Public-safe policy

Impact assessment

A regulator‑friendly way to turn “we reduce harm” into measurable, replayable receipts. Uncertainty never yields silent PASS — missing impact evidence MUST output HOLD (fail‑closed).

What it is

A standardized impact case for high‑risk automation and AI: intended use → affected stakeholders → harm scenarios → mitigations → evidence pointers. It is designed to be auditable and replayable.

  • Defines minimum, repeatable questions for public‑impact risk.
  • Connects conclusions to controls (Verify → Permit → Gate).
  • Produces receipts a reviewer can replay offline.

What it is not

This public‑safe policy is a governance artifact — not legal advice and not a certification claim.

  • Non‑binding unless incorporated into a signed agreement.
  • Does not disclose confidential customer data or internal personnel lists.
  • Focuses on reproducible method, not marketing numbers.

Metric families (public-safe)

We publish how metrics are defined and verified. Customer‑specific values may be withheld or aggregated.

  • Side‑effect prevention: unpermitted action attempts → HOLD/DENY rate.
  • Audit replay success: reproducible verification success rate (offline).
  • Time‑to‑approval reduction: procurement ticket completion time (method published).

Public-safe boundary

The policy and template are safe to publish; sensitive details are handled as diligence materials.

  • Public: schema, minimum elements, reason‑code language, verification surfaces.
  • Withheld: protected health data, customer secrets, incident specifics, private tickets.
  • Escalation + stop authority: see /governance/.

Receipts

Discoverable

Auditors should treat signed descriptors as authoritative. Web pages are display‑only.

/.well-known/mvg-impact-assessment.json
/.well-known/mvg-impact-assessment.json.asc

Verify (expected once GO‑LIVE): gpg --verify mvg-impact-assessment.json.asc mvg-impact-assessment.json

Expected outputs

Same language everywhere: review tools output only one of three states.

  • PASS (GO): signature + required fields are present and valid.
  • HOLD: signature or required sections are intentionally missing (fail‑closed).
  • FAIL: required signatures/evidence are present but invalid or inconsistent.
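The three-state rule above is a decision procedure with a fixed precedence: every missing-evidence condition is checked first and collapses to HOLD, validity is checked only once everything is present, and PASS is reached last. The following Python is an added example written for this page, not code from the project behind the descriptor; it shows one way a replay tool could implement that precedence over the descriptor and its detached signature. The JSON field names in REQUIRED_FIELDS, the reason-code strings, and the sample descriptor are assumptions (the page names the impact-case sections but not their keys); the gpg invocation mirrors the verify command given above.

```python
"""Tri-state review of an impact-assessment descriptor: PASS, HOLD or FAIL.

Added illustration, not the project's own verifier. Missing evidence is
classified before validity so that absence can never surface as FAIL or PASS.
"""
import json
import subprocess
from pathlib import Path
from typing import Callable, Iterable, List, Optional, Tuple

PASS, HOLD, FAIL = "PASS", "HOLD", "FAIL"

# Assumed JSON keys for the minimum elements of the impact case
# (intended use, stakeholders, harm scenarios, mitigations, evidence pointers).
REQUIRED_FIELDS = ("intended_use", "stakeholders", "harm_scenarios",
                   "mitigations", "evidence")


def gpg_verify(sig_path: Path, data_path: Path) -> bool:
    """Run the page's verify command; the signature counts as valid only when
    gpg exits 0. Any other outcome (bad signature, unknown key, gpg absent) is
    reported as invalid rather than swallowed."""
    try:
        proc = subprocess.run(["gpg", "--verify", str(sig_path), str(data_path)],
                              capture_output=True)
    except OSError:
        return False
    return proc.returncode == 0


def classify(descriptor_text: Optional[str], signature_text: Optional[str],
             signature_valid: Callable[[], bool],
             required: Iterable[str] = REQUIRED_FIELDS) -> Tuple[str, List[str]]:
    """Return (state, reason_codes). Reason codes are assumed names."""
    required = tuple(required)
    reasons: List[str] = []

    # 1. Anything missing -> HOLD (fail-closed). Collect every gap so the
    #    receipt tells the reviewer what to supply.
    if descriptor_text is None:
        reasons.append("descriptor_missing")
    if signature_text is None:
        reasons.append("signature_missing")
    doc = None
    if descriptor_text is not None:
        try:
            parsed = json.loads(descriptor_text)
        except ValueError:
            parsed = None  # present but unparseable: handled as FAIL below
        if isinstance(parsed, dict):
            doc = parsed
            reasons.extend(f"section_missing:{f}" for f in required if f not in doc)
    if reasons:
        return HOLD, reasons

    # 2. Evidence present but invalid or inconsistent -> FAIL.
    if doc is None:
        return FAIL, ["descriptor_not_json_object"]
    if not signature_valid():
        return FAIL, ["signature_invalid"]
    reasons.extend(f"section_empty:{f}" for f in required
                   if doc[f] in (None, "", [], {}))
    if reasons:
        return FAIL, reasons

    # 3. Signature and required sections present and valid -> PASS (GO).
    return PASS, []


def review(descriptor_path: Path, signature_path: Path) -> Tuple[str, List[str]]:
    """File-based entry point: absent files become None (HOLD), present files
    are checked with gpg only after the presence checks succeed."""
    desc = descriptor_path.read_text() if descriptor_path.exists() else None
    sig = signature_path.read_text() if signature_path.exists() else None
    return classify(desc, sig, lambda: gpg_verify(signature_path, descriptor_path))


if __name__ == "__main__":
    # Constructed sample descriptor; a stub stands in for gpg so this runs offline.
    sample = json.dumps({f: ["example entry"] for f in REQUIRED_FIELDS})
    print(classify(sample, "-----BEGIN PGP SIGNATURE-----", lambda: True))
    print(classify(sample, None, lambda: True))          # HOLD, signature_missing
    print(classify(sample, "sig", lambda: False))         # FAIL, signature_invalid
    print(classify('{"intended_use": ["x"]}', "sig", lambda: True))  # HOLD, sections missing
```

Note the ordering in `classify`: a descriptor with an invalid signature and a missing section yields HOLD, not FAIL, because the missing section is discovered first; the reviewer is asked to complete the evidence before validity is judged, which is what "uncertainty never yields silent PASS" requires.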