An open source, end-to-end certification pipeline that transforms FINOS AI Governance Framework (AIGF) guidance into discrete, machine-configurable controls with predefined success criteria and compliance enforcement techniques.
Organizations adopting FINOS frameworks face three key challenges:
- Generalized guidance -- AIGF mitigations provide valuable direction but lack the structured, binary mandates needed for automated implementation.
- No defined success criteria -- Without machine-readable control definitions, pathways for both adoption and validation remain ambiguous.
- No post-deployment enforcement -- There is no open source tooling for enforcing continued compliance at runtime after systems are deployed.
This project establishes FINOS's first certification pipeline by extending CALM bidirectionally -- formalizing AIGF guidance upstream through atomization and enforcing execution-dependent controls downstream through runtime policy evaluation.
Desired outcome: Each FINOS policy (e.g. AIGF) has a companion playbook with universally identifiable controls, predefined success criteria, and compliance enforcement techniques.
The certification pipeline transforms AIGF guidance into enforceable controls through three stages:
┌─────────────────┐
┌───>│ Architectural │───> CALM
│ │ Controls │
┌──────────────┐ ┌──────────┐ │ ├─────────────────┤
│ AIGF │ │ Atomize │ │ │ Runtime │───> CALM ──> Cupcake
│ Mitigation │───>│ and │───┤───>│ Controls │
│ Catalogue │ │Categorize│ │ ├─────────────────┤
└──────────────┘ └──────────┘ │ │ Procedural │───> EQTY Lab
└───>│ Controls │
└─────────────────┘
Extract guidance from AIGF's 23 mitigations and convert it into individual controls with binary mandates. Each control defines:
- Responsible party (e.g. system owners, system owners using RAG)
- Obligation type (must or may)
- Binary or near-binary mandate
Controls are categorized by type:
| Category | ~Share | Description | Modeled In |
|---|---|---|---|
| Architectural | ~50% | Infrastructure/topology decisions (e.g. data segmentation, encryption standards, isolated environments) | CALM |
| Runtime | ~25% | Per-request enforcement (e.g. output filtering, sensitive data detection, context-aware authorization) | CALM + Cupcake |
| Procedural | ~25% | Periodic audits and governance processes (e.g. data filtering audits, incident feedback loops) | CALM + EQTY Lab |
Populate control-specific attributes in CALM format:
- Control ID, name, and description
- Required evidence and enforcement method
- Binary, control-specific requirements
- (Optional) References to related AIGF mitigation categories
Example -- an architectural control for encryption at rest (P14-001):
{
"control-id": "P14-001",
"name": "Establishing Standards for Encrypting Data at Rest",
"description": "System owners must establish clear organizational policies...",
"approvedAlgorithms": ["AES-256", "AES-192", "AES-128-GCM"],
"minimumKeyLength": 256,
"modeOfOperation": "GCM",
"keyManagementSystem": "AWS KMS",
"keyRotationPolicy": "90-days"
}Translate execution-dependent controls into OPA/Rego policies that evaluate inputs, outputs, or agent actions at runtime. Define decision logic (allow, block, warn) applied by the Cupcake enforcement layer.
Only runtime controls flow through both CALM and Cupcake. Architectural controls are defined in CALM alone. Procedural controls are defined in CALM and monitored via external tooling.
This project leverages and complements several existing FINOS work streams pushing towards automated, machine-readable compliance:
| Project | Role in Pipeline |
|---|---|
| AI Governance Framework (AIGF) | Source framework -- risk catalogue with 23 mitigations |
| CALM (Common Architecture Language Model) | Schema for structuring controls in a consistent, machine-configurable format |
| AI Reference Architecture Library | FSI-specific reference architectures with threat models -- taxonomy for specific use cases |
| Gemara | GRC Engineering Model for converting written governance controls into machine-readable, automated policy rules |
| AI Evals Framework | Taxonomy for AI evaluations in finance -- defining evals for specific use cases |
This project focuses on the open source configuration layer:
Can:
- Validate that controls are correctly defined and modeled in CALM and Cupcake
- Monitor that a system's policy logic behaves correctly when passed through open-source enforcement engines
Cannot:
- Produce tamper-evident proof that enforcement occurred consistently in production
- Guarantee that runtime controls were applied on every execution without gaps
The complementary commercial verification layer (e.g. EQTY Lab Governance Studio) can provide tamper-proof evidence, continuous monitoring, audit-ready reports, and hardware-backed attestations for organizations requiring production-grade certification.
- Atomize AIGF mitigations -- Extract and categorize controls from all 23 AIGF mitigations into architectural, runtime, and procedural types
- Model controls in CALM -- Define CALM-format schemas with control-specific requirements and evidence definitions
- Implement Rego policies -- Translate runtime controls into OPA/Rego policies for Cupcake enforcement
- Validate end-to-end pipeline -- Demonstrate full certification flow from AIGF guidance through CALM definition to runtime enforcement
- Expand to additional FINOS frameworks -- Generalize the pipeline to support certification against other FINOS policies beyond AIGF
Copyright (c) Contributors to the AIGF Certification Pipeline project.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
SPDX-License-Identifier: Apache-2.0