How It Works

Everything The Compact does, explained from first principles.

This is not a feature list. It is a guided walk through the architecture of an AI governance platform — the why before the what, the story before the specification. A compliance officer, a CRO, or a board member should be able to read this end to end and understand exactly what The Compact is, what it produces, and why it exists.

Who this is for. You are a compliance officer, a chief risk officer, a board member, an internal auditor, or a regulator. You need to understand what The Compact is, what it does, and whether it addresses the governance gap at your institution. You may not have a technical background. That is fine — this document assumes none.

How to read it. Start at Chapter 1 if you want the full story. Jump to the Table of Contents above if you need something specific. Each chapter stands on its own but gains meaning from the ones before it.

Chapter 1

The Problem

An AI model is approving consumer loans at your institution. A claims-adjudication algorithm is triaging auto insurance payouts. A clinical decision support tool is flagging high-risk patients for early intervention. These are not future-state projections — they are Tuesday morning.

Now imagine the examiner arrives. Not a theoretical examiner — a real person from the OCC, the FDIC, the NCUA, the state Department of Insurance, or HHS. They will ask four questions:

01 Does your workforce know they are using AI in their daily decisions?
02 Can you show me the trail between the model output and the consumer action?
03 Who overrode the model last quarter, and was it documented?
04 Where is your evidence that fair-lending testing was performed before deployment?

If you cannot answer those four questions with evidence — not assertions, not policy documents, but evidence — you do not have a governance gap. You have an examination finding waiting to happen.

This is what we call the Frontline Asymmetry. The people responsible for governing AI at most institutions are structurally outmatched by the people examining them. Regulatory bodies have PhD-level technical staff, multi-year research programs, and access to enforcement data across the entire industry. A mid-market bank has a compliance officer who also covers BSA/AML and maybe one risk analyst.

Worse: the existing governance products aim at the third of headcount that sits in risk, engineering, and management. The other 67% — the tellers, loan officers, claims adjusters, and intake nurses who touch AI-visible workflows every single day — hold none of the credentials that exist today. And yet, they make the decisions the examiner reads first.

That is the problem The Compact was built to solve.

Chapter 2

The Vow

Before we describe what The Compact does, we need to describe what The Compact believes. This is not marketing — it is the architectural decision that shapes everything downstream.

AI governance methodology should not be a proprietary secret sold by consultants at $500 an hour. It should be shared infrastructure — held in common.

The Compact's methodology is licensed under Apache 2.0. Open. Forkable. Auditable. You can read every framework, every tenet, every scoring rubric, and use them without paying us a dollar. You can fork them and build your own thing.

Why? Because the industry does not need another proprietary framework. It needs a standard. And standards only become standards when they are shared. A hundred competing vendor frameworks fragment the industry and leave the compliance officer — the person we are building for — worse off than before.

What The Compact charges for: the tooling that operationalizes the methodology. The AI coach that walks your workforce through the credential. The simulator that stress-tests your governance. The 105 plugins that produce the evidence your examiner expects. The knowledge of how to govern AI belongs to the profession, not to a vendor.

Chapter 3

The AGRS Score

The AI Governance Readiness Score is the through-line that connects everything The Compact does. It is not a one-time assessment. It is not a letter grade. It is a living metric that moves every time your workforce learns, every time your simulator runs, every time your OS produces evidence.

AGRS measures six dimensions. Each one maps to a real capability that an examiner can probe:

D1 · Architecture

Do you have a governance architecture? Not a policy document — a living system that defines how AI decisions flow through your institution, who owns them, and where the controls sit.

D2 · Evaluation

Are you evaluating your models before trusting them? Validation, testing, benchmarking — the work that happens before a model touches a consumer.

D3 · Governance

Is there a governance process around AI? Approval chains, attestations, committee oversight, exception management — the organizational scaffolding that makes governance real and not aspirational.

D4 · Evidence

Can you produce evidence? Not claims, not assertions — timestamped, hash-chained artifacts that prove you did what you said you did.

D5 · Portability

Is your governance portable? Can you move it between vendors, between cloud providers, between regulatory regimes — or are you locked into a single tool that becomes a single point of failure?

D6 · Accountability

Is a human accountable? When the model makes a decision, who is responsible? Not the algorithm — a person, with a name, a role, and documented authority.

Every Academy chapter, every Simulator cascade, every OS plugin maps to one or more of these six dimensions. When you complete an Academy module, your D3 score moves. When the OS generates an audit trail, your D4 score moves. The AGRS is not a test you pass once — it is the vital sign of your governance posture.

Chapter 4

The Six Postures

We call them Postures, not Levels. A level implies a hierarchy you climb and leave behind. A posture is a stance you hold. A Keeper doesn't stop being a Witness. The awareness doesn't go away — it deepens.

Each Posture represents a relationship with AI governance. Some people spend their entire career at Witness — and that is extraordinary, not insufficient. A teller who can clearly describe the AI in her workflow is more valuable to the examiner than an engineer who cannot explain what the model does in plain language.

The Witness
L0 · Awareness
~72% of workforce

You see that AI is here. You touch it every day — in the lending queue, the claims triage, the teller screen. You don't need to understand the model. You need to know it's there, and you need to be able to say so honestly when someone asks.

The Reader
L1 · Literacy
~15% of workforce

You can open a model risk management policy and follow its logic. You can read a validation report and know what it is claiming. The documentation speaks to you now — not as a specialist, but as a literate practitioner who can engage with the governance conversation.

The Steward
L2 · Stewardship
~9% of workforce

You manage governance day to day. Intake forms, evidence collection, escalation paths, compliance calendars — the operational rhythm of governance is yours. You don't design frameworks, but you run them.

The Architect
L3 · Design
~3% of workforce

You design the frameworks. Policy structures, control architectures, risk taxonomies, reporting hierarchies — you build the governance machinery your institution runs on. When the regulator asks "who designed this?", the answer is you.

The Keeper
L4 · Defense
~0.8% of workforce

You maintain, evolve, and defend the framework under examination. When the OCC walks in, you are the one in the room. You know where every piece of evidence lives, why every control exists, and what would happen if it failed.

The Standard-Bearer
L5 · Leadership
~0.2% of workforce

You set the standard others follow. You don't just run a governance program — you advance the profession. The methodology moves because you move it. Fewer than 1 in 500 practitioners reach this posture.

The AGRS credential follows the Posture path: AGRS L0 (Witness), AGRS L1 (Reader), and so on through L5 (Standard-Bearer). Each credential level requires evidence production — not attendance, not seat time. You earn the credential by demonstrating the posture, not by watching a video.

Chapter 5

The Academy

The Academy is the first pillar of The Compact. Its job: credential the workforce. Not just the third in risk, engineering, and management — the entire workforce that touches AI-visible decisions.

The curriculum is organized by Posture. A Witness-level teller studies different material than a Keeper-level CRO. Both are essential. The Academy meets each learner where they are.

What the Academy covers
The Witness Chapter · All staff (L0)

AI awareness. What models run in your workflow? What decisions do they influence? Can you name them? The goal is not technical understanding — it is honest description.

The Reader Chapter · Supervisors, analysts (L1)

Governance literacy. Reading MRM policies, understanding validation reports, interpreting model risk tiering. The learner becomes a participant in the governance conversation.

The Steward Chapter · Operations, compliance staff (L2)

Operational governance. Running intake processes, collecting evidence, managing compliance calendars, escalating issues. The daily rhythm of governance.

The Architect Chapter · Risk officers, framework designers (L3)

Framework design. Building governance architectures, defining control libraries, structuring risk taxonomies, designing reporting hierarchies.

The Keeper Chapter · Senior compliance, CROs (L4)

Examination defense. Maintaining the framework under regulatory scrutiny, managing findings, directing remediation, evolving the architecture as the regulatory landscape shifts.

Every Academy chapter is sector-specific. A community bank teller studies scenarios about AI-assisted check deposit scoring. A claims adjuster at an insurance carrier walks through automated severity triage. A nurse at a health system examines clinical decision support. The framework is universal. The vignettes are local.

The credential is evidence-based, never attendance-based. You do not earn AGRS L0 by sitting through a training. You earn it by producing a Proof Pack that demonstrates the posture. More on Proof Packs in Chapter 12.

Chapter 6

Sentinel — The AI Coach

Sentinel · Sample interaction
S: "Welcome. I see your role is teller supervisor at a community bank. You don't need to design or validate models — only to recognize them, describe them honestly, and stay within your approved tool set. That's the whole work at this stage. Let's start with the tools you use every day. Can you name one that you suspect uses AI or an algorithm to make a recommendation?"

L: "I think the mobile deposit scoring system. When a customer deposits a check through the app, it tells us whether to hold it or release it immediately."

S: "Good. That's exactly right. The check deposit scoring system uses a model to assess risk. You just demonstrated the first Witness skill — recognizing AI in your workflow. Now: when it recommends a hold, can you override it? And if so, is that override documented anywhere?"

Sentinel is the AI coach that walks with each learner through the Academy. It is not a chatbot. It is not a help desk. It is a Socratic guide that adapts to the learner's Posture, role, sector, and institution.

For a Witness-level teller, Sentinel asks simple, grounding questions: "Can you name the tools?" For a Steward-level compliance analyst, it probes operational depth: "Walk me through your evidence collection workflow for a model change request." For a Keeper, it simulates examination pressure: "The examiner just asked you to produce fair-lending test results for every model deployed in the last 18 months. How do you respond?"

Sentinel generates sector-specific vignettes. It supplies templates. It never scolds, never tests adversarially at the wrong Posture. The learner is still learning what to ask — Sentinel's job is to help them discover the right questions.

The output of Sentinel coaching is not a certificate. It is a Proof Pack — an evidence portfolio that demonstrates the posture. More on that in Chapter 12.

Chapter 7

The Simulator

The Simulator is the second pillar. Think of it as the flight simulator for compliance: you crash here so you don't crash in front of an examiner.

You feed the Simulator a profile of your institution — asset size, primary AI use case, model type, governance posture, regulator, fair-lending monitoring, board oversight. It runs a six-stage enforcement cascade — a detailed, sector-specific narrative of what happens when governance fails.

The six cascade stages
1. Trigger Event

Something goes wrong. A consumer complaint. A model drift alert. A fair-lending anomaly. An internal audit finding. The trigger is always specific to your institution's profile and sector.

2. Discovery

The regulator becomes aware. Maybe the consumer escalated. Maybe a routine exam surfaced the anomaly. Maybe a whistleblower. The discovery narrative maps to your specific federal or state regulator.

3. Investigation

The regulator opens a formal review. They request documentation. They interview staff. They test the model. Every gap in your governance becomes visible at this stage.

4. Finding

The regulator issues findings. Matters Requiring Attention (MRAs), consent orders, civil money penalties. The cascade maps to real enforcement actions and provides cost estimates based on publicly available penalty data.

5. Remediation

You must fix it — under supervision. Remediation timelines, third-party reviews, enhanced reporting. The cascade shows you what remediation looks like and how long it takes.

6. Second-Order Impact

The cascade doesn't end at remediation. There are second-order effects: reputational damage, rating agency actions, board liability, market reaction, talent attrition. The cascade names them.

Every cascade stage includes: a narrative specific to your institution's profile, regulatory citations where applicable, a timeline estimate, a cost estimate drawn from real enforcement data, the governance control that would have prevented it, and the AGRS dimension it maps to.

The Simulator also produces a governance gaps analysis — a list of every dimension where your current posture falls short of what the cascade would require. Each gap includes your current state, the required state, and a specific remediation action.

Two intake paths: a structured 8-field form (choose from dropdowns) or a free-form text box where a CCO can paste a description of their institution in their own words. The Simulator parses the free-form text, extracts the profile fields with confidence scores, and asks for clarification where needed.

Output is board-ready. You can hand the cascade report to your risk committee and they can read it without needing a technical briefing.

Chapter 8

The OS

The OS is the third pillar — the operational layer. The Academy teaches what to do. The Simulator shows where you'd fail. The OS does it at scale and produces the evidence that you didn't fail.

It is a library of 105 governance plugins organized into 10 categories, comprising 526 operational skills. Each plugin is a discrete unit of governance work: policy drafting, risk scoring, bias detection, evidence generation, audit trail construction, vendor assessment, regulatory reporting.

The plugins are not theoretical. They produce artifacts — documents, reports, audit trails, evidence packages — that map directly to the controls your regulator expects to see. Every artifact is hash-chained for tamper evidence, timestamped, and linked to the AGRS dimension it supports.

The OS deploys in your environment. Your tenant. Your data. No data leaves your perimeter unless you choose to send it. Available on Azure Marketplace (draw down from your MACC commitment) and AWS Marketplace (draw down from your EDP).

Chapter 9

The Plugin Catalog

105 plugins across 10 categories. Here is what each category does, with specific examples of the plugins inside:

Chapter 10

Regulatory Coverage

The Compact maps to 18+ regulatory frameworks. These are not aspirational references — each framework has dedicated plugins, specific control mappings, and purpose-built evidence generation.

OCC 2026-13 · AI Model Risk Management mandates for national banks. The most imminent framework for most Compact users. Compliance expected H2 2026.
SR 11-7 · Guidance on Model Risk Management — enhanced AI expectations. Active, with heightened enforcement. The foundational framework most institutions build on.
SOX Section 404 · AI models impacting financial reporting require IT general controls. Active.
Basel III / Endgame · Capital model governance requirements. Phased implementation 2025–2028.
CECL (ASC 326) · Model governance for credit loss estimation. Active.
ECOA · Equal Credit Opportunity Act — disparate impact testing for AI lending models. Active enforcement.
HMDA · Home Mortgage Disclosure Act — AI lending model reporting. Increasing scrutiny.
TILA / RESPA · Truth in Lending and Real Estate Settlement — automated pricing model compliance.
PCI DSS v4.0 · AI systems touching cardholder data governance. Mandatory since March 2025.
GLBA / Reg P · AI-driven data processing privacy requirements.
CFPB AI Guidance · Adverse action explainability in AI underwriting. Active enforcement.
NCUA Guidelines · Credit union AI governance expectations.
FDIC Guidelines · Deposit insurance and AI risk management.
ISO 42001 · AI Management Systems certification standard. Published 2023, adoption accelerating.
NIST AI RMF · Framework for AI risk management. The US government's foundational AI governance reference.
EU AI Act · Risk-based AI classification for institutions with EU operations. Phased 2025–2027.
NACHA · AI in payment processing governance.
NAIC Model Bulletin · Insurance-specific AI governance. Section 4 compliance is the de facto baseline for carriers.

Chapter 11

Sectors We Serve

Governance looks different at a community bank than at a Tier 1 insurance carrier or a health system. The Compact is sector-aware at every layer — the Academy curriculum, the Simulator profiles, the OS plugins.

Banks: OCC · Federal Reserve · FDIC

AI surfaces: Consumer underwriting, small business credit, auto lending, HELOC, commercial real estate. Vendor-provided (black box), in-house, and hybrid models.

Examination reality: OCC examination with 30-day notice. SR 11-7 as the foundational framework. OCC 2026-13 as the imminent mandate. Fair lending as the sharpest edge.

Credit Unions: NCUA

AI surfaces: Member lending, share account management, BSA/AML screening. Typically vendor-dependent with limited in-house technical staff.

Examination reality: NCUA examination with emphasis on member protection. Smaller governance teams mean the Frontline Asymmetry hits harder here.

Insurance: State DOI · NAIC

AI surfaces: Underwriting and rate-setting, claims adjudication, fraud screening, telematics and behavioral pricing, utilization management. NAIC Model Bulletin §4 as the baseline.

Examination reality: State-level market conduct examinations. ASOP 56 documentation requirements. State DOI footprint complexity — NY, CA, CO, TX as regulatory outlier states.

Healthcare: HHS OCR · ONC · FDA · CMS · State DPH

AI surfaces: Clinical decision support, predictive DSI per ONC HTI-1, imaging and diagnostic AI, prior authorization, claims adjudication, patient triage, RCM/coding automation, care navigation, utilization management, population health.

Examination reality: Overlapping federal + state + accreditor authorities. The clinical safety lens — healthcare failure modes are clinical (patient harm), not just economic. HIPAA, PHI handling, and the BAA architecture add a layer that no other sector faces.

Chapter 12

Proof Packs

A Proof Pack is not a certificate. It is an evidence portfolio that demonstrates a Posture.

When a teller completes the Witness curriculum with Sentinel, the output is not a badge. It is a collection of artifacts: a description of the AI tools in her workflow, a documented observation of model behavior, a record of the questions she can now ask about the tools she uses. All timestamped. All linked to her AGRS profile.

When a compliance analyst at Steward produces evidence of a governance workflow she managed — an intake form, an escalation record, a compliance calendar she maintained — that becomes part of her Proof Pack.

When the OS generates an audit trail for a model validation, that trail is hash-chained and becomes part of the institution's evidence binder. When a Keeper defends that evidence binder in an examination, the defense itself becomes part of the institutional record.

Proof Packs are portable. If an employee moves to another institution, their individual AGRS credential travels with them — because the proof is in the evidence, not in the institution that issued it.

This is what we mean by "evidence-based, never attendance-based." The credential is in the work, not in the seat time.

Chapter 13

Provenance

A CCO reading a cascade report may reasonably ask: "How was this written? Who is responsible?" The Compact preempts that question with radical transparency.

The 6-stage cascade structure, the 41-citation human-authored regulatory library, the 23 real-enforcement cost references, the AGRS dimension mapping, and the 6 Tenets are 100% human-authored. The narrative text for each specific cascade is generated by AI with templated rule-based fallback. Citation validation runs against the human-authored library before output. The Bench — The Compact's arbitrating body — audits provenance as part of quarterly refresh sweeps.

Every artifact The Compact produces carries this provenance disclosure. What was human-authored. What was AI-generated. What was validated and against what library. Who audits it. This is not a disclaimer — it is a commitment to the kind of transparency a regulated institution must be able to defend.

Chapter 14

The Six Tenets

The Tenets are the decision rules of The Compact. When there is a design choice — in the curriculum, in the Simulator, in the OS — we resolve it against these six principles:

D1 · Architect before automating

Design the governance architecture before you deploy the model. Automation without architecture is risk without guardrails.

D2 · Evaluate before trusting

Validate, test, and benchmark the model before you trust it with consumer decisions. Trust is earned by evidence, not by deployment.

D3 · Govern before scaling

Put governance in place before you scale the model. Governance after the fact is remediation — governance before the fact is prevention.

D4 · Evidence before claims

Produce the evidence before you make the claim. If you can't show it, you didn't do it. Evidence is the only currency the examiner accepts.

D5 · Portability before tool lock-in

Your governance should survive a vendor change. If switching tools means losing your governance posture, you don't have governance — you have a vendor dependency.

D6 · Human accountability before agent autonomy

A human must be accountable for every model decision. Not the algorithm — a person, with a name, a role, and documented authority. AI advises. Humans decide.

Chapter 15

Deployment

The OS deploys in your environment. No data leaves your perimeter unless you choose to send it.

Azure Marketplace

Deploy from your Microsoft Azure Cloud commitment (MACC). Draw down from existing spend. Single-tenant deployment in your Azure subscription.

AWS Marketplace

Deploy from your AWS Enterprise Discount Program (EDP). Draw down from existing spend. Single-tenant deployment in your AWS account.

Google Cloud

Coming Q3 2026. GCP Marketplace listing in progress.

Evidence retention meets OCC guidance: 7 years (2,555 days). Hash-chained for tamper evidence. Your tenant, your encryption keys. The Compact never holds your data — only you do.

Chapter 16

The 30-Day Sprint

You have an examination in 30 days. Here is what those 30 days look like with The Compact:

Day 1–3 · Simulator

Run the Simulator against your institution's profile. Get the cascade — see where you'd fail, what it would cost, which controls are missing. Get the board-ready threat narrative.

Day 4–10 · Academy

Enroll frontline staff in AGRS L0 (Witness). Sentinel coaches each person in their own role and sector context. Proof Packs begin generating. Your workforce starts being able to describe the AI in their workflows.

Day 11–20 · OS

Deploy OS plugins: evidence generation, policy gap analysis, audit trail construction. The evidence binder starts taking shape. Each artifact maps to a specific examiner expectation.

Day 21–28 · Simulator + OS

Stress-test the evidence binder against the examiner's probable questions. Run the Simulator again with updated governance posture. Identify remaining gaps. Fill them.

Day 29–30 · Evidence ready

Walk into the examination with a complete evidence portfolio mapped to your regulator's control framework. Every artifact timestamped, hash-chained, and linked to an AGRS dimension.

Where AI governance is held in common.

The methodology is open. The tools are built for the compliance officer who opens the exam letter on a Tuesday morning and needs to know what to do.

thecompact.academy · Apache 2.0 methodology