Skip to content

Obsidian757/ai-governance-framework

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AI Governance Framework

Practical governance patterns for AI and GenAI systems in regulated industries

Forked from sunilp/ai-governance-framework and extended with a Virginia state government compliance layer by 12th House AI — Veteran-Owned, Chesapeake, Virginia.


Philosophy

Governance is enablement, not gatekeeping. The goal is not to slow down AI adoption — it is to make AI adoption durable, defensible, and scalable across a regulated organization.

This framework provides opinionated, field-tested patterns for governing both traditional ML and GenAI/LLM systems in financial services, healthcare, state and local government, and other industries where model risk, data privacy, and regulatory compliance are non-negotiable.

The Virginia compliance module (framework/compliance/virginia/) extends the base framework with jurisdiction-specific controls for organizations operating under Virginia EO 30, EO 46, VITA EA-225, VITA Policy Standards, and the Spanberger administration's 2026 AI directives.

Who This Is For

  • Chief Risk Officers who need confidence that AI systems meet regulatory expectations
  • CTOs and Engineering VPs who need repeatable standards for AI productionization
  • AI/ML leads who need clear guardrails without bureaucratic overhead
  • Compliance teams who need to map AI controls to regulatory requirements
  • CISOs who need to assess the security surface of LLM and agentic AI systems
  • Board members who need to understand AI risk posture without operational detail
  • Virginia state agency technology officers subject to EO 30, VITA EA-225, and VITA Policy Standards
  • EdTech vendors navigating Virginia's AI Education Guidelines and student data privacy requirements
  • State and local government AI leads across the mid-Atlantic and Southeast seeking a NIST AI RMF-aligned assessment baseline

Framework Components

Risk Classification

Define how AI systems are tiered by risk and what governance intensity each tier requires.

Model Lifecycle (Traditional ML)

Standards and gates across the full model lifecycle — from development through production monitoring.

LLM Lifecycle (GenAI)

Governance standards specific to large language models and generative AI systems.

AI Security

Standards for securing AI systems against adversarial threats.

  • Red-Teaming Protocol — structured adversarial testing methodology; OWASP LLM Top 10 2025 mapped; recommended tooling (Argus, agentseal)
  • Adversarial Robustness — defenses against jailbreaking, prompt injection, model extraction, data poisoning; OWASP LLM Top 10 2025 aligned
  • Supply Chain Security — model provenance, open-source license risk, AI bill of materials
  • MCP and Agentic Tool Security — MCP server assessment, tool poisoning defenses, least-privilege tool architecture, indirect prompt injection via tool output; OWASP LLM Top 10 2025 LLM01/LLM03/LLM06

Compliance Mapping

How framework controls map to specific regulatory requirements.

Virginia State Government Compliance

Added by 12th House AI — jurisdiction-specific module for Commonwealth of Virginia agencies and vendors.

Virginia operates a layered AI governance regime: executive orders set direction, VITA standards define technical and policy controls, and IA standards govern security. This module maps all layers to framework controls.

  • Virginia Overview — instruments, procurement paths, Spanberger administration watch items
  • Executive Order Mapping — EO 30 (2024), EO 46 (PRC-origin ban 2025), Spanberger EO/Directive (2026), HB 2094 (vetoed)
  • VITA EA-225 Mapping — architecture standard: CTP/Planview registration, decision-path logging, performance monitoring
  • VITA Policy Standard Mapping — governance policy: agency-head approval workflow, ethical-use controls, vendor obligations
  • VITA IA Standards Mapping — ITRM SEC 501-09, SEC 525-01, SEC 528-02, GOV 519-02 — security and privacy controls for AI systems on COV infrastructure
  • Education Guidelines Mapping — K-12 LEA, VCCS, SCHEV requirements; student data privacy; EdTech vendor checklist

US State AI Policies — Mid-Atlantic and Southeast

Added by 12th House AI.

  • Mid-Atlantic and Southeast State Policies — Virginia, Maryland, North Carolina, Tennessee, West Virginia, South Carolina: binding status, procurement teeth, NIST AI RMF integration notes, cross-state compliance matrix

Responsible AI

Standards for ethical and responsible deployment of AI systems.

Operating Model

Who does what, when, and how decisions escalate.

Governance Operations

The operational backbone — controls, evidence, and the end-to-end process.

  • Control Register — master mapping of every control to its evidence, owner, and escalation
  • Governance Workflow — end-to-end process from idea intake to retirement, with gates and evidence packs

Templates

Ready-to-use templates for immediate adoption:

Traditional ML:

GenAI / LLM:

Virginia State Government (added by 12th House AI):

Worked Examples

See the framework applied to real-world use cases:

Traditional ML:

GenAI / LLM:

Virginia State Government (added by 12th House AI):

  • Virginia Agency Policy Navigator — T2 (High), internal GenAI policy Q&A assistant for a state benefits agency; full EO 30 / VITA EA-225 / VITA Policy Standard / VITA IA compliance checklist included

Adoption Approach

This framework is designed for phased rollout:

  1. Phase 1 (Week 1–2): Adopt the risk classification matrix. Tier your existing AI and GenAI systems.
  2. Phase 2 (Month 1): Apply lifecycle standards to one high-risk system as a pilot.
  3. Phase 3 (Month 2–3): Roll out templates (model cards, impact assessments, prompt review checklists) org-wide.
  4. Phase 4 (Ongoing): Establish the operating model — governance cadence, escalation paths, RACI.
  5. Phase 5 (GenAI): Apply LLM lifecycle standards — model selection, prompt governance, RAG governance, deployment gates.
  6. Phase 6 (Security): Establish red-teaming program, adversarial robustness standards, supply chain governance.
  7. Phase 7 (Compliance): Extend compliance mapping to all applicable jurisdictions; implement regulatory change monitoring.

Start where the risk is highest. Expand as the organization builds muscle memory.

Regulatory Alignment

This framework has been designed with explicit alignment to:

Regulation Coverage
NIST AI RMF Govern, Map, Measure, Manage functions — full category-level mapping
ISO/IEC 42001 AI management system — clause-by-clause implementation mapping for certification
SR 11-7 (Fed/OCC) Model risk management — development, validation, governance

Contributing

Contributions are welcome. If you work in regulated industries and have governance patterns worth sharing, open a PR. Practical experience matters more than theoretical frameworks.

Changelog

March 2026 — Comprehensive Update

  • AI Security: Added red-teaming protocol, adversarial robustness standards, supply chain security
  • Regulatory breadth: Added NIST AI RMF mapping, ISO/IEC 42001 mapping, regulatory change monitoring
  • Frontier AI coverage: Added multimodal AI risk matrix and governance, multi-agent governance, open-source model governance, model deprecation governance
  • Enterprise operations: Added board reporting, governance metrics/KPIs, cost governance, GRC integration, incident forensics
  • Templates: Added board risk report and red-team report templates
  • Examples: Added T3 internal knowledge search (lighter governance demonstration)

License

Apache 2.0 — see LICENSE.

About

Practical AI governance framework for regulated industries — extended with Virginia compliance: EO 30, EO 26, Spanberger 2026 EO, VITA EA-225, VITA IA standards, VA Education Guidelines. NIST AI RMF backbone. Mid-Atlantic/Southeast state coverage. Veteran-owned. Framework only — no certification claim.

Topics

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors