system-prompts-and-models-o.../docs/governance/saudi-compliance-and-ai-governance.md
Sami Assiri b4531f0a4c feat(tier1): docs-governance CI, evidence gate, closure artifacts, trust/execution docs
- Replace repo-preflight with docs-governance workflow and check_docs_links.py
- Class B bundle: require correlation_id for external_*; AuditMetadata trace fields
- Root-safe TIER1 §2; optional .githooks pre-push for main
- Add RELEASE_READINESS_MATRIX_AR, SOURCE_OF_TRUTH_INDEX, operational severity, external index
- ExecWeeklyGovernanceContract; expand trust-fabric, execution-fabric, ADR-0001, ws5, Saudi overlays
- Wire MASTER TOC, enterprise-readiness, completion-program, architecture_brief paths

Made-with: Cursor
2026-04-16 16:46:36 +03:00


# Saudi compliance & AI governance register (design-time)

**Not legal advice.** This is an engineering **readiness register** for building Dealix as a **Tier-1** operating system in KSA/GCC. Legal review remains required for production claims and customer contracts.

**Canonical trust model:** [trust-fabric.md](trust-fabric.md). **Product legal texts:** [`salesflow-saas/docs/legal/`](../../salesflow-saas/docs/legal/).

---
## 1. PDPL / personal data (design checklist)
When processing data that may identify individuals in the Kingdom:
- **Inventory** data categories, purposes, lawful basis, retention, subprocessors, and cross-border transfers (if any).
- **Minimize** collection; default deny for exports and bulk analytics on personal fields.
- **Consent and notices** aligned with product copy ([`salesflow-saas/docs/legal/consent-policy-ar.md`](../../salesflow-saas/docs/legal/consent-policy-ar.md), privacy / data protection docs).
- **AI-specific:** training, enrichment, search, scoring, messaging, and **logs** can all be processing — classify sensitivity (S0–S3) per [approval-policy.md](approval-policy.md) and route S2/S3 away from unreviewed third-party models/tools.
- **Subject rights / export:** define operational runbooks before offering enterprise SLAs.
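
The AI-specific routing rule in the checklist above, as an added example (not Dealix code): a fail-closed gate that refuses unclassified data and keeps S2/S3 away from unreviewed third-party targets. The target names, the `reviewed` flag and the choice to let S0/S1 through are assumptions; the tier definitions themselves live in approval-policy.md.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    # Ordinal tiers only; what each tier means is defined in approval-policy.md.
    S0 = 0
    S1 = 1
    S2 = 2
    S3 = 3


@dataclass(frozen=True)
class Target:
    name: str          # hypothetical model/tool identifier
    third_party: bool
    reviewed: bool     # assumed flag: target has passed internal review


# Processing purposes named in the register; logs count as processing too.
PURPOSES = {"training", "enrichment", "search", "scoring", "messaging", "logs"}

# Constructed registry; none of these names come from the project.
TARGETS = {
    "internal-llm": Target("internal-llm", third_party=False, reviewed=True),
    "vendor-llm-reviewed": Target("vendor-llm-reviewed", True, True),
    "vendor-llm-new": Target("vendor-llm-new", True, False),
}


def route(purpose, label, requested):
    """Return (allowed, reason). Anything unknown is denied."""
    if purpose not in PURPOSES:
        return False, "purpose not in inventory"
    target = TARGETS.get(requested)
    if target is None:
        return False, "unknown target"
    try:
        level = Sensitivity[label]
    except (KeyError, TypeError):
        return False, "unclassified data"
    if level >= Sensitivity.S2 and target.third_party and not target.reviewed:
        return False, f"{level.name} may not reach unreviewed third party"
    return True, f"{purpose}: {level.name} -> {target.name}"
```
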

**References (external):** Saudi PDPL / SDAIA knowledge center and official guidance — verify current text with counsel.

---
## 2. NCA cybersecurity posture (readiness, not certification)
Design so the platform **can** align with **ECC** and related cloud/data controls (**DCC**, **CCC**) as the customer tier demands:
- Asset inventory, patch cadence, access control, logging, incident response hooks.
- **Segregation** of prod/staging; break-glass for admin; audit streaming for long retention (pair with [github-and-release.md](github-and-release.md) audit notes).

**References (external):** NCA published controls and updates (e.g. ECC 2-2024 track) — map controls to features in an ADR when pursuing attestation.

---
## 3. AI governance (NIST + OWASP)
Use as a **risk and testing** frame for agentic features:

| Frame | Use in Dealix |
|-------|----------------|
| **NIST AI RMF** | Govern, map, measure, manage — tie to release gates and evidence packs |
| **NIST Generative AI profile** | Supplement for LLM-specific risks |
| **OWASP Top 10 for LLM Apps** | Prompt injection, insecure output handling, excessive agency, sensitive disclosure — explicit test cases in CI where feasible |

Pair with [trust-fabric.md](trust-fabric.md): red-team workflows, structured output validation, tool allowlists, and rollback plans for Class B / R2+.
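
What "structured output validation" and "tool allowlists" can look like as explicit CI cases, as an added example (not code from this repository): a gate that checks each model-proposed tool call before execution. The tool names, argument schema and call budget are hypothetical.

```python
import json

# Constructed allowlist: tool name -> {argument name: required type}.
ALLOWED_TOOLS = {
    "crm_lookup": {"account_id": str},
    "draft_message": {"account_id": str, "body": str},
}
MAX_TOOL_CALLS = 5  # assumed per-task budget against unbounded tool loops


def check_tool_call(raw, calls_so_far):
    """Validate one model-proposed tool call. Returns (ok, reason)."""
    if calls_so_far >= MAX_TOOL_CALLS:
        return False, "tool budget exhausted"
    try:
        call = json.loads(raw)
    except (TypeError, ValueError):
        return False, "output is not JSON"
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        return False, "unexpected structure"
    tool = call["tool"]
    spec = ALLOWED_TOOLS.get(tool) if isinstance(tool, str) else None
    if spec is None:
        return False, "tool not on allowlist"
    args = call["args"]
    if not isinstance(args, dict) or set(args) != set(spec):
        return False, "argument names do not match schema"
    for name, typ in spec.items():
        if not isinstance(args[name], typ):
            return False, f"argument {name} has wrong type"
    return True, "ok"


def run_ci_cases():
    """Constructed cases of the kind a CI job could assert on."""
    cases = [
        ('{"tool": "crm_lookup", "args": {"account_id": "A1"}}', 0, True),
        ('{"tool": "export_all", "args": {}}', 0, False),          # excessive agency
        ('Sure! {"tool": "crm_lookup"}', 0, False),                 # free-text output
        ('{"tool": "crm_lookup", "args": {"account_id": 7}}', 0, False),
        ('{"tool": "crm_lookup", "args": {"account_id": "A1"}}', 5, False),
    ]
    return [check_tool_call(raw, n)[0] == want for raw, n, want in cases]
```
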
### Plane overlay (where each frame lands)
| Plane | NIST GenAI emphasis | OWASP LLM emphasis |
|-------|---------------------|-------------------|
| **Decision** | Map/manage model behavior in prompts & memos | Prompt injection, insecure output handling |
| **Trust** | Measure/manage evaluations & incidents | Sensitive disclosure, excessive agency (governance) |
| **Connector** | Map third-party tool/data exposure | Supply chain for tools/MCP |
| **Data** | Map PDPL-relevant flows | Training data poisoning (if applicable) |
| **Runtime / cost** | Manage capacity & monitoring | Unbounded tool loops, denial of wallet |

Detailed control rows live in [pdpl-nca-ai-control-matrices.md](pdpl-nca-ai-control-matrices.md). External link list: [`../references/tier1-external-index.md`](../references/tier1-external-index.md).

**References (external):** NIST publications portal; OWASP LLM Top 10 and GenAI security project pages.

---
## 4. Arabic-first execution (product, not theme)
Beyond RTL UI:
- Arabic **classification** and **summaries** for internal notes where policy allows.
- **Partner memos** and **notification templates** with terminology normalization (sector-specific).
- **Retrieval quality** for Arabic queries (embedding model + chunking + evaluation).
- **Trust cues** in UX (support, compliance, local expectations).

See [design-and-arabic.md](design-and-arabic.md).

---
## 5. Review cadence
- **Quarterly:** re-read this register against shipped features and incident postmortems.
- **Per major release:** update PDPL/NCA mapping appendix when product surface area changes.

See also: [technology-radar-tier1.md](technology-radar-tier1.md), [`../execution-matrix-90d-tier1.md`](../execution-matrix-90d-tier1.md), [pdpl-nca-ai-control-matrices.md](pdpl-nca-ai-control-matrices.md).