Canonical Reference
The Void Vanguard Framework Stack
Canonical definitions for every named framework in the Void Vanguard governance architecture.
Each framework answers a different question about AI governance at a regulated institution. The Governance Spine answers structural integrity. V³ answers assessment surface. AIGPCMM answers maturity. The Diagnostic Arc answers engagement sequencing. The Decision Authority Matrix, the Complete Scaffolding Framework, and the Agent-as-Synthetic-Employee model answer control design. The definitions on this page are canonical: when a Void Vanguard article, episode, or assessment references one of these terms, it means exactly what is written here.
Governance Spine
Structural
Appetite → Strategy → Controls → Evidence → Reporting
The Governance Spine is Void Vanguard's structural framework for AI governance: Appetite, Strategy, Controls, Evidence, Reporting. The sequence is immutable.
When a governance program fails, the diagnostic question is which Spine stage broke first. Policy without mechanism is a Controls failure. Mechanism without evidence is an Evidence failure. Evidence without reporting is a Reporting failure. The Spine operationalizes the NIST AI Risk Management Framework's four functions (Govern, Map, Measure, Manage) into mechanism design that produces examiner-ready evidence.
Canonical article
V³ Domain Assessment
Assessment
Visibility · Velocity · Verification
The V³ Domain Assessment is Void Vanguard's AI governance gap assessment framework: nine domains, D-01 through D-09, grouped under three tiers. Visibility asks whether you can see it. Velocity asks whether you can act on it. Verification asks whether you can prove it.
Visibility holds D-01 AI Strategy & Risk Appetite, D-02 Model & System Inventory, and D-03 Data Governance & Lineage. Velocity holds D-04 Identity, Access & Agentic Boundaries, D-05 Development, Deployment & Runtime Controls, and D-06 Monitoring, Drift & Explainability. Verification holds D-07 Third-Party, Vendor, Resilience & AI Incident Response, D-08 Workforce & Change Management, and D-09 Regulatory Alignment & Reporting. Each domain is scored on the AIGPCMM scale.
D-01 to D-09Nine domainsThree tiers$40K productized assessment
AIGPCMM
Maturity
The AIGPCMM, the AI Governance Practitioner Capability Maturity Model, is Void Vanguard's five-level maturity scale for AI governance programs, applied per domain and as a composite score: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized.
Composite thresholds: below 2.5 is Red, a critical gap. From 2.5 to 3.4 is Yellow, a material gap. At 3.5 and above is Green, a defensible posture. Scoring follows an evidence hierarchy: system-generated evidence ranks highest, then process artifacts, then documentation, then verbal attestation.
1 Initial2 Repeatable3 Defined4 Managed5 Optimized
Diagnostic Arc
Engagement
Diagnose → Expose → Architect → Prove
The Diagnostic Arc is Void Vanguard's engagement narrative and delivery sequencing model: Diagnose, Expose, Architect, Prove.
Diagnose surfaces the gap through assessment and maturity scoring. Expose frames the risk in examiner language, what an auditor would find. Architect designs the mechanism, structural controls rather than policy documents. Prove produces defensible evidence, auditable and system-generated where possible.
Decision Authority Matrix
Control
The Decision Authority Matrix is a governance control that maps AI risk tier to approval authority and required evidence artifacts across four governed actions: evaluate, deploy, modify scope, and retire.
Critical-tier AI, the systems that influence regulated decisions or operate with broad autonomy, requires board or executive committee approval with no exceptions. High requires senior management with documented risk acceptance. Medium requires department head approval with IT security review. Low requires manager acknowledgment with an acceptable use attestation. Scope change without re-evaluation is the single most common failure mode the matrix prevents: a medium-tier system quietly becomes critical-tier through unchecked scope creep, and the matrix requires re-approval at the new risk level. It lives at the Controls stage of the Governance Spine and produces artifacts at the Evidence stage.
Canonical article
Complete Scaffolding Framework
Architecture
The Complete Scaffolding Framework (CSF) is a four-pillar deterministic logic gate architecture that sits between the user or agent and the LLM in any AI deployment at a regulated institution.
Each pillar is a deterministic control checkpoint on a distinct part of the transaction flow, with a defined completion criterion, failure mode, and evidence requirement. Unlike probabilistic LLM guardrails, CSF gates are deterministic: if a pillar's condition is not met, the transaction does not proceed. CSF is the technical architecture layer of the framework stack, the answer to what the scaffolding around the LLM actually looks like as code.
Agent-as-Synthetic-Employee
Identity
The Agent-as-Synthetic-Employee model holds that AI agents operating inside regulated enterprise environments are Non-Human Identities: synthetic members of the workforce with entitlements, a lifecycle, and the capacity to cause regulatory harm if ungoverned.
Agents are not tools, not applications, and not generic service accounts. The governance discipline that applies to them is the same identity and privileged access discipline that applies to human privileged users, reframed and extended. The common failure is a category error: agents treated as applications, running on static unvaulted credentials, unregistered in the identity governance platform, with unrecorded sessions and no decommission process. The related Foundation Gap names the structural exposure that even mature IAM programs carry when non-human identities sit outside the identity governance perimeter.
Canonical article
Model vs. Non-Model Determination
Classification
The Model vs. Non-Model Determination is a documented classification of each AI system against current interagency model risk guidance, with rationale an examiner can evaluate independently.
OCC Bulletin 2026-13, issued jointly by the OCC, Federal Reserve, and FDIC on April 17, 2026, rescinded OCC 2011-12 and explicitly excludes generative AI and agentic AI from its scope while still covering traditional statistical models and non-generative AI/ML. The governance failure is not treating every AI tool as a model. The governance failure is never performing the Determination at all. The examiner wants the Determination, not the assumption.
Canonical article
Policy without mechanism → paper, not outcomes
Governance is mechanism design
voidvanguard.com/frameworks