBAC enforces CC6.1Runbook templates for trust criteriaNo SOC 2 audit conducted; runbooks not yet executed
FedRAMP HighNascent → DesignedBCP/DRP and IRP documentedAccess review procedures, vendor risk assessmentFedRAMP High is the target baseline. Formal 3PAO process not yet started; technological alignment in progress. FIPS 140-3 validated PQC modules unavailable industry-wide (earliest Q2 2027)

What's Real and Strong

These capabilities are implemented, tested, and enforced:

  • Cryptography: BIP-322 dual signatures, Ed25519, ML-DSA-44 (post-quantum), ML-KEM-768, HybridKEM — all implemented with 500+ tests
  • RBAC: Production-ready enforcement with 8 constraint types, four-eyes principle, fail-closed design
  • PII encryption: 12 fields encrypted at rest using HybridKEM (X25519 + ML-KEM-768), 850+ lines of implementation
  • Two-key overrides: Actually enforced via BIP-322 dual signature verification
  • Quality gates: Blocking in CI — ruff, mypy, bandit, pytest with 90% coverage floor
  • Hash-chained audit trail: SHA-256 hash-chained telemetry events with tamper detection and chain verification
  • Audit trail: Comprehensive logging coverage for all evaluation paths with structured telemetry pipeline

Operational Maturity

Operational procedures (access reviews, BCP/DRP drills, incident response exercises) are scheduled for Q2 2026. See the ROADMAP for current status and the compliance remediation tasks (C3-C5).

Standards Alignment

StandardCoverageKey Controls
NIST AI RMF 1.0GOVERN, MAP, MEASURE, MANAGERisk register, model card, data card, oversight plan. 45/72 subcategories fully implemented across all 4 functions (63% full, 86% including partial)
EU AI ActArt. 10, 11, 14, 16, 72System register, technical file, human oversight, postmarket monitoring
ISO 42001AIMS Policy (PDCA)AI management system policy and continuous improvement
OWASP Agentic Top 10ASI01-ASI10Full control matrix with verification methods
CoSAI MCP Threat ModelMCP-T1 through MCP-T129/12 STRONG, 2/12 MODERATE, 1/12 PARTIAL

Governance Artifacts

AEGIS maintains these governance artifacts in the ai/ directory:

ArtifactPurposeStandardCI Validated
system-register.yamlAI system inventoryEU AI Act Art. 16Yes (schema + required fields)
risk-register.yamlRisk identification and mitigationISO 31000 / NIST AI RMFYes (schema + controls present)
model-card.yamlDecision engine characteristicsEU AI Act Art. 11Yes (schema + required fields)
data-card.yamlTelemetry data governanceEU AI Act Art. 10Yes (schema + required fields)
oversight-plan.mdHuman oversight proceduresEU AI Act Art. 14Yes (content validation)
postmarket-monitoring.mdContinuous monitoring planEU AI Act Art. 72Yes (content validation)
AIMS-POLICY.mdAI management system policyISO 42001Yes (content validation)
technical_file/testing/tev_report.mdTest evidence reportEU AI Act Annex IVYes (non-template check)

SOC 2 / FedRAMP Inheritance

AEGIS provides governance controls that support downstream compliance:

  • Audit trails: Hash-chained, tamper-evident decision logs with SHA-256 chain verification (CC7.2, CC7.3)
  • Access control: RBAC with fail-closed enforcement (CC6.1, CC6.3)
  • Change management: Quality gates, CI/CD pipeline, approval workflows (CC8.1)
  • Risk assessment: Quantitative risk gates with Bayesian confidence (CC3.2)
  • Monitoring: Prometheus metrics, alerting, drift detection (CC7.1)
  • Cryptography: Post-quantum resistant signatures and encryption (CC6.7)

Organizations using AEGIS can reference these controls in their own SOC 2 or FedRAMP documentation as inherited controls from the governance layer.

Current limitation: No SOC 2 Type 2 or FedRAMP audit has been conducted on AEGIS itself. These controls are designed for inheritance, not as evidence of AEGIS's own certification. FedRAMP High is the target baseline; formal authorization process has not started. A FIPS-approved classical crypto path (ECDSA P-256 / ECDH P-384) is planned for FedRAMP deployments alongside the existing post-quantum hybrid. Note: as of Q1 2026, no FIPS 140-3 validated PQC module exists industry-wide (earliest projected: Q2 2027).

Operational Runbooks

Compliance runbooks are maintained in docs/compliance/:

RunbookPurposeStatus
Business Continuity / DRRPO/RTO targets and failover proceduresDocumented; first drill pending Q2 2026
Incident ResponseSecurity incident handlingDocumented; tabletop exercise pending
Access ReviewPeriodic access certificationDocumented; first quarterly review pending Q2 2026
Vendor RiskThird-party risk management (AWS)Completed for AWS; other vendors pending
Change ManagementChange approval and rollbackOperational (enforced via CI quality gates)
Data Subject RequestsGDPR/privacy request handlingDocumented; no requests received (internal-only deployment)

Customer Management Guide

Version: 1.0.0 | Updated: 2026-03-05 | Status: Phase 1 (Visibility)

Guardrail Framework Governance

Governance procedures for the Hardened Quantitative Guardrail Framework including approval workflows, recalibration processes, and dual-control requirements.

On this page

Framework Maturity AssessmentCurrent Maturity by FrameworkWhat's Real and StrongOperational MaturityStandards AlignmentGovernance ArtifactsSOC 2 / FedRAMP InheritanceOperational Runbooks