GRC Record Types
Mima supports 11 GRC evidence record types. Each record:
- Is written to the evidence ledger with an HMAC signature and timestamp.
- Maps to one or more compliance controls (EU AI Act, ISO 42001, SOC 2).
- Counts towards your posture score.
- Can be required by gates before deploy or quarterly review.
Quick reference
ai_risk_assessment
What it proves: An AI system has been formally classified for risk under EU AI Act Art. 9, with the assessor, risk tier, intended purpose, and Annex III category documented.
Required fields
Optional fields: annex_iii_category (required if risk_level=high), system_version, technical_doc_url, training_data_url, notes
Python example
Note: art5_self_assessment=True is a formal certification. Never set it without a deliberate human review of Art. 5.
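As an added illustration (not Mima's own API and not code from this page), the ledger behaviour described above applied to an ai_risk_assessment record: the annex_iii_category rule is enforced, then the record is timestamped and HMAC-signed so that any later edit to its fields is detectable. Field names follow this page; the field names `assessor` and `intended_purpose`, the key, and the function names are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real ledger would load its key from a secret store.
LEDGER_KEY = b"constructed-demo-key"

RECORD_TYPE = "ai_risk_assessment"
# Field names taken from the page; "assessor" and "intended_purpose" are assumed.
REQUIRED = ("assessor", "risk_level", "intended_purpose")
OPTIONAL = ("annex_iii_category", "system_version", "technical_doc_url",
            "training_data_url", "notes", "art5_self_assessment")


def validate(fields: dict) -> None:
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    unknown = set(fields) - set(REQUIRED) - set(OPTIONAL)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    # Rule from the page: annex_iii_category is required when risk_level=high.
    if fields["risk_level"] == "high" and not fields.get("annex_iii_category"):
        raise ValueError("annex_iii_category is required when risk_level=high")


def write_record(fields: dict, key: bytes = LEDGER_KEY, now=None) -> dict:
    """Validate, timestamp and HMAC-sign one evidence ledger record."""
    validate(fields)
    ts = (now or datetime.now(timezone.utc)).isoformat()
    body = {"record_type": RECORD_TYPE, "timestamp": ts, "fields": fields}
    # Canonical JSON so the signature does not depend on key order.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["hmac"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return body


def verify_record(record: dict, key: bytes = LEDGER_KEY) -> bool:
    """Recompute the HMAC over everything except the signature itself."""
    unsigned = {k: v for k, v in record.items() if k != "hmac"}
    payload = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("hmac", ""))
```

A record whose risk_level is changed after signing fails verify_record, which is the tamper-evidence the ledger relies on.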
model_evaluation
What it proves: A named model was evaluated on a named dataset with documented accuracy metrics. Satisfies Art. 9(4) requirements for performance monitoring.
Required fields
Optional fields: evaluation_type ("initial" | "quarterly" | "triggered"), bias_metrics, robustness_score, passed_threshold, notes
Python example
human_oversight
What it proves: A human reviewed a specific AI decision and either confirmed or overrode it. Satisfies Art. 14 requirements for human oversight mechanisms.
Required fields
Optional fields: rationale, model_id, override (defaults to True when recommendation ≠ decision)
Python example
training_data_governance
What it proves: A training dataset was reviewed, bias-checked, and formally approved before use. Satisfies Art. 10 data governance requirements.
Required fields
Optional fields: known_limitations, approval_date
incident_report
What it proves: An AI incident was detected, logged, and (if required) the relevant authority was notified. Satisfies Art. 73 serious incident reporting requirements.
Required fields
Optional fields: detected_at, authority_notified_at
change_event
What it proves: A system change (deploy, config change, prompt update, model swap) was recorded with the actor, environment, and description. Satisfies change management controls.
Required fields
Optional fields: change_id
access_review
What it proves: Access rights for a named user to a named resource were reviewed periodically and a decision was made and recorded.
Required fields
Optional fields: review_type ("periodic" | "triggered" | "initial"), reason
vendor_risk
What it proves: A third-party vendor was assessed for risk, assigned a tier, and the review is documented. Satisfies SOC 2 vendor management controls.
Required fields
Optional fields: findings (number of open findings), contacts
policy_acknowledged
What it proves: A named user acknowledged a specific version of a policy via a documented channel. Satisfies Art. 4 AI literacy and SOC 2 security awareness controls.
Required fields
Optional fields: acknowledgment_type ("initial" | "renewal" | "update"), policy_url, channel, session_id
model_drift_event
What it proves: A drift detection run found a metric outside threshold, the event was logged, and (optionally) an action was taken. Satisfies continuous monitoring requirements.
Required fields
Optional fields: drift_type ("performance" | "data" | "concept"), action_taken, detection_date
governance_review
What it proves: A named reviewer conducted a governance readiness review across named frameworks, producing a readiness score and action item count.
Required fields
Optional fields: action_items, review_date, notes
