The Enterprise AI Governance Buyer's Guide
Abstract
This record contains Version 3.3 of The Enterprise AI Governance Buyer's Guide, together with the companion Procurement Fast Path (Version 3.2). The two documents are designed to be used jointly to support rigorous, evidence-based evaluation of AI governance claims in regulated and high-stakes enterprise environments.

The Buyer's Guide presents a vendor-neutral evaluation framework that distinguishes three governance problems:

- Visibility: logging, monitoring, and observability.
- Alignment: model- and application-layer safety techniques such as RLHF, guardrails, and content filtering.
- Authorization: pre-execution governance capable of producing replayable, independently verifiable evidence that a specific action was permitted.

It formalizes the distinction between probabilistic governance (likely compliant) and deterministic governance (provably compliant), with emphasis on fail-closed enforcement, non-delegable authorization, and post-incident verifiability. The verdict space is exactly three: ALLOW, DENY, and ABSTAIN. ABSTAIN blocks execution pending authorized human override.

The Four Tests Standard (4TS). The guide evaluates governance against the open, vendor-neutral Four Tests Standard and its four canonical tests:

- Stop: execution can be halted before a side effect occurs, with effect-token issuance gated by approval.
- Ownership: an identified authority signs the governing policy prior to the execution window.
- Replay: the decision can be reproduced at the boundary by state or by protocol, including third-party offline reconstruction from the Evidence Package.
- Escalation: mandatory custody transfer routes on denial or threshold crossings, with ABSTAIN treated as DENY by default pending authorized override.

The guide supplies concrete due-diligence questions, a five-point diligence test, five anti-laundering tests, failure-mode analysis, and an illustrative proof-carrying decision artifact mapped to common regulatory requirements such as audit trails, electronic records, signature controls, and retention obligations. A regulatory mapping identifies where the ex-ante authorization requirement is lodged across the major regimes (EU AI Act Article 14, GDPR Article 22, HIPAA 164.312(a), DFARS 252.204-7012, and NIST AI RMF GOVERN).

Corpus Doctrine. Observability explains what happened. Enforcement determines what is allowed to happen. Enforcement is realized through a non-bypassable authorization boundary that emits a proof-carrying decision prior to execution.

What is new in Version 3.3. The Four Tests section is aligned with the canonical published standard. The four tests are presented as Stop, Ownership, Replay, and Escalation. The procurement concerns expressed in earlier editions are preserved: reproducibility and verifiability fold into Replay; coverage and no-bypass are carried by the State Completeness anti-laundering test and the non-bypassable boundary; and residual-risk bounds, where ungoverned inputs are forced to DENY or ABSTAIN, are carried by fail-closed handling, ABSTAIN semantics, and diligence scoring. The guide adopts the artifact gap designation from FERZ Technical Advisory TA-2026-01 (DOI 10.5281/zenodo.20646404). The artifact gap is the evidentiary condition that arises when observability-based oversight is relied upon to satisfy an ex-ante authorization requirement: records of what occurred exist, but no authorization artifact preceding execution can be produced. The designation is applied at the regulatory mapping and as the baseline-qualification failure mode in the vendor scorecard.

Version lineage. 3.2 operationalized the Authorization Artifact Test for procurement, advanced the corpus Doctrine to v1.1, and added the ex-ante regulatory mapping. The Baseline Qualification Gate was framed as the operational verification companion to the Test's structural prongs. 3.1 added a formal Doctrine (v1.0) statement that locked the enforcement boundary across the corpus: observability governs accounts of action; authorization governs permission to act; signed artifacts protect history while signed authorizations govern the future; and authorization governance requires a non-bypassable runtime gate that fails closed when governance conditions fail or required evidence is missing. 3.0 introduced semantic completeness: governed state is incomplete unless each decision is cryptographically bound to the immutable semantic definitions in effect at decision time. This prevents definition laundering, where semantic drift retroactively alters the compliance status of past decisions and breaks audit replay without visible failure.

Companion: Procurement Fast Path (Version 3.2). The Fast Path distills the framework into a three-page operational checklist for real-world procurements. It establishes a baseline qualification gate requiring third-party offline replay of a historical governance decision from an exported Evidence Package, applies the canonical Four Tests, and adds anti-laundering tests (exportability, offline replay, state completeness, fail-closed behavior, and mutation or drift resistance) to disqualify marketing-only or trust-based governance claims before full scoring. Version 3.2 aligns the Four Tests with the canonical standard, adds the artifact gap reference at the baseline gate, and is derived from Buyer's Guide v3.3.

Audience. Procurement teams, risk officers, General Counsel, auditors, technical evaluators, regulators, and boards seeking evidentiary assurance that AI governance controls can be independently verified at the moment a specific AI decision was made.

The framework is published by FERZ, Inc. It is vendor-neutral and architecture-agnostic, and may be applied to any AI governance solution. The documents are conformant with the AI Governance Taxonomy v1.5 (DOI 10.5281/zenodo.18275969) and the Authorization Artifact Test (DOI 10.5281/zenodo.20013582). The Four Tests Standard is published under CC BY-NC-ND 4.0 at github.com/edmeyman/4ts-standard. They are designed to support defensible governance evaluation in sectors such as healthcare, financial services, government, defense, and other regulated domains.
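The pre-execution authorization boundary, three-verdict space, fail-closed handling and binding of each decision to the semantic definitions in effect, as an added illustration that is not the guide's or FERZ's code. The policy, definitions and owner key are constructed sample values, and an HMAC under that key stands in for the policy owner's signature; the point shown is that offline replay after definition drift fails visibly instead of silently reinterpreting the past decision.

```python
import hashlib, hmac, json

# Constructed sample policy and semantic definitions (stand-ins, not the guide's).
POLICY = {"owner": "risk-office", "allow": {"read_record": ["clinician"]}}
DEFINITIONS = {"clinician": "licensed staff with an active credential",
               "auditor": "internal audit staff"}
OWNER_KEY = b"constructed-owner-signing-key"  # HMAC stands in for the owner's signature

def digest(obj):
    """Canonical SHA-256 over JSON so policy and definitions can be bound by hash."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def sign(key, payload):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), "sha256").hexdigest()

def decide(action, role, policy, definitions):
    """Pure decision function: identical inputs must always yield the identical verdict."""
    if policy is None or definitions is None:
        return "ABSTAIN"          # fail closed: required governance inputs are missing
    if role not in definitions:
        return "ABSTAIN"          # role has no definition in effect, so it is ungoverned
    return "ALLOW" if role in policy.get("allow", {}).get(action, []) else "DENY"

def authorize(action, role, policy, definitions, policy_sig):
    """Authorization boundary: emits a proof-carrying artifact before any side effect."""
    # Ownership: the governing policy must carry the owner's signature before execution.
    if policy_sig != sign(OWNER_KEY, policy):
        verdict = "ABSTAIN"
    else:
        verdict = decide(action, role, policy, definitions)
    body = {"action": action, "role": role, "verdict": verdict,
            "policy_hash": digest(policy), "definitions_hash": digest(definitions)}
    # Stop: an effect token exists only for ALLOW; ABSTAIN is treated as DENY pending override.
    token = sign(OWNER_KEY, {"effect": body}) if verdict == "ALLOW" else None
    return {**body, "sig": sign(OWNER_KEY, body)}, token

def replay(artifact, policy, definitions):
    """Offline replay from the exported artifact plus the policy and definitions it names."""
    body = {k: v for k, v in artifact.items() if k != "sig"}
    if artifact["sig"] != sign(OWNER_KEY, body):
        return "TAMPERED"
    if digest(policy) != artifact["policy_hash"] or digest(definitions) != artifact["definitions_hash"]:
        return "DRIFT"            # definitions changed since decision time: fail visibly
    same = decide(artifact["action"], artifact["role"], policy, definitions) == artifact["verdict"]
    return "REPRODUCED" if same else "MISMATCH"

if __name__ == "__main__":
    art, tok = authorize("read_record", "clinician", POLICY, DEFINITIONS, sign(OWNER_KEY, POLICY))
    print(art["verdict"], tok is not None, replay(art, POLICY, DEFINITIONS))
```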