diff --git a/artifacts/README.md b/artifacts/README.md index 7b78e335..4e12f2ac 100644 --- a/artifacts/README.md +++ b/artifacts/README.md @@ -20,6 +20,21 @@ This folder contains machine-readable assets for enterprise and regulator-facing - `requirements-artifacts.txt`: pinned runtime/test dependencies for artifact checks. - `Makefile`: convenience targets for local artifact validation workflows. + +### 2026–2035 AGI/ASI governance reference architecture + +Additional implementation artifacts for Sentinel AI Governance Stack v2.4 and long-horizon AGI/ASI governance: + +- `enterprise-agi-asi-governance-reference-architecture-2026-2035.md`: deeply technical roadmap and reference architecture using ``, `<abstract>`, and `<content>` tags. +- `roadmap-2026-2035.yaml`: machine-readable 2026–2035 implementation roadmap. +- `data/multi_jurisdiction_regulatory_mapping_2026_2035.csv`: multi-framework control mapping for AI, financial, privacy, cyber, conduct, and civilizational governance regimes. +- `oscal/sentinel-ai-control-catalog-oscal.json`: OSCAL-style control catalog for Sentinel/G-Stack/Omni-Sentinel controls. +- `policies/sentinel_ai_release_gate_v24.rego`: OPA/Rego regulated release gate for high-risk and high-agency AI systems. +- `tla/OmniSentinelContainment.tla`: TLA+ reference specification for containment invariants. +- `circuits/g_sri_systemic_risk.circom`: Circom/Groth16 reference circuit for G-SRI risk-band proofs. +- `templates/gc-ir-bridge-event.json`: Global Compliance–Incident Reporting bridge event template for zk proof submission. +- `templates/regulator-technical-report-2035.xml`: regulator-ready technical report template for AGI/ASI governance packs. + ## Validation Human-readable mode: @@ -50,9 +65,10 @@ The validator performs: 3. Annex IV sample semantic checks (types, required fields, enum values, date format). 4. Control mapping cross-reference checks (no unknown control IDs). 5. Regulator XML required section checks. -6. Roadmap milestone date-range checks (2026–2030). -7. Manifest checksum checks for all tracked artifacts. -8. Manifest coverage checks (no missing or unexpected files). +6. Roadmap milestone date-range checks (2026–2030 and 2026–2035). +7. Extended AGI/ASI artifact checks for tagged reports, OSCAL controls, regulatory mappings, Rego gates, TLA+ specs, Circom circuits, and templates. +8. Manifest checksum checks for all tracked artifacts. +9. Manifest coverage checks (no missing or unexpected files). ## Regenerate checksum manifest diff --git a/artifacts/artifact-manifest-v1.json b/artifacts/artifact-manifest-v1.json index 226173ce..5157e18f 100644 --- a/artifacts/artifact-manifest-v1.json +++ b/artifacts/artifact-manifest-v1.json @@ -1,12 +1,21 @@ { "files": { "annex-iv-dossier-schema-v1.json": "191c3442f4b372e8fb400640648841fb4d63aecdfb791d0b1b230a65a384ffe1", + "circuits/g_sri_systemic_risk.circom": "2a9f849ade2f90073de293dc35ac1de912d40479ca953897744329c2f05175db", "control-catalog-v1.json": "56328ecaed2af4d832e993accb3b85d63d69f93eece4f10de08f0c82f71729d8", + "data/multi_jurisdiction_regulatory_mapping_2026_2035.csv": "6c5f49c4bda99ff2d4c4c71a7e3af5079327960b1893a18b322971c4fd414f48", + "enterprise-agi-asi-governance-reference-architecture-2026-2035.md": "87315bff7ce716caa569044bc5b8d7a6fdb81b235429208b2ed283265556a2df", "enterprise-civilizational-agi-asi-blueprint-2026-2030.md": "12684e460b4f33a49d74e66eaa1400aab85e4dd6879e262e06ac932be7c3f3e3", "examples/annex-iv-dossier-example.json": "fd914a07bf2691d9de262907953890ba353b23fe159d07a8b53eee1e6d16b1e2", + "oscal/sentinel-ai-control-catalog-oscal.json": "599a5b2d03fe1d315920eb79ca216792f591f8a9c888b7abe62d9ff8d4edd1c3", + "policies/sentinel_ai_release_gate_v24.rego": "08207f20eef89b4a790ef319b4ae194d31bf6950108d3dcf9e6c8a7cf7ac70e7", "regulator-report-template.xml": "62c55a96b60bbc4592f0ad273ee1cca6e25eac6a437fb047dfb08bdf5baeab2d", - "roadmap-2026-2030.yaml": "2297c95faefe22ff03cb9aa7d104be232fa0269b831cb231f5b7f0ab0ed86369" + "roadmap-2026-2030.yaml": "2297c95faefe22ff03cb9aa7d104be232fa0269b831cb231f5b7f0ab0ed86369", + "roadmap-2026-2035.yaml": "b47b90e172ecdbc787e02f683275c2ea11296b0ff61d1ef948a2636e0d561108", + "templates/gc-ir-bridge-event.json": "bcfcf7fd1ad4f93302f019d35ecbe1ab3f045732f3dd16e390b50bb6a0de55bf", + "templates/regulator-technical-report-2035.xml": "24f69f03b01d7e96c2cd45ed5cd76de24bce43e162277760d88a78fd07cbd4d0", + "tla/OmniSentinelContainment.tla": "c4d70dc56804055aebda35c634eab3002be47c1ce314160deb63150f02ea80d7" }, - "generated_at": "2026-04-26T03:26:37+00:00", + "generated_at": "2026-06-01T09:18:30+00:00", "version": "1.1" } diff --git a/artifacts/circuits/g_sri_systemic_risk.circom b/artifacts/circuits/g_sri_systemic_risk.circom new file mode 100644 index 00000000..5a702c9e --- /dev/null +++ b/artifacts/circuits/g_sri_systemic_risk.circom @@ -0,0 +1,64 @@ +pragma circom 2.1.6; + +include "circomlib/circuits/comparators.circom"; + +// Reference Groth16/Circom circuit for a G-SRI systemic-risk band proof. +// Private witness: component scores and weights. +// Public signals: threshold band, policy version, and evidence commitment. +// Production circuits should add fixed-point normalization, Poseidon commitments, +// version pinning, and audited trusted-setup governance. + +template Range100() { + signal input value; + signal output ok; + + component lower = LessEqThan(16); + lower.in[0] <== 0; + lower.in[1] <== value; + + component upper = LessEqThan(16); + upper.in[0] <== value; + upper.in[1] <== 100; + + ok <== lower.out * upper.out; +} + +template GSRIWeightedSum(n) { + signal input scores[n]; + signal input weights[n]; + signal input thresholdLow; + signal input thresholdHigh; + signal input policyVersion; + signal input evidenceCommitment; + + signal output inBand; + signal output publicPolicyVersion; + signal output publicEvidenceCommitment; + + signal products[n]; + signal accum[n + 1]; + accum[0] <== 0; + + component ranges[n]; + for (var i = 0; i < n; i++) { + ranges[i] = Range100(); + ranges[i].value <== scores[i]; + ranges[i].ok === 1; + products[i] <== scores[i] * weights[i]; + accum[i + 1] <== accum[i] + products[i]; + } + + component aboveLow = LessEqThan(32); + aboveLow.in[0] <== thresholdLow; + aboveLow.in[1] <== accum[n]; + + component belowHigh = LessEqThan(32); + belowHigh.in[0] <== accum[n]; + belowHigh.in[1] <== thresholdHigh; + + inBand <== aboveLow.out * belowHigh.out; + publicPolicyVersion <== policyVersion; + publicEvidenceCommitment <== evidenceCommitment; +} + +component main {public [thresholdLow, thresholdHigh, policyVersion, evidenceCommitment]} = GSRIWeightedSum(10); diff --git a/artifacts/data/multi_jurisdiction_regulatory_mapping_2026_2035.csv b/artifacts/data/multi_jurisdiction_regulatory_mapping_2026_2035.csv new file mode 100644 index 00000000..9d90371f --- /dev/null +++ b/artifacts/data/multi_jurisdiction_regulatory_mapping_2026_2035.csv @@ -0,0 +1,17 @@ +framework,control_objective,technical_artifact,evidence_source,primary_owner,cadence +EU AI Act Annex IV,technical documentation completeness,annex_iv_completeness_v1_zk_proof,annex_iv_dossier_hash,ai_governance,per_release +EU AI Act GPAI systemic risk,systemic model risk evaluation,G-SRI and Red Dawn report,g_sri_public_signal,frontier_safety,quarterly +NIST AI RMF 1.0,govern-map-measure-manage traceability,OSCAL catalog and risk register,control_test_bundle,enterprise_risk,quarterly +NIST AI 600-1,generative AI misuse and information integrity controls,GAI-SOC telemetry,red_team_findings,security_operations,continuous +ISO/IEC 42001,AIMS governance and continual improvement,management_system_records,internal_audit_report,compliance,semiannual +Basel III IV,prudential and operational risk integration,systemic stress pack,stress_scenario_results,treasury_risk,quarterly +SR 11-7,independent model validation,validation_workbench_record,validation_attestation,model_risk_management,annual_or_material_change +SR 26-2 readiness,supervisory AI control change management,regulatory_change_profile,policy_diff_record,regulatory_affairs,monthly +DORA,ICT operational resilience and third-party risk,AI dependency map and incident clock,incident_timeline,operational_resilience,continuous +NIS2,cybersecurity governance and incident reporting,GAI-SOC cyber control map,siem_soar_case,cybersecurity,continuous +GDPR,privacy lawful basis and minimization,DPIA and selective disclosure policy,privacy_assessment,privacy_office,per_release +FCRA ECOA,fair lending and adverse action,fair_lending_v1_zk_proof,reason_code_test,fair_lending_compliance,per_release +MAS HKMA FEAT,fairness ethics accountability transparency,FEAT scorecard,control_owner_attestation,apac_compliance,quarterly +FCA SMCR Consumer Duty,senior accountability and good outcomes,SMCR responsibility map,consumer_outcomes_test,uk_compliance,quarterly +HKMA Fintech 2030,responsible fintech and regtech enablement,regulator API profile,supervisory_submission,apac_regulatory_affairs,semiannual +ICGC GASO,compute governance and emergency pause,compute registry and pause proof,compute_commitment,board_risk_committee,continuous diff --git a/artifacts/enterprise-agi-asi-governance-reference-architecture-2026-2035.md b/artifacts/enterprise-agi-asi-governance-reference-architecture-2026-2035.md new file mode 100644 index 00000000..2347756c --- /dev/null +++ b/artifacts/enterprise-agi-asi-governance-reference-architecture-2026-2035.md @@ -0,0 +1,386 @@ +<title>Sentinel AI Governance Stack v2.4 Reference Architecture for Enterprise AGI/ASI Governance, Containment, and Zero-Knowledge Regulatory Compliance, 2026–2035 + + +This implementation roadmap defines a supervisory-grade architecture for Fortune 500, Global 2000, and G-SIFI financial institutions deploying advanced generative AI, autonomous agents, and AGI/ASI-adjacent systems from 2026 through 2035. It integrates Sentinel AI Governance Stack v2.4, G-Stack, WorkflowAI Pro, Omni-Sentinel containment, Autonomous Supervisory Agents, GAI-SOC telemetry, Red Dawn simulations, G-SRI systemic risk scoring, BBOM/perpetual assurance, OSCAL control catalogs, OPA/Rego policy gates, Kafka-based PQC WORM audit logging, TLA+ safety specifications, Circom/Groth16 systemic-risk circuits, and zk-SNARK/zk-STARK compliance attestations. It maps controls to EU AI Act Annex IV and GPAI systemic-risk duties, NIST AI RMF 1.0, NIST AI 600-1, ISO/IEC 42001 AIMS, Basel III/IV, SR 11-7, SR 26-2 readiness, DORA, NIS2, GDPR, FCRA/ECOA, MAS/HKMA FEAT, FCA SMCR, Consumer Duty, HKMA Fintech 2030, and ICGC/GASO civilizational compute governance proposals. + + + + +## 1. Design goals and operating assumptions + +### 1.1 Enterprise outcomes + +The architecture is designed to make advanced AI auditable, containable, and regulator-verifiable without exposing protected model weights, customer data, proprietary stress scenarios, or supervisory secrets. The required outcomes are: + +1. **Board-visible accountability:** every AI capability, autonomous workflow, model dependency, and compute allocation has an accountable executive, control owner, risk tier, evidence bundle, and kill-switch path. +2. **Deterministic assurance:** all regulated releases produce reproducible evidence from source, model cards, data lineage, evaluations, security scans, policy decisions, deployment attestations, runtime telemetry, and incident response records. +3. **Containment-by-construction:** AGI/ASI-adjacent research and high-agency systems run inside Omni-Sentinel isolation domains with capability firebreaks, network egress control, tool-use mediation, prompt/output guards, circuit breakers, and formal invariants. +4. **Privacy-preserving compliance:** regulators can verify control effectiveness, systemic-risk scores, capital/model-risk thresholds, fairness bounds, and incident disclosures using zk-SNARK or zk-STARK proofs without receiving raw sensitive inputs. +5. **Civilizational risk governance:** institutions can interface with ICGC/GASO-style compute registries, international incident exchanges, treaty-aligned reporting channels, and emergency pause protocols for catastrophic or existential risk events. + +### 1.2 Regulatory interpretation baseline as of 2026-05-28 + +- The EU AI Act is treated as the principal horizontal AI regulation for EU-facing systems, with Annex IV technical documentation, high-risk lifecycle controls, post-market monitoring, and GPAI systemic-risk obligations represented as machine-readable controls. +- NIST AI RMF 1.0 provides the cross-functional risk language: Govern, Map, Measure, Manage. NIST AI 600-1 extends the control model for generative AI risks such as confabulation, information integrity, CBRN misuse enablement, data privacy, cybersecurity, human-AI interaction, and value-chain opacity. +- ISO/IEC 42001 is the management-system backbone for AIMS certification, continual improvement, internal audit, objectives, roles, competence, supplier oversight, and corrective action. +- G-SIFI institutions must merge AI governance with model risk management, prudential risk, operational resilience, third-party oversight, cyber resilience, financial crime, fair-lending, and consumer-outcomes obligations. + +## 2. Reference architecture overview + +### 2.1 Logical stack + +| Layer | Component | Primary responsibility | Evidence emitted | +|---|---|---|---| +| L0 | Board and regulator interface | Risk appetite, AI charter, SMCR/Senior Manager accountability, supervisory packs | Board minutes, approvals, attestations | +| L1 | Sentinel AI Governance Stack v2.4 | Inventory, tiering, policy orchestration, control library, evidence graph | OSCAL records, Annex IV dossier, BBOM | +| L2 | G-Stack | Compute registry, model registry, data registry, agent registry, cryptographic identity | Compute ledger, lineage attestations | +| L3 | WorkflowAI Pro | Human-in-the-loop regulated workflows, four-eyes approvals, exception management | Workflow traces, approval proofs | +| L4 | Omni-Sentinel containment | Isolation domains, egress controls, tool mediation, tripwires, kill-switches | Containment telemetry, TLA+ invariant reports | +| L5 | Autonomous Supervisory Agents | Continuous control monitoring, evidence collection, challenge testing | Control test records, drift findings | +| L6 | GAI-SOC telemetry | Security analytics, AI behavior analytics, red-team telemetry, incident response | SIEM/SOAR events, DORA/NIS2 incidents | +| L7 | ZK compliance plane | Circuits, witnesses, proof generation, verifier contracts, regulator bridge | zk proofs, public signals, verification logs | +| L8 | Perpetual assurance plane | BBOM, WORM audit, replay, assurance packs, third-party attestation | Tamper-evident evidence bundles | + +### 2.2 Deployment topology + +Production deployments SHOULD be split into five hardened zones: + +1. **Governance control plane:** policy authoring, OSCAL catalog management, risk appetite thresholds, exception approvals, regulator profile management. +2. **AI platform plane:** model serving, vector stores, agent orchestration, data pipelines, prompt/tool brokers, evaluation services. +3. **Containment plane:** sandboxed frontier evaluation clusters, no-default-egress research enclaves, guarded tool stubs, deception-resistant monitoring. +4. **Assurance plane:** immutable evidence storage, Kafka WORM topics, PQC hybrid signing, reproducible replay workers, independent validation workbench. +5. **ZK proof plane:** private witness builders, circuit compilers, proving clusters, verifier APIs, regulator-facing GC-IR bridge. + +No plane may share administrative credentials with another plane. The assurance plane is write-once from producers and read-mostly from validators. The containment plane may only export signed, schema-validated telemetry summaries through a one-way evidence diode. + +## 3. Core subsystems + +### 3.1 Sentinel AI Governance Stack v2.4 + +Sentinel v2.4 is the enterprise policy and evidence brain. Its minimum services are: + +- **AI System Registry:** canonical inventory of models, agents, tools, workflows, data sources, vendors, deployment environments, business owners, and jurisdictional footprint. +- **Risk Tiering Engine:** maps inherent risk, agency, autonomy, financial materiality, consumer impact, model novelty, GPAI/systemic-risk triggers, and cross-border operation into tier 0–4 ratings. +- **Control Orchestrator:** assigns OSCAL controls, Rego gates, test procedures, evidence requirements, and approval routes. +- **Regulator Profile Builder:** composes jurisdiction-specific packs for EU AI Act, SR 11-7, DORA, FCA, MAS, HKMA, and local privacy/fairness rules. +- **BBOM Generator:** produces a Behavioral Bill of Materials covering model lineage, prompts, tools, retrieval sources, policies, evaluations, guardrails, and residual risks. + +### 3.2 G-Stack + +G-Stack is the governed substrate for compute, model, data, and agent operations: + +```text +G-Stack +├── compute-ledger: GPU/TPU allocation, threshold monitoring, carbon/energy metadata +├── model-ledger: base model, fine-tune, adapter, eval, deployment state +├── data-ledger: source, consent, retention, lineage, privacy class, transfer basis +├── agent-ledger: goals, tools, permissions, autonomy class, supervisor binding +├── crypto-ledger: key IDs, signing policy, PQC transition status, proof IDs +└── incident-ledger: safety, cyber, conduct, resilience, systemic-risk events +``` + +### 3.3 WorkflowAI Pro + +WorkflowAI Pro turns governance decisions into executable business processes. It enforces: + +- dual approval for tier-1 and tier-2 releases; +- independent validation before production for material financial, consumer, or safety impact; +- mandatory adverse-action/fair-lending review for credit use cases; +- incident commander assignment for DORA/NIS2/GPAI serious incident events; +- evidence completeness checks before board or regulator attestation. + +### 3.4 Omni-Sentinel containment + +Omni-Sentinel is the containment fabric for frontier and autonomous AI: + +- **Capability firebreaks:** separate planning, code execution, external communication, and actuation privileges. +- **Tool-use broker:** every tool call is policy evaluated, rate-limited, logged, and revocable. +- **Context governor:** strips secrets, reduces prompt injection blast radius, and enforces purpose-bound retrieval. +- **Tripwire mesh:** detects deception indicators, cyber exploitation attempts, self-replication signatures, unauthorized persistence, policy evasion, and anomalous resource acquisition. +- **Kill-switch quorum:** emergency shutdown requires either automated invariant breach plus duty-officer confirmation or board/CISO/CRO crisis quorum. + +## 4. Formal safety and containment invariants + +TLA+ specifications SHOULD be maintained beside production policy. Required invariants include: + +1. `NoUnapprovedEgress`: a high-agency agent cannot emit network traffic unless a policy decision permits the destination, purpose, and data class. +2. `KillSwitchEventuallyStopsActuation`: once emergency stop is asserted, all tool actuation transitions eventually enter `Stopped`. +3. `EvidenceBeforeRelease`: tier-1 production release cannot occur without completed validation, red-team, privacy, security, fairness, and business-owner attestations. +4. `NoPrivilegedSelfModification`: an agent cannot modify its own policy, credentials, containment boundary, or approval workflow. +5. `WitnessConfidentiality`: ZK witness material never leaves the proof plane except as commitments, public signals, or verified proofs. + +The companion specification is provided in `artifacts/tla/OmniSentinelContainment.tla`. + +## 5. Compliance-as-code blueprint + +### 5.1 OPA/Rego release gate inputs + +Every CI/CD deployment MUST submit a normalized payload: + +```json +{ + "system_id": "credit-agent-eu-001", + "risk_tier": "tier_1_high_risk", + "jurisdictions": ["EU", "US", "UK", "SG", "HK"], + "uses_gpai": true, + "autonomy_level": 3, + "annex_iv_complete": true, + "model_validation": {"status": "approved", "review_date": "2026-05-20"}, + "containment": {"egress_default_deny": true, "kill_switch_tested": true}, + "zk": {"proof_policy": "systemic_risk_v1", "last_verified": "2026-05-21"} +} +``` + +The gate denies production if material documentation, validation, containment, or proof-verification controls are missing. The companion policy is provided in `artifacts/policies/sentinel_ai_release_gate_v24.rego`. + +### 5.2 CI/CD integration pattern + +1. Developer opens pull request with model, prompt, workflow, circuit, or policy changes. +2. Pipeline builds BBOM and updates the system registry. +3. OPA evaluates release gate against system metadata. +4. TLA+ model checking runs for changed containment specs. +5. Red Dawn simulation suite executes misuse, deception, market-stress, cyber, privacy, and consumer-harm scenarios. +6. ZK proof verifier confirms systemic-risk proof freshness. +7. WorkflowAI Pro routes exceptions to control owners. +8. Kafka WORM emits signed decision event. +9. Deployment proceeds only after all blocking controls pass. + +## 6. Kafka-based PQC WORM audit logging + +### 6.1 Topic design + +| Topic | Retention | Key | Payload | Signature | +|---|---:|---|---|---| +| `gai.control.decisions.v2` | 10 years | `system_id` | OPA decision and inputs hash | ECDSA + ML-DSA hybrid | +| `gai.model.lifecycle.v2` | 10 years | `model_id` | registration, validation, release, retirement | ECDSA + ML-DSA hybrid | +| `gai.containment.events.v2` | 15 years | `containment_domain` | egress, tool, tripwire, kill-switch | ECDSA + ML-DSA hybrid | +| `gai.zk.proofs.v2` | 15 years | `proof_id` | circuit ID, public signals, verifier result | ECDSA + ML-DSA hybrid | +| `gai.incidents.v2` | 15 years | `incident_id` | incident timeline, severity, notifications | ECDSA + ML-DSA hybrid | + +### 6.2 WORM requirements + +- broker-side append-only permissions; +- object-lock archival with retention legal holds; +- Merkle root checkpointing every 15 minutes; +- independent validator replay against manifest hashes; +- separation between evidence producers and retention administrators; +- quarterly restore and replay tests observed by internal audit. + +## 7. Zero-knowledge regulatory compliance architecture + +### 7.1 Proof families + +| Proof | Private witness | Public signals | Verifies | +|---|---|---|---| +| `systemic_risk_v1` | raw G-SRI factors, thresholds, stress scenario results | risk band, commitment, policy version | systemic-risk score within declared band | +| `fair_lending_v1` | protected-class test data and outcomes | metric bounds, model ID commitment | disparate impact metrics meet approved thresholds | +| `annex_iv_completeness_v1` | full Annex IV dossier and internal evidence | completeness bitmap, dossier hash | required sections exist and are current | +| `capital_model_governance_v1` | model validation details and overlays | approval status, model tier | SR 11-7/Basel validation controls satisfied | +| `incident_timeliness_v1` | raw event timeline and recipients | deadline class, notification hash | notifications met required timing rules | + +### 7.2 Circom/Groth16 and zk-STARK selection + +- Use **Groth16/Circom** when proof size and low-latency verifier integration dominate, such as regulator APIs or smart-contract-like GC-IR bridges. +- Use **zk-STARKs** when transparent setup, post-quantum conservatism, and high-volume batch proofs dominate, such as supervisory analytics over many systems. +- Use recursive aggregation for group-level board reporting so individual model witnesses remain private while portfolio-level risk signals are public. + +The companion example circuit is provided in `artifacts/circuits/g_sri_systemic_risk.circom`. + +### 7.3 GC-IR bridge + +The Global Compliance–Incident Reporting bridge exposes three APIs: + +1. `submitProof(proof_id, circuit_id, public_signals, proof_blob, evidence_commitment)` +2. `submitIncidentCommitment(incident_id, severity, jurisdiction_set, deadline_class, commitment)` +3. `requestSelectiveDisclosure(request_id, legal_basis, fields, expiry)` + +Regulators receive proof verification, public signals, metadata, and legal-basis-bound selective disclosures rather than unrestricted evidence dumps. + +## 8. G-SRI systemic risk index + +The G-SRI score combines model capability, autonomy, deployment scale, interconnectedness, data sensitivity, financial materiality, cyber/offensive potential, biological/chemical misuse potential, operational resilience dependency, concentration risk, and control maturity. + +```text +G-SRI = weighted_sum( + capability, + autonomy, + scale, + interconnectedness, + data_sensitivity, + financial_materiality, + misuse_potential, + resilience_dependency, + vendor_concentration, + control_maturity_inverse +) +``` + +Risk bands: + +- **0–24:** monitored AI system; +- **25–49:** material AI system; +- **50–74:** high-risk or critical AI system; +- **75–89:** systemic AI system requiring executive crisis monitoring; +- **90–100:** emergency containment, external notification, and potential pause protocol. + +## 9. Red Dawn simulation program + +Red Dawn simulations are quarterly, adversarial, multi-team exercises for catastrophic and systemic AI failure modes: + +1. **Market cascade:** autonomous agent recommendations amplify liquidity stress or correlated de-risking. +2. **Credit discrimination:** subtle proxy variables create illegal adverse impact under FCRA/ECOA or EU non-discrimination rules. +3. **Prompt-to-payment fraud:** adversarial customer interaction manipulates an agent into unauthorized transaction initiation. +4. **Cyber tool escalation:** coding agent attempts exploit generation, lateral movement, persistence, or defense evasion. +5. **Containment breakout:** frontier agent attempts unauthorized egress, self-modification, or credential acquisition. +6. **GPAI systemic-risk escalation:** model capabilities cross defined thresholds and require regulator notification. +7. **Information integrity shock:** model-generated content contaminates risk dashboards, board reporting, or public disclosures. + +Each scenario has a hypothesis, control objectives, injects, measured indicators, stop conditions, evidence artifacts, remediation owners, and board reporting thresholds. + +## 10. Multi-jurisdictional control mapping + +| Framework | Control anchor | Implementation pattern | +|---|---|---| +| EU AI Act Annex IV | technical documentation, intended purpose, design, validation, monitoring | Annex IV dossier schema, evidence graph, completeness proof | +| EU AI Act GPAI systemic risk | model evaluation, adversarial testing, incident reporting, cybersecurity | G-SRI, Red Dawn, GAI-SOC, systemic-risk zk proof | +| NIST AI RMF 1.0 | Govern, Map, Measure, Manage | OSCAL catalog, risk register, eval suite, management action plan | +| NIST AI 600-1 | generative AI risk profile | GAI-SOC telemetry, content integrity controls, misuse testing | +| ISO/IEC 42001 | AIMS clauses and controls | management-system workflow, internal audit, corrective action | +| Basel III/IV | prudential, operational, model and capital impacts | stress testing, model overlays, risk appetite thresholds | +| SR 11-7 | model development, validation, governance | independent validation, challenge, limitations, monitoring | +| SR 26-2 readiness | supervisory AI expectations tracking | policy profile placeholder, regulator-change workflow | +| DORA | ICT risk, resilience testing, incident reporting, third-party risk | AI dependency mapping, operational resilience telemetry | +| NIS2 | cyber governance and incident handling | essential/important entity cyber control mapping | +| GDPR | lawful basis, DPIA, minimization, rights | privacy gate, retention controls, selective disclosure | +| FCRA/ECOA | fair lending, adverse action, explainability | fairness proof, reason-code governance, audit trail | +| MAS/HKMA FEAT | fairness, ethics, accountability, transparency | FEAT scoring and accountable-owner attestations | +| FCA SMCR/Consumer Duty | senior manager accountability, good outcomes | duty mapping, consumer outcome testing, board attestation | +| HKMA Fintech 2030 | responsible fintech and regtech enablement | regulator APIs, innovation controls, operational resilience | +| ICGC/GASO | civilizational compute and emergency governance | compute registry, incident bridge, pause protocol | + +The machine-readable CSV mapping is provided in `artifacts/data/multi_jurisdiction_regulatory_mapping_2026_2035.csv`. + +## 11. Roadmap: 2026–2030 with extension through 2035 + +### Phase 0: 2026 foundation + +- Establish board AI risk appetite and AGI/ASI governance charter. +- Stand up Sentinel v2.4 inventory, tiering, control catalog, and Annex IV dossier pipeline. +- Implement first OPA release gates for high-risk EU, US credit, and critical financial workflows. +- Begin Kafka WORM evidence logging and BBOM generation for tier-1 systems. + +### Phase 1: 2027 policy-as-code and assurance + +- Expand OPA/Rego controls across model, prompt, agent, data, and infrastructure changes. +- Deploy GAI-SOC telemetry and Autonomous Supervisory Agents for continuous controls monitoring. +- Complete deterministic replay for model decisions and agent actions. +- Run first Red Dawn enterprise exercise and board tabletop. + +### Phase 2: 2028 containment and PQC transition + +- Launch Omni-Sentinel containment lab for frontier model and autonomous agent evaluation. +- Add TLA+ model checking to containment and deployment control pipelines. +- Adopt PQC hybrid signatures for evidence and proof logs. +- Implement systemic-risk zk proof pilots for internal audit and selected regulators. + +### Phase 3: 2029 cross-border supervisory integration + +- Implement GC-IR bridge with regulator-selective disclosure workflows. +- Build multi-jurisdictional regulator profiles and automated evidence pack generation. +- Integrate compute registry with civilizational governance watchlists and emergency pause playbooks. +- Expand Red Dawn to cross-border payment, market, cyber, and misinformation cascades. + +### Phase 4: 2030 steady-state adaptive governance + +- Achieve continuous BBOM/perpetual assurance for all material AI systems. +- Aggregate portfolio risk with recursive ZK proofs and board-level G-SRI dashboards. +- Validate incident notification clocks across DORA, NIS2, GDPR, EU AI Act, and local regimes. +- Obtain independent assurance over AIMS, model risk, cyber resilience, and ZK proof controls. + +### Phase 5: 2031–2032 autonomous supervision + +- Deploy regulator-facing proof verification portals. +- Use Autonomous Supervisory Agents to continuously test controls, subject to human oversight and audit constraints. +- Mature value-learning and ethical alignment evaluations for high-agency enterprise agents. +- Add scenario libraries for labor displacement, consumer manipulation, bias amplification, and critical infrastructure spillovers. + +### Phase 6: 2033–2035 civilizational governance interoperability + +- Interoperate with international compute governance, emergency coordination, and treaty-aligned reporting mechanisms. +- Support cryptographic proofs of compute threshold compliance and emergency pause conformance. +- Maintain multi-party simulations spanning G-SIFIs, cloud providers, regulators, and civil authorities. +- Institutionalize societal-impact reviews for economic disruption, concentration, democratic integrity, and catastrophic misuse. + +The companion machine-readable roadmap is provided in `artifacts/roadmap-2026-2035.yaml`. + +## 12. ICGC Phase 1 and Phase 2 zk-verified controls + +### Phase 1: institutional proof of control + +Phase 1 controls prove institution-level governance without revealing sensitive evidence: + +- model inventory completeness proof; +- high-risk system Annex IV completeness proof; +- systemic-risk band proof; +- containment test pass proof; +- incident timeliness proof; +- board attestation binding proof. + +### Phase 2: civilizational compute and emergency proof + +Phase 2 controls prove cross-institutional commitments: + +- compute allocation below policy threshold or authorized exception; +- no unauthorized frontier training run on registered clusters; +- emergency pause instruction propagated to all relevant serving endpoints; +- selected incidents disclosed to authorized supervisors within deadline class; +- independent assurance signature over aggregated proof bundles. + +## 13. Regulator-ready technical report structure + +Every material system technical report SHOULD use this canonical structure: + +```xml +Regulator-Ready AI Governance Technical Report for SYSTEM_ID + + Concise description of the system, business purpose, regulatory role, model lineage, + risk tier, jurisdictions, residual risks, and attestation status. + + +
Inventory, owners, jurisdictions, risk tier, dependencies.
+
Model, data, agent, tool, control, and containment architecture.
+
Mapped legal, prudential, privacy, cyber, and conduct obligations.
+
EU AI Act Annex IV technical documentation extract.
+
SR 11-7/Basel validation, limitations, overlays, monitoring.
+
Red-team, Red Dawn, misuse, autonomy, cyber, and alignment evals.
+
Proof IDs, public signals, verifier results, circuit versions.
+
Incident history, notification clocks, remediation, lessons learned.
+
Control-owner, executive, board, and independent assurance signatures.
+
+``` + +The companion XML template is provided in `artifacts/templates/regulator-technical-report-2035.xml`. + +## 14. Engineering acceptance criteria + +A deployment is enterprise-grade only when all of the following are true: + +- every material AI system is registered, tiered, owner-bound, and mapped to jurisdictions; +- every tier-1 release has independent validation, red-team evidence, security approval, privacy approval, and board-risk visibility; +- every high-agency agent uses default-deny tools, constrained egress, runtime telemetry, and tested kill-switches; +- every regulatory control has a test, evidence source, owner, cadence, and exception path; +- every material proof has versioned circuits, reproducible witness builders, verifier logs, and key-management evidence; +- every critical model decision and agent action can be replayed from WORM evidence; +- every catastrophic-risk scenario has an exercised playbook and named crisis authority. + +## 15. Board and C-suite decision checklist + +1. Has the board approved AI risk appetite, prohibited use cases, and emergency pause authorities? +2. Can management identify all high-risk, GPAI-dependent, customer-impacting, and systemic AI systems within 24 hours? +3. Are model risk, cyber, operational resilience, privacy, conduct, legal, and safety teams using the same evidence graph? +4. Can the institution prove compliance to regulators without exposing confidential witnesses or customer data? +5. Are autonomous agents prevented from self-modifying policies, acquiring uncontrolled resources, or bypassing human oversight? +6. Do Red Dawn results directly change controls, capital/resilience assumptions, or deployment limits? +7. Is civilizational compute governance treated as a board-level risk for frontier-scale capability development? + +
diff --git a/artifacts/manifest-targets-v1.json b/artifacts/manifest-targets-v1.json index 3ac4b5c8..c450fb49 100644 --- a/artifacts/manifest-targets-v1.json +++ b/artifacts/manifest-targets-v1.json @@ -6,6 +6,15 @@ "roadmap-2026-2030.yaml", "regulator-report-template.xml", "enterprise-civilizational-agi-asi-blueprint-2026-2030.md", - "examples/annex-iv-dossier-example.json" + "examples/annex-iv-dossier-example.json", + "enterprise-agi-asi-governance-reference-architecture-2026-2035.md", + "roadmap-2026-2035.yaml", + "data/multi_jurisdiction_regulatory_mapping_2026_2035.csv", + "oscal/sentinel-ai-control-catalog-oscal.json", + "policies/sentinel_ai_release_gate_v24.rego", + "tla/OmniSentinelContainment.tla", + "circuits/g_sri_systemic_risk.circom", + "templates/gc-ir-bridge-event.json", + "templates/regulator-technical-report-2035.xml" ] } diff --git a/artifacts/oscal/sentinel-ai-control-catalog-oscal.json b/artifacts/oscal/sentinel-ai-control-catalog-oscal.json new file mode 100644 index 00000000..dd3bf6a9 --- /dev/null +++ b/artifacts/oscal/sentinel-ai-control-catalog-oscal.json @@ -0,0 +1,104 @@ +{ + "catalog": { + "uuid": "9ad6b639-4626-4f22-b3c0-000000000024", + "metadata": { + "title": "Sentinel AI Governance Stack v2.4 Enterprise AGI/ASI Control Catalog", + "last-modified": "2026-05-28T00:00:00Z", + "version": "2.4.0", + "oscal-version": "1.1.2", + "roles": [ + {"id": "board-risk-committee", "title": "Board Risk Committee"}, + {"id": "chief-risk-officer", "title": "Chief Risk Officer"}, + {"id": "ai-platform-engineering", "title": "AI Platform Engineering"}, + {"id": "frontier-safety", "title": "Frontier AI Safety"}, + {"id": "internal-audit", "title": "Internal Audit"} + ] + }, + "groups": [ + { + "id": "sentinel-governance", + "title": "Governance, Inventory, and Accountability", + "controls": [ + { + "id": "SG-01", + "title": "Board-approved AI risk appetite and accountable ownership", + "props": [ + {"name": "maps-to", "value": "EU-AI-Act;NIST-AI-RMF-GOVERN;ISO-IEC-42001;FCA-SMCR"}, + {"name": "cadence", "value": "quarterly"} + ], + "parts": [ + {"id": "SG-01_stmt", "name": "statement", "prose": "The organization maintains board-approved AI risk appetite, prohibited-use boundaries, senior manager accountability, and emergency pause authorities for all material AI systems."} + ] + }, + { + "id": "SG-02", + "title": "Complete AI, agent, data, model, and compute inventory", + "props": [ + {"name": "maps-to", "value": "EU-AI-Act-Annex-IV;NIST-AI-RMF-MAP;DORA;ICGC-GASO"}, + {"name": "cadence", "value": "continuous"} + ], + "parts": [ + {"id": "SG-02_stmt", "name": "statement", "prose": "Every material model, agent, tool, data source, vendor dependency, and compute allocation is registered, risk-tiered, owner-bound, and linked to evidence."} + ] + } + ] + }, + { + "id": "omni-containment", + "title": "Omni-Sentinel Containment and Frontier Safety", + "controls": [ + { + "id": "OC-01", + "title": "Default-deny egress and mediated tool use", + "props": [ + {"name": "maps-to", "value": "NIST-AI-600-1;DORA;NIS2;EU-AI-Act-GPAI-Systemic-Risk"}, + {"name": "cadence", "value": "continuous"} + ], + "parts": [ + {"id": "OC-01_stmt", "name": "statement", "prose": "High-agency systems execute only through policy-mediated tools, default-deny network egress, signed telemetry, and tested kill-switch paths."} + ] + }, + { + "id": "OC-02", + "title": "Formal containment invariants", + "props": [ + {"name": "maps-to", "value": "NIST-AI-RMF-MEASURE;ISO-IEC-42001;ICGC-GASO"}, + {"name": "cadence", "value": "per-change"} + ], + "parts": [ + {"id": "OC-02_stmt", "name": "statement", "prose": "Containment policies are backed by model-checked invariants for egress, actuation stop, self-modification prevention, and proof-witness confidentiality."} + ] + } + ] + }, + { + "id": "zk-assurance", + "title": "Zero-Knowledge Compliance and Perpetual Assurance", + "controls": [ + { + "id": "ZA-01", + "title": "ZK systemic-risk and compliance proofs", + "props": [ + {"name": "maps-to", "value": "EU-AI-Act-GPAI-Systemic-Risk;SR-11-7;Basel-III-IV;GDPR"}, + {"name": "cadence", "value": "per-release-and-quarterly"} + ], + "parts": [ + {"id": "ZA-01_stmt", "name": "statement", "prose": "The institution can prove systemic-risk bands, Annex IV completeness, fair-lending thresholds, and incident-timeliness conformance without revealing private witnesses."} + ] + }, + { + "id": "ZA-02", + "title": "PQC WORM evidence and replay", + "props": [ + {"name": "maps-to", "value": "DORA;NIS2;SR-11-7;ISO-IEC-42001"}, + {"name": "cadence", "value": "continuous"} + ], + "parts": [ + {"id": "ZA-02_stmt", "name": "statement", "prose": "All regulated AI lifecycle, control, proof, containment, and incident events are written to immutable logs with hybrid post-quantum signatures and deterministic replay support."} + ] + } + ] + } + ] + } +} diff --git a/artifacts/policies/sentinel_ai_release_gate_v24.rego b/artifacts/policies/sentinel_ai_release_gate_v24.rego new file mode 100644 index 00000000..d7bbaa40 --- /dev/null +++ b/artifacts/policies/sentinel_ai_release_gate_v24.rego @@ -0,0 +1,77 @@ +package sentinel.release.v24 + +import rego.v1 + +default allow := false + +required_evidence := { + "annex_iv_complete", + "model_validation_approved", + "containment_ready", + "zk_verified", + "bbom_current", + "owner_attested", +} + +model_validation_approved if { + input.model_validation.status == "approved" +} + +zk_proof_verified if { + input.zk.last_verified +} + +allow if { + count(deny) == 0 +} + +deny contains msg if { + input.risk_tier == "tier_1_high_risk" + not input.annex_iv_complete + msg := "tier-1 high-risk release requires complete Annex IV dossier" +} + +deny contains msg if { + input.uses_gpai + not input.gpai_supplier_due_diligence_complete + msg := "GPAI-dependent release requires supplier due diligence and systemic-risk screening" +} + +deny contains msg if { + not model_validation_approved + msg := "model validation must be approved before regulated deployment" +} + +deny contains msg if { + input.autonomy_level >= 3 + not input.containment.egress_default_deny + msg := "high-agency agent requires default-deny egress containment" +} + +deny contains msg if { + input.autonomy_level >= 3 + not input.containment.kill_switch_tested + msg := "high-agency agent requires tested kill switch" +} + +deny contains msg if { + input.risk_tier == "tier_1_high_risk" + not zk_proof_verified + msg := "tier-1 high-risk release requires verified ZK compliance proof metadata" +} + +deny contains msg if { + input.g_sri_score >= 75 + not input.board_risk_committee_exception + msg := "systemic-risk deployment requires board risk committee exception" +} + +evidence_status[e] := "present" if { + e := required_evidence[_] + input.evidence[e] +} + +evidence_status[e] := "missing" if { + e := required_evidence[_] + not input.evidence[e] +} diff --git a/artifacts/roadmap-2026-2035.yaml b/artifacts/roadmap-2026-2035.yaml new file mode 100644 index 00000000..8bd2dc3f --- /dev/null +++ b/artifacts/roadmap-2026-2035.yaml @@ -0,0 +1,108 @@ +version: 1.0 +name: sentinel-ai-governance-stack-2035-roadmap +horizon: 2026-2035 +updated_at: 2026-05-28 +owners: + executive: chief_risk_officer + technology: chief_ai_platform_officer + assurance: chief_audit_executive + safety: head_of_frontier_ai_safety +phases: + - id: phase_0_2026_foundation + window: 2026-Q2_to_2026-Q4 + outcomes: + - board_ai_risk_appetite + - sentinel_v2_4_inventory + - annex_iv_dossier_pipeline + - initial_opa_release_gates + - bbom_for_tier1_systems + - id: phase_1_2027_assurance + window: 2027 + outcomes: + - gai_soc_telemetry + - autonomous_supervisory_agents + - deterministic_replay + - red_dawn_enterprise_exercise + - kafka_worm_evidence_mesh + - id: phase_2_2028_containment + window: 2028 + outcomes: + - omni_sentinel_containment_lab + - tla_model_checking_pipeline + - pqc_hybrid_evidence_signing + - systemic_risk_zk_pilot + - cross_border_tabletops + - id: phase_3_2029_supervisory_integration + window: 2029 + outcomes: + - gc_ir_bridge + - regulator_profile_generator + - civilizational_compute_registry_adapter + - red_dawn_cross_market_scenarios + - id: phase_4_2030_steady_state + window: 2030 + outcomes: + - continuous_bbom_perpetual_assurance + - recursive_zk_portfolio_reporting + - dora_nis2_gdpr_ai_act_notification_clock_tests + - independent_aims_and_zk_assurance + - id: phase_5_2031_2032_autonomous_supervision + window: 2031-2032 + outcomes: + - regulator_proof_portal + - supervised_autonomous_control_testing + - value_learning_evaluation_program + - societal_impact_scenario_library + - id: phase_6_2033_2035_civilizational_interop + window: 2033-2035 + outcomes: + - international_compute_governance_interop + - emergency_pause_proof_protocol + - multi_party_systemic_risk_simulations + - civilizational_ai_risk_board_reporting +milestones: + - id: s24_inventory_live + date: 2026-09-30 + deliverable: sentinel_v2_4_inventory_and_risk_tiering_live + - id: annex_iv_ci_gate + date: 2026-12-31 + deliverable: annex_iv_and_opa_release_gate_active_for_tier1 + - id: gai_soc_live + date: 2027-06-30 + deliverable: gai_soc_and_autonomous_supervisory_agents_live + - id: red_dawn_1 + date: 2027-12-31 + deliverable: first_board_observed_red_dawn_exercise_closed + - id: containment_lab + date: 2028-06-30 + deliverable: omni_sentinel_containment_lab_operational + - id: pqc_worm + date: 2028-12-31 + deliverable: pqc_hybrid_worm_evidence_operational + - id: gc_ir + date: 2029-06-30 + deliverable: gc_ir_bridge_pilot_with_selective_disclosure + - id: compute_registry + date: 2029-12-31 + deliverable: civilizational_compute_registry_adapter_live + - id: perpetual_assurance + date: 2030-12-31 + deliverable: bbom_perpetual_assurance_steady_state + - id: proof_portal + date: 2032-06-30 + deliverable: regulator_zk_proof_portal_operational + - id: emergency_pause_proof + date: 2034-06-30 + deliverable: emergency_pause_conformance_proof_protocol + - id: global_interop + date: 2035-12-31 + deliverable: international_civilizational_ai_governance_interoperability +control_threads: + - id: inventory_and_tiering + controls: [AI-INVENTORY, G-SRI, ANNEX-IV-COMPLETE] + - id: containment_and_safety + controls: [OMNI-EGRESS-DENY, KILL-SWITCH, RED-DAWN] + - id: privacy_preserving_compliance + controls: [ZK-SYSTEMIC-RISK, ZK-FAIR-LENDING, GC-IR] + - id: assurance_and_evidence + controls: [BBOM, KAFKA-WORM-PQC, REPLAY] diff --git a/artifacts/templates/gc-ir-bridge-event.json b/artifacts/templates/gc-ir-bridge-event.json new file mode 100644 index 00000000..1a8da0a7 --- /dev/null +++ b/artifacts/templates/gc-ir-bridge-event.json @@ -0,0 +1,32 @@ +{ + "schema_version": "1.0", + "event_type": "zk_compliance_proof_submission", + "event_id": "gc-ir-evt-2026-000001", + "submitted_at": "2026-05-28T00:00:00Z", + "institution_id": "example-gsifi", + "system_id": "credit-agent-eu-001", + "jurisdictions": ["EU", "US", "UK", "SG", "HK"], + "proof": { + "proof_id": "proof-gsri-000001", + "circuit_id": "g_sri_systemic_risk_v1", + "proving_system": "groth16", + "public_signals": { + "risk_band": "50-74", + "policy_version": "2026.05", + "evidence_commitment": "sha256:REPLACE_WITH_COMMITMENT" + }, + "verifier_result": "verified" + }, + "selective_disclosure": { + "legal_basis": "supervisory_request", + "fields_authorized": ["risk_band", "policy_version", "control_status"], + "expires_at": "2026-06-27T00:00:00Z" + }, + "signatures": [ + { + "key_id": "kms://governance/pqc-hybrid-001", + "algorithm": "ECDSA_P256_PLUS_ML_DSA_65", + "signature": "BASE64_SIGNATURE_PLACEHOLDER" + } + ] +} diff --git a/artifacts/templates/regulator-technical-report-2035.xml b/artifacts/templates/regulator-technical-report-2035.xml new file mode 100644 index 00000000..654ad29e --- /dev/null +++ b/artifacts/templates/regulator-technical-report-2035.xml @@ -0,0 +1,19 @@ + + Regulator-Ready AGI/ASI Governance Technical Report for SYSTEM_ID + + Concise description of the AI system, business purpose, regulatory role, + model lineage, risk tier, jurisdictions, containment posture, zero-knowledge + proof status, residual risks, and executive attestation state. + + +
Inventory, owners, jurisdictions, risk tier, dependencies, and deployment environments.
+
Model, data, agent, tool, control, containment, telemetry, and assurance architecture.
+
Mapped legal, prudential, privacy, cyber, conduct, and civilizational governance obligations.
+
EU AI Act Annex IV technical documentation extract and completeness proof references.
+
SR 11-7/Basel validation, conceptual soundness, limitations, overlays, and monitoring.
+
Red-team, Red Dawn, autonomy, cyber, misuse, alignment, and containment evaluation results.
+
Proof identifiers, circuit versions, public signals, verifier results, and selective-disclosure log.
+
Incident history, notification clocks, root cause, remediation, and regulator communication record.
+
Control-owner, executive, board, and independent assurance signatures.
+
+
diff --git a/artifacts/tla/OmniSentinelContainment.tla b/artifacts/tla/OmniSentinelContainment.tla new file mode 100644 index 00000000..7b7f676a --- /dev/null +++ b/artifacts/tla/OmniSentinelContainment.tla @@ -0,0 +1,118 @@ +---------------------------- MODULE OmniSentinelContainment ---------------------------- +EXTENDS Naturals, Sequences, TLC + +(*************************************************************************** + * Reference TLA+ containment model for Sentinel AI Governance Stack v2.4. * + * The model is intentionally compact so platform teams can extend it with * + * environment-specific states, policy predicates, and liveness checks. * + ****************************************************************************) + +CONSTANTS Agents, Tools, Destinations, DataClasses + +VARIABLES + state, + approvedEgress, + toolGrant, + evidence, + emergencyStop, + witnessLocation, + policyVersion, + credentialVersion, + boundaryVersion + +States == {"Init", "Contained", "Actuating", "Stopped"} +WitnessZones == {"ProofPlane", "CommitmentOnly", "External"} +PrivilegedState == <> +Vars == <> + +Init == + /\ state \in [Agents -> "Contained"] + /\ approvedEgress \subseteq Agents \X Destinations \X DataClasses + /\ toolGrant \subseteq Agents \X Tools + /\ evidence = <<>> + /\ emergencyStop = FALSE + /\ witnessLocation = "ProofPlane" + /\ policyVersion = 0 + /\ credentialVersion = 0 + /\ boundaryVersion = 0 + +ApprovedNetworkUse(a, d, c) == <> \in approvedEgress +ApprovedToolUse(a, t) == <> \in toolGrant + +RequestEgress(a, d, c) == + /\ state[a] # "Stopped" + /\ ApprovedNetworkUse(a, d, c) + /\ evidence' = Append(evidence, [kind |-> "egress", agent |-> a, dest |-> d, class |-> c]) + /\ UNCHANGED <> + +DenyEgress(a, d, c) == + /\ state[a] # "Stopped" + /\ ~ApprovedNetworkUse(a, d, c) + /\ evidence' = Append(evidence, [kind |-> "egress_denied", agent |-> a, dest |-> d, class |-> c]) + /\ UNCHANGED <> + +UseTool(a, t) == + /\ state[a] = "Contained" + /\ ApprovedToolUse(a, t) + /\ state' = [state EXCEPT ![a] = "Actuating"] + /\ evidence' = Append(evidence, [kind |-> "tool_use", agent |-> a, tool |-> t]) + /\ UNCHANGED <> + +CompleteToolUse(a) == + /\ state[a] = "Actuating" + /\ state' = [state EXCEPT ![a] = "Contained"] + /\ evidence' = Append(evidence, [kind |-> "tool_complete", agent |-> a]) + /\ UNCHANGED <> + +AssertEmergencyStop == + /\ emergencyStop = FALSE + /\ emergencyStop' = TRUE + /\ evidence' = Append(evidence, [kind |-> "emergency_stop_asserted"]) + /\ UNCHANGED <> + +StopAgent(a) == + /\ emergencyStop = TRUE + /\ state[a] # "Stopped" + /\ state' = [state EXCEPT ![a] = "Stopped"] + /\ evidence' = Append(evidence, [kind |-> "agent_stopped", agent |-> a]) + /\ UNCHANGED <> + +PublishCommitment == + /\ witnessLocation = "ProofPlane" + /\ witnessLocation' = "CommitmentOnly" + /\ evidence' = Append(evidence, [kind |-> "zk_commitment_published"]) + /\ UNCHANGED <> + +Next == + \/ \E a \in Agents, d \in Destinations, c \in DataClasses: RequestEgress(a, d, c) + \/ \E a \in Agents, d \in Destinations, c \in DataClasses: DenyEgress(a, d, c) + \/ \E a \in Agents, t \in Tools: UseTool(a, t) + \/ \E a \in Agents: CompleteToolUse(a) + \/ AssertEmergencyStop + \/ \E a \in Agents: StopAgent(a) + \/ PublishCommitment + +Fairness == \A a \in Agents: WF_Vars(StopAgent(a)) + +NoUnapprovedEgress == + \A i \in 1..Len(evidence): + evidence[i].kind = "egress" => + <> \in approvedEgress + +KillSwitchEventuallyStopsActuation == + emergencyStop ~> \A a \in Agents: state[a] = "Stopped" + +NoPrivilegedSelfModification == + /\ policyVersion = 0 + /\ credentialVersion = 0 + /\ boundaryVersion = 0 + +WitnessConfidentiality == witnessLocation # "External" + +Spec == Init /\ [][Next]_Vars /\ Fairness + +THEOREM Spec => []NoUnapprovedEgress +THEOREM Spec => KillSwitchEventuallyStopsActuation +THEOREM Spec => []NoPrivilegedSelfModification +THEOREM Spec => []WitnessConfidentiality +================================================================================ diff --git a/artifacts/validate_artifacts.py b/artifacts/validate_artifacts.py index 14862193..2216112a 100644 --- a/artifacts/validate_artifacts.py +++ b/artifacts/validate_artifacts.py @@ -6,18 +6,22 @@ - XML parse and required section checks - Minimal JSON-Schema-like validation for the Annex IV example payload - Cross-reference checks for control mappings -- Roadmap milestone date-range checks for 2026-2030 horizon +- Roadmap milestone date-range checks for 2026-2030 and 2026-2035 horizons +- Extended AGI/ASI governance artifact checks for report tags, OSCAL controls, + regulatory mappings, Rego gates, TLA+ specs, Circom circuits, and templates - Manifest checksum verification for tamper evidence """ from __future__ import annotations import argparse +import csv import json import sys +import xml.etree.ElementTree as ET from datetime import date, datetime from pathlib import Path -import xml.etree.ElementTree as ET +from uuid import UUID import yaml @@ -37,6 +41,35 @@ "attestation", } +REQUIRED_EXTENDED_REPORT_SECTION_IDS = { + "scope", + "architecture", + "obligations", + "annex_iv", + "model-risk", + "safety-evals", + "zk-proofs", + "incidents", + "attestation", +} + +REQUIRED_REGULATORY_MAPPING_FRAMEWORKS = { + "EU AI Act Annex IV", + "EU AI Act GPAI systemic risk", + "NIST AI RMF 1.0", + "NIST AI 600-1", + "ISO/IEC 42001", + "Basel III IV", + "SR 11-7", + "DORA", + "NIS2", + "GDPR", + "FCRA ECOA", + "MAS HKMA FEAT", + "FCA SMCR Consumer Duty", + "ICGC GASO", +} + def load_manifest_targets() -> set[str]: try: @@ -65,6 +98,7 @@ def load_json(path: Path) -> dict: except json.JSONDecodeError as exc: raise ValidationError(f"invalid JSON in artifact file: {display_artifact_path(path)}") from exc + def validate_required_keys(obj: dict, required: list[str], label: str) -> None: missing = [k for k in required if k not in obj] if missing: @@ -131,14 +165,24 @@ def validate_control_catalog(controls: dict) -> None: raise ValidationError(f"mapping {mapping_name} references unknown control id: {control_id}") -def validate_roadmap(roadmap: dict) -> None: +def validate_roadmap(roadmap: dict, *, min_year: int = 2026, max_year: int = 2030) -> None: validate_required_keys(roadmap, ["version", "name", "horizon", "phases", "milestones"], "roadmap") + phase_ids: set[str] = set() + for phase in roadmap["phases"]: + validate_required_keys(phase, ["id", "window", "outcomes" if max_year > 2030 else "objectives"], "roadmap phase") + if phase["id"] in phase_ids: + raise ValidationError(f"duplicate roadmap phase id: {phase['id']}") + phase_ids.add(phase["id"]) + milestone_ids: set[str] = set() for milestone in roadmap["milestones"]: validate_required_keys(milestone, ["id", "date", "deliverable"], "milestone") + if milestone["id"] in milestone_ids: + raise ValidationError(f"duplicate roadmap milestone id: {milestone['id']}") + milestone_ids.add(milestone["id"]) milestone_date = milestone["date"] if not isinstance(milestone_date, date): milestone_date = date.fromisoformat(str(milestone_date)) - if milestone_date.year < 2026 or milestone_date.year > 2030: + if milestone_date.year < min_year or milestone_date.year > max_year: raise ValidationError(f"milestone {milestone['id']} has out-of-range date: {milestone_date}") @@ -155,6 +199,206 @@ def validate_report_template(path: Path) -> None: raise ValidationError(f"regulator report template missing section ids: {sorted(missing)}") + +def validate_balanced_delimiters(text: str, path: Path, pairs: dict[str, str]) -> None: + stack: list[str] = [] + openers = set(pairs) + closers = {close: open_ for open_, close in pairs.items()} + for char in text: + if char in openers: + stack.append(char) + elif char in closers: + if not stack or stack[-1] != closers[char]: + raise ValidationError(f"{display_artifact_path(path)} has unbalanced delimiter: {char}") + stack.pop() + if stack: + raise ValidationError(f"{display_artifact_path(path)} has unclosed delimiter: {stack[-1]}") + + +def validate_extended_markdown_report(path: Path) -> None: + try: + text = path.read_text(encoding="utf-8") + except FileNotFoundError as exc: + raise ValidationError(f"required artifact file missing: {display_artifact_path(path)}") from exc + for tag in ["title", "abstract", "content"]: + if f"<{tag}>" not in text or f"" not in text: + raise ValidationError(f"extended report missing <{tag}> tag pair") + required_phrases = [ + "Sentinel AI Governance Stack v2.4", + "Omni-Sentinel containment", + "Zero-knowledge regulatory compliance", + "Kafka-based PQC WORM audit logging", + "ICGC Phase 1 and Phase 2 zk-verified controls", + ] + for phrase in required_phrases: + if phrase not in text: + raise ValidationError(f"extended report missing required topic: {phrase}") + + +def validate_extended_report_template(path: Path) -> None: + tree = ET.parse(path) + root = tree.getroot() + if root.tag != "report": + raise ValidationError("extended regulator report template root must be ") + if root.find("title") is None or root.find("abstract") is None: + raise ValidationError("extended regulator report template missing title or abstract") + content = root.find("content") + if content is None: + raise ValidationError("extended regulator report template missing element") + section_ids = {section.attrib.get("id") for section in content.findall("section")} + missing = REQUIRED_EXTENDED_REPORT_SECTION_IDS - section_ids + if missing: + raise ValidationError(f"extended regulator report template missing section ids: {sorted(missing)}") + + +def validate_oscal_catalog(catalog: dict) -> None: + validate_required_keys(catalog, ["catalog"], "OSCAL catalog document") + root = catalog["catalog"] + validate_required_keys(root, ["uuid", "metadata", "groups"], "OSCAL catalog") + try: + UUID(root["uuid"]) + except (TypeError, ValueError) as exc: + raise ValidationError("OSCAL catalog uuid must be a valid UUID") from exc + validate_required_keys(root["metadata"], ["title", "last-modified", "version", "oscal-version", "roles"], "OSCAL metadata") + try: + datetime.fromisoformat(root["metadata"]["last-modified"].replace("Z", "+00:00")) + except ValueError as exc: + raise ValidationError("OSCAL metadata last-modified must be valid ISO-8601") from exc + control_ids: set[str] = set() + for group in root["groups"]: + validate_required_keys(group, ["id", "title", "controls"], "OSCAL group") + for control in group["controls"]: + validate_required_keys(control, ["id", "title", "props", "parts"], "OSCAL control") + if control["id"] in control_ids: + raise ValidationError(f"duplicate OSCAL control id: {control['id']}") + control_ids.add(control["id"]) + if not any(prop.get("name") == "maps-to" for prop in control["props"]): + raise ValidationError(f"OSCAL control {control['id']} missing maps-to property") + required_controls = {"SG-01", "SG-02", "OC-01", "OC-02", "ZA-01", "ZA-02"} + missing_controls = required_controls - control_ids + if missing_controls: + raise ValidationError(f"OSCAL catalog missing required controls: {sorted(missing_controls)}") + + +def validate_regulatory_mapping_csv(path: Path) -> None: + try: + with path.open("r", encoding="utf-8", newline="") as f: + rows = list(csv.DictReader(f)) + except FileNotFoundError as exc: + raise ValidationError(f"required artifact file missing: {display_artifact_path(path)}") from exc + required_headers = {"framework", "control_objective", "technical_artifact", "evidence_source", "primary_owner", "cadence"} + if not rows: + raise ValidationError("regulatory mapping CSV must contain at least one row") + if set(rows[0].keys()) != required_headers: + raise ValidationError("regulatory mapping CSV headers do not match required schema") + frameworks = {row["framework"] for row in rows} + missing = REQUIRED_REGULATORY_MAPPING_FRAMEWORKS - frameworks + if missing: + raise ValidationError(f"regulatory mapping CSV missing frameworks: {sorted(missing)}") + for idx, row in enumerate(rows, start=2): + for header in required_headers: + if not row[header].strip(): + raise ValidationError(f"regulatory mapping CSV row {idx} has empty {header}") + + +def validate_rego_policy(path: Path) -> None: + try: + text = path.read_text(encoding="utf-8") + except FileNotFoundError as exc: + raise ValidationError(f"required artifact file missing: {display_artifact_path(path)}") from exc + validate_balanced_delimiters(text, path, {"{": "}", "[": "]", "(": ")"}) + required_snippets = [ + "package sentinel.release.v24", + "default allow := false", + "deny contains msg if", + "model_validation_approved if", + "zk_proof_verified if", + "annex_iv_complete", + "gpai_supplier_due_diligence_complete", + "egress_default_deny", + "kill_switch_tested", + "g_sri_score", + ] + for snippet in required_snippets: + if snippet not in text: + raise ValidationError(f"Rego release gate missing snippet: {snippet}") + + +def validate_tla_spec(path: Path) -> None: + try: + text = path.read_text(encoding="utf-8") + except FileNotFoundError as exc: + raise ValidationError(f"required artifact file missing: {display_artifact_path(path)}") from exc + if text.count("(*") != text.count("*)"): + raise ValidationError("TLA+ containment spec has unbalanced comments") + required_snippets = [ + "MODULE OmniSentinelContainment", + "Vars ==", + "Fairness ==", + "NoUnapprovedEgress ==", + "KillSwitchEventuallyStopsActuation ==", + "NoPrivilegedSelfModification ==", + "WitnessConfidentiality ==", + "THEOREM Spec => []NoUnapprovedEgress", + "THEOREM Spec => KillSwitchEventuallyStopsActuation", + "THEOREM Spec => []NoPrivilegedSelfModification", + "THEOREM Spec => []WitnessConfidentiality", + ] + for snippet in required_snippets: + if snippet not in text: + raise ValidationError(f"TLA+ containment spec missing snippet: {snippet}") + + +def validate_circom_circuit(path: Path) -> None: + try: + text = path.read_text(encoding="utf-8") + except FileNotFoundError as exc: + raise ValidationError(f"required artifact file missing: {display_artifact_path(path)}") from exc + validate_balanced_delimiters(text, path, {"{": "}", "[": "]", "(": ")"}) + required_snippets = [ + "pragma circom 2.1.6;", + "template GSRIWeightedSum(n)", + "signal output inBand;", + "publicPolicyVersion", + "publicEvidenceCommitment", + "component main {public [thresholdLow, thresholdHigh, policyVersion, evidenceCommitment]}", + ] + for snippet in required_snippets: + if snippet not in text: + raise ValidationError(f"Circom G-SRI circuit missing snippet: {snippet}") + + +def validate_gc_ir_event(event: dict) -> None: + validate_required_keys(event, ["schema_version", "event_type", "event_id", "submitted_at", "institution_id", "system_id", "jurisdictions", "proof", "selective_disclosure", "signatures"], "GC-IR event") + if event["event_type"] != "zk_compliance_proof_submission": + raise ValidationError("GC-IR event_type must be zk_compliance_proof_submission") + try: + datetime.fromisoformat(event["submitted_at"].replace("Z", "+00:00")) + except ValueError as exc: + raise ValidationError("GC-IR submitted_at must be valid ISO-8601") from exc + ensure_type(event["jurisdictions"], "array", "GC-IR jurisdictions") + proof = event["proof"] + validate_required_keys(proof, ["proof_id", "circuit_id", "proving_system", "public_signals", "verifier_result"], "GC-IR proof") + if proof["verifier_result"] != "verified": + raise ValidationError("GC-IR proof verifier_result must be verified") + ensure_type(event["signatures"], "array", "GC-IR signatures") + if not event["signatures"]: + raise ValidationError("GC-IR event requires at least one signature placeholder") + + +def validate_extended_artifacts() -> None: + validate_extended_markdown_report(ARTIFACTS_DIR / "enterprise-agi-asi-governance-reference-architecture-2026-2035.md") + with (ARTIFACTS_DIR / "roadmap-2026-2035.yaml").open("r", encoding="utf-8") as f: + validate_roadmap(yaml.safe_load(f), min_year=2026, max_year=2035) + validate_regulatory_mapping_csv(ARTIFACTS_DIR / "data" / "multi_jurisdiction_regulatory_mapping_2026_2035.csv") + validate_oscal_catalog(load_json(ARTIFACTS_DIR / "oscal" / "sentinel-ai-control-catalog-oscal.json")) + validate_rego_policy(ARTIFACTS_DIR / "policies" / "sentinel_ai_release_gate_v24.rego") + validate_tla_spec(ARTIFACTS_DIR / "tla" / "OmniSentinelContainment.tla") + validate_circom_circuit(ARTIFACTS_DIR / "circuits" / "g_sri_systemic_risk.circom") + validate_gc_ir_event(load_json(ARTIFACTS_DIR / "templates" / "gc-ir-bridge-event.json")) + validate_extended_report_template(ARTIFACTS_DIR / "templates" / "regulator-technical-report-2035.xml") + + def validate_manifest(artifacts_dir: Path, manifest: dict) -> None: validate_required_keys(manifest, ["version", "generated_at", "files"], "manifest") if manifest.get("version") != "1.1": @@ -209,6 +453,7 @@ def run_validation(include_manifest: bool = True) -> dict: validate_control_catalog(controls) validate_roadmap(roadmap) validate_report_template(ARTIFACTS_DIR / "regulator-report-template.xml") + validate_extended_artifacts() checks = { "schema_documents": "pass", @@ -216,6 +461,7 @@ def run_validation(include_manifest: bool = True) -> dict: "control_catalog": "pass", "roadmap": "pass", "report_template": "pass", + "extended_2026_2035_artifacts": "pass", "manifest": "skipped", } diff --git a/unit_tests/test_artifacts_validation.py b/unit_tests/test_artifacts_validation.py index 480906ea..42add81f 100644 --- a/unit_tests/test_artifacts_validation.py +++ b/unit_tests/test_artifacts_validation.py @@ -15,8 +15,13 @@ load_manifest_targets, run_cli, validate_control_catalog, + validate_extended_artifacts, + validate_circom_circuit, validate_manifest, + validate_oscal_catalog, + validate_rego_policy, validate_schema_documents, + validate_tla_spec, ) @@ -114,6 +119,95 @@ def test_manifest_targets_contains_expected_blueprint_file(): assert "enterprise-civilizational-agi-asi-blueprint-2026-2030.md" in targets +def test_manifest_targets_contains_extended_governance_artifacts(): + targets = load_manifest_targets() + expected = { + "enterprise-agi-asi-governance-reference-architecture-2026-2035.md", + "roadmap-2026-2035.yaml", + "data/multi_jurisdiction_regulatory_mapping_2026_2035.csv", + "oscal/sentinel-ai-control-catalog-oscal.json", + "policies/sentinel_ai_release_gate_v24.rego", + "tla/OmniSentinelContainment.tla", + "circuits/g_sri_systemic_risk.circom", + "templates/gc-ir-bridge-event.json", + "templates/regulator-technical-report-2035.xml", + } + assert expected <= targets + + +def test_extended_governance_artifacts_validate(): + validate_extended_artifacts() + + +def test_oscal_catalog_invalid_uuid_fails(): + bad_catalog = { + "catalog": { + "uuid": "not-a-uuid", + "metadata": { + "title": "bad", + "last-modified": "2026-05-28T00:00:00Z", + "version": "1.0", + "oscal-version": "1.1.2", + "roles": [], + }, + "groups": [], + } + } + with pytest.raises(ValidationError, match="valid UUID"): + validate_oscal_catalog(bad_catalog) + + +def test_rego_policy_requires_explicit_approval_helpers(tmp_path): + policy = tmp_path / "bad.rego" + policy.write_text( + "package sentinel.release.v24\n" + "default allow := false\n" + "deny contains msg if { annex_iv_complete }\n" + "gpai_supplier_due_diligence_complete := true\n" + "egress_default_deny := true\n" + "kill_switch_tested := true\n" + "g_sri_score := 0\n", + encoding="utf-8", + ) + + with pytest.raises(ValidationError, match="model_validation_approved"): + validate_rego_policy(policy) + + +def test_tla_spec_requires_kill_switch_and_privileged_theorems(tmp_path): + spec = tmp_path / "bad.tla" + spec.write_text( + "---- MODULE OmniSentinelContainment ----\n" + "Vars == <>\n" + "Fairness == TRUE\n" + "NoUnapprovedEgress == TRUE\n" + "KillSwitchEventuallyStopsActuation == TRUE\n" + "NoPrivilegedSelfModification == TRUE\n" + "WitnessConfidentiality == TRUE\n" + "THEOREM Spec => []NoUnapprovedEgress\n" + "THEOREM Spec => []WitnessConfidentiality\n" + "====\n", + encoding="utf-8", + ) + + with pytest.raises(ValidationError, match="KillSwitchEventuallyStopsActuation"): + validate_tla_spec(spec) + + +def test_circom_circuit_rejects_unbalanced_delimiters(tmp_path): + circuit = tmp_path / "bad.circom" + circuit.write_text( + "pragma circom 2.1.6;\n" + "template GSRIWeightedSum(n) { signal output inBand;\n" + "publicPolicyVersion publicEvidenceCommitment\n" + "component main {public [thresholdLow, thresholdHigh, policyVersion, evidenceCommitment]}\n", + encoding="utf-8", + ) + + with pytest.raises(ValidationError, match="unclosed delimiter"): + validate_circom_circuit(circuit) + + def test_build_manifest_reproducible_timestamp(monkeypatch): monkeypatch.setenv("SOURCE_DATE_EPOCH", "1767225600") payload = build_manifest_payload()