AI governance that fires when the agent actually acts.

Most AI-governance content is policy frameworks at the whiteboard layer: principles, registers, attestations. We connect the framework to the AWS-side tool call your agent made and the decision the firewall returned. Same words, different gravity.

What changes when AI is the actor

Traditional control programs were written with a human operator in mind: someone you can fire, retrain, or require to log a ticket. The agent isn't fireable. It runs tool calls at a rate humans don't match. It can be wrong with full confidence. Audit logs gathered post-hoc don't prevent the destructive call — they explain it.

AI governance for action-capable agents needs three things the older model didn't:

  • An action-time decision point. The control fires before the call runs, not after the bill arrives.
  • Cryptographic provenance. Who proposed it, who approved it, what policy version applied, what state the world was in.
  • A reviewer the auditor will accept. The audit chain must be tamper-evident, hash-anchored, KMS-signed; the auditor must be able to verify it without a vendor in the loop.

Frameworks we map to

We pre-map the audit chain to the AI-governance frameworks your risk team is most likely tracking. Mappings live in docs/compliance/mapping.md; the chain produces evidence those frameworks ask for.

  • NIST AI RMF (AI 100-1) — Map / Measure / Manage / Govern. Espada's action-time decision + audit trail satisfies "Manage" (M-3) and "Measure" (Ms-2) for action-capable agents.
  • ISO/IEC 42001 (AI Management System) — A.6 (risk treatment), A.8 (operational control), A.10 (monitoring + measurement). Audit chain is the operational-control evidence.
  • OWASP LLM Top-10 — LLM06 (sensitive info disclosure), LLM07 (insecure plugin design), LLM08 (excessive agency). The gate addresses "excessive agency" by being the gate.
  • EU AI Act, Article 14 (human oversight) — The Slack approval round-trip is the documented human-in-the-loop control.
  • SOC 2 CC6.8 (logical access) — for the AI agent as a principal. We treat the agent as a controlled principal, not an unbounded user.

What the chain records, per call

{
  "ts": "2026-06-15T14:09:11.245Z",
  "agent": { "id": "claude-code:pat-laptop-01", "version": "0.18.3" },
  "subject": { "tool": "aws.s3.DeleteObjects", "resource": "s3://prod-billing-archive/" },
  "effects": { "destructive": true, "scope": "bucket", "estimatedItems": 42183 },
  "policy": { "id": "p:s3-delete-prod-protect", "version": "v7", "hash": "sha256:..." },
  "decision": "block",
  "rationale": "destructive AND resource matches prod-* AND no approval",
  "approval": null,
  "chain": { "prev": "sha256:...", "self": "sha256:..." },
  "signature": { "kid": "aws-kms-...", "alg": "ECDSA_P256", "sig": "..." }
}

That structure becomes the auditor-visible evidence for the controls above. verifyChain proves the chain has not been tampered with since it was written.

Human oversight, in practice

Slack-based approval rounds are the default; web and CLI approvers are also supported. The approver's identity is cryptographically bound to the action. SCIM provisioning and role mapping integrate with your existing IdP.

For the board

We publish a board-ready summary the CISO can hand to the risk committee at quarter-end. It pulls from the chain and is anonymized to whatever level the org needs. Format and sample at docs/operations/governance-dashboard.md.