GRC Record Types

Mima supports 11 GRC evidence record types. Each record:

  1. Is written to the evidence ledger with an HMAC signature and timestamp.
  2. Maps to one or more compliance controls (EU AI Act, ISO 42001, SOC 2).
  3. Counts towards your posture score.
  4. Can be required by gates before deploy or quarterly review.
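The four properties above are what make a ledger entry usable as evidence: anyone holding the ledger key can recompute the HMAC over the record and its timestamp and prove that neither was altered after the write. The following is an added illustration of that mechanism, written for this page; it is not Mima's ledger code. Mima's key handling, canonicalisation and storage format are not documented here, so the key, the entry layout (type, timestamp, fields, hmac) and the JSON-lines storage below are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Assumed, illustrative ledger key. A real deployment keeps this in a KMS/HSM
# and never ships it with the application that writes records.
LEDGER_KEY = b"example-ledger-key-do-not-use"


def canonical_json(obj: Any) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_record(record_type: str, fields: Dict[str, Any],
                key: bytes = LEDGER_KEY, timestamp: Optional[str] = None) -> Dict[str, Any]:
    """Wrap a record in a ledger entry carrying a timestamp and an HMAC-SHA256 tag.

    The tag covers type, timestamp and fields together, so none of them can be
    changed afterwards without the verifier noticing.
    """
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    body = {"type": record_type, "timestamp": ts, "fields": fields}
    tag = hmac.new(key, canonical_json(body), hashlib.sha256).hexdigest()
    return {**body, "hmac": tag}


def verify_entry(entry: Dict[str, Any], key: bytes = LEDGER_KEY) -> bool:
    """Recompute the tag over the entry body and compare it in constant time."""
    body = {k: entry.get(k) for k in ("type", "timestamp", "fields")}
    expected = hmac.new(key, canonical_json(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(entry.get("hmac", "")))


def append_entry(ledger: List[str], entry: Dict[str, Any]) -> None:
    """Append-only storage: one JSON line per entry, lines are never edited."""
    ledger.append(canonical_json(entry).decode("utf-8"))


def verify_ledger(ledger: List[str], key: bytes = LEDGER_KEY) -> List[int]:
    """Return the 0-based indices of ledger lines whose tag does not verify."""
    return [i for i, line in enumerate(ledger) if not verify_entry(json.loads(line), key)]


if __name__ == "__main__":
    ledger: List[str] = []
    # Constructed sample record, mirroring the human_oversight example on this page.
    entry = sign_record("human_oversight", {
        "decision_id": "loan-app-48291",
        "ai_recommendation": "approve",
        "human_decision": "reject",
        "reviewer": "bob@example.com",
    })
    append_entry(ledger, entry)
    print(verify_ledger(ledger))  # [] : every line verifies

    # Tamper: rewrite the stored line so the human decision matches the AI again.
    tampered = json.loads(ledger[0])
    tampered["fields"]["human_decision"] = "approve"
    ledger[0] = canonical_json(tampered).decode("utf-8")
    print(verify_ledger(ledger))  # [0] : the edited line no longer verifies
```

Two caveats follow from the construction. The signature is only as strong as the canonicalisation: if writer and verifier serialise the body differently (key order, whitespace, Unicode escaping), valid entries fail to verify, which is why the example pins all three. And HMAC is symmetric, so whoever holds the ledger key can also forge an entry; if the ledger has to convince an auditor rather than only its own writer, the key must live somewhere the record-writing application cannot read it.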

Quick reference

Record type               What it proves                          Key controls earned
------------------------  --------------------------------------  ---------------------------
ai_risk_assessment        System risk classification performed    EUAIA_ART9, ISO42001_6_1
model_evaluation          Evaluation run with accuracy metrics    EUAIA_ART9_4, ISO42001_9_1
human_oversight           Human reviewed an AI decision           EUAIA_ART14, ISO42001_6_1_2
training_data_governance  Dataset approved before training        EUAIA_ART10
incident_report           AI incident logged and investigated     EUAIA_ART73, ISO42001_10_1
change_event              System change recorded                  ISO42001_8_4, SOC2_CC8_1
access_review             Access rights reviewed periodically     SOC2_CC6_3, ISO42001_9_1
vendor_risk               Vendor assessed and tiered              SOC2_CC9_2, ISO42001_8_4
policy_acknowledged       User acknowledged a policy version      EUAIA_ART4, SOC2_CC9_1
model_drift_event         Drift detected and logged               EUAIA_ART9_4, ISO42001_9_1
governance_review         Readiness review completed              EUAIA_ART9, ISO42001_9_3

ai_risk_assessment

What it proves: An AI system has been formally classified for risk under EU AI Act Art. 9, with the assessor, risk tier, intended purpose, and Annex III category documented.

Required fields

Field                 Type                                             Description
--------------------  -----------------------------------------------  ---------------------------------------
risk_level            "high" | "limited" | "minimal" | "unacceptable"  EU AI Act risk tier
risk_summary          string                                           Brief use case description
intended_purpose      string                                           Full Art. IV §1 purpose statement
impact_domains        string[]                                         Affected domains
art5_self_assessment  boolean                                          Certifies no Art. 5 prohibited practices

Optional fields: annex_iii_category (required if risk_level=high), system_version, technical_doc_url, training_data_url, notes

Python example

mima.ai_risk_assessment(
    system_name="loan-scorer",
    risk_level="high",                        # EU AI Act risk tier (required field above)
    risk_summary="Credit scoring for consumer loans",
    intended_purpose="Score loan applications and surface for human review",
    impact_domains=["credit", "consumer_finance"],
    art5_self_assessment=True,                # formal certification; see the note below
    assessor="alice@example.com",
    annex_iii_category="essential_services",  # required because risk_level is "high"
)

Note: art5_self_assessment=True is a formal certification that the system involves none of the practices prohibited by Art. 5, and it is recorded as such in the evidence ledger. Never set it by default or from automation; it belongs only after a deliberate human review of Art. 5.


model_evaluation

What it proves: A named model was evaluated on a named dataset with documented accuracy metrics. Satisfies Art. 9(4) requirements for performance monitoring.

Required fields

Field         Type    Description
------------  ------  -------------------------------
model_id      string  Model identifier
dataset       string  Dataset name or ID
accuracy      float   Primary accuracy metric (0–1)
evaluated_by  string  Evaluator email or identifier

Optional fields: evaluation_type ("initial" | "quarterly" | "triggered"), bias_metrics, robustness_score, passed_threshold, notes

Python example

mima.model_evaluation(
    model_id="loan-scorer-v2.1",
    dataset="holdout-q2-2026",
    accuracy=0.94,                              # primary metric, 0–1
    evaluated_by="alice@example.com",
    evaluation_type="quarterly",                # "initial" | "quarterly" | "triggered"
    bias_metrics={"demographic_parity": 0.02},  # optional fairness metrics
    passed_threshold=True,                      # optional: acceptance threshold was met
)

human_oversight

What it proves: A human reviewed a specific AI decision and either confirmed or overrode it. Satisfies Art. 14 requirements for human oversight mechanisms.

Required fields

Field              Type    Description
-----------------  ------  -------------------------------------
decision_id        string  Unique identifier for the AI decision
ai_recommendation  string  What the AI recommended
human_decision     string  What the human decided
reviewer           string  Reviewer email or identifier

Optional fields: rationale, model_id, override (defaults to True when recommendation ≠ decision)

Python example

mima.human_oversight(
    decision_id="loan-app-48291",
    ai_recommendation="approve",
    human_decision="reject",     # differs from the recommendation, so override defaults to True
    reviewer="bob@example.com",
    rationale="Fraud indicators not in model training data",
)

training_data_governance

What it proves: A training dataset was reviewed, bias-checked, and formally approved before use. Satisfies Art. 10 data governance requirements.

Required fields

Field                  Type      Description
---------------------  --------  -----------------------------
model_id               string    Model being trained
dataset_id             string    Dataset identifier
record_count           integer   Number of records in dataset
bias_checks_performed  boolean   Whether bias checks were run
approved_by            string    Approver email
data_sources           string[]  Data sources used
data_categories        string[]  Categories of data

Optional fields: known_limitations, approval_date


incident_report

What it proves: An AI incident was detected, logged, and (if required) the relevant authority was notified. Satisfies Art. 73 serious incident reporting requirements.

Required fields

Field             Type                                    Description
----------------  --------------------------------------  -------------------------
title             string                                  Brief incident title
severity          "critical" | "high" | "medium" | "low"  Severity level
description       string                                  Full incident description
affected_systems  string[]                                Systems affected

Optional fields: detected_at, authority_notified_at


change_event

What it proves: A system change (deploy, config change, prompt update, model swap) was recorded with the actor, environment, and description. Satisfies change management controls.

Required fields

Field        Type    Description
-----------  ------  ----------------------------------------------------------
type         string  Change type (e.g. "deploy", "prompt_update", "model_swap")
by           string  Who made the change
description  string  What changed
environment  string  "production", "staging", "development"
system       string  System name

Optional fields: change_id


access_review

What it proves: Access rights for a named user to a named resource were reviewed periodically and a decision was made and recorded.

Required fields

Field        Type     Description
-----------  -------  -----------------------------------
user         string   User email
resource     string   Resource name
granted      boolean  Whether access was granted/retained
reviewed_by  string   Reviewer email

Optional fields: review_type ("periodic" | "triggered" | "initial"), reason


vendor_risk

What it proves: A third-party vendor was assessed for risk, assigned a tier, and the review is documented. Satisfies SOC 2 vendor management controls.

Required fields

Field          Type                                    Description
-------------  --------------------------------------  -----------------------
vendor         string                                  Vendor name
tier           "critical" | "high" | "medium" | "low"  Risk tier
last_reviewed  string                                  ISO date of last review

Optional fields: findings (number of open findings), contacts


policy_acknowledged

What it proves: A named user acknowledged a specific version of a policy via a documented channel. Satisfies Art. 4 AI literacy and SOC 2 security awareness controls.

Required fields

Field           Type    Description
--------------  ------  ------------------------------
policy_name     string  Human-readable policy name
policy_version  string  Version string (e.g. "v3.1.0")
decision        string  Always "acknowledged"

Optional fields: acknowledgment_type ("initial" | "renewal" | "update"), policy_url, channel, session_id


model_drift_event

What it proves: A drift detection run found a metric outside threshold, the event was logged, and (optionally) an action was taken. Satisfies continuous monitoring requirements.

Required fields

Field        Type    Description
-----------  ------  -------------------------------------
model_id     string  Model identifier
metric       string  Metric that drifted (e.g. "f1_score")
baseline     float   Expected value
current      float   Observed value
threshold    float   Acceptable threshold
detected_by  string  Detection system or person

Optional fields: drift_type ("performance" | "data" | "concept"), action_taken, detection_date


governance_review

What it proves: A named reviewer conducted a governance readiness review across named frameworks, producing a readiness score and action item count.

Required fields

Field                Type      Description
-------------------  --------  -------------------------------
reviewed_by          string    Reviewer email
report_type          string    "quarterly", "annual", "ad_hoc"
frameworks_reviewed  string[]  Frameworks covered
overall_readiness    integer   Score 0–100

Optional fields: action_items, review_date, notes
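The required-field tables above are the contract each record has to meet, and a record that reaches the ledger with a missing field or an out-of-range value is evidence that does not prove what the gate later assumes it proves. Checking the contract on the client, before the call is made, turns that into a local error. Below is an added example of such a pre-flight validator; it is written for this page and is not part of the Mima SDK. It transcribes the required fields, enum values and cross-field rules stated above (annex_iii_category when risk_level is "high", decision always "acknowledged", the override default for human_oversight, the 0–1 accuracy and 0–100 readiness ranges) into one table-driven check. Whether Mima also rejects malformed records server-side is not documented here, so the validator assumes nothing about that.

```python
from typing import Any, Dict, List

# Required fields and enum constraints per record type, transcribed from the
# field tables on this page. Enum-valued fields map to their allowed values.
SCHEMAS: Dict[str, Dict[str, Any]] = {
    "ai_risk_assessment": {
        "required": ["risk_level", "risk_summary", "intended_purpose",
                     "impact_domains", "art5_self_assessment"],
        "enums": {"risk_level": {"high", "limited", "minimal", "unacceptable"}}},
    "model_evaluation": {
        "required": ["model_id", "dataset", "accuracy", "evaluated_by"],
        "enums": {"evaluation_type": {"initial", "quarterly", "triggered"}}},
    "human_oversight": {
        "required": ["decision_id", "ai_recommendation", "human_decision", "reviewer"],
        "enums": {}},
    "training_data_governance": {
        "required": ["model_id", "dataset_id", "record_count", "bias_checks_performed",
                     "approved_by", "data_sources", "data_categories"],
        "enums": {}},
    "incident_report": {
        "required": ["title", "severity", "description", "affected_systems"],
        "enums": {"severity": {"critical", "high", "medium", "low"}}},
    "change_event": {
        "required": ["type", "by", "description", "environment", "system"],
        "enums": {"environment": {"production", "staging", "development"}}},
    "access_review": {
        "required": ["user", "resource", "granted", "reviewed_by"],
        "enums": {"review_type": {"periodic", "triggered", "initial"}}},
    "vendor_risk": {
        "required": ["vendor", "tier", "last_reviewed"],
        "enums": {"tier": {"critical", "high", "medium", "low"}}},
    "policy_acknowledged": {
        "required": ["policy_name", "policy_version", "decision"],
        "enums": {"decision": {"acknowledged"},
                  "acknowledgment_type": {"initial", "renewal", "update"}}},
    "model_drift_event": {
        "required": ["model_id", "metric", "baseline", "current", "threshold", "detected_by"],
        "enums": {"drift_type": {"performance", "data", "concept"}}},
    "governance_review": {
        "required": ["reviewed_by", "report_type", "frameworks_reviewed", "overall_readiness"],
        "enums": {"report_type": {"quarterly", "annual", "ad_hoc"}}},
}


def validate_record(record_type: str, fields: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the record is well-formed."""
    schema = SCHEMAS.get(record_type)
    if schema is None:
        return [f"unknown record type {record_type!r}"]
    problems = [f"missing required field {f!r}" for f in schema["required"] if f not in fields]
    for field, allowed in schema["enums"].items():
        if field in fields and fields[field] not in allowed:
            problems.append(f"{field}={fields[field]!r} not in {sorted(allowed)}")
    # Cross-field and range rules stated on this page.
    if record_type == "ai_risk_assessment":
        if fields.get("risk_level") == "high" and not fields.get("annex_iii_category"):
            problems.append("annex_iii_category is required when risk_level is 'high'")
        if "art5_self_assessment" in fields and not isinstance(fields["art5_self_assessment"], bool):
            problems.append("art5_self_assessment must be an explicit boolean")
    if record_type == "model_evaluation" and "accuracy" in fields:
        acc = fields["accuracy"]
        if isinstance(acc, bool) or not isinstance(acc, (int, float)) or not 0 <= acc <= 1:
            problems.append("accuracy must be a number in [0, 1]")
    if record_type == "governance_review" and "overall_readiness" in fields:
        score = fields["overall_readiness"]
        if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
            problems.append("overall_readiness must be an integer in [0, 100]")
    return problems


def with_defaults(record_type: str, fields: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the one default this page states: human_oversight.override is True
    when the human decision differs from the AI recommendation."""
    out = dict(fields)
    if record_type == "human_oversight" and "override" not in out:
        out["override"] = out.get("ai_recommendation") != out.get("human_decision")
    return out


if __name__ == "__main__":
    # Constructed sample: a high-risk assessment missing its Annex III category.
    print(validate_record("ai_risk_assessment", {
        "risk_level": "high", "risk_summary": "Credit scoring for consumer loans",
        "intended_purpose": "Score loan applications", "impact_domains": ["credit"],
        "art5_self_assessment": True}))
    print(with_defaults("human_oversight", {"ai_recommendation": "approve",
                                            "human_decision": "reject"}))
```

Run the validator in the same code path that builds the record, and treat a non-empty result as a hard failure rather than a log line: a gate that "requires" a record type is only as strict as the weakest record it accepts, and the cheapest place to enforce the contract is before the HMAC is ever computed.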


Choosing the right record type

Situation                            Record type
-----------------------------------  ---------------------------------
New AI system deployed               ai_risk_assessment + change_event
Quarterly model performance check    model_evaluation
Model performance outside threshold  model_drift_event
Human reviews an AI decision         human_oversight
New training dataset approved        training_data_governance
AI-related security incident         incident_report
Third-party AI vendor assessment     vendor_risk
Employee reads AI policy             policy_acknowledged
Access rights annual review          access_review
System config or prompt changed      change_event
CISO quarterly governance sign-off   governance_review