Govern
AIAM + 4-framework compliance reporting
Today: audit-logger.ts (143 lines, fully implemented) · admin dashboard with pagination/filter · client_keys table · OWASP Agentic Top 10 mapping 10/10 categories, 866 rule links · NIST AI RMF per-rule metadata mapping (submission in review) · Migrator Enterprise auto-tags EU AI Act + ISO 42001 · Planned: pga report unifies all frameworks · AIAM · SOC 2 Type 1 in preparation.
WHAT THIS LAYER DOES
L7 Govern is what compliance teams and auditors see. Today: audit log of every admin action (actor, IP, timestamp), client key registration + revocation, OWASP Agentic Top 10 mapping (10/10), NIST AI RMF mapping (100% / 1,566 mappings shipped in ATR v2.1.0), EU AI Act + ISO 42001 metadata auto-tagged via Migrator Enterprise. Planned: `pga report --framework <name>` for per-rule Markdown / PDF reports, and AIAM — agent identity, scope, delegation.
WHY YOU NEED IT
EU AI Act high-risk obligations are enforced from December 2027 (omnibus delay). Colorado AI Act enforcement began 2026-06-01. F500 RFPs are asking for per-rule framework mapping, not just "we scan." Auditors need a path from detected event → triggered rule → controlled article. Compliance teams need SOC2 Type II attestation. We publish honest timelines and commit to them.
HOW IT WORKS
Today: threat-cloud/src/audit-logger.ts with audit_log SQLite migrations v2-v3. ATR v2.1.0 rules ship with `compliance.nist_ai_rmf` metadata block (1,566 mappings). Migrator Enterprise auto-tags EU AI Act articles + ISO 42001 clauses on every converted rule. Planned: `pga report` reads rule YAML + TC audit log to build Markdown / PDF reports; AIAM package (panguard-auth) — OAuth 2.0 device flow, JWT issue/verify, policy evaluator.
TRY IT NOW
Check sensor registration + audit log status today:
pga sensor statusATTACKS THIS LAYER CATCHES
Concrete threats, concrete controls
Unauthorized admin action
HIGHAudit log captures every rule create / delete / proposal approve with actor + IP — forensic trail preserved even if admin account is compromised.
Compliance attestation gap
MEDIUMWithout per-rule framework mapping, auditors cannot validate EU AI Act Article 9 risk controls → fix planned.