<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>AI Governance on Control Plane by Karl McGuinness</title><link>https://notes.karlmcguinness.com/tags/ai-governance/</link><description>Recent content in AI Governance on Control Plane by Karl McGuinness</description><generator>Hugo</generator><language>en-us</language><managingEditor>public@karlmcguinness.com (Karl McGuinness)</managingEditor><webMaster>public@karlmcguinness.com (Karl McGuinness)</webMaster><lastBuildDate>Sat, 06 Jun 2026 22:30:00 -0700</lastBuildDate><atom:link href="https://notes.karlmcguinness.com/tags/ai-governance/index.xml" rel="self" type="application/rss+xml"/><item><title>Making Compliance a By-Product</title><link>https://notes.karlmcguinness.com/notes/making-compliance-a-byproduct/</link><pubDate>Sat, 06 Jun 2026 22:30:00 -0700</pubDate><author>public@karlmcguinness.com (Karl McGuinness)</author><guid>https://notes.karlmcguinness.com/notes/making-compliance-a-byproduct/</guid><description>The third kind of outside framing is the one with auditors behind it. NIST AI RMF, the EU AI Act, and ISO/IEC 42001 converge on one demand: show me. Show me who is accountable, what the system is for, how you observe it, and how you stop it. In most agent stacks the honest answer is archaeology through session logs. In this architecture the artifact that enforces is the artifact that documents: the Mission is the documented purpose, the approval is the accountable decision, the evidence family is the log, and Termination is the interrupt. The crosswalk maps eight obligations onto machinery that exists for safety reasons, and then names what compliance still requires, because evidence is not certification.</description></item></channel></rss>