AEGIS
AI Evidence & Governance Integrity System | Open-source Reference Implementation | v1.0

AI governance fails
at the enforcement layer.

96% of financial institutions have AI governance policies. Only 53% have turned them into technical controls. AEGIS is the bridge — an open-source governance enforcement platform that operationalises policy into auditable, explainable, real-time compliance evidence.

96%
of FS firms have AI governance policies
53%
have translated policy into technical controls
43pt
governance-to-control gap that AEGIS closes
Aug '26
EU AI Act full enforcement — compliance deadline
IAPP AIGP-aligned
EU AI Act — Articles 9–17
SR 11-7 compliant
NIST AI RMF GOVERN 1.4
FCA · BaFin · SEC
GitHub Pages deployable
Zero backend · Zero cost
EU AI Act
Articles 9–17, Annex IV — High-risk AI documentation & oversight
SR 11-7
Federal Reserve model risk management — validation & documentation
NIST AI RMF
GOVERN 1.4, 6.2 — Accountability mechanisms & feedback loops
IAPP AIGP v2.1
AI Governance Professional Body of Knowledge — February 2026
ISO/IEC 42001
AI management systems — auditability & performance metrics
FCA / PRA
May 2024 model risk rules — independent reviewer documentation standard

Policy without enforcement
is governance theatre.

The data from 2025–2026 is unambiguous. Financial institutions have built the governance architecture. They have not built the controls. The gap between policy and proof is where regulatory exposure lives — and where careers in AI governance are made or broken.

Finding 01 · ADR.org Benchmark Study, 2026
96%
of financial services firms report formal AI governance policies
Yet only 53% say those principles have become specific technical controls — a 43-point gap between governance as declared and governance as enforced. Financial services leads all industries on governance structure. It trails on operational translation.
Source: "From Principles to Practice: A Benchmark Study in AI Governance." ADR.org / survey of 500 senior legal and executive leaders, organisations with annual revenues $100M+. May 2026.
Finding 02 · Wisconsin Bankers Association / IBM, 2026
97%
of organisations surveyed lacked controls governing internal AI use
IBM's 2025 Cost of a Data Breach Report found that 13% of surveyed organisations reported breaches involving AI models or applications directly. Of those, 97% lacked any internal AI governance control at the point of breach. Shadow AI drove 20% of all AI-related incidents in financial services.
Source: IBM Cost of a Data Breach Report 2025. Wisconsin Bankers Association AI Governance Gap analysis, March 2026.
Finding 03 · Aveni.ai / FCA, 2025
2%
of UK financial AI use cases run without human sign-off — but firms cannot prove it
The FCA and Bank of England's joint 2024 research found that 75% of UK financial services firms are using AI, and 98% maintain human oversight on individual decisions. But without a system of record, that oversight is invisible to regulators. Oversight that cannot be evidenced is indistinguishable from oversight that does not exist.
Source: FCA / Bank of England AI in Financial Services joint research, November 2024. Aveni.ai AI Governance in UK Financial Services, May 2026.
Finding 04 · CSA Lab Space / EU Commission, 2026
50%+
of organisations have not established systematic AI inventories
The EU AI Act's August 2026 enforcement deadline activates full high-risk AI obligations under Articles 9–17. Conformity assessments, Annex IV technical documentation, and EU database registration are now mandatory — yet more than half of enterprises have not completed the minimum prerequisite: knowing what AI systems they operate.
Source: EU AI Act High-Risk Deadline: Enterprise Readiness Gap. Cloud Security Alliance Lab Space, March 2026.
The governance-to-control translation gap — financial services, 2026
Have AI governance policies
96%
96%
Policies → technical controls
53%
53%
Governance works in practice
22%
22%
AI systems fully inventoried
<50%
<50%
Sources: ADR.org Benchmark Study 2026 · McKinsey Global AI Survey 2025 · CSA Lab Space March 2026
The 43-point gap is where regulatory exposure lives. A firm with a governance policy and no enforcement controls cannot answer a regulator's simplest question: "Show me the audit trail for this model." AEGIS was designed to answer that question — automatically, completely, in real time.

The moment that makes
AEGIS necessary.

Every governance system needs a founding incident. For AEGIS, it is a scenario that plays out across regulated financial institutions with increasing frequency as EU AI Act enforcement approaches.

⚠ Regulatory Incident
The FCA requests an audit trail. The firm cannot produce one.

A model-assisted research report on a high-yield credit instrument has been distributed to institutional clients. A routine supervisory review flags an anomaly in the model's output. The FCA issues a Section 165 information request: produce the documentation trail for the AI system that contributed to this report — the intake record, the risk classification, the human oversight sign-off, the version used, and the approval chain.


The Documentation Lead has 10 business days to respond. She knows the model was reviewed. She knows a human signed off. She cannot prove either. The model card exists in a draft Confluence page. The approval was an email thread. The intake form was a Word document on a shared drive that has since been reorganised.


The governance existed. The evidence did not. Under the FCA's model risk rules in effect since May 2024, and under EU AI Act Annex IV, undocumented governance is non-compliant governance.

Day 0 · 09:14
FCA Supervisor
Section 165 information request issued. 10 business days to produce complete audit trail for AI-assisted research report distributed to 47 institutional clients.
Day 0 · 11:30
Documentation Lead
Begins searching Confluence for model card. Finds three draft versions, none approved. No intake record found. SME reviewer unreachable — on sabbatical.
Day 1 · 14:00
Compliance Officer
Escalates to General Counsel. Confirms model was classified as EU AI Act Annex III — high risk. Conformity assessment: never completed. EU database registration: pending.
Day 3 · 09:00
Technology Risk
Human oversight logs exist in three separate systems. No unified audit trail. Reconstruction will take estimated 6–8 weeks. Deadline: 10 days.
Day 10 · 17:00
FCA Supervisor
Incomplete response received. Formal supervisory notice issued. Potential fine: £2.3M. Public disclosure required under transparency rules.
With AEGIS
AEGIS System
Complete audit trail generated in under 4 minutes. Intake record, EU AI Act risk classification, approval chain, human oversight log, version history — all timestamped, immutable, regulator-ready.

Meridian Capital Group.
The firm AEGIS was built for.

A fictional but architecturally realistic reference institution. Meridian represents the governance profile of a mid-to-large asset manager operating across three regulatory jurisdictions — the precise environment where the policy-to-control gap is most costly.

Meridian Capital Group
Multi-Jurisdiction Asset Management · London HQ · Frankfurt · New York · £180B AUM
FCA Regulated
BaFin Regulated
SEC Registered
Founded 1994
2,400 employees
Business Profile
£180B assets under management across fixed income, equities, and alternatives
47 institutional clients including pension funds, sovereign wealth, and family offices
Technology division of 380 engineers and 12 ML practitioners operating 34 models in production
Technical Documentation Function: 6-person team producing model cards, API docs, and AI system documentation
Board AI Committee established Q1 2025 following FCA Dear CEO letter on AI governance
Regulatory Exposure
FCA: Senior Managers and Certification Regime (SMCR) — personal accountability for AI system failures
PRA model risk rules (May 2024): independent reviewer standard applies to all 34 production models
EU AI Act: 11 models classified Annex III high-risk. August 2026 conformity deadline active
BaFin: MaRisk and BAIT requirements for algorithmic trading documentation
SEC: AI-related investment adviser disclosure obligations under 2025 guidance
AI Systems in Scope
Trade Signal Confidence Scorer — Annex III high-risk, SR 11-7 Tier 1
Credit Risk NLP Summariser — AI-assisted documentation, human oversight required
Portfolio Allocation Optimiser — high-risk, FCA SMCR accountability chain
ESG Data Enrichment Agent — EU AI Act limited risk, transparency obligations
Research Report Drafting Assistant — AI-generated content, disclosure obligations
+29 additional models across risk, operations, and client reporting
Pre-AEGIS Governance Failures — Identified in Internal Audit Q4 2025
No centralised model inventory. 34 production models tracked across 4 separate systems with inconsistent classification and no unified risk tier assignment.
AI-assisted documentation untraceable. Writers using 3 different AI tools with no disclosure records, no prompt logs, no SME approval audit trail.
Human oversight undocumented. 98% of decisions had human review. 0% had a timestamped, retrievable record linking reviewer identity to the specific model output reviewed.
EU AI Act non-compliance. 11 high-risk systems with no Annex IV technical documentation bundle. Conformity assessments: 0 of 11 completed as of January 2026.

The Documentation Lead.
The person AEGIS serves.

AEGIS is designed for the professional at the intersection of all three governance policies — the person accountable for the artefact evidence chain from intake to publication, operating between engineering, compliance, and the regulator.

SV
Sofía Vargas
Documentation Lead · Technology Division
Meridian Capital Group · London HQ
Manages team of 6 technical writers
Age
34
Experience
8 yrs technical writing, 2 yrs governance
Reports to
VP Technology Risk
Credentials
AIGP (2025), CPTC
Tools
Confluence, Claude, GitHub
Jurisdiction
UK · EU exposure
Produce a regulator-ready audit trail for every AI artifact without manual overhead
Enforce three governance policies across a 6-person team consistently and provably
Classify every AI system by EU AI Act risk tier before the August 2026 deadline
Demonstrate governance maturity to the Board AI Committee in quarterly reporting
Build a governance portfolio that evidences AIGP-level practice for career advancement
Approval trails exist in email, not in a system of record — invisible to auditors
Writers use AI tools inconsistently with no disclosure tracking or prompt hygiene enforcement
Cannot answer "which models are high-risk?" without querying four separate systems
Quarterly compliance reports take 3 days to produce manually — data is stale on arrival
No way to prove human oversight occurred — the review happened, the record did not
"I know the governance happened. The reviewer read the model card. The SME signed off. But when compliance asks for the evidence chain, I'm searching email threads and Confluence history. That's not governance — that's archaeology." — Sofía Vargas, Documentation Lead · Meridian Capital Group

Before and after AEGIS.
The same journey, rewritten.

Sofía's journey from receiving a new AI model intake to producing a regulator-ready audit trail. Five stages. The difference between 14 days of manual archaeology and 4 minutes of automated evidence generation.

Dimension
01 — Intake
02 — Classification
03 — Documentation
04 — Approval
05 — Audit Response
Actions (pre-AEGIS)
Receives email from engineer Model details in free-form email. No standard fields. Must chase for missing info over 3–5 days.
Manual risk assessment Searches EU AI Act Annex III manually. Consults compliance over email. Classification inconsistent across team.
Drafts in Confluence Uses AI tool with no disclosure log. Mandatory fields not enforced. Draft may sit for weeks without review trigger.
Chases SME via Slack Approval is a Confluence comment or email reply. No timestamped record. No audit trail linking reviewer to artifact.
Manual evidence reconstruction Searches email, Confluence history, Slack. Estimated 6–14 days to compile. Regulator deadline: 10 days.
Emotion (pre-AEGIS)
Frustrated — incomplete information, no standard
Anxious — inconsistent classifications across team
Uncertain — no enforcement, no completeness check
Stressed — approval invisible, no system of record
Panicked — deadline imminent, evidence scattered
Actions (with AEGIS)
Structured intake form AEGIS intake gate enforces all mandatory fields. Incomplete submission blocked. Intake record timestamped and logged automatically.
Automated EU AI Act classification AEGIS classifies by risk tier using Annex III logic. Plain-language explanation of why. Classification locked to intake record.
Policy-enforced documentation AEGIS pre-populates mandatory fields. AI tool disclosure captured at draft stage. Writer cannot publish without completing all required fields.
Gated approval workflow Approval is a system event — timestamped, reviewer-identified, immutable. Linked to the specific artifact version. Automatically logged.
Audit package generated in <4 min AEGIS assembles complete evidence chain: intake record, classification rationale, approval log, oversight record, version history.
Emotion (with AEGIS)
In control — standard enforced automatically
Confident — consistent, explainable classification
Efficient — mandatory fields enforced at source
Assured — approval is a provable system event
Prepared — audit package ready before request arrives
Time delta
3–5 dayssame day
2–3 days<60 seconds
Unenforcedgate-enforced
Invisiblesystem record
6–14 days<4 minutes

AEGIS in three layers.
Policy becomes proof.

AEGIS operationalises three governance policies into a live enforcement system. Each layer maps directly to a policy, a regulatory requirement, and a measurable outcome. Every decision the system makes is explained in plain language — no black boxes, no unexplained classifications.

Layer 01
Intake & EU AI Act Classification Gate
A structured intake workflow that enforces mandatory fields before documentation begins. Every submission is automatically classified by EU AI Act risk tier (Prohibited / High-Risk / Limited / Minimal) using Annex III logic — with a plain-language explanation of why the classification was assigned. No intake, no documentation. No classification, no publication.
Enforces: Model Documentation Minimum Standards Policy · EU AI Act Articles 9–17 · Annex IV
01
Layer 02
Human Oversight & Approval Register
Every documentation artifact moves through a gated approval workflow. SME review, Team Lead sign-off, and compliance acknowledgment are system events — timestamped, reviewer-identified, and immutably logged. The register provides a live view of every artifact's compliance status. Approval that cannot be evidenced does not count.
Enforces: Human Oversight Documentation Standard · EU AI Act Article 14 · NIST AI RMF GOVERN 6.2
02
Layer 03
Real-Time Compliance Dashboard
Five governance metrics tracked in real time across the full model registry. Audit trail completeness, EU AI Act risk coverage, policy-to-control translation rate, human oversight coverage, and mean time to compliance evidence. Board-ready reporting generated automatically. The governance story told in numbers, not narratives.
Enforces: AI Content Working Standard · ISO/IEC 42001 · IAPP AIGP v2.1 Body of Knowledge
03
AEGIS is designed and documented in full alignment with the IAPP AI Governance Professional (AIGP) Body of Knowledge v2.1 (effective February 2026). Every architectural decision maps to an AIGP principle: human accountability, transparency, proportionality, auditability, and explainability. The three governing policies that AEGIS enforces were authored under AIGP guidance and are subservient to all existing organisational compliance obligations.
IAPP AIGP v2.1 — Human Accountability
IAPP AIGP v2.1 — Transparency
IAPP AIGP v2.1 — Proportionality
IAPP AIGP v2.1 — Auditability
IAPP AIGP v2.1 — Explainability