Accountable AI & Governance

Transparent reporting and governance.

Coa builds governance, accountability, and traceability into every AI product we ship, so executives and program leaders can measure efficacy, drift, and performance. We can help you do the same. The approach is laid out below.

Operating principles

The five rules the AI works within.

Each rule is enforced in code and configuration — not prompt text — and holds across every product and every model.

  • AI proposes. People decide.

    Every output is a proposal a person accepts, edits, or rejects. The model never acts on its own.

    Application: Every proposal arrives with its basis; a rejection is recorded with its reasoning, not discarded.

  • Layered guardrails on every model.

    Every prompt and every response is screened — grounding, prompt attacks, harmful content, sensitive data — before anyone acts on it.

    Application: The same checks run whichever model does the work (e.g. Amazon Bedrock Guardrails).

  • Secure by design, isolated by default.

    Encrypted in transit and at rest, least-privilege, scoped per case. Your data stays inside your boundary.

    Application: Per-tenant and per-case isolation, AWS KMS encryption, private connectivity — and customer data never trains a shared model.

  • Everything on the record.

    Every action is logged — the model, the inputs, the confidence, and what the person did with it. Reversible, reconstructable.

    Application: An append-only history replays any action exactly as it happened.

  • Configurable and self-hostable.

    Which model does the work is a setting. Managed, self-hosted, on-prem, or GovCloud — sensitive data never leaves to be read.

    Application: Your model or ours, chosen per deployment and per task.

Forward-based engineering

How we design, build, and run the system.

AI does the slow parts of building software; engineers own every line. Automated gates catch regressions, bugs are fixed continuously, the running system is monitored, and what we learn in production feeds the next feature.

Catch ambiguity before code

Doc-driven design

We write the feature as a specification and a real, interactive mockup before any code is committed. Design tokens and a binding reference spec keep every surface consistent and accessible by construction.

  • One shared design system across product, docs, and site
  • Mockups are the UI source of truth; the app is coded to match them
  • Accessibility considered at design time, not bolted on

AI weaknesses & guardrails

Failure modes and the controls that contain them.

For each known LLM failure mode, we show the standard that names it, the control that addresses it, the enterprise service that implements the control, and what Coa adds on top.

On hallucination. Grounding reduces hallucination but does not eliminate it — the consensus across the field and in Anthropic’s own guidance. It confirms an answer is supported by the record, not that it is correct, so a person reviews every output before it takes effect.
Hallucination / fabricated facts OWASP LLM09 · NIST MEASURE
Control

A contextual grounding check scores grounding and relevance against the source on a configurable 0–0.99 threshold and blocks answers the source does not support; every answer must carry citations. Grounding proves an answer is supported by the record, not that the conclusion is correct.

Enterprise service

Amazon Bedrock Guardrails (contextual grounding blocks; automated reasoning checks are detect-only); Bedrock Knowledge Bases

Coa’s mechanism

Every output is grounded to page-level source chips, and nothing becomes final until a reviewer accepts it. Grounding catches unsupported claims; the legal conclusion rests with the adjudicator and is measured against known-correct outcomes in evaluation, never assumed from a fluent answer.

Prompt injection / jailbreak OWASP LLM01
Control

Prompt-attack detection runs on both input and output, the guardrails apply independently of which model is used, and tools are granted only least-privilege scopes.

Enterprise service

Amazon Bedrock Guardrails (prompt-attack filter); ApplyGuardrail API

Coa’s mechanism

The AI has no autonomous authority, so an injected instruction can only propose something for a person to review rather than carry it out. Isolating each case keeps any damage contained to that one case.

Sensitive-data / PII disclosure OWASP LLM02
Control

PII is detected and masked in the model’s input and output, with data encrypted in transit and at rest and the case kept inside the deployment’s account and region. Masking only covers what the model sees, so logs and traces, which can retain raw text, are protected separately by data-protection policies and least-privilege access.

Enterprise service

Bedrock Guardrails (sensitive-information filter); Amazon Comprehend; Amazon Macie; CloudWatch Logs data protection; AWS KMS

Coa’s mechanism

Retrieval is scoped to the case in front of the reviewer and customer data is never used to train or fine-tune a shared model; the case never leaves the deployment to be read, and for strict regimes a self-hosted or GovCloud option keeps it inside your own boundary.

Overreliance / automation bias OWASP LLM09 · NIST MANAGE
Control

Each proposal leads with its evidence and a confidence so the reviewer engages with the basis; high-impact steps require explicit confirmation; and accept / edit / override rates are monitored so rubber-stamping is detectable.

Enterprise service

Amazon Augmented AI (A2I) human-review workflows

Coa’s mechanism

The reviewer decides on the evidence, not the suggestion. Every proposal opens with its sources and confidence, and we watch edit and override rates per feature and reviewer; an unusually low rate flags possible over-trust and triggers review, rather than assuming the human caught everything.

Excessive agency OWASP LLM06
Control

Least-privilege permissions, narrowly scoped tools, and explicit human approval before any outbound action.

Enterprise service

AWS IAM least-privilege; Amazon A2I approval steps

Coa’s mechanism

The AI proposes tasks and a person executes them, so every outbound action waits on a reviewer’s explicit approval.

Bias / inconsistent outcomes NIST MEASURE (bias)
Control

Supports disparate-impact testing across veteran cohorts via cohort-stratified evaluation and golden sets, with fairness metrics and periodic equity audits configured per deployment; rule changes are tested before they apply.

Enterprise service

Bedrock Model Evaluation + golden sets, with Coa adding cohort stratification and equity audits; model cards; SageMaker Clarify for tabular signals

Coa’s mechanism

Rules are applied consistently and tested via scaled dry-run before they take effect; outcomes can be analyzed for disparate impact across cohorts and roll up by issue type, and the adjudicator decides each case. Equity is measured on outcomes, not inferred from a feature-importance chart.

Model / data drift & degradation NIST MEASURE → MANAGE
Control

LLM output quality and drift are tracked by the evaluation harness and reviewer acceptance; tabular and feature drift by Model Monitor; regression evaluations run on every change, with alarms on degradation.

Enterprise service

Bedrock Model Evaluation + golden sets and acceptance telemetry (LLM output); SageMaker Model Monitor for tabular/feature drift; Amazon CloudWatch alarms

Coa’s mechanism

Continuous monitoring runs alongside an evaluation harness on every change, and a scaled dry-run runs before any rollout reaches live work.

Supply chain / model provenance OWASP LLM03
Control

Models come from a vetted, managed catalog with known provenance, and dependencies and artifacts are reviewed.

Enterprise service

Amazon Bedrock (managed model catalog); SageMaker Model Registry

Coa’s mechanism

The model is a configuration choice drawn from vetted providers, our engineers own every line of code, and a security review runs in the pipeline on every change.

Improper output handling OWASP LLM05
Control

Every model output is treated as untrusted: generated content is validated and never auto-executed.

Enterprise service

Bedrock Guardrails output filters

Coa’s mechanism

Outputs arrive as proposals rendered as reviewable data rather than executed actions, and their citations are verified against the record.

Unbounded consumption / cost & DoS OWASP LLM10
Control

Rate limits, per-tenant quotas, and throughput controls cap usage, and alarms fire on abnormal demand.

Enterprise service

Amazon Bedrock throughput controls; CloudWatch alarms

Coa’s mechanism

Per-tenant quotas and continuous monitoring cap usage, and abnormal demand trips an alarm before it becomes an incident.

Accuracy over time

How accuracy is measured and stays high.

Six mechanisms measure accuracy — per response, per change, per release, and continuously — and flag it when it slips.

  • Golden evaluation sets

    Per release

    Curated cases with known-correct answers; every model or prompt change is re-scored against them. Regressions surface before release, not in production.

    Watches: Correctness vs. known-good answers

  • Contextual grounding + citation check

    Per response

    Every answer is scored against its retrieved source, and every citation is checked against the record. Unsupported output is flagged or blocked before anyone relies on it.

    Watches: Is each output supported by its cited source?

  • Scaled dry-run / diff

    Per change

    A change runs across many cases in read-only mode and shows up as a before→after diff — you see exactly what it would do before it touches live work.

    Watches: What a change would do, before it applies

  • Human acceptance telemetry

    Continuous

    Accept, edit, and reject rates, tracked per feature and per reviewer. Rising edits flag a model that needs attention; suspiciously few flag rubber-stamping.

    Watches: Accept / edit / override rates (over- and under-trust)

  • Drift & quality monitoring

    Continuous

    Inputs and outputs are watched for drift from the validated baseline, and an alarm fires the moment a metric crosses its threshold.

    Watches: Drift & quality degradation vs. baseline

  • Red-team / adversarial testing

    Per release

    Prompt injection, jailbreaks, and edge cases, thrown at the system on purpose — we find the failure modes before real inputs or bad actors do.

    Watches: Prompt injection & failure modes

Metric guardrails. Live accuracy figures depend on the deployment and its data. This section shows the assurance machinery — grounding checks, golden-set evaluations, scaled dry-runs, acceptance telemetry, and drift monitoring — not invented numbers.

Standards & governance alignment

Mapping to recognized frameworks.

Each control maps to a recognized AI risk framework or to current federal guidance, so an evaluator can trace it back to the standard that calls for it.

  • NIST AI Risk Management Framework AI RMF 1.0 · 2023

    Our controls map to the framework’s four functions and its Generative AI Profile (NIST AI 600-1, 2024). NIST AI RMF is a voluntary framework; mapping to it shows alignment, not certification.

    GovernMapMeasureManageGenAI Profile (600-1)
  • OWASP Top 10 for LLM Applications 2025

    Each guardrail in the matrix above maps to the specific LLM application risk it addresses, so you can see which control answers which weakness.

    LLM01 Prompt InjectionLLM02 Sensitive-Info DisclosureLLM05 Improper Output HandlingLLM06 Excessive AgencyLLM09 MisinformationLLM10 Unbounded Consumption
  • Federal AI policy OMB M-25-21 / M-25-22

    Built to current federal guidance on agency AI use and acquisition, OMB M-25-21 and M-25-22 (both Apr 3, 2025), under EO 14179. Whether a deployment satisfies it is the agency CAIO’s determination.

    Chief AI OfficerHigh-impact AI practicesHuman oversight & appealsModel & data portability
  • VA Trustworthy AI Framework 2023

    Aligns with VA’s six trustworthy-AI principles. Claims processing is a named VA AI operational area, and VA has adopted OMB’s high-impact-AI definition.

    PurposefulEffective & SafeSecure & PrivateFair & EquitableTransparent & ExplainableAccountable & Monitored

Mapping to OMB M-25-21’s minimum practices for high-impact AI

OMB M-25-21 §4(b) defines minimum practices for high-impact AI, a category that adjudication decisions can fall into, and our controls map to each one. Whether a given deployment is high-impact, and whether it satisfies the memo, remains the agency CAIO’s determination.

Pre-deployment testing
Evaluation harness, golden sets, and a scaled dry-run before any change applies
AI impact assessment
Grounded, auditable proposals and outcomes by issue type provide the evidence a written impact assessment draws on
Ongoing monitoring
Drift and accuracy monitoring plus accept / edit / reject telemetry
Human training & assessment
Role-specific guidance for adjudicators on what the AI does, its limits, and how to override it
Human oversight & accountability
The AI proposes and a reviewer decides, accepting, editing, or rejecting every output and signing the work
Remedies / appeals
The veteran keeps the full statutory appeal path (higher-level review, the Board, CAVC); AI involvement is disclosed so the decision stays contestable
End-user & public feedback
Reviewer and end-user feedback is collected and folded into evaluation and threshold tuning
Vendor-lock-in protection (M-25-22)
Configurable by model and provider, self-hostable, and portable
What alignment means here. Mapping to these voluntary frameworks shows alignment, not certification. Coa deploys on authorized infrastructure (self-hosted or AWS GovCloud), but those authorizations belong to AWS — Adjudicate holds no FedRAMP authorization or ATO today. Production pursues its own agency-sponsored ATO, de-risked by shadow and pilot runs before the AI affects any live decision.

See it on your deployment

AI proposes. People decide.