
# GRC Record Types

Mima supports 11 GRC evidence record types. Each record:

1. Is written to the evidence ledger with an HMAC signature and timestamp.
2. Maps to one or more compliance controls (EU AI Act, ISO 42001, SOC 2).
3. Counts towards your posture score.
4. Can be required by gates before deploy or quarterly review.
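
The HMAC signature and timestamp in point 1 are what turn these records from log lines into evidence: a record that verifies has not been edited since it was written. The block below is an added illustration of what such a signature does and does not prove; it is not Mima's signing code, key handling, or record format. The key, the envelope layout (`record_type`, `fields`, `timestamp`, `hmac`) and the sample record are all constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed for illustration only. A real ledger key lives in a secrets
# manager or HSM, never in source; this is not Mima's key handling or format.
LEDGER_KEY = b"example-ledger-key-do-not-use"


def canonical_bytes(obj: dict) -> bytes:
    """Deterministic JSON so the MAC is computed over a stable byte string.

    Key order and whitespace must not differ between signing and verifying,
    otherwise a legitimate record fails to verify for non-malicious reasons.
    """
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_record(record_type: str, fields: dict,
                key: bytes = LEDGER_KEY, ts: Optional[int] = None) -> dict:
    """Wrap a record with a timestamp and an HMAC-SHA256 over type, fields and timestamp."""
    envelope = {
        "record_type": record_type,
        "fields": fields,
        "timestamp": ts if ts is not None else int(time.time()),
    }
    mac = hmac.new(key, canonical_bytes(envelope), hashlib.sha256).hexdigest()
    return {**envelope, "hmac": mac}


def verify_record(signed: dict, key: bytes = LEDGER_KEY) -> bool:
    """Recompute the MAC over everything but the stored MAC; compare in constant time."""
    body = {k: v for k, v in signed.items() if k != "hmac"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(signed.get("hmac", "")))


def tamper_demo() -> Tuple[bool, bool, bool]:
    """Sign one record, then show that editing a field or back-dating it breaks the MAC."""
    rec = sign_record("ai_risk_assessment",
                      {"system_name": "loan-scorer", "risk_level": "high",
                       "art5_self_assessment": True},
                      ts=1_750_000_000)
    ok_original = verify_record(rec)

    forged = json.loads(json.dumps(rec))          # deep copy via JSON round-trip
    forged["fields"]["risk_level"] = "minimal"    # quietly downgrade the risk tier
    ok_forged = verify_record(forged)

    backdated = json.loads(json.dumps(rec))
    backdated["timestamp"] -= 86_400              # claim it was recorded a day earlier
    ok_backdated = verify_record(backdated)
    return ok_original, ok_forged, ok_backdated


if __name__ == "__main__":
    print(tamper_demo())  # (True, False, False)
```

Two questions worth asking of any HMAC-signed evidence ledger follow from this. First, the MAC is only as strong as the canonicalisation: a verifier that serialises the record differently from the writer will reject valid records, so the byte encoding is part of the security contract. Second, a shared-key MAC proves integrity to holders of the key, not authorship to a third party, because anyone holding the key can re-sign an altered record, and it says nothing about records that were deleted outright. Key custody, per-writer keys or asymmetric signatures, and chaining or external anchoring of the ledger are what answer those questions for an auditor.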

***

## Quick reference

| Record type                | What it proves                       | Key controls earned             |
| -------------------------- | ------------------------------------ | ------------------------------- |
| `ai_risk_assessment`       | System risk classification performed | EUAIA\_ART9, ISO42001\_6\_1     |
| `model_evaluation`         | Evaluation run with accuracy metrics | EUAIA\_ART9\_4, ISO42001\_9\_1  |
| `human_oversight`          | Human reviewed an AI decision        | EUAIA\_ART14, ISO42001\_6\_1\_2 |
| `training_data_governance` | Dataset approved before training     | EUAIA\_ART10                    |
| `incident_report`          | AI incident logged and investigated  | EUAIA\_ART73, ISO42001\_10\_1   |
| `change_event`             | System change recorded               | ISO42001\_8\_4, SOC2\_CC8\_1    |
| `access_review`            | Access rights reviewed periodically  | SOC2\_CC6\_3, ISO42001\_9\_1    |
| `vendor_risk`              | Vendor assessed and tiered           | SOC2\_CC9\_2, ISO42001\_8\_4    |
| `policy_acknowledged`      | User acknowledged a policy version   | EUAIA\_ART4, SOC2\_CC9\_1       |
| `model_drift_event`        | Drift detected and logged            | EUAIA\_ART9\_4, ISO42001\_9\_1  |
| `governance_review`        | Readiness review completed           | EUAIA\_ART9, ISO42001\_9\_3     |

***

## `ai_risk_assessment`

**What it proves**: An AI system has been formally classified for risk under EU AI Act Art. 9, with the assessor, risk tier, intended purpose, and Annex III category documented.

**Required fields**

| Field                  | Type                                                 | Description                              |
| ---------------------- | ---------------------------------------------------- | ---------------------------------------- |
| `risk_level`           | `"high" \| "limited" \| "minimal" \| "unacceptable"` | EU AI Act risk tier                      |
| `risk_summary`         | string                                               | Brief use case description               |
| `intended_purpose`     | string                                               | Full Art. IV §1 purpose statement        |
| `impact_domains`       | string\[]                                            | Affected domains                         |
| `art5_self_assessment` | boolean                                              | Certifies no Art. 5 prohibited practices |

**Optional fields**: `annex_iii_category` (required if `risk_level=high`), `system_version`, `technical_doc_url`, `training_data_url`, `notes`

**Python example**

```python
mima.ai_risk_assessment(
    system_name="loan-scorer",
    risk_tier="high",
    use_case="Credit scoring for consumer loans",
    intended_purpose="Score loan applications and surface for human review",
    impact_domains=["credit", "consumer_finance"],
    art5_self_assessment=True,
    assessor="alice@example.com",
    annex_iii_category="essential_services",
)
```

**Note**: `art5_self_assessment=True` is a formal certification that the system performs none of the practices prohibited by Art. 5. Never set it without a deliberate human review against that list; do not default it to `True` in code.

***

## `model_evaluation`

**What it proves**: A named model was evaluated on a named dataset with documented accuracy metrics. Satisfies Art. 9(4) requirements for performance monitoring.

**Required fields**

| Field          | Type   | Description                   |
| -------------- | ------ | ----------------------------- |
| `model_id`     | string | Model identifier              |
| `dataset`      | string | Dataset name or ID            |
| `accuracy`     | float  | Primary accuracy metric (0–1) |
| `evaluated_by` | string | Evaluator email or identifier |

**Optional fields**: `evaluation_type` (`"initial" \| "quarterly" \| "triggered"`), `bias_metrics`, `robustness_score`, `passed_threshold`, `notes`

**Python example**

```python
mima.model_evaluation(
    model_id="loan-scorer-v2.1",
    dataset="holdout-q2-2026",
    accuracy=0.94,
    evaluated_by="alice@example.com",
    evaluation_type="quarterly",
    bias_metrics={"demographic_parity": 0.02},
    passed_threshold=True,
)
```

***

## `human_oversight`

**What it proves**: A human reviewed a specific AI decision and either confirmed or overrode it. Satisfies Art. 14 requirements for human oversight mechanisms.

**Required fields**

| Field               | Type   | Description                           |
| ------------------- | ------ | ------------------------------------- |
| `decision_id`       | string | Unique identifier for the AI decision |
| `ai_recommendation` | string | What the AI recommended               |
| `human_decision`    | string | What the human decided                |
| `reviewer`          | string | Reviewer email or identifier          |

**Optional fields**: `rationale`, `model_id`, `override` (defaults to `True` when recommendation ≠ decision)

**Python example**

```python
mima.human_oversight(
    decision_id="loan-app-48291",
    ai_recommendation="approve",
    human_decision="reject",
    reviewer="bob@example.com",
    rationale="Fraud indicators not in model training data",
)
```

***

## `training_data_governance`

**What it proves**: A training dataset was reviewed, bias-checked, and formally approved before use. Satisfies Art. 10 data governance requirements.

**Required fields**

| Field                   | Type      | Description                  |
| ----------------------- | --------- | ---------------------------- |
| `model_id`              | string    | Model being trained          |
| `dataset_id`            | string    | Dataset identifier           |
| `record_count`          | integer   | Number of records in dataset |
| `bias_checks_performed` | boolean   | Whether bias checks were run |
| `approved_by`           | string    | Approver email               |
| `data_sources`          | string\[] | Data sources used            |
| `data_categories`       | string\[] | Categories of data           |

**Optional fields**: `known_limitations`, `approval_date`

***

## `incident_report`

**What it proves**: An AI incident was detected and logged, and the relevant authority was notified where Art. 73 requires it. Satisfies Art. 73 serious incident reporting requirements.

**Required fields**

| Field              | Type                                        | Description               |
| ------------------ | ------------------------------------------- | ------------------------- |
| `title`            | string                                      | Brief incident title      |
| `severity`         | `"critical" \| "high" \| "medium" \| "low"` | Severity level            |
| `description`      | string                                      | Full incident description |
| `affected_systems` | string\[]                                   | Systems affected          |

**Optional fields**: `detected_at`, `authority_notified_at`

***

## `change_event`

**What it proves**: A system change (deploy, config change, prompt update, model swap) was recorded with the actor, environment, and description. Satisfies change management controls.

**Required fields**

| Field         | Type   | Description                                                      |
| ------------- | ------ | ---------------------------------------------------------------- |
| `type`        | string | Change type (e.g. `"deploy"`, `"prompt_update"`, `"model_swap"`) |
| `by`          | string | Who made the change                                              |
| `description` | string | What changed                                                     |
| `environment` | string | `"production"`, `"staging"`, `"development"`                     |
| `system`      | string | System name                                                      |

**Optional fields**: `change_id`

***

## `access_review`

**What it proves**: Access rights for a named user to a named resource were reviewed (periodically, on a trigger, or at first grant) and the decision to retain or revoke access was recorded with the reviewer.

**Required fields**

| Field         | Type    | Description                         |
| ------------- | ------- | ----------------------------------- |
| `user`        | string  | User email                          |
| `resource`    | string  | Resource name                       |
| `granted`     | boolean | Whether access was granted/retained |
| `reviewed_by` | string  | Reviewer email                      |

**Optional fields**: `review_type` (`"periodic" \| "triggered" \| "initial"`), `reason`

***

## `vendor_risk`

**What it proves**: A third-party vendor was assessed for risk, assigned a tier, and the review is documented. Satisfies SOC 2 vendor management controls.

**Required fields**

| Field           | Type                                        | Description             |
| --------------- | ------------------------------------------- | ----------------------- |
| `vendor`        | string                                      | Vendor name             |
| `tier`          | `"critical" \| "high" \| "medium" \| "low"` | Risk tier               |
| `last_reviewed` | string                                      | ISO date of last review |

**Optional fields**: `findings` (number of open findings), `contacts`

***

## `policy_acknowledged`

**What it proves**: A named user acknowledged a specific version of a policy via a documented channel. Satisfies Art. 4 AI literacy and SOC 2 security awareness controls.

**Required fields**

| Field            | Type   | Description                      |
| ---------------- | ------ | -------------------------------- |
| `policy_name`    | string | Human-readable policy name       |
| `policy_version` | string | Version string (e.g. `"v3.1.0"`) |
| `decision`       | string | Always `"acknowledged"`          |

**Optional fields**: `acknowledgment_type` (`"initial" \| "renewal" \| "update"`), `policy_url`, `channel`, `session_id`

***

## `model_drift_event`

**What it proves**: A drift detection run found a metric outside threshold, the event was logged, and (optionally) an action was taken. Satisfies continuous monitoring requirements.

**Required fields**

| Field         | Type   | Description                             |
| ------------- | ------ | --------------------------------------- |
| `model_id`    | string | Model identifier                        |
| `metric`      | string | Metric that drifted (e.g. `"f1_score"`) |
| `baseline`    | float  | Expected value                          |
| `current`     | float  | Observed value                          |
| `threshold`   | float  | Acceptable threshold                    |
| `detected_by` | string | Detection system or person              |

**Optional fields**: `drift_type` (`"performance" \| "data" \| "concept"`), `action_taken`, `detection_date`

***

## `governance_review`

**What it proves**: A named reviewer conducted a governance readiness review across named frameworks, producing a readiness score and action item count.

**Required fields**

| Field                 | Type      | Description                           |
| --------------------- | --------- | ------------------------------------- |
| `reviewed_by`         | string    | Reviewer email                        |
| `report_type`         | string    | `"quarterly"`, `"annual"`, `"ad_hoc"` |
| `frameworks_reviewed` | string\[] | Frameworks covered                    |
| `overall_readiness`   | integer   | Score 0–100                           |

**Optional fields**: `action_items`, `review_date`, `notes`

***

## Choosing the right record type

| Situation                           | Record type                           |
| ----------------------------------- | ------------------------------------- |
| New AI system deployed              | `ai_risk_assessment` + `change_event` |
| Quarterly model performance check   | `model_evaluation`                    |
| Model performance outside threshold | `model_drift_event`                   |
| Human reviews an AI decision        | `human_oversight`                     |
| New training dataset approved       | `training_data_governance`            |
| AI-related security incident        | `incident_report`                     |
| Third-party AI vendor assessment    | `vendor_risk`                         |
| Employee reads AI policy            | `policy_acknowledged`                 |
| Access rights annual review         | `access_review`                       |
| System config or prompt changed     | `change_event`                        |
| CISO quarterly governance sign-off  | `governance_review`                   |
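
The page says gates can require these records before a deploy; the following is an added example of such a gate, built over the rules stated on this page for `ai_risk_assessment` (`annex_iii_category` required when `risk_level` is `high`, `art5_self_assessment` as a formal certification, `unacceptable` as a tier), `model_evaluation` (`passed_threshold`) and `model_drift_event` (`action_taken`). It is not Mima's gate implementation or SDK. It assumes records are read back from the ledger as dicts with `record_type`, a unix `timestamp`, and a `fields` dict keyed by the field names in the tables above; that `system_name` and `model_id` are the join keys; and that a "quarterly" evaluation is stale after 90 days. The sample ledger is constructed for the example, and signature verification (shown earlier on this page) is assumed to have happened before these records are trusted.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

RISK_LEVELS = {"high", "limited", "minimal", "unacceptable"}
# Assumption: a "quarterly" evaluation is acceptable for at most 90 days.
EVAL_MAX_AGE = timedelta(days=90)

Record = Dict  # {"record_type": str, "timestamp": int (unix seconds), "fields": dict}


def latest(records: List[Record], record_type: str, **match) -> Optional[Record]:
    """Newest record of the given type whose fields match every key in `match`."""
    hits = [r for r in records
            if r["record_type"] == record_type
            and all(r["fields"].get(k) == v for k, v in match.items())]
    return max(hits, key=lambda r: r["timestamp"]) if hits else None


def check_risk_assessment(records: List[Record], system_name: str) -> List[str]:
    """The classification must exist, be well-formed, and carry the Art. 5 certification."""
    ra = latest(records, "ai_risk_assessment", system_name=system_name)
    if ra is None:
        return [f"{system_name}: no ai_risk_assessment on the ledger"]
    f = ra["fields"]
    level = f.get("risk_level")
    problems = []
    if level not in RISK_LEVELS:
        problems.append(f"risk_level {level!r} is not a valid tier")
    if level == "unacceptable":
        problems.append("risk_level is 'unacceptable'; the system must not be deployed")
    if level == "high" and not f.get("annex_iii_category"):
        problems.append("risk_level is 'high' but annex_iii_category is missing")
    if f.get("art5_self_assessment") is not True:
        problems.append("art5_self_assessment is not certified True")
    return problems


def check_model_evaluation(records: List[Record], model_id: str,
                           now: datetime) -> List[str]:
    """The latest evaluation must be recent, passing, and not followed by unaddressed drift."""
    ev = latest(records, "model_evaluation", model_id=model_id)
    if ev is None:
        return [f"{model_id}: no model_evaluation on the ledger"]
    problems = []
    age = now - datetime.fromtimestamp(ev["timestamp"], tz=timezone.utc)
    if age > EVAL_MAX_AGE:
        problems.append(f"last model_evaluation is {age.days} days old "
                        f"(limit {EVAL_MAX_AGE.days})")
    if ev["fields"].get("passed_threshold") is not True:
        problems.append("last model_evaluation did not pass its threshold")
    for r in records:  # drift logged after that evaluation with no action blocks the deploy
        if (r["record_type"] == "model_drift_event"
                and r["fields"].get("model_id") == model_id
                and r["timestamp"] > ev["timestamp"]
                and not r["fields"].get("action_taken")):
            problems.append(f"model_drift_event on {r['fields'].get('metric')} "
                            "after the last evaluation has no action_taken")
    return problems


def deploy_gate(records: List[Record], system_name: str, model_id: str,
                now: Optional[datetime] = None) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Deploy only when every check comes back clean."""
    now = now or datetime.now(timezone.utc)
    problems = (check_risk_assessment(records, system_name)
                + check_model_evaluation(records, model_id, now))
    return (not problems, problems)


def ts_of(month: int, day: int) -> int:
    """Unix timestamp for a 2026 date, used only to build the sample ledger."""
    return int(datetime(2026, month, day, tzinfo=timezone.utc).timestamp())


SAMPLE_NOW = datetime(2026, 7, 1, tzinfo=timezone.utc)

# Constructed sample ledger (not real Mima output): a loan-scoring system classified
# high-risk in January, evaluated in May, and drifted in June with no action logged.
SAMPLE_LEDGER: List[Record] = [
    {"record_type": "ai_risk_assessment", "timestamp": ts_of(1, 15), "fields": {
        "system_name": "loan-scorer", "risk_level": "high",
        "annex_iii_category": "essential_services", "art5_self_assessment": True}},
    {"record_type": "model_evaluation", "timestamp": ts_of(5, 2), "fields": {
        "model_id": "loan-scorer-v2.1", "dataset": "holdout-q2-2026",
        "accuracy": 0.94, "passed_threshold": True}},
    {"record_type": "model_drift_event", "timestamp": ts_of(6, 10), "fields": {
        "model_id": "loan-scorer-v2.1", "metric": "f1_score",
        "baseline": 0.91, "current": 0.84, "threshold": 0.05}},
]

if __name__ == "__main__":
    allowed, reasons = deploy_gate(SAMPLE_LEDGER, "loan-scorer", "loan-scorer-v2.1",
                                   now=SAMPLE_NOW)
    print(allowed, reasons)  # False, one reason: the June drift event has no action_taken
```

The gate reads the newest record of each type rather than any record, so a fresh `ai_risk_assessment` after a re-classification supersedes the old one, and it treats a drift event logged after the last evaluation as open until an `action_taken` is recorded, which is the sequence the "Choosing the right record type" table implies (`model_drift_event`, then a triggered `model_evaluation` or a `change_event` for the retrain).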