An AI-powered compliance platform that automatically scans engineering repositories, scores code against 10 regulatory frameworks, and generates audit-ready artifacts — embedding AI governance directly into the software development lifecycle.
As AI regulation accelerates — NIST AI RMF, ISO/IEC 42001, the EU AI Act, HIPAA AI guidance — engineering teams face a compliance gap that grows with every sprint. The standard response is to hire consultants who produce binders of documentation that are obsolete before the ink dries.
Engineering managers have no automated way to know whether a repo deploying an AI model contains human oversight controls, PII handling protections, or audit logging — until a compliance audit exposes the gap.
Model Cards, DPIAs, Risk Assessments, and Ethics Charters are typically created by policy teams after a model is already in production. They rarely reflect actual implementation and are produced once — never updated.
Governance reviews happen at the end of the project, not throughout it. There's no mechanism to enforce that a model cannot be promoted to staging without a completed Fairness Audit or Risk Assessment sign-off.
Different stakeholders speak different languages: legal speaks EU AI Act, security speaks NIST, QA speaks ISO 42001, finance speaks SOC2. No single tool maps a codebase's compliance posture across all of them simultaneously.
A risk assessment filed at project kickoff doesn't reflect the model architecture that shipped six months later. Compliance evidence ages out but stays in the binder, creating false confidence for auditors and regulators.
Without automation, AI governance is pure overhead — analyst hours, legal reviews, documentation sprints. The cost scales linearly with portfolio size, making governance prohibitive for smaller AI teams.
The Advisory AI Governance Platform runs as an Azure-native application: a Python Function App backed by Cosmos DB and Blob Storage, powered by Claude via Azure AI Foundry. It exposes three capabilities — automated code scanning, AI artifact generation, and gate-based compliance workflows — via a REST API and a static web dashboard.
The code scanner evaluates every file in a repository against pattern libraries across 7 domains. Patterns are stored in Cosmos DB and loaded dynamically — new rules can be added without redeployment.
Policy references, POL-ID annotations, compliance_policy declarations. Checks for missing policy coverage on AI training and deployment functions.
Human oversight controls (requires_review, human_review), bias detection hooks, explainability implementations, fairness constraints.
Audit logging patterns, compliance decorators, regulatory reporting hooks, change management annotations, version control for models.
PII handling patterns, data anonymization, consent management, data retention enforcement, encryption-at-rest signals, GDPR/HIPAA compliance markers.
Risk scoring implementations, threat modeling annotations, adversarial robustness tests, fallback and circuit-breaker patterns for AI model calls.
Model card generation hooks, training data lineage annotations, performance benchmark documentation, known limitations declarations, version metadata.
Model drift detection, data quality monitoring, performance tracking, alert implementations, telemetry hooks, SLA enforcement patterns.
A single scan produces a compliance score per domain per framework. Engineering leads see their NIST posture; legal sees their ISO 42001 posture; security sees their XDR posture — from the same scan run.
requires_human_review=True or approval gate before model.deploy()
anonymize_pii() or remove PII from model input
Each project progresses through five gates. The API enforces that no gate can be approved until its required artifacts are generated and its compliance score meets the configured threshold. Gate approvals are immutably logged to the Cosmos DB audit trail.
Each artifact is generated by Claude via Azure AI Foundry, seeded with project-specific context from Cosmos DB (scan results, risk findings, project metadata), and stored in Blob Storage with a 365-day SAS URL for auditor access.
Intended use, training data lineage, performance benchmarks, limitations, known failure modes.
NIST · ISO · EU AI ActData Protection Impact Assessment covering PII flows, retention, third-party sharing, data subject rights.
GDPR · HIPAA · ISO 42001Structured risk register with severity, likelihood, mitigations, and residual risk per NIST MAP pillars.
NIST MAP · ISO 6.1Bias surface analysis, protected attributes, disparate impact testing plan, fairness metric targets.
EU AI Act · NIST MEASUREStakeholder accountability matrix, ethical red lines, escalation paths, transparency commitments.
NIST GOVERN · ISO 5.2Human-in-the-loop Standard Operating Procedure: when to escalate, who reviews, decision authority matrix.
NIST GOVERN-2 · ISO 6.1Customizable AI use policy with prohibited use cases, acceptable use bounds, compliance attestation.
NIST GOVERN-1 · ISO 5.2Framework-aligned KPI definitions with thresholds, measurement frequency, alerting rules, owner assignments.
NIST MANAGE-4 · ModelOpsCross-framework traceability matrix showing how each control satisfies multiple regulatory requirements simultaneously.
All 10 frameworkscompute.bicep
(Function App + App Service Plan), data.bicep (Cosmos DB + containers),
storage.bicep (static site + blob containers), monitoring.bicep
(Application Insights + Log Analytics). Three environment configs (dev.bicepparam,
staging.bicepparam, prod.bicepparam) switch between:
make deploy-all runs the complete pipeline: infra → functions → web → seed.
The Makefile enforces ordering and provides a blast-radius audit target (make audit)
that inventories every resource the deployment touches before any changes are applied.
DefaultAzureCredential from azure-identity
throughout. In production, the app's system-assigned managed identity is granted:
get_cosmos_client() function gracefully falls back from connection string
to managed identity — enabling local development with connection strings while prod uses
zero-secret managed identity. No secrets touch environment variables in production.
_progress_store keyed by a request UUID sent by the frontend.
/api/v1/chat/progress/{request_id} at 500ms intervals,
receiving a stream of tool call events to render live "Claude is calling NewsAPI..."
status updates in the UI. Events are pruned after 10 minutes via a TTL check.
governance-patterns Cosmos
container at deployment time from scripts/seed/patterns.py. At runtime,
GovernanceCodeScanner loads them from Cosmos DB on each scan request.
FALLBACK_PATTERNS ensures the
scanner remains operational even if Cosmos DB is temporarily unavailable.
nist_mapping: "GOVERN-1.1", iso_mapping: "5.2", and
fw_mappings: {"eu_ai_act": "Art.9.1"} simultaneously.
The platform uses Claude to generate compliance artifacts — which raises an immediate question: who governs the AI that's doing the governing? The answer is a set of structural safeguards that prevent the AI layer from being the sole authority on any compliance decision.
The compliance score is computed by a deterministic Python regex scanner — not an LLM. Claude generates the artifact prose and recommendations, but the score that determines whether a gate passes or fails is computed code, not model output. The same division used in the migration analysis platform's provisioning engine applies here.
Every gate submission, approval, artifact generation, and scan is written to the
governance-audit Cosmos container with a timestamp, actor, event type,
and artifact reference. Audit records are append-only — there is no delete path
in the governance routes. Regulators get a complete chain of custody.
The platform generates artifacts and computes scores, but it cannot approve its own gates.
Every gate in the SDLC workflow requires a named human approver via
POST /api/v1/governance/gates/{id}/approve. The AI surfaces the evidence;
humans make the compliance decision.
Every scan finding carries explicit framework citations:
nist_mapping, iso_mapping, pillar_mapping, and
a fw_mappings dict for all applicable frameworks. There is no finding
without a citation. Auditors can trace any finding directly to the specific
article, function, or control it maps to.
The platform shifts governance from a project-end activity to a continuous SDLC signal. The downstream effects are significant: faster audits, earlier risk detection, and compliance posture that is always current — not a snapshot from last quarter's consultant engagement.
Built for an advisory services context, the platform addresses the specific challenge of
governing a portfolio of AI models developed across multiple client engagements and internal
teams — each with different risk profiles, regulatory environments, and technology stacks.
The multi-tenant design (all operations scoped by tenantId) allows a single
deployment to serve multiple business units or clients with full data isolation.
The AIOps Command Center and PE Intelligence chat surfaces provide executives and account teams
with real-time governance posture visibility without requiring technical access to
underlying scan data.
From GitHub repo scan to production gate approval — every step documented, every finding cited, every artifact AI-generated and auditor-ready. Built on Azure AI Foundry with Claude Sonnet 4.5.
Azure Functions · Cosmos DB · Blob Storage · Azure AI Foundry · Bicep IaC · Python 3.11