Governance

Governance controls how much oversight is applied to agent decisions. It adds structured checkpoints without slowing down simple tasks.

Three governance levels

Level	When to use	Overhead
none	Solo developer, prototyping, hackathons	No checkpoints
standard	Small teams, startups, normal development	Decision gates at key transitions
strict	Enterprise, regulated industries, production systems	Full audit trail, RBAC, NIST mapping

Configuration

governance: standard  # none | standard | strict

Level: none (default)

No governance overhead. Agents work freely. Suitable for:

Personal projects
Prototyping
Hackathons
Trusted solo development

Level: standard

Adds structured decision gates based on task complexity.

Decision gates

Complexity	Gate	Action
TRIVIAL	None	Agent acts autonomously
MODERATE	Deliverable review	Produce deliverable, user validates before next step
COMPLEX	Phased approval	spec.md, plan.md, tasks.md — each requires approval

Risk assessment

Before executing a workflow, Jarvis assesses risk:

Risk	Workflows	Controls
LOW	`/bugfix`, `/review`, `/docs`	Agent acts, summary post-action
MEDIUM	`/feature`, `/sprint`, `/refactor`	Plan required, user validates
HIGH	`/release`, `/hotfix`, `/mvp`, `/upgrade`	Risk assessment + rollback plan + approval

For HIGH risk workflows, Jarvis produces risk-assessment.md with:

Identified risks and their probability
Impact assessment for each risk
Mitigation strategies
Rollback plan

Quality checkpoints

At the end of every COMPLEX workflow (4+ steps), Jarvis produces _quality.md:

Delivered: list of all produced deliverables
Validated: what was reviewed and approved by the user
Risks remaining: open risks, known limitations, tech debt introduced
Lessons learned: what worked well, what should improve
Metrics: lead time, steps executed, agents involved

Level: strict

Everything in standard, plus:

Audit trail

Every agent action is logged in _audit.md:

## Audit Trail

| Timestamp | Agent | Action | Decision | Rationale |
|-----------|-------|--------|----------|-----------|
| 2026-03-21T10:00:00Z | @professor-x | Write spec | APPROVED | User validated requirements |
| 2026-03-21T10:15:00Z | @tony-stark | Architecture decision: PostgreSQL | APPROVED | Matches team expertise |

Role-based access control (RBAC)

Sensitive agents require explicit authorization:

Agent	Sensitivity	Requires
`@punisher`	HIGH	Security clearance
`@microchip`	CRITICAL	Red team authorization
`@doctor-doom`	HIGH	Explicit invocation only
`@thor`	MEDIUM (for production deploys)	Deploy authorization

NIST AI RMF mapping

For regulated industries, strict governance maps agent decisions to NIST AI Risk Management Framework categories:

Govern: Policies and accountability for AI decisions
Map: Context and risk identification
Measure: Metrics and monitoring
Manage: Risk mitigation and response

Combining with YOLO mode

Governance and YOLO are complementary controls:

YOLO controls speed — how much agents ask before acting
Governance controls oversight — what checkpoints are required

They work together:

# Fast within phases, structured transitions
yolo: true
governance: standard

With this configuration, agents execute autonomously within each workflow phase, but formal decision gates still apply between phases (spec, plan, tasks, implement).

Choosing a governance level

Your situation	Recommendation
Solo developer, prototyping	`governance: none`
Small team, normal development	`governance: standard`
Enterprise, regulated industry	`governance: strict`
Open-source project	`governance: standard`
Production deployment	`governance: standard` or `strict`