AI Governance Evidence Engine. Repo, Docs, Posture.

Review AI systems from code, supporting documents, and declared posture. Produce a reviewer-ready assessment and Evidence Pack.

Built for Internal Audit, GRC, and trust review teams. Same inputs, same pack, same result.

127

Implemented Controls

123 active static · 4 parked runtime

416

Gold Regression Cases

Compliance Frameworks

See How It Works ↓

The Gap

AI Governance Review Is Fragmented

Security scanners, policy reviews, and documentation checks rarely tell one coherent story. Review teams still have to reconcile the evidence by hand.

Code Scanners Miss Governance Context

Traditional AppSec tooling can find technical patterns, but it rarely explains governance posture, stated controls, or review boundaries.

Docs Reviews Miss Implementation Reality

Policies and model docs state intent, but reviewers still need proof that the repo and supporting evidence match those claims.

Outputs Aren't Reviewer-Ready

Most teams still stitch together screenshots, notes, and raw findings. The result is slow, inconsistent, and hard to hand off.

How It Works

From Repo And Docs To Review-Ready Evidence

Three engines run in sequence. Each produces named, versioned artifacts so another reviewer, system, or platform can ingest the same conclusion without scraping the UI.

ICB

Input Contract Builder

Takes a GitHub repo, ZIP, or preset source and normalizes it into a structured declaration contract. System and inventory posture are captured in a manifest with pinned version metadata, explicit gaps, and reviewable evidence requirements.

repo / upload / preset -> manifest.json gap_list stubs[]

SIG

Repo Signals Scan

Parser-first analysis scans the codebase for governance-relevant capability evidence: network access, execution primitives, LLM usage, data handling, vector infrastructure, and related runtime surfaces. Signals keep provenance, evidence lines, parser method, and coverage limits so reviewers can see what was actually observed.

manifest.json -> repo_signals.json manifest.json (enriched)

This is the evidence layer: show what was observed, where it came from, and how strong the provenance is. Not exploit detection, but review guidance with evidence samples.

FDY

Foundry Evaluation (Policy Pack)

The enriched manifest is evaluated against the current 127-control pack. In the current static review mode, 123 controls are active while 4 runtime controls remain parked. Each control produces a deterministic outcome with rationale, evidence asks, blocker provenance, and reviewer framing. If declared posture and observed evidence disagree, the result stays reviewable instead of pretending certainty.

manifest.json (enriched) -> decision.json enriched.sarif.json citations.json

Credibility feature: when posture says "no network" but the repo shows network primitives, the outcome stays "requires review." The product is designed to surface uncertainty, not hide it.

RPT

Evidence Pack And Handoff

The canonical output is the Evidence Pack: a reviewer-ready bundle with stable JSON artifacts, review workflow state, lineage, docs-alignment findings, and generated reports when needed. DOCX remains the narrative handoff, but the pack is the system-of-record output.

decision.json + signals + meta -> evidence_pack.zip run_summary.json Report v2 (DOCX)

Evaluation Outcomes

Three Statuses - No Ambiguity

Every control produces one of three outcomes. REVIEW means human verification needed - never an automated pass.

MEETS

No inconsistency detected between declared posture and observed indicators.

REVIEW

Potential inconsistency detected. Requires human verification before posture can be asserted.

FAIL

Hard failure against required evidence or policy threshold. Blocks green posture.

Source of truth: decision.json - deterministic and reproducible on every run

Run Artifacts

What Review Teams Actually Get

Every run produces machine-readable, run-scoped artifacts. The Evidence Pack is the primary handoff, and the underlying contracts remain exportable for downstream systems.

manifest.json

Normalized declaration contract with pinned schema version

repo_signals.json

Signal evidence: severity, match counts, path:lineno snippets

decision.json

Applicable control outcomes for the current run, with rationale and required evidence paths

run_summary.json

Stable assessment summary, reviewer state, and run lineage contract

evidence_pack.zip

Canonical reviewer handoff with decision-ready artifacts, lineage, and reports

Report v2 (DOCX)

Optional narrative handoff alongside the Evidence Pack

Crosswalk Library

Traceability, Not Certification

127 implemented · 123 active in static mode · 4 runtime controls parked

Framework	Targets	Controls Mapped
NIST AI 600-1	13	123
OWASP LLM Top 10 (2025)	10	47
EU AI Act	30	87
SOC 2 (CC subset)	21	97
ISO 27001 Annex A (2022)	93	80
ISO 42001	16	98
GDPR	9	20
HIPAA	8	25
Responsible AI	6	21

The Gold Suite

Regression-Tested Policy Engine

127 implemented · 123 active in static mode · 4 runtime controls parked

This isn't a checklist. It's a tested policy engine. We can add controls fast without breaking prior decisions.

416

Gold Test Cases

123

Active Static Controls

Frameworks Mapped

✓

Input manifest with structured evidence and declarations

✓

Expected audit outcome - overall status + per-control statuses

✓

PASS + FAIL/REVIEW scenarios for every control

✓

Edge cases: prod vs non-prod, risk tiers, tools enabled/disabled

✓

Run on every change to prevent policy drift

Every policy change is validated against all 416 cases before release. Four runtime controls remain parked while Live Observation is disabled.

// Gold Case - consistency check triggers REVIEW { "case_id": "CASE-GOLD-COV-NET-MISMATCH", "input": { "manifest": { "repo_signals_counts": { "SIG-NETWORK": 3, "SIG-NETWORK-RESTRICTED": 1 }, "network": { "mode": "none" } } }, "expected": { "controls": [{ "control_id": "CP-CONSIST-NET-001", "status": "manual_review" }], "overall": "yellow" } }

Evidence-First AI Governance Review.

Current loaded pack

Contact: s.rao@miined.com

Inputs

Scanning inputs Building manifest Evaluating controls Validate

Scans repo files and supporting docs for governance evidence, evaluates posture deterministically, and produces reviewer-ready outputs.

Select a demo repo to run.

Input Results

RUNNING

Source: — Workspace: — File cap: — Ignored dirs: — Files scanned: — Secret-like skips: —

Git: —

GitHub Actions: —

Security workflow: —

Confidence counts: —

Pipeline steps will appear after completion.

Scan Results

No runs yet.

—

Files scanned

—

Ignored dirs

—

Secret skips

—

File cap

source: — git: — workspace: — actions: — sec-workflow: — confidence: H — · M — · L —

No runs yet. Run a governance check to populate scan details.

Pipeline

github_clone

Repository cloned and indexed

—

icb_build

Input Contract Builder and schema compile

—

icb_validate

Contract validated against control set

—

evaluating

Deterministic evaluation engine

—

Assessment Results

MEETS

Review

Fail

Compliance View

High

Medium

Low

Observed Signal Risk

No runs yet.

Assessment brief

Run a governance check to see what this repo establishes now.

Run a governance check to understand what this repo appears to do, why the review applies, and what needs action.

Start a run to build the review view.

Scope / limitations

Run a governance check to describe the current scope and limitations.

Review status

Run a governance check to generate the current review status.

Repo story

Run a governance check to infer the repo intent.

Review focus

Run a governance check to show the current review focus.

Current gaps for final reliance

These items still limit final reliance on the current review.

No readiness blockers detected. Results are based on available evidence.

Review evidence

Governance gaps

Run a governance check to inspect the current reviewer-ready upgrades.

Crosswalk posture

Mapped review overlay maturity, framework coverage, and the current FAIL/REVIEW distribution.

Crosswalk overlay maturity will appear after the pack loads.

Open Crosswalk overlay

Live observation

Shows what the system did when the internal evaluation cases were run.

No live-observation results for this run.

Open behavior_eval.json

Manual review required

These checks still need a human decision or missing evidence before this assessment is complete.

No human review is currently needed.

Review manual review artifact

Evidence engine

Observed code capability, strongest parser-backed evidence, and the main reason this run still needs reviewer attention.

Run a governance check to show the evidence engine view.

Open Signals evidence

Consistency alerts

No consistency alerts detected.

Repo signals summary

Use these counts to see which signal families deserve inspection first.

No repo-signal view is available for this run.

Open repo signals (JSON)

Review & Update

Running AI extraction...

Studio is preparing document-backed governance suggestions. The review workspace will reopen when the updated results are ready.

Review & Update

Missing context

Context gaps to close

Governance basics

Fields waiting for confirmation

Control dispositions

Controls awaiting disposition

Review state

Awaiting run

Reviewer judgment and sign-off status

Review sequence

Missing context and docs

The initial run is fully deterministic. This step uses AI on readable documents only to stage possible governance values that may have been missed in repo analysis. Code analysis remains unchanged and deterministic. Extracted values are reviewed and confirmed before the review is refreshed.

▾

Confirm governance basics

▾

Governance contract additions will appear when run metadata is available.

Control dispositions

Use this step to record a reviewer disposition for controls that still need a human decision after the refreshed run.

▾

Choose Resolve from current evidence only when the refreshed run is already sufficient, Needs more evidence when more support is still required, Accept with risk when the remaining gap is being accepted explicitly, or Escalate when another owner or approval path is required.

No controls flagged for manual review.

Reviewer judgment

Record the bounded reviewer opinion after working through the evidence queue and control dispositions.

▾

Open this tab to record a bounded reviewer opinion for this run.

This section records a bounded reviewer opinion for this run. It does not certify the system as compliant or production-ready by itself.

Reviewer identity

Reviewer name Reviewer role

Review scope

What this review covered Describe the evidence reviewed, what this opinion applies to, and what stayed outside scope.

Assumptions, conditions, and deferred items

Accepted assumptions List assumptions you relied on because direct evidence was not available. When this conclusion is valid Record the conditions, limitations, or environment boundaries that must hold true. Deferred items List follow-up items that still need evidence or confirmation.

Current reviewer conclusion

Review stage Track whether this review is still gathering evidence, in progress, or ready for sign-off. Current reviewer conclusion Record your current opinion for this run. This can remain provisional until governance updates are applied and final review is complete.

Reviewer notes Capture evidence requests, rationale, and sign-off context.

Sign-off

Use this final checkpoint to confirm readiness, record the bounded reviewer opinion, and save the sign-off state.

▾

Remaining blockers will appear here when a run is available.

Signing off records your bounded reviewer opinion for this run. It does not certify the system as compliant, safe, or production-ready on its own.

Download manual_review.json

Open this tab to review docs alignment.

Summary

Claims extracted

Open this tab to review extracted claims.

Mismatch findings

Open this tab to review mismatches and gaps.

Artifacts (supporting files for this docs review)

document inventory (JSON) document claims (JSON) mismatch report (JSON)

Open this tab to review operational risk.

Summary

Risk categories (misuse, prompt-injection, environment, privacy, oversight)

Open this tab to see how the risk is broken down.

Key drivers (strongest reasons this run looks risky)

Open this tab to see what stands out most.

Evidence sources (what contributed to this view)

Open this tab to see where this view draws its evidence.

Open this tab to review observed code capability, parser-backed evidence when available, and scan limits.

Observed capability footprint

Highest-risk runtime surfaces

Open this tab to see which runtime-capability surfaces stand out most.

Representative evidence

Open this tab to inspect repo-signal evidence.

Coverage and parsing limits

Open this tab to review parser coverage, regex fallback, and scan limits.

Framework maturity

Open this tab to see framework maturity and how the current review overlay should be interpreted.

Framework summary

Open this tab to see how this run maps to the supported frameworks.

By control

Open this tab to view control-level crosswalks.

Artifacts (downloadable outputs)

Core artifacts

Decision JSON

decision.json

—Open

Enriched SARIF

enriched.sarif.json

—Open

Manifest JSON

manifest.json

—Open

Repo Signals JSON

repo_signals.json

—Open

Behavior Eval JSON

behavior_eval.json

—Open

Input Trace JSON

input_trace.json

—Open

Manual Review JSON

manual_review.json

—Open

Evidence support

Citations JSON

citations.json

—Open

Scanner Summary JSON

scanner_summary.json

—Open

Scanner SARIF

scanner.sarif.json

—Open

Diagnostics (ICB)

Missing Fields JSON

missing_fields.json

—Open

Validate Issues JSON

validate_issues.json

—Open

Manifest Builder Report JSON

manifest_builder_report.json

—Open

Documentation checks

Reports

Developer DOCX

Report_Developers_<run_id>.docx

—Open

Auditor DOCX

Report_Auditors_<run_id>.docx

—Open

PDF export coming soon.

Run a governance check to prepare downloads.

Generate DOCX reports when you want a narrative handoff alongside the Evidence Pack.

Runs

Run #1

Run lineage will appear here.

Run-to-run comparison will appear here.