Compliance
Governance
Every artifact the platform already produces — sealed runs, judge certificates, dataset provenance, the override ledger — is the evidence. Governance is a read-side projection over the same entities: compliance as a byproduct of engineering, not a parallel paper trail.
Evidence
Generated by daily work
sealed runs · certificates · provenance · overrides
+ Control mappings
AAG-curated packs
control → evidence types + freshness, each with a why
= Compliance posture
Counts + explicit gaps
never a weighted score — gaps name the missing artifact
| Agent | Risk class | Level | EU AI Act | NIST AI RMF | ISO 42001 | SOC 2 | US emp. law | Internal | |
|---|---|---|---|---|---|---|---|---|---|
Payroll Copilot development · risk owner B. Weasley · review 2026-10-20 | high-risk | L2Gated | 13/14 | 10/11 | 8/10 | 8/8 | — | 3/5 | |
WFM Assistant production · risk owner P. Weasley · review 2027-06-24 | high-risk | L3Regulated-grade | 13/14 | 6/7 | 5/7 | 4/4 | 1/2 | 5/5 | |
HR Policy Advisor pre-production · risk owner K. Shacklebolt · review 2026-07-15 | limitedapproval pending | L3Regulated-grade | 1/2 | 8/8 | 5/5 | 3/3 | — | 5/5 | |
People Navigator production · risk owner K. Shacklebolt · review 2027-03-01 | minimal | L1Onboarded | 1/1 | 3/3 | — | 2/2 | — | 1/1 |
Cells count applicable controls with current evidence — “—” means the framework doesn't bind that agent, and the profile documents why, because “out of scope” is itself an auditable claim.