mancitrus/system-prompts-and-models-of-ai-tools
1
0
Fork 0
mirror of https://github.com/x1xhlol/system-prompts-and-models-of-ai-tools.git synced 2026-06-17 23:09:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
33af10127d
system-prompts-and-models-o.../docs/governance/pdpl-nca-ai-control-matrices.md

51 lines
2.6 KiB
Markdown
Raw Blame History

# PDPL, NCA ECC, and AI control matrices (operational templates) — WS7
**Not legal advice.** Engineering templates to operationalize [`saudi-compliance-and-ai-governance.md`](saudi-compliance-and-ai-governance.md).
## PDPL control matrix (template)
| Control ID | Topic | Implementation hint | Evidence |
|------------|-------|----------------------|----------|
| PDPL-01 | Lawful basis documented | Link to consent / contract in [`salesflow-saas/docs/legal/`](../../salesflow-saas/docs/legal/) | Policy version + UI copy hash |
| PDPL-02 | Data minimization | Field-level collection review per feature | Design review sign-off |
| PDPL-03 | Subject access / export | Runbook + API capability | Test + ticket |
| PDPL-04 | Retention & deletion | TTL jobs + soft-delete | Job logs |
| PDPL-05 | Processor / subprocessor register | Table of vendors + regions | Updated quarterly |
## NCA ECC readiness gap register (template)
| ECC theme | Gap | Mitigation owner | Target date | Status |
|-----------|-----|------------------|-------------|--------|
| Asset management | … | … | … | Open |
(Replace with organization-specific mapping against ECC 2-2024 controls.)
## AI governance mapping (NIST AI RMF + OWASP LLM)
| RMF function | Practical control | Release gate |
|--------------|-------------------|--------------|
| Govern | Model allowlist per environment | WS6 |
| Map | Data flow for prompts containing PII | WS7 |
| Measure | Offline eval + red-team subset | WS4 |
| Manage | Rollback + incident runbook | WS3/WS6 |
| OWASP LLM risk | Mitigation | Test |
|----------------|------------|------|
| Prompt injection | Tool allowlists + input guards | Automated + manual |
| Insecure output handling | Schema validation on outputs | pytest |
| Excessive agency | Executor vs recommender separation | Policy review |
## Region / residency flags
Define configuration keys for **data region** and **LLM routing** per tenant; document in ADR when enforced in `policy_engine` or external PDP.
---
## Enterprise release gate (operational)
Before tagging an **enterprise** release candidate:
1. Reconcile this matrix with [`../enterprise-readiness.md`](../enterprise-readiness.md) and [`saudi-compliance-and-ai-governance.md`](saudi-compliance-and-ai-governance.md).
2. Attach evidence: PDPL rows above filled (no `…` placeholders for production claims), NCA gap register owner + date, AI RMF row sign-off.
3. Cross-check [`../TIER1_MASTER_CLOSURE_CHECKLIST_AR.md`](../TIER1_MASTER_CLOSURE_CHECKLIST_AR.md) §14 and [`../../salesflow-saas/docs/tier1-master-closure-checklist.md`](../../salesflow-saas/docs/tier1-master-closure-checklist.md) Gate 8.
Reference in New Issue View Git Blame Copy Permalink