Governance framework v2

[sunilp]

Summary

Comprehensive update evolving the AI governance framework from a conceptual governance reference into an audit-ready, evidence-oriented governance operating system.

Two major phases:

Phase 1: Framework v2 — Regulatory, Frontier AI, Enterprise Operations (26 new/updated files, ~3,400 lines)

• AI Security (new section): Red-teaming protocol, adversarial robustness standards, supply chain security
• Regulatory breadth: NIST AI RMF mapping, ISO/IEC 42001 mapping, multi-jurisdictional guide (EU, US, Singapore, UAE, Brazil, Canada, Australia, Japan), regulatory change monitoring, cross-border data governance
• Frontier AI coverage: Multimodal AI risk matrix and governance, multi-agent governance, open-source model governance, model deprecation governance
• Enterprise operations: Board reporting, governance metrics/KPIs, cost governance, GRC integration (COSO, ISO 31000, three lines of defense), incident forensics
• Templates: Board AI risk report, red-team assessment report
• Examples: T3 internal knowledge search (demonstrates governance scaling down)
• Updated: EU AI Act mappings with enforcement status and compliance evidence; agentic AI risk taxonomy with multi-agent, persistent memory, and tool chain risk dimensions

Phase 2: Operationalization — Control Register, Workflow, Evaluation, Case File (4 new files, ~1,100 lines)

• Control Register — 53 controls mapped to evidence, owner, frequency, and escalation across 10 lifecycle stages. The single source of truth for "what evidence does an auditor expect?"
• Governance Workflow — End-to-end process from idea intake to retirement with gates, minimum evidence packs by tier, tier determination decision flowchart, data classification guidance, and retroactive governance path
• Evaluation Governance — First-class eval standard: 7 eval types, tier-based thresholds, release criteria, dataset governance, LLM-as-judge calibration, anti-patterns
• T1 Governance Case File — Complete 508-line governance trail for the customer service chatbot: 12 filled-in artifacts from intake record through incident post-mortem, demonstrating exactly what "governed AI" looks like in practice

Total: 34 files changed, +7,125 lines

Key design decisions

• Controls organized by lifecycle stage (how audits are structured), not by framework section
• Every control has concrete evidence ("signed risk assessment + tier determination"), never vague ("documentation")
• Every escalation is an action ("block deployment"), never passive ("should be reviewed")
• Case file includes a realistic incident + post-mortem to show the framework handling failure, not just preventing it
• Governance scales down: T3/T4 have lighter requirements at every stage
• Retroactive governance path for organizations with existing production AI systems

Test plan

• All README links verified (grep-based link checker)
• Cross-references between new files verified (control IDs, file paths)
• Case file metric values aligned with existing model-card.yaml and risk-assessment.md
• CodeRabbit review findings addressed (14 issues fixed)
• Spot-check tone consistency across new files
• Verify regulatory mapping accuracy (NIST AI RMF categories, ISO 42001 clauses, EU AI Act enforcement dates)
• Review control register completeness against existing framework standards

Summary by CodeRabbit

Documentation

• Added comprehensive AI system governance framework documentation including evaluation standards, control registers, and governance workflows with defined lifecycle stages, gate criteria, and evidence requirements.
• Provided a complete worked governance case file example demonstrating practical implementation of governance artifacts for a customer service chatbot.
• Established evaluation governance standards defining assessment types, metric thresholds, and tier-based release criteria for AI systems.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 729663fc-3391-4524-b57c-8d6c9bc4e6d5

📥 Commits

Reviewing files that changed from the base of the PR and between 110eb07 and 4395038.

📒 Files selected for processing (1)

• framework/governance-operations/control-register.md

---

📝 Walkthrough

Walkthrough

Adds documentation artifacts for AI governance: a Control Register mapping controls across 10 lifecycle stages, a Governance Workflow with stage gates and evidence packs, an Evaluation Governance standard with tiered thresholds, plus an operationalization plan, design spec, a T1 worked example, and README links to these resources.

Changes

Cohort / File(s)	Summary
Core Governance Docs framework/governance-operations/control-register.md, framework/governance-operations/governance-workflow.md, framework/llm-lifecycle/evaluation-governance.md	New pages: Control Register (controls → evidence, owners, frequency, escalation) across 10 lifecycle stages; Governance Workflow (stage-by-stage gates, evidence lists, tier scaling, retroactive governance); Evaluation Governance (evaluation types, tiered metrics, dataset/infrastructure rules, LLM-as-judge calibration).
Plans & Specs docs/superpowers/plans/2026-03-19-operationalization.md, docs/superpowers/specs/2026-03-19-operationalization-design.md	Adds an operationalization plan and detailed spec mapping controls to evidence packs, tier rules, workflow integration, and rollout guidance for audit-ready governance artifacts.
Worked Example examples/customer-service-chatbot/governance-case-file.md	New end-to-end T1 governance case file for a customer-service chatbot containing intake, risk assessment, architecture/model/prompt reviews, evaluation and red-team results, deployment evidence, monitoring, incident example, and post-mortem.
Repository Top-level README.md	Updated README: adds "Governance Operations" subsection linking to Control Register and Governance Workflow, references Evaluation Governance, and links the chatbot worked example/governance case file.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Governance framework v2 #2: Overlaps on adding governance artifacts (evaluation governance, control register, governance workflow) and linking the chatbot case file — closely related content changes.
• Comprehensive governance framework update: regulatory, frontier AI, enterprise ops #1: Similar documentation additions and README linkage for governance operations and worked examples; likely part of the same documentation expansion.

Poem

🐇 I nibble on controls and hop through each gate,
I stitch evidence packs tidy and neat,
Ten stages I chant as I tidy the slate,
Eval thresholds hum under my feet,
Hop, sign, approve — governance tastes sweet. 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Governance framework v2' is vague and generic, using non-descriptive versioning language that doesn't convey the specific changes in this comprehensive PR.	Consider a more descriptive title that highlights the key additions, such as 'Add operationalization spec with control register, governance workflow, and evaluation governance' or similar.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch governance-framework-v2

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sunilp]

@copilot can review this

[Copilot]

@sunilp I've opened a new pull request, #3, to work on those changes. Once the pull request is ready, I'll request review from you.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (1)

docs/superpowers/plans/2026-03-19-operationalization.md (1)

236-239: Control count discrepancy in plan comments.

The plan's commit message states "50+ controls" but the actual implementation contains 48 controls. While this is still technically "50+" in terms of order of magnitude, for precision the summary in control-register.md should state 48 (as already flagged in that file's review).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/superpowers/plans/2026-03-19-operationalization.md` around lines 236 -
239, The Summary section currently uses a placeholder "{N}" and the plan
text/commit claims "50+ controls" while the actual register has 48 controls;
update the Summary sentence in the control register's "Summary" section to
replace "{N}" with the precise number 48 and ensure the sentence reads: "This
register contains 48 controls across 10 lifecycle stages..." also verify the
same precise count is used anywhere else in that "Summary" text (e.g., the
sentence referencing governance-workflow.md and the customer service chatbot
link) so the document consistently reports 48 controls.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/superpowers/specs/2026-03-19-operationalization-design.md`:
- Around line 45-58: The fenced code block showing the controls table lacks a
language identifier; update that fenced block (the table beginning with "|
Control ID | Control | Applies To | Owner | Evidence | Frequency | Escalation if
Failed |") to include an explicit language tag (e.g., ```markdown) immediately
after the opening backticks so the table renders correctly and is
syntax-highlighted consistently in previews and docs.

In `@examples/customer-service-chatbot/governance-case-file.md`:
- Around line 367-373: The markdown block under the "### Review Decision"
section contains a table (or table-like block) that lacks surrounding blank
lines; update the content so any Markdown table is preceded and followed by a
single blank line to satisfy MD058 (e.g., insert an empty line before the table
starts and after the table ends in the "Review Decision" section) ensuring the
heading and the following paragraph are separated correctly.
- Around line 444-448: The Markdown contains tables that are not surrounded by
blank lines (violating MD058); locate the table blocks in the document near the
"1. **No monitoring on document refresh pipeline health.**" / "### What Went
Well" area and add a single blank line immediately before the table start and a
single blank line immediately after the table end so each table is separated
from adjacent paragraphs/headings; ensure all table instances in the file follow
this pattern.
- Around line 389-393: The Markdown table starting with the lines "| Mitigation
Time | 2026-03-15 16:45 UTC |" and "| Resolution Time | 2026-03-16 10:00 UTC |"
must be surrounded by blank lines for MD058 compliance; insert a single blank
line immediately before the first table line and a single blank line immediately
after the last table line (so there is an empty line between the preceding
content and the table and another empty line between the table and the "### What
Happened" heading).

In `@framework/governance-operations/control-register.md`:
- Around line 107-109: Update the opening summary sentence "This register
contains 53 controls across 10 lifecycle stages" to the correct count by
verifying the control IDs under each stage heading (e.g., "Stage 1 (RA)" through
"Stage 10 (DR)") and change the number to 48 (or adjust if you find
additional/missing controls during verification); ensure the referenced total in
that paragraph matches the summed counts for Stage 1 (RA), Stage 2 (AR), Stage 3
(DE), Stage 4 (EV), Stage 5 (SR), Stage 6 (DA), Stage 7 (PM), Stage 8 (IR),
Stage 9 (RV), and Stage 10 (DR).

---

Nitpick comments:
In `@docs/superpowers/plans/2026-03-19-operationalization.md`:
- Around line 236-239: The Summary section currently uses a placeholder "{N}"
and the plan text/commit claims "50+ controls" while the actual register has 48
controls; update the Summary sentence in the control register's "Summary"
section to replace "{N}" with the precise number 48 and ensure the sentence
reads: "This register contains 48 controls across 10 lifecycle stages..." also
verify the same precise count is used anywhere else in that "Summary" text
(e.g., the sentence referencing governance-workflow.md and the customer service
chatbot link) so the document consistently reports 48 controls.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9a427132-9d01-489c-a442-c148d621a022

📥 Commits

Reviewing files that changed from the base of the PR and between ed8b691 and 110eb07.

📒 Files selected for processing (7)

• README.md
• docs/superpowers/plans/2026-03-19-operationalization.md
• docs/superpowers/specs/2026-03-19-operationalization-design.md
• examples/customer-service-chatbot/governance-case-file.md
• framework/governance-operations/control-register.md
• framework/governance-operations/governance-workflow.md
• framework/llm-lifecycle/evaluation-governance.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add language identifier to fenced code block.

The table format example should specify a language identifier (e.g., markdown or text) for the fenced code block.

📝 Proposed fix

 ### Table Format
 
-```
+```markdown
 | Control ID | Control | Applies To | Owner | Evidence | Frequency | Escalation if Failed |
 |---|---|---|---|---|---|---|
 | RA-001 | Risk assessment completed | All AI systems | Product owner | Signed risk assessment + tier determination | Before development | Cannot proceed to development |

</details>

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.21.0)</summary>

[warning] 45-45: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/superpowers/specs/2026-03-19-operationalization-design.md around lines
45 - 58, The fenced code block showing the controls table lacks a language
identifier; update that fenced block (the table beginning with "| Control ID |
Control | Applies To | Owner | Evidence | Frequency | Escalation if Failed |")
to include an explicit language tag (e.g., ```markdown) immediately after the
opening backticks so the table renders correctly and is syntax-highlighted
consistently in previews and docs.

</details>

<!-- fingerprinting:phantom:triton:puma -->

<!-- This is an auto-generated comment by CodeRabbit -->

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add blank lines around tables for Markdown compliance.

Tables should be surrounded by blank lines per Markdown best practices (MD058).

📝 Proposed fix

 | 3 | Cost per request trending 8% above baseline (€0.032 vs. €0.03) | Low | Investigate prompt optimization | Due 2026-05-01 |
+
 ### Review Decision

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	### Review Decision
	The system continues to operate within acceptable risk parameters. Finding 1 was resolved during the review period. The hallucination rate breach validated that the monitoring and escalation controls work as designed — the incident was detected automatically, AI Risk was notified within SLA, and the root cause was resolved within 20 hours.
	**Next scheduled review:** 2026-07-01
	| 3 | Cost per request trending 8% above baseline (€0.032 vs. €0.03) | Low | Investigate prompt optimization | Due 2026-05-01 |
	### Review Decision
	The system continues to operate within acceptable risk parameters. Finding 1 was resolved during the review period. The hallucination rate breach validated that the monitoring and escalation controls work as designed — the incident was detected automatically, AI Risk was notified within SLA, and the root cause was resolved within 20 hours.
	**Next scheduled review:** 2026-07-01

🧰 Tools

🪛 markdownlint-cli2 (0.21.0)

[warning] 369-369: Tables should be surrounded by blank lines

(MD058, blanks-around-tables)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/customer-service-chatbot/governance-case-file.md` around lines 367 -
373, The markdown block under the "### Review Decision" section contains a table
(or table-like block) that lacks surrounding blank lines; update the content so
any Markdown table is preceded and followed by a single blank line to satisfy
MD058 (e.g., insert an empty line before the table starts and after the table
ends in the "Review Decision" section) ensuring the heading and the following
paragraph are separated correctly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add blank lines around tables for Markdown compliance.

Tables should be surrounded by blank lines per Markdown best practices (MD058).

📝 Proposed fix

 | Resolution Time | 2026-03-16 10:00 UTC |
+
 ### What Happened

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	| Mitigation Time | 2026-03-15 16:45 UTC |
	| Resolution Time | 2026-03-16 10:00 UTC |
	### What Happened
	| Mitigation Time | 2026-03-15 16:45 UTC |
	| Resolution Time | 2026-03-16 10:00 UTC |
	### What Happened

🧰 Tools

🪛 markdownlint-cli2 (0.21.0)

[warning] 391-391: Tables should be surrounded by blank lines

(MD058, blanks-around-tables)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/customer-service-chatbot/governance-case-file.md` around lines 389 -
393, The Markdown table starting with the lines "| Mitigation Time | 2026-03-15
16:45 UTC |" and "| Resolution Time | 2026-03-16 10:00 UTC |" must be surrounded
by blank lines for MD058 compliance; insert a single blank line immediately
before the first table line and a single blank line immediately after the last
table line (so there is an empty line between the preceding content and the
table and another empty line between the table and the "### What Happened"
heading).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add blank lines around tables for Markdown compliance.

Tables should be surrounded by blank lines per Markdown best practices (MD058).

📝 Proposed fix

 | 3. **Gradual drift pattern.** The threshold breach took approximately 2 weeks to manifest, as only a subset of queries were affected by the stale documents.
+
 ### What Went Well

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	1. **No monitoring on document refresh pipeline health.** Output quality monitoring caught the downstream effect but not the upstream cause.
	2. **Auth token manually provisioned with 90-day expiry.** Not included in automated credential rotation.
	3. **Gradual drift pattern.** The threshold breach took approximately 2 weeks to manifest, as only a subset of queries were affected by the stale documents.
	### What Went Well
	1. **No monitoring on document refresh pipeline health.** Output quality monitoring caught the downstream effect but not the upstream cause.
	2. **Auth token manually provisioned with 90-day expiry.** Not included in automated credential rotation.
	3. **Gradual drift pattern.** The threshold breach took approximately 2 weeks to manifest, as only a subset of queries were affected by the stale documents.
	### What Went Well

🧰 Tools

🪛 markdownlint-cli2 (0.21.0)

[warning] 446-446: Tables should be surrounded by blank lines

(MD058, blanks-around-tables)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/customer-service-chatbot/governance-case-file.md` around lines 444 -
448, The Markdown contains tables that are not surrounded by blank lines
(violating MD058); locate the table blocks in the document near the "1. **No
monitoring on document refresh pipeline health.**" / "### What Went Well" area
and add a single blank line immediately before the table start and a single
blank line immediately after the table end so each table is separated from
adjacent paragraphs/headings; ensure all table instances in the file follow this
pattern.