Governance-as-Code for the World's AI Laws · Apache-2.0

Governance is a pipeline. Make it verifiable.

Umbrella-GovOps is the open-source governance compiler that converts policy obligations into executable YAML controls, signs every evidence bundle with cryptographic keys an auditor can verify independently, and maps 40+ global frameworks — from the EU AI Act to South Korea's Framework Act to ISO/IEC 42001 — into a single Unified Control ID system. Built for practitioners at every scale, from the solo founder completing a first risk assessment to the enterprise team shipping continuous compliance to regulators.

Forty frameworks. One compiler. Every bundle signed. Policy-as-code for the world's AI laws. Sign it. Ship it.

Umbrella is the governance compiler. AIGovOps Beacon signs the evidence. AIGovOps Lantern reads it for humans. All three are open source under the AIGovOps Foundation 501(c)(3).

Live evidence — Sigstore keyless · in-toto v1.0 · workflow: govops-ci.yml@main
09:21:14Z bundle v2026.05.29-1430 compiled · 147 controls · NIST 94% · EU 91% · ISO 42001 88% · Korea AI Framework 76%
09:21:15Z in-toto statement signed (Fulcio cert · id=workflow@refs/heads/main)
09:21:16Z Rekor inclusion proof published · log index 142337991
09:21:16Z OSCAL assessment-results.yaml emitted · POA&M auto-opened for MEASURE-2.7
09:21:17Z Annex IV technical-documentation.pdf rendered · 9 sections
09:21:18Z heatmap.html published · 3 systems × 47 unified control IDs

40+ frameworks, one control ID system

The world's AI governance frameworks, compiled.

From the EU AI Act to ISO/IEC 42001 to South Korea's AI Framework Act to UNESCO's global recommendation — every framework is a YAML catalog you can crosswalk, map to controls, and ship as evidence.

| Framework | Jurisdiction | Status | Region | Type | UCID Coverage |
|---|---|---|---|---|---|
| NIST AI RMF 1.0 | United States | In Force | Americas | Voluntary | 94% |
| NIST AI 600-1 GenAI Profile | United States | In Force | Americas | Voluntary | 82% |
| OMB M-24-10 | US Federal | In Force | Americas | Legislation | 71% |
| Colorado SB 26-189 (ADMT) | Colorado, US | Phased Jan 2027 | Americas | Legislation | 54% |
| NYC Local Law 144 | New York City, US | In Force | Americas | Legislation | 62% |
| Illinois AI Video Interview Act | Illinois, US | In Force | Americas | Legislation | 48% |
| Canada AIDA | Canada | Draft | Americas | Legislation | |
| Canada TBS Directive on ADM | Canada Federal | In Force | Americas | Guidelines | 67% |
| Brazil PL 2338/2023 | Brazil | Draft | Americas | Legislation | |
| California SB 1047 (vetoed; successor pending) | California, US | Vetoed | Americas | Legislation | |
| EU AI Act (Reg 2024/1689) | European Union | Phased Aug 2026 | EMEA | Legislation | 91% |
| GPAI Code of Practice | European Union | Voluntary | EMEA | Code of Practice | 74% |
| GDPR Article 22 | European Union | In Force | EMEA | Legislation | 58% |
| CEN-CENELEC JTC 21 Harmonised Standards | European Union | In drafting | EMEA | Standard | |
| UK Pro-Innovation Framework | United Kingdom | Voluntary | EMEA | Guidelines | 43% |
| UK AI Security Institute | United Kingdom | Operational | EMEA | Guidelines | |
| UK ICO Guidance on AI | United Kingdom | In Force | EMEA | Guidelines | 52% |
| South Korea AI Framework Act | South Korea | In Force Jan 2026 | APAC | Legislation | 76% |
| Singapore AI Verify + Model Gov | Singapore | Voluntary | APAC | Standard | 68% |
| Japan METI AI Guidelines for Business v1.1 | Japan | Voluntary | APAC | Guidelines | 54% |
| Japan AI Safety Institute | Japan | Operational | APAC | Guidelines | |
| China GenAI Interim Measures | China | In Force | APAC | Legislation | |
| Australia Guidance for AI Adoption | Australia | Voluntary | APAC | Guidelines | 49% |
| India DPDPA 2023 | India | In Force | APAC | Legislation | 41% |
| India MeitY AI Advisories | India | In Force | APAC | Guidelines | |
| Singapore IMDA WG on AI Governance | Singapore / ASEAN | Operational | APAC | Guidelines | |
| ASEAN Guide on AI Governance & Ethics | ASEAN (10) | In Force | APAC | Guidelines | 47% |
| OECD AI Principles | OECD (38+) | In Force | Global | Guidelines | |
| UNESCO Recommendation on AI Ethics | Global (194) | In Force | Global | Guidelines | 52% |
| UN HLAB-AI "Governing AI for Humanity" | UN | Recommendations | Global | Guidelines | |
| African Union Continental AI Strategy | African Union (55) | Adopted | Global | Guidelines | |
| G7 Hiroshima Process Code of Conduct | G7 | In Force | Global | Code of Practice | |
| ISO/IEC 42001:2023 | International | In Force (certifiable) | Global | Standard | 88% |
| ISO/IEC 23894:2023 | International | In Force | Global | Standard | 72% |
| ISO/IEC 5338:2023 | International | In Force | Global | Standard | 64% |
| IEEE 7000 Series | International | In Force | Global | Standard | |
| OWASP Top 10 for LLMs | International | Voluntary | Global | Guidelines | |
| OpenSSF SLSA | International | In Force | Global | Standard | |

Source of truth: umbrella-govops/frameworks/*.oscal.yaml · community contributions welcome

Your governance journey

Get to Yes. Stay at Yes. Return to Yes.

Three journeys map to the lifecycle of every AI system. Each ships with a worked example you can run today.

Journey 1 · ~4 hours

First governance bundle in one afternoon

For teams starting their governance practice — solo founders, university teams, mid-market.

  • git clone umbrella-govops
  • cp templates/system-manifest.yaml systems/my-system.yaml
  • umbrella compile --frameworks nist-ai-rmf,iso-42001
  • umbrella bundle --sign --out evidence/first.tar.zst
  • cosign verify-attestation evidence/first.tar.zst
Journey 2 · every commit

Governance in every merge

For teams with CI/CD pipelines. Governance becomes a merge blocker, not a quarterly project.

  • name: Governance CI
  • on: [push, pull_request, schedule]
  • run: umbrella compile --all
  • run: umbrella check --fail-on gap
  • run: umbrella bundle --sign --rekor-upload
Journey 3 · hours, not weeks

Incident to cleared status, cryptographically ordered

For post-incident recovery and regulatory inquiry. The Rekor log is the audit trail.

  • umbrella incident declare --severity high
  • umbrella gap-analysis --baseline last-green
  • umbrella disclose --format eu-art73
  • umbrella disclose --format oscal
  • umbrella bundle --sign --incident-closed
The ten governance domains

Every obligation, executable.

Each domain owns its controls, executable checks, and evidence templates. Add a framework — every domain inherits its requirements via Unified Control IDs.

DG

Data Governance

Provenance, bias evaluation, PII minimization. NIST MEASURE-2.11 · EU Art. 10 · Annex IV §2(d) · ISO 42001 A.7.4.

ML

Model Lifecycle

Training, eval, model cards, signing via OpenSSF Model Signing. NIST MAP-4 · EU Annex IV §2(a–c) · ISO 42001 A.8.4.

HO

Human Oversight

Operator controls, override paths, escalation. EU Art. 14 · NIST GOVERN-3.2 · Korea AI Framework Act Art. 31.

TD

Transparency & Disclosure

User notice, watermarking, deployer instructions. EU Art. 13 · GenAI labeling per India MeitY · NIST MEASURE-2.8.

SR

Security & Robustness

Adversarial, red-team, accuracy targets. EU Art. 15 · NIST MEASURE-2.7 · OWASP LLM Top 10.

LT

Logging & Traceability

Automatic event logs, retention, supply chain. EU Art. 12 · SLSA · OpenSSF Model Signing.

RM

Risk Management

Continuous, lifecycle-wide RMS. EU Art. 9 · NIST MANAGE · ISO 23894.

PM

Post-Market Monitoring

Telemetry sweep, drift detection. EU Art. 72 · Singapore AI Verify lifecycle.

IR

Incident Response

Serious-incident disclosure packs. EU Art. 73 · OECD AI Incidents · UK AISI evaluation referrals.

Unified Control ID

One control, every framework, no duplication.

UCIDs are the pivot. Edit a crosswalk row — every report reflects it.

| UCID | Title | NIST AI RMF | EU AI Act | ISO 42001 | Korea AI Framework | Singapore AI Verify |
|---|---|---|---|---|---|---|
| UCID-DATA-BIAS-001 | Dataset bias examination | MEASURE-2.11 · MAP-2.3 | Art. 10(2)(f) · Annex IV §2(d) | A.7.4 | Art. 28 (high-impact AI assessment) | Fairness testable principle |
| UCID-OVERSIGHT-001 | Human oversight measures | GOVERN-3.2 · MANAGE-2.4 | Art. 14 · Annex IV §2(e), §3 | A.6.2 | Art. 31 (operator controls) | Human agency & oversight |
| UCID-LOG-001 | Automatic event logging | MEASURE-2.8 · MANAGE-4.1 | Art. 12 · Art. 19 | A.8.3 | Art. 32 (record-keeping) | Repeatability & reproducibility |
| UCID-MODEL-SIGN-001 | Model artifact attestation | MANAGE-4.2 | Annex IV §2(c), §7 | A.8.4 | Art. 33 (provenance disclosure) | Security & supply chain |
| UCID-WATERMARK-001 | GenAI output watermarking | NIST 600-1 · MEASURE-2.8 | Art. 50 | A.7.6 | Art. 31 (GenAI transparency) | GenAI labeling extension |
| UCID-INCIDENT-001 | Serious incident reporting | MANAGE-4.3 | Art. 73 | A.9.1 | Art. 34 | Robustness & safety |

The pipeline

Six stages from YAML to a signed evidence bundle.

Every push to main runs the same DAG that produces your audit pack.

01 · Ingest
Frameworks
Load 40+ OSCAL catalogs (NIST, EU, ISO, Korea, Singapore, …). Schema-validate.
02 · Classify
Risk tier
Determine each system's risk tier across every binding jurisdiction.
03 · Run
Domain checks
10 domains in parallel — pytest, Python, and OPA / Rego policies.
04 · Crosswalk
UCID pivot
Resolve every result to its NIST subcategory, EU article, ISO clause, Korea article.
05 · Sign
Evidence bundle
in-toto + SLSA attestation, Sigstore keyless signature, Rekor receipt.
06 · Report
Conformity
OSCAL AR + Annex IV technical doc + cross-framework heatmap.

Reproducible · deterministic · independently verifiable

Cryptographic evidence

Every bundle is a signed, reproducible, transparency-logged artifact.

Sigstore keyless. in-toto v1.0 statement. SLSA provenance. Rekor receipt.

// bundle-v2026.05.29-1430.intoto.jsonl
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{ "name": "bundle.tar.zst",
                "digest": { "sha256": "9f3a…" } }],
  "predicateType":
      "https://aigovops.org/attestations/govops-evidence/v1",
  "predicate": {
    "orchestration": {
      "repo":        "bobrapp/umbrella-govops",
      "commit":      "c4f1d2…",
      "workflowRef": ".github/workflows/govops-ci.yml@refs/heads/main"
    },
    "scope":     { "systems": ["SYS-001", "SYS-002", "SYS-003"] },
    "frameworks":[
      { "id": "nist-ai-rmf-1.0", "catalogHash": "sha256:7a1b…" },
      { "id": "eu-ai-act",       "catalogHash": "sha256:33ec…" },
      { "id": "iso-iec-42001",    "catalogHash": "sha256:91d4…" },
      { "id": "korea-ai-framework-act", "catalogHash": "sha256:f02c…" }
    ],
    "results":   { "evaluated": 147, "passed": 144,
                  "failed": 0, "waived": 3 },
    "coverage":  { "nist": 0.94, "eu": 0.91, "iso_42001": 0.88, "korea": 0.76 }
  }
}

Verify any bundle with one command — no keys to manage, identity bound to the workflow ref:

# Auditor verification — no Umbrella account required
cosign verify-attestation \
  --type https://aigovops.org/attestations/govops-evidence/v1 \
  --certificate-identity-regexp "https://github.com/bobrapp/umbrella-govops/.+" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  bundle.tar.zst
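
An added example, not Umbrella's own code: policy checks an auditor could run on the statement after cosign has verified its signature, alongside a comparison of the identity regexp above with a pinned one. Field names come from the statement shown earlier; `check_statement`, `identity_accepted` and the pinned-identity policy are assumptions, and Python's `re.fullmatch` stands in for cosign's matcher.

```python
import hashlib
import re

# Values copied from the page's example statement and cosign command.
PREDICATE_TYPE = "https://aigovops.org/attestations/govops-evidence/v1"
REPO = "bobrapp/umbrella-govops"
WORKFLOW_REF = ".github/workflows/govops-ci.yml@refs/heads/main"
LOOSE_IDENTITY = r"https://github.com/bobrapp/umbrella-govops/.+"
# Assumption: only the main-branch CI workflow should count as a signer.
PINNED_IDENTITY = re.escape(f"https://github.com/{REPO}/{WORKFLOW_REF}")

def identity_accepted(pattern, san):
    """Full-string match of a certificate identity (SAN URI) against a pattern."""
    return re.fullmatch(pattern, san) is not None

def check_statement(statement, bundle):
    """Return policy violations for an already signature-verified statement."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("unexpected predicateType")
    # The signature covers the statement; the statement must cover this file.
    digest = hashlib.sha256(bundle).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("no subject digest matches the bundle file")
    pred = statement.get("predicate", {})
    orch = pred.get("orchestration", {})
    if orch.get("repo") != REPO or orch.get("workflowRef") != WORKFLOW_REF:
        problems.append("statement not produced by the pinned repo/workflow")
    res = pred.get("results", {})
    counts = [res.get(k) for k in ("evaluated", "passed", "failed", "waived")]
    if not all(isinstance(c, int) and c >= 0 for c in counts):
        problems.append("results counts missing or malformed")
    elif counts[0] != sum(counts[1:]):
        problems.append("passed + failed + waived does not equal evaluated")
    elif counts[2] > 0:
        problems.append(f"{counts[2]} control(s) failed")
    return problems

if __name__ == "__main__":
    bundle = b"constructed sample bundle"  # constructed stand-in for bundle.tar.zst
    stmt = {"_type": "https://in-toto.io/Statement/v1", "predicateType": PREDICATE_TYPE,
            "subject": [{"digest": {"sha256": hashlib.sha256(bundle).hexdigest()}}],
            "predicate": {"orchestration": {"repo": REPO, "workflowRef": WORKFLOW_REF},
                          "results": {"evaluated": 147, "passed": 144, "failed": 0, "waived": 3}}}
    print(check_statement(stmt, bundle), check_statement(stmt, b"tampered"))
```

The loose pattern accepts any workflow file at any ref under the repository, so a verifier that wants the identity tied to `govops-ci.yml` on `main` needs the pinned form.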
Built for founders & vendors

The governance primitive the AI ecosystem builds on.

Conformance you can run. An SDK you can ship. A registry your customers can find you in. Office hours where you can ask the maintainers anything.

umbrella-conformance

Certify your product against the spec

Three levels: Compatible (bundle structure + crypto), Certified (≥80% UCID coverage + all mandatory tests), Verified (independent third-party audit). Apache-2.0.

# Run the conformance suite
npx umbrella-conformance test \
  --bundle ./my-vendor-output.tar.zst \
  --profile umbrella-govops.v1 \
  --report ./conformance-report.json
umbrella-sdk

Build your integration in five lines

Python and TypeScript bindings. Emit a valid, signed evidence receipt from your product. The plugin lifecycle, the receipt schema, and the signing identity are handled for you.

# Python
from umbrella_sdk import UmbrellaPlugin, ControlEvidence

class AuditCoPlugin(UmbrellaPlugin):
    def collect_evidence(self, system_id, ucid):
        return ControlEvidence(
            ucid=ucid, source="auditco-api-v2",
            payload=self.auditco_api.get(system_id, ucid),
            signed_by=self.signing_identity)
registry.umbrella-govops.org

List your Umbrella-compatible product

Practitioners search by category, conformance level, and framework coverage. Five hypothetical categories are seeded: Enterprise GRC, AI Red-Team, MLOps Platform, Agent Runtime, Compliance Audit Firm.

  • umbrella-plugin-servicenow · Enterprise GRC
  • umbrella-plugin-giskard · AI Red-Team
  • umbrella-plugin-mlflow · MLOps Platform
  • umbrella-plugin-langchain · Agent Runtime
Founder Office Hours

Monthly — first Tuesday, 60 minutes

30 minutes of Foundation updates. 30 minutes of founder demos and open Q&A. Open to anyone building on Umbrella primitives. Sessions recorded and published.

  • Foundation roadmap walkthrough
  • Founder demo (slot rotates)
  • Open Q&A with maintainers
  • Architecture office hours
Open and equitable by design

Global access. Diverse practitioners. Verifiable accountability.

Three commitments backed by Foundation governance.

Built for every scale

Three tiers, one Apache-2.0 license. Complexity scales with org size — never access.

Starter: Solo founders & <10-person teams · 5-framework YAML pack · Decision Card template
SME: 10–500 people · 15-framework YAML pack · UCIDs · Beacon integration · audit bundle generation
Enterprise: F500 & public sector · full 40+ framework catalog · OSCAL · Sigstore keyless · Rekor registration
Core primitives are permanently free · Apache-2.0 forever

Designed for a global community

Framework catalogs published in English canonical form; community translations accepted and reviewed by regional ambassadors. Target languages within 18 months: Arabic, French, Portuguese, Spanish, Japanese, Korean.

Community calls rotate timezones in 90-day cycles — Americas (16:00 UTC) → EMEA (10:00 UTC) → APAC (02:00 UTC).

Aligned with UNESCO AI Ethics Recommendation (2021) · UN Global Digital Compact

Accessible by design

WCAG 2.2 AA target. Alt text on all graphics. prefers-reduced-motion respected throughout. Keyboard navigable with visible focus indicators. ARIA landmarks on every section.

Signal Green is used as a decorative color only — never as body text — to meet AA contrast requirements (4.5:1 minimum).

Join the foundation

The community that governs AI governance.

Four working groups. Three certification tiers. One open, neutral foundation building toward 100,000 practitioners worldwide.

Working Groups

  • Frameworks-WG · Maintain the 40+ framework YAML catalog · bi-weekly · v1.0 catalog
  • Crosswalks-WG · Cross-jurisdictional UCID mapping · monthly · NIST↔EU↔ISO 42001 full crosswalk
  • Evidence-WG · in-toto predicate spec · OVERT profile · monthly · govops-evidence/v2
  • Practitioner-Cert-WG · Certification curriculum · exam bank · capstone requirements · bi-weekly

Certification Ladder

Umbrella-Aware
1 hour · self-paced · free

Understands the governance-as-pipeline model. Can read a Decision Card and a UCID crosswalk.

Umbrella Certified Practitioner (UCP)
8 hours + exam · ~$400

Can produce a complete evidence bundle for a new system. Understands Sigstore verification and YAML control authoring.

Umbrella Certified Engineer (UCE)
40 hours + capstone · ~$900

Can architect a governance pipeline for an enterprise. Writes new UCID crosswalk rows. Builds Umbrella plugins.

Companion projects

Beacon signs. Lantern reads.

Umbrella is the framework. Two paired-light projects live under it: Beacon, the always-on policy-as-code runtime that signs and attests, and Lantern, the human-carried companion that reads those artifacts and illuminates conformance for the people doing the work.

Both companion projects must always appear in their compound AIGovOps form in product branding, package names, and domain names. See the Foundation Trademark Policy § 7.

Proven in production

Governance that survives real incidents.

Umbrella ships with Beacon's 100-incident failure database mapped to framework controls. Your case study could be next.

Case Study · slot 1

Your story here

First production team to ship an Umbrella-signed bundle for the EU AI Act.

Case Study · slot 2

Your story here

First public-sector deployment using Umbrella for OMB M-24-10 use-case inventory.

Case Study · slot 3

Your story here

First plugin from the registry achieving Umbrella Verified (Level 3).

Governance is not a PDF. It is a pipeline. Every control is a YAML contract, every assertion is a test, every audit is a signed artifact.

Umbrella-GovOps · founding principle