Search cases, suites, agents…⌘K
DEMO · synthetic data
Compliance

Governance

Every artifact the platform already produces — sealed runs, judge certificates, dataset provenance, the override ledger — is the evidence. Governance is a read-side projection over the same entities: compliance as a byproduct of engineering, not a parallel paper trail.

Evidence
Generated by daily work
sealed runs · certificates · provenance · overrides
+ Control mappings
AAG-curated packs
control → evidence types + freshness, each with a why
= Compliance posture
Counts + explicit gaps
never a weighted score — gaps name the missing artifact
L0Unmanaged
  • ·No suites, no gates — quality is vibes and hotfixes
L1Onboarded
  • ·`quality init` done
  • ·Starter case green
  • ·Dev-loop suite runs locally
L2Gated
  • ·Release gate blocks merges
  • ·Functional + safety concerns hard-required
L3Regulated-grade
  • ·Numeric oracle + action coverage where applicable
  • ·Calibrated judges bound (κ ≥ 0.80, certificate current)
  • ·Dataset composition pinned
L4Continuously assured
  • ·Live enabled: guardrails, watch windows, drift feed
  • ·Continuous red-team campaign
  • ·Governance evidence current — no open gaps
no agents here

Mandate schedule

dates are mandated top-down; levels are computed from real entities — a gate that gates nothing cannot reach L2
AgentCurrentTarget
WFM Assistant
production agents
L3Regulated-gradeL4
HR Policy Advisor
pre-production cohort
L3Regulated-gradeL3
Payroll Copilot
high-risk agents — no exceptions
L2GatedL3
People Navigator
production agents
L1OnboardedL2
UKG Bryte 2.0
production agents
L2GatedL2
Benefits Explainer
production agents
L2GatedL2
Shift Swap
production agents
L1OnboardedL2
Candidate Screener
high-risk agents — no exceptions
L0UnmanagedL3

AAG provides, day one

  • CLI + portal, day one
  • Concern → backend routing table (versioned, explainable)
  • Grader packs + judge templates
  • Shared calibrated judges with certificates
  • Substrate registry + shared overlay library
  • Attack packs for red-team campaigns
  • Control mappings per framework (this catalog)

The team owns

  • Cases and suites, in the team's repo
  • Product-specific overlays
  • Thresholds above the AAG floor
  • SME time for domain judges
  • Fixing what the evals find
Non-goals, both ways: AAG never writes team cases; teams never run judge infrastructure.
Rollout is driven top-down with dates (§81) — mandated maturity targets per cohort. The compliance-theater risk is mitigated by construction: a level is a bundle of checkable criteria over real entities, and minimum-viable gaming shows up in the evidence ledger.