GovernPilot — Governed Control Plane for Agentic AI

A proof-of-work project demonstrating how to move autonomous AI workflows from prototype to controlled pilot in regulated, cleared, and federal-adjacent environments.

Most AI demonstrations stop at “the model works.” GovernPilot builds everything around the model that a federal or regulated buyer actually requires — identity, approval gates, audit evidence, policy-as-code, eval safety gates — and then proves it with an open standard whose every requirement is backed by an automated conformance check.

It is a working proof-of-work: it runs locally in deterministic mode with no production authorization, customer data, or classified data. The point is demonstrated engineering judgment across the AI control layer.

What it demonstrates

One working system spanning identity, control, audit, policy, and federal compliance mapping.

Human-in-the-loop control

Approval-before-write gates on every write-capable agent action, with signed, hash-chained approval records bound to each run.

Enterprise identity & RBAC

Server-enforced role-based access across local, JWT, and OIDC/JWKS identity, with alg=none tokens and key-confusion attempts rejected at the boundary.

Tamper-evident audit

Append-only hash-chained ledger, content-addressed evidence packets, and a full audit export with manifest hashes.
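
How hash chaining makes a ledger like this tamper-evident, as an added example that is not GovernPilot's code; the same chaining applies to the hash-chained approval records under human-in-the-loop control. The entry layout, the all-zero genesis value, the sample records, and every function name are assumptions.

```javascript
// Added example, not GovernPilot's code: a minimal hash-chained audit ledger.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed prevHash for the first entry

// Canonical JSON (keys sorted recursively) so key order cannot change a hash.
function canonical(v) {
  if (Array.isArray(v)) return `[${v.map(canonical).join(",")}]`;
  if (v && typeof v === "object") {
    const body = Object.keys(v).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(v[k])}`);
    return `{${body.join(",")}}`;
  }
  return JSON.stringify(v);
}

// Each hash commits to position, predecessor hash, and record content.
function entryHash(index, prevHash, record) {
  const input = canonical({ index, prevHash, record });
  return createHash("sha256").update(input).digest("hex");
}

// Append returns a new array; existing entries are never rewritten.
function append(ledger, record) {
  const index = ledger.length;
  const prevHash = index ? ledger[index - 1].hash : GENESIS;
  const hash = entryHash(index, prevHash, record);
  return [...ledger, { index, prevHash, record, hash }];
}

// Walk the chain and report the first entry that fails a check.
function verify(ledger, expectedHead) {
  let prev = GENESIS;
  for (const [i, e] of ledger.entries()) {
    if (e.index !== i) return { ok: false, at: i, reason: "index" };
    if (e.prevHash !== prev) return { ok: false, at: i, reason: "link" };
    if (e.hash !== entryHash(i, prev, e.record)) return { ok: false, at: i, reason: "content" };
    prev = e.hash;
  }
  // Truncation or a full re-chain only shows against a head stored elsewhere.
  if (expectedHead !== undefined && prev !== expectedHead)
    return { ok: false, at: ledger.length, reason: "head" };
  return { ok: true, head: prev };
}

// Constructed sample: three approval records for one hypothetical run.
function sampleLedger() {
  return ["plan", "approve-write", "write"].reduce(
    (l, step, n) => append(l, { runId: "run-001", step, actor: `user-${n}` }), []);
}
```

Editing a record fails the content check at that entry; recomputing that entry's own hash moves the failure to the next entry's link, which is why the head hash has to be kept outside the ledger.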

Policy-as-code

Declarative runtime and infrastructure policy with an OPA/Rego-compatible export, plus a model gateway with cost, token, and latency guardrails.

An executable standard (GAGS)

An open AI-governance standard where every requirement maps to an automated check — 48 requirements, L1 34/34 MUST and L2 14/14, signed and CI-gated.

Compliance automation

Generates SSP control statements (34 NIST SP 800-53 controls), a POA&M, and a continuous-monitoring plan from a crosswalk validated against NIST's published catalog.

Proven, not asserted

The reference implementation passes its own open conformance suite and an implementation-independent test kit (TCK). Anyone can reproduce it:

  • npm run conformance — GAGS suite, signed report (L1 34/34 + L2 14/14)
  • npm run tck:check — reference implementation passes the open test kit
  • npm run crosswalk:check — controls verified against NIST’s 800-53 catalog
  • npm run compliance:generate — emits SSP, POA&M, and continuous-monitoring plan

Review it

Source & documentation on GitHub · Live case study

Built with React, TypeScript, and a dependency-free Node API, with an AWS GovCloud-ready deployment skeleton. Honest boundary: conformance is self-asserted, and regulatory items are status-labeled — proposed or not-yet-effective rules are never presented as current law. Not legal advice.