01 / 08
Governance & Compliance

Governance & Compliance Framework

AI Under Control + Industry Regulations Built-In. Complete autonomous agent oversight with SOC 2 Type 2 alignment and regulated vertical support.

  • 18 AI Governance Controls
  • 8 Industry Verticals
  • 120-150 Target Controls
  • 5 Defense Layers
02 / 08

Governance & Compliance: The Strategic Advantage

AI Under Control + Industry Regulations Built-In

  • 18 Controls
  • 100% Compliant
  • <4hr Drift Detection
  • 76% Cost Savings

  • Claude Code SDLC: Bias detection, security scanning, audit trails, quarterly reviews
  • Poetry Chatbot: OTEL tracing, hallucination scoring, PII scrubbing, evidence gen
  • CortexOne Functions: Cost tracking, usage metrics, audit trails, model routing

Regulated Verticals Built-In

  • 💊 Pharmaceuticals: FDA OPDP - Fair Balance; Off-label Prohibition
  • 🏦 Financial Services: SEC - FINRA - CFPB; APR Disclosures
  • 🏥 Healthcare: CMS - HHS; Medicare Ad Approval
  • 🎰 Gaming & Betting: State Gaming Commissions; Responsible Gaming
  • 🍺 Alcohol & Cannabis: TTB - State Authorities; Age-Gating Required
  • 🛡 Defense & Aerospace: DoD - ITAR/EAR; Export Controls
  • 🎓 Education: Dept of Education; Outcome Claims
  • 📈 + More Daily: AI targeting = new risk; Pattern expanding
03 / 08

AI Governance Framework

18 Controls Across 5 Categories - Complete Autonomous Agent Oversight

  • 18 Controls
  • 5 Categories
  • 100% Automated
  • 13mo Retention
  • ~$55-75/month
🔍 TRANSPARENCY (3 Controls)
  • Intelligent model routing (H/S/O)
  • 87% success, 12h/wk saved
  • Explainable decisions
📜 ACCOUNTABILITY (3 Controls)
  • Decision audit trail
  • Data minimization
  • Human oversight gates
🔒 SECURITY (4 Controls)
  • Risk register updated
  • Security review integration
  • PII detection & masking
  • Incident response ready
📈 OBSERVABILITY (4 Controls)
  • Metrics collected
  • Drift detection alerts
  • SLA compliance >=99%
  • Continuous improvement
QUALITY (4 Controls)
  • Bias detection metrics
  • Fairness validation
  • LLM-as-Judge evaluation
  • Quarterly reviews

Tooling: Prometheus Metrics + Alerts · Phoenix LLM Tracing · Grafana Dashboards · OTEL Collection

Complete Framework: Every AI decision is logged, every model call is traced, every output is evaluated - automated governance that scales with your agents

04 / 08

Compliance Evidence Architecture

BPMN-Driven Automated Evidence Collection & Gap Detection

  • 10 Workers
  • 8 Evidence Types
  • 11 API Endpoints
  • 2 Portals

📥 EVIDENCE SOURCES
  • Access Logs
  • Backup Verification
  • Security Scans
  • Policy Documents
  • Attestations
⚙ BPMN WORKFLOW
  • compliance-monitoring.bpmn
  • Gap Detection Loop
  • Score Calculation
  • Alert Triggers
  • Dashboard Updates
🔌 EVIDENCE SERVICE
  • CRUD Operations
  • File Upload (S3/GCS)
  • Validation Rules
  • Audit Trail
  • API + GraphQL
📊 OUTPUTS
  • Compliance Scores
  • Gap Reports
  • Email/Slack Alerts
  • Real-time Dashboard
  • Audit Reports

Evidence types: ATTESTATION, AUDIT_LOG, SCREENSHOT, POLICY_DOC, CONFIG_FILE, API_RESPONSE, TEST_RESULT, CERTIFICATION

Automated Compliance: BPMN-orchestrated evidence collection with real-time gap detection - compliance becomes a continuous process, not an annual scramble

05 / 08

Multi-Persona Compliance Portals

Role-Based Views for Clients and Auditors

👤 Client Dashboard (/compliance/evidence)
  • 5 Pages
  • 28 Unit Tests
  • ✓ Evidence Submission UI
  • ✓ Compliance Score Display
  • ✓ Gap Remediation Actions
  • ✓ Framework Progress Tracking
  • ✓ Control Status Overview

🔍 Auditor Portal (/auditor/*)
  • 5 Pages
  • 80 Unit Tests
  • ✓ Evidence Review & Verification
  • ✓ Complete Audit Trail
  • ✓ Report Generation (PDF)
  • ✓ Framework-Specific Views
  • ✓ Compliance Dashboard

  • Dashboard: Metrics Overview
  • Evidence: Review & Verify
  • Reports: Generate & Export
  • Audit Trail: Complete History

Dual Persona Design: Clients manage their compliance posture while auditors verify evidence - 108 unit tests ensure reliability across both portals

06 / 08

GRC Framework Foundation

SOC 2 Type 2 + Rival AI Governance - 120-150 Controls Target

  • 120-150 Target Controls
  • 5 TSC Categories
  • 10 AI Domains
  • 10 PoC Controls

🛡 SOC 2 Trust Service Criteria

  • CC - Security: ~50-60 controls
  • A - Availability: ~10-15 controls
  • PI - Processing: ~8-10 controls
  • C - Confidentiality: ~8-10 controls
  • P - Privacy (+ GDPR): ~8-10 controls

🤖 Rival AI Governance (30-40 Controls)

  • Model Governance (MG): 5
  • Prompt Security (PS): 4
  • Agent Oversight (AO): 5
  • Cost Management (CM-AI): 3
  • Output Quality (OQ): 4
  • Data Governance (DG): 5
  • Observability (OB): 5
  • Incident Response (IR): 4
  • Vendor Management (VM): 3
  • Ethics & Fairness (EF): 4

PoC Controls: MG-1, MG-2, PS-1, AO-1, OB-1, AC-1, AU-1, CM-1, IA-1, IR-1

Right-Sized Framework: 120-150 controls targeting SOC 2 Type 2 certification - inspired by RI AI CoE 214-control framework, adapted for commercial SaaS

07 / 08

Security Posture: Comprehensive Protection

5-Layer Defense + 5-Gate CI/CD Security Pipeline | SOC 2 CC Aligned

  • 5 Defense Layers
  • 5 CI/CD Gates
  • 10 Scanning Tools
  • 15 Custom Rules
  • 8 HTTP Headers

🛡 Runtime Defense Layers

1. Edge (Cloudflare): WAF, DDoS, Zero Trust
2. Transport (TLS 1.3): HSTS, mTLS, Cert Pinning
3. Application (Next/Nest): CSP, Input Validation
4. Authorization (OPA): WASM, ABAC, Tenant Isolation
5. Data (PostgreSQL): RLS, Encryption at Rest
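As an added illustration of what the data layer's "RLS" control looks like in practice (example code, not the platform's own schema), the PostgreSQL policy below confines every read and write to the tenant bound to the current session; the table, column and role names and the `app.tenant_id` session setting are assumptions.

```sql
-- Added example (not the deck's own code): PostgreSQL row-level security
-- backing the "Data (PostgreSQL): RLS" layer. Table, column and role names
-- and the session setting app.tenant_id are assumptions.

CREATE ROLE app_user NOLOGIN;            -- role the application connects as

CREATE TABLE evidence (
    id         bigserial   PRIMARY KEY,
    tenant_id  uuid        NOT NULL,
    kind       text        NOT NULL,     -- e.g. AUDIT_LOG, POLICY_DOC
    payload    jsonb       NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and FORCE it: by default the table owner (and superusers)
-- bypass policies, so an app that connects as the owner would see everything.
ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidence FORCE ROW LEVEL SECURITY;

-- One policy for reads (USING) and writes (WITH CHECK). current_setting(...,
-- true) returns NULL when the setting was never defined; NULLIF also covers
-- the case where a previous transaction left it defined as ''. Either way
-- an unbound session compares against NULL and sees or writes no rows.
CREATE POLICY tenant_isolation ON evidence
    FOR ALL
    TO app_user
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON evidence TO app_user;

-- Per-request usage by the application, inside the request's transaction,
-- after the tenant id has been taken from the verified token (assumed flow):
--   SET LOCAL app.tenant_id = '<tenant uuid from the verified token>';
--   SELECT id, kind FROM evidence;        -- only this tenant's rows
--   INSERT INTO evidence (tenant_id, kind, payload) VALUES (...);
--     -> a row with a foreign tenant_id fails WITH CHECK and is rejected
```

Because the policy is evaluated inside the database, it still holds if the OPA layer above it is misconfigured or bypassed, which is the point of keeping tenant isolation at both layers.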

🔍 CI/CD Security Pipeline

Gate 1: SAST - ESLint Security + Semgrep (15 rules)
Gate 2: SCA - npm audit + Socket.dev (supply chain)
Gate 3: Secrets - Trivy FS + Gitleaks pre-commit
Gate 4: Config/IaC - Trivy config + Hadolint
Gate 5: Container - Trivy + Grype + SBOM

🔧 Security Toolchain

  • ESLint: Security Plugin
  • Semgrep: 15 Custom Rules
  • npm audit: Dependency Scan
  • Socket.dev: Supply Chain
  • Trivy: Container/Config
  • Grype: 2nd Opinion
  • Hadolint: Dockerfile
  • OPA/Rego: Policy Engine

SOC 2 Alignment: CC6.1 (Access) · CC6.6 (Encryption) · CC6.7 (Transmission) · CC7.2 (Monitoring) · CC8.1 (Change Management)

08 / 08

Key Takeaways

Why Governance & Compliance is a Strategic Advantage

AI Under Control

18 automated controls across 5 categories ensure every AI decision is logged, traced, and evaluated with complete audit trails.

Regulated Verticals Built-In

8 industry verticals with pre-built compliance rules - from Pharma (FDA OPDP) to FinServ (SEC/FINRA) to Healthcare (CMS).

Evidence Automation

BPMN-orchestrated evidence collection with real-time gap detection transforms compliance from annual scramble to continuous process.

GRC Foundation

120-150 controls targeting SOC 2 Type 2 certification with comprehensive AI governance domains and PoC controls ready.

The Bottom Line

Poetry builds compliance into the platform from day one - a strategic advantage for us and a competitive edge for our clients in an increasingly regulated AI landscape.