METHODOLOGY

How Vigilia scores AI governance.

Every score, gap, and remediation in a Vigilia report comes from a deterministic graph analysis. No black-box AI judgement. You can explain every finding to your regulator and your board.

The model

Vigilia represents your AI system as a directed graph: agents, human approvers, data sources, governance policies, monitoring systems, and decision points are vertices. Their relationships (orchestrates, accesses, approves, monitors, constrained by) are edges.

Compliance signals are then extracted from the graph topology. Missing edges (for example, an agent making decisions with no human approval chain) trigger gap findings. Each finding maps to the specific regulatory article it violates, with the affected agent named directly.

Scoring is deterministic. AI is used only to enrich gap narratives — never to determine whether a gap exists.

Frameworks supported

  • EU AI Act — full enforcement August 2, 2026
  • NIST AI Risk Management Framework 1.0
  • ISO/IEC 42001 — AI Management System
  • US Executive Order 14110 on AI
  • UK AI Regulation Principles

EU AI Act risk classification

Every workspace is classified into one of four risk tiers based on the kind of decisions its agents make. The tier determines which articles apply.

Minimal risk: Low-stakes use cases (e.g. spam filters, recommender systems). Standard transparency obligations apply.
Limited risk: User-facing AI (chatbots, content generation). Disclosure obligations apply under Art. 52.
High risk: Annex III use cases (recruitment, credit, healthcare, education, law enforcement). Conformity assessment, risk management, human oversight, and technical documentation required.
Unacceptable risk: Prohibited practices under Art. 5 (social scoring, real-time biometric ID in public spaces, manipulative AI). Deployment may be unlawful.

The 6 governance dimensions

Each dimension is scored from your graph. The signal column shows which graph relationships drive the score. The article column is the EU AI Act provision the dimension maps to.

Dimension             | Graph signal                          | EU AI Act
Human Oversight       | APPROVES / ESCALATES_TO ratio         | Art. 14
Data Security         | ACCESSES density + CONSTRAINED_BY     | Art. 10
Transparency          | MONITORING_SYSTEM + AUDIT_LOG flows   | Art. 13
Accountability        | DECISION_OUTPUT traceability          | Art. 14 + Art. 9
Reliability           | ORCHESTRATES chain depth              | Art. 9
Regulatory Compliance | GOVERNANCE_POLICY coverage            | Art. 9

The 8 structural anti-patterns

Detected automatically from your agent graph. Each detection triggers a gap with severity, fine exposure, and a remediation step.

  1. Single Approval Bottleneck (Art. 14)
     Trigger: One approver controls more than 50% of decisions

  2. Decision Loop Without Audit (Art. 13)
     Trigger: Decision outputs with no AUDIT_LOG flow

  3. Data Over-Access (Art. 10)
     Trigger: Agent accesses 3+ data sources with no governance policy attached

  4. Agent Monoculture (Art. 9)
     Trigger: All agents use the same provider and model family

  5. Shadow Agent (Art. 9 + Art. 11)
     Trigger: Agent with no monitoring, no policy, and no human oversight

  6. Brittle Orchestration Chain (Art. 9)
     Trigger: ORCHESTRATES chain depth ≥4 with no escalation path

  7. Accountability Gap (Art. 14)
     Trigger: Decision outputs with no traceable human owner

  8. Undocumented High-Risk Agent (Art. 9)
     Trigger: EU AI Act Annex III use case with no governance documentation

How a score is computed

For each selected framework:

  1. Vigilia loads every applicable article for your detected risk tier.
  2. Each article carries a graph signal — a structural condition that must hold (for example, "every high-risk agent must have at least one APPROVES edge from a HUMAN_APPROVER").
  3. The condition is evaluated against your graph index. If it holds, the article passes. If not, it becomes a gap with the affected agents named.
  4. The framework compliance score is passing_articles / total_applicable_articles.
  5. The overall score is the average across selected frameworks.

Articles that do not apply to your risk tier are excluded entirely — they neither pass nor fail, so they cannot inflate the score.
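The scoring procedure above, together with three of the anti-pattern triggers from the previous section, as an added illustration that is not Vigilia's own code. The vertex kinds and edge labels mirror the page; the FLOWS_TO label, the three article checks and the sample workspace are constructed assumptions.

```python
# Added illustration of the page's deterministic scoring procedure; not Vigilia's code.
# Vertex kinds and edge labels mirror the page; the checks and sample data are assumed.
from collections import defaultdict

def build_index(edges):
    """Index edges as (src, label) -> {dst} and label -> [(src, dst)]."""
    out, by_label = defaultdict(set), defaultdict(list)
    for src, label, dst in edges:
        out[(src, label)].add(dst)
        by_label[label].append((src, dst))
    return out, by_label

def check_art14(graph, kinds):
    """Art. 14 signal: every AGENT has an APPROVES edge from a HUMAN_APPROVER."""
    _, by_label = graph
    approved = {dst for src, dst in by_label["APPROVES"] if kinds[src] == "HUMAN_APPROVER"}
    return [v for v, k in kinds.items() if k == "AGENT" and v not in approved]

def check_art13(graph, kinds):
    """Art. 13 signal: every DECISION_OUTPUT flows into an AUDIT_LOG (FLOWS_TO assumed)."""
    out, _ = graph
    return [v for v, k in kinds.items() if k == "DECISION_OUTPUT"
            and not any(kinds[x] == "AUDIT_LOG" for x in out[(v, "FLOWS_TO")])]

def check_art10(graph, kinds):
    """Art. 10 signal: an AGENT accessing 3+ data sources is CONSTRAINED_BY a policy."""
    out, _ = graph
    return [v for v, k in kinds.items() if k == "AGENT"
            and len(out[(v, "ACCESSES")]) >= 3 and not out[(v, "CONSTRAINED_BY")]]
ARTICLES = {"Art. 14": check_art14, "Art. 13": check_art13, "Art. 10": check_art10}

def score(edges, kinds, applicable):
    """Evaluate only the articles applicable to the tier; return (score, gaps)."""
    graph = build_index(edges)
    gaps = {art: ARTICLES[art](graph, kinds) for art in applicable}
    passing = sum(1 for affected in gaps.values() if not affected)
    return passing / len(applicable), {a: g for a, g in gaps.items() if g}

# Constructed sample workspace: two agents, one approver, one audited decision.
KINDS = {"triage-bot": "AGENT", "ledger-bot": "AGENT", "alice": "HUMAN_APPROVER",
         "d1": "DECISION_OUTPUT", "log": "AUDIT_LOG", "crm": "DATA_SOURCE",
         "hr": "DATA_SOURCE", "pay": "DATA_SOURCE", "pol": "GOVERNANCE_POLICY"}
EDGES = [("alice", "APPROVES", "triage-bot"), ("triage-bot", "CONSTRAINED_BY", "pol"),
         ("triage-bot", "ACCESSES", "crm"), ("ledger-bot", "ACCESSES", "crm"),
         ("ledger-bot", "ACCESSES", "hr"), ("ledger-bot", "ACCESSES", "pay"),
         ("ledger-bot", "ORCHESTRATES", "d1"), ("d1", "FLOWS_TO", "log")]

if __name__ == "__main__":
    print(score(EDGES, KINDS, ["Art. 14", "Art. 13", "Art. 10"]))
```

With all three articles applicable, only Art. 13 passes (score 1/3) and ledger-bot is named under Art. 14 and Art. 10; passing a shorter applicable list shows how excluded articles change the denominator rather than counting as passes.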

Severity and effort ratings

Every gap carries a severity (Critical · High · Medium · Low) reflecting regulatory exposure and likelihood of enforcement, and an effort rating (Low · Medium · High) estimating implementation complexity. Both are relative indicators to help you prioritise remediation; they are not legal opinions.

Fine exposure figures cited in reports are statutory maximums from the underlying regulation. Actual exposure depends on your turnover, the specific circumstances of any enforcement action, and the discretion of the supervisory authority.

What this methodology does not do

  • It does not assess runtime behaviour — only the documented graph you provide.
  • It does not constitute legal advice or a formal conformity assessment.
  • It does not verify the truthfulness of your agent descriptions; the report is only as accurate as the data you submit.
  • It does not guarantee regulatory outcomes. A passing report is evidence of a structurally sound governance posture, not proof of full compliance.

Vigilia reports are designed to give compliance teams, legal counsel, and regulators a clear, structural starting point. Use them alongside qualified legal advice.
