Governance
In preparation

Governance truly begins after a product ships.

A lifecycle proposal that takes the product deployment version as the unit of governance, extending the mature approval logic of medical devices and aviation to the GenAI and agent product layer. Status: concept paper in preparation, planned for Zenodo archiving with a DOI.

01
The gap

The space between three layers

The organization layer has ISO/IEC 42001. The model layer has the capability threshold frameworks of the AI labs. The regulatory layer has EU AI Act conformity assessment. After reverse-checking 45 factual claims, no governance mechanism was found that takes the deployment configuration of an individual GenAI or agent product as its unit.

02
One architecture

A ten-node governance lifecycle

01 Base principles
A first layer of non-negotiable rules that exists before any product.
02 Deployment candidate
A configuration-frozen version appears and becomes the anchor point of governance.
03 Risk classification
Risk tiering decides review intensity. Only high risk enters the full process.
04 Product-specific rules
Generated from real capabilities, purpose, deployment context and user groups.
05 Third-party verification
Staged maturity: document review and design checks first, measurement protocols later.
06 Approval to deploy
Approver, basis of approval and dissent records enter the governance record.
07 Continuous monitoring
Post-market monitoring, including user-side cognitive risk indicators.
08 Update grading and re-validation
Five-level grading. Major and above triggers re-validation and re-approval.
09 Incident reporting
Incidents link back to the version and its approval record.
10 Rule revision and feedback
Revise and redeploy, or withdraw.
03
Three increments

What can be claimed after verification

Increment 1

The deployment candidate

A configuration-frozen version as the regulatory anchor. Six frozen elements: base model and fine-tuned weights, system prompts and persona, tool permissions, RAG sources, memory configuration, interaction optimization targets.

Increment 2

Five-level update grading

From low-risk updates to emergency safety patches, covering AI-native change types: changes to memory, persona and interaction optimization targets are high-risk triggers.

Increment 3

Cognitive risk in the loop

User-side cognitive and contextual risk enters the mandatory governance loop: pre-deployment review dimensions, update triggers, post-market indicators.

04
Dissent records

One small, hard original point

Who approved, on what basis, who dissented, and which version an incident links back to.

Existing frameworks keep traceability at the technical and documentation layers. No framework requires traceability at the governance decision layer, and dissent records have no counterpart in any framework verified.

05
Two rule layers

Reordering when rules are written

Layer one
Non-negotiable base principles that exist before any product.
Layer two
Product-specific rules, generated after the deployment candidate appears and capabilities are observable.

Layering itself has precedents. The value is in delaying layer two until capabilities can be observed, answering the practical problem that legislation written in advance cannot keep up.

06
Citation discipline

Whose shoulders this stands on

Traceability as a precondition of accountability was formalized by Kroll (FAccT 2021). What this proposal does on top of that premise is institutional design.

07
Relation to USCP

Upstream and downstream

USCP describes user-side risk. It sits upstream. This proposal designs the institutional response. It sits downstream. The two cite each other and are not written as one thing.

08
Verification

How this proposal was checked

Primary sources
Primary-source research across 9 framework groups.
Reverse checking
45 key factual claims reverse-checked one by one: 34 confirmed, 11 corrected, 0 refuted.
Novelty assessment
3 independent perspectives: standards and certification, academic review, policy practice.
09
Status

Where this stands

The concept paper is in preparation, planned for Zenodo archiving with a DOI. This page is a proposal and not a finished document.

Begin

Comments and collaboration start from the contact page.

Go to contact