An open framework for AI governance that survives contact with production.
Most AI governance fails in the handoff from policy to production. The board approves a policy. Engineering interprets it. A vendor delivers something close. The audit finds a gap. Everyone reopens the policy.
This framework closes the gap on purpose — by making the policy and the runtime the same artifact.
POLICY (Board)
/\
/ \
/ \
CONTROLS───────EVIDENCE
(CISO/CTO) (GC/Audit)
\ /
\/
TRACE ID
(the binding)
Three layers. One identifier (trace_id) binds them.
The rule: NO POLICY SHIPS WITHOUT A TRACE.
Every policy line traces to a control. Every control emits evidence. Every piece of evidence ties back to its originating policy.
Pick one AI-assisted decision from yesterday. Can your team produce all eight fields within 24 hours?
- Workflow — which business workflow used AI?
- Model + provider — which model was used (e.g.,
claude-3-5-sonnet-20241022from Anthropic)? - User/system identity — who or what authorized the call?
- Data class — what data class did the request touch (public, internal, confidential, restricted)?
- Applicable policy — which approved policy line governed this AI use?
- Control outcome — which control fired and what did it decide (allow, deny, require approval)?
- Exception path — if the policy was overridden, who approved and why?
- Evidence package — what artifact (log entry, attestation, incident record) survives for the auditor?
If you can't produce all eight in 24 hours, your AI governance program has gaps.
- Diagnose — run the 24-hour test on one AI workflow. Identify the gaps.
- Map — use
templates/policy-control-evidence-worksheet.csvto catalog every policy line with its current control status and evidence artifact. - Close gaps — add controls + evidence emitters for unmapped policy lines.
- Operate — use
schemas/audit-grade-log-entry.schema.jsonto standardize logging across your AI platforms. - Audit — when the auditor arrives, export evidence packages by
trace_idquery.
framework/— the conceptual layers explainedtemplates/— fillable worksheets for your own mappingschemas/— JSON schemas for runtime evidence emissionmappings/— crosswalks to NIST AI RMF, ISO/IEC 42001, EU AI Act, SOC 2examples/— anonymized worked examples
Status: v0.1.0 — minimum-viable scaffold. Framework documents, schemas, mappings, and examples are being filled in over Weeks 2–5. Star the repo to follow.
Authored by Jan Cichocki, Cichocki Advisory & ThreadSync.
The framework is based on patterns from enterprise advisory engagements. It is the same framework operationalized inside ThreadSync's LLM Gateway and Magic Runtime.
If this framework is useful in your work, please cite:
@misc{cichocki2026pce,
author = {Cichocki, Jan},
title = {Policy → Control → Evidence: An Open Framework for AI Governance That Survives Production},
year = {2026},
publisher = {Cichocki Advisory},
url = {https://github.com/cichocki-advisory/policy-control-evidence}
}A CITATION.cff is included so GitHub renders a citation widget on the repo page.
Pull requests welcome for:
- Additional framework crosswalks (HIPAA, GDPR, regional regulations)
- New worked examples (anonymized)
- Schema improvements
- Translations
See CONTRIBUTING.md (coming Week 2).
- ThreadSync — enterprise platform that runs this framework
- Cichocki Advisory — engagement model: 90-Day AI Governance OS Sprint
- AI Evidence Readiness Diagnostic — 90-minute working session to test your own gaps
Apache 2.0 — see LICENSE.
Maintainer: advisory@cichocki.com Last updated: 2026-05-11