The Governed AI
Requirements Standard
What it means for an autonomous AI system's actions to be governed: authorized before they happen, recorded when they happen, verifiable afterward.
Version 0.1 · draft for public comment · technology-neutral
Autonomous AI systems take actions: they send messages, move money, change records, call other systems. When those actions come from probabilistic reasoning rather than a human keystroke, the traditional chain of accountability breaks. This standard defines the requirements a system must meet for its actions to be governed. It is written so that a compliance officer can cite it, an auditor can test against it, and an implementer of any architecture can work toward it.
It governs what a system is permitted to do, not what a model is permitted to say.
How the tiers work
Requirements are organized into three conformance levels. A system states the highest level it meets, per requirement, and provides the listed evidence. The levels are a ladder, not a verdict.
Most systems governing existing agents will honestly reach Level 1 or 2. That is a real and useful posture. The standard exists to make the rungs legible, not to disqualify.
Definitions
Effect. Any observable action on state outside the system's own computation: network, filesystem, process, database, message, payment, or a call to another system. Intent (proposed action). A description of an effect, represented as inspectable data, produced before the effect occurs. Mediation. Examining a proposed action against policy and deciding to allow, deny, or escalate, before the effect. Decision record (receipt). A durable record of a decision: what was proposed, what policy applied, what was decided, and why. Boundary. The perimeter within which the guarantees hold; every conformance claim states its boundary.
Requirements
Each requirement states a property and the level at which each tier applies. Evidence is described in the full text; this page states the properties.
GAR-1Proposed actions are separated from execution
The system produces a proposed action as inspectable data before the corresponding effect occurs. Computation and effect are not fused at the point of the effect.
- L1True at a defined mediation boundary — a wrapper, proxy, or sandbox represents effects as data before they proceed.
- L2True for every effect within the boundary; no effect path skips the representation.
- L3The impossibility of an effect without a preceding proposed action is established by proof or by construction of the execution model.
GAR-2Every action is mediated before it executes
No effect occurs without a mediation decision. Mediation is default-deny: absence of an authorizing policy results in denial.
- L1Mediation is present at the boundary for the channels the implementer enumerates. Covered and uncovered channels are documented.
- L2Mediation is mandatory for all effects within the boundary; no configuration or code path performs an effect without a decision.
- L3The absence of any bypass path is proved.
GAR-3Every decision is recorded
Each mediation decision produces a durable record: the proposed action, the applicable policy, the outcome, and the rationale.
- L1Records are produced for mediated actions.
- L2A record exists for every mediated action within the boundary, including denials and failures, emitted by the same mechanism that mediates.
- L3The one-to-one correspondence between decisions and records is proved or structural.
GAR-4The record is tamper-evident
The decision record is protected against undetectable alteration, for example an append-only, hash-linked chain.
- L1Records are retained in a store with integrity controls.
- L2Records are chained such that alteration or omission of any record is detectable.
- L3The integrity property is cryptographically established and independently checkable.
GAR-5The record is independently verifiable
A third party can verify the decision record without trusting the system that produced it.
- L1Records are exportable in a documented format.
- L2Records are exportable in a portable format a third party can validate against the stated policy.
- L3Verification requires no trust in the producing system: the record and the policy suffice to check every decision offline.
GAR-6The record is semantic, not merely observational
The record captures the proposed action at the level of meaning — which operation, what parameters as structured data, from what reasoning — not merely observed low-level traffic.
- L1Records identify the operation and its principal parameters.
- L2Records capture the structured action and its provenance within the system’s reasoning.
- L3The recorded action is the same artifact the system acted on, so record and behavior cannot diverge.
GAR-7Composition preserves governance
When a governed system invokes another system or component, the guarantees hold across the call. Governance does not weaken with depth of composition.
- L1Calls to external systems are themselves mediated as effects (GAR-2).
- L2Guarantees hold uniformly across nested invocations within the boundary.
- L3Uniformity across composition depth is proved.
GAR-8Self-modification is governed
If the system can generate or modify executable behavior, including AI-generated code or agents, that transition is itself a governed, recorded action, and cannot escalate the system’s own authority.
- L1Generated behavior executes only through the same mediation boundary as the parent (GAR-2).
- L2The transition from generated artifact to executing behavior is mediated and recorded, and cannot grant capabilities the parent lacked.
- L3The non-escalation property is proved.
GAR-9The boundary and residual risk are disclosed
The system states the boundary within which its guarantees hold, the channels it does not cover, and the trusted components its guarantees depend on.
- ALLRequired at all levels. A conformance claim that does not disclose its boundary and residual risk is not conformant at any level.
Conformance
A conformance claim states, per requirement, the level met and the evidence provided, together with the GAR-9 boundary statement. A system is "GAR Level N conformant" only if it meets Level N for every applicable requirement and discloses its boundary. Partial conformance is stated honestly per requirement rather than rounded up.
Crosswalk to existing frameworks
This standard is a concrete, testable specialization of themes in broader AI governance frameworks. It complements, it does not replace them.
| Framework | Where GAR fits |
|---|---|
| NIST AI RMF | GAR-3/4/5 operationalize Measure and Manage for AI actions; GAR-2/9 support Govern. |
| EU AI Act | GAR-3/4/5 provide record-keeping and traceability of the kind required for high-risk systems; GAR-9 supports risk disclosure. |
| ISO/IEC 42001 | GAR maps to operational controls for AI management systems: auditable, per-action evidence. |
A future revision will provide clause-level mappings.
Status of this document
This is version 0.1, published for public comment. It is deliberately technology-neutral and tiered so that any implementer can locate themselves on it and improve. Proposed changes, additional evidence types, and clause-level regulatory mappings are welcome. Versioning is public; material changes bump the version and are dated.