Trust: Public posture

Responsible AI

How ControlFrame governs specialist agents, prompts, traces, SME contributions, and human review.

Review status
ControlFrame agents assist with evidence collection, mapping, scoring, review preparation, and package checks. Agents do not bypass RBAC and do not replace human approval or auditor judgment.

Human gates

Evidence approval, package release, remediation commitments, and external audit responses remain human-reviewed by default.

Traceable output

Agent events show concise rationale summaries, evidence references, control references, confidence, risk flags, and recommended next action.

No chain-of-thought exposure

The product shows audit-useful summaries and references without exposing private reasoning traces.

Scoped permissions

Agent service accounts inherit tenant, workspace, target, control, and artifact boundaries instead of receiving broad access.

Demo labeling

Simulated agent runs are labeled as demo or sandbox data and are not represented as production evidence collection.

Security and privacy review

Sensitive-data, PHI, PII, secrets, redaction, and package-blocking signals are part of the responsible AI posture.