Governance truly begins after a product ships.
A lifecycle proposal that takes the product deployment version as the unit of governance, extending the mature approval logic of medical devices and aviation to the GenAI and agent product layer. Status: concept paper in preparation, planned for Zenodo archiving with a DOI.
The space between three layers
The organization layer has ISO/IEC 42001. The model layer has the capability threshold frameworks of the AI labs. The regulatory layer has EU AI Act conformity assessment. After reverse-checking 45 factual claims, no governance mechanism was found that takes the deployment configuration of an individual GenAI or agent product as its unit.
A ten-node governance lifecycle
What can be claimed after verification
The deployment candidate
A configuration-frozen version as the regulatory anchor. Six frozen elements: base model and fine-tuned weights, system prompts and persona, tool permissions, RAG sources, memory configuration, interaction optimization targets.
Five-level update grading
From low-risk updates to emergency safety patches, covering AI-native change types: changes to memory, persona and interaction optimization targets are high-risk triggers.
Cognitive risk in the loop
User-side cognitive and contextual risk enters the mandatory governance loop: pre-deployment review dimensions, update triggers, post-market indicators.
One small, hard original point
Who approved, on what basis, who dissented, and which version an incident links back to.
Existing frameworks keep traceability at the technical and documentation layers. No framework requires traceability at the governance decision layer, and dissent records have no counterpart in any framework verified.
Reordering when rules are written
Layering itself has precedents. The value is in delaying layer two until capabilities can be observed, answering the practical problem that legislation written in advance cannot keep up.
Whose shoulders this stands on
Traceability as a precondition of accountability was formalized by Kroll (FAccT 2021). What this proposal does on top of that premise is institutional design.
Upstream and downstream
USCP describes user-side risk. It sits upstream. This proposal designs the institutional response. It sits downstream. The two cite each other and are not written as one thing.
How this proposal was checked
Where this stands
The concept paper is in preparation, planned for Zenodo archiving with a DOI. This page is a proposal and not a finished document.