Metadata-Version: 2.4
Name: polygraph-gov
Version: 0.0.0
Summary: Trace-level governance analysis for agentic AI systems, mapped to EU AI Act and NIST AI RMF.
Project-URL: Homepage, https://github.com/jodyb/polygraph-gov
Project-URL: Documentation, https://github.com/jodyb/polygraph-gov
Project-URL: Repository, https://github.com/jodyb/polygraph-gov
Project-URL: Issues, https://github.com/jodyb/polygraph-gov/issues
Project-URL: Discussions, https://github.com/jodyb/polygraph-gov/discussions
Author: Jod
License-Expression: Apache-2.0
License-File: LICENSE
Keywords: agent-trace,agentic-ai,ai-governance,audit,eu-ai-act,llm-evaluation,nist-ai-rmf,responsible-ai
Classifier: Development Status :: 1 - Planning
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: Legal Industry
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Typing :: Typed
Requires-Python: >=3.11
Provides-Extra: dev
Requires-Dist: mypy>=1.10; extra == 'dev'
Requires-Dist: pytest-cov>=5.0; extra == 'dev'
Requires-Dist: pytest>=8.0; extra == 'dev'
Requires-Dist: ruff>=0.6; extra == 'dev'
Provides-Extra: docs
Requires-Dist: mkdocs-material>=9.5; extra == 'docs'
Requires-Dist: mkdocs>=1.6; extra == 'docs'
Description-Content-Type: text/markdown

# Polygraph

**Open-source governance tooling for agentic AI systems.**

> **Status: active development, pre-1.0.** Created May 29, 2026. Targeting v1.0 in late September 2026. Built in the open — star this repository to follow along.

## What this is

Polygraph is a Python library and CLI that ingests execution traces from agentic AI systems and produces structured governance assessments: which policies were violated, which regulatory clauses each violation maps to, and an audit-ready evidence bundle that can be imported into existing GRC platforms.

It is designed to fill a specific gap in the current AI governance stack. Today's platforms (Credo, VerifyWise, Holistic AI, Fairly) are sophisticated document repositories — excellent at storing, organizing, and presenting evidence to auditors, but the evidence still has to be generated by humans running scripts and writing memos. Polygraph is the evidence-generating engine that feeds into those platforms, not a replacement for them.

## Why agents need their own governance layer

The traditional AI governance model — risk assessment before deployment, fairness testing at model promotion, monitoring at the metrics layer — was designed for static models that produce predictions. It breaks down when the subject of governance is an agent that:

- Reasons over many steps, where each step is benign but the composite trajectory is risky
- Uses tools dynamically, potentially outside its declared scope
- Spawns or coordinates other agents, multiplying the surface area faster than any review process can keep up
- Operates against open-ended objectives, making "goal drift" a meaningful failure mode

Pre-deployment review cannot enumerate this state space. The governance function has to migrate from a gate to continuous, trajectory-level evaluation. Polygraph is one piece of the tooling that makes that migration possible.

## Planned v1.0 scope

**Trace ingestion**
- OpenTelemetry GenAI semantic conventions
- LangSmith trace exports
- Langfuse trace exports

**Built-in detectors**
- Tool-scope violations
- Unauthorized tool sequences
- Loop and runaway-behavior detection
- PII exposure in tool arguments and model context
- Prompt-injection patterns in tool outputs
- Goal drift
- Dynamic scope creep
- Multi-step risk accumulation scoring

**Policy and reporting**
- YAML policy DSL for declaring detectors, severity thresholds, allowlists, and regulatory profile
- Regulatory mapping for EU AI Act (high-risk obligations, Annex III and Article 50) and the NIST AI RMF Generative AI Profile (NIST.AI.600-1)
- OSCAL-compatible evidence bundle export for ingestion into existing GRC platforms
- Extension API for writing custom detectors

## Installation

```bash
pip install polygraph-gov
```

(Coming with v1.0. The current repository is a placeholder.)

## Status

| Field | Value |
|---|---|
| Created | May 29, 2026 |
| v1.0 target | Late September 2026 |
| License | Apache-2.0 |
| Maintainer | [@jodyb](https://github.com/jodyb) |

## Follow along

Star this repository to follow progress. The Discussions tab is open for design feedback, use-case suggestions, and requests for additional detectors or trace-format support.

---

*This repository is under active construction. APIs, scope, and design decisions will change before v1.0. If you are working on the same problem space and want to compare notes, open a Discussion.*
