Sovereign AI for Regulated Enterprise Tenants — Governance
Cross-builder institution context and per-item ownership, due dates, status, and next actions for the governance-relevant checklist items in this builder.
Checklist governance
Items come from the builder's governance / compliance phases (04 and 05); each carries an owner, due date, status, and next action.
04 · Tenant-Isolation & Compliance Attestation Gate

Select confidential-computing primitive
Select the CPU / GPU confidential-computing primitive that anchors tenant isolation.

Integrate remote attestation service
Tenant-verifiable remote attestation (Intel Trust Authority / AMD KDS / NVIDIA attestation service) for every workload launch.

Enforce FIPS 140-2 / FIPS 140-3 validated cryptography
All key material and crypto operations use FIPS-validated modules — required for FedRAMP, CMMC, and many BFSI postures.

Configure tenant-scoped network micro-segmentation
Per-tenant VLAN / VRF / VPC segments on the carrier fabric — no shared east-west path across tenants.

Document and test side-channel mitigations
Spectre / Meltdown / L1TF / MDS mitigations are on by default and tested against the running kernel — don't assume the default kernel config holds.

Maintain SOC 2 Type II attestation on platform
Annual SOC 2 Type II with AI-specific trust-services-criteria mapping.

Maintain ISO/IEC 27001, 27017, 27018 certification
27001 for the ISMS, 27017 for cloud services, 27018 for PII processing. Mandatory baseline for EU regulated tenants.

Achieve FedRAMP High authorization (if federal tenants)
Platform ATO at the High impact level is the practical bar for federal civilian and IL4/IL5-adjacent workloads.

Complete HITRUST CSF r2 assessment (healthcare)
HITRUST CSF r2 is the de facto bar for US healthcare and payer tenants, layered on top of HIPAA.

Complete PCI DSS v4.0 attestation for BFSI segments
PCI DSS v4.0 became mandatory 31 March 2024, with 51 new / evolved controls fully in force March 2025.

Meet DFARS 7012 / CMMC 2.0 requirements (defense)
CMMC 2.0 Level 2 for handling CUI; Level 3 where NIST SP 800-172 enhanced controls apply.

Maintain ISO/IEC 42001 AI management system
ISO/IEC 42001:2023 is the first international AI management system standard. Increasingly requested by enterprise procurement.

Comply with EU AI Act (Reg 2024/1689) obligations
EU AI Act Regulation 2024/1689 — prohibited-practice bans took effect February 2025; GPAI obligations August 2025; high-risk obligations staggered through August 2026/2027.

Complete GDPR Art. 28 processor documentation
Processor agreements, Art. 30 records, Art. 35 DPIAs, and Schrems II supplementary measures where relevant.

Issue tenant-specific attestation bundle at onboarding
Signed bundle: platform SOC 2, ISO, FedRAMP, HITRUST, BAA / DPA / 7012 flow-down, residual-risk register, incident-response runbook.

Verify tenant key and identity provisioning
Tenant-controlled root identity (OIDC / SAML / mTLS) and key material provisioned before first workload launch.

Validate partition attestation end-to-end
Tenant runs a canary workload and independently verifies hardware attestation before production cutover.

Confirm workforce clearances and citizenship for tenant class
ITAR, CMMC, and IC workloads constrain who may operate the physical site and the control plane.
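The "Document and test side-channel mitigations" item says not to trust the default kernel config. The check below is an added example written for this checklist, not part of the original page or any product it describes: it reads the per-vulnerability status files that Linux exposes under /sys/devices/system/cpu/vulnerabilities (a real kernel interface) and fails the gate unless every required entry reports "Mitigation:" or "Not affected". The list of required entries and the sample sysfs contents are constructed for the example; on a real host, point check_mitigations at the live sysfs directory.

```shell
#!/bin/sh
# Added example: verify CPU side-channel mitigation state from the running
# kernel rather than assuming the default configuration holds.
# Real interface assumed: /sys/devices/system/cpu/vulnerabilities/<name>
# contains one line starting "Not affected", "Mitigation: ..." or "Vulnerable".

# Entries the attestation gate requires evidence for (constructed list;
# extend to match the platform's own threat model).
REQUIRED="spectre_v1 spectre_v2 meltdown l1tf mds"

# classify_status <sysfs line> -> prints ok | fail | unknown
classify_status() {
  case "$1" in
    "Not affected"*) echo ok ;;
    "Mitigation:"*)  echo ok ;;
    "Vulnerable"*)   echo fail ;;
    *)               echo unknown ;;
  esac
}

# check_mitigations <vulnerabilities dir>
# Prints one report line per required entry; returns 0 only when every
# required entry exists and is mitigated or not applicable. A missing file
# counts as a failure: absence of evidence is not evidence of mitigation.
check_mitigations() {
  dir="$1"
  rc=0
  for name in $REQUIRED; do
    f="$dir/$name"
    if [ ! -r "$f" ]; then
      printf '%-12s %-7s %s\n' "$name" missing "kernel did not report this entry"
      rc=1
      continue
    fi
    line=$(cat "$f")
    status=$(classify_status "$line")
    printf '%-12s %-7s %s\n' "$name" "$status" "$line"
    [ "$status" = ok ] || rc=1
  done
  return $rc
}

# make_sample_dir <dir> <meltdown state>
# Builds a constructed sysfs-like tree so the check runs offline.
make_sample_dir() {
  d="$1"
  mkdir -p "$d"
  printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
  printf 'Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling\n' > "$d/spectre_v2"
  printf '%s\n' "$2" > "$d/meltdown"
  printf 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n' > "$d/l1tf"
  printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$d/mds"
}

# Demo on constructed data: one compliant host, one with PTI disabled.
demo_tmp=$(mktemp -d)
make_sample_dir "$demo_tmp/good" "Mitigation: PTI"
check_mitigations "$demo_tmp/good" && echo "PASS: required mitigations active"
make_sample_dir "$demo_tmp/bad" "Vulnerable"
check_mitigations "$demo_tmp/bad" || echo "FAIL: gate should block this host"
rm -rf "$demo_tmp"
```

Run the report from a privileged job on each node after every kernel or microcode update and attach the output to the tenant attestation bundle; a "Vulnerable" or missing entry is the evidence the checklist item asks for that the default config did not hold.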
05 · Governance & Compliance

Stand up ISO/IEC 42001 AI management system
Policy, roles, processes, training, and audit cycle covering every AI workload running on the platform.

Maintain NIST AI RMF 1.0 profile
Govern-Map-Measure-Manage profile mapped to each tenant workload class; reviewed on a fixed cadence.

Operate EU AI Act compliance register
Per-workload classification against Articles 5 (prohibited), 6 (high-risk), 50 (transparency), 53 (GPAI) of Regulation 2024/1689.

Operate GDPR Art. 30 records of processing
Per-tenant processing records kept current — platform is processor, tenant is controller.

Conduct DPIAs for high-risk tenant workloads
GDPR Art. 35 DPIA and US sectoral equivalents for high-risk inference (clinical decision support, credit, employment).

Apply Schrems II supplementary measures
For any EU-origin personal data touching US-controlled infrastructure, document supplementary measures.

Define platform acceptable-use policy
Explicit limits on tenant workloads — EU AI Act Art. 5 prohibited practices, US sectoral bans, sanctions compliance.

Integrate sanctions and export-control screening
OFAC, UK / EU / UN sanctions screening at tenant onboarding and on an ongoing basis — export-control classification for any models crossing borders.

Operate AML / KYC on tenant entity relationships
Beneficial-ownership and sanctions screening for the tenant corporate structure — required especially for BFSI and government pipelines.

Track EU AI Act delegated and implementing acts
Regulation 2024/1689 delegates substantial detail to Commission acts — monitor for scope or timeline changes.

Monitor FedRAMP and CMMC program evolution
FedRAMP 20x, CMMC 2.0 rulemaking, and DoD memoranda all change the attestation bar on short notice.

Publish platform-level board and tenant reporting
Quarterly board-level report — incidents, attestation status, tenant complaints, regulatory horizon.