AI Governance
AI governance is ReGenesis's defining differentiator. While most enterprise SaaS companies treat AI as a feature, ReGenesis treats it as a responsibility. Sasha — the platform's AI coaching intelligence — processes deeply personal content, makes recommendations that affect careers, and operates in real-time during live sessions. This demands a governance framework that goes beyond standard AI safety.
Why This Matters
Most AI coaching tools bolt on safety as an afterthought. ReGenesis builds governance into the architecture:
| Dimension | ReGenesis Approach |
|---|---|
| Transparency | Every AI insight links back to source evidence (L0/L1/L2 Evidence Packs) |
| Human Oversight | Coaches approve all AI-generated insights before delivery |
| Bias Prevention | Continuous monitoring for demographic, cultural, and linguistic bias |
| Safety Guardrails | Crisis detection, escalation protocols, therapy boundary enforcement |
| Risk Management | 25+ identified risks with mitigations mapped to OWASP LLM Top 10 |
| Regulatory Readiness | Designed for EU AI Act compliance from day one |
How AI Governance Is Organized
This section covers the governance framework, risk management, and regulatory compliance for the platform's AI systems. For the technical implementation details of Sasha, see the Security section.
In This Section
| Topic | What It Covers | Context |
|---|---|---|
| Responsible AI Framework | EU AI Act compliance, Sasha transparency, bias monitoring | AI policy and governance decisions |
| AI Risk Register | 25+ risks, OWASP LLM Top 10 mapping, mitigations | Risk reviews and security audits |
Related Pages (In Other Sections)
AI governance touches many aspects of the platform. These pages in other sections contain important AI safety content:
- Sasha AI Engine (Security) — Prompt design, LLM integration, safety guardrails
- Sasha Live (Security) — Real-time intelligence, crisis escalation protocols
- Automated Decisions (Privacy) — GDPR Article 22, human-in-the-loop requirements
- Evidence Packs (Compliance) — L0/L1/L2 explainability system
Governance Gaps Under Development
The following governance areas are actively being designed. Each references specific risks in the AI Risk Register.
Sasha Actions Governance (Target: Pilot)
Sasha Act Mode allows the AI to perform real-world actions (send emails, modify calendars, trigger integrations) on behalf of coaches. This requires governance controls beyond those that address read-only AI risks. See risk register entries AI-011, AI-012, AI-013.
| Governance Dimension | Requirement | Status |
|---|---|---|
| Consent | Coach must explicitly approve every action before execution | Designed |
| Approval workflow | Preview modal showing full action details with confirm/cancel | Designed |
| Audit trail | Every AI-initiated action logged with actor, target, timestamp, and content hash | Designed |
| Scope limitation | Each integration has an allowlist of permitted action types | Designed |
| Reversibility policy | Actions classified as reversible, partially reversible, or irreversible with escalating approval | Designed |
| Rate limiting | Maximum AI-initiated actions per user per day (e.g., 5 emails/day) | Designed |
| PII scanning | Outbound content scanned for PII before dispatch; blocked if detected outside allowlist | Designed |
| New action type governance | Adding a new action type requires security review, DPA verification, and reversibility classification | Planned |
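A sketch of how the scope, consent, rate-limit and audit rows above can combine into one enforcement point. This is an added example, not ReGenesis code. The names `ActionGate`, `ALLOWLIST` and `DAILY_CAP`, the rolling 24-hour window, and binding the coach's approval to a SHA-256 of the previewed content are all assumptions made for illustration.

```python
import hashlib
import time
from collections import defaultdict

# Hypothetical values: a per-integration allowlist and a daily cap of 5,
# mirroring the page's "5 emails/day" illustration.
ALLOWLIST = {"email": {"send"}, "calendar": {"create_event", "move_event"}}
DAILY_CAP = 5
DAY_SECONDS = 86400


def content_hash(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


class ActionGate:
    def __init__(self):
        self.audit = []                      # append-only audit trail
        self._executed = defaultdict(list)   # actor -> execution timestamps

    def submit(self, actor, integration, action, target, content,
               approved_hash=None, now=None):
        """Return the decision; every attempt is logged, allowed or not."""
        now = time.time() if now is None else now
        digest = content_hash(content)
        # Keep only executions inside the rolling 24-hour window (assumption).
        recent = [t for t in self._executed[actor] if now - t < DAY_SECONDS]
        if action not in ALLOWLIST.get(integration, set()):
            decision = "denied:not_allowlisted"
        elif approved_hash != digest:
            # No approval given, or content changed after the preview was shown.
            decision = "denied:not_approved"
        elif len(recent) >= DAILY_CAP:
            decision = "denied:rate_limited"
        else:
            decision = "executed"
            recent.append(now)
        self._executed[actor] = recent
        self.audit.append({"actor": actor, "integration": integration,
                           "action": action, "target": target,
                           "timestamp": now, "content_sha256": digest,
                           "decision": decision})
        return decision
```

Denied attempts are written to the audit trail as well, so reviewers can see what the AI tried to do and not only what it was allowed to do.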
Group Coaching AI Governance (Target: GA)
Group coaching introduces multi-participant dynamics that 1:1 coaching governance does not address. Privacy, consent, and anonymization requirements are significantly more complex. See risk register entries AI-014, AI-015.
| Challenge | Governance Response |
|---|---|
| Multi-participant consent | Granular per-session consent collected from each participant before AI processing begins |
| Cross-participant privacy | Individual AI analysis runs in isolated context windows with no data shared between participants |
| Anonymization | Group-level insights use k-anonymity with a minimum group size of 5 to prevent re-identification |
| Coach responsibility | All group insights require coach review before delivery; coach is accountable for appropriate use |
| Consent withdrawal | Withdrawing participants have their data excluded from future processing and purged from group context; AI features degrade gracefully with partial consent |