Governance Workspace

What you must prove to deploy

Every requirement below maps to a real obligation under the EU AI Act, NIST AI RMF, US OMB M-24-10, ISO/IEC 42001, or Singapore IMDA. Owners must produce signed, portable evidence — not slide decks.

Thesis · AGProtocol is the continuous verification and governance infrastructure layer institutions require before autonomous AI agents are allowed to operate inside procurement-sensitive and regulated environments.
Compliance score
64%
16 passed · 5 in review · 1 action needed · 3 available
Frameworks covered
EU AI Act
NIST AI RMF
OMB M-24-10
ISO/IEC 42001
IMDA Model AI Gov
Last full audit
8 days ago
Next quarterly: Aug 12, 2026
Owner & legal entity
Legal name: MunicipalAI Inc.
EIN: 12-3456789 · DUNS: 07-842-1199
Jurisdiction: Delaware, USA
DPO: dpo@municipalai.example
Data residency: EU (eu-central-1) · US (us-east-1) failover
eIDAS root: 0x8f1a...c4d2
EU AI Act DB ID: EU-AIAct-DB-2026-04419
Beneficial owners & coverage
  • Andrei · Product / Governance / GTM · 50%
  • Gabe · Infrastructure / Provenance · 50%
Insurance: Munich Re Specialty · AI-Liability 2026-A · $10M aggregate
Subprocessors: Cloudflare Workers, Supabase EU, Anthropic, OpenAI, Base L2 (Coinbase)
Incorporation docs: Delaware Cert. of Incorporation · Operating Agreement v3 · EIN Letter (IRS)
KYC verified
25 of 25

  • Verified legal entity & beneficial owners: Passed
    Owner: Legal
    Provider is an identifiable legal entity with KYC'd beneficial owners ≥25%.
    EU AI Act · Art. 16 (Provider obligations)
    ISO/IEC 42001 · Cl. 5.1 Leadership
    KYC pack · Cert. of Incorporation · UBO register
    Last updated: 12 days ago
  • EU authorised representative: Passed
    Owner: Legal
    Non-EU providers appoint an EU-based authorised representative before placing on market.
    EU AI Act · Art. 22
    Mandate agreement · Rep contact on file
    Last updated: 21 days ago
  • Qualified electronic signature (eIDAS): Passed
    Owner: Gabe
    All declarations are signed with a QES tied to the legal entity.
    EU AI Act · Art. 47 (Declaration of conformity)
    eIDAS root cert · QES audit log
    Last updated: 3 days ago
  • AI liability insurance in force: Passed
    Owner: Legal
    Active policy covering AI-caused harm with adequate aggregate.
    OMB M-24-10 · §5(c) Risk mgmt minimum
    Policy declaration · Carrier confirmation
    Last updated: 1 mo ago

  • Risk classification with rationale: Passed
    Owner: Andrei
    Document why the system is high-risk (Annex III) or limited risk, with mitigations.
    EU AI Act · Art. 6 + Annex III
    NIST AI RMF · MAP 1.1 / 5.1
    Risk classification memo · Annex III mapping
    Last updated: 5 days ago
  • Risk management system (lifecycle): Passed
    Owner: Andrei
    A documented, iterative RMS covering identification, estimation, mitigation across the lifecycle.
    EU AI Act · Art. 9
    ISO/IEC 42001 · Cl. 6.1
    RMS policy v2.1 · Quarterly review minutes
    Last updated: 9 days ago
  • Technical documentation (Annex IV): In review
    Owner: Gabe
    Complete technical file: architecture, training data, metrics, known limitations.
    EU AI Act · Art. 11 + Annex IV
    System card v3 · Architecture diagram · Eval report
    Last updated: Yesterday
  • Fundamental Rights Impact Assessment: Action needed
    Owner: Legal
    Public-sector deployers complete a FRIA before first use.
    EU AI Act · Art. 27
    FRIA report · Stakeholder consultation log
    Last updated: Overdue · 4 days
  • Data Protection Impact Assessment: Passed
    Owner: Legal
    GDPR Art. 35 DPIA covering automated decision-making and profiling.
    EU AI Act · Art. 26(9)
    DPIA v2 · DPO sign-off
    Last updated: 2 weeks ago
  • Quality management system: In review
    Owner: Andrei
    Operational QMS covering change-control, testing, release.
    EU AI Act · Art. 17
    ISO/IEC 42001 · Cl. 8
    QMS handbook · Change-control log

  • Training & validation data governance: Passed
    Owner: Gabe
    Data is relevant, representative, free of obvious bias, lawfully sourced.
    EU AI Act · Art. 10
    NIST AI RMF · MAP 2.3
    Datasheet · Bias audit · Source licenses
    Last updated: 11 days ago
  • Content & model provenance (C2PA): Passed
    Owner: Gabe
    Outputs carry a C2PA manifest tying them to a signed model + run.
    EU AI Act · Art. 50 (GPAI disclosure)
    IMDA Model AI Gov · Provenance
    C2PA manifest · Signed model hash · EAS attestation
    Last updated: Today
  • GPAI upstream disclosure: Available
    Owner: Andrei
    Foundation-model providers and versions disclosed; copyright policy honored.
    EU AI Act · Art. 53
    Upstream model registry · Copyright policy
  • Key management & rotation: Passed
    Owner: Security
    Signing keys and API credentials are HSM-backed and rotated on schedule.
    ISO/IEC 42001 · A.7
    OMB M-24-10 · §5(b)
    KMS policy · Last rotation log
    Last updated: 6 days ago

  • Automatic event logging: Passed
    Owner: Gabe
    All inferences, tool calls and custody transitions are logged and tamper-evident.
    EU AI Act · Art. 12
    Append-only log · DAG root anchor
    Last updated: Today
  • Effective human oversight: Passed
    Owner: Andrei
    Humans can interpret outputs, override, and stop the agent at any time.
    EU AI Act · Art. 14
    NIST AI RMF · MANAGE 2.3
    Oversight runbook · Kill-switch test · Reviewer training
    Last updated: 8 days ago
  • Accuracy, robustness & cybersecurity: Passed
    Owner: Security
    Adversarial, prompt-injection and permission-escalation testing with measurable thresholds.
    EU AI Act · Art. 15
    NIST AI RMF · MEASURE 2.7
    Red-team report · Adversarial eval
    Last updated: 4 days ago
  • Serious incident reporting (15 days): In review
    Owner: Legal
    Process to report serious incidents to the market-surveillance authority within 15 days.
    EU AI Act · Art. 73
    Incident SOP · Notification template
  • User-facing transparency: Passed
    Owner: Andrei
    End-users are informed they are interacting with an AI system and of its limits.
    EU AI Act · Art. 13 + 50
    UI disclosure copy · Limitations notice

  • Conformity assessment & CE marking: In review
    Owner: Legal
    High-risk system passed conformity assessment and bears CE marking.
    EU AI Act · Art. 43 + 48
    Notified body report · CE declaration
  • EU AI Act database registration: Passed
    Owner: Legal
    High-risk system registered in the EU public database before placing on market.
    EU AI Act · Art. 49 + 71
    Registration ID · Public listing URL
    Last updated: 30 days ago
  • US federal AI use-case inventory: Available
    Owner: Legal
    Rights/safety-impacting uses listed in agency AI use-case inventory.
    OMB M-24-10 · §3
    Inventory entry · CAIO sign-off
  • Post-market monitoring plan: Passed
    Owner: Andrei
    Active plan to monitor performance and harms after deployment.
    EU AI Act · Art. 72
    ISO/IEC 42001 · Cl. 9
    PMM plan · Quarterly metrics report
    Last updated: 18 days ago
  • IMDA AI Verify report (SG): Available
    Owner: Andrei
    Independent IMDA AI Verify testing for Singapore deployments.
    IMDA Model AI Gov · Testing Framework
    AI Verify report
  • ISO/IEC 42001 AIMS certification: In review
    Owner: Andrei
    Certified AI management system audited by an accredited body.
    ISO/IEC 42001 · Full
    Stage-2 audit report · Certificate
Next best actions
  • Fundamental Rights Impact Assessment · EU AI Act Art. 27
  • GPAI upstream disclosure · EU AI Act Art. 53
  • US federal AI use-case inventory · OMB M-24-10 §3