{"agency":"Signal (demo · South Australia Police context)","accountable_official":"Accountable Official (demo)","decisions_covered":8,"chain_valid":true,"chain_head":"4e37effc8d663500d17b9fa61e0b394c88cf6ef92f6bc9bf20cc1a180110188d","note":"Evidence is read live from the audit log at generation time. Items marked 'organisation's responsibility' are management-system controls outside a governance tool's scope and are not claimed as met.","frameworks":[{"framework":"DTA Policy for the responsible use of AI in government v2.0","summary":"The Australian mandatory requirements, each generated live from the log.","items":[{"requirement_id":"DTA-1","requirement":"Designate accountable officials for AI use.","how_signal_meets_it":"The accountable official and agency are configured per deployment and stamped on every decision.","status":"met","evidence":["recorded on each decision entry"]},{"requirement_id":"DTA-2","requirement":"Maintain a register of in-scope AI use cases.","how_signal_meets_it":"The register is computed live from the log, so it can never be out of date.","status":"met","evidence":["2 use case(s)","live at /governance/register"]},{"requirement_id":"DTA-3","requirement":"Publish an AI transparency statement.","how_signal_meets_it":"Generated from the log, so it cannot drift from what the system actually does.","status":"met","evidence":["live at /governance/transparency"]},{"requirement_id":"DTA-4","requirement":"Complete AI use-case impact assessments (mandatory from 15 Dec 2026).","how_signal_meets_it":"One impact assessment per in-scope use case, generated from the log with affected groups, risks, mitigations and residual risk.","status":"met","evidence":["live at /governance/impact-assessment"]}]},{"framework":"NIST AI Risk Management Framework 1.0","summary":"How the four functions are supported by the governance layer.","items":[{"requirement_id":"GOVERN","requirement":"Accountability structures and policies for AI risk are in place.","how_signal_meets_it":"An accountable official and agency are stamped on every decision, and a register of in-scope use cases is generated live from the log.","status":"met","evidence":["2 use case(s) in the live register","register at /governance/register"]},{"requirement_id":"MAP","requirement":"Context is established and AI risks are categorised.","how_signal_meets_it":"Every decision records its use case, a risk tier (EU AI Act aligned) and its data sources.","status":"met","evidence":["risk tiers: {'limited': 8}"]},{"requirement_id":"MEASURE","requirement":"AI risks and trustworthiness are analysed and tracked.","how_signal_meets_it":"Narrative faithfulness is checked on every answer, the check's precision/recall is measured against a labelled set, and anomalous results are flagged for human review.","status":"met","evidence":["mean faithfulness 1.0","human-review rate 75%"]},{"requirement_id":"MANAGE","requirement":"Risks are responded to, monitored and documented over time.","how_signal_meets_it":"A human-review workflow records reviews and overrides (with a required reason), and the tamper-evident log lets any decision be traced and its integrity verified after the fact.","status":"met","evidence":["0 review(s) recorded","integrity check at /governance/verify"]}]},{"framework":"ISO/IEC 42001:2023 (AI management system)","summary":"Evidence toward the Annex A operational controls that an AI management system must implement. Organisation-level controls remain the deployer's.","items":[{"requirement_id":"A.5.5","requirement":"AI system impact assessment is conducted and documented.","how_signal_meets_it":"An AI use-case impact assessment is generated live from the log for every in-scope use case (affected groups, risks, mitigations, residual risk).","status":"met","evidence":["impact assessment available at /governance/impact-assessment","2 use case(s) assessed"]},{"requirement_id":"A.6.2.8","requirement":"Records of AI system operation are kept.","how_signal_meets_it":"Every AI-assisted decision is written to an append-only, tamper-evident log on the request path; the system cannot answer without logging.","status":"met","evidence":["8 decisions logged","chain verified, head 4e37effc8d66"]},{"requirement_id":"A.7.4","requirement":"Data quality and provenance for the AI system are managed.","how_signal_meets_it":"Each decision records its data sources and a risk tier; the analyst operates on aggregates only, with no PII entering the system.","status":"met","evidence":["risk tiers recorded: {'limited': 8}"]},{"requirement_id":"A.8.3","requirement":"Information is provided to users about the AI system.","how_signal_meets_it":"A transparency statement is generated live from the log; every answer carries a traceable decision id.","status":"met","evidence":["transparency statement at /governance/transparency"]},{"requirement_id":"A.9.3","requirement":"Performance of the AI system is monitored and evaluated.","how_signal_meets_it":"The LLM narrative is checked for faithfulness on every answer, and the check's own precision/recall is measured and reported.","status":"met","evidence":["mean faithfulness 1.0","check validation at /governance/faithfulness-eval"]},{"requirement_id":"A.3 / A.4","requirement":"Leadership, policy, roles, competence and resourcing for the AIMS.","how_signal_meets_it":"Signal records the accountable official and agency on every decision, but the surrounding management system (leadership, competence, internal audit) is the organisation's to operate.","status":"organisation's responsibility","evidence":[]}]}],"statement":"# AI governance compliance report\n\n**Organisation:** Signal (demo · South Australia Police context)  ·  **Accountable official:** Accountable Official (demo)\n\nGenerated live from the audit log. Decisions covered: **8**. Audit chain: **verified** (head 4e37effc8d66).\n\nStatus key: *met* — satisfied by the governance layer with live evidence; *partial* — partially supported; *organisation's responsibility* — outside the tool, for the deploying organisation to operate.\n\n## DTA Policy for the responsible use of AI in government v2.0\n\nThe Australian mandatory requirements, each generated live from the log.\n\n- **DTA-1 — Designate accountable officials for AI use.**  \n  _met._ The accountable official and agency are configured per deployment and stamped on every decision.  \n  Evidence: recorded on each decision entry\n\n- **DTA-2 — Maintain a register of in-scope AI use cases.**  \n  _met._ The register is computed live from the log, so it can never be out of date.  \n  Evidence: 2 use case(s); live at /governance/register\n\n- **DTA-3 — Publish an AI transparency statement.**  \n  _met._ Generated from the log, so it cannot drift from what the system actually does.  \n  Evidence: live at /governance/transparency\n\n- **DTA-4 — Complete AI use-case impact assessments (mandatory from 15 Dec 2026).**  \n  _met._ One impact assessment per in-scope use case, generated from the log with affected groups, risks, mitigations and residual risk.  \n  Evidence: live at /governance/impact-assessment\n\n## NIST AI Risk Management Framework 1.0\n\nHow the four functions are supported by the governance layer.\n\n- **GOVERN — Accountability structures and policies for AI risk are in place.**  \n  _met._ An accountable official and agency are stamped on every decision, and a register of in-scope use cases is generated live from the log.  \n  Evidence: 2 use case(s) in the live register; register at /governance/register\n\n- **MAP — Context is established and AI risks are categorised.**  \n  _met._ Every decision records its use case, a risk tier (EU AI Act aligned) and its data sources.  \n  Evidence: risk tiers: {'limited': 8}\n\n- **MEASURE — AI risks and trustworthiness are analysed and tracked.**  \n  _met._ Narrative faithfulness is checked on every answer, the check's precision/recall is measured against a labelled set, and anomalous results are flagged for human review.  \n  Evidence: mean faithfulness 1.0; human-review rate 75%\n\n- **MANAGE — Risks are responded to, monitored and documented over time.**  \n  _met._ A human-review workflow records reviews and overrides (with a required reason), and the tamper-evident log lets any decision be traced and its integrity verified after the fact.  \n  Evidence: 0 review(s) recorded; integrity check at /governance/verify\n\n## ISO/IEC 42001:2023 (AI management system)\n\nEvidence toward the Annex A operational controls that an AI management system must implement. Organisation-level controls remain the deployer's.\n\n- **A.5.5 — AI system impact assessment is conducted and documented.**  \n  _met._ An AI use-case impact assessment is generated live from the log for every in-scope use case (affected groups, risks, mitigations, residual risk).  \n  Evidence: impact assessment available at /governance/impact-assessment; 2 use case(s) assessed\n\n- **A.6.2.8 — Records of AI system operation are kept.**  \n  _met._ Every AI-assisted decision is written to an append-only, tamper-evident log on the request path; the system cannot answer without logging.  \n  Evidence: 8 decisions logged; chain verified, head 4e37effc8d66\n\n- **A.7.4 — Data quality and provenance for the AI system are managed.**  \n  _met._ Each decision records its data sources and a risk tier; the analyst operates on aggregates only, with no PII entering the system.  \n  Evidence: risk tiers recorded: {'limited': 8}\n\n- **A.8.3 — Information is provided to users about the AI system.**  \n  _met._ A transparency statement is generated live from the log; every answer carries a traceable decision id.  \n  Evidence: transparency statement at /governance/transparency\n\n- **A.9.3 — Performance of the AI system is monitored and evaluated.**  \n  _met._ The LLM narrative is checked for faithfulness on every answer, and the check's own precision/recall is measured and reported.  \n  Evidence: mean faithfulness 1.0; check validation at /governance/faithfulness-eval\n\n- **A.3 / A.4 — Leadership, policy, roles, competence and resourcing for the AIMS.**  \n  _organisation's responsibility._ Signal records the accountable official and agency on every decision, but the surrounding management system (leadership, competence, internal audit) is the organisation's to operate.  \n  Evidence: —\n"}