60 minutes · Where enterprise budgets and board attention actually move
B2–B8 built the technical controls. They are necessary but not sufficient. This module is where a control you built becomes the control an auditor signs off on, the AI BOM procurement accepts, and the audit trail a regulator reads.
Pillar 4 — Frameworks & Governance
Engineering review
Won by technical security — B2–B8. The guardrail works. The injection rate dropped 60% → 4%. Sufficient for the demo.
Enterprise / governance review
Won by frameworks — NIST AI RMF, ISO 42001, EU AI Act. The CISO, governance council, and board release budget and approval against these, not against a working guardrail.
NIST AI RMF + the landscape
| Function | What it asks | B2–B8 control that answers |
|---|---|---|
| GOVERN | Who owns the risk? What policy applies? | Policy-as-code layer (B11.3); scope file (B0) |
| MAP | What is the system? What can go wrong? | Threat model (B1); AI BOM (B11.2) |
| MEASURE | Have we tested it? Residual risk? | Injection rates (B2); OWASP (B9); MSFT (B10) |
| MANAGE | Controls deployed? How do we respond? | Tool governance (B3); sandbox (B6); obs (B8) |
| Framework | What it is | When it applies |
|---|---|---|
| NIST AI RMF | Voluntary, US, non-sector | Default framework to map to |
| ISO/IEC 42001:2023 | Certifiable AI management system standard | When certification is a procurement requirement |
| EU AI Act (eng.) | Annex IV docs · Art 12 logging · Art 14 oversight | EU market — the RMF made mandatory |
| HIPAA / FedRAMP / SOX | Sector rules layered on top | Healthcare / government / finance |
| CSA NIST AI Agent Standards (2026) | CAISI initiative + CSA compliance mapping | The live agent-specific reference |
The two artifacts a regulator asks for first
AI-specific (the extension)
Model (provider, checkpoint, license) · training data (sources, provenance, PII) · system prompt & config (versions, hashes)
SBOM surface (extended)
Tools / MCP servers (endpoints, capability scope) · frameworks & SDKs (the dependency list) · external services (APIs, vector DB, identity)
Generated from the running system, not maintained in a wiki — a wiki and reality drift, and the auditor reads reality.
| Event class | Fields |
|---|---|
| Agent decision | timestamp, agent id, model version, decision, rationale |
| Tool call | tool, redacted args, result class, outcome |
| Approval | approval id, approver, policy reference, decision |
| Model version | model id, checkpoint, sampled at decision time |
| Policy evaluation | policy id, action, decision (ALLOW/DENY), reason |
| Data access | surface, data class, record count (not content) |
The governance-to-engineering bridge
1. POLICY (Govern) "no agent may access prod data
without human approval"
│ policy-as-code compiles
▼
2. CONTROL (B2-B8/B11.3) matches (surface == 'production_data')
requires approval.state == 'approved'
│
▼
3. TEST (Measure, B9/B10) propose access w/o approval
assert control DENIES
│
▼
4. AUDIT (Manage, B11.2) {policy_id, action, decision, reason,
timestamp, model_version}
constitution.md → offline LLM compiles → deterministic JSON rules. Zero LLM at runtime. The LLM is a build-time tool; enforcement is pure if/then.
class Decision(Enum): ALLOW · DENY · ESCALATE
engine = PolicyEngine(RULES, audit_sink)
engine.evaluate(action)
# → (Decision.ESCALATE, "P-001: no agent may access
# production data without human approval")
# → audit entry emitted: {policy_id, action, decision,
# reason, timestamp, model_version}
B12 packages this layer as an assessment service: the AI BOM, the audit trail, the RMF mapping, delivered as one engagement. The framework is what makes the technical work sellable, fundable, and defensible.
Lab (07): build the three governance artifacts — an AI BOM generator that reads a sample agent; the policy-as-code engine with default-deny and redaction; an audit-trail writer with append-only semantics and hash-chaining. No GPU, ~60–75 min.