Roadmap
The vendor-risk-triage framework is shipped at v1.0.5, eight phases complete, open source under Apache 2.0. 1,377 tests at 100% coverage across twelve packages. Forward direction is themes, not dates.
Last updated: May 2026.
Open source
Executable governance artifacts under Apache 2.0. Working code with documentation, not PDF policy packs.
Framework-mapped
Each phase ships with example runs and docs mapped to NIST AI RMF, EU AI Act, OSFI E-23, NAIC, and SR 11-7.
Themes, not dates
Dates lock plans into specifications the world hasn't approved yet. Themes describe what matters and what comes next.
Stack-agnostic
Designed to integrate with existing GRC platforms and run on any major cloud. No vendor lock-in, no new infrastructure required.
Free framework, paid engagements
The open-source framework is a free Apache 2.0 reference and is deliberately not turnkey audit defense. Paid sitkastack engagements deliver the calibrated, client-specific, audit-ready version. Named case studies publish as engagements complete.
Questions about the framework or how it would apply in your environment? Email me.
The gates
Each gate is a worked example of one shared pattern: confidence-gated, human-in-the-loop AI triage in governed environments, with audit trails and governance artifacts.
Shared patterns documentation
The core architecture: confidence gating, audit logs, PII handling, eval harness, HITL routing, drift monitoring. Documented once, referenced by every gate implementation.
Vendor Risk Triage gate
An agent that reads vendor documentation (DPA, SOC 2 report, security questionnaire, AI/ML disclosure) and produces a risk-classified triage decision aligned to NIST AI RMF and EU AI Act categories, with human-in-the-loop escalation and a full audit trail. Shipped at v1.0.5 across eight phases.
Requirements Intake gate
Unified intake with two starter templates. General requirements turn unstructured stakeholder input into structured epics, stories, and acceptance criteria. AI-use-case intake adds a governance overlay, NIST risk classification, and a draft model card and risk assessment.
Portfolio Health gate
For services firms and PE-backed consultancies. Reads engagement data (Jira, Smartsheet, timesheet, financial) and classifies engagement health with reasoning.
AML/KYC alert triage gate
The pattern applied to AML/KYC alert disposition in regulated financial services.
The eight phases (shipped)
The Vendor Risk Triage gate ships at v1.0.5 across eight phases. Each phase lives in the repo with its own docs directory.
- Phase 0
Discovery & Risk Classification
Problem definition, risk classification taxonomy, and explicit out-of-scope boundaries.
Maps to: NIST AI RMF GOVERN and MAP functions; EU AI Act risk categorization.
View on GitHub
- Phase 1
Data Contracts & Privacy
Input and output data contracts, privacy and data handling spec, synthetic data specification, extension guide, and runnable example records.
Maps to: NIST AI RMF MAP function; EU AI Act data governance requirements; PIPEDA and GDPR data minimization principles.
View on GitHub
- Phase 2
Architecture & Threat Model
System architecture, data flow diagrams, threat model, and integration posture for deployment alongside existing GRC platforms and cloud environments.
Maps to: NIST AI RMF MAP and MEASURE functions; OSFI E-23 model design expectations.
View on GitHub
- Phase 3
Agent + RAG + Ingestion + Eval
Working agent code, BM25 retrieval over an OSFI E-23 corpus, ingestion pipeline, and an evaluation harness with graded datasets.
Maps to: NIST AI RMF MEASURE function; SR 11-7 model validation framework; OSFI E-23 ongoing model validation.
View on GitHub
- Phase 4
Eval Depth + Retrieval Quality
Confidence calibration (Brier score, ECE, reliability bins), retrieval-quality metrics, and expanded test splits.
Maps to: NIST AI RMF MEASURE function; SR 11-7 ongoing performance assessment.
View on GitHub
- Phase 5
Operational Hardening
PII handling controls, prompt-injection resistance testing, audit logging schema, structured error handling, and incident response runbooks.
Maps to: NIST AI RMF MANAGE function; OSFI E-23 ongoing monitoring; EU AI Act technical documentation.
View on GitHub
- Phase 6
Production Polish
Rendered audit-pack output, frozen output JSON Schema, agent version pinning, content hashing of system prompts, and reproducibility checks.
Maps to: NIST AI RMF GOVERN function; OSFI E-23 governance and oversight; EU AI Act technical documentation.
View on GitHub
- Phase 7
Multi-tenancy + Schema Migration
Multi-tenant deployment patterns, schema-versioned migrations, additional anchor regulations (NIST AI RMF, SOX PL 107-204, EU AI Act), and corpus-specific retrieval.
Maps to: NIST AI RMF MANAGE function; OSFI E-23 lifecycle governance; records retention obligations.
View on GitHub
Forward direction
Post-1.0, the work is themes, not phases. What matters next, in no particular order.
More authoritative corpora
Expanding the anchor-regulation set beyond the four shipped today (OSFI E-23, NIST AI RMF, SOX PL 107-204, EU AI Act) and tightening citation grounding for each.
Real-world calibration evidence
Building out calibration evidence from real deployments. Reliability diagrams, confidence drift over time, and inter-rater agreement against expert review on engagement data.
Deployment patterns from practitioners
Capturing deployment patterns and integration playbooks from operators running the framework in their own environments. What plugs into AuditBoard, ServiceNow GRC, and equivalent GRC stacks.
Maintenance and security
Ongoing dependency hygiene, supply-chain security, secret-handling guarantees, and a published security disclosure path.
Not building
- M&A diligence document triage. Too narrow a buyer segment.
- Anything consumer-facing.
- Anything that handles direct financial decisions without HITL.
- Anything that processes regulated PHI without a BAA in place.
- Sourcing as a standalone gate. Folded into Vendor as a renewal template.
- Code review as a standalone gate. Folded into Vendor's examples directory.
- Adoption / change-management gate. Too far from the core pattern.
Where to find the work
Documentation
Design notes
