Done-for-you offer · Fractional CMO with AI Swarm · 5-destination-routing 3-skill bundle · governance-router agent
5-destination decision routing for multi-unit franchise, multi- location service, multi-location retail, and DTC ecommerce operators — Classify + Route + Feedback 3-skill bundle on the governance-router agent, under a 5-anchor governance compliance overlay anchored on NIST AI RMF + EU AI Act human oversight + GDPR Article 22 + SEC Reg S-K board-tier escalation + per- vertical decision-class regulatory escalation
You operate a swarm of 12-20 AI agents across 50-1,500 locations that emit thousands of decisions per day. Every decision needs to route to one of five destinations: auto-approve-and-execute, queue-for-human-review, escalate-to-counsel-review, auto-block- and-log, or escalate-to-CEO-and-board. The classifier that picks the destination has to respect operator-counsel-approved risk classes, jurisdictional overlays (EU AI Act Article 14 human oversight, Colorado AI Act consequential decisions effective February 2026, NYC Local Law 144 automated employment decision tool audits, Illinois Artificial Intelligence Video Interview Act, California Automated Decisionmaking Technology regs under CCPA/CPRA, state ADM patchwork), per-vertical decision-class regulatory escalation (HIPAA + HITECH + FTC Health Breach Notification Rule for healthcare; FCRA + ECOA Reg B for credit; Fair Housing Act for housing; NAIC AI Model Bulletin + Colorado SB21-169 for insurance; NYC LL144 + EEOC AI guidance for employment), and public-registrant materiality thresholds (SEC Reg S-K Item 1.05 four-business-day disclosure obligation for material cybersecurity incidents). The workflow, case-management, decision-engine, AI-governance, ML-monitoring, and approval-workflow vendors below ship strong primitives. The orchestration above them — the operator-counsel-approved risk-class taxonomy, the jurisdictional overlay, the per- vertical decision-class escalation matrix, the SEC Reg S-K Item 1.05 materiality-assessment workflow, the classifier- disposition learning loop that closes when reviewers override the routing, and the audit trail that survives regulator and disclosure-committee scrutiny — is operator-side architecture. The compliance gate is anchored on five real anchors: NIST AI RMF + ISO 42001 + ISO 27001 + SOC 2 risk-class tiering; EU AI Act Articles 9 + 13 + 14 + 26 + 50 + Annex III high-risk categories; GDPR Article 22 + Article 35 DPIA + Colorado AI Act + NYC LL144 + Illinois AIVIA + California ADMT + state ADM patchwork; SEC Reg S-K Item 1.05 + SOX 302/404 + COSO + SAS 99 for board-tier escalation; per-vertical decision-class regulatory escalation matrix across healthcare, financial services, housing, insurance, employment. You keep the workflow + case-management + decision-engine + AI-governance + ML-monitoring + approval-workflow relationships, the operator- counsel-approved risk-class taxonomy, the classifier, the destination contracts, the WORM audit trail, the policy-as- code policies, and the disclosure-committee workflow. You keep the ability to in-house at any time.
Published September 24, 2026
The real ecosystem this sits above
Workflow + case management
ServiceNow, Jira Service Management, Atlassian Compass, Pega, Camunda, Temporal, Apache Airflow, Prefect, Dagster. Each ships strong workflow + ticketing + durable-execution primitives. Cross-vendor routing + per-destination SLA + per-destination rollback above them is operator-side architecture.
Decision engines
AWS Step Functions, Azure Logic Apps, Google Workflows, Camunda Decision Engine, Drools, IBM Operational Decision Manager, DMN tooling. Each ships strong rule-evaluation + decision-table primitives. The risk-class taxonomy + jurisdictional overlay + per-vertical escalation matrix that the engines evaluate is operator-counsel-side architecture.
AI governance + ML monitoring
Credo AI, Holistic AI, Robust Intelligence, Fairly, Arthur AI, Fiddler AI, WhyLabs, Aporia, Mona, Weights & Biases for AI governance. Arize, Evidently, Censius, Truera, Datadog AI Monitoring for ML monitoring. Each ships strong model tracking + drift + bias + explainability primitives. The routing thresholds + confidence + novelty inputs the classifier reads from these vendors is operator-side architecture.
Approval workflow + legal operations
DocuSign CLM, Ironclad, ContractPodAi, Onit, Agiloft. Each ships strong approval-routing + e-signature + privilege- preservation primitives. The counsel-review destination contract + attorney-client privilege preservation across the routing flow is operator-counsel-side architecture.
Policy-as-code + WORM storage + legal research
Policy-as-code: OPA Rego, AWS Cedar, Casbin, Cerbos, Oso. WORM: AWS S3 Object Lock, GCS retention, Azure Blob immutable, Snowflake Time Travel. Legal research: Westlaw, Lexis+, Bloomberg Law, Practical Law, Compliance.ai. Each ships strong primitives. The 5-anchor compliance gate that maps NIST AI RMF + EU AI Act + GDPR/state ADM + SEC/SOX + per-vertical onto an operator-counsel-approved policy bundle is operator-side architecture.
Frequently asked
What does 5-destination decision routing actually deliver, and where does it sit in the swarm?
An orchestration layer that sits above the operator workflow + case-management + decision-engine + AI-governance + ML-monitoring + approval-workflow + policy-as-code + WORM-storage stack and decides — for every AI-swarm-generated decision across all other agents — which of five destinations the decision routes to. The five destinations: Destination 1 auto-approve-and-execute (low-risk, well-known pattern, low-impact, auto-recoverable on rollback); Destination 2 queue-for-human-review (medium-risk, novel pattern, requires human judgment within operator-defined SLA); Destination 3 escalate-to-counsel-review (compliance-implicating, requires legal judgment, possible regulator-facing implications); Destination 4 auto-block-and-log (catastrophic-risk, policy-violating, blocked by rule or precedent, evidence captured for audit); Destination 5 escalate-to-CEO-and-board (crisis-level, regulator-implicating, material-incident-class — triggers SEC Reg S-K Item 1.05 evaluation when a public registrant). The skill is a three-skill bundle on the governance-router agent. Skill 1 — Classify: read the decision context (originating agent, decision class, action requested, affected parties, jurisdictional reach, materiality estimate, confidence, evidence pointers, model lineage) and apply the operator-counsel-approved risk-class taxonomy to pick the destination. Skill 2 — Route: emit the decision to the destination through the operator routing infrastructure (ServiceNow, Jira Service Management, Atlassian Compass, Pega, Camunda, Temporal, Apache Airflow, Prefect, Dagster — operator chooses) with per-destination SLA + escalation path + rollback capability + audit-trail-emission + cross-agent coordination. Skill 3 — Feedback: after the destination resolves (auto-executed, human-approved, counsel-approved, auto-blocked, executive-decided), emit the actual outcome (with actual cycle time, actual reviewer disposition, actual rollback or escalation events) back to the originating agent and to the governance-router classifier — closing the loop so the classifier learns operator-disposition patterns over time. The classifier itself is operator-data-science-team-and-counsel-aligned; thresholds and class boundaries change only via operator-counsel-approved revision. The workflow, decision engine, AI governance, ML monitoring, approval workflow vendors below ship strong primitives. The orchestration above them — risk-class taxonomy, destination contract, SLA enforcement, classifier learning loop, audit trail — is operator-side architecture.
Where does single-vendor workflow tooling stop compounding for governance routing?
Single-vendor workflow tooling is solved. ServiceNow ships a strong case-management + workflow platform. Jira Service Management ships strong ticket + approval workflow. Pega ships strong decisioning. Camunda + Temporal ship strong durable execution. AWS Step Functions + Azure Logic Apps + Google Workflows ship strong cloud-native orchestration. Credo AI + Holistic AI + Robust Intelligence + Arthur AI + Fiddler AI + WhyLabs ship strong AI governance primitives. DocuSign CLM + Ironclad ship strong legal-approval workflow. The compound case the governance-router agent has to handle is the one where 30-200 AI-swarm-generated decisions per minute across the operator catalog of 14+ agents each need a destination assignment that respects operator-counsel-approved risk classes, jurisdictional reach (the same content may route differently in California vs Texas vs EU), per-vertical decision-class regulatory escalation matrix (a healthcare-vertical decision routes through HIPAA-aware destinations; a financial-services-vertical decision routes through FCRA + ECOA + Fair Housing-aware destinations), public-registrant material-incident threshold (SEC Reg S-K Item 1.05 four-business-day disclosure trigger), per-decision SLA bracket (catastrophic-tier must clear within minutes; counsel-review within operator-counsel-set hours), and per-decision rollback capability tied to the underlying agent operation. Without an orchestration layer above the workflow + decision-engine + AI-governance + ML-monitoring + approval vendors, the risk-class taxonomy fragments across vendor consoles (each workflow tool maintains its own approval matrix), the cross-agent coordination breaks (a decision that needs simultaneous counsel review and CEO escalation gets fragmented across two systems with no joining key), the classifier learning loop never closes (human reviewers make decisions that never feed back into routing thresholds), and the audit trail of "what decision, against what classifier version + risk-class taxonomy version + counsel policy version, routed to what destination, with what SLA + reviewer disposition + outcome" splinters across consoles. The orchestration above the vendors is what holds the cross-vendor + cross-agent + cross-jurisdiction + cross-vertical invariants.
How does Skill 1 Classify decide which of the five destinations a decision routes to?
The Classify skill reads the decision context emitted by the originating agent and applies the operator-counsel-approved risk-class taxonomy. The taxonomy is a layered decision tree, not a black-box model — operator counsel must be able to read and modify it. Layer 1 — categorical hard rules. Certain decision types route directly to Destination 4 auto-block (policy-violating content + sanctioned-jurisdiction operations + counsel-listed prohibited actions). Certain decision types route directly to Destination 5 executive escalation (material-incident-class events as defined by operator counsel under SEC Reg S-K Item 1.05 evaluation framework + regulator-correspondence-triggering events + crisis-management-tier events). Layer 2 — jurisdictional overlay. The decision context carries jurisdictional reach (which states + countries the decision affects). For each jurisdiction, the operator-counsel-maintained jurisdiction policy may upgrade the destination — a decision that would otherwise auto-approve may route to counsel review when it touches EU territory under EU AI Act Article 14 human oversight obligations, or when it touches Colorado under the Colorado AI Act (effective February 2026), or when it touches Illinois under the Illinois Artificial Intelligence Video Interview Act, or when it touches NYC under Local Law 144 automated employment decision tool audit requirements. California ADMT (Automated Decisionmaking Technology) regulations under CCPA/CPRA add additional consumer notification + opt-out + access requirements for ADM decisions; the jurisdiction overlay routes such decisions through a destination that completes the ADMT obligations before execution. Layer 3 — per-vertical decision-class regulatory escalation matrix. Healthcare-vertical decisions touching PHI route through HIPAA + HITECH-aware destinations (HIPAA breach notification rule 45 CFR Parts 160 and 164 Subpart D triggers counsel evaluation for breach-class events; FTC Health Breach Notification Rule applies to non-HIPAA-covered health apps). Financial-services-vertical decisions touching consumer credit route through FCRA-aware destinations (FCRA adverse action notice requirements 15 USC 1681m + Reg V); ECOA Reg B notice-of-action requirements apply for credit applications. Housing decisions route through Fair Housing Act + state fair-housing-aware destinations. Insurance decisions route through state insurance-commissioner ADM regs (the NAIC AI Model Bulletin adopted by many states governs insurer use of AI). Layer 4 — confidence and novelty score. The originating agent emits a confidence score and a novelty score (how far outside training distribution the decision is). Low confidence or high novelty escalates the destination up the tier (auto-approve becomes human review; human review becomes counsel review; counsel review becomes executive escalation). Layer 5 — materiality threshold against SEC Reg S-K Item 1.05 for public registrants. Material-incident-class decisions that could trigger four-business-day disclosure obligation route to Destination 5 executive escalation for evaluation by the disclosure committee. All five layers compose. The classifier emits the destination + the rule-citation evidence trail (which rule at which layer drove the routing) + the confidence in the routing decision itself. Decisions classified at the edge of two destinations emit both candidates with the conservative default; operator-counsel-approved policy decides which way the edge resolves and the classifier learns from operator-reviewer dispositions over time.
How does Skill 2 Route emit the decision to the right destination, and what does Skill 3 Feedback do?
Skill 2 Route reads the classification result and emits the decision to the operator routing infrastructure. The infrastructure choice is operator-side — ServiceNow for operators with a strong ServiceNow ITSM/CMDB practice, Jira Service Management when Atlassian is the case-management stack, Atlassian Compass when developer-experience-aligned, Pega when an enterprise BPM is in place, Camunda or Temporal when durable execution is operator-engineering-team-preferred, AWS Step Functions or Azure Logic Apps or Google Workflows when cloud-native, Apache Airflow or Prefect or Dagster when data-pipeline-aligned. The Route skill speaks the chosen infrastructure’s API + emits the decision payload + per-destination SLA + per-destination escalation path + per-destination rollback capability + per-destination audit-trail metadata. For Destination 1 auto-approve, the Route skill emits the execution to the originating agent with cryptographic attestation that classification confidence cleared the operator-counsel-set auto-approve threshold. For Destination 2 human review, the Route skill creates a review task in the operator case-management vendor + sets the SLA bracket + assigns to the operator-counsel-set reviewer pool + emits the decision-context payload + emits the policy-citation evidence trail. For Destination 3 counsel review, the Route skill creates a counsel-review task with attorney-client privilege-preserving metadata + sets the counsel SLA + emits to the operator legal-operations system (Ironclad, ContractPodAi, Onit, Agiloft — operator chooses) with privilege protection. For Destination 4 auto-block, the Route skill records the block + emits the evidence to the operator policy-as-code system (OPA Rego, AWS Cedar, Casbin, Cerbos, Oso — operator chooses) + writes to the operator WORM audit trail + emits the rollback if any upstream agent operation must reverse. For Destination 5 executive escalation, the Route skill emits to the operator executive-notification channel + creates a board-disclosure-committee task for SEC Reg S-K Item 1.05 evaluation + emits the materiality assessment + emits to operator counsel + emits to operator CISO when cybersecurity-implicating. Skill 3 Feedback runs after the destination resolves. For Destination 1 auto-approve, Feedback records the actual outcome (the underlying agent operation succeeded or failed or rolled back) + cycle time + downstream consequences over the operator-counsel-set learning window. For Destinations 2 and 3, Feedback records the reviewer disposition (approved, rejected, modified, escalated up-tier) + reviewer rationale + cycle time + reviewer identity (privilege-preserving) + downstream consequences. For Destination 4, Feedback records that the block was correct (no consequence) or incorrect (false-positive block that was later overridden by counsel) + the override rationale if applicable. For Destination 5, Feedback records the executive decision + the materiality determination + the SEC disclosure outcome if applicable + the regulator-correspondence outcome if applicable. All feedback emits to the Classify skill’s learning store + to the originating agent + to the operator WORM audit trail. The Classify skill’s classifier updates do not happen autonomously; operator data science team + operator counsel review the proposed threshold adjustments on the operator-counsel-set cadence (quarterly is typical) before any change ships to production routing.
What compliance does the per-decision routing enforce, and how does it map to NIST AI RMF + EU AI Act, GDPR + Colorado AI Act + NYC LL144 + Illinois AIVIA + California ADMT, SEC Reg S-K + SOX, and per-vertical decision-class escalation?
Five anchors. Anchor 1 — NIST AI RMF + ISO 42001 + ISO 27001 + SOC 2 risk-class tiering. NIST AI Risk Management Framework (NIST AI 100-1) Govern, Map, Measure, Manage functions provide the operator-counsel-approved framework for AI risk classification; the 5-destination routing operationalizes the Manage function (specifically MG-2 risk responses) by tiering decisions across auto-approve, human review, counsel review, auto-block, executive escalation. ISO/IEC 42001 AI Management System Standard provides the management-system layer (clauses on policy, planning, support, operation, performance evaluation, improvement) that the 5-destination routing fits into. ISO/IEC 27001 + SOC 2 Type II provide the information security control framework that protects the routing infrastructure itself. The gate enforces: per-classification NIST AI RMF citation + per-destination ISO 42001 management-system mapping + per-routing-event SOC 2 control attestation. Anchor 2 — EU AI Act (Regulation 2024/1689) human oversight + risk management + transparency + deployer obligations. EU AI Act Article 9 risk management system + Article 13 transparency to deployers + Article 14 human oversight (high-risk AI systems must be designed to enable effective oversight by natural persons, including through human-in-the-loop capability) + Article 26 deployer obligations + Article 50 generative-AI transparency obligations (AI-generated content marking) + Annex III high-risk AI system categories (employment, education, essential services, law enforcement, migration, justice + democracy). When the originating agent operates within an EU AI Act Annex III high-risk category and touches EU territory, the routing escalates the destination to ensure Article 14 human-oversight is operationalized (auto-approve becomes human review). Anchor 3 — GDPR Article 22 + Article 35 DPIA + state ADM laws. GDPR Article 22 (right not to be subject to solely automated decisionmaking producing legal or similarly significant effects) requires meaningful human involvement or specified exceptions; Article 35 requires Data Protection Impact Assessments for high-risk processing. Colorado AI Act (Senate Bill 24-205, effective February 1 2026) covers consequential decisions in employment, education, financial services, essential services, government services, healthcare, housing, insurance, legal services + requires algorithmic discrimination risk management + consumer notice + appeals process. NYC Local Law 144 (effective July 2023) requires bias audits + notice for automated employment decision tools. Illinois Artificial Intelligence Video Interview Act requires notice and consent for AI video interview analysis. California ADMT (Automated Decisionmaking Technology) regulations under CCPA/CPRA (adopted by CPPA, currently in implementation rulemaking) add consumer notice + opt-out + access + appeal rights for ADM decisions producing significant effects; the gate routes such decisions through destinations that complete ADMT consumer obligations before execution. State patchwork extends: Tennessee + Connecticut + Texas + Virginia + similar state ADM bills (rapidly evolving). Anchor 4 — SEC Reg S-K Item 1.05 + SOX 302/404 + COSO Internal Control + SAS 99 for board-tier escalation. SEC Reg S-K Item 1.05 (effective December 18 2023) requires public registrants to disclose material cybersecurity incidents within four business days of determining materiality; AI-decision incidents with material cybersecurity implications route to Destination 5 executive escalation for materiality evaluation by the disclosure committee. SOX Section 302 (CEO/CFO certification) + Section 404 (internal control over financial reporting) impose internal-control obligations where AI decisions affect financial reporting + reserves + revenue recognition. COSO Internal Control — Integrated Framework provides the control taxonomy. SAS 99 (now AU-C 240) on fraud considerations frames the auditor-facing posture. The gate enforces: per-board-tier-event materiality assessment + per-event SOX-control attestation + per-event COSO mapping. Anchor 5 — Per-vertical decision-class regulatory escalation matrix. Healthcare: HIPAA Privacy + Security + Breach Notification Rule (45 CFR Parts 160 + 164) + HITECH Act + FTC Health Breach Notification Rule (16 CFR Part 318) + state health-data protection (Washington My Health My Data Act effective April 2024 + state patchwork) + per-state board of medicine/dental/pharmacy/optometry/physical therapy regulations. Financial services: FCRA (15 USC 1681) adverse action notice requirements + Regulation V + ECOA (15 USC 1691) Reg B notice-of-action + CFPB UDAAP enforcement + state UDAP. Housing: Fair Housing Act + HUD AI/algorithmic-decisionmaking guidance + state fair-housing acts. Insurance: state insurance-commissioner AI-use bulletins (NAIC AI Model Bulletin adopted by many states) + Colorado SB21-169 insurer use of external data + state-by-state ADM regs. Employment: NYC Local Law 144 + Illinois AIVIA + EEOC AI guidance + ADA + per-state employment-AI bills. Each per-vertical class maps to specific destination tiers in the operator-counsel-approved routing taxonomy. Broader gate also enforced: GLBA Safeguards Rule + PCI DSS 4.0 + FedRAMP when federal customers + per-state breach notification + DSA Article 28 + COPPA + California AADC via policy-as-code (OPA Rego + AWS Cedar + Casbin + Cerbos + Oso). WORM audit trail (AWS S3 Object Lock + GCS retention + Azure Blob immutable + Snowflake Time Travel) with per-statute retention (GDPR 6yr + HIPAA 6yr + SOX 7yr + SEC Reg S-K 5yr + FCRA 5yr + FTC 7yr + IRS 7yr + EU AI Act 10yr + state variable) per operator counsel policy.
What does the engagement look like across Tier 1 → Tier 2 → Tier 3, and what does the Tier 3 reporting cycle commit to?
Tier 1 AI Readiness Assessment ($10k, 2-3 weeks, diagnostic): audits the operator current AI-swarm decision-routing posture against the 3-skill bundle + 5-anchor governance compliance overlay + per-vendor workflow + decision-engine + AI-governance + ML-monitoring state; deliverable is a gap-pack report identifying which originating agents lack risk-class taxonomies, which decisions currently route via ad-hoc paths instead of the 5-destination taxonomy, which jurisdictional overlays are unimplemented (EU AI Act Article 14 + Colorado AI Act + NYC LL144 + Illinois AIVIA + California ADMT), which per-vertical decision-class regulatory escalations are missing, whether SEC Reg S-K Item 1.05 materiality assessment is wired for public-registrant operators, and a recommended remediation sequence for Tier 2. Tier 2 AI Swarm Setup Sprint ($25-50k, 4-8 weeks): builds the 3-skill bundle on the governance-router agent, wires the operator workflow + case-management + decision-engine vendor (operator-chosen subset), wires the operator AI-governance + ML-monitoring vendor (operator-chosen subset), wires the operator approval-workflow + legal-operations system, configures the operator-counsel-approved risk-class taxonomy, configures the jurisdictional overlay + per-vertical decision-class escalation matrix, wires SEC Reg S-K Item 1.05 materiality assessment workflow for public registrants, wires policy-as-code + WORM-storage, runs 30-day shadow + canary period before flipping to enforce-mode. Tier 3 Fractional CMO with AI Swarm ($15-25k/month, 6-month minimum, 1-2 days/wk embedded): continues operating with daily decision-routing monitoring + weekly classifier-disposition audit against reviewer dispositions + monthly classifier-threshold reviews with operator data science + operator counsel + quarterly per-vertical decision-class regulatory escalation matrix updates against statute amendments + quarterly EU AI Act + Colorado AI Act + NYC LL144 + Illinois AIVIA + California ADMT implementing-guidance updates + quarterly compliance evidence packages. Tier 3 reporting is a 6-workstream pre-engagement-baseline reporting cycle (per-originating-agent routing-coverage trend + per-destination disposition trend + per-jurisdiction overlay enforcement + per-vertical decision-class escalation enforcement + classifier-disposition agreement rate against reviewer dispositions + WORM audit-trail completeness) measured against the operator’s pre-engagement baseline. Each workstream surfaces trend direction and the gap to operator-defined targets. Reporting carries explicit caveats: workflow + case-management + decision-engine + AI-governance + ML-monitoring + approval-workflow + policy-as-code vendor SLA + EU AI Act implementing regulation cycle + Colorado AI Act implementing rules + NYC LL144 + Illinois AIVIA + California ADMT rulemaking + NIST AI RMF version updates + ISO 42001 + ISO 27001 amendments + SEC Reg S-K interpretive guidance + per-vertical regulator guidance (HIPAA OCR + FTC + CFPB + EEOC + HUD + NAIC) + state ADM statute amendments sit outside Completions control. Attorney-client privilege preservation across the operator-counsel-approved risk-class taxonomy + jurisdictional overlay policy + per-vertical decision-class escalation matrix + classifier-threshold-revision records + SEC Reg S-K Item 1.05 materiality-assessment records is maintained per operator counsel policy.
Who owns the risk-class taxonomy, the classifier, the destination contracts, and the audit trail?
Operator owns every artifact. The workflow + case-management subscriptions (ServiceNow, Jira Service Management, Atlassian Compass, Pega, Camunda, Temporal, Apache Airflow, Prefect, Dagster — operator chooses) run under operator billing on operator-controlled accounts. The decision-engine subscriptions (AWS Step Functions, Azure Logic Apps, Google Workflows, Camunda Decision Engine, Drools, IBM Operational Decision Manager, DMN tooling — operator chooses) run under operator billing. The AI-governance + ML-monitoring subscriptions (Credo AI, Holistic AI, Robust Intelligence, Fairly, Arthur AI, Fiddler AI, WhyLabs, Aporia, Mona, Weights & Biases, Arize, Evidently, Censius, Truera, Datadog AI Monitoring — operator chooses) run under operator billing. The approval-workflow + legal-operations subscriptions (DocuSign CLM, Ironclad, ContractPodAi, Onit, Agiloft — operator chooses) run under operator account. The operator-counsel-approved risk-class taxonomy + jurisdictional overlay policy + per-vertical decision-class regulatory escalation matrix + SEC Reg S-K Item 1.05 materiality framework + EU AI Act Annex III high-risk-category mapping + Colorado AI Act + NYC LL144 + Illinois AIVIA + California ADMT compliance records all live in operator counsel repo. The Classify + Route + Feedback skill code lives in operator code repo. The classifier itself lives in operator code repo with operator-data-science-team-and-counsel-approved change control. The destination contracts (per-destination payload schema, SLA, escalation path, rollback capability, audit-trail metadata) live in operator code repo. The WORM audit trail lives on operator-controlled cloud storage (AWS S3 Object Lock + GCS retention + Azure Blob immutable + Snowflake Time Travel) with per-statute retention enforcement. The policy-as-code policies (OPA Rego + AWS Cedar + Casbin + Cerbos + Oso) live in operator code repo, counsel-aligned. The NIST AI RMF + ISO 42001 + ISO 27001 + SOC 2 + SOX + COSO + per-vertical compliance evidence records are operator-counsel-and-CISO-maintained. Completions owns the orchestration knowledge — how to design the operator-counsel-approved risk-class taxonomy against the actual decision mix in the operator swarm, how to wire the per-jurisdiction overlay against the operator territory footprint, how to compose the per-vertical decision-class regulatory escalation matrix against the operator vertical mix, how to wire SEC Reg S-K Item 1.05 materiality assessment with the operator disclosure committee for public registrants, how to design the classifier-disposition learning loop without breaking attorney-client privilege, how to coordinate cross-agent routing when a single decision touches multiple originating agents — and that knowledge transfers under the Tier 3 transition path (30-60 days at engagement end with full hand-off of the risk-class taxonomy management playbook, the classifier-disposition learning-loop runbook, the destination-contract library, the jurisdictional-overlay library, the per-vertical decision-class escalation matrix, the SEC Reg S-K materiality-assessment workflow, and the compliance evidence-package generation playbook). Completions credentials revoke on engagement-end.
Engage Completions
Start with the AI Readiness Assessment (Tier 1, 2-3 weeks, $10k): audit of the operator current AI-swarm decision-routing posture against the 3-skill bundle + 5-anchor governance compliance overlay + per-vendor workflow + decision-engine + AI-governance + ML-monitoring + approval-workflow state. Hand off to Tier 2 AI Swarm Setup Sprint ($25-50k, 4-8 weeks): build the 3-skill bundle on the governance-router agent, wire workflow + case-management + decision-engine + AI-governance + ML-monitoring + approval-workflow + legal-operations + policy- as-code + WORM-storage, configure the operator-counsel-approved risk-class taxonomy + jurisdictional overlay + per-vertical decision-class escalation matrix + SEC Reg S-K Item 1.05 materiality assessment, run 30-day shadow + canary before flipping to enforce-mode. Continue under Tier 3 Fractional CMO with AI Swarm ($15-25k/mo, 6-month minimum, 1-2 days/wk embedded).
Related reading
- AI agent governance (per-skill autonomy profiles + the governance posture this routing skill operationalizes)
- AI agent guardrails with override-learning (the closed-loop feedback pattern this routing skill instantiates)
- Fractional CMO with AI Swarm (Tier 3 engagement that operates the 5-destination routing cycle)