Governance Runtime Control Protocol

Open Standard (GRC-P)

GRC-P defines the deterministic, audit-grade requirements for runtime governance enforcement: an Authority plane (Registry) publishing governance state and an Execution plane (Gatekeeper) enforcing it under fail-closed semantics.

Positioning
GRC-P is published here as an open standard for Registry–Gatekeeper interoperability and runtime decision control. It is not a general “GRC framework”; it is a protocol and control-plane specification.

Scientific Validation

Governance-as-a-Service (GaaS)

The GRC-P standard is the production-ready implementation of the Governance-as-a-Service (GaaS) framework.

Independent academic research (e.g., Gaurav et al., 2025, arXiv:2508.18765v2) validates the necessity of a "decoupled governance layer" for AI safety. GRC-P operationalizes this by strictly separating Authority (GovenAI Registry) from Enforcement (JobQue Gatekeeper), ensuring governance is structural rather than probabilistic.

GRC-P Convictions (Normative Architecture)

01. Determinism over Probability

Runtime governance decisions must be computable and repeatable. If enforcement depends on probabilistic interpretation at decision time, you have policy drift—not a standard.

02. Authority/Execution Separation

The system that defines governance (Registry) must never be the system that executes actions (Gatekeeper). This eliminates silent overrides and creates audit-ready accountability boundaries.

03. Audit Evidence is Structural

Auditability is enforced by system design: append-only events, tamper-evidence (hash chaining or equivalent), and identity-attributed decisions. Trust is not asserted; it is proven.
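
The three convictions above can be shown together in a short sketch. This is an added example, not code from the GRC-P specification or its reference implementations; the event fields, the registry state layout, and the function names are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor value for the first event's "prev" field

def _digest(body):
    # Canonical JSON so the same event always produces the same hash.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def decide(state, actor, action):
    """Deterministic and fail-closed: missing or malformed state means DENY."""
    if not isinstance(state, dict) or "version" not in state \
            or not isinstance(state.get("allow"), dict):
        return "DENY", "registry_state_unavailable"
    if action in (state["allow"].get(actor) or ()):
        return "ALLOW", "explicit_allow"
    return "DENY", "no_matching_rule"

def append_decision(log, state, actor, action):
    """Record an identity-attributed decision, chained to the previous event."""
    verdict, reason = decide(state, actor, action)
    body = {
        "seq": len(log),
        "prev": log[-1]["hash"] if log else GENESIS,
        "actor": actor, "action": action,
        "policy_version": state.get("version") if isinstance(state, dict) else None,
        "verdict": verdict, "reason": reason,
    }
    log.append({**body, "hash": _digest(body)})
    return verdict

def verify_chain(log):
    """Return the index of the first inconsistent event, or -1 if the chain is intact."""
    prev = GENESIS
    for i, ev in enumerate(log):
        body = {k: v for k, v in ev.items() if k != "hash"}
        if ev.get("seq") != i or ev.get("prev") != prev or ev.get("hash") != _digest(body):
            return i
        prev = ev["hash"]
    return -1

def demo():
    # Constructed sample state and requests (hypothetical names).
    state = {"version": "v1-constructed", "allow": {"agent-7": ["read_report"]}}
    log = []
    verdicts = [append_decision(log, state, "agent-7", "read_report"),
                append_decision(log, state, "agent-7", "delete_db"),
                append_decision(log, None, "agent-7", "read_report")]  # Registry unreachable
    intact = verify_chain(log)
    log[1]["verdict"] = "ALLOW"  # simulated after-the-fact edit of a stored event
    return verdicts, intact, verify_chain(log)
```

A hash chain on its own detects edits inside the log but not truncation or a full rewrite from the start; the latest hash also needs to be signed or anchored somewhere the Gatekeeper cannot modify.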

Implementation note
Implementers should start with RGIS v1.0, then validate conformance using the checklist. Schema artifacts are provided to reduce adoption friction.