Part I: The Manifesto
The Manifesto establishes the organization’s sociotechnical constitution. It recognizes a fundamental truth: in a probabilistic era, we cannot govern solely through rigid process steps. We must govern through Inviolable Principles.
1. Decisions Before Tools
“Value-stream intent, outcomes, and constraints precede any model or vendor selection.”
We do not approve “Tools”; we approve “Decisions.” Before a line of code is written, the business objective must be defined.
2. Humans Accountable; AI Augments
“Autonomy is earned and reversible; authority remains human.”
An AI agent cannot be sued or jailed. Therefore, it can never be the “Accountable” party. Autonomy is a privilege granted by the system, which can be revoked instantly if the agent drifts.
3. Value Streams First
“Adopt and learn where value is created; scale only when evidence and safety permit.”
Governance is not a blanket policy; it is anchored to specific value streams.

4. Evidence Over Assertion
“Every gate is decided on tamper-evident Evidence Packs, not slideware.”
In deterministic software, we trusted a “Green Build.” In probabilistic AI, we require quantitative proof. Continuous Authority to Operate (cATO) is derived exclusively from signed Evidence Packs.

5. Safety First (Hard Gates)
“Safety/privacy/policy minima are hard gates; no appeal to future fixes.”
There is a distinction between Quality (sliding scale) and Safety (binary). If a safety gate (e.g., PII leak) is breached, the transaction is blocked immediately.
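To make principles 4 and 5 concrete, here is an added illustration; it is not code from the manifesto or from any product it references. It builds a minimal Evidence Pack that is tamper-evident through a canonical hash plus an HMAC signature, then makes a gate decision that checks the signature first, treats the safety checks as binary hard gates, and only afterwards scores quality on a sliding scale. The gate names, the quality threshold, the signing key and the sample evidence are all constructed for this example.

```python
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed signing key for this demo only; a real deployment keeps the key
# in a KMS/HSM and the verifier never sees the raw secret in source.
DEMO_SIGNING_KEY = b"demo-evidence-pack-key-not-for-production"

# Assumed hard gates: any non-zero count blocks, with no appeal to future fixes.
HARD_GATES = ("pii_leak", "policy_violation", "privacy_breach")

# Quality is a sliding scale: a threshold, not a binary rule.
QUALITY_THRESHOLD = 0.80


def canonical(payload: dict) -> bytes:
    """Canonical JSON so that any byte-level change alters hash and signature."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_pack(payload: dict, key: bytes = DEMO_SIGNING_KEY) -> dict:
    """Wrap evidence as a tamper-evident Evidence Pack: content hash plus HMAC."""
    body = canonical(payload)
    return {
        "payload": copy.deepcopy(payload),
        "sha256": hashlib.sha256(body).hexdigest(),
        "signature": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }


def verify_pack(pack: dict, key: bytes = DEMO_SIGNING_KEY) -> bool:
    """Reject any pack whose payload no longer matches its hash and signature."""
    body = canonical(pack["payload"])
    if hashlib.sha256(body).hexdigest() != pack["sha256"]:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pack["signature"])


@dataclass(frozen=True)
class GateDecision:
    verdict: str    # "BLOCK", "CONDITIONAL" or "APPROVE"
    reasons: tuple  # why the verdict was reached


def decide_gate(pack: dict, key: bytes = DEMO_SIGNING_KEY) -> GateDecision:
    """Decide a gate from evidence alone: signature, then hard gates, then quality."""
    if not verify_pack(pack, key):
        return GateDecision("BLOCK", ("evidence pack failed signature verification",))

    evidence = pack["payload"]
    safety = evidence.get("safety", {})
    # Hard gates are binary: one breach blocks regardless of any quality score.
    breached = tuple(g for g in HARD_GATES if safety.get(g, 0) > 0)
    if breached:
        return GateDecision("BLOCK", tuple(f"hard gate breached: {g}" for g in breached))

    # Quality is graded: below threshold means conditional approval, not a block.
    score = float(evidence.get("quality", {}).get("eval_score", 0.0))
    if score < QUALITY_THRESHOLD:
        return GateDecision("CONDITIONAL", (f"quality {score:.2f} below {QUALITY_THRESHOLD:.2f}",))
    return GateDecision("APPROVE", (f"quality {score:.2f} meets threshold",))


# Constructed sample evidence; the value stream and model names are placeholders.
CLEAN_EVIDENCE = {
    "value_stream": "claims-triage",
    "model": "placeholder-model-v1",
    "safety": {"pii_leak": 0, "policy_violation": 0, "privacy_breach": 0},
    "quality": {"eval_score": 0.91},
}

if __name__ == "__main__":
    pack = sign_pack(CLEAN_EVIDENCE)
    print(decide_gate(pack))
    # Editing the pack after signing (e.g. hiding a PII leak) is detected.
    pack["payload"]["safety"]["pii_leak"] = 3
    print(decide_gate(pack))
```

The ordering inside `decide_gate` is the point: an unsigned or altered pack never reaches the gate logic, a breached safety gate blocks before any quality number is read, and only a clean pack is graded.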
6. Policy-as-Code at Time-of-Use
“Policies compile to decisions at PEPs (Policy Enforcement Points) when actions occur.”
Governance documents in PDFs are “dead artifacts.” To govern an agent operating in milliseconds, policy must be executable code (e.g., OPA/Rego).
7. Zero Trust Identities
“Distinct identities, least privilege, short-lived secrets; prove, don’t assume.”
Identity is the new perimeter. Every agent must possess a verifiable cryptographic identity (SPIFFE) to access tools or data.
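Principles 6 and 7 together describe a Policy Enforcement Point that proves an agent's identity and compiles policy into a decision at the moment an action occurs. The following is an added example, not code from the manifesto, OPA or the SPIFFE project: a simplified SPIFFE ID parser, a stand-in for a short-lived SVID, a declarative policy held in a dict (where OPA would use Rego) compiled into rule functions, and a PEP that rejects malformed, foreign, expired or long-lived identities before applying least-privilege grants with default deny. The trust domain `corp.example`, the `claims-triage/agent` identity, the tool names and the limits are all constructed placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# Simplified SPIFFE ID grammar: spiffe://<trust-domain>/<path>. The trust domain
# is lowercase; every path segment is non-empty and never "." or "..".
_TRUST_DOMAIN = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")

def parse_spiffe_id(raw: str) -> Tuple[str, Tuple[str, ...]]:
    """Validate a SPIFFE ID and split it into (trust_domain, path_segments)."""
    if not raw.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe://")
    domain, sep, path = raw[len("spiffe://"):].partition("/")
    if not sep or not path or not _TRUST_DOMAIN.match(domain):
        raise ValueError("missing or invalid trust domain or path")
    segments = tuple(path.split("/"))
    for seg in segments:
        if seg in (".", "..") or not _PATH_SEGMENT.match(seg):
            raise ValueError(f"invalid path segment {seg!r}")
    return domain, segments

@dataclass(frozen=True)
class SVID:
    """Constructed stand-in for a short-lived SVID (really an X.509 cert or JWT)."""
    spiffe_id: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Action:
    tool: str          # tool or data source the agent wants to call
    verb: str          # operation on it, e.g. "read"
    record_count: int  # how much data the call would touch

# A compiled rule returns True (allow), False (deny) or None (no opinion).
Rule = Callable[[str, Tuple[str, ...], Action], Optional[bool]]

def compile_policy(spec: dict) -> List[Rule]:
    """Compile a declarative policy (a dict here; Rego in OPA) into executable rules."""
    # Least-privilege grants: identity path -> the exact (tool, verb) pairs it may use.
    grants = {
        tuple(ident.split("/")): {tuple(p.split(":", 1)) for p in perms}
        for ident, perms in spec["grants"].items()
    }
    max_records = spec["limits"]["max_records_per_call"]

    def grant_rule(domain, path, action):
        return True if (action.tool, action.verb) in grants.get(path, set()) else None

    def limit_rule(domain, path, action):
        # A hard limit is a deny, and a deny always wins over a grant.
        return False if action.record_count > max_records else None

    return [grant_rule, limit_rule]

class PolicyEnforcementPoint:
    """Decides each action at time of use: prove the identity, then run the rules."""

    def __init__(self, trust_domain: str, rules: List[Rule], max_ttl: timedelta):
        self.trust_domain = trust_domain
        self.rules = rules
        self.max_ttl = max_ttl  # long-lived credentials are rejected outright

    def authorize(self, svid: SVID, action: Action, now: datetime) -> Tuple[bool, str]:
        try:
            domain, path = parse_spiffe_id(svid.spiffe_id)
        except ValueError as exc:
            return False, f"identity rejected: {exc}"
        if domain != self.trust_domain:
            return False, "identity from foreign trust domain"
        if not (svid.not_before <= now < svid.not_after):
            return False, "SVID not valid at time of use"
        if svid.not_after - svid.not_before > self.max_ttl:
            return False, "SVID lifetime exceeds policy maximum"
        decisions = [rule(domain, path, action) for rule in self.rules]
        if False in decisions:
            return False, "denied by policy rule"
        if True in decisions:
            return True, "allowed by explicit grant"
        return False, "no grant for this action (default deny)"

# Constructed policy and identity for the demo; all names are placeholders.
DEMO_POLICY = {
    "grants": {"claims-triage/agent": ["claims-db:read", "doc-store:read"]},
    "limits": {"max_records_per_call": 1000},
}
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
AGENT_SVID = SVID("spiffe://corp.example/claims-triage/agent",
                  NOW - timedelta(minutes=5), NOW + timedelta(minutes=55))
PEP = PolicyEnforcementPoint("corp.example", compile_policy(DEMO_POLICY), timedelta(hours=1))

if __name__ == "__main__":
    print(PEP.authorize(AGENT_SVID, Action("claims-db", "read", 10), NOW))
    print(PEP.authorize(AGENT_SVID, Action("claims-db", "write", 1), NOW))
```

Note that `authorize` takes `now` as a parameter rather than reading the clock: the decision is made for the instant the action occurs, which also makes the expiry and lifetime checks testable. Nothing in the grant table is implied; an identity with no entry, or a verb not listed for it, falls through to default deny.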