Skip to content

threadsync-infrastructure/policy-control-evidence

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 

Repository files navigation

Policy → Control → Evidence

An open framework for AI governance that survives contact with production.

License: Apache 2.0 Authored by Cichocki Advisory

The problem

Most AI governance fails in the handoff from policy to production. The board approves a policy. Engineering interprets it. A vendor delivers something close. The audit finds a gap. Everyone reopens the policy.

This framework closes the gap on purpose — by making the policy and the runtime the same artifact.

The framework

         POLICY (Board)
              /\
             /  \
            /    \
   CONTROLS───────EVIDENCE
   (CISO/CTO)      (GC/Audit)
              \  /
               \/
            TRACE ID
            (the binding)

Three layers. One identifier (trace_id) binds them.

The rule: NO POLICY SHIPS WITHOUT A TRACE.

Every policy line traces to a control. Every control emits evidence. Every piece of evidence ties back to its originating policy.

The 24-hour evidence test

Pick one AI-assisted decision from yesterday. Can your team produce all eight fields within 24 hours?

  1. Workflow — which business workflow used AI?
  2. Model + provider — which model was used (e.g., claude-3-5-sonnet-20241022 from Anthropic)?
  3. User/system identity — who or what authorized the call?
  4. Data class — what data class did the request touch (public, internal, confidential, restricted)?
  5. Applicable policy — which approved policy line governed this AI use?
  6. Control outcome — which control fired and what did it decide (allow, deny, require approval)?
  7. Exception path — if the policy was overridden, who approved and why?
  8. Evidence package — what artifact (log entry, attestation, incident record) survives for the auditor?

If you can't produce all eight in 24 hours, your AI governance program has gaps.

How to use this framework

  1. Diagnose — run the 24-hour test on one AI workflow. Identify the gaps.
  2. Map — use templates/policy-control-evidence-worksheet.csv to catalog every policy line with its current control status and evidence artifact.
  3. Close gaps — add controls + evidence emitters for unmapped policy lines.
  4. Operate — use schemas/audit-grade-log-entry.schema.json to standardize logging across your AI platforms.
  5. Audit — when the auditor arrives, export evidence packages by trace_id query.

What's in this repo

  • framework/ — the conceptual layers explained
  • templates/ — fillable worksheets for your own mapping
  • schemas/ — JSON schemas for runtime evidence emission
  • mappings/ — crosswalks to NIST AI RMF, ISO/IEC 42001, EU AI Act, SOC 2
  • examples/ — anonymized worked examples

Status: v0.1.0 — minimum-viable scaffold. Framework documents, schemas, mappings, and examples are being filled in over Weeks 2–5. Star the repo to follow.

Authoring

Authored by Jan Cichocki, Cichocki Advisory & ThreadSync.

The framework is based on patterns from enterprise advisory engagements. It is the same framework operationalized inside ThreadSync's LLM Gateway and Magic Runtime.

Citation

If this framework is useful in your work, please cite:

@misc{cichocki2026pce,
  author       = {Cichocki, Jan},
  title        = {Policy → Control → Evidence: An Open Framework for AI Governance That Survives Production},
  year         = {2026},
  publisher    = {Cichocki Advisory},
  url          = {https://github.com/cichocki-advisory/policy-control-evidence}
}

A CITATION.cff is included so GitHub renders a citation widget on the repo page.

Contributing

Pull requests welcome for:

  • Additional framework crosswalks (HIPAA, GDPR, regional regulations)
  • New worked examples (anonymized)
  • Schema improvements
  • Translations

See CONTRIBUTING.md (coming Week 2).

Related work

License

Apache 2.0 — see LICENSE.


Maintainer: advisory@cichocki.com Last updated: 2026-05-11

About

An open framework for AI governance: Policy → Control → Evidence, with trace_id binding. NIST AI RMF · ISO/IEC 42001 · EU AI Act · SOC 2 crosswalks. Authored by Jan Cichocki, Cichocki Advisory.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors