Govern
AIAM + 4-framework compliance reporting
Today: audit-logger.ts (143 lines, fully implemented) · admin dashboard with pagination/filter · client_keys table · OWASP Agentic Top 10 mapping 10/10 categories, 77 rule links · NIST AI RMF 100% mapped (1,566 mappings, ATR v2.1.0) · Migrator Enterprise auto-tags EU AI Act + ISO 42001 · Q2 2026: pga report unifies all frameworks · Q3 2026: AIAM + SOC2 Type 1 attestation target.
WHAT THIS LAYER DOES
L7 Govern is what compliance teams and auditors see. Today: audit log of every admin action (actor, IP, timestamp), client key registration + revocation, OWASP Agentic Top 10 mapping (10/10), NIST AI RMF mapping (100% / 1,566 mappings shipped in ATR v2.1.0), EU AI Act + ISO 42001 metadata auto-tagged via Migrator Enterprise. Q2 2026: `pga report --framework <name>` produces per-rule Markdown / PDF reports. Q3 2026: AIAM — agent identity, scope, delegation.
WHY YOU NEED IT
EU AI Act enforces 2026-08-02. Colorado AI Act 2026-06-01. F500 RFPs are asking for per-rule framework mapping, not just "we scan." Auditors need a path from detected event → triggered rule → controlled article. Compliance teams need SOC2 Type II attestation. We publish honest timelines and commit to them.
HOW IT WORKS
Today: threat-cloud/src/audit-logger.ts with audit_log SQLite migrations v2-v3. ATR v2.1.0 rules ship with `compliance.nist_ai_rmf` metadata block (1,566 mappings). Migrator Enterprise auto-tags EU AI Act articles + ISO 42001 clauses on every converted rule. Q2 2026: `pga report` reads rule YAML + TC audit log to build Markdown / PDF reports. Q3 2026: AIAM package (panguard-auth) — OAuth 2.0 device flow, JWT issue/verify, policy evaluator.
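The join this report step performs, as an added example that is not the project's own code: rule metadata carrying a per-framework compliance block is matched against audit-log events to produce the detected event, triggered rule, controlled article trail an auditor asks for, and rules with no mapping are reported as the attestation gap instead of being dropped. The metadata shape, rule ids, event fields and control identifiers below are assumptions modelled on this page, not the real ATR schema.

```typescript
// Added example, not the project's own code: build the auditor's trail
// "detected event -> triggered rule -> controlled article" from a rule set and
// an audit log. The rule metadata shape (a `compliance` block keyed by
// framework) and the event fields are assumptions modelled on the page.
type Framework = "nist_ai_rmf" | "eu_ai_act" | "iso_42001";
interface Rule { id: string; compliance: Partial<Record<Framework, string[]>> }
interface AuditEvent {
  ts: string;     // ISO-8601 timestamp of the admin action
  actor: string;  // admin identity that performed it
  ip: string;     // source IP of the request
  action: string; // rule.create | rule.delete | proposal.approve
  ruleId: string; // rule the action touched
}
interface TrailRow extends AuditEvent { controls: string[] }

// Constructed sample rules, as they would look after parsing rule YAML.
// Rule ids are placeholders; control identifiers are illustrative.
const RULES: Rule[] = [
  { id: "RULE-0001", compliance: { nist_ai_rmf: ["GOVERN 1.1", "MANAGE 2.2"], eu_ai_act: ["Article 9"] } },
  { id: "RULE-0002", compliance: { nist_ai_rmf: ["MEASURE 2.7"] } },
  { id: "RULE-0003", compliance: {} }, // unmapped: must surface as a gap, not vanish
];

// Constructed sample audit-log rows (actor, IP, timestamp, as the page lists).
const EVENTS: AuditEvent[] = [
  { ts: "2026-03-01T09:12:00Z", actor: "alice", ip: "203.0.113.7", action: "rule.create", ruleId: "RULE-0001" },
  { ts: "2026-03-01T09:15:00Z", actor: "bob", ip: "203.0.113.9", action: "proposal.approve", ruleId: "RULE-0002" },
  { ts: "2026-03-02T17:40:00Z", actor: "alice", ip: "198.51.100.4", action: "rule.delete", ruleId: "RULE-0003" },
];

// Join each event to the controls its rule maps to under one framework. An
// event whose rule has no mapping keeps an empty list so the report shows the
// attestation gap instead of silently dropping the event.
function buildTrail(events: AuditEvent[], rules: Rule[], fw: Framework): TrailRow[] {
  return events.map(e => ({ ...e, controls: rules.find(r => r.id === e.ruleId)?.compliance[fw] ?? [] }));
}

// Rule ids with no mapping for the framework: the "compliance attestation gap".
function unmappedRules(rules: Rule[], fw: Framework): string[] {
  return rules.filter(r => (r.compliance[fw] ?? []).length === 0).map(r => r.id);
}

// Render the trail as a Markdown table, one row per event, gaps marked UNMAPPED.
function renderMarkdown(rows: TrailRow[], fw: Framework): string {
  const head = `| timestamp | actor | ip | action | rule | ${fw} controls |\n|---|---|---|---|---|---|`;
  const body = rows.map(r =>
    `| ${r.ts} | ${r.actor} | ${r.ip} | ${r.action} | ${r.ruleId} | ${r.controls.join(", ") || "UNMAPPED"} |`);
  return [head, ...body].join("\n");
}
```

Running `unmappedRules` per framework before rendering gives the per-framework gap list the report can lead with.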
TRY IT NOW
Check sensor registration + audit log status today:
pga sensor status
ATTACKS THIS LAYER CATCHES
Concrete threats, concrete controls
Unauthorized admin action
HIGH: Audit log captures every rule create / delete / proposal approve with actor + IP — forensic trail preserved even if admin account is compromised.
Compliance attestation gap
MEDIUM: Without per-rule framework mapping, auditors cannot validate EU AI Act Article 9 risk controls → Q2 2026 fix.