
Building the Future of Governance-as-Code

Harmonizing AI Governance with Open Source & Open Standards

Financial institutions are rapidly deploying agentic AI systems, but governance, security, and cost visibility remain opaque. FINOS is leading the charge to fill the "last mile": turning a fragmented landscape of policies, regulations and guidelines into machine-readable, runtime-observable assurance and an end-to-end governance-as-code pipeline that enables the industry to scale AI responsibly without hampering innovation.

Why Governance-as-Code?

Agentic AI systems (e.g., AI agents calling Model Context Protocol servers, invoking tools, and making autonomous decisions) require robust governance to ensure compliance, security, and cost efficiency. Traditional governance approaches are manual, siloed, and unable to scale with the complexity of modern AI workloads. FINOS is addressing this gap by building an open-source governance-as-code pipeline that integrates:

  • Policy Definition – Machine-readable standards for AI governance mapped to major regulatory frameworks.
  • Security & Compliance – Automated controls and audits at scale.
  • Observability – Real-time monitoring and cost tracking.
  • Feedback Loops – Continuous improvement through evals and operational data.

The pipeline we are building is fully open-source and based on projects such as the FINOS AI Governance Framework, CALM, Common Cloud Controls, Gemara, Fluxnova, OpenTelemetry and Grafana, creating a unified system of transparent assurance for the financial services industry.

[Diagram: Regulations, Guidelines, Standards and Best practices feeding the AI Governance Framework]

For Financial Services, by Financial Services

Since 2024, FINOS has brought together a vast coalition of financial institutions, technology providers, and researchers to collaboratively build the foundation for harmonized best practices that advance responsible AI adoption in financial services without hindering innovation. The FINOS AI Governance Framework (AIGF) is the result of this collaboration and serves as the Rosetta Stone for building a shared industry understanding of use cases, risks, control requirements, architectures, and operational practices. Its main components are:

AI Risks & Mitigations Catalog

AIGF is an open-source initiative designed to provide financial institutions with a comprehensive, standardized catalog of governance controls tailored specifically for AI and agentic systems. As AI adoption accelerates in financial services—spanning use cases from risk modeling and fraud detection to autonomous decision-making—AIGF addresses the critical need for a structured approach to managing risks, ensuring compliance, and embedding ethical considerations. The framework defines what to govern, offering clear guidelines on model selection, agent autonomy levels, operational oversight, supply chain integrity, and alignment with regulatory expectations such as the EU AI Act, FCA Consumer Duty, and PRA operational resilience requirements.

  • Machine-Readable Compliance Specifications for AI Governance
  • Automated Policy Validation in CI/CD and Runtime Environments

Explore the Catalog →

Use Cases Taxonomy

Applicable risks and mitigations vary widely depending on the use case, whether intra- or inter-firm, e.g. AI-enhanced fraud detection vs. an autonomous AI trading agent vs. internal AI-aided software development. Use cases are categorized across multiple dimensions such as:

  • AI Type
  • Architecture Pattern
  • Data Handling Requirements

This provides a shared industry understanding of how risks map to specific use cases, enabling financial institutions to categorize, compare, and govern their AI use cases consistently, which in turn supports regulatory alignment, risk management, and effective collaboration across the industry.

Explore the Taxonomy →

AI Reference Architecture Library

On the basis of the Use Cases Taxonomy, and leveraging CALM as architecture-as-code, FINOS is building a collection of FSI-specific AI reference architectures that enterprises can adopt, plus AI architecture threat models that consider AIGF catalog risks, including patterns for multi-agent and tool-using systems. This provides a practical and unified view of the security baseline needed to design, deploy, and operate a system within agreed risk tolerances. Threat models vary by autonomy level, tool authority, and human-oversight pattern. The library provides a practical blueprint for building production AI systems with clear component boundaries for security, observability, and cost-aware operations.

  • Composable system patterns
  • Integration points for telemetry and controls

Explore Library →

Tooling & Integrations

Related open-source projects that extend the ecosystem with architecture-as-code tooling, common cloud control standards, and agentic orchestration building blocks.


CALM (Architecture as Code)

Transforms static governance policies into machine-readable, executable specifications, enabling financial institutions to automate compliance validation for AI systems. In the rapidly evolving landscape of AI and agentic workflows, CALM bridges the gap between high-level regulatory requirements (such as those from the EU AI Act, FCA, or internal risk policies) and technical implementation. By expressing governance rules in a structured, code-like format, CALM allows institutions to embed compliance checks directly into their CI/CD pipelines, development workflows, and runtime environments. This ensures that AI models, agents, and orchestration processes are continuously validated against predefined policies—before deployment and throughout their lifecycle.

  • Machine-Readable Compliance Specifications for AI Governance
  • Automated Policy Validation in CI/CD and Runtime Environments

Learn more →
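The passages above describe governance rules expressed in a machine-readable form and validated in CI/CD, but show no such rule. The following added example (not CALM's schema, not the AIGF control catalogue, and not FINOS code) illustrates the governance-as-code idea from the "Why Governance-as-Code?" section and the CALM description in one place: a hypothetical JSON deployment manifest for an agentic system is checked against a handful of hypothetical controls (approved model provider, human oversight at higher autonomy levels, telemetry on write-capable tools, audit-log retention), and the resulting findings are what a CI gate would fail on. All field names, control ids and thresholds are assumptions made for the example.

```python
"""Illustrative governance-as-code gate for an agentic AI deployment.

Added example only: the manifest layout, control ids (CTRL-00x) and
thresholds below are hypothetical, not CALM's format or AIGF's catalogue.
"""
import json
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Finding:
    control_id: str
    message: str


# A control is a pure function from a manifest to zero or more findings.
Control = Callable[[dict], list[Finding]]

# Hypothetical policy parameters (would come from the institution's catalogue).
APPROVED_PROVIDERS = {"approved-vendor"}     # model supply-chain allow-list
OVERSIGHT_REQUIRED_FROM_LEVEL = 3            # autonomy level needing a human pattern
MIN_AUDIT_RETENTION_DAYS = 90                # minimum audit-log retention


def ctrl_model_provider(m: dict) -> list[Finding]:
    """CTRL-001: the model must come from an approved provider."""
    provider = m.get("model", {}).get("provider")
    if provider not in APPROVED_PROVIDERS:
        return [Finding("CTRL-001", f"model provider {provider!r} is not approved")]
    return []


def ctrl_human_oversight(m: dict) -> list[Finding]:
    """CTRL-002: higher autonomy must be paired with a human-oversight pattern."""
    autonomous = m.get("autonomy_level", 0) >= OVERSIGHT_REQUIRED_FROM_LEVEL
    if autonomous and m.get("human_oversight", "none") == "none":
        return [Finding("CTRL-002", "autonomy level requires human oversight")]
    return []


def ctrl_tool_telemetry(m: dict) -> list[Finding]:
    """CTRL-003: every write-capable tool must emit telemetry."""
    return [
        Finding("CTRL-003", f"write tool {t['name']!r} emits no telemetry")
        for t in m.get("tools", [])
        if t.get("scope") == "write" and not t.get("telemetry", False)
    ]


def ctrl_audit_logging(m: dict) -> list[Finding]:
    """CTRL-004: audit logging is enabled with sufficient retention."""
    audit = m.get("audit_logging", {})
    if not audit.get("enabled", False):
        return [Finding("CTRL-004", "audit logging is disabled")]
    if audit.get("retention_days", 0) < MIN_AUDIT_RETENTION_DAYS:
        return [Finding("CTRL-004", f"audit retention below {MIN_AUDIT_RETENTION_DAYS} days")]
    return []


CONTROLS: list[Control] = [
    ctrl_model_provider, ctrl_human_oversight, ctrl_tool_telemetry, ctrl_audit_logging,
]


def evaluate(manifest: dict, controls: list[Control] = CONTROLS) -> list[Finding]:
    """Run every control and collect findings in control order."""
    return [f for control in controls for f in control(manifest)]


def ci_gate(manifest: dict) -> bool:
    """True when the manifest passes every control (maps to a CI exit status)."""
    return not evaluate(manifest)


# Constructed sample manifests in the hypothetical schema.
NONCOMPLIANT = json.loads("""
{
  "name": "payments-triage-agent",
  "model": {"provider": "approved-vendor", "version": "2025-01"},
  "autonomy_level": 3,
  "tools": [
    {"name": "lookup_account", "scope": "read",  "telemetry": true},
    {"name": "issue_refund",   "scope": "write", "telemetry": false}
  ],
  "human_oversight": "none",
  "audit_logging": {"enabled": true, "retention_days": 30}
}
""")

COMPLIANT = json.loads("""
{
  "name": "payments-triage-agent",
  "model": {"provider": "approved-vendor", "version": "2025-01"},
  "autonomy_level": 3,
  "tools": [
    {"name": "lookup_account", "scope": "read",  "telemetry": true},
    {"name": "issue_refund",   "scope": "write", "telemetry": true}
  ],
  "human_oversight": "approval-before-write",
  "audit_logging": {"enabled": true, "retention_days": 365}
}
""")

if __name__ == "__main__":
    for label, manifest in (("non-compliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        findings = evaluate(manifest)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  {f.control_id}: {f.message}")
```

Run stand-alone, the script prints the three findings for the first manifest and a pass for the second; in a pipeline `ci_gate` would decide the job's exit status, and the same control functions could be re-run against runtime telemetry rather than a static manifest.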

CCC (Common Cloud Controls)

CCC is an open-source initiative designed to standardize and streamline cloud security and compliance controls specifically tailored for AI and financial services workloads. As financial institutions increasingly deploy AI models and agentic systems in hybrid or multi-cloud environments, CCC provides a unified, industry-aligned catalog of controls that address critical requirements such as data protection, access management, audit logging, and operational resilience. By mapping regulatory expectations (e.g., EU AI Act, FCA, PRA) and internal governance policies to actionable technical controls, CCC eliminates the need for bespoke, siloed solutions—reducing duplication, accelerating compliance, and lowering operational risk.

  • Standardized Cloud Security and Compliance Controls for AI Workloads
  • Automated Governance Alignment with Regulatory Frameworks

Learn more →

Fluxnova (Agentic Orchestration)

Fluxnova enables financial institutions and enterprises to define, automate, and govern complex AI workflows in a visually intuitive and machine-executable way. This approach ensures that agentic processes—such as multi-step decision-making, tool invocation, and human-in-the-loop validations—are not only transparent and auditable but also aligned with regulatory and operational requirements.

  • BPMN/DMN-Based Agentic Workflow Orchestration
  • Governance-Embedded Process Automation

Learn more →