This framework was created by Principal Ai Consultants and is open source, so use it freely and at your discretion. It is designed to be modular and scalable. Start with Chapter 1 to establish your vision and principles, then progress through governance (Chapter 2), risk classification (Chapter 3), and the AI lifecycle (Chapter 4). Chapters 5-7 address specialized topics, while Chapter 8 provides ready-to-use templates and tools.
Watchman: Model Provenance & Integrity for Responsible AI
The RAI Framework defines what responsible AI deployment looks like. Watchman makes it verifiable. Before any third-party or compressed model enters production, a Watchman audit verifies it is what it claims to be: it detects and classifies weight modifications, records a SHA-256 chain of custody, and produces an evidence-grade report plus a CycloneDX AI-BOM attestation.
Together, the RAI Framework and Watchman give regulated organizations:
- Verified model provenance for every model you adopt or release
- Evidence mapped to obligations: EU AI Act, NDAA/DFARS, OMB M-26-04 and AI-BOM procurement
- A CI-native integrity gate for your model registry, on-prem or air-gapped
- Machine-readable AI-BOM attestations that satisfy supply-chain disclosure requirements
Executive Vision & Scope
Governance & Organizational Structure
Risk Classification & Taxonomy
The Responsible AI Lifecycle (Process Controls)
Generative AI & LLM Specifics
Third-Party Procurement & Supply Chain
Culture, Training & Adoption
Appendices & Toolkits
Key Regulatory Frameworks Referenced
EU AI Act
World's first comprehensive AI regulation with risk-based classification. High-risk rules effective August 2026, GPAI obligations from August 2025.
US Executive Orders
Federal AI policy framework seeking uniform national standards. FTC oversight on deceptive AI practices.
NIST AI RMF
Voluntary risk management framework with Govern, Map, Measure, Manage functions. Gen AI Profile released July 2024.
GDPR
Data protection requirements integral to AI systems processing personal data. DPIAs required for high-risk processing.
Implementation Timeline Overview
Foundation
Establish governance structure, appoint CAIO, form AI Ethics Board, complete initial AI inventory
Risk Assessment
Classify all AI systems by risk tier, conduct algorithmic impact assessments, identify shadow AI
Process Implementation
Deploy lifecycle controls, implement guardrails for LLMs, establish monitoring systems
Training & Culture
Roll out workforce training programs, establish feedback mechanisms, launch change management
Optimization & Audit
Conduct internal audits, optimize processes, prepare for external assessments, continuous improvement
Start with Section 1.1: The Business Case for Responsible AI for the case and the obligations it answers, then set your Core Ethical Principles.