
# Governance

> Policy engine, risk scoring, evidence collection, and assessments — the controls layer for production AI.

Governance is the layer that turns "we can see what the agent does" into "we know it's allowed to do that". Use it to enforce policies before runs reach users, score risk per app, gather evidence with a review workflow, and run repeatable assessments.

***

## What's inside

<CardGroup cols={2}>
  <Card title="Policies" icon="file-shield" href="./policies">
    Define and assign governance rules, evaluate them against runs, score compliance.
  </Card>

  <Card title="Evidence" icon="folder-open" href="./evidence">
    Collect, review, and approve evidence — automated or manual.
  </Card>

  <Card title="Assessments" icon="clipboard-check" href="./assessments">
    Dynamic questionnaires with weighted scoring.
  </Card>

  <Card title="Risk Dashboard" icon="triangle-exclamation" href="./risk-dashboard">
    Six-dimensional risk score per app, rolled up to the org.
  </Card>

  <Card title="AI Registry" icon="server" href="./ai-registry">
    Catalogue of models, deployments, and ownership.
  </Card>
</CardGroup>

***

## How governance fits together

```mermaid theme={"system"}
flowchart LR
    Registry["AI Registry<br/>(what we have)"] --> Risk
    Policies["Policies<br/>(what's allowed)"] --> Risk
    Assessments["Assessments<br/>(how we check)"] --> Evidence
    Evidence["Evidence<br/>(proof)"] --> Risk
    Risk["Risk score<br/>(where to focus)"] --> Compliance[Compliance heatmap]
```

The AI Registry is the inventory layer: what exists in your portfolio. Policies and Assessments produce the inputs to risk scoring. Evidence is the artefact layer that proves controls are met. Risk rolls up all four (Registry, Policies, Assessments, and Evidence) into a single per-app score, and Compliance translates that score into framework-specific status.

***

## When to start where

| Maturity                             | Start with                                                                  |
| ------------------------------------ | --------------------------------------------------------------------------- |
| You just got Observatory running     | [AI Registry](./ai-registry) — catalogue what you have before governing it. |
| You have telemetry but no controls   | [Policies](./policies) — the highest-leverage place to add guardrails.      |
| You have policies but no audit trail | [Evidence](./evidence) — turn enforcement into proof.                       |
| You report to a risk committee       | [Risk Dashboard](./risk-dashboard) — give them one number per app.          |
| You need formal sign-off             | [Assessments](./assessments) — structured, repeatable, scoreable.           |

***

## Related resources

<CardGroup cols={2}>
  <Card title="Compliance" icon="circle-check" href="../compliance/overview">
    Map controls to EU AI Act, NIST AI RMF, and ISO 42001.
  </Card>

  <Card title="Observability" icon="eye" href="../observability/overview">
    The telemetry that policies and risk scoring read from.
  </Card>
</CardGroup>
