<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Regulated Intelligence]]></title><description><![CDATA[ TRIZ × AI | Regulated Markets]]></description><link>https://www.regulated-intelligence.com</link><image><url>https://substackcdn.com/image/fetch/$s_!Jegk!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98289774-d713-4794-bf0c-361f211a1129_256x256.png</url><title>Regulated Intelligence</title><link>https://www.regulated-intelligence.com</link></image><generator>Substack</generator><lastBuildDate>Tue, 07 Jul 2026 21:45:26 GMT</lastBuildDate><atom:link href="https://www.regulated-intelligence.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[JL CREPPY]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[jlcreppy@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[jlcreppy@substack.com]]></itunes:email><itunes:name><![CDATA[JL CREPPY]]></itunes:name></itunes:owner><itunes:author><![CDATA[JL CREPPY]]></itunes:author><googleplay:owner><![CDATA[jlcreppy@substack.com]]></googleplay:owner><googleplay:email><![CDATA[jlcreppy@substack.com]]></googleplay:email><googleplay:author><![CDATA[JL CREPPY]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Prompt Kit 07 — Model Explainability]]></title><description><![CDATA[Four prompts to build explainability where it actually lives &#8212; in the system around the model, not inside it.]]></description><link>https://www.regulated-intelligence.com/p/prompt-kit-07-model-explainability</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/prompt-kit-07-model-explainability</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Mon, 06 Jul 2026 00:08:05 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Jegk!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98289774-d713-4794-bf0c-361f211a1129_256x256.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Four prompts to build explainability where it actually lives &#8212; in the system around the model, not inside it.</p><p>They sequence from a use-case explanation matrix, to the instrumentation layer around a chosen model, to a human-in-the-loop that captures the reason, to a decision-reconstruction pack that ends in one number: your time-to-explain. Designed for both technical and non-technical users.</p><p>Companion essay: &#8220;<a href="https://www.regulated-intelligence.com/p/stop-asking-the-black-box-to-explain">Stop Asking the Black Box to Explain Itself</a>&#8221;</p><div class="file-embed-wrapper" data-component-name="FileToDOM"><div class="file-embed-container-reader"><div class="file-embed-container-top"><image class="file-embed-thumbnail-default" src="https://substackcdn.com/image/fetch/$s_!0Cy0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack.com%2Fimg%2Fattachment_icon.svg"></image><div class="file-embed-details"><div class="file-embed-details-h1">Prompt Kit 07</div><div class="file-embed-details-h2">80.2KB &#8729; PDF file</div></div><a class="file-embed-button wide" href="https://www.regulated-intelligence.com/api/v1/file/e6fc61a7-16c3-4671-904d-cade5d372365.pdf"><span class="file-embed-button-text">Download</span></a></div><a class="file-embed-button narrow" href="https://www.regulated-intelligence.com/api/v1/file/e6fc61a7-16c3-4671-904d-cade5d372365.pdf"><span class="file-embed-button-text">Download</span></a></div></div><p></p><p>TRIZ &#215; AI | Regulated Markets &#183; JL CREPPY</p>]]></content:encoded></item><item><title><![CDATA[Stop Asking the Black Box to Explain Itself]]></title><description><![CDATA[Explainability was never a property of the model. It is a property of the system you build around it.]]></description><link>https://www.regulated-intelligence.com/p/stop-asking-the-black-box-to-explain</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/stop-asking-the-black-box-to-explain</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Mon, 06 Jul 2026 00:06:43 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/16345c9b-347a-4998-8ecf-a1ae5072c7c0_1456x816.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>On 29 June 2026, the Council of the European Union gave its final approval to the Digital Omnibus, and a date fixed for four years quietly moved. The heaviest part of the EU AI Act &#8212; the high-risk regime for the stand-alone systems listed in Annex III, which in Article 13 requires that a system be &#8220;sufficiently transparent to enable deployers to interpret a system&#8217;s output and use it appropriately&#8221; &#8212; now applies from 2 December 2027 rather than 2 August 2026. Sixteen months of runway, granted not because the problem was solved but because the machinery to comply with it &#8212; harmonized standards, notified bodies, national supervisors &#8212; was not built in time.</p><p>One requirement did not move. Article 50, the duty to tell a person they are dealing with a machine and to mark synthetic content, still lands on 2 August 2026. Set the two side by side and the Union has said something precise, if by accident: you must disclose that the machine is present, but you have another eighteen months before you must make it interpretable. The easy half kept its date. The hard half slipped. Oops!!</p><p>The reaction in most steering committees has been relief &#8212; which is the wrong response, and not because the delay is unwelcome. The deadline was never the reason to do the work; the delay has merely exposed how many firms believed it was.</p><p></p><h3>The consensus is reading a reprieve where there is only a runway</h3><p>The consensus take is that the explainability pressure has eased; the interpretability line on the roadmap slides down a few quarters, and the vendor briefings say &#8220;delayed to 2027.&#8221; That treats explainability as a compliance artifact &#8212; something you produce because a regulator asks, on the regulator&#8217;s calendar.</p><p>That is the mistake. Explainability is not, at root, a regulatory deliverable; it is an operating necessity you also happen to owe a regulator. You need it the afternoon a model declines a good customer and someone has to say why, and the morning an output drifts and the on-call engineer has to find the cause before the customers do, not the auditors. December 2027 changes none of that. We have spent a decade asking the wrong entity to do the explaining.</p><p></p><h3>The trade-off is a category error</h3><p>The received wisdom is a trade-off: more performance, less explainability. The powerful models are opaque, the transparent ones weak, and governance is the melancholy art of choosing a point on that line. It is drawn as a straight line because everyone has agreed, without quite noticing, on one hidden premise &#8212; that the explanation must come from <em>inside</em> the model.</p><p>Drop that premise and the line dissolves. Here is the inversion it hides, and the thesis of this essay: t<em><strong>he most explainable AI systems are usually built on the least explainable models.</strong></em> Explainability is not extracted from a model by crippling it; it is engineered into the system around it.</p><p>We even named the problem after its own cure. We call an opaque model a &#8220;black box&#8221; &#8212; which is precisely what aviation calls the one device on the aircraft designed to make an unexplainable event explainable. The flight recorder is not the engine made transparent; it sits outside the engine, reconstructing what the engine will never confess. The explanation was never in the component. It was in the system around it.</p><h4>What follows:</h4><p>- The TRIZ move that dissolves the <em>performance-versus-explainability</em> trade-off instead of splitting the difference</p><p>- The three altitudes of explanation &#8212; <strong>model, system, institution</strong> &#8212; and why most programs never leave the ground floor</p><p>- What each altitude owes you, quoted from MAS, the HKMA and the EU AI Act</p><p>- The two audiences of every explanation &#8212; the <em><strong>reason</strong></em> a regulator needs, the <em><strong>diagnosis</strong></em> an engineer needs &#8212; and why one mechanism cannot serve both</p><p>- A diagnostic to run before Friday on your highest-stakes model, ending in a single uncomfortable number</p><p></p><h3>The framework: explainability is an altitude, not a property</h3><p>TRIZ &#8212; the inventive-problem-solving tradition built from studying how thousands of hard engineering contradictions were resolved &#8212; has a name for this move. When two requirements fight inside one system and no compromise satisfies both, you stop hunting for the compromise and *<em><strong>transition to the supersystem</strong></em>*: you let the larger system carry the property the component cannot. An engine cannot both burn hot for power and stay cool for longevity, so the cooling requirement moves outward, into a system wrapped around it. Nobody demands a cooler flame; they build a better surround.</p><p>Model performance and explainability are that contradiction exactly. The resolution is not a more interpretable model, bought with accuracy you cannot spare; it is a more intelligent system around the model you already run. Three altitudes, each with two moves &#8212; and most programs never leave the first, which is why they feel explainability as a tax on performance rather than a property of design.</p><p></p><h2>Altitude One &#8212; The model: decide what the model does not owe you</h2><h4>1. Let the decision set the standard, not the architecture</h4><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> How much explanation a decision requires is a function of its stakes, not the model&#8217;s internals. A recommendation you can reverse needs almost none; a decision that denies a livelihood needs a great deal. The standard is set by the consequence, and can never be read off the architecture.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> This is how MAS found mature banks operating. Its December 2024 information paper on AI Model Risk Management, from a thematic review of selected banks, observed that they applied global and local explainability methods and, in stronger cases, defined *the minimum level of explainability required for different use cases*. The same network can be fine behind a marketing ranker and unacceptable behind a credit refusal &#8212; nothing about the weights changed, only the altitude of the decision.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> You stop asking &#8220;is this model explainable?&#8221; and start asking &#8220;what does <em><strong>this decision</strong></em> require, and can our system produce it?&#8221; &#8212; set by model risk, the business owner and compliance together, before a model is chosen.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A one-page use-case explanation matrix: every live AI decision, its stakes tier, the standard that tier demands. The mismatches are your finding.</p><p></p><h4>2. Separate the two audiences of every explanation</h4><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> An explanation for a customer or regulator is a different object from one for an engineer. The first is a <em><strong>reason</strong></em> &#8212; why this outcome, in language a person can act on or contest. The second is a <em><strong>diagnosis</strong></em> &#8212; which feature moved the output, in numbers a builder can debug. A feature-attribution chart is a fine diagnosis and a useless reason.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> The regulators are unambiguous about which they want, and it is never the weights. MAS&#8217;s FEAT principles require that data subjects receive, on request, &#8220;clear explanations on what data is used to make AIDA-driven decisions about the data subject and how the data affects the decision,&#8221; and on &#8220;the consequences that AIDA-driven decisions may have on them.&#8221; The EU AI Act&#8217;s Article 86 grants a person subject to a high-risk decision the right to &#8220;clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken.&#8221; Both ask for a reason a human can hold.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> Every high-stakes use case gets two explanation templates &#8212; a reason-shaped artifact for the customer and regulator, a diagnosis-shaped one for the engineer. Different mechanisms, different owners.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> For your highest-stakes model, draft the two side by side. If you cannot fill the reason-shaped one without gesturing at a feature-importance plot, you have found the gap.</p><p></p><h2>### Altitude Two &#8212; The system: build the thing that produces the explanation</h2><h4>3. Instrument the model; do not interrogate it</h4><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> You cannot make an opaque process honest by staring harder at it. You wrap it in instruments. Post-hoc explanation methods, counterfactual probes, a challenger model in shadow, complete input-output logging &#8212; none of these open the box, and none need to. They are sensors bolted to an engine no one can see into, and together they produce the account the engine never could.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> The EU AI Act, tellingly, does not demand a high-risk model be inherently interpretable. It demands the *system* ship with the means to explain it: Article 13 requires the instructions for use to state &#8220;the technical capabilities and characteristics of the high-risk AI system to provide information that is relevant to explain its output&#8221; &#8212; the <strong>supersystem</strong> move, written into statute.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> Model risk owns an instrumentation specification, not a hope that the vendor&#8217;s model is legible: which explanation method attaches to which model, what is logged and for how long, whether a challenger runs alongside to catch the day the box and a transparent approximation disagree.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> An instrumentation sheet for your highest-materiality model &#8212; explanation method, logging retained, any challenger. Blank cells are the build backlog.</p><p></p><h4><strong>4. Make the human-in-the-loop an explanation surface, not a rubber stamp</strong></h4><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> Somewhere, a model&#8217;s output becomes an accountable human decision. That handover is the richest place in the whole system to capture a reason. A human who approves or overrides, and records why, converts a silent output into an explained decision &#8212; but only if the system is built to catch the sentence.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> Hong Kong&#8217;s regulator has made this structural. The HKMA&#8217;s guiding principles on generative AI in customer-facing applications, issued 19 August 2024, require that customers be able to request human intervention and that institutions continuously monitor generative outputs; its Deputy Chief Executive clarified in April 2025 that the human-in-the-loop is a safeguard scaled to the risk of the use case.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> The human-review step is redesigned to capture the reason at approval or override &#8212; a structured field, not a signature &#8212; so review produces a logged explanation instead of mere delay. Done well, your reviewers become your largest source of genuine reasons.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A revised review protocol for one high-stakes workflow, in which every human decision records a one-line reason in a retrievable field.</p><p></p><h2>Altitude Three &#8212; The institution: make the supersystem the unit of accountability</h2><h4>5. Audit the system, not the model</h4><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> Return to the aircraft. When a flight ends badly, the board does not interrogate the turbine and wait for a confession; it reads the recorder, the maintenance history and the crew testimony, and assembles an account the engine could never give. An institution that can only explain its AI by pointing at the model has no account at all.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> This is exactly the shape of explanation Article 86 requires &#8212; &#8220;the main elements of the decision taken,&#8221; assembled from the record, not extracted from the network. MAS makes the stakes explicit in its AI Model Risk Management paper: explainability is vital for accountability, inside the institution and toward the customer.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> You can assemble, for any challenged decision, the documents that constitute its explanation &#8212; the input record, the model version, the instrumentation output, the reviewer&#8217;s reason, the governing policy. Not a diagram of the model. A dossier from the system, owned by governance.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A decision-reconstruction pack for one live high-stakes decision: the exact artifacts you would assemble, and where each lives today. The gaps are the parts of your <strong>supersystem</strong> that do not yet exist.</p><p></p><h4><strong>6. Put the explanation on a clock</strong></h4><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> An explanation you cannot produce in time is not an explanation; it is an intention. Resilience engineering measures what matters by recovery time. Explanation is the same: not &#8220;could we, eventually, reconstruct why?&#8221; but &#8220;how many hours until we can?&#8221;</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> Article 86 gives an affected person the *right* to an explanation, and a right with no latency behind it is a right in name only. No regulator has yet named a number &#8212; this is the frontier &#8212; but the direction is one way.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> Time-to-explain becomes a tracked metric for your highest-stakes decisions: the measured hours to reconstruct, from the system, why one specific decision was made. Architecture and governance own the number.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> An explanation runbook for your most consequential AI decision, ending in one number: hours-to-reconstruct. The first time you run it, that number will embarrass someone. That is the point.</p><p>None of this is unique to finance. A pharmaceutical company whose model flags an adverse-event signal, a hospital deploying a diagnostic aid &#8212; each will one day be asked not &#8220;how does your model work?&#8221; but &#8220;why did it decide *this*, for *this* person, on <em><strong>this</strong></em> day?&#8221; That is answered by the <strong>supersystem</strong> or not at all, under whichever regulator holds jurisdiction. Regulated intelligence is wider than financial services, and the altitude problem is identical across it.</p><p></p><h3>A note on confidence</h3><p>The reader deserves the line between what is documented and what is argued. <em><strong>Confirmed</strong></em>, and linked below: the Digital Omnibus, approved by the Council on 29 June 2026, postponing the stand-alone Annex III high-risk regime &#8212; Article 13 included &#8212; to 2 December 2027, while Article 50 transparency holds at 2 August 2026; the verbatim texts of Articles 13 and 86; the MAS FEAT transparency principles; the MAS AI Model Risk Management paper of December 2024; the HKMA&#8217;s August 2024 generative-AI principles. One caveat: the Omnibus still awaits publication in the Official Journal, and until it appears the original dates remain, technically, the law plan against the new timeline, document against the old. <br><em><strong>Strong inference</strong></em>, from repeated observation rather than measurement: that most firms treat explainability as a model property, and are surprised by how little their instrumentation yields when a real explanation is demanded. I have seen this across jurisdictions; I have not seen it counted, and will not dress a pattern as a statistic. <em><strong>Design hypothesis</strong></em>, for argument: that time-to-explain is the metric this decade converges on, and that three altitudes is the right decomposition &#8212; fewer collapses the system into the model, more rebuilds the bureaucracy the <strong>supersystem</strong> was meant to replace. Disagree with that last one; I would like to be wrong cheaply.</p><p></p><h3>What a heat-map cannot say</h3><p>A diagnostic that takes an afternoon and tends to end the argument. <br>Ask your model-risk committee to produce, for one live high-stakes decision, the explanation a customer would actually receive. What comes back, reliably, is a feature-attribution chart &#8212; the third variable contributed 0.18, the seventh minus 0.04. A competent diagnosis and a worthless reason; no customer was ever consoled by a ranked list of partial derivatives. That gap is the whole distance between the model and the system you failed to build around it &#8212; visible in ten minutes, which is why so few teams look.</p><p></p><h3>What the kit does</h3><p>Knowing explainability lives in the <strong>supersystem</strong> is the easy half. Building it &#8212; turning &#8220;score the decision, instrument the model, reconstruct the account&#8221; into artefacts your risk and engineering teams can produce next week &#8212; is the work, and it is exactly the structured, repetitive work a well-made prompt does quickly. <br></p><p>This week&#8217;s <strong><a href="https://www.regulated-intelligence.com/p/prompt-kit-07-model-explainability">Prompt Kit is four sequenced prompts</a></strong>: the first builds the use-case explanation matrix that sets each decision&#8217;s standard, the second designs the instrumentation layer around a chosen model, the third turns the human-in-the-loop into a logged explanation surface, the fourth assembles the decision-reconstruction pack and its time-to-explain number. It is this essay&#8217;s framework rendered as something you run against a real model, not admire as a diagram.</p><p></p><h3>Run this in seventy-two hours</h3><p>Take your highest-stakes AI decision &#8212; the one that most affects a real person. Imagine that tomorrow a customer, or a regulator behind them, demands a clear and meaningful explanation of one specific instance of it. Ask four questions. Who produces it &#8212; a person, or a vendor you have to email? From what &#8212; a dossier the system assembled, or a model no one can read? In what form &#8212; a reason the person can act on, or a chart only your engineers understand? And in how many hours? Most readers reach the recognition by the third question: they spent their effort trying to make the model talk, when they should have been building the system that speaks for it. The black box was never going to explain itself. It was never supposed to. That was always the supersystem&#8217;s job &#8212; and Brussels just gave you until December of next year to build it, which is not the same as permission to wait.</p><p></p><p>If you are building AI governance for high-stakes decisions &#8212; and want a structured outside read on your explanation standards, your instrumentation layer, or your institution&#8217;s ability to reconstruct a decision on demand &#8212; mention it in your reply. </p><p>I take one such conversation per month. Specific beats general: name the decision that would be hardest to explain under pressure, and we will start there.</p><p></p><p>Replies to this post reach me directly. I read all of them.</p><h5>Regulated Intelligence &#8212; TRIZ &#215; AI | Regulated Markets. Written by JL CREPPY.</h5>]]></content:encoded></item><item><title><![CDATA[Prompt Kit 06 — AI Vendor Governance]]></title><description><![CDATA[Four prompts to rebuild your AI vendor scorecard around the metrics that actually de-risk you.]]></description><link>https://www.regulated-intelligence.com/p/prompt-kit-06-ai-vendor-governance</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/prompt-kit-06-ai-vendor-governance</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Tue, 30 Jun 2026 14:27:08 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Jegk!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98289774-d713-4794-bf0c-361f211a1129_256x256.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Four prompts to rebuild your AI vendor scorecard around the metrics that actually de-risk you.</p><p>They sequence from an audit of your current scorecard, to the model-transparency questions for your RFP, to the contract addendum and flow-down clause, to a concentration map with a time-to-substitute number. Designed for both technical and non-technical users.</p><p>Companion essay: &#8220;<a href="https://www.regulated-intelligence.com/p/your-vendor-scorecard-is-grading">Your Vendor Scorecard Is Grading the Wrong Company</a>&#8221;</p><div class="file-embed-wrapper" data-component-name="FileToDOM"><div class="file-embed-container-reader"><div class="file-embed-container-top"><image class="file-embed-thumbnail-default" src="https://substackcdn.com/image/fetch/$s_!0Cy0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack.com%2Fimg%2Fattachment_icon.svg"></image><div class="file-embed-details"><div class="file-embed-details-h1">Prompt Kit 06</div><div class="file-embed-details-h2">80.5KB &#8729; PDF file</div></div><a class="file-embed-button wide" href="https://www.regulated-intelligence.com/api/v1/file/8ce492d1-40e4-4248-b689-2abe6a72f665.pdf"><span class="file-embed-button-text">Download</span></a></div><a class="file-embed-button narrow" href="https://www.regulated-intelligence.com/api/v1/file/8ce492d1-40e4-4248-b689-2abe6a72f665.pdf"><span class="file-embed-button-text">Download</span></a></div></div><p>TRIZ &#215; AI | Regulated Markets &#183; JL CREPPY</p>]]></content:encoded></item><item><title><![CDATA[Your Vendor Scorecard Is Grading the Wrong Company]]></title><description><![CDATA[A traditional scorecard measures the supplier. Your AI risk lives in the model &#8212; and in the accountability you were never allowed to outsource.]]></description><link>https://www.regulated-intelligence.com/p/your-vendor-scorecard-is-grading</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/your-vendor-scorecard-is-grading</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Tue, 30 Jun 2026 14:25:31 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/b5bd42d4-76b6-46bf-8658-b5bfd1c06f3a_1456x816.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div><hr></div><p>On 18 November 2025, the three European Supervisory Authorities did something they had never done before. They published a list of the companies the financial system cannot afford to lose. The press release is dry the ESAs &#8220;publish today the list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act.&#8221; Read past the acronyms and it is remarkable: a banking regulator, an insurance regulator and a markets regulator agreed, jointly, on the firms whose failure would threaten European finance. None of them are banks. They are the cloud, data and infrastructure providers everyone else quietly runs on.</p><p>The criteria are worth holding onto, because a vendor scorecard never asks about them. The assessment weighed each provider&#8217;s &#8220;systemic importance, its role in supporting critical or important functions for financial entities, and the level of substitutability of its services.&#8221; Not revenue. Not certifications. Substitutability &#8212; how badly you are stuck if it changes or fails.</p><p>DORA had applied since January 2025; November is when it bit, the moment third-party concentration stopped being a slide in a risk deck and became a named supervisory object. Earlier this month the Financial Stability Board put the same anxiety into a global frame, consulting on twelve &#8220;sound practices&#8221; for AI adoption &#8212; a report it says draws on &#8220;financial institutions and their technology vendors.&#8221; The regulators have noticed where the dependency now lives. Most procurement functions have not caught up.</p><p></p><h3>The consensus is sharpening the wrong instrument</h3><p>Every third-party briefing this quarter is asking the same question: how do we get AI vendors into our vendor risk management process? Tighten the scorecard. Add a row for &#8220;AI.&#8221; Bolt a model-risk annex onto the supplier questionnaire and move on.</p><p>That instinct treats the scorecard as incomplete. It is not incomplete. It is pointed at the wrong entity. A traditional vendor scorecard was built to answer one question  <em><br>will this supplier still be standing next year</em>, and it answers that question well. Financial health, uptime, certifications, support responsiveness. But AI did not add a row to that question. It moved the risk to two places the scorecard has no column for: <strong>the model</strong>, which you cannot see into, and <strong>your own accountability</strong>, which you were never permitted to hand over. You cannot patch a measurement problem by measuring the same thing harder.</p><p>Here is the thesis, and it is meant to land somewhere uncomfortable. A vendor scorecard tells you whether the company will survive. Your regulator is measuring whether <strong><span data-color="#f1c232" style="color: rgb(241, 194, 50);">you</span></strong> will &#8212; and those are not the same audit. You can buy the capability. You cannot sell the accountability.</p><p><code>What follows:</code></p><p>- Why AI relocates risk from the supplier to the model &#8212; and why &#8220;the vendor is certified&#8221; stops being an answer</p><p>- The two metrics your selection process is missing: <strong>opacity</strong> and <strong>concentration</strong></p><p>- The two clauses that do the work a scorecard cannot: <strong>on-demand audit</strong>, and <strong>flow-down</strong> to the model behind your model</p><p>- The two operating metrics that matter after signature: <strong>compensatory testing</strong> in your context, and <strong>time-to-substitute</strong></p><p>- A seventy-two-hour diagnostic on your last three AI purchases that names which company your scorecard was really grading</p><p></p><h3>The framework: score the model, write the access, measure the dependency</h3><p>Three stages, following the life of a vendor relationship: selection, contract, operation. Each carries two metrics the traditional scorecard omits &#8212; and the omission is not carelessness but an artefact of the question the old scorecard was built to answer.</p><p>The contradiction underneath rewards naming. You want the vendor&#8217;s capability  that is why you are buying rather than building, but you cannot accept the vendor&#8217;s opacity, because your regulator holds <span data-color="#f1c232" style="color: rgb(241, 194, 50);">you</span> to account regardless. Outsource the build; insource the verification and the accountability. That separation is the whole design, and every missing metric falls straight out of it.</p><p></p><h4>Stage One &#8212; Selection: score the model, not the company</h4><p><code>1. Measure opacity, not just assurance</code></p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> Procurement rewards what it can inspect &#8212; certifications, audited accounts, reference calls. The trouble with AI is that its core risk sits in the part you cannot inspect: the training data, the weights, the behaviour at the edges. A scorecard that only credits the visible is structurally blind to what matters most.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> The Singapore MAS information paper on AI Model Risk Management names this directly. Third-party AI, it observes, brings &#8220;the lack of transparency&#8221; as &#8220;a key challenge,&#8221; because providers &#8220;may be reluctant to disclose proprietary information about their training data or algorithms, hindering banks&#8217; efforts in risk assessment and ongoing monitoring.&#8221; The Bank of England and FCA&#8217;s 2024 survey of AI in UK financial services found the predictable consequence: 46% of firms reported only &#8220;partial understanding&#8221; of the AI technologies they use, the gap concentrated in the third-party models they bought rather than built.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> Opacity becomes a scored dimension in selection, not a footnote discovered later. The RFP asks for training-data provenance, evaluation access, model-card depth and change-notification policy &#8212; and a vendor that will not answer scores worse than one that answers badly, because a known weakness is governable and an unknown one is not. Procurement, model risk and architecture own it together, not in sequence.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A model-transparency disclosure section appended to your AI RFP template; six to eight questions a vendor answers in writing before the commercial conversation starts.</p><p></p><p><code>2. Map the concentration, not just the contract</code></p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> Resilience engineering measures shared dependencies, not the quality of individual parts. Ten excellent components that all rest on one power supply is not a robust system; it is one failure wearing ten green lights.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);"> </span>This is the risk DORA&#8217;s designation was built to surface, with substitutability as a named criterion. The European Banking Authority&#8217;s outsourcing guidelines require firms to weigh &#8220;concentration risks at the sector level, e.g. where multiple institutions or payment institutions make use of a single service provider or a small group of service providers.&#8221; And it is already measurable: the Bank of England and FCA survey found the top three providers account for **73%, 44% and 33%** of all reported cloud, model and data providers respectively, while a third of AI use cases are now third-party implementations, up from 17% two years earlier.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> Concentration is mapped across the AI estate, not assessed one contract at a time &#8212; because a per-contract review structurally cannot see a cross-portfolio risk. Architecture owns the map; risk reads it. The question it answers: how many of our critical use cases trace back to the same foundation model, cloud region, or data provider.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A one-page concentration map. List your live AI use cases; behind each, name the underlying model and cloud region; count the use cases sharing a single model. That number is your finding.</p><p></p><h4>Stage Two &#8212; Contract: write the access you cannot see into the agreement</h4><p><code>3. The audit-and-notification clause</code></p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> When you cannot inspect something continuously, you contract for the right to inspect it on demand, and to be told when it changes. Every discipline that depends on something it cannot watch every second &#8212; aviation maintenance, food safety, reinsurance &#8212; writes the right to look, and the duty to disclose, into the agreement.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> MAS sets this out almost as a checklist. Legal agreements with third-party AI providers, the AI MRM paper advises, should include clauses on &#8220;performance guarantees, data protection, the right to audit, and notification when AI is introduced (or not incorporating AI without the bank&#8217;s agreement) in existing third-party providers&#8217; solutions.&#8221; That last clause is the quietly radical one &#8212; the right to be told when a vendor *adds* AI to a product you already bought without it. A traditional scorecard has no mechanism for a supplier silently becoming an AI vendor between renewals.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> These clauses become a standard addendum, drafted once and attached to every AI procurement, not renegotiated deal by deal &#8212; because a right you must argue for each time is a right you will eventually trade away under deadline. Legal, procurement and model risk own the template jointly.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A one-page AI contract addendum naming four non-negotiable clauses: right to audit, performance guarantees, data-protection terms, and change-notification &#8212; including when AI is newly introduced into an existing service.</p><p></p><p><code>4. The flow-down clause: reach the model behind your model</code></p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> A guarantee that stops at your direct supplier is not a guarantee; it is a handoff. The risk lives one layer down, in their suppliers, and obligations that do not pass downstream leak out the bottom of the chain.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> The EU AI Act writes this into law. Under Article 25, the provider of a high-risk AI system and a third party supplying a component &#8220;shall, by written agreement, specify the necessary information, capabilities, technical access and other assistance&#8221; needed for compliance. The EBA guidelines make the same demand of sub-outsourcing: a subcontractor must grant &#8220;the same contractual rights of access and audit&#8221; as the primary provider. Translated: your right to audit is worthless if it stops at the reseller and never reaches the foundation-model provider doing the actual work.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> The contract requires your vendor to pass audit and notification rights through to the model provider behind them &#8212; and you first establish which of your vendors are, in truth, reselling someone else&#8217;s model. Legal and architecture own this together, because you cannot write a flow-down clause for a dependency you have not mapped.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A flow-down clause for your addendum, plus a short list of which current AI vendors are intermediaries for a larger model provider. The list is usually longer than procurement expects.</p><p></p><h4>Stage Three &#8212; Operation: measure the dependency, not just the performance</h4><p><code>5. Compensatory testing in your own context</code></p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> You test the bridge under your traffic, not the manufacturer&#8217;s. A vendor&#8217;s benchmark describes the vendor&#8217;s conditions; your risk lives in yours &#8212; your data, your customers, your edge cases &#8212; and the gap between the two is where the unpleasant surprises wait.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> MAS calls this compensatory testing: &#8220;conducting rigorous testing of third-party AI models using various datasets and scenarios to verify the model&#8217;s robustness and stability in the bank&#8217;s context, and to detect potential biases.&#8221; The phrase &#8220;in the bank&#8217;s context&#8221; carries the whole point. A vendor&#8217;s 94% accuracy on their evaluation set tells you almost nothing about behaviour on the population you actually serve.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> You own an evaluation harness, run it on your data on a cadence &#8212; and you treat the vendor&#8217;s dashboard as a marketing artefact, not an assurance one. Model risk and engineering own the harness; its output is a drift metric you control, not one the vendor reports to you.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A context-specific test set for your highest-materiality third-party model, and one drift metric you own &#8212; measured by you, on your data, on a fixed interval.</p><p></p><p><code>6. Substitutability: measure time-to-exit</code></p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> Resilience is measured by recovery, not by uptime. For any dependency, the metric that matters is not how well it performs on a good day but how quickly you can replace it on a bad one. A supplier you cannot leave is not a supplier; it is a single point of failure with an invoice attached.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> This is the criterion the European regulators placed at the centre of the DORA designation &#8212; substitutability &#8212; and the contingency MAS asks firms to plan for: &#8220;developing robust contingency plans to address potential failures, unexpected behaviour of third-party AI, or discontinuing of support by vendors.&#8221; The accountability spine sits underneath it, and three regulators say it in nearly identical words. The HKMA: outsourcing transfers &#8220;day-to-day managerial responsibility, but not accountability.&#8221; The EBA: &#8220;the outsourcing of functions cannot result in the delegation of the management body&#8217;s responsibilities.&#8221; MAS, on outsourcing, expects an arrangement &#8220;managed as if the services were still managed by the Bank.&#8221; If the model fails and you cannot exit, the regulator does not turn to your vendor. It turns to you.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> Time-to-substitute becomes a tracked metric for high-materiality use cases &#8212; the measured cost, in days, of moving off the current model. Architecture and the product owner own it. A dependency you have never rehearsed leaving is one you do not actually understand.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A vendor-exit runbook for your single most critical AI use case, ending in one number: the realistic time-to-substitute. The first time you measure it, it will be longer than anyone guessed.</p><p></p><p>None of this is unique to finance. A pharmaceutical company validating a vendor&#8217;s model for adverse-event triage, an energy operator buying a model for load-balancing, a hospital deploying a supplier&#8217;s ambient documentation &#8212; each carries an accountability no contract can transfer, under a different regulator using the same logic. Regulated intelligence is wider than financial services, and the scorecard problem is identical across it.</p><div><hr></div><h3>A note on confidence</h3><p>The reader deserves the line between what is documented and what is argued. <em>Confirmed</em>, and linked below: the DORA designation and its substitutability criterion; the FSB consultation and its dates; the EBA guidelines on non-delegation and sector concentration; the HKMA and MAS accountability language; the MAS AI Model Risk Management paper&#8217;s third-party section; the Bank of England and FCA statistics. <em>Strong inference</em>, from repeated observation rather than measurement: that most firms&#8217; AI vendor scorecards are inherited wholesale from SaaS and IT procurement, carrying no column for model opacity, concentration, or time-to-exit. I have seen this across jurisdictions; I have not seen it counted at scale, and will not dress a pattern as a statistic. <em>Design hypothesis</em>, for argument: that time-to-substitute is the highest-leverage metric to add, and that six across three stages is the right granularity &#8212; fewer misses the model, more rebuilds the bureaucracy you were escaping. Disagree with that last one.</p><div><hr></div><h3>What the column count tells you</h3><p>A diagnostic that takes ten minutes and tends to settle the argument. Pull the vendor scorecard your team used on its last three AI purchases and sort its columns into two piles: those describing the <em>vendor</em> &#8212; revenue, headcount, certifications, SLA, support tier &#8212; and those describing the <em>model</em> &#8212; evaluation results on your own data, training-data provenance, audit rights actually exercised, measured time-to-substitute. The first pile is almost always full, the second almost always empty. That lopsidedness is not a gap in diligence. It is a portrait of which company you were really grading &#8212; rarely the one whose model is now making decisions about your customers.</p><div><hr></div><h3>What the kit does</h3><p>Knowing the scorecard is pointed at the wrong entity is the easy part. Rebuilding it &#8212; turning &#8220;score the model&#8221; into six questions your procurement and risk teams can run on Monday &#8212; is the work, and it is exactly the structured, repetitive work a well-built prompt does fast. This week&#8217;s Prompt Kit is four sequenced prompts: the first audits your existing scorecard for the missing columns, the second builds the model-transparency disclosure for your RFP, the third drafts the contract addendum and flow-down clause, the fourth produces the concentration map and time-to-substitute template. It is this essay&#8217;s framework rendered as something you run against your real vendor list, not admire as a diagram.</p><div><hr></div><h3>Run this in seventy-two hours</h3><p>Take your three most important AI vendors. For each, answer four questions without calling the vendor. Have we tested this model on our own data, or are we trusting their benchmark? Do we hold a written, exercisable right to audit it and to be told when it changes? If they retired it next quarter, how many days to substitute? And how many of our other critical use cases sit on the same underlying model? Most readers reach the recognition by the second vendor: the scorecard answered none of these. It certified the vendor was solvent and SOC 2 compliant &#8212; which is to say it graded a company that was never the source of the risk. That accountability, every regulator above agrees, did not move when the contract was signed. It is still sitting on your side of the table.</p><p>If you are rebuilding AI vendor governance &#8212; and want a structured outside read on your selection metrics, your contract addendum, or the concentration map of your AI estate &#8212; mention it in your reply. I take one such conversation per month. Specific beats general: name the vendor or use case that is keeping you up, and we will start there.</p><p></p><h3>What the Prompt kit does</h3><p>This week&#8217;s <a href="https://www.regulated-intelligence.com/p/prompt-kit-06-ai-vendor-governance">Prompt kit 6 is Four prompts</a> to rebuild your AI vendor scorecard around the metrics that actually de-risk you.</p><p></p><p>Replies to this post reach me directly. I read all of them.</p><h5>Regulated Intelligence &#8212; TRIZ &#215; AI | Regulated Markets. Written by JL CREPPY.</h5>]]></content:encoded></item><item><title><![CDATA[Prompt Kit 05 — Proportionate AI Governance]]></title><description><![CDATA[Four prompts to run the diagnostic from &#8220;Your Slowest AI Use Case Is Pricing All the Others&#8221; against your own AI delivery pipeline.]]></description><link>https://www.regulated-intelligence.com/p/prompt-kit-05-proportionate-ai-governance</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/prompt-kit-05-proportionate-ai-governance</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Mon, 22 Jun 2026 14:27:31 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Jegk!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98289774-d713-4794-bf0c-361f211a1129_256x256.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Four prompts to run the diagnostic from &#8220;Your Slowest AI Use Case Is Pricing All the Others&#8221; against your own AI delivery pipeline.</p><p>They sequence from a four-question materiality classifier, to a sort of your live AI inventory, to an explicit fast-lane skip-list, to a one-page graded gate map. Designed for both technical and non-technical users.</p><p>Companion essay: &#8220;<a href="https://www.regulated-intelligence.com/p/your-slowest-ai-use-case-is-pricing">Your Slowest AI Use Case Is Pricing All the Others</a>&#8221;</p><div class="file-embed-wrapper" data-component-name="FileToDOM"><div class="file-embed-container-reader"><div class="file-embed-container-top"><image class="file-embed-thumbnail-default" src="https://substackcdn.com/image/fetch/$s_!0Cy0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack.com%2Fimg%2Fattachment_icon.svg"></image><div class="file-embed-details"><div class="file-embed-details-h1">Prompt Kit 05</div><div class="file-embed-details-h2">83.6KB &#8729; PDF file</div></div><a class="file-embed-button wide" href="https://www.regulated-intelligence.com/api/v1/file/5dafc41a-ebe4-49fd-b397-f80559c89aca.pdf"><span class="file-embed-button-text">Download</span></a></div><a class="file-embed-button narrow" href="https://www.regulated-intelligence.com/api/v1/file/5dafc41a-ebe4-49fd-b397-f80559c89aca.pdf"><span class="file-embed-button-text">Download</span></a></div></div><p>TRIZ &#215; AI | Regulated Markets &#183; JL CREPPY</p>]]></content:encoded></item><item><title><![CDATA[Your Slowest AI Use Case Is Pricing All the Others]]></title><description><![CDATA[Speed and regulatory readiness are not a trade-off. Treating them as one is a sorting failure.]]></description><link>https://www.regulated-intelligence.com/p/your-slowest-ai-use-case-is-pricing</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/your-slowest-ai-use-case-is-pricing</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Mon, 22 Jun 2026 14:25:33 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/e7907739-1e82-4add-abb1-c515e682afe7_1456x816.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In March 2026, the financial industry was handed a seventeen-item answer to a question most firms had been asking backwards.</p><p>The MindForge consortium &#8212; two dozen banks, insurers and capital-markets firms convened under the Monetary Authority of Singapore &#8212; published its <em>AI Risk Management: Executive Handbook</em>, the operational companion to the MAS <em>Consultation Paper on Guidelines on Artificial Intelligence Risk Management</em>, issued on 13 November 2025 and closed to comment on 31 January 2026. The Handbook sets out seventeen Considerations spanning board accountability, third-party risk, data management, pre-deployment testing and ongoing monitoring. It is the most concrete articulation yet of what a regulator in this region expects an AI program to look like from the inside.</p><p>Buried in the consortium&#8217;s own description of its purpose is the line that matters more than the seventeen Considerations combined. The Handbook exists, in its authors&#8217; framing, to enable AI use that is &#8220;rapid but responsible.&#8221; Three words, one conjunction, and the entire tension of the regulated-AI program folded inside it. Everyone underlines &#8220;responsible.&#8221; Almost nobody asks how the &#8220;rapid&#8221; survives contact with it.</p><p>That is the question this essay is about. Not what controls to add the Handbook lists those well enough. The question is why most firms experience every new control as a tax on speed, and what the firms that don&#8217;t have understood that the rest have missed.</p><h3>The consensus is reading it as an addition problem</h3><p>Steering committees are already turning the seventeen Considerations into a program backlog, and the backlog is already being described, with a straight face, as the reason the AI roadmap has slipped two quarters. Seventeen Considerations; build seventeen capabilities; check seventeen boxes; deploy.</p><p>That reading misses the load-bearing word in the entire document. It is not &#8220;governance.&#8221; It is &#8220;proportionate.&#8221; The organising principle of both the Guidelines and the Handbook is that controls scale to risk &#8212; that the depth of governance applied to an AI use case is a function of how much damage that use case can do, not a flat tariff levied on all of them equally. The consensus treats the Handbook as a longer checklist. Read correctly, it is the opposite: a licence to do less, deliberately, almost everywhere &#8212; so that you can do far more where it counts.</p><p>Here is the thesis, and it is meant to sting a little. <em>Speed and regulatory readiness only trade off when you refuse to sort.</em> A portfolio governed by a single gate pays the compliance cost of its most dangerous use case on every use case it ships &#8212; and then calls the bill &#8220;prudence.&#8221;</p><h3>What follows:</h3><p>- Why the AI inventory is a speed instrument, not a compliance chore &#8212; and why most firms build it last</p><p>- The risk-materiality classifier that turns one queue into three, and the four questions that drive it</p><p>- How &#8220;prior action&#8221; &#8212; readiness built before deployment, not during it &#8212; is the only thing that makes a gate fast</p><p>- Why two deployment lanes beat one, and what the fast lane is actually allowed to skip</p><p>- A seventy-two-hour diagnostic that will tell you, uncomfortably, which gate your last ten deployments were really waiting behind</p><p></p><h2>The framework: sort, pre-load, release</h2><p>The framework has three stages, and they are strictly ordered. You cannot pre-load readiness for a use case you have not classified, and you cannot run differentiated lanes if you have not pre-loaded the controls each lane depends on. Sort, then pre-load, then release.</p><p>There is a TRIZ move underneath it, and it is worth naming once. A contradiction that looks unwinnable the system must be both fast and rigorous usually dissolves the moment you stop demanding both <em><strong>in general</strong></em>. Separate the requirements by condition. Be rigorous where the stakes are high, fast where they are not, and let a classifier decide which is which. The rest of this is engineering.</p><p></p><h1>Stage One &#8212; Sort (before anything ships)</h1><p>You cannot move fast on anything until you know what is allowed to move fast. Sorting is not the bureaucratic prelude to the work. It is the work that makes everything downstream cheap.</p><h2>1. The AI inventory as a speed instrument</h2><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> Every system that triages a hospital, an airport, a help desk &#8212; begins by knowing what is in the queue. You cannot prioritize a queue you cannot see. The inventory is not a record-keeping artefact; it is the precondition for ever treating two items differently.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> The Executive Handbook&#8217;s sixth Consideration requires firms to ensure AI inventory capabilities that record and maintain core information on AI use cases. In financial services the inventory is invariably built last and resented most a compliance deliverable assembled the week before an examination. That sequencing is exactly inverted. The inventory is the first thing that lets you go fast, because it is the thing that lets you decide what <em><strong>not</strong></em> to govern heavily.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> The inventory is owned by whoever owns delivery velocity, not by whoever owns the audit response. Its primary consumer is the person deciding which use case ships next quarter, not the examiner arriving next year. If your AI inventory lives in the second line of defense and nowhere else, it has been built for the wrong reader.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A single register with one column most inventories lack: <span data-color="#ffff00" style="color: rgb(255, 255, 0);">a materiality tier</span>. Not a description. A verdict.</p><h2>2. The risk-materiality classifier</h2><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> Triage works because it sorts on consequence, not on category. The emergency room does not prioritize by which limb is involved; it prioritizes by what happens if the patient waits. Good sorting asks one question: how bad is &#8220;wrong&#8221; here?</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> The Handbook&#8217;s fifth Consideration directs firms to enhance use-case-level risk management through risk-materiality assessments, proportionate controls, and pre- and post-deployment reviews. Public commentary on the MAS Guidelines has converged on four dimensions that drive that assessment: <span data-color="#ffff00" style="color: rgb(255, 255, 0);">the significance of the impact on customer outcomes, the financial loss if the model fails, the reputational exposure, and the criticality to ongoing operations</span>. A model that drafts internal meeting summaries and a model that shapes a claims decision are not the same animal, and the entire point of proportionality is to stop pretending they are.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span> </strong>The classifier is a one-page rubric: four questions, a forced ranking  high, medium, low and no ties permitted. The roles affected are the use-case sponsor, who proposes the tier, and a risk owner, who can challenge it. Critically, the classifier runs in hours, not weeks. A sorting function that is itself slow has reintroduced the problem it was built to solve.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> The four-question rubric, applied retroactively to your ten most recent AI deployments. The distribution will surprise you, and the surprise is the finding.</p><p></p><h1>Stage Two &#8212; Pre-load (before the queue forms)</h1><p>This is TRIZ Inventive Principle #10, Prior Action, applied to governance: perform the required change in advance, so it need not be performed in the rush. A gate is slow when every passage through it is bespoke. A gate is fast when the controls it checks for were built, approved and shelved months earlier, waiting to be picked up.</p><h2>3. The reusable control library</h2><p><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern. </span>No fast-moving operation re-engineers its safety equipment per journey. The fire door, the circuit breaker, the seatbelt &#8212; pre-built, pre-certified, installed on demand. Speed at the moment of action comes from rigour completed before it.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> Most firms assemble guardrails per use case, which means every high-materiality deployment re-litigates prompt-injection defences, human-override design, logging standards and &#8212; for any agentic use case &#8212; the zero-trust controls at the agent boundary that a high-materiality classification should make non-negotiable. The Handbook expects use cases to be built with appropriate guardrails. It does not require that they be invented from scratch each time. A control library is how &#8220;appropriate&#8221; becomes &#8220;already on the shelf.&#8221;</p><p>*<strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong>* The platform or architecture function owns a versioned catalogue of pre-approved controls. The high-materiality lane assembles from the catalogue; it commissions bespoke controls only at the genuine frontier. This is the difference between a readiness function that scales and one that becomes the bottleneck everyone routes around.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A list &#8212; even a short one of the five controls your high-materiality use cases always need, with an owner for each and an honest note on which are built versus aspirational.</p><h2>4. The graded pre-deployment gate</h2><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);"> </span>A gate that asks every traveller the same hundred questions is not secure; it is theatre with a queue. Real screening varies its depth by risk, and is trusted precisely because it does.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> The Handbook calls for thorough testing and review prior to deployment. &#8220;Thorough&#8221; is not the same as &#8220;uniform.&#8221; For a low-materiality use case, thorough may be a one-page attestation against the control library. For a high-materiality use case, thorough is a full adversarial review with documented sign-off. Same principle, calibrated depth. The firms that run one gate at maximum depth are not safer than the firms that grade it; they are merely slower, and they have taught their delivery teams that governance is the enemy of shipping.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> The gate is a branch, not a wall. The materiality tier set in Stage One selects the review depth. Low clears in days against pre-built controls; high gets the scrutiny it earns. The role that changes most here is the reviewer, who stops being a uniform bottleneck and becomes a risk-weighted allocator of their own scarce attention.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A one-page gate map: three tiers down the side, the required evidence for each across the top. One page. If it needs more than one, it is not yet a decision aid.</p><h1>Stage Three &#8212; Release (and keep watching)</h1><h2>5. Differentiated deployment lanes</h2><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern.</span></strong> Every mature logistics system runs more than one speed of delivery. Express and standard are not a failure to standardize; they are the standard. One lane for everything optimizes for the wrong case.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation.</span></strong> The Handbook asks firms to consider risk-informed deployment options. Read that phrase slowly: the regulator&#8217;s companion document is explicitly endorsing differentiated release. A low-materiality summarization tool and an agentic underwriting assistant should not share a deployment path, an approval chain, or a rollback posture. The firm that forces them to has not reduced risk on the dangerous one; it has only added drag to the harmless one.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation. </span></strong>Two lanes, minimum: a fast lane for low-materiality use cases that clears on attestation against pre-built controls, and a gated lane for high-materiality use cases with full review and named accountability. A third, middle lane is optional and usually emerges on its own. The product owner takes the lane the classifier assigns and cannot self-upgrade to the fast lane without re-classification.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A written definition of what the fast lane is allowed to skip. This is the hardest and most clarifying artefact in the entire framework, because it forces you to state, on paper, the risks you have consciously decided are acceptable to move quickly on.</p><h2>6. Proportionate monitoring</h2><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The universal pattern</span></strong><em><strong>. </strong></em>Attention after launch should follow consequence, the same way attention before launch did. You do not watch the smoke detector in the store cupboard as closely as the one over the stove.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">The regulated-industries manifestation</span></strong><em><strong>. </strong></em>The Handbook requires ongoing monitoring of AI use cases to ensure they remain fit for purpose over time. Proportionality does not stop at deployment. High-materiality use cases earn real-time drift and performance monitoring; low-materiality ones earn periodic review. Monitoring everything equally produces the same failure as gating everything equally scarce attention spread thin enough to miss the case that mattered.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">Your translation.</span></strong> Monitoring cadence is set by the materiality tier, recorded against the inventory entry, and owned by the use-case sponsor with second-line oversight on the high tier. The same four-question verdict that set the gate depth now sets the watch interval. One sort, used three times.</p><p><strong><span data-color="#3d85c6" style="color: rgb(61, 133, 198);">What to build by Friday.</span></strong> A monitoring-cadence column added to the inventory quarterly for low, continuous for high &#8212; so the watch plan is visible the day the use case ships, not reconstructed after an incident.</p><p></p><p>None of this is peculiar to finance. A pharmaceutical company validating a generative model for adverse-event triage, an energy operator placing AI in load-balancing, a hospital network deploying ambient clinical documentation, each faces the identical sorting problem under a different regulator, and each pays the same hidden tax if it refuses to sort.</p><p></p><h3>A note on confidence</h3><p>The seniority of the reader deserves the distinction. What is <em>confirmed</em>: the MAS Consultation Paper&#8217;s dates and scope, the existence and structure of the MindForge Executive Handbook and its seventeen Considerations, and the proportionality principle running through both; these are matters of public record, cited above and linked below. What is <em><strong><span data-color="#f1c232" style="color: rgb(241, 194, 50);">strong inference</span></strong></em> from observed pattern, not documented fact: that the default failure mode in regulated AI programs is the single uniform gate, and that it is the largest uncosted drag on delivery velocity in most portfolios. I have seen this repeatedly across jurisdictions; I have not seen it measured at industry scale, and I will not pretend the plural of steering-committee anecdote is data. What is <em>design hypothesis</em>, offered for testing rather than asserted: that two-to-three lanes is the right number, and that a four-dimension classifier is sufficient. Fewer lanes under-sort; more lanes re-introduce the overhead you were trying to escape. That one is worth arguing with.</p><p></p><h3>The diagnostic</h3><p>It takes an afternoon. Take your last ten AI deployments. For each, write down two dates: when it was ready to ship, and when it actually shipped. Then, for each, name the single governance step that consumed the gap. The pattern is reliable enough that I will predict it before you run it: most of your delay was low-materiality work waiting behind a review designed for a use case far more dangerous than it was. The summarization tool sat in the queue behind the underwriting model&#8217;s risk assessment, inherited its scrutiny, and waited. You did not govern the harmless thing. You taxed it at the dangerous thing&#8217;s rate.</p><p></p><h3>What the Prompt kit does</h3><p>Reading about proportionate governance is pleasant. Knowing which of your own use cases are over-governed, and which are dangerously under-governed, is the part that changes what you build next week. That is mechanical work; apply a rubric, sort a list, define a lane and mechanical work is exactly what a well-built prompt does fast and consistently. This week&#8217;s <a href="https://www.regulated-intelligence.com/p/prompt-kit-05-proportionate-ai-governance">Prompt Kit is four sequenced prompts</a>: the first builds your materiality classifier, the second runs your existing inventory through it, the third drafts the fast-lane skip-list, and the fourth produces the one-page gate map. It is the sorting machine in this essay, rendered as something you can run on Monday against your real portfolio rather than admire as a diagram.</p><p></p><h3>Run this in seventy-two hours</h3><p>Open your AI inventory &#8212; or, if you have none, list your AI use cases on one page, which is itself the finding. Tier each one high, medium or low against four questions: <strong><span data-color="#ffff00" style="color: rgb(255, 255, 0);">customer impact, financial loss on failure, reputational exposure, operational criticality</span></strong>. Now look at how each is governed today. If a use case you tiered &#8220;<span data-color="#ffff00" style="color: rgb(255, 255, 0);">low</span>&#8221; went through the same review as one you tiered &#8220;<span data-color="#ffff00" style="color: rgb(255, 255, 0);">high</span>,&#8221; you have found a tax you have been paying without booking it. If a use case you tiered &#8220;<span data-color="#ffff00" style="color: rgb(255, 255, 0);">high</span>&#8221; took the same fast path as a &#8220;<span data-color="#ffff00" style="color: rgb(255, 255, 0);">low</span>,&#8221; you have found something worse than a tax. The uncomfortable recognition most readers reach, somewhere around use case number six, is that their governance has been sorting on visibility who shouted loudest rather than on consequence. That is the gap. It has been hiding inside the word &#8220;thorough.&#8221;</p><p>If you are standing up a proportionate AI governance model &#8212; and want a structured outside read on your materiality classifier, your lane definitions, and the specific controls your fast lane is allowed to skip, mention it in your reply. </p><p>I take one such conversation per month. Specific beats general: name the use case that is currently stuck, and we will start there.</p><p></p><p>Replies to this post reach me directly. I read all of them.</p><p></p><p><strong>Regulated Intelligence &#8212; TRIZ &#215; AI | Regulated Markets. Written by JL CREPPY.</strong></p>]]></content:encoded></item><item><title><![CDATA[Prompt Kit 04 — Mixed-Environment Chain Audit]]></title><description><![CDATA[An interactive audit you can run against your own AI delivery pipelines, paired with &#8220;Governing the System When the System Is Not Just AI&#8221; on Regulated Intelligence.]]></description><link>https://www.regulated-intelligence.com/p/prompt-kit-04-mixed-environment-chain</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/prompt-kit-04-mixed-environment-chain</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Sun, 14 Jun 2026 12:54:30 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Jegk!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98289774-d713-4794-bf0c-361f211a1129_256x256.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The toolkit walks you through four steps: map your AI workflows by governance class, identify the cross-class handoffs that have no contract, classify the chain-level accountability gaps, and produce a single chain-level governance manifest for your highest-stakes workflow.</p><p>Built for both technical and non-technical practitioners. The output is an artefact your AI Centre of Excellence can put in front of a supervisor &#8212; not a generic checklist.</p><p>Companion essay: <em><a href="https://www.regulated-intelligence.com/p/governing-the-system-when-the-system">Essays/Governing the System When the System Is Not Just AI</a></em></p><div class="file-embed-wrapper" data-component-name="FileToDOM"><div class="file-embed-container-reader"><div class="file-embed-container-top"><image class="file-embed-thumbnail-default" src="https://substackcdn.com/image/fetch/$s_!0Cy0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack.com%2Fimg%2Fattachment_icon.svg"></image><div class="file-embed-details"><div class="file-embed-details-h1">Prompt Kit 04</div><div class="file-embed-details-h2">339KB &#8729; PDF file</div></div><a class="file-embed-button wide" href="https://www.regulated-intelligence.com/api/v1/file/c8c994f0-745e-4959-81c4-8097cf4d9103.pdf"><span class="file-embed-button-text">Download</span></a></div><a class="file-embed-button narrow" href="https://www.regulated-intelligence.com/api/v1/file/c8c994f0-745e-4959-81c4-8097cf4d9103.pdf"><span class="file-embed-button-text">Download</span></a></div></div><p></p><p>TRIZ &#215; AI | Regulated Markets &#183; JL CREPPY</p>]]></content:encoded></item><item><title><![CDATA[Governing the System When the System Is Not Just AI]]></title><description><![CDATA[The chain crosses agentic, GenAI, deterministic and human workflows. The frameworks don&#8217;t.]]></description><link>https://www.regulated-intelligence.com/p/governing-the-system-when-the-system</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/governing-the-system-when-the-system</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Sun, 14 Jun 2026 12:51:57 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/0678cf55-0f69-465a-af1d-41abd36ce133_1456x816.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>After eighteen years operating across six regulated jurisdictions, the AI governance gap that surfaces most consistently in my work is the one no current framework names cleanly.</p><p>It is not the agentic accountability problem &#8212; Singapore IMDA&#8217;s Model AI Governance Framework for Agentic AI v1.5 names that. It is not the chained accountability problem inside agentic systems &#8212; my last essay covered that through the lens of TRIZ Local Quality. It is the gap one level up: governance frameworks address single classes &#8212; agentic, GenAI, model risk, data governance &#8212; but most real-world AI workflows in regulated industries are mixed environments. Agentic systems hand off to deterministic rules engines. GenAI summaries feed human reviewers. Human approvals trigger orchestrated agentic actions. Each link is governed by a different framework. The chain itself, as a unit of governance, is governed by none.</p><p>I have not seen this composition problem cleanly named in any framework I have read. That is the gap this essay names.</p><h3></h3><div><hr></div><h3>The Gap Defined</h3><p>The MAS November 2025 <em><strong>Consultation Paper on AI Risk Management for Financial Institutions</strong></em> addresses AI risk in regulated FIs. IMDA&#8217;s Agentic AI Framework v1.5 (May 2026) addresses agentic systems specifically. ISO/IEC 42001 addresses AI management systems. NIST AI RMF addresses AI risk management. Each is rigorous within its scope. Each leaves a structural problem at the boundary.</p><p>The problem is not inside any framework. It is in what happens between them.</p><p>Consider the actual shape of a credit decision in a modern regulated financial institution. The application arrives in a deterministic rules engine that performs eligibility filters. A GenAI component produces a structured narrative summary of the applicant&#8217;s profile. An agentic policy lookup queries the firm&#8217;s exception-handling history and recommends a decision tier. A human reviewer reads the GenAI summary and the agent&#8217;s recommendation and chooses to override, escalate, or approve. The approved decision flows through a deterministic booking system that updates the loan portfolio.</p><p>That is one workflow. Four governance classes. Four different frameworks. One chain.</p><p>When the decision is wrong, and they will be wrong &#8212; accountability traces back across class boundaries. The rules engine logged its filter outcome cleanly. The GenAI summary&#8217;s reasoning is partial and difficult to reconstruct. The agentic recommendation carries the IMDA v1.5 attribution chain within its own boundary, but the boundary itself is the discontinuity. The human reviewer&#8217;s override rationale sits in free text. The booking system logged its parameters but not the reasoning that produced them.</p><p>Reconstructing the decision requires assembling evidence across four governance regimes, each speaking a different language about risk, control, and accountability. The supervisor asking *who decided* receives four partial answers. None is wrong. None is complete.</p><h3></h3><div><hr></div><h3>TRIZ Frame &#8212; Inventive Principle #5: Merging</h3><p>TRIZ Inventive Principle #5, <strong>Merging or Consolidation</strong>, instructs the designer to combine in space or time related operations that have been treated as separate. Applied to mixed-environment AI governance, the implication is structural: the governance overlay must be the chain itself, not the components.</p><p>Most current AI governance investment runs in the opposite direction. Each class gets its own discipline. Agentic AI gets agentic governance. Model risk gets MRM. Data lineage gets data governance. Rules engines get business-process management. The chain that runs across them gets a project manager.</p><p>The structural fix inverts that allocation. Govern the chain explicitly. Treat each class as a node within it. Class-specific governance becomes a property of nodes. Chain governance becomes the binding artefact.</p><h3></h3><div><hr></div><h3>Three Implications for Regulated Financial Services</h3><h4>First: every multi-class chain needs an explicit governance manifest.</h4><p> A document that names each link&#8217;s class &#8212; deterministic, GenAI, agentic, human &#8212; the framework applicable to that link, the handoff contract between adjacent links, and the chain-level accountability assignment. Most current chain documentation describes the workflow as a process. The governance manifest describes the chain as a regulated artefact, audit-defensible end-to-end. The institutions that name this artefact first will be the ones whose first cross-class supervisory examination resolves cleanly.</p><h4>Second: handoff contracts are the load-bearing element, and they do not yet exist.</h4><p>When an agentic system hands off to a deterministic rules engine, what evidence accompanies the handoff? When a human reviewer overrides an agentic recommendation, what reasoning is captured in a form the downstream rules engine can act on? Most current handoffs lose the reasoning at the class boundary. The fix is structural: every cross-class handoff must carry forward four things &#8212; <code>the input state, the reasoning trace, a confidence indicator, and the named human accountable for the decision to hand off</code>. Handoff contracts borrow directly from API contract design and inter-team RACI matrices. They are new in AI governance practice. They will not be new in twenty-four months.</p><h4>Third: incident response must span classes natively. </h4><p>When a credit decision is challenged, the response cannot triage to <strong>the AI team</strong> or <strong>the rules team</strong>, it must trace the chain. This requires a single chain-level incident protocol, not class-level protocols stitched together at the end of the investigation. Most current incident response stitches. The chain breaks at the seams. The fix is operational rather than architectural; a single incident-response runbook keyed to chain identifiers, with class-specific evidence collection as steps within that runbook rather than as separate workflows.</p><h3>What&#8217;s Worth Doing Tomorrow</h3><p>For any AI program with a multi-class chain in production, three actions are worth taking before the next governance review.</p><p><em><strong>1- Map your chains by class.</strong></em> For your top three AI workflows, draw the chain and label each link with its governance class. Count the cross-class boundaries. That count is the number of handoff contracts you need.</p><p><em><strong>2- Write one handoff contract end-to-end.</strong></em> Pick the highest-stakes cross-class boundary in your portfolio. Specify what evidence crosses, what reasoning is preserved, what accountability is named. This is the artefact regulators will increasingly expect to see when they begin to ask about chains as chains rather than as collections of governed components.</p><p><em><strong>3- Designate a chain owner.</strong></em> Not a process manager. An accountable role whose remit is the chain as a unit &#8212; across classes. This role does not exist in most current AI governance organisation charts. It is the role the supervisor will ask for first when the cross-class examination begins.</p><div><hr></div><h3>Closing</h3><p>The frameworks are not wrong. They are addressing what they were designed to address. The gap is what runs between them &#8212; and the supervisor asking <em><strong>who decided</strong></em> will increasingly not accept four partial answers.</p><p></p><p>The mixed-environment governance gap will be named by a regulator within the next twenty-four months. The frameworks that name it will probably start in agentic-rich jurisdictions &#8212; Singapore&#8217;s IMDA, the EU&#8217;s evolving AI Act guidance, perhaps the UK&#8217;s emerging AI assurance ecosystem. The institutions that already have chain-level governance manifests will be ready. The institutions stitching frameworks at the seams will not.</p><p></p><p>Which chain in your AI portfolio currently has no chain-level accountability assigned &#8212; and what is the first cross-class handoff in it that carries no contract?</p><div><hr></div><p><em><strong>Acknowledgement: This essay draws on peer conversations in the IT GRC, ISO 42001, and ISMS communities. The structural insight that mixed-environment composition is the gap most current frameworks miss came from those exchanges and is credited generally rather than specifically out of respect for private feedback channels.</strong></em></p><p></p><p><strong>This essay accompanies the </strong><em><strong><a href="https://www.regulated-intelligence.com/p/prompt-kit-04-mixed-environment-chain">Mixed-Environment Chain Audit Prompt Kit</a> </strong></em><strong>&#8212; An interactive audit you can run against your own AI delivery pipelines, paired with &#8220;Governing the System When the System Is Not Just AI&#8221; on Regulated Intelligence.<br><br><br>Download it alongside this essay on Regulated Intelligence.</strong></p><p></p><p><strong>Regulated Intelligence &#183; TRIZ &#215; AI &#183; Regulated Markets</strong></p>]]></content:encoded></item><item><title><![CDATA[Prompt Kit 03 — Agent Chain Accountability]]></title><description><![CDATA[Four prompts to run the accountability-diffusion audit from &#8220;The Agentic AI Governance Gap Most CoEs Are About to Discover&#8221; against your own chained agentic AI workflows.]]></description><link>https://www.regulated-intelligence.com/p/prompt-kit-03-agent-chain-accountability</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/prompt-kit-03-agent-chain-accountability</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Sun, 07 Jun 2026 14:22:00 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Jegk!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98289774-d713-4794-bf0c-361f211a1129_256x256.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Four prompts to run the accountability-diffusion audit from &#8220;<em>The Agentic AI Governance Gap Most CoEs Are About to Discover</em>&#8221; against your own chained agentic AI workflows.</p><p>Sequenced from agent chain discovery and mapping, through accountability allocation per IMDA v1.5&#8217;s five-role taxonomy (platform / system / prompt / workflow / end-user), to HITL effectiveness audit against the override-rate and response-time guidance, finishing with the vendor governance reframe that absorbs agent provenance into procurement.</p><p>Each prompt produces the operational artefact that closes a specific structural gap in agentic AI governance. Anchored on the IMDA Model AI Governance Framework for Agentic AI v1.5, section 2.2.1 (published 20 May 2026).</p><p>Designed for both technical and non-technical users.</p><p>Companion essay: [<a href="https://www.regulated-intelligence.com/p/the-agentic-ai-governance-gap-most">LINK to Essays/The Agentic AI Governance Gap Most CoEs Are About to Discover</a>]</p><div class="file-embed-wrapper" data-component-name="FileToDOM"><div class="file-embed-container-reader"><div class="file-embed-container-top"><image class="file-embed-thumbnail-default" src="https://substackcdn.com/image/fetch/$s_!0Cy0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack.com%2Fimg%2Fattachment_icon.svg"></image><div class="file-embed-details"><div class="file-embed-details-h1">Prompt Kit 03</div><div class="file-embed-details-h2">357KB &#8729; PDF file</div></div><a class="file-embed-button wide" href="https://www.regulated-intelligence.com/api/v1/file/82bbfe38-c974-4f41-9cea-b8c61d4d91bf.pdf"><span class="file-embed-button-text">Download</span></a></div><a class="file-embed-button narrow" href="https://www.regulated-intelligence.com/api/v1/file/82bbfe38-c974-4f41-9cea-b8c61d4d91bf.pdf"><span class="file-embed-button-text">Download</span></a></div></div><p></p><p>TRIZ &#215; AI | Regulated Markets &#183; JL CREPPY</p>]]></content:encoded></item><item><title><![CDATA[The Agentic AI Governance Gap Most CoEs Are About to Discover]]></title><description><![CDATA[IMDA&#8217;s Model AI Governance Framework for Agentic AI v1.5, published 20 May 2026, names a problem most enterprise governance programs have not yet absorbed: when agents chain, accountability diffuses.]]></description><link>https://www.regulated-intelligence.com/p/the-agentic-ai-governance-gap-most</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/the-agentic-ai-governance-gap-most</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Sun, 07 Jun 2026 14:01:40 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/bb7df057-508f-45c6-a233-eeb71b269883_1456x816.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>IMDA&#8217;s Model AI Governance Framework for Agentic AI v1.5, published 20 May 2026, names a problem most enterprise governance programs have not yet absorbed: when agents chain, accountability diffuses. Here is what that means in practice &#8212; and why the proportionality logic underpinning MAS and IMDA&#8217;s joint trajectory needs to extend into multi-agent workflows immediately.</strong></p><div><hr></div><p>Single-agent governance is largely a solved problem. The architecture is the same one most regulated financial institutions already operate. A risk-tiered review process. Model documentation aligned to the proportionality clause. Human-in-the-loop checkpoints at high-stakes decisions. Audit trails for individual model outputs. The system works because every AI action is traceable to a single model, and behind that model, a single accountable owner.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.regulated-intelligence.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Regulated Intelligence! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>The current frontier is not single-agent AI. It is <strong>Agentic AI</strong> &#8212; systems where one agent invokes the tools of another, where orchestrators coordinate sub-agents, where third-party agents are introduced through emerging protocols like Model Context Protocol. IMDA&#8217;s v1.5 framework names this evolution directly: &#8220;<em><strong>Compared to generative AI, AI agents can take actions, adapt to new information, and interact with other agents and systems to complete tasks on behalf of humans.</strong></em>&#8221;</p><p></p><p>The governance question that follows is not technical. It is structural: </p><h3 style="text-align: center;"><strong>when an action takes place at the end of a chain involving multiple agents, multiple platforms, and multiple human actors at different points in the value chain, who is accountable?</strong></h3><p>IMDA&#8217;s framework calls this the <strong>accountability diffusion problem</strong>. Most Centres of Excellence have not yet noticed they have it.</p><p></p><h3>TRIZ Frame &#8212; Inventive Principle #3: Local Quality</h3><p>TRIZ Inventive Principle #3 &#8212; <strong>Local Quality,</strong>  instructs the designer to make each part of an object operate under conditions optimal for its specific function, rather than under uniform conditions. Applied to agentic AI governance, the implication is direct: <strong>accountability is not uniform across an agent chain.</strong></p><p>In a chained workflow, five distinct accountabilities operate at five different links:</p><h4>The <strong>platform provider</strong></h4><p> the LLM vendor, the orchestration framework, the agent-as-a-service vendor &#8212; is accountable for model behaviour, alignment evaluation, and documentation of known failure modes. This is the layer where MAS FEAT principles and IMDA Trusted AI guidance land most directly.</p><h4>The system integrator</h4><p> the team building the chained workflow itself &#8212; is accountable for what tools each agent can invoke, how context is managed between agents, what permissions cascade through the chain, and what change-management process governs upgrades to any link in the chain.</p><h4>The prompt designer</h4><p> is accountable for how each agent&#8217;s instructions translate to actions, including reactions to adversarial or malformed inputs. This is increasingly a security discipline, not a content discipline.</p><h4>The workflow owner</h4><p> the business function deploying the agent system &#8212; is accountable for whether the chain&#8217;s outputs are appropriate for the business decision they influence. This is the layer the IMDA framework most clearly addresses in section 2.2.</p><h4>The end-user</h4><p> is accountable for how they invoke and validate the agent&#8217;s work. Here automation bias becomes the dominant risk. The IMDA framework names this explicitly: &#8220;<em><strong>human-in-the-loop has to be adapted to address automation bias, which has become a bigger concern with increasingly capable agents.</strong></em>&#8221;</p><p>Each role carries a different <strong>local quality</strong> requirement. Each accountability gap creates a different failure mode. <em><strong>Uniform agentic governance that treats the chain as a single accountable system is structurally incoherent</strong></em><strong>.</strong></p><p>This is what IMDA&#8217;s framework, particularly section 2.2.1 of v1.5, asks organisations to map explicitly. Most CoE governance documents do not currently support this mapping.</p><p></p><h3>Three Implications for Regulated Financial Services</h3><p><em><strong>First: The MAS proportionality logic must extend into the agent chain &#8212; proportionality applies to each step, not to the workflow as a whole.</strong></em> A multi-agent workflow that includes both a low-risk summarisation step and a high-risk decision step cannot inherit a single tier classification. The chain has a *risk profile*, not a tier. The MAS November 2025 *Consultation Paper on AI Risk Management for Financial Institutions* anchors proportionality firmly to single-model deployments. Applied naively to agentic AI, the proportionality clause produces incoherent classifications: either over-restricting the low-risk summarisation step (because the whole chain inherits the high-risk decisioning tier) or under-scrutinising the high-risk decisioning step (because the chain entry-point looks like a copilot use case). The fix is structural: tier the chain step-by-step, not the workflow as a whole. The institutional discipline required to do this is harder than it sounds. Most existing AI inventories cannot even *represent* a multi-agent chain in a single record.</p><p><em><strong>Second: Vendor governance must absorb agent provenance, not just model provenance.</strong></em> A traditional AI vendor governance review asks: which model is being used, what is its training-data lineage, what audit reports are available, what is the change-management process. An agentic workflow vendor governance review must additionally ask: which agents are in the chain, which tools can each agent invoke, what is the least-privilege baseline for each agent, who provides each agent (vendor, platform, in-house), and what is the change-management process when any agent in the chain is updated independently. The IMDA v1.5 framework adds explicit guidance on the distinction between platform providers and system providers in the agentic value chain &#8212; and that distinction is the load-bearing one for vendor governance. Procurement functions that have not yet absorbed this distinction are signing contracts they cannot accurately assess. The first sign of this gap: a vendor risk assessment that names a foundation-model provider but does not name the orchestration layer, the agent registry, or the tool-permissioning infrastructure as separate vendor entities.</p><p><em><strong>Third: Human-in-the-loop must be redesigned around automation bias, not around oversight theatre.</strong></em> The IMDA framework names this directly. Most existing HITL designs in regulated AI assume the human reviewer will catch errors when prompted to review an output. Empirically, this fails &#8212; particularly when reviewers face high volume, time pressure, or repeated near-identical outputs. The framework recommends monitoring *override rates and response times* as the indicator that HITL is functioning. A CoE that cannot produce these metrics for its current HITL checkpoints does not have functioning oversight &#8212; regardless of what the documentation says. The discipline is operational, not architectural: instrument the override rate, alert when it drops below a threshold, treat low override rate as the failure signal rather than the success signal. Most internal dashboards for AI governance currently report the inverse.</p><p></p><h3>What&#8217;s Worth Doing Tomorrow</h3><p>For any CoE leader reading this with an agentic AI initiative either in production or in the pipeline, three actions are worth taking before the next governance review:</p><p><em><strong>Map the agent chain</strong></em><strong>.</strong> For each workflow involving more than one agent, draw the chain on a single page. Mark which platform provides each agent, which tools each agent can invoke, what data each agent can access, and who the business owner is at each link. If the chain cannot fit on a single page, that is the first finding &#8212; the chain is more complex than the governance documentation acknowledges.</p><p><em><strong>Identify the diffusion point</strong>s.</em> For each link in the chain, ask: if this step caused material harm, who is the specific named human accountable? The answer should not be &#8220;the project sponsor.&#8221; That is decorative governance. The answer should be a specific role with a specific decision authority who can demonstrate, in writing, what they signed off on. Where the answer is unclear or shared across multiple roles, that is a diffusion point &#8212; and it requires explicit re-allocation, not implicit assumption.</p><p><em><strong>Test the human-in-the-loop</strong></em><strong>.</strong> For any HITL checkpoint in your agentic workflows, pull the override rate and response time data for the last 90 days. If you cannot pull it, the HITL is decorative. If you can pull it and the override rate is zero, the HITL is decorative. If the response time is consistently below the time required to actually review the artefact, the HITL is decorative. The fix is not adding more reviewers. It is redesigning the checkpoint so the reviewer&#8217;s role is one they can actually perform.</p><p></p><h3>A Living Document Asks for Living Work</h3><p>The IMDA v1.5 framework names itself as a living document. The expectation is that it will evolve as the technology evolves. The work the framework asks of organisations is also living. The CoE that builds an agent governance architecture aligned to v1.5 *now* is the CoE that does not need to redesign it when v1.6 lands. The CoE that waits for v2.0 is the CoE that will discover the gap during a regulatory examination, not before it.</p><p>The accountability diffusion problem is not solved by writing a longer governance document. It is solved by mapping the chain, naming the responsible humans at each link, and instrumenting the oversight that has to remain functional as the chain extends.</p><p>Which step in your most consequential agentic workflow currently has no named accountable owner?</p><div><hr></div><p><strong>This essay accompanies the </strong><em><strong><a href="https://www.regulated-intelligence.com/p/prompt-kit-03-agent-chain-accountability">Agent Chain Accountability Prompt Kit</a></strong></em><strong>&#8212; four prompts to run the accountability-diffusion audit against your own chained agentic AI workflows.<br><br>Download it alongside this essay on Regulated Intelligence.</strong></p><p></p><div><hr></div><p><strong>Regulated Intelligence &#183; TRIZ &#215; AI &#183; Regulated Markets</strong></p><p>*<strong>Source: <a href="https://www.imda.gov.sg/-/media/imda/files/about/emerging-tech-and-research/artificial-intelligence/mgf-for-agentic-ai.pdf">IMDA Model AI Governance Framework for Agentic AI v1.5</a>, published 20 May 2026, available at imda.gov.sg</strong></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.regulated-intelligence.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Regulated Intelligence! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Your AI Centre of Excellence Is a Governance Mirage]]></title><description><![CDATA[Most AI CoEs produce frameworks nobody reads, dashboards nobody trusts, and approval gates nobody can explain. The fix is structural, not procedural.]]></description><link>https://www.regulated-intelligence.com/p/your-ai-centre-of-excellence-is-a</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/your-ai-centre-of-excellence-is-a</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Sun, 31 May 2026 15:54:27 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/e69ce164-4501-4e7d-9a61-cf5a00e9e9bb_1456x816.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Five days ago, Gartner published a prediction that should make every AI steering committee uncomfortable: by 2027, forty per cent of enterprises will demote or decommission autonomous AI agents because governance gaps were identified only after production incidents. Not before. After.</p><p>The proximate cause, according to Gartner, is uniform governance, the same controls applied to every AI agent regardless of autonomy level. Over-restrict the simple ones, you get shadow development. Under-restrict the autonomous ones, you get incidents that reach the board before the risk committee hears about them.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.regulated-intelligence.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Regulated Intelligence! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>Two months earlier, Singapore MAS concluded phase two of Project MindForge and published an AI Risk Management Toolkit with a consortium of twenty-four banks, insurers, and capital market firms. The Toolkit&#8217;s centrepiece is an Operationalisation Handbook, practical guidance for implementing the AI risk management framework MAS proposed in its November 2025 consultation paper. The implicit message: MAS does not believe the industry can operationalise AI governance from first principles alone. It commissioned the handbook because the gap between governance-on-paper and governance-in-practice was wide enough to require a structured bridge.</p><p>These two events, read together, say the same thing from different angles. <br>The governance most organisations have built for AI is not wrong in intent. <br><br>It is wrong in structure.</p><div><hr></div><h3>The differentiation</h3><p>The consensus response to AI governance gaps is predictable: more policy, more review gates, more framework documents. Every consultancy in the region is selling &#8220;AI governance maturity assessments&#8221; that produce colour-coded matrices and recommend additional layers of oversight.</p><p>This essay argues the opposite. The problem is not insufficient governance. The problem is that most AI Centres of Excellence have optimised for the appearance of governance &#8212; artefacts that satisfy audit questions &#8212; rather than for the operational capacity to make and track consequential decisions about AI in production.</p><p>The distinction matters because governance artefacts and governance capacity produce entirely different organisational behaviours. One produces documents. The other produces decisions.</p><div><hr></div><h3>Thesis</h3><p><strong>The most dangerous AI governance is the kind that looks good in a board deck but cannot answer three questions: what is in production, what risk does each carry, and who decided.</strong></p><div><hr></div><h3>What is inside</h3><p>- <strong>Why the &#8220;centre of excellence&#8221; model defaults to governance theatre</strong> &#8212; the structural incentives that make artefact-production easier than decision-making</p><p>- <strong>A three-tier operating model</strong> &#8212; what to fix on Day 1 (mandate and taxonomy), Week 1 (operating rhythm), and Month 1 (capability transfer) &#8212; with specific artefacts for each</p><p>- <strong>The proportional governance principle</strong> &#8212; why uniform controls fail and what risk-proportionate review actually looks like in a regulated environment</p><p>- <strong>A diagnostic you can run on Monday</strong> &#8212; four questions that reveal whether your AI CoE is governing or performing</p><div><hr></div><p></p><h3>The framework: Day 1 / Week 1 / Month 1</h3><h4>Day 1 &#8212; Mandate clarity and risk taxonomy</h4><p>The single highest-leverage fix for a struggling AI CoE is not a new framework. It is a clear, written mandate that answers four questions: what decisions does the CoE make (not &#8220;advise on&#8221; &#8212; *make*), what decisions require escalation, who is accountable for each decision class, and what happens when someone bypasses the process?</p><p>Most CoE charters answer none of these. They describe the CoE&#8217;s purpose in aspirational terms &#8212; &#8220;accelerate AI adoption,&#8221; &#8220;ensure responsible AI,&#8221; &#8220;drive innovation&#8221; &#8212; without specifying decision rights. A charter that says &#8220;ensure responsible AI&#8221; is a mission statement. A charter that says &#8220;the CoE approves or rejects all AI deployments that interact with customer data, with escalation to the CRO for any model that influences pricing or underwriting decisions&#8221; is a governance mandate. The difference is the difference between decoration and authority.</p><p><strong>The universal pattern.</strong> Decision rights are the irreducible foundation of governance. Without explicit decision rights, a governance function defaults to advisory &#8212; and advisory functions get bypassed the moment they slow delivery.</p><p><strong>The regulated-industries manifestation.</strong> In financial services and insurance, the MAS AI Risk Management Guidelines (proposed November 2025) expect boards and senior management to establish &#8220;frameworks, structures, policies and processes for AI risk management.&#8221; The critical word is *structures* &#8212; MAS is not asking for documents alone. It is asking for organisational design that assigns accountability. The MindForge Toolkit reinforces this: its Operationalisation Handbook walks through governance structures precisely because policy documents alone were insufficient across the twenty-four-firm consortium.</p><p><strong>Your translation.</strong> Pull your CoE charter. If it does not specify which decisions the CoE owns, which it escalates, and what the consequence of bypass is, it is not a governance document. It is a brochure. The people who need to care about this are the CoE lead, the CTO, and the CRO. If any of them cannot recite the decision rights from memory, the mandate is not operational.</p><p><strong>What to build. </strong>A one-page decision-rights matrix: rows are decision types (new deployment, model update, data source change, vendor integration, exception request), columns are CoE authority level (approve, escalate, advise, inform). Circulate it to every AI project lead. If someone is surprised by what is on it, the mandate was not previously clear.</p><div><hr></div><p></p><p>The second Day 1 action is a risk taxonomy that is actually used. Not a risk register &#8212; a taxonomy. The distinction: a risk register is a compliance artefact that catalogues individual risks. A taxonomy is a classification system that determines how every AI initiative is governed from its first week.</p><p><strong>The universal pattern. </strong>Proportional governance requires a classification scheme. Without it, every initiative receives the same scrutiny &#8212; which means either too much friction for low-risk tools or too little scrutiny for high-risk deployments. This is precisely the failure mode Gartner identified: &#8220;Enterprises are treating AI agent governance as binary &#8212; either locked down or fully trusted.&#8221;</p><p><strong>The regulated-industries manifestation.</strong> Singapore MAS&#8217;s proposed guidelines distinguish between AI used in customer-facing or regulated activities and AI used in internal operations. The former is subject to &#8220;more exacting standards around explainability, fairness, human oversight and testing.&#8221; This is not a suggestion to treat all AI the same. It is an explicit instruction to differentiate. Yet a surprising number of AI CoEs in the region apply a single review process to everything from an internal document-summarisation tool to a customer-facing underwriting model.</p><p><strong>Your translation.</strong> If your review process for a Slack bot takes the same calendar time as your review for a credit-decisioning model, your taxonomy is not functioning. The roles affected: AI project leads (who will finally understand why some projects move faster), the risk function (who gains a defensible basis for proportional review), and the CoE itself (which stops drowning in low-risk approvals).</p><p><strong>What to build.</strong> A three-tier classification: <br><strong>Tier 1 </strong>(internal, no customer data, no regulated decision &#8212; fast-track review, CoE informed), <br><strong>Tier 2</strong> (customer-adjacent or uses sensitive data &#8212; standard review, CoE approves), <strong>Tier 3</strong> (customer-facing, regulated decision, or autonomous action &#8212; full review, CRO escalation). Map every current AI initiative to a tier. The mapping exercise alone will reveal initiatives that have never been classified.</p><div><hr></div><p></p><h4>Week 1 &#8212; Operating rhythm and proportional review</h4><p>Governance without cadence is governance without memory. A CoE that meets quarterly to review AI initiatives is not governing &#8212; it is auditing, badly, with a three-month lag.</p><p><strong>The universal pattern.</strong> The operating rhythm of a governance function determines its relevance. Too infrequent, and decisions are made without it. Too frequent with too broad a scope, and it becomes a bottleneck that teams route around. The design challenge is matching cadence to decision velocity.</p><p><strong>The regulated-industries manifestation. </strong>AI deployment cycles in regulated financial services are accelerating &#8212; particularly with agentic AI, where a new agent can move from prototype to production in weeks, not quarters. A quarterly governance cadence designed for traditional model risk management cannot keep pace. The MindForge consortium&#8217;s experience underscores this: the Toolkit exists partly because the gap between deployment speed and governance speed had become a structural problem across multiple institutions.</p><p><strong>Your translation. </strong>Redesign the CoE operating rhythm around three cadences: weekly triage (fifteen minutes &#8212; new requests classified by tier, blockers surfaced), monthly deep review (Tier 2 and 3 initiatives reviewed against risk taxonomy, decisions recorded), and quarterly portfolio review (full AI portfolio mapped against strategic objectives, retirement candidates identified). The weekly triage is the critical addition. Without it, the CoE learns about new AI initiatives only when they are already in production or already in trouble.</p><p><strong>What to build. </strong>A single-page operating rhythm document specifying: who attends each cadence, what is reviewed, what decisions are made (not discussed &#8212; made), and where decisions are recorded. Publish it. If the rhythm document does not exist, neither does the rhythm.</p><div><hr></div><p>The second Week 1 action: implement proportional review that the organisation actually respects. This means review depth scaled to risk tier, with explicit cycle-time targets for each tier.</p><p><strong>The universal pattern.</strong> Proportional review fails when it exists in policy but not in practice. The most common failure: Tier 1 reviews that take three weeks because the process was designed for Tier 3. Teams learn that the CoE adds three weeks to everything, and they stop submitting. Shadow AI accelerates. The CoE&#8217;s portfolio view becomes incomplete. Governance degrades precisely because the governance process was too heavy.</p><p><strong>The regulated-industries manifestation. </strong>MAS&#8217;s expectation of board and senior management oversight does not mean every AI deployment requires board attention. It means the governance structure must ensure appropriate oversight reaches the appropriate level. A well-functioning proportional review gives the board confidence that Tier 3 initiatives are rigorously governed, while Tier 1 initiatives move at a pace that discourages bypass.</p><p><strong>Your translation. </strong>Set explicit cycle-time commitments: Tier 1 classification confirmed within 48 hours, Tier 2 review completed within two weeks, Tier 3 review completed within four weeks with CRO sign-off. Publish these targets. Measure against them. If the CoE consistently misses Tier 1 targets, the process is too heavy. If it consistently clears Tier 3 in under a week, the review is too shallow. Both are governance failures, just in different directions.</p><p><strong>What to build. </strong>A proportional review protocol with documented cycle-time targets, escalation triggers, and a bypass-reporting mechanism. The bypass report is not punitive &#8212; it is diagnostic. If teams are bypassing, the process has a design flaw. Fix the process, not the teams.</p><div><hr></div><p></p><h4>Month 1 &#8212; Capability transfer and federated enablement</h4><p>A CoE that hoards governance capability is a bottleneck by design. The Month 1 objective is building the organisational muscle for governance to operate at the edge &#8212; in the business units, in the project teams &#8212; without the CoE being in the room.</p><p><strong>The universal pattern.</strong> Centralised governance scales linearly with headcount. Federated governance scales with organisational capability. The transition from centralised to federated is the maturity move that separates CoEs that accelerate from CoEs that obstruct. But federation without standards is fragmentation. The CoE&#8217;s role shifts from gatekeeper to standard-setter and auditor.</p><p><strong>The regulated-industries manifestation. </strong>In multi-jurisdictional regulated environments &#8212; Singapore, Hong Kong, Bermuda, Dubai &#8212; the federated model is not optional. Each jurisdiction has distinct regulatory expectations. A Singapore-centric CoE that attempts to centrally govern AI deployments in Hong Kong under MAS-only standards will either slow Hong Kong delivery to a crawl or, more likely, be ignored entirely. The MindForge Toolkit, notably, was built by a multi-institution consortium &#8212; an implicit acknowledgment that governance standards must be developed collaboratively across organisational boundaries, not imposed from a single centre.</p><p><strong>Your translation.</strong> Identify two to three business units with active AI delivery. Embed a governance liaison from the CoE (or train an existing team member) who can perform Tier 1 classifications and initial Tier 2 assessments locally. The CoE retains Tier 3 authority and audit rights. This is not delegation of responsibility &#8212; it is distribution of capability with retained accountability. The CTO and business unit heads need to agree on this model explicitly, because it changes who does the work without changing who carries the risk.</p><p>**What to build.** A capability-transfer package: the risk taxonomy (from Day 1), the proportional review protocol (from Week 1), a classification decision tree (if X, then Tier Y), and a quarterly self-assessment template that each federated unit completes for CoE review. The self-assessment is not optional &#8212; it is the mechanism that prevents federation from becoming fragmentation.</p><div><hr></div><p>This framework also applies beyond financial services. Any organisation in a regulated industry &#8212; pharmaceutical, energy, telecommunications, defence, healthcare &#8212; deploying AI at scale faces the same structural tension between centralised governance and operational speed. The proportions change; the architecture does not.</p><div><hr></div><p></p><h3>A note on confidence</h3><p>The structural argument &#8212; that governance artefacts and governance capacity are different things &#8212; is confirmed by the pattern across every AI CoE engagement this author has observed and by the MindForge consortium&#8217;s decision to build an operationalisation handbook rather than another policy template. The three-tier classification scheme is a strong inference from regulatory expectations (MAS, HKMA) and Gartner&#8217;s proportional governance recommendation, but the specific tier boundaries will vary by organisation. The cycle-time targets (48 hours, two weeks, four weeks) are design hypotheses calibrated to regulated FS delivery cadences &#8212; they should be tested and adjusted, not adopted as gospel. The capability-transfer model is well-established in mature organisations but remains aspirational for most AI CoEs currently operating in the APAC region.</p><div><hr></div><h3>The diagnostic worth running</h3><p>Here is a pattern worth examining. Ask your AI CoE lead to produce, within one hour, a complete list of every AI initiative currently in production across the organisation. Not in development. In production. Classify each by risk tier. Name the individual who approved each deployment.</p><p>The result is reliably instructive. Thirty to fifty per cent of AI initiatives in production have never been formally classified. Approval records, where they exist, point to email threads rather than decision logs. And the list itself is almost always incomplete &#8212; because initiatives that bypassed the CoE are, by definition, not in the CoE&#8217;s portfolio view.</p><p>This is not an indictment of the people running the CoE. It is an indictment of the structure they were given to work with. A CoE without decision rights, without a risk taxonomy, and without an operating rhythm that matches deployment velocity will produce exactly this result &#8212; regardless of the talent operating it.</p><div><hr></div><h3>The tool that makes this operational</h3><p>Reading about governance architecture is useful. Knowing which parts of your current structure are missing is what changes what you build next week. The Prompt Kit does that work &#8212; four sequenced prompts that walk from mandate audit through risk taxonomy design, operating rhythm specification, to capability-transfer planning. Each prompt is designed to surface the specific gap in your current governance structure and produce the artefact that closes it.</p><p>The first prompt audits your existing CoE charter against the decision-rights framework described above. The fourth produces the capability-transfer package for your first federated unit. Run them in sequence. The output is not a report &#8212; it is the governance infrastructure itself.</p><div><hr></div><h3>The close</h3><p>Here is a diagnostic to run before your next steering committee. Pull up your AI CoE&#8217;s last board-ready governance report. Count the number of pages dedicated to frameworks, policies, and maturity models. Now count the number of pages that answer these three questions: what AI is in production today, what risk tier is each initiative classified under, and who specifically approved each one.</p><p>If the ratio is more than three to one in favour of frameworks over decisions, your CoE is governing the idea of AI. Not the reality of it.</p><p>The good news: the fix is structural, not cultural. Decision rights, risk taxonomy, proportional review, operating rhythm, capability transfer. Five components. Each one buildable. Each one measurable. The hard part is admitting that the current structure, however professionally it presents &#8212; is not yet doing the work it was designed to do.</p><p>That admission, in the author&#8217;s experience, is the actual Day 1.</p><div><hr></div><p></p><p><strong>This essay accompanies the </strong><em><strong><a href="https://www.regulated-intelligence.com/p/prompt-kit-02-ai-coe-governance-architecture">AI CoE Governance Architecture Prompt Kit</a></strong></em><strong>&#8212; four prompts to run the diagnostic against your own AI delivery program. <br>Download it alongside this essay on Regulated Intelligence.</strong></p><p></p><p>If you are leading an AI Centre of Excellence in a regulated environment and recognise the pattern described here &#8212; governance artefacts that satisfy audits but do not drive decisions &#8212; a structured outside read on mandate design, risk taxonomy calibration, and operating rhythm can compress months of iteration into weeks. I take one such conversation per month. Mention it in your reply.</p><p>Replies to this post reach me directly. I read all of them.</p><p></p><h5>Regulated Intelligence &#8212; TRIZ x AI | Regulated Markets. Written by JL CREPPY.</h5><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.regulated-intelligence.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Regulated Intelligence! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Prompt Kit 02 — AI CoE Governance Architecture]]></title><description><![CDATA[Four prompts to run the diagnostic from &#8220;Your AI Centre of Excellence Is a Governance Mirage&#8221; against your own AI delivery program.]]></description><link>https://www.regulated-intelligence.com/p/prompt-kit-02-ai-coe-governance-architecture</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/prompt-kit-02-ai-coe-governance-architecture</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Sun, 31 May 2026 15:51:30 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Jegk!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98289774-d713-4794-bf0c-361f211a1129_256x256.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p></p><p>Four prompts to run the diagnostic from &#8220;Your AI Centre of Excellence Is a Governance Mirage&#8221; against your own AI delivery program.</p><p>Sequenced from mandate audit through risk taxonomy design, operating rhythm specification, to capability-transfer planning &#8212; each prompt produces the governance artefact that closes a specific structural gap.</p><p>Designed for both technical and non-technical users.</p><p>Companion essay: <em><a href="https://www.regulated-intelligence.com/p/your-ai-centre-of-excellence-is-a?r=6divnd">Your AI Centre of Excellence Is a Governance Mirage</a></em></p><div class="file-embed-wrapper" data-component-name="FileToDOM"><div class="file-embed-container-reader"><div class="file-embed-container-top"><image class="file-embed-thumbnail-default" src="https://substackcdn.com/image/fetch/$s_!0Cy0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack.com%2Fimg%2Fattachment_icon.svg"></image><div class="file-embed-details"><div class="file-embed-details-h1">Prompt Kit 02</div><div class="file-embed-details-h2">294KB &#8729; PDF file</div></div><a class="file-embed-button wide" href="https://www.regulated-intelligence.com/api/v1/file/17d290b3-a807-4d39-9c05-89d4141313e0.pdf"><span class="file-embed-button-text">Download</span></a></div><a class="file-embed-button narrow" href="https://www.regulated-intelligence.com/api/v1/file/17d290b3-a807-4d39-9c05-89d4141313e0.pdf"><span class="file-embed-button-text">Download</span></a></div></div><p> </p><h5><code>TRIZ x AI | Regulated Markets &#183; JL CREPPY</code></h5>]]></content:encoded></item><item><title><![CDATA[Your AI Governance Is Solving the Wrong Problem]]></title><description><![CDATA[Speed and quality look like a trade-off in regulated AI delivery. They aren't. They're a segmentation failure &#8212; and TRIZ names the resolution.]]></description><link>https://www.regulated-intelligence.com/p/your-ai-governance-is-solving-the</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/your-ai-governance-is-solving-the</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Sun, 24 May 2026 14:17:12 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/0803a96e-18f3-48e5-b3e7-e80cb3eda225_1456x816.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Speed and quality are not a trade-off in regulated AI delivery. They look like one &#8212; which is exactly why most programs spend the first year solving the wrong problem.</p><p>Every AI team in regulated financial services lives inside the same room: deliver fast enough to justify the investment, deliver carefully enough to survive the audit. Most organisations respond by applying uniform governance to everything &#8212; the same review cycle for a meeting summariser as for a pricing model. The result is predictable. Everything moves at the speed of the highest-risk use case. The organisation concludes that &#8220;AI is slow to deploy.&#8221; Leadership funds more reviewers. Delivery slows further. The story closes with a budget cut and a quiet conclusion that the technology was not yet mature.</p><p>The technology was not the problem. The segmentation was.</p><p></p><h3>The TRIZ Frame: Principle #1 &#8212; Segmentation</h3><p>TRIZ &#8212; the Theory of Inventive Problem Solving &#8212; gives this contradiction a precise name. Speed and quality of an AI deployment look like opposing parameters of one system. They are not. They are properties of three different systems being mistakenly treated as one.</p><p>Inventive Principle #1 &#8212; Segmentation &#8212; instructs you to divide an object into independent parts so that each part can be optimised for its own dominant property. Applied to AI delivery in regulated environments, the insight is structural. An AI delivery pipeline is at least three systems stacked together:</p><h5>The Experimentation Layer.</h5><p>Hypotheses are tested, prompts are iterated, models are evaluated against synthetic or anonymised data. Risk is near zero &#8212; no customer data, no production integration, no regulatory exposure. Governance should be lightweight: version control, experiment logging, peer review. Anything heavier here is theatre.</p><h5>The Integration Layer.</h5><p> A validated model connects to production data sources, APIs, downstream systems. Risk increases &#8212; data lineage matters, access controls matter, error handling matters. Governance is engineering governance: code review, integration testing, security validation.</p><h5><strong>The Deployment Layer.</strong></h5><p>Model output reaches customers, influences decisions, or generates regulatory artefacts. Risk is maximal. Governance is regulatory governance: model cards, bias testing, explainability documentation, human-in-the-loop validation, audit trails.</p><p>The contradiction dissolves when you stop treating these as one pipeline. Speed belongs to the experimentation layer. Quality belongs to the deployment layer. The integration layer is the bridge, and its governance is proportionate to its function &#8212; not inherited from the layer below it, not anticipated from the layer above it.</p><p></p><h3>Three Implications for Regulated Financial Services</h3><h5>First: Tiered governance is not regulatory arbitrage &#8212; it&#8217;s regulatory alignment. </h5><p>The Monetary Authority of Singapore&#8217;s November 2025 *Consultation Paper on Proposed Guidelines on AI Risk Management for Financial Institutions* states that controls &#8220;should be applied based on their relevance and be proportionate to the assessed risk materiality of AI usage.&#8221; It further specifies that the guidelines &#8220;may be applied in a proportionate manner &#8212; commensurate with the size and nature of FIs&#8217; activities, use of AI, and their risk profile.&#8221; That is not a softening clause. It is the operational principle. A risk-tiered delivery framework is not sidestepping compliance; it is implementing what the regulator asked for. Organisations applying uniform heavyweight governance to every AI use case are, paradoxically, less aligned with regulatory intent than those operating a tiered model. The same proportionality logic threads through MAS FEAT principles and the broader trajectory of Asian regulatory guidance on AI. Proportionality is the regulatory ask. Uniform governance is the institutional answer to a question the regulator did not ask.</p><p></p><h5>Second: Segmentation forces an explicit risk taxonomy, which is where most organisations fail.</h5><p>Uniform governance persists because it avoids the harder question: what actually makes an AI use case high-risk? Segmentation demands a taxonomy &#8212; who consumes the output, what decisions it influences, what the blast radius of failure looks like, whether the output is advisory or deterministic, whether a customer can detect the error before the firm can. Building this taxonomy is uncomfortable because it requires cross-functional agreement between technology, risk, legal, and business. It is the load-bearing work that makes everything else possible &#8212; and the work that program leaders most consistently underestimate.</p><p>A diagnostic worth running before the architecture: ask your AI risk committee to list every AI use case in production, then to risk-classify each one. The result is reliably surprising. A meaningful fraction &#8212; frequently 30&#8211;50% &#8212; turns out to be rule-based automation rebranded as AI for budget purposes, or pilot demos that never had a target deployment, or vendor tools whose actual data flows are unclear. These are not high-risk use cases. They are *unrisk-classifiable*, which is a different problem with a different fix. Most governance machines treat unrisk-classifiable as Tier 3 by default, which is exactly how you end up with the uniform-treatment failure mode the regulator did not ask for. The taxonomy work is the moment the inventory stops being a list and becomes a map.</p><p></p><h5><strong>Third: The bottleneck is almost never the model &#8212; it&#8217;s the approval chain.</strong></h5><p> In most regulated AI deployments, the model itself is validated in days or weeks. The months-long timeline comes from routing every use case through the same committee structure, the same documentation template, the same sign-off hierarchy. Segmenting the pipeline means segmenting the approval chain. A Tier 1 (internal-facing, advisory) use case should not require the same governance artefacts as a Tier 3 (customer-facing, decision-influencing) deployment. When the approval chain is uniform, the technical pipeline has nowhere to express its segmentation. Form forces function.</p><p></p><h3>The Practitioner Test</h3><p>If you lead an AI program in a regulated environment, run this diagnostic on your current pipeline.</p><p>Pick your fastest-deployed AI use case and your slowest. Map the governance steps each went through. If the steps are identical, you have a segmentation problem &#8212; not a speed problem and not a quality problem. The contradiction is artificial, and the resolution is structural.</p><p>Go further. For each governance step the slowest use case went through, ask one question: what specific risk does this step mitigate, and how would I know if the mitigation worked? If the answer is &#8220;it&#8217;s part of the process,&#8221; that step is decorative governance. It slows you down without making you safer. Multiply the time cost of every decorative step across your pipeline, and you will find the actual source of the &#8220;AI is slow&#8221; narrative. It was never the technology.</p><p>The organisations that will scale AI in regulated markets are not the ones that move fastest or govern hardest. They are the ones that know precisely which parts of the pipeline need which kind of rigour &#8212; and waste nothing applying governance where it does not reduce risk.</p><p>The argument here is anchored in financial services because that is where the regulatory pressure currently sits sharpest. But the segmentation logic is industry-agnostic. Any sector where governance is applied uniformly to a multi-layered delivery pipeline &#8212; pharma, energy, defence, healthcare, telecommunications &#8212; carries the same misdiagnosis and resolves it the same way.</p><p></p><h3>What&#8217;s Worth Doing Tomorrow</h3><p><strong>Open your AI governance documentation.</strong> Find the steps your slowest deployment passed through. For each step, write one sentence naming the specific risk it mitigates and the observable signal that the mitigation worked.</p><p><strong>The steps that resist the sentence are decorative.</strong> Most pipelines carry 30&#8211;50% decorative governance &#8212; the technical term for *work that slows delivery without reducing risk*. The number is rarely zero. It is rarely under 20%. It is most often the largest single source of the lag every program blames on the technology.</p><p><strong>You will recognise the moment you find them.</strong> They are the steps everyone privately knows are theatre but nobody removes, because nobody owns the removal.</p><p>That is the work. The TRIZ frame is the lens. The Prompt Kit is the structured method. The decision to redesign the pipeline around what actually mitigates risk is yours.</p><p></p><p><strong>This essay accompanies the </strong><em><strong><a href="https://www.regulated-intelligence.com/p/prompt-kit-01-tiered-governance-diagnostic">Tiered Governance Diagnostic Prompt Kit</a> </strong></em><strong> &#8212; four prompts to run the diagnostic above against your own pipeline. Download it alongside this essay on Regulated Intelligence.</strong></p><p></p><p><strong>If you are working through this exercise in a regulated environment and want a structured outside read &#8212; on the segmentation design, the risk taxonomy, or the approval-chain redesign that follows &#8212; mention it in your reply. I take one such conversation per month.</strong></p><p><strong>Replies to this post reach me directly. I read all of them.</strong></p><p></p><p style="text-align: center;"><em>Regulated Intelligence &#8212; TRIZ &#215; AI | Regulated Markets. Written by JL CREPPY.</em></p>]]></content:encoded></item><item><title><![CDATA[Prompt Kit 01 — Tiered Governance Diagnostic]]></title><description><![CDATA[Four prompts to run the Practitioner Test from "Your AI Governance Is Solving the Wrong Problem" against your own AI delivery pipeline.]]></description><link>https://www.regulated-intelligence.com/p/prompt-kit-01-tiered-governance-diagnostic</link><guid isPermaLink="false">https://www.regulated-intelligence.com/p/prompt-kit-01-tiered-governance-diagnostic</guid><dc:creator><![CDATA[JL CREPPY]]></dc:creator><pubDate>Sun, 24 May 2026 14:12:17 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Jegk!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F98289774-d713-4794-bf0c-361f211a1129_256x256.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Four prompts to run the Practitioner Test from "Your AI Governance Is Solving the Wrong Problem" against your own AI delivery pipeline. </p><p>Sequenced from pipeline mapping &#8594; decorative-governance diagnosis &#8594; risk taxonomy construction &#8594; approval chain segmentation. </p><p>Designed for both technical and non-technical users.</p><p>Companion essay: [<a href="https://www.regulated-intelligence.com/p/your-ai-governance-is-solving-the">Your AI Governance Is Solving the Wrong Problem</a>]</p><p></p><div class="file-embed-wrapper" data-component-name="FileToDOM"><div class="file-embed-container-reader"><div class="file-embed-container-top"><image class="file-embed-thumbnail-default" src="https://substackcdn.com/image/fetch/$s_!0Cy0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack.com%2Fimg%2Fattachment_icon.svg"></image><div class="file-embed-details"><div class="file-embed-details-h1">Prompt Kit Post 01</div><div class="file-embed-details-h2">289KB &#8729; PDF file</div></div><a class="file-embed-button wide" href="https://www.regulated-intelligence.com/api/v1/file/27e0b601-2cd5-40d2-b06b-1e551a1ab64a.pdf"><span class="file-embed-button-text">Download</span></a></div><a class="file-embed-button narrow" href="https://www.regulated-intelligence.com/api/v1/file/27e0b601-2cd5-40d2-b06b-1e551a1ab64a.pdf"><span class="file-embed-button-text">Download</span></a></div></div><p><code>TRIZ &#215; AI | Regulated Markets &#183; JL CREPPY</code></p>]]></content:encoded></item></channel></rss>