
Published version: AIFC-V002. This is the latest published version.

AIFC-081: Minimal AIFC Compliance

Status: Draft 0.1
Standard: AI-First Community Standard
Abbreviation: AIFC
Builds on:

Purpose of this document: To define the minimum requirements a community must meet to be considered minimally AIFC-compliant. This document describes the basic safe state: the community has purpose, values, a human owner, a basic source of truth, governed AI use, protection for non-public know-how, fallback for critical workflows, Human Capability Reserve, and a feedback and learning mechanism.


1. Purpose of this document

This document defines Minimal AIFC Compliance.

The AIFC standard is broad. Not every community immediately needs a fully agent-actionable source of truth, advanced AI agents, complex audit, full Human Cockpit Layer, certification, automated validation rules, or Level 4/5 maturity.

But every community that wants to claim responsible AI use according to AIFC must satisfy a basic minimum.

Minimal AIFC Compliance protects against the largest risks: unclear purpose, AI without a human owner, unmanaged data input into AI, loss of know-how in AI tools, AI dependency, missing fallback, ghost AI company risk, Operational DNA leakage, unapproved AI outputs, absent feedback loop, and absent responsibility.

Minimal AIFC Compliance is not the final goal. It is a safe starting state.


2. Core principle

The core principle of this document is:

A community may start small, but it must start with purpose, ownership, boundaries and responsibility.

AIFC states:

Minimum compliance is not minimal responsibility.

Even simple AI-first operation must be human-owned, safe, and reviewable.


3. Definition

Minimal AIFC Compliance is the lowest level of conformance with the AIFC standard at which a community demonstrates that its AI use is governed by basic rules of purpose, human ownership, know-how protection, AI boundaries, fallback, feedback, and responsibility.

Minimal AIFC Compliance corresponds approximately to:

AIFC Compliance Level 2 - AIFC Minimum

This level does not mean advanced AI-first maturity. It means the community satisfies basic safety and governance requirements.

Minimum requirement

A community must not claim Minimal AIFC Compliance without evidence for each minimum requirement or without clearly marked exceptions and risk acceptance.


4. Minimal compliance domains

Minimal AIFC Compliance covers these domains:

purpose
values
human/community ownership
source of truth
knowledge classification
AI-NDA Boundary
AI use rules
human review
Human Capability Reserve
fallback
AI capacity awareness
AI lock-in awareness
feedback loop
basic auditability
Operational DNA protection
public responsibility
ghost AI company risk

These domains form the foundation. Without them, an AI-first community lacks a stable responsible frame.

Minimum requirement

Minimal AIFC Compliance must cover all listed domains, even in a simple form.


5. Requirement 1 - Explicit purpose

The community must have an explicit purpose.

Purpose answers:

Why does the community exist and what value does it want to create?

Purpose does not need to be perfect, but it must be clear enough to help decide what AI may support and what it may not.

Evidence examples

Minimum requirement

The community must have a written purpose usable for basic decision-making.


6. Requirement 2 - Values and non-negotiables

The community must have basic values or non-negotiable boundaries.

General slogans are not enough. Values must help answer what must not be sacrificed, when AI must not decide, how customers and data are protected, how human responsibility is preserved, and how conflicts are resolved.

Evidence examples

Minimum requirement

The community must have at least basic values or boundaries usable for decision-making and AI governance.


7. Requirement 3 - Human/community owner

The community must have a human or community owner.

The owner is responsible for purpose, values, AI use, governance, risks, customer or community impact, decisions, and fallback.

AI cannot be the owner. A vendor cannot be the only owner of community purpose.

Evidence examples

Minimum requirement

Every minimally AIFC-compliant community must have an explicit human or community owner responsible for purpose and AI use.


8. Requirement 4 - Basic source of truth

The community must have a basic source of truth.

It does not need to be perfect. It may be a Git repository, Markdown folder, Confluence space, shared document, structured folder, knowledge base, or governance page.

But it must be clear where authoritative information lives about purpose, values, AI rules, basic decisions, key workflows, contacts or owners, fallback, and security rules.

Evidence examples

Minimum requirement

The community must know where the basic source of truth for critical purpose, rules, and AI governance lives.


9. Requirement 5 - Basic knowledge classification

The community must distinguish at least basic knowledge sensitivity.

Minimal classification may be simple:

public
internal
restricted
critical / operational_dna

It does not need to be fully automated, but people must know what is public, what is internal, what must not go into public AI, what is sensitive, and what is critical know-how.

Evidence examples

Minimum requirement

The community must have basic rules for distinguishing public, internal, restricted, and critical or Operational DNA knowledge.


10. Requirement 6 - Basic AI-NDA Boundary

The community must have a basic AI-NDA Boundary.

This means rules for what data may enter AI, what data must not enter AI, what AI tools are allowed, what must not be stored in agent memory, whether data may be used for training, when approval is needed, and who decides exceptions.

Evidence examples

Minimum requirement

Non-public know-how must not be processed by AI without a basic AI-NDA Boundary or explicit approval.


11. Requirement 7 - Basic access control

The community must have basic Access Control.

It does not need a complex IAM model, but it must be clear who may read sensitive knowledge, change the source of truth, approve AI outputs, export content, give vendor access, and activate AI agents.

Evidence examples

Minimum requirement

Restricted and critical knowledge must have limited access by role, purpose, or owner approval.


12. Requirement 8 - Human review of critical AI outputs

Critical AI outputs must be reviewed by a human.

Critical outputs may include customer communication, legal or compliance text, strategic decisions, security recommendations, source of truth updates, public claims, agent permissions, financial assumptions, hiring or HR recommendations, and operational process changes.

AI may propose. A person or responsible community role must review.

Evidence examples

Minimum requirement

AI-generated critical outputs must be reviewed before they become authoritative, public, or operational.


13. Requirement 9 - Basic fallback for critical AI-assisted workflows

The community must know what happens when AI is unavailable.

For critical AI-assisted workflows, it must be clear what stops, what continues manually, who decides, how affected people are informed, how operation is restored, and what minimum viable operation is.

Evidence examples

Minimum requirement

Critical AI-assisted workflows must have basic fallback or reduced-AI behavior.


14. Requirement 10 - Human Capability Reserve

The community must preserve basic human capability.

This means that people understand critical AI outputs, can review them, and can intervene in critical workflows; that know-how is not only in AI memory; that routine work does not stop only because tokens run out; and that at least a minimal non-AI path exists for critical activities.

Strong formulation:

If a lack of tokens stops simple routine work, the company has not gained intelligence. It has lost resilience.

Evidence examples

Minimum requirement

The community must have basic human capability to understand, review, and restore critical AI-assisted workflows.


15. Requirement 11 - Basic AI capacity and cost awareness

The community must know that AI is not unlimited capacity.

It must have basic awareness of which AI tools it uses, who pays for them, what budget or limits exist, what happens when capacity is exhausted, where AI creates value, where AI creates waste, and where AI creates dependency.

Evidence examples

Minimum requirement

The community must have basic awareness of AI tools, cost ownership, and capacity limits.


16. Requirement 12 - Basic AI lock-in awareness

The community must know whether it is becoming dependent on one AI vendor, model, agent memory, or proprietary workflow.

Basic questions include: where is the source of truth, can AI skills and agent outputs be exported, is know-how in agent memory, does non-AI fallback exist, can the community move to another tool, and what happens if the vendor ends or becomes more expensive.

Evidence examples

Minimum requirement

Critical AI dependencies must have at least basic lock-in awareness and an exit note.


17. Requirement 13 - Basic feedback loop

The community must have a way to collect and process signals.

Feedback may be customer, internal, support, operational, security, AI-generated, or retrospective.

Minimum means there is a path:

signal
-> owner
-> decision or backlog/change proposal

Feedback must not disappear in chat or meetings without further processing.

Evidence examples

Minimum requirement

The community must have a mechanism for converting significant signals into decisions, tasks, or change proposals.


18. Requirement 14 - Basic AI retrospective or review

The community must regularly evaluate AI use.

It does not need to be a formal ceremony. It is enough to regularly ask where AI helped, where AI wasted capacity, where dependency appeared, where AI created risk, what should change in rules, what should become workflow, skill or template, and what should be done without AI.

Evidence examples

Minimum requirement

The community must have a regular mechanism for reviewing AI value, waste, risk, and dependency.


19. Requirement 15 - Basic Operational DNA protection

The community must protect critical know-how.

Even without a full Operational DNA model, it must know that some information is critical, such as business model, customer patterns, internal playbooks, AI skills, agent orchestration, security procedures, strategic decisions, or unique operating model.

Evidence examples

Minimum requirement

The community must identify the most sensitive know-how and protect it from unmanaged sharing, export, and AI processing.


20. Requirement 16 - Basic auditability

The community must be able to trace critical actions.

At minimum, it should trace who approved a critical AI output, changed the source of truth, granted AI access, exported restricted content, activated an agent, or approved a public claim, and when a significant change happened.

It does not need a full audit system, but critical actions must not be entirely untraceable.

Evidence examples

Minimum requirement

Critical changes, access, approvals, and AI actions must be basically traceable.


21. Requirement 17 - Public responsibility and ghost AI company risk

If the community acts externally, it must address public responsibility.

This means identifying the operator, accountability, where AI is used, how to escalate to a person, what is real and what is synthetic, whether public claims match reality, how customer data and support are handled, and whether the company appears more robust than it really is.

Evidence examples

Minimum requirement

An external-facing AI-first community must address basic public responsibility and ghost AI company risk.


22. Requirement 18 - Basic security incident path

The community must know what to do when a problem occurs.

Incidents may include data leak, AI-NDA Boundary violation, unauthorized export, agent action outside scope, public claim issue, prompt injection, access mistake, or Operational DNA exposure.

Minimum means knowing who receives the incident, who decides, how risk is stopped, how access is revoked, how source of truth is corrected, and how lessons are recorded.

Evidence examples

Minimum requirement

The community must have a basic procedure for knowledge security and AI governance incidents.


23. Requirement 19 - Minimal documentation of AI use

The community must know where and why it uses AI.

Minimum AI use inventory may include:

ai_use:
  tool:
  owner:
  purpose:
  data_classification:
  human_review_required:
  fallback:
  cost_owner:
  risk_level:

Evidence examples

Minimum requirement

The community must have a basic list of significant AI use cases or AI tools.


24. Requirement 20 - Improvement roadmap

Minimal compliance is not the target state.

The community must know what it wants to improve next.

The roadmap may include better source of truth, classification policy, AI-NDA Boundary, access control, agent permissions, auditability, Human Cockpit Layer, feedback loop, AI retrospective, skills, fallback, security, or compliance level upgrade.

Evidence examples

Minimum requirement

A Minimal AIFC Compliance assessment must lead to an improvement roadmap or an accepted risk list.


25. Minimal AIFC Compliance checklist

Short checklist:

1. Purpose exists.
2. Values or non-negotiables exist.
3. Human/community owner exists.
4. Basic source of truth exists.
5. Basic knowledge classification exists.
6. Basic AI-NDA Boundary exists.
7. Basic access control exists.
8. Critical AI outputs are human-reviewed.
9. Critical AI-assisted workflows have fallback.
10. Human Capability Reserve exists for critical workflows.
11. AI cost/capacity awareness exists.
12. AI lock-in awareness exists.
13. Feedback loop exists.
14. AI use is periodically reviewed.
15. Operational DNA is basically protected.
16. Critical actions are basically auditable.
17. Public responsibility and ghost risk are addressed if external-facing.
18. Incident path exists.
19. Significant AI use cases/tools are documented.
20. Improvement roadmap exists.

Minimum requirement

The community must be able to go through the checklist and provide evidence, gap, or accepted risk for each item.


26. Allowed simplicity

Minimal AIFC Compliance should be practical.

It is acceptable to start simply: one Markdown file instead of a full knowledge base, a simple AI use guideline, one owner, manual review instead of workflow tooling, a simple restricted data list, a simple fallback description, a simple incident contact, or a simple feedback backlog.

What matters is that the minimum is real and used, not decorative.

Minimum requirement

Minimal compliance artefacts may be simple, but they must be current, owned, and used.


27. What is not sufficient

Minimal AIFC Compliance is not satisfied if the community only uses AI tools, has general AI enthusiasm, has an AI strategy presentation, has an internal chatbot, has one prompt guide, has marketing claims about AI, has an unused policy, has documentation without an owner, uses AI outputs without review, keeps its source of truth only in agent memory, or treats fallback as a wish.

Minimum requirement

Minimal compliance requires real used artefacts, not only declarations.


28. Minimal compliance and AI agents

If the community uses AI agents with tools, write access, or non-public data, minimal compliance also requires agent identity, owner, purpose, scope, permissions, forbidden actions, audit, kill switch or revocation, and fallback.

Without this, agentic use exceeds the safe minimum.

Minimum requirement

An AI agent with tools, write access, or non-public data must have a minimal Agent Permissions record.


29. Minimal compliance and vendors

If the community uses an AI vendor or external AI tool for non-public know-how, it must address what data the vendor processes, where, whether data are stored, whether data are used for training, how they are deleted, how they are exported, who has access, and what happens at termination.

Minimum requirement

External AI vendor use with non-public knowledge requires a basic vendor or AI-NDA boundary and exit awareness.


30. Minimal compliance and public launch

If the community or digital company launches publicly, minimal compliance requires public identity, truthful public claims, AI transparency where relevant, support and escalation path, data handling statement, ghost AI company risk check, and reviewed public content.

Minimum requirement

External-facing AI-first initiatives must not launch publicly without public responsibility review.


31. Minimal compliance assessment

Minimal compliance assessment should answer:

minimal_aifc_compliance_assessment:
  scope:
  owner:
  assessed_at:
  purpose_exists:
  values_exist:
  human_owner_exists:
  source_of_truth_exists:
  classification_exists:
  ai_nda_boundary_exists:
  access_control_exists:
  critical_ai_review_exists:
  fallback_exists:
  human_capability_reserve_exists:
  ai_capacity_awareness_exists:
  lock_in_awareness_exists:
  feedback_loop_exists:
  ai_review_exists:
  operational_dna_protected:
  auditability_exists:
  public_responsibility_reviewed:
  incident_path_exists:
  ai_use_inventory_exists:
  improvement_roadmap_exists:
  key_gaps:
  accepted_risks:
  next_review:

Minimum requirement

The assessment must have a scope, owner, date, gaps, accepted risks, and next review.


32. Review frequency

Minimal compliance is not a one-time state.

Review is needed after a new AI tool, new agent, public launch, vendor, restricted data use, operating model change, incident, increased AI autonomy, source of truth change, team change, or significant growth.

Minimum requirement

Minimal compliance must have a review cycle and change triggers.


33. Anti-patterns

AIFC rejects the following anti-patterns.

33.1 Minimal compliance as checkbox

The community fills a checklist but uses none of it.

33.2 Purpose missing

AI is used without a clear purpose for what it should support.

33.3 AI without owner

No one owns AI use.

33.4 No boundary for non-public data

People put internal or restricted data into AI without rules.

33.5 Critical AI output without review

AI output becomes a decision, public claim, or source of truth without review.

33.6 No fallback

Critical work stops when AI, tokens, or the vendor are unavailable.

33.7 Human skill erosion

People stop understanding work that AI performs.

33.8 Operational DNA exposed

Critical know-how is stored in public AI, vendor systems, or public documents.

33.9 Ghost launch

AI-generated website and offer launch without responsibility, support, and identity.

33.10 No improvement roadmap

The community claims the minimum but has no plan to move further.


34. Minimal requirements summary

Minimal AIFC Compliance requires:

  1. Explicit purpose.
  2. Values or non-negotiables.
  3. Human or community owner.
  4. Basic source of truth.
  5. Basic knowledge classification.
  6. Basic AI-NDA Boundary.
  7. Basic Access Control.
  8. Human review for critical AI outputs.
  9. Fallback for critical AI-assisted workflows.
  10. Human Capability Reserve.
  11. AI capacity and cost awareness.
  12. AI lock-in awareness.
  13. Basic feedback loop.
  14. Basic AI retrospective or review.
  15. Basic Operational DNA protection.
  16. Basic auditability.
  17. Public responsibility and ghost risk review if external-facing.
  18. Basic incident path.
  19. Minimal documentation of significant AI use.
  20. Improvement roadmap.

35. Summary

Minimal AIFC Compliance is a safe beginning.

It does not mean a perfect AI-first community. It means the community no longer uses AI blindly.

It has purpose. It has an owner. It has basic boundaries. It protects sensitive know-how. It reviews critical AI outputs. It has fallback. It maintains human capability. It watches AI dependency. It collects feedback. It knows what must improve next.

AIFC states:

Start simple.
Start owned.
Start bounded.
Start reviewable.
Start resilient.

Minimal AIFC Compliance is not the finish line. It is the first stable foundation for an AI-first, human-managed community.

Minimal AIFC Compliance turns responsible AI ambition into a usable starting point.