Principle VI: Governance & Compliance
Source:
.specify/memory/constitution.md
Overview
Enterprise agents must be governed to meet enterprise risk management and regulatory compliance requirements. Regulatory frameworks struggle with autonomous decision-making systems, and enterprise governance must evolve to address agent-specific risks.
Governed catalogs prevent agent sprawl and shadow AI usage. Certification workflows ensure agents meet quality, security, and compliance thresholds before production.
Non-Negotiable Rules
| Rule | Description |
|---|---|
| Governed Catalog | All agents, models, prompts, and tools registered with ownership |
| Certification | Prerelease checks and promotion gates before production |
| Version Control | Semantic versioning with reproducible manifests |
| Regulatory Compliance | ISO, SOC, GDPR, HIPAA as applicable to deployment context |
| Continuous Audits | Fairness, transparency, security, and regulatory audits |
| Data Handling | Classification, minimization, retention, and PII masking policies |
Certification Workflow
Enforcement Implementation
Governance is enforced through a 6-layer defense-in-depth architecture. Each layer catches violations that might slip through the previous one.
Defense-in-Depth Layers
| Layer | Mechanism | Blocking |
|---|---|---|
| 1. Prompt | remind-coordination.sh + detect-nato-violation.sh | Yes (exit 1/2) |
| 2. Tool (pre) | validate-bash.sh + enforce-container-first.sh + block-sensitive-files.sh + enforce-coordination.sh + enforce-specialist-delegation.sh | Yes (exit 1/2) |
| 3. Tool (post) | log-coordination-wrapper.sh + enforce-pdca-cycle.sh | No (audit + escalation) |
| 4. Session | load-project-context.sh | No (initialization) |
| 5. Permissions | settings.json (34 allow / 4 ask / 30 deny) | Yes (runtime) |
| 6. Rules | CLAUDE.md + adlc-governance.md | Behavioral (unhookable surface) |
Anti-Pattern Tracking
23 anti-patterns are documented with root causes, prevention hooks, and fix descriptions. Categories include coordination bypasses, evidence evasion, security incidents, infrastructure misconfigurations, and version management failures.
See Governance Rules for the complete anti-pattern registry and Hook Enforcement Reference for implementation details.
Related Agents
- security-compliance-engineer — Primary agent for compliance
- product-owner — Requirements with compliance context