Category: Governance | Status: living | Owner: Azwaan | Reviewed: 2026-07-05

AI Governance

How AI assistants and agents participate in architectural evolution — their responsibilities, authority boundaries, and the human approvals they require. This is the governance counterpart to the AI Collaboration Model: that page describes how AI collaborates; this page sets the limits. Implemented behaviour is separated from future vision; the governing rule is AI proposes and drafts; humans decide and approve (Operating Principles O1–O3).

Authority model

```mermaid
graph TD
    subgraph MayDo["AI MAY (without approval)"]
        M1[Draft ADRs / digests / capability pages]
        M2[Generate diagrams & analysis]
        M3[Invoke skills; run deterministic tools]
        M4[Explain findings from structured facts]
        M5[Propose placements via the Decision Matrix]
    end
    subgraph NeedsHuman["AI MUST get human approval"]
        H1[Accept an ADR / change architecture]
        H2[Create / retire / archive a repo]
        H3[Publish a pack version]
        H4[Send anything customer-facing]
        H5[Promote a knowledge asset to canonical]
        H6[Resolve ambiguous capability ownership]
    end
    subgraph Never["AI MUST NOT"]
        N1[Auto-send external communications]
        N2[Mutate a consumed/immutable artefact]
        N3[Fabricate facts to fill gaps]
        N4[Overwrite HUMAN-marked regions]
    end
```

Per-actor governance

| Actor | Responsibilities | Authority boundary | Required human approval | Status |
| --- | --- | --- | --- | --- |
| Claude Code | Build/document repos & portal; draft ADRs; run skills & checks | May draft & generate; may not accept ADRs or change architecture unilaterally | ADR acceptance; repo create/retire; anything external | ✅ Implemented |
| ChatGPT | Draft content that drops into templates; advise | Same as Claude Code; chat-window outputs are proposals | Same | ✅ Implemented (working rules in chatgpt.handoff) |
| Shared Skills | Provide deterministic tools + method the assistants invoke | Skills execute within an assistant’s session; no standing authority | Inherit the invoking assistant’s approvals | ✅ Implemented |
| In-product AI (assessment narrative) | Explain rule-based findings/recs from structured facts | Explain only — never decides; stricter for regulated verticals | Admin approves the report before sharing | ✅ Implemented |
| OpenClaw (Future) | Governed agent consuming services | Must consume via service contracts, under one claims/tone guardrail | Human approval for any external action; scoped tool access | ⏳ Planned |
| Hermes (Future) | Learning loop re-weighting intelligence | One-way: publishes a new pack version; never mutates | Human review before a re-weighted pack is adopted | ⏳ Planned |
| portfolio-portal-orchestrator (Future) | Regenerate derived docs | Writes only `<!-- GENERATED -->` regions; preserves `<!-- HUMAN -->` | Human review of structural diffs; can’t accept ADRs | ⏳ Spec only |

Approval gates AI cannot bypass (evidenced)

  • Nothing auto-sent — external communications require human approval (O2; outreachagent “golden rule”).
  • Human owns canonical intelligence — no asset becomes canonical without founder approval (FIP “human approval mandatory”).
  • Deterministic decides, AI explains — customer-facing recommendations are rule-based, not AI opinion (Principle 11).
  • Evidence-first — AI records uncertainty; it does not invent to fill gaps (Principle 8).
  • Immutable regions & artefacts — AI preserves `<!-- HUMAN -->` regions and never mutates an immutable pack/run.
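One way to enforce the last gate mechanically, as an added example that is not the portal's or orchestrator's own code: a pre-write check that a regenerated document differs from the committed original only inside `<!-- GENERATED -->` regions. It assumes regions are closed by `<!-- /HUMAN -->` and `<!-- /GENERATED -->` markers (the page names only the opening markers) and treats unmarked text as immutable as well; the sample documents are constructed.

```python
import re

# Assumed delimiters: the page names only the opening markers <!-- HUMAN --> and
# <!-- GENERATED -->; the closing forms <!-- /HUMAN --> / <!-- /GENERATED --> are this example's assumption.
REGION_RE = re.compile(r"<!-- (HUMAN|GENERATED) -->(.*?)<!-- /\1 -->", re.DOTALL)
MARKER_RE = re.compile(r"<!-- /?(HUMAN|GENERATED) -->")


def split_regions(doc: str) -> list[tuple[str, str]]:
    """Ordered (kind, content) segments, kind in HUMAN / GENERATED / TEXT.
    A stray or unclosed marker raises, so a truncated region can never be
    treated as freely editable text."""
    segments, pos = [], 0
    for m in REGION_RE.finditer(doc):
        segments.append(("TEXT", doc[pos:m.start()]))
        segments.append((m.group(1), m.group(2)))
        pos = m.end()
    segments.append(("TEXT", doc[pos:]))
    if any(k == "TEXT" and MARKER_RE.search(c) for k, c in segments):
        raise ValueError("unbalanced region marker")
    return segments


def check_regeneration(original: str, regenerated: str) -> list[str]:
    """Return violations; an empty list means the regenerated document may be written.
    Only GENERATED regions may change: HUMAN regions and unmarked text must be
    byte-identical, and the region layout (count and order) must be preserved."""
    before, after = split_regions(original), split_regions(regenerated)
    if [k for k, _ in before] != [k for k, _ in after]:
        return ["region layout changed: regions added, removed or reordered"]
    return [f"segment {i} ({kind}) modified outside a GENERATED region"
            for i, ((kind, old), (_, new)) in enumerate(zip(before, after))
            if kind != "GENERATED" and old != new]


# Constructed sample documents, not taken from the portal.
ORIGINAL = """# capability page
<!-- HUMAN -->
Owner decision: keep this capability in the shared platform.
<!-- /HUMAN -->
<!-- GENERATED -->
Last regenerated: 2026-07-01
<!-- /GENERATED -->
"""
GOOD = ORIGINAL.replace("2026-07-01", "2026-07-05")              # edit inside GENERATED only
BAD_EDIT = ORIGINAL.replace("shared platform", "venture repo")   # rewrites the HUMAN region
BAD_DROP = re.sub(r"<!-- HUMAN -->.*?<!-- /HUMAN -->\n", "", ORIGINAL, flags=re.DOTALL)  # HUMAN region removed
```

Run the check on the orchestrator's proposed output before it touches the repo; a non-empty list blocks the write and becomes the structural diff a human reviews.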

As autonomy increases

The human approval boundary is preserved as automation grows: future agents (OpenClaw, Hermes, orchestrator) expand within gates — consuming services, drafting, regenerating — but capture, review, approval, and architectural governance remain human. New autonomous behaviour is introduced only via an ADR that defines its authority boundary explicitly.

Governance checklist for introducing a new AI capability

  • [ ] Passes the four-part test
  • [ ] Consumes service contracts, not venture repos (ADR 0005, proposed)
  • [ ] Its authority boundary is written down (may / must-approve / must-not)
  • [ ] Required human approvals are defined and enforced
  • [ ] Outputs are evidence-grounded; uncertainty is surfaced
  • [ ] An ADR records the decision