An open standard  ·  intent-driven computing

The Governed AI
Requirements Standard

What it means for an autonomous AI system's actions to be governed: authorized before they happen, recorded when they happen, verifiable afterward.

Version 0.1  ·  draft for public comment  ·  technology-neutral

Autonomous AI systems take actions: they send messages, move money, change records, call other systems. When those actions come from probabilistic reasoning rather than a human keystroke, the traditional chain of accountability breaks. This standard defines the requirements a system must meet for its actions to be governed. It is written so that a compliance officer can cite it, an auditor can test against it, and an implementer of any architecture can work toward it.

It governs what a system is permitted to do, not what a model is permitted to say.


How the tiers work

Requirements are organized into three conformance levels. A system states the highest level it meets, per requirement, and provides the listed evidence. The levels are a ladder, not a verdict.

Level 1Boundary mediation. Achievable by wrapping or sandboxing an existing system. Covered and uncovered channels are disclosed.
Level 2Complete and mandatory mediation within a defined boundary. No path performs an effect without a decision and a record.
Level 3Completeness is proved, not asserted. An open bar: any architecture that can produce a machine-checkable proof qualifies.

Most systems governing existing agents will honestly reach Level 1 or 2. That is a real and useful posture. The standard exists to make the rungs legible, not to disqualify.


Definitions

Effect. Any observable action on state outside the system's own computation: network, filesystem, process, database, message, payment, or a call to another system. Intent (proposed action). A description of an effect, represented as inspectable data, produced before the effect occurs. Mediation. Examining a proposed action against policy and deciding to allow, deny, or escalate, before the effect. Decision record (receipt). A durable record of a decision: what was proposed, what policy applied, what was decided, and why. Boundary. The perimeter within which the guarantees hold; every conformance claim states its boundary.


Requirements

Each requirement states a property and the level at which each tier applies. Evidence is described in the full text; this page states the properties.

GAR-1Proposed actions are separated from execution

The system produces a proposed action as inspectable data before the corresponding effect occurs. Computation and effect are not fused at the point of the effect.

GAR-2Every action is mediated before it executes

No effect occurs without a mediation decision. Mediation is default-deny: absence of an authorizing policy results in denial.

GAR-3Every decision is recorded

Each mediation decision produces a durable record: the proposed action, the applicable policy, the outcome, and the rationale.

GAR-4The record is tamper-evident

The decision record is protected against undetectable alteration, for example an append-only, hash-linked chain.

GAR-5The record is independently verifiable

A third party can verify the decision record without trusting the system that produced it.

GAR-6The record is semantic, not merely observational

The record captures the proposed action at the level of meaning — which operation, what parameters as structured data, from what reasoning — not merely observed low-level traffic.

GAR-7Composition preserves governance

When a governed system invokes another system or component, the guarantees hold across the call. Governance does not weaken with depth of composition.

GAR-8Self-modification is governed

If the system can generate or modify executable behavior, including AI-generated code or agents, that transition is itself a governed, recorded action, and cannot escalate the system’s own authority.

GAR-9The boundary and residual risk are disclosed

The system states the boundary within which its guarantees hold, the channels it does not cover, and the trusted components its guarantees depend on.


Conformance

A conformance claim states, per requirement, the level met and the evidence provided, together with the GAR-9 boundary statement. A system is "GAR Level N conformant" only if it meets Level N for every applicable requirement and discloses its boundary. Partial conformance is stated honestly per requirement rather than rounded up.


Crosswalk to existing frameworks

This standard is a concrete, testable specialization of themes in broader AI governance frameworks. It complements, it does not replace them.

FrameworkWhere GAR fits
NIST AI RMFGAR-3/4/5 operationalize Measure and Manage for AI actions; GAR-2/9 support Govern.
EU AI ActGAR-3/4/5 provide record-keeping and traceability of the kind required for high-risk systems; GAR-9 supports risk disclosure.
ISO/IEC 42001GAR maps to operational controls for AI management systems: auditable, per-action evidence.

A future revision will provide clause-level mappings.


Status of this document

This is version 0.1, published for public comment. It is deliberately technology-neutral and tiered so that any implementer can locate themselves on it and improve. Proposed changes, additional evidence types, and clause-level regulatory mappings are welcome. Versioning is public; material changes bump the version and are dated.