Framework Alignment
NIST AI Risk Management Framework
Four functions: Govern, Map, Measure, Manage
| Function | What It Requires | How Master Brain Satisfies It |
|---|---|---|
| Govern | Define accountability, roles and decision rights for AI systems | ✓ Governance Council model with defined roles (Brain Owner, Technical Custodian, Domain Owner). Decision rights documented in policy library. All approval decisions logged with the deciding party recorded. |
| Map | Identify and categorise AI risks in context | ✓ Capability intake assessment rates every skill for risk before it enters the pipeline. Risk ratings (Low, Medium, High, Critical) determine the approval path. Intake records are retained as evidence. |
| Measure | Evaluate AI system behaviour against defined criteria | ✓ 8-point security scan on every skill. Sandbox sign-off with defined acceptance criteria. Tamper-evident hash on each approved skill. Monthly brain audit for staleness and coverage. Structured audit log per session. |
| Manage | Respond to identified risks and treat residual risk | ✓ Human checkpoints at every gate for treatment decisions. Content expiry monitor raises review tasks before content goes stale. Knowledge gap register tracks unresolved gaps. High and Critical skills require two Council members to approve. |
ISO 42001: Artificial Intelligence Management System
International standard for AI management systems, published 2023
| Requirement Area | What It Requires | How Master Brain Satisfies It |
|---|---|---|
| Policy | Documented AI policy with objectives and leadership commitment | ✓ Policy library template covers acceptable use, data classification, skill ingestion, access control and audit. Policy ownership is defined in the Governance Council Charter. |
| Lifecycle Controls | Controls throughout the AI system lifecycle from design to decommission | ✓ Full skill development lifecycle: intake, specification, quarantine, review, sandbox, approval, distribution, expiry. Each stage has defined controls, roles and documented outputs. |
| Risk Treatment | Risk-based approach to AI capability deployment | ✓ Risk-rated review on every skill. High and Critical ratings require two-member Council approval. Critical skills stop at intake if the risk cannot be mitigated. Risk rating is recorded in the Skills Register and retained. |
| Monitoring | Ongoing monitoring of AI system performance and impact | ✓ Structured audit log captures every session. Content expiry monitor flags stale knowledge. Monthly brain audit reports coverage, staleness and skill count. Knowledge gap register tracks unresolved information needs. |
ISO 27001: Information Security Management
Access control, audit logging and asset management requirements
| Control Area | What It Requires | How Master Brain Satisfies It |
|---|---|---|
| Access Control | Need-to-know access enforced at the system level | ✓ Two-axis model: content tier filters what the retrieval layer returns; platform role controls infrastructure access. Pre-filter applied before semantic search. Default deny: an unresolvable tier results in access-denied. |
| Audit Logging | Structured logs of access events, changes and significant actions | ✓ Session-level audit log records identity, timestamp, action, documents touched and their tier, and outcome. Access-denied events, restricted document accesses and closed-world unknowns are flagged as significant events. |
| Asset Management | Inventory and classification of information assets | ✓ Skills Register maintains a complete inventory of all approved skills. Every knowledge file carries a classification label and tier tag in its frontmatter. Content expiry tracking maintains the currency of the asset inventory. |
Australian Privacy Act 1988
Including the Australian Privacy Principles (APPs)
| Obligation | What It Requires | How Master Brain Satisfies It |
|---|---|---|
| Data Classification | Personal information handled according to its sensitivity | ✓ Five-tier classification model. Sensitive content tagged at Tier 1 or 2 and restricted to those tiers in retrieval. Restricted classification label marks content that carries additional handling obligations. |
| Access Limitation | Personal information accessed only by those with a legitimate need | ✓ Tier-filtered retrieval enforced at the pre-filter stage, before semantic search runs. Restricted content never enters an uncleared candidate set. Default deny applies when the tier cannot be resolved. |
| Accountability | Documented evidence of privacy-compliant handling | ✓ Structured audit log records identity, timestamp, document touched, tier and classification of the document, and outcome per query. Log is retained in the audit store and available for regulatory reporting. |
First Nations Information Governance (FAIRA, Queensland)
Cultural safety and sovereignty obligations for information systems
| Obligation | What It Requires | How Master Brain Satisfies It |
|---|---|---|
| Cultural Safety | Restricted cultural material handled with appropriate controls and sovereignty | ✓ The Tier 1 classification level and the restricted label can accommodate culturally sensitive material. Tier 1 content is accessible only to the brain owner, providing strong sovereignty controls at the system level. |
| Governance | Defined decision rights and accountability for sensitive information | ✓ The Governance Council model and policy library can be adapted to include community-specific governance obligations. Policy templates include placeholders for sector-specific compliance requirements. |
| Audit Trail | Documented record of who accessed what and when | ✓ Structured audit trail supports regulatory reporting requirements. Access events for Tier 1 content are captured with identity, timestamp and document path, providing an evidential record. |
⚠️ This page describes alignment at an architectural level and is intended for information purposes only. It is not legal advice. Organisations should assess their specific compliance obligations with appropriate legal and regulatory counsel before relying on any alignment assessment.
Ready to See How Deployment Works
What you receive at deployment, how licensed skill packs work and what stays protected in the master template.