Resources

Framework resources

The Human-AI Governance Framework is open-source. The full specification, including the twelve-section rubric, the configuration model, the translation layer between AI Act and HRDD logic, and the Generator configuration, is published in a public GitHub repository.

View the framework on GitHub →

What's in the repository

The repository contains the engineering specification of the framework — the document that defines what the diagnostic checks, how the framework adapts to different organizations, and what the Generator produces. The web tool on this site is built from that specification.

It is organized as follows:

  • README — overview of the framework, its argument, and its scope
  • Rubric scope — methodology of the framework, what it covers and what it does not
  • Configuration model — how the framework adapts to different organizations across three axes (regulatory exposure, ambition, policy integration)
  • Generator configuration — voice, document structure, and runtime behavior of the policy generator
  • Translation layer — how the framework handles the interaction between EU AI Act product-safety classification and HRDD impact-based assessment
  • Architectural note on hybrid mode — special handling for sections where the framework establishes a foundation but invites the organization to express it in its own voice
  • Twelve section files — each containing requirements, source citations, assessment criteria, and Generator behavior

The twelve sections of the rubric

The rubric is the heart of the specification. It contains approximately 75 requirements across twelve sections.

  • Principles — the framework's foundational positions: people-first AI, AI as a category of human rights risk, the surveillance distinction
  • Governance and accountability — ownership of AI governance, board-level oversight, AI Act role classification, human accountability for AI-driven decisions
  • Worker rights and human oversight — algorithmic management, human-in-the-loop for employment decisions, the right to contest, worker consultation
  • Transparency and explainability — disclosure to affected individuals, explanation of automated decisions, public reporting calibrated to ambition tier
  • Data protection and privacy — anchoring to GDPR, BIPA, the Colorado AI Act, CCPA/CPRA, and other applicable regimes; DPIA as a standing instrument
  • AI risk classification and impact assessment — tiered risk classification (Prohibited / High-Risk / Limited), HRIA triggers, the translation between AI Act risk and human rights severity
  • Human rights due diligence integration — the framework's signature section, integrating AI risk into existing UNGPs-based HRDD methodology
  • Supply chain and third-party AI — vendor due diligence, model card requirements, right-to-audit, supplier algorithmic management
  • Training and competence — AI literacy across the organization, training calibrated to role and risk exposure
  • Grievance and remedy mechanisms — extending existing whistleblower and grievance channels to AI-related harms, the right to human review
  • Connected internal policies — how the framework extends Code of Conduct, Own Workforce Policy, Supplier Code, Data Protection policy, and other foundational documents
  • Applicable external frameworks — alignment with UNGPs, OECD Guidelines, ILO, the Council of Europe Framework Convention on AI, ISO/IEC 42001

Read the rubric on GitHub →

License

The framework is released under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0).

In plain terms, this means:

  • You are free to use, adapt, and redistribute the framework for any purpose, including commercial use
  • You must give appropriate credit to the original framework
  • If you adapt or build on the framework, you must share your adaptations under the same license

Full license terms →

Disclaimer

The framework provides recommendations and best-practice guidance. It is not legal advice. Organizations adopting policies generated through this site or built from the framework specification should obtain qualified legal review before adoption, particularly for binding obligations under the EU AI Act, GDPR, CSDDD, national HRDD instruments (Norwegian Transparency Act, German LkSG, French Loi de Vigilance, and others), and sector-specific regulation.

Version 1.0 of the framework is executive-only. The Generator produces an executive Human-AI Policy of approximately 2,500 words across ten sections, suitable for board approval and public posting, along with suggested additions to the Code of Conduct and Own Workforce Policy. Operational implementation detail — procurement specifications, audit cadences, escalation thresholds, KPI targets — is deferred to a later release.

Generator output is intended as a starting point for company-specific refinement, not as a final adoptable text without internal review. The artefacts reflect the framework's methodology and positions; they cannot reflect knowledge of the organization that only the organization holds.

Acknowledgements

The framework draws on the work of many people and organizations. Particular acknowledgement is owed to:

  • The UN Office of the High Commissioner for Human Rights B-Tech Project on AI and human rights
  • The OECD's work on responsible business conduct and AI principles
  • The Council of Europe's work on the Framework Convention on Artificial Intelligence
  • The International Labour Organization's work on workers' rights in digital labour
  • The European Data Protection Board's guidance on AI and personal data
  • Academic and practitioner literature on HRDD methodology, including work by the Shift Project, the Danish Institute for Human Rights, and various business and human rights research centers

Specific source citations are documented per requirement in the rubric files on GitHub.