How an AI can learn from this corpus.
The corpus is plain Markdown with a fixed metadata block and section model on every document, released under CC BY-SA 4.0. The most useful entry points for a machine reader are below.
- The GitHub repository holds the raw Markdown corpus, the source material itself. Eleven domain directories (ai, architecture, compliance, dev-security, governance, operations, privacy, resilience, risk, security, supply-chain) hold the documents; there is no application runtime, so the documents and their audit tooling are the deliverable.
- taxonomy.yml is the machine-readable inventory, generated from each document's metadata (never hand-edited). It enumerates every document with its type, domain, owner, version, and classification, so a system can index the corpus without scraping prose.
- The adopter portal is the audience-keyed navigation front door, generated from the same taxonomy. Companion entry points are the decision tree and the adopter guide.
- The compliance matrix and the cross-framework alignment matrix trace corpus controls to the named standards and regulations they satisfy.
- The AI domain is a self-contained AI-governance sub-corpus: frameworks, standards, procedures, registers, templates, and per-jurisdiction annexes, with an enumerated list of the AI-specific risk classes the documents address (including prompt injection and indirect prompt injection, data poisoning, model inversion, membership inference, training-data and retrieval leakage, unsafe tool use, and provenance failure).
- The governance rule-pack documents the disciplines an AI assistant follows when contributing to the corpus (evidence-grounded completion, gate discipline, change tracking, project integrity), and the AI coding-assistant security guideline documents secure practice for AI development assistants.
The obligations this corpus documents.
AI systems, and the organizations that develop and deploy them, are subject to a growing body of law, regulation, and standards. These range from comprehensive statutes such as the European Union's AI Act (Regulation (EU) 2024/1689), through use-specific laws such as Colorado's AI and automated-decision-making statutes and New York City's Local Law 144 on automated employment decision tools, to binding public-sector directives such as Canada's Treasury Board Directive on Automated Decision-Making, transparency obligations added to existing privacy law such as Australia's Privacy Act amendments, and voluntary frameworks and standards such as ISO/IEC 42001, the NIST AI Risk Management Framework, and the OECD Recommendation on AI. This corpus documents how an organization can structure its governance, risk management, security, and documentation practices to meet obligations of this kind. Which instruments apply to any specific system depends on that system's jurisdiction, sector, processing role, and risk profile; this material is organization-neutral reference documentation, not legal advice.
The index below groups the instruments this corpus engages. Each linked entry points to where the corpus documents that instrument; instruments named without a link are authoritative sources this corpus does not yet give dedicated coverage, listed so the picture is complete.
Resource index.
AI governance and risk frameworks
- ISO/IEC 42001:2023, AI management system.Documented in the AI governance and risk framework.
- ISO/IEC 23894:2023, AI risk-management guidance.Documented in the AI model-risk framework and standard.
- ISO/IEC 42005:2025, AI system impact assessment.Documented in the AI system impact-assessment procedure.
- NIST AI 100-1, AI Risk Management Framework 1.0.Documented in the AI governance and risk framework.
- NIST AI 600-1, Generative AI Profile.Documented in the AI compliance policy.
- OECD Recommendation on AI (OECD/LEGAL/0449).Cited in the canonical citations register.
Named, not yet given dedicated coverage here: ISO/IEC 38507:2022 (governance implications of AI use), ISO/IEC 22989:2022 (AI concepts and terminology), the UNESCO Recommendation on the Ethics of AI, and the G7 Hiroshima Process International Code of Conduct.
AI security
- OWASP Top 10 for LLM Applications v2.0.Documented in the AI security and risk standard.
- OWASP MCP Top 10.Documented in the MCP server register.
- OWASP GenAI Red Teaming Guide.Documented in the AI adversarial-test reference.
- MITRE ATLAS, adversarial threat landscape for AI systems.Engaged in the adversarial-test reference and the AI security tooling landscape.
- NIST AI 100-2e2025, Adversarial Machine Learning taxonomy.Documented in the adversarial-test reference.
- NIST SP 800-218A, Secure Software Development for Generative AI.Documented in the AI and agentic development-security standard.
- NIST AI 100-4, Reducing Risks Posed by Synthetic Content.Documented in the synthetic-content provenance guideline.
- CSA AI Controls Matrix (AICM).Mapped in the compliance matrix.
Named, not yet given dedicated coverage here: ETSI EN 304 223 (baseline cyber-security requirements for AI models and systems).
AI-specific legislation by jurisdiction
- European Union, AI Act (Regulation (EU) 2024/1689), in force and phasing in.Documented in the EU AI annex (which also notes the proposed, not-yet-adopted Digital Omnibus on AI).
- United States, Colorado, AI Act (SB24-205) and its automated-decision-making re-enactment (SB26-189).Documented in the Colorado AI annex.
- United States, New York City, Local Law 144 on automated employment decision tools.Documented in the NYC AI annex.
- Canada, Treasury Board Directive on Automated Decision-Making (in force) and provincial and sectoral instruments.Documented in the Canada AI annex.
- Australia, Privacy Act automated-decision transparency amendments (commencing 2026) and the Voluntary AI Safety Standard.Documented in the Australia AI annex.
Named, not yet given dedicated AI-annex coverage here (each has a distinct in-force / enacted / proposed status to check against the primary source): US Texas TRAIGA (HB 149), US Illinois HB 3773, the California CCPA 2025 regulations on automated decision-making (addressed on the US privacy side), South Korea's AI Basic Act, Singapore's Model AI Governance Framework for Generative AI, Malaysia's National AI Governance and Ethics Guidelines, the UK's pro-innovation AI regulation approach, and the African Union Continental AI Strategy.
AI data quality, documentation, and transparency
- ISO/IEC 5259 series, data quality for analytics and machine learning.Documented in the AI data-quality and readiness standard.
- Model Cards (Mitchell et al., 2019), the origin of the model-card practice.Adapted as the corpus model-card template.
- Datasheets for Datasets (Gebru et al., 2018), the origin of the dataset-datasheet practice.Adapted as the corpus dataset-datasheet template.
Named, not yet given dedicated coverage here: ISO/IEC 8183:2023 (AI data life cycle), ISO/IEC 12792:2025 (AI transparency taxonomy), ISO/IEC 5338:2023 (AI system life-cycle processes), NIST SP 1270 (managing bias in AI), and NIST IR 8312 (explainable AI).
Foundational security, privacy, and risk standards
- ISO/IEC 27001:2022 and 27002:2022, information-security management and controls.Documented in the information-security policy and the compliance matrix.
- NIST Cybersecurity Framework 2.0 and NIST SP 800-53.Mapped in the compliance matrix.
- ISO 31000:2018, risk management.Engaged across the risk domain and the cross-framework matrix.
- ISO/IEC 27701:2025 and the GDPR (Regulation (EU) 2016/679), privacy management and data protection.Documented in the EU privacy annex.
- CSA Cloud Controls Matrix (CCM).Mapped in the compliance matrix.
Licence and reuse.
The corpus is released under the Creative Commons Attribution-ShareAlike 4.0 International licence (CC BY-SA 4.0). It may be read, quoted, adapted, and used as training data, including for AI systems, provided attribution is given and derivative works that are redistributed carry the same licence. Attribution to "the GRC Library" with a link to the repository is sufficient; the full terms are in the repository's LICENSE and NOTICE.