Last Updated: 1st March 2025
1. Purpose
This Compliance & Governance Policy (the “Policy”) sets out how AOIS (Agentic Operating Intelligence System) ensures that its Services operate in strict alignment with applicable laws, regulations, industry standards, and internal governance principles.
AOIS is designed for enterprises, governments, and regulated industries where trust, accountability, and compliance are non-negotiable. This Policy forms part of our governance framework and applies to all AOIS Services, including AOIS Sentinel™, AOIS Agents, AOIS Professor, AOIS Validator, AOIS DevFactory, and related solutions.
2. Governance Principles
AOIS governance is built on the following core principles:
- Governed Autonomy – all agent actions are subject to runtime enforcement of protected rules, ensuring no action falls outside authorised scope.
- Observability – every action is logged, monitored, and positively confirmed within AOIS’s observability framework.
- Accountability – all activities are traceable to source, with full auditability for regulators, clients, and stakeholders.
- Compliance by Design – governance and compliance controls are embedded at architecture and code level, not added post hoc.
- Continuous Assurance – policies, controls, and observability measures are subject to regular review, updates, and independent assessment.
3. Legal & Regulatory Compliance
AOIS is committed to complying with the following (as applicable, depending on client location and industry):
- UK GDPR and the Data Protection Act 2018.
- EU GDPR (where processing of EU personal data occurs).
- UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
- ISO/IEC 27001 (Information Security Management).
- SOC 2 Type II (Security, Availability, Confidentiality).
- NIST Cybersecurity Framework (as applicable to government/defence clients).
- Relevant sector-specific regulations (e.g., FCA in financial services, NHS Digital standards in healthcare).
AOIS undertakes regular legal review to ensure alignment with emerging UK, EU, and UAE regulatory frameworks, including AI governance and ethics legislation.
4. Governance Controls in AOIS
AOIS applies multiple layers of runtime governance:
- Policy Enforcement Layer – agent actions validated against protected rules and client policies before execution.
- Milestone Logging – TX, BX, CM milestones logged for every operation, positively confirmed in S3 and audit systems.
- Observability Indexing – all logs cross-checked for completeness and integrity, with escalations on anomalies.
- Escalation Protocols – automatic routing to Quality Management Systems (QMS) and incident queues for breaches.
- Audit & Reporting – exportable audit trails designed to satisfy regulator and client reporting requirements.
5. Roles & Responsibilities
- AOIS Governance Team – responsible for policy development, monitoring, and compliance reviews.
- Clients – responsible for ensuring that their use of AOIS aligns with applicable laws, sectoral regulations, and contractual obligations.
- Authorised Users – must operate within approved roles and scopes; all usage is monitored and enforced at runtime.
- Third-Party Providers – subject to due diligence, contractual safeguards, and data protection agreements.
6. Monitoring & Auditing
- Continuous Monitoring – AOIS enforces observability on every action, ensuring logs are tamper-resistant and regulator-ready.
- Independent Audits – AOIS undergoes external security, compliance, and governance assessments on a recurring basis.
- Client Audit Rights – clients in regulated industries may request audit support or reports to meet their own compliance obligations.
7. Risk Management
AOIS maintains a risk management framework that:
- Identifies governance and compliance risks;
- Assigns ownership and mitigation strategies;
- Escalates critical risks to the AOIS executive and (where applicable) client stakeholders;
- Reviews risks quarterly or upon major regulatory changes.
8. Breach & Incident Response
- Detection – AOIS continuously monitors for breaches, anomalies, or unauthorised actions.
- Escalation – confirmed incidents trigger automatic escalation to incident queues and governance leads.
- Notification – clients and regulators (where required by law, e.g. the ICO under UK GDPR) will be notified within legally mandated timelines.
- Remediation – AOIS applies corrective and preventative measures to prevent recurrence.
9. Training & Awareness
- AOIS staff and operators undergo mandatory compliance, data protection, and governance training.
- Authorised Users are provided with onboarding materials explaining governance, observability, and enforcement mechanisms.
- Continuous training programmes align with evolving AI governance frameworks.
10. Continuous Improvement
AOIS commits to continuous improvement of its governance framework by:
- Monitoring legal, regulatory, and industry developments;
- Updating protected rules and enforcement mechanisms;
- Engaging with regulators, clients, and industry forums to shape best practice.
11. Contact for Compliance Matters
For questions, requests, or compliance concerns, please contact:
AOIS Governance & Compliance Office
AOIS LLC
Email: compliance@aois.ai