Published version: AIFC-V002. This is the latest published version.

AIFC-080: Compliance Levels

Status: Draft 0.1
Standard: AI-First Community Standard
Abbreviation: AIFC
Builds on:

Purpose of this document: To define AIFC Compliance Levels as maturity and conformance levels of a community against the AIFC standard. AIFC compliance is not binary. It is a progressive path from basic conscious AI use to a human-readable, agent-actionable, software-verifiable, and human-managed community system.


1. Purpose of this document

This document defines Compliance Levels.

The AIFC standard is broad. It covers purpose, values, knowledge base, source of truth, Human Cockpit Layer, AI governance, AI-NDA Boundary, Human Capability Reserve, AI capacity planning, AI retrospective, workflow conversion, skill evolution, interfaces, security, auditability, Company as a System, ghost AI company risk, and agent-actionable artefacts.

It is not realistic to expect every community to meet all of this immediately.

AIFC therefore needs compliance levels. They help state where the community is, what it already satisfies, what is still missing, what risk it carries, what next step makes sense, and whether AI is used responsibly relative to the state of the system.

Compliance Levels are not a prestige label. They are a navigation mechanism.


2. Core principle

The core principle of this document is:

AIFC compliance is not a badge. It is a visible maturity path toward responsible AI-first community operation.

AIFC states:

Do not claim AI-first maturity. Demonstrate governed capability.

3. Definition

AIFC Compliance Level is a defined level of conformance with the AIFC standard according to how explicitly the community has purpose, values, source of truth, human-managed AI, governance, security, feedback, skills, interfaces, auditability, and the ability to operate both with and without AI.

Compliance Level may be used for self-assessment, onboarding, improvement roadmap, AI readiness assessment, governance review, vendor assessment, customer trust, certification model, public transparency, internal audit, and AI adoption planning.

Minimum requirement

AIFC compliance must be assessed through real artefacts, decisions, workflows, and capabilities, not only declarations.


4. Compliance is not all-or-nothing

AIFC compliance is not binary.

A community may be strong in values but weak in security, strong in AI governance but weak in source of truth, strong in documentation but weak in Human Capability Reserve, strong in agent permissions but weak in feedback loops, or strong in public interface but weak in Operational DNA protection.

Therefore AIFC uses dimensions and levels.

Minimum requirement

Compliance assessment must show strong and weak areas, not only an overall score.


5. Compliance dimensions

AIFC compliance may be assessed across several dimensions.

Recommended dimensions:

Purpose and values
Community ownership
Knowledge structure
Source of truth
Human Cockpit Layer
Human-managed AI
AI-NDA Boundary
AI capacity planning
AI autonomy governance
Human Capability Reserve
Feedback and change proposals
AI retrospective
Workflow conversion
Skill evolution
Community interfaces
Security and classification
Access control
Agent permissions
Auditability
Operational DNA protection
Company as a System
Ghost AI company risk
Agent-actionable implementation

Minimum requirement

The compliance model must include purpose, human ownership, AI governance, knowledge security, and fallback capability.


6. Compliance levels

AIFC recommends these levels:

Level 0 - Unmanaged AI Use
Level 1 - AI-Aware Community
Level 2 - AIFC Minimum
Level 3 - Governed AI-First Community
Level 4 - AI-Operable Human-Managed Community
Level 5 - Continuously Learning AI-First Community

These levels describe a progressive path.

Minimum requirement

The community must be able to identify its current level or at least its target level.


7. Level 0 - Unmanaged AI Use

Level 0 means that the community uses AI without governance.

Typical signs include individual AI use, unclear rules, no AI-NDA Boundary, unclear data rules, no AI budget governance, no audit, no fallback, no Human Capability Reserve, unreviewed AI outputs, chaotic or missing source of truth, and hidden AI dependency.

Level 0 is not necessarily malicious. It is a common starting state. But it is risky for non-public data, critical workflows, or customer impact.

Minimum requirement

A community at Level 0 must not claim AIFC compliance.


8. Level 1 - AI-Aware Community

Level 1 means that the community knows it uses AI and begins to govern it.

Typical signs include a basic AI use policy, awareness of AI risks, basic rules for non-public data, human review of critical AI outputs, initial mapping of source of truth, a basic owner for AI adoption, first AI dependency risks, and initial public claim and AI transparency rules.

Level 1 is useful for communities that are starting. It is not full AIFC compliance.

Minimum requirement

Level 1 must have a basic AI use boundary and a responsible role for AI rules.


9. Level 2 - AIFC Minimum

Level 2 means minimal AIFC compliance.

The community has the basic elements that protect against the largest risks:

Level 2 is the minimum state where a community may say it works in the spirit of AIFC.

Minimum requirement

Level 2 must satisfy AIFC-081 Minimal AIFC Compliance.


10. Level 3 - Governed AI-First Community

Level 3 means that the community has systematic governance.

Typical signs include purpose and values connected to decisions, structured source of truth, defined roles and owners, agent permission records, planned AI capacity, defined AI operating modes, AI lock-in and exit strategy, functional data classification, auditability, feedback loop producing change proposals, AI retrospectives, skill evolution, distinction between support, maintenance and change work, a basic Human Cockpit Layer, and identified and protected Operational DNA.

Minimum requirement

Level 3 must demonstrate that AI is not only used but governed through roles, rules, artefacts, and review.


11. Level 4 - AI-Operable Human-Managed Community

Level 4 means that AI can safely work over significant parts of the community system.

Typical signs include a human-readable and agent-actionable knowledge base, consistent metadata, validation rules for critical areas, AI agents working in defined scopes, auditable agent permissions, Human Cockpit Layer showing system state, AI retrieval respecting classification and access control, workflow conversion, lineage and review for AI outputs, fallback for critical workflows, governed AI capacity and costs, governance-ready AI proposals, and governed source of truth write-back.

Level 4 does not mean that AI decides for the community. It means the community is designed so AI can safely help.

Minimum requirement

Level 4 must remain human-managed even when AI is deeply integrated.


12. Level 5 - Continuously Learning AI-First Community

Level 5 means that the community systematically learns from AI, people, feedback, incidents, support, and the market.

Typical signs include regular impact-oriented AI retrospectives, active AI Waste Backlog, Workflow Conversion, Skill Evolution, paired Human Skills and AI Skills, support signals flowing into strategy, visible maintenance debt, monitored AI dependency, actively maintained Human Capability Reserve, improving governance, growing validation rules, transparent public interface, and a system that learns faster than it degrades.

Level 5 is the target: a community that can improve without losing human responsibility.

Minimum requirement

Level 5 must demonstrate that experience is regularly converted into source of truth, skills, workflow conversion, and governance updates.


13. Compliance profile

A community does not need the same level in every dimension.

It may have a compliance profile:

aifc_compliance_profile:
  overall_level: 2
  purpose_and_values: 3
  source_of_truth: 2
  human_managed_ai: 2
  ai_capacity_planning: 1
  agent_permissions: 1
  knowledge_security: 2
  auditability: 1
  human_capability_reserve: 2
  feedback_loop: 2
  skill_evolution: 1
  company_as_system: 2

A profile is more useful than a single number.

Minimum requirement

Compliance assessment must allow a dimensional view or state significant exceptions.


14. Evidence-based compliance

AIFC compliance must be evidence-based.

Evidence may include source of truth artefacts, decision records, access policies, AI-NDA Boundaries, agent permissions, audit logs, skills, workflows, retrospectives, feedback records, change proposals, fallback procedures, security classification, cockpit views, and validation reports.

It is not enough to say:

We use AI responsibly.

The community must show how responsibility is structured.

Minimum requirement

A compliance claim must be supported by artefacts or verifiable processes.


15. Compliance and risk

The required compliance level depends on risk.

A low-risk community may begin at Level 1 or Level 2. A high-risk company needs Level 3 or higher.

Risk increases with personal data, customer impact, regulated domains, financial decisions, health and safety, Operational DNA, cross-community impact, high AI autonomy, external AI agents, public claims, vendor dependency, and critical workflows.

Minimum requirement

Required compliance level must be proportional to risk and impact.


16. Compliance and AI intensity

The higher the AI intensity, the stronger the governance must be.

Low AI intensity:
Level 1 or 2 may be sufficient.

Medium AI intensity:
Level 2 or 3 needed.

High AI intensity:
Level 3 or 4 needed.

High autonomy agents:
Level 4 recommended.

Critical AI-driven operations:
Level 4 or 5 target.

AI intensity without compliance maturity is a risk.

Minimum requirement

AI intensity and autonomy must not exceed governance maturity for critical areas.


17. Compliance and Human Capability Reserve

AIFC compliance must check Human Capability Reserve.

A community must not receive a high compliance level if people cannot explain critical workflows, fallback does not exist, AI is the only carrier of know-how, reviewers do not understand AI outputs, token outage stops routine work, or junior learning paths disappeared.

Minimum requirement

Level 3 and above require active Human Capability Reserve for critical workflows.


18. Compliance and AI lock-in

Higher compliance levels require an exit strategy.

The community must know where the source of truth, AI skills, agent memory, and logs live; how to export them; how to replace a vendor; how to operate in reduced-AI mode; and how to restore human workflow.

Minimum requirement

Level 3 and above require AI lock-in assessment and exit strategy for critical AI dependencies.


19. Compliance and Operational DNA

If the community identifies Operational DNA, it must protect it.

Higher compliance requires classification, access control, AI-NDA Boundary, audit, export control, public interface review, backup and recovery, and ownership.

Minimum requirement

No community can be Level 3 or above if Operational DNA is unmanaged.


20. Compliance and ghost AI company risk

Digital Company or Company Generation must assess ghost AI company risk.

A community cannot be AIFC-compliant if owner, accountability, real support, supported public claims, relevant AI transparency, fallback, source of truth, or real responsible community are missing.

Minimum requirement

An external-facing AI-first company must address ghost AI company risk to claim AIFC compliance.


21. Compliance and public claims

An AIFC compliance claim is a public claim.

If a company states:

We are AIFC-compliant.

it must be clear at what level, for what scope, according to what assessment, whether self-assessed or independently reviewed, when last reviewed, and with what exceptions.

Minimum requirement

An AIFC compliance claim must state level, scope, and assessment basis.


22. Scope of compliance

Compliance must have scope.

Scope may be a whole company, team, product, project, knowledge base, AI workflow, AI agent, customer interface, Company as Product package, generated company, or vendor relationship.

Without scope, the claim is unclear.

Minimum requirement

Compliance assessment must define scope.


23. Self-assessment

Self-assessment is the first step.

The community assesses level, evidence, gaps, risks, roadmap, exceptions, and next steps.

Self-assessment must be honest. It is not marketing.

Minimum requirement

Self-assessment must include evidence, gaps, and improvement plan.


24. Independent review

For higher risk or public claims, independent review may be appropriate.

It may be performed by internal audit, external auditor, customer, partner, certification body, community governance body, or peer review.

Independent review does not replace community responsibility. It increases trust.

Minimum requirement

High-risk public AIFC compliance claims should be independently reviewed or clearly marked as self-assessed.


25. Compliance drift

Compliance may degrade because of a changed AI tool, new agent, new vendor, new data, team growth, outdated source of truth, changed strategy, new public claims, security incident, loss of people, loss of Human Capability Reserve, or increased AI autonomy.

Minimum requirement

Compliance status must have a review cycle and change triggers.


26. Compliance roadmap

Compliance assessment should lead to a roadmap.

The roadmap may include adding purpose or values, creating a source of truth, introducing classification, defining AI-NDA Boundary, describing agent permissions, introducing audit, creating fallback, improving Human Capability Reserve, running AI retrospectives, creating skills, improving public transparency, and reducing AI lock-in.

Minimum requirement

Compliance gaps must be translated into a prioritized improvement roadmap.


27. Compliance and Human Cockpit Layer

The Human Cockpit Layer may show compliance status.

It may show current compliance level, gaps, risks, expired reviews, missing owners, missing fallback, unreviewed AI outputs, agents without permissions, Operational DNA exposure, ghost risk indicators, and upcoming review dates.

Minimum requirement

Responsible roles must have human-readable visibility of critical compliance gaps.


28. Compliance and agent-actionable standard

AIFC compliance should be partially software-verifiable.

Examples include checking that each agent has an owner, each restricted artefact has classification, each critical workflow has fallback, each active decision has an owner, each high-impact AI output has review status, and each public claim has approval.

Not everything can be automatically validated, but repeatable checks should be converted into validation rules.

Minimum requirement

Repeatable compliance checks should be converted into validation rules where practical.


29. Suggested metadata

Example metadata for compliance assessment:

aifc_compliance_assessment:
  id:
  title:
  status: draft | under_review | approved | expired | archived
  scope:
  assessed_level: 0 | 1 | 2 | 3 | 4 | 5
  target_level: 0 | 1 | 2 | 3 | 4 | 5
  assessment_type: self_assessment | internal_review | external_review | certification_review
  owner:
  reviewer:
  assessed_at:
  valid_until:
  evidence_references:
  dimension_scores:
    purpose_and_values:
    source_of_truth:
    human_managed_ai:
    ai_nda_boundary:
    ai_capacity_planning:
    human_capability_reserve:
    feedback_loop:
    skill_evolution:
    security:
    access_control:
    agent_permissions:
    auditability:
    operational_dna:
    ghost_company_risk:
  key_gaps:
  accepted_risks:
  improvement_roadmap:
  public_claim_allowed: true | false

Example metadata for a compliance gap:

compliance_gap:
  id:
  title:
  status: observed | accepted | planned | in_progress | resolved | deferred | risk_accepted
  related_assessment:
  dimension:
  current_level:
  target_level:
  risk_level: low | medium | high | critical
  description:
  required_action:
  owner:
  due_date:
  related_change_proposal:
  evidence_required:

Example metadata for a compliance claim:

aifc_compliance_claim:
  id:
  claimant:
  scope:
  claimed_level:
  assessment_reference:
  assessment_type:
  valid_from:
  valid_until:
  exceptions:
  public_statement:
  reviewer:
  evidence_available: true | false

These structures are illustrative. The final schema should be defined in the agent-actionable layer of the standard.
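
The repeatable checks named in section 28, applied to the illustrative aifc_compliance_assessment structure above, can be written as validation rules along these lines. This is an added example, not part of the AIFC standard: the inventory record shape (kind, id), the rule identifiers, the reading of a zero or missing dimension score as unmanaged, and all sample values are assumptions.

```python
from datetime import date

# Section 28 checks: record kind -> field that must be non-empty.
# The record shape (kind/id keys) is an assumption made for this example.
REQUIRED_FIELD = {"agent": "owner", "restricted_artefact": "classification",
                  "critical_workflow": "fallback"}
# Dimensions that gate Level 3 and above (sections 17 and 19).
LEVEL3_GATES = ("human_capability_reserve", "operational_dna")
MIN_CLAIM_LEVEL = 2  # section 9: lowest level that may claim AIFC alignment

def check_inventory(records):
    """Return (id, missing_field) for every record lacking its required field."""
    findings = []
    for rec in records:
        field = REQUIRED_FIELD.get(rec.get("kind"))
        if field and not rec.get(field):
            findings.append((rec.get("id"), field))
    return findings

def check_assessment(a, today):
    """Return the rule ids an aifc_compliance_assessment record violates."""
    findings = []
    level = a.get("assessed_level")
    scores = a.get("dimension_scores") or {}
    if not a.get("scope"):
        findings.append("no_scope")                      # section 22
    if not a.get("evidence_references"):
        findings.append("no_evidence")                   # section 14
    valid_until = a.get("valid_until")
    if a.get("status") == "approved" and (valid_until is None or valid_until < today):
        findings.append("review_overdue")                # section 25
    if a.get("public_claim_allowed") and (level is None or level < MIN_CLAIM_LEVEL):
        findings.append("claim_below_minimum")           # sections 7 and 9
    if level is not None and level >= 3:
        # Assumption: a missing or zero score means the dimension is unmanaged.
        for dim in LEVEL3_GATES:
            if not scores.get(dim):
                findings.append(f"level3_gate:{dim}")
    # Section 30.12: list dimensions the overall level would otherwise hide.
    for dim, score in sorted(scores.items()):
        if level is not None and score is not None and score < level:
            findings.append(f"below_overall:{dim}")
    return findings

# Constructed sample data, not taken from any real assessment.
SAMPLE_ASSESSMENT = {
    "status": "approved",
    "scope": "",
    "assessed_level": 3,
    "valid_until": date(2024, 1, 31),
    "evidence_references": ["policy/ai-use.md"],
    "dimension_scores": {"human_capability_reserve": 0, "operational_dna": 3,
                         "auditability": 1, "source_of_truth": 3},
    "public_claim_allowed": True,
}
SAMPLE_INVENTORY = [
    {"kind": "agent", "id": "agent-example-1", "owner": ""},
    {"kind": "critical_workflow", "id": "wf-example-1", "fallback": "runbook"},
    {"kind": "restricted_artefact", "id": "doc-example-1"},
]

if __name__ == "__main__":
    print(check_assessment(SAMPLE_ASSESSMENT, date(2024, 6, 1)))
    print(check_inventory(SAMPLE_INVENTORY))
```

Findings such as below_overall list each weak dimension by name, so a single overall level cannot hide it.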


30. Anti-patterns

AIFC rejects the following anti-patterns.

30.1 Compliance as marketing badge

The company claims AIFC compliance without evidence.

30.2 No scope

The claim does not state whether it applies to the whole company, team, product, or workflow.

30.3 AI maturity theater

The company has a presentation about AI governance but no real artefacts.

30.4 High AI autonomy with low governance

AI agents act autonomously while the community has only Level 1 governance.

30.5 Paper compliance

Documents exist but are not used in decisions and work.

30.6 Compliance without Human Capability Reserve

The company has AI rules, but people cannot perform critical workflows without AI.

30.7 Compliance without source of truth

The company claims governed operation but has no authoritative knowledge base.

30.8 Compliance without security

The company structures Operational DNA but does not protect it.

30.9 Self-assessment presented as certification

The company presents self-assessment as independent confirmation.

30.10 Compliance without review cycle

The assessment is one-off and becomes outdated.

30.11 Compliance ignores ghost risk

The AI-first company acts externally but does not assess ghost AI company risk.

30.12 Single score hides critical gap

The overall score looks good, but a critical dimension is weak.


31. Minimal requirements

AIFC Compliance Levels must at minimum:

  1. Assess compliance through real artefacts, workflows, and capabilities.
  2. Show strong and weak areas.
  3. Include purpose, human ownership, AI governance, knowledge security, and fallback capability.
  4. Allow the community to identify current or target level.
  5. Prevent Level 0 from claiming AIFC compliance.
  6. Require Level 1 to have basic AI use boundary and responsible AI rules role.
  7. Require Level 2 to satisfy Minimal AIFC Compliance.
  8. Require Level 3 to prove governed AI use through roles, rules, artefacts, and review.
  9. Require Level 4 to remain human-managed even with deep AI integration.
  10. Require Level 5 to regularly convert experience into source of truth, skills, workflow conversion, and governance updates.
  11. Allow dimensional assessment or state significant exceptions.
  12. Support claims with artefacts or verifiable procedures.
  13. Keep required compliance proportional to risk and impact.
  14. Prevent AI intensity and autonomy from exceeding governance maturity in critical areas.
  15. Require Human Capability Reserve for Level 3+ critical workflows.
  16. Require AI lock-in assessment and exit strategy for Level 3+ critical dependencies.
  17. Prevent Level 3+ if Operational DNA is unmanaged.
  18. Require external-facing AI-first companies to address ghost AI company risk.
  19. Require claims to state level, scope, and assessment basis.
  20. Require compliance assessment scope.
  21. Require self-assessment to include evidence, gaps, and improvement plan.
  22. Require high-risk public claims to be independently reviewed or clearly marked self-assessed.
  23. Require review cycle and change triggers.
  24. Convert compliance gaps into prioritized improvement roadmap.
  25. Give responsible roles visibility of critical compliance gaps.
  26. Convert repeatable checks into validation rules where practical.

32. Summary

AIFC Compliance Levels describe the path from unmanaged AI use to a responsible AI-first community.

AIFC compliance is not a label. It is evidence that the community knows why it exists, holds values, owns its purpose, protects its know-how, governs AI, plans AI capacity, preserves human capability, makes auditable decisions, learns from work, and remains responsible even at high AI intensity.

AIFC states:

Do not claim maturity.
Show the system.
Show the evidence.
Show the human responsibility.

Compliance Levels allow a community to grow gradually, safely, and visibly.

Compliance Levels turn AI-first ambition into visible, evidence-based maturity.