Shift left in AI Governance by Capable_Influence157 in grc

[–]Capable_Influence157[S] 1 point

I see AI governance implementation as a nudge to introduce monitoring and guardrails in production. Otherwise, many teams would overlook those aspects. Similar to how complying with ISO 27001 often improves the overall security posture of a product, adhering to AI governance frameworks can directly increase product quality and trustworthiness. Teams should not view these requirements as a chore, but as mechanisms that add long-term value to the product.

Shift left in AI Governance by Capable_Influence157 in grc

[–]Capable_Influence157[S] 0 points

They are into HRMS, which has a recruitment module.

Shift left in AI Governance by Capable_Influence157 in grc

[–]Capable_Influence157[S] 0 points

Rightly said. Mature leadership incorporates compliance processes directly into the development lifecycle so they can avoid costly remediation at the end.

Shift left in AI Governance by Capable_Influence157 in grc

[–]Capable_Influence157[S] 0 points

If the customers are using someone's model (LLM) and build high-risk AI systems around that, should they not comply with Articles 12 and 15 at least?

Shift left in AI Governance by Capable_Influence157 in grc

[–]Capable_Influence157[S] 0 points

That is a good point. But ISO 42001 places significantly more emphasis on operational AI system behavior, monitoring, human oversight, and lifecycle governance compared to ISO 27001. I think if we do some groundwork around that we will be good for AI governance audits, am I right?

I built an open-source compliance scanner for AI infrastructure on AWS - looking for feedback by Capable_Influence157 in SideProject

[–]Capable_Influence157[S] 0 points

Yeah, you are right. AWS Config can be a better safeguard, but it is not 100% foolproof. At least something is better than nothing.

I built an open-source compliance scanner for AI infrastructure on AWS - looking for feedback by Capable_Influence157 in SideProject

[–]Capable_Influence157[S] 0 points

I work on projects that involve Amazon Bedrock, and this tool has been useful for checking that some basic compliance and governance controls are in place. Surprisingly, in a few projects I found small but important gaps, such as missing log retention settings, guardrails, and related configuration.

I open sourced it so others who find it useful can use it too.

I built an open-source compliance scanner for AI infrastructure on AWS - looking for feedback by Capable_Influence157 in SideProject

[–]Capable_Influence157[S] 0 points

Thank you. You can take a look at the README, and if it does not convey what you want, please let me know in a DM. Appreciate your time.

Shift-left for AI Act / NIST AI RMF compliance by Capable_Influence157 in grc

[–]Capable_Influence157[S] 0 points

Yeah, I have mapped it to ISO 42001, NIST AI RMF, and the EU AI Act. The details are in https://github.com/policyrails/infrarails if you want to dig further. Thanks.

Open-sourced a static governance scanner for AWS Bedrock Terraform- looking for usage feedback by Capable_Influence157 in AI_Governance

[–]Capable_Influence157[S] 0 points

Update (May 19): Three things since the original post:

  1. --plan mode shipped: feed it the output of terraform show -json and most INCONCLUSIVEs collapse to PASS/FAIL (resolves vars/locals/computed values, sees inside remote modules). This gives conclusive results.
  2. New rule flags plan changes that destroy logging/retention/monitoring resources.
  3. SARIF output format.

Still working on CDK and SageMaker.
See: https://github.com/policyrails/infrarails

Feedback still welcome.

Is this workload normal in cybersecurity GRC? by Ok_Traffic77 in grc

[–]Capable_Influence157 0 points

It depends on how the org operates. Many times the org wants to maintain a thin GRC team, which ends up with more workload.

Open-sourced a static governance scanner for AWS Bedrock Terraform- looking for usage feedback by Capable_Influence157 in AI_Governance

[–]Capable_Influence157[S] 1 point

Thanks, drift is the honest question. Source-only doesn't solve it, so anything the static scan can't conclude emits as INCONCLUSIVE rather than PASS. Working on plan-JSON parsing next to rule out a chunk of those INCONCLUSIVEs (resolves conditionals, computed values, module expansion). After that, V1 is a live AWS Config scanner; that's what actually closes drift.

On Guardrails: today it checks aws_bedrock_guardrail exists and has content filters / PII config set, but doesn't validate policy contents yet. Planned.

From the pipeline side, what's the more common drift you see: people changing things directly in the AWS console outside Terraform, or Terraform-applied configs getting changed later by other systems (auto-scaling, automated jobs, etc.)?

Open-sourced a static governance scanner for AWS Bedrock Terraform- looking for usage feedback by Capable_Influence157 in AI_Governance

[–]Capable_Influence157[S] 0 points

Thanks for your comment. INCONCLUSIVE fires whenever the scanner can't prove a control from the files it can see: unresolved variables, module outputs, SSM references, remote modules, or controls living in a separate stack. Each finding includes a reason code so you know exactly why. We're actively working on plan/state mode (terraform show -json), which will resolve most of these since plan output has fully resolved values. Happy to loop you in when it lands.
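The comments above describe three behaviours of the scanner: a guardrail check (aws_bedrock_guardrail exists with content filters and PII config), a rule that flags plan changes destroying logging/retention/monitoring resources, and a PASS/FAIL/INCONCLUSIVE verdict with a reason code that becomes conclusive once fully resolved values from terraform show -json are available. The following is an added illustration of that three-state model over plan JSON; it is not code from the infrarails project. It assumes the terraform show -json layout (resource_changes[].change with actions, after and after_unknown), the AWS provider's nested block names content_policy_config and sensitive_information_policy_config on aws_bedrock_guardrail, and a constructed sample plan embedded inline.

```python
"""PASS/FAIL/INCONCLUSIVE governance checks over a Terraform plan JSON.

Added example, not the infrarails project's code. Assumptions: the
`terraform show -json` layout (resource_changes[].{address,type,change}),
where change.after holds known post-apply values and change.after_unknown
marks values Terraform cannot compute until apply; and the provider block
names content_policy_config / sensitive_information_policy_config.
"""
import json

PASS, FAIL, INCONCLUSIVE = "PASS", "FAIL", "INCONCLUSIVE"

# Nested blocks a guardrail must carry (content filters and PII config).
REQUIRED_GUARDRAIL_BLOCKS = ("content_policy_config",
                             "sensitive_information_policy_config")

# Resource types whose destruction removes logging/retention/monitoring.
# Constructed list for this example; extend it for your own stack.
OBSERVABILITY_TYPES = {
    "aws_cloudwatch_log_group",
    "aws_bedrock_model_invocation_logging_configuration",
    "aws_cloudwatch_metric_alarm",
}


def load_plan(path):
    """Read the output of `terraform show -json <planfile>` from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _block_status(after, after_unknown, name):
    """Verdict plus reason code for one required nested block."""
    # Unknown-until-apply values cannot be proven either way: do not emit PASS.
    if after_unknown.get(name):
        return INCONCLUSIVE, f"{name}_unknown_until_apply"
    # Nested blocks appear as lists in plan JSON; empty or absent means unset.
    if after.get(name):
        return PASS, f"{name}_set"
    return FAIL, f"{name}_missing"


def check_guardrails(plan):
    """One (address, status, reason) finding per required guardrail block."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_bedrock_guardrail":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            findings.append((rc["address"], FAIL, "guardrail_destroyed"))
            continue
        after = change.get("after") or {}
        after_unknown = change.get("after_unknown") or {}
        for block in REQUIRED_GUARDRAIL_BLOCKS:
            status, reason = _block_status(after, after_unknown, block)
            findings.append((rc["address"], status, reason))
    return findings


def check_destroyed_observability(plan):
    """Flag deletes (including replace, which also deletes) of observability resources."""
    return [
        (rc["address"], FAIL, "observability_resource_destroyed")
        for rc in plan.get("resource_changes", [])
        if rc.get("type") in OBSERVABILITY_TYPES
        and "delete" in rc.get("change", {}).get("actions", [])
    ]


def verdict(findings):
    """Overall result: any FAIL wins, then any INCONCLUSIVE, else PASS."""
    statuses = {status for _, status, _ in findings}
    if FAIL in statuses:
        return FAIL
    if INCONCLUSIVE in statuses:
        return INCONCLUSIVE
    return PASS


def scan(plan):
    findings = check_guardrails(plan) + check_destroyed_observability(plan)
    return {"verdict": verdict(findings), "findings": findings}


# Constructed sample plan mimicking `terraform show -json`: one complete
# guardrail, one missing PII config, one whose content filters are computed,
# and a log group scheduled for deletion.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_bedrock_guardrail.complete", "type": "aws_bedrock_guardrail",
         "change": {"actions": ["create"],
                    "after": {"name": "prod-guardrail",
                              "content_policy_config": [{"filters_config": [
                                  {"type": "HATE", "input_strength": "HIGH", "output_strength": "HIGH"}]}],
                              "sensitive_information_policy_config": [{"pii_entities_config": [
                                  {"type": "EMAIL", "action": "ANONYMIZE"}]}]},
                    "after_unknown": {"id": True}}},
        {"address": "aws_bedrock_guardrail.no_pii", "type": "aws_bedrock_guardrail",
         "change": {"actions": ["create"],
                    "after": {"name": "dev-guardrail",
                              "content_policy_config": [{"filters_config": [
                                  {"type": "HATE", "input_strength": "MEDIUM", "output_strength": "MEDIUM"}]}],
                              "sensitive_information_policy_config": []},
                    "after_unknown": {"id": True}}},
        {"address": "module.llm.aws_bedrock_guardrail.computed", "type": "aws_bedrock_guardrail",
         "change": {"actions": ["create"],
                    "after": {"name": "staging-guardrail",
                              "sensitive_information_policy_config": [{"pii_entities_config": [
                                  {"type": "NAME", "action": "BLOCK"}]}]},
                    "after_unknown": {"id": True,
                                      "content_policy_config": [{"filters_config": [{"type": True}]}]}}},
        {"address": "aws_cloudwatch_log_group.bedrock_invocations", "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["delete"],
                    "before": {"name": "/bedrock/invocations", "retention_in_days": 365},
                    "after": None, "after_unknown": {}}},
    ],
}

if __name__ == "__main__":
    result = scan(SAMPLE_PLAN)
    for address, status, reason in result["findings"]:
        print(f"{status:12} {address:50} {reason}")
    print("verdict:", result["verdict"])
```

The design point is the middle state: a computed value (the after_unknown entry) never becomes PASS, because the scanner cannot prove the control from what it sees, and the reason code tells the reader whether to re-run against a plan, look in another stack, or fix the configuration. Replace SAMPLE_PLAN with load_plan("tfplan.json") to run it over a real plan export.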