A Policy-as-Code, Agentic Workflow, and Trust Assurance Framework for AI Systems
4th.GRC™ is an enterprise-grade Agentic AI Governance Platform combining:
- Policy-as-Code (PaC)
- AI risk & compliance automation
- Agentic workflows (Semantic Kernel / LangGraph)
- FastAPI microservices
- Streamlit analytics apps
- Azure-native integrations
The platform evaluates AI systems against standards such as:
- ISO/IEC 42001 (AI Management System — AIMS)
- NIST AI RMF 1.0
- SOC 2 Trust Services Criteria
- HIPAA / HITECH
- EU AI Act (mapping in progress)
It produces scorecards, system cards, and audit-ready artifacts designed for:
- Enterprises
- Regulated industries
- Government R&D
- Academia
- Startups building responsible AI systems
```text
+-------------------------------------------------------------------------------+
|                               4th.GRC Platform                                |
+-------------------------+-------------------------------+---------------------+
| PolicyEngine (API)      | Agent Layer                   | Scorecard App       |
| FastAPI Microservice    | SK / LangGraph Agents         | Streamlit UI        |
|-------------------------|-------------------------------|---------------------|
| - Profile loader        | - Evidence gathering agents   | - Dashboards        |
| - Rule evaluator        | - Reasoning / planning        | - Cosmos analytics  |
| - Score calculator      | - PolicyEngine integration    | - Historical trends |
+-------------------------+-------------------------------+---------------------+
```
```text
4th.grc/
│
├── services/
│   └── policyengine_svc/   # FastAPI evaluation microservice
│
├── apps/
│   └── scorecard/          # Streamlit analytics dashboard
│
├── profiles/               # Governance Profiles (ISO, NIST, SOC2)
├── rules/                  # Rule modules (atomic evaluation logic)
├── agents/                 # Agentic workflows & Semantic Kernel plugins
│
├── scripts/                # DevOps automation & local tooling
├── docs/                   # System cards, API docs, architecture guides
│
└── tests/                  # Unit & integration tests
```
Clone the repository:

```bash
git clone https://github.com/<org>/4th.grc.git
cd 4th.grc
```

Create a virtual environment and install dependencies:

```bash
python -m venv .venv
source .venv/bin/activate   # macOS/Linux
.\.venv\Scripts\activate    # Windows
pip install -r requirements.txt
```

Run the PolicyEngine service:

```bash
bash scripts/dev_run_policyengine.sh
```

Or:

```bash
uvicorn services.policyengine_svc.main:app --reload --port 8080
```

Run the Scorecard app:

```bash
bash scripts/dev_run_scorecard.sh
```

Or:

```bash
streamlit run apps/scorecard/streamlit_app.py
```

- Input validation across all schemas
- Evidence sanitization logic
- Azure Key Vault integration for secrets
- API authentication via APIM / OAuth2
- Container-ready for sandboxing
- System card generation (`SYSTEM_CARD.md`)
- Deterministic rule evaluation
- Versioned profiles for GRC provenance
- Exportable scorecards for audits
- GitOps-friendly PaC workflows
- Declarative governance
- Immutable policy artifacts
- Cross-standard governance alignment
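The profile loader, rule evaluator and score calculator flow described above, as an added illustration that is not the project's own code: the profile format, control ids, evidence keys, operators and weights are all assumed, and missing evidence fails closed rather than counting as a pass.

```python
# Illustrative Policy-as-Code evaluator (assumed profile format, not 4th.GRC's own code).
from dataclasses import dataclass
import hashlib
import json

# Constructed governance profile: each control is one atomic rule over an evidence field.
PROFILE = {
    "id": "iso42001-min", "version": "1.0.0",
    "controls": [
        {"id": "A.6.2.2", "field": "risk_assessment_done", "op": "eq", "value": True, "weight": 2},
        {"id": "A.6.2.6", "field": "model_card_present", "op": "eq", "value": True, "weight": 1},
        {"id": "A.8.4", "field": "days_since_review", "op": "lte", "value": 90, "weight": 1},
    ],
}

# Assumed operator set; rules are pure functions of (actual, expected).
OPS = {"eq": lambda a, b: a == b, "lte": lambda a, b: a <= b}

@dataclass(frozen=True)
class Finding:
    control: str
    passed: bool
    weight: int
    detail: str

def evaluate(profile: dict, evidence: dict) -> list:
    """Deterministic evaluation: same profile + evidence always yields the same findings."""
    findings = []
    for c in sorted(profile["controls"], key=lambda c: c["id"]):
        actual = evidence.get(c["field"])
        # Absent evidence is a failure, never a silent pass.
        passed = actual is not None and bool(OPS[c["op"]](actual, c["value"]))
        detail = f"{c['field']}={actual!r} expected {c['op']} {c['value']!r}"
        findings.append(Finding(c["id"], passed, c["weight"], detail))
    return findings

def score(findings: list) -> float:
    """Weighted pass rate in percent."""
    total = sum(f.weight for f in findings)
    return round(100 * sum(f.weight for f in findings if f.passed) / total, 1) if total else 0.0

def scorecard(profile: dict, evidence: dict) -> dict:
    """Audit-ready artifact: findings plus a hash of the exact profile version used."""
    findings = evaluate(profile, evidence)
    digest = hashlib.sha256(json.dumps(profile, sort_keys=True).encode()).hexdigest()
    return {"profile": f"{profile['id']}@{profile['version']}", "profile_sha256": digest,
            "score": score(findings), "findings": [f.__dict__ for f in findings]}

if __name__ == "__main__":
    # Constructed evidence: the review-age field is missing, so A.8.4 fails closed.
    print(json.dumps(scorecard(PROFILE, {"risk_assessment_done": True, "model_card_present": False}), indent=2))
```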
- `docs/AUTO_INDEX.md` — Auto-generated documentation map
- `docs/PROFILE_INDEX.md` — All profiles
- `docs/api/openapi.json` — PolicyEngine OpenAPI schema
- `profiles/README.md` — Profile Authoring Guide
- `rules/README.md` — Rule Authoring Guide
- `scripts/README.md` — Script & tooling guide
- PolicyEngine plugin included
- Agent tools for evidence gathering
- Reasoning + evaluation loops
- Async workflows
- Autonomous agent workflows
- Multi-step orchestration
- Evidence refinement loops
- Findings summarization
- Azure OpenAI
- Blob Storage
- Cosmos DB
- Key Vault
- API Management (APIM)
```bash
bash scripts/run_unit_tests.sh
bash scripts/run_integration_tests.sh
bash scripts/check_all.sh
```

Includes:

- pre-commit
- pytest
- mypy
- black
- isort
- flake8
- yamllint
- bandit
| Feature | Status |
|---|---|
| EU AI Act profiles | 🚧 In development |
| SOC2 + ISO-42001 control mapping | Planned |
| Azure APIM auto-publish | Planned |
| Azure Container Apps deployment | Planned |
| Full agent workflow library | Ongoing |
| Multi-tenant scorecard dashboards | Planned |
| Kubernetes-ready deployment | Planned |
Dr. Freeman A. Jackson
Founder & Architect — Fourth Industrial Systems (4th)
Creator of the 4th.GRC™ Agentic AI Governance Platform