Open Standard (GRC-P) — Governance Runtime Control Protocol (GRC-P) • RGIS • Registry Authority • Gatekeeper Enforcement • Fail-Closed • Append-Only Audit

Authority Layers

The GovenAI Standard is built around a single architectural law: the system that defines governance (Authority) must never be the system that executes work (Execution).

Why this matters
If the Execution plane can mutate the rules at runtime, you do not have governance—only policy drift. This separation prevents silent overrides, conflicts of interest, and non-auditable “exceptions”.

A1. The Two-Plane Model

Authority Plane
Registry (canonical governance state)
SOURCE OF TRUTH
  • Defines Targets, Check Items, Readiness, and Waivers.
  • Publishes a deterministic state snapshot consumable by Gatekeepers.
  • Maintains audit-grade traceability for governance changes (who/what/when/why).
  • Is the only place where “rules” may be authored and changed.
Constraint
Registry changes must be explicit, attributable, and evidence-backed where applicable.
Execution Plane
Gatekeeper (deterministic enforcement)
FAIL-CLOSED
  • Evaluates requests using the locally mirrored Registry state.
  • Returns deterministic decisions: permit or deny (no “maybe”).
  • Writes immutable audit events for every decision and state transition.
  • Must not contain privileged “override” pathways that bypass Authority rules.
Hard rule
If the Registry is unreachable, the Gatekeeper must fail closed (deny) or route to a manual review path—never silently permit.

A2. Deterministic Dataflow

Reference flow
1) Registry publishes governance state (targets, checks, waivers)
2) Gatekeeper mirrors/consumes state deterministically
3) Execution request arrives (action + target_key + context)
4) Gatekeeper evaluates readiness + waiver validity
5) Permit/Deny is returned + audit event appended
The protocol binding between Registry and Gatekeeper is defined in RGIS v1.0.
Non-negotiable invariants
  • No shared write authority: execution cannot mutate rules.
  • Local determinism: decision does not depend on live remote calls.
  • Fail-closed: missing governance state never becomes permission.
  • Audit equivalence: decisions produce immutable evidence.

A3. Practical Implementation Guidance

Registry responsibilities
  • Provide stable keys: target_key, item_key.
  • Publish “readiness” as a computed property, not a manual label.
  • Record changes as append-only governance facts (audit-grade).
  • Publish machine-readable artifacts for schema interoperability.
See Schemas and the artifacts under /specs/schemas/.
Gatekeeper responsibilities
  • Consume governance state locally (cache or replicated store).
  • Enforce checks and waiver validity deterministically.
  • Maintain append-only audit with tamper evidence.
  • Emit reason codes suitable for compliance reporting and debugging.
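The A2 reference flow and the Gatekeeper responsibilities above, as an added Python example (not part of the GovenAI specification or RGIS v1.0). The snapshot layout, the reason codes, the integer `expires`/`now` values and the SHA-256 hash chain used for tamper evidence are assumptions made for illustration; only `target_key` and `item_key` come from the page.

```python
import hashlib
import json
GENESIS = "0" * 64  # constructed anchor for the first audit record
# Constructed sample of a mirrored Registry snapshot (layout is an assumption).
SNAPSHOT = {
    "targets": {"svc-a": {"checks": {"sbom": True, "pentest": False}}},
    "waivers": [{"target_key": "svc-a", "item_key": "pentest", "expires": 200}],
}

def _digest(prev, event):  # each record commits to its predecessor's hash
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

class Gatekeeper:
    def __init__(self, snapshot=None):
        self.snapshot = snapshot  # local mirror only; None means nothing was mirrored
        self.audit = []           # append-only, hash-chained decision log

    def _append(self, event):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        self.audit.append({"event": event, "prev": prev, "hash": _digest(prev, event)})

    def evaluate(self, action, target_key, now):  # `now` is supplied, not read from a clock
        decision, reason = "deny", "NO_GOVERNANCE_STATE"  # fail-closed default
        if self.snapshot is not None:
            target = self.snapshot.get("targets", {}).get(target_key)
            if target is None:
                reason = "UNKNOWN_TARGET"
            else:
                waived = {w["item_key"] for w in self.snapshot.get("waivers", [])
                          if w["target_key"] == target_key and w["expires"] > now}
                # Readiness is computed from check results, never read from a label.
                failing = sorted(k for k, ok in target["checks"].items()
                                 if not ok and k not in waived)
                if failing:
                    reason = "CHECKS_FAILED:" + ",".join(failing)
                else:
                    decision, reason = "permit", "READY"
        self._append({"action": action, "target_key": target_key, "at": now,
                      "decision": decision, "reason": reason})
        return decision, reason

def verify_chain(audit):
    prev = GENESIS
    for rec in audit:
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return False
        prev = rec["hash"]
    return True
```

Every branch, including the deny paths, writes an audit record, and `verify_chain` returns False once any stored event is altered after the fact.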
Implementation binding
The Authority/Execution separation is not “recommended architecture”—it is a certification boundary. If a system violates this separation, it cannot claim GovenAI compatibility.