Frameworks define
Organizational policies, system inventories, evaluation methods, and risk management processes.
FRAMEWORK
How GAFAIG works
GAFAIG operates as a deterministic AI governance certification system. It combines structured evaluation, governed scoring, and cryptographic verification to produce publicly verifiable certification outcomes.
The system separates a private verification engine from a public trust layer. Governance is reviewed internally, while only the certification outcome is exposed and validated through GAFAIG’s verification endpoint.
A system for verifying human oversight
GAFAIG does not rely on self-declared policies or static disclosures. It introduces a structured verification process that evaluates whether human oversight is actually present and functioning across AI systems and organizational operations.
The output is not a report or a claim. It is a certified outcome that can be independently verified through a signed verification payload.
Execution model
GAFAIG runs as a deterministic governance engine with Snowflake as the system of execution. Governance records are processed privately, certification outcomes are snapshotted into the registry, and only the public trust contract is exposed through views, APIs, and verification surfaces.
All governance scoring and decision outputs execute in Snowflake.
Public records are derived from immutable registry snapshots rather than recomputed in downstream layers.
API and UI layers do not perform governance computation; they project and distribute already-determined public outputs.
Verification results are reproducible from source data, registry snapshots, and signed public proof.
Alignment with AI Risk Management Frameworks
GAFAIG does not replace governance frameworks such as the NIST AI Risk Management Framework. It provides a verification layer that confirms whether governance processes are actually functioning in practice.
Frameworks define how organizations should govern AI systems across functions such as Govern, Map, Measure, and Manage. GAFAIG verifies that these processes are implemented, operational, and producing real oversight outcomes.
GAFAIG verifies
That these governance processes are real, functioning, and independently verifiable through certified records and signed proof.
Certification is issued when organizations show that oversight in AI systems is real, functioning, and independently verifiable. Each certification is represented as a verifiable public record, allowing external parties to confirm governance without accessing private internal materials.
The GAFAIG verification pipeline
Every organization moves through a consistent, structured process. This ensures certification outcomes are repeatable, comparable, and grounded in actual oversight evidence rather than self-attestation.
GAFAIG enforces a deterministic pipeline: Application → Case → Findings → Evidence → Events → Scoring → Decision → Registry → Verification.
Step 1
Application
An organization enters the GAFAIG verification process and defines the scope of its AI operations.
Step 2
Evidence Review
Governance materials, controls, and oversight mechanisms are submitted and evaluated.
Step 3
Findings
Structured findings assess how oversight is implemented and where gaps exist.
Step 4
Scoring & Decision
A deterministic process produces a governance outcome based on the reviewed record.
Step 5
Public Certification
The certification outcome is published as a public trust record without exposing private materials.
Step 6
Verification
A signed verification payload is generated and exposed through /api/verify, enabling independent validation.
What certification means
Certification is not manually assigned. It is derived from a governed scoring system and published as a signed, verifiable record. This ensures consistency, transparency, and auditability.
Certification is not self-attestation or a policy statement.
Certification reflects a structured, completed verification process.
Certification results in a public trust record.
Certification can be independently verified using signed proof.
Private verification, public trust
GAFAIG separates internal verification from public trust. This allows rigorous evaluation without exposing private evidence while still producing a clear, verifiable public outcome.
Private verification engine
Applications, evidence, findings, events, and scoring are processed within a controlled environment where oversight is evaluated.
Public trust layer
Only the certification outcome is exposed publicly. External parties can verify the result without accessing internal materials.
Certification becomes verifiable trust
GAFAIG is both a verification system and a trust distribution layer. Once certification is finalized, the outcome becomes a signed, independently verifiable record that can be validated outside the platform.
Each certified record is backed by a signed verification payload. External systems validate records using the canonical messageString and GAFAIG public key.
Registry records provide a durable public certification reference.
The verify endpoint exposes a signed payload for independent validation.
Signed proof enables cryptographic verification of certification.
Trust can be distributed across APIs, widgets, badges, and external platforms.