govrn-platform — Roadmap

2026-06-07. Separates what's BUILT (foundation) from what's NEXT, and records the architecture mandates that must be locked before contributors build heavily (from the architecture review).

Built — v0.1 foundation (this run)

  • ✅ Unified three-lens framework (docs/FRAMEWORK.md)
  • ✅ Standards gap-check, current-sourced (docs/PROTOCOLS-GAPCHECK.md)
  • ✅ Typed living data model (data/types.ts) + sample fleet (data/seed.ts)
  • ✅ Per-lens posture scoring (src/scoring.ts)
  • ✅ Dashboard skeleton — fleet inventory, three-lens posture, AI-BOM, live-monitoring panel (web/, src/server.ts)
  • ✅ Project ISA as system-of-record (ISA.md)

Architecture mandates — LOCK before contributors build heavily

These are the expensive-to-retrofit decisions surfaced in the architecture review. They are the seams; get them right now.

  1. Asset graph with lens-as-TAG, not lens-shaped tables. One fleet/asset substrate; the three lenses are tags/overlays on controls, not separate schemas. (v0.1 already models lens as a field — keep it that way.)
  2. Immutable, bitemporal facts as system of record. Append-only. Stamp every finding/signal with valid-time (validFrom/validTo — when true in the world) AND transaction-time (recordedAt — when we learned it). Snapshots are a derived read-model, never the source of truth. Do NOT build a full event-sourcing/CQRS engine — just immutable bitemporal fact tables + materialized current-state views. (v0.2 schema upgrade — the single most important retrofit-avoider.)
  3. FindingAttestation/Certification — distinct artifacts, distinct signing authority. Keep the conflict-firewall as a seam in the data model. Assess→recommend→(HITL)→remediate as a managed service is fine (client is approver-of-record); the conflict only re-enters if a self-issued score is positioned as a third-party-relied-upon certification. Modeling them separately lets certification route to an independent signer later without re-architecting. Never fuse them into one object.
  4. Hard tenant boundary + org hierarchy as first-class. tenantId on every row, enforced at the data layer (row-level security), silo-capable even if pooled by default. Model org → business-unit → asset (real-estate buyers are multi-entity/franchisee — they hit this in demo one). Split global knowledge (CVE/advisory feeds — compute once, fan out) from the per-tenant overlay (the CVE→fleet mapping is private).
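Added example (not project code, not data/types.ts): an append-only bitemporal fact table with a derived as-of view, showing mandate #2 (validFrom/validTo vs recordedAt, snapshots as a read-model) and mandate #4 (tenantId on every row, filtered at the data layer). FindingFact, FactStore and the sample findings are assumptions for illustration.

```typescript
// Assumed shape for one immutable finding fact; the store only ever appends.
interface FindingFact {
  tenantId: string;        // mandate #4: every row carries its tenant
  findingId: string;
  assetId: string;
  severity: string;
  validFrom: string;       // ISO-8601 UTC: when this became true in the world
  validTo: string | null;  // null = still true (open-ended)
  recordedAt: string;      // ISO-8601 UTC: when we learned it (transaction time)
}

class FactStore {
  private readonly facts: FindingFact[] = [];

  // Append-only: a correction is a new fact, never an update or delete.
  append(fact: FindingFact): void {
    this.facts.push({ ...fact });
  }

  // Derived read-model, never the source of truth: findings true at `validAt`
  // according to what the system knew at `knownAt`. For each findingId the
  // most recently recorded fact (recordedAt <= knownAt) wins.
  asOf(tenantId: string, validAt: string, knownAt: string): FindingFact[] {
    const latest = new Map<string, FindingFact>();
    for (const f of this.facts) {
      if (f.tenantId !== tenantId || f.recordedAt > knownAt) continue; // tenant + txn-time filter
      const prev = latest.get(f.findingId);
      if (!prev || f.recordedAt > prev.recordedAt) latest.set(f.findingId, f);
    }
    return [...latest.values()].filter(
      f => f.validFrom <= validAt && (f.validTo === null || validAt < f.validTo),
    );
  }
}

// Constructed sample: finding F-1 (placeholder id) on asset-42 is recorded open on
// June 1; on June 5 we learn the fix had actually landed on June 3.
function demo() {
  const store = new FactStore();
  const base = { tenantId: "tenant-a", findingId: "F-1", assetId: "asset-42", severity: "critical" };
  store.append({ ...base, validFrom: "2026-06-01T00:00:00Z", validTo: null, recordedAt: "2026-06-01T09:00:00Z" });
  store.append({ ...base, validFrom: "2026-06-01T00:00:00Z", validTo: "2026-06-03T00:00:00Z", recordedAt: "2026-06-05T09:00:00Z" });
  store.append({ ...base, tenantId: "tenant-b", findingId: "F-9", validFrom: "2026-06-01T00:00:00Z", validTo: null, recordedAt: "2026-06-01T09:00:00Z" });
  return {
    believedOnJune4: store.asOf("tenant-a", "2026-06-04T00:00:00Z", "2026-06-04T00:00:00Z").length, // 1: the June-4 dashboard showed it open
    correctedJune4: store.asOf("tenant-a", "2026-06-04T00:00:00Z", "2026-06-06T00:00:00Z").length,  // 0: replayed with today's knowledge
    tenantAOnly: store.asOf("tenant-a", "2026-06-04T00:00:00Z", "2026-06-06T00:00:00Z").every(f => f.tenantId === "tenant-a"),
  };
}
```

The same query for the same valid-time returns different answers depending on transaction-time, which is exactly what an auditor asking "what did you know on June 4?" needs and what a mutable snapshot table cannot reproduce.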

Next — toward the living product

Monitoring layer (the "breathing" part)

  • Connectors (HITL-safe sources only): CVE/NVD feed, vendor security advisories, IdP/SSO logs (shadow-IT + shadow-AI discovery), DNS, AP/contract data.
  • 🚫 Scope line (Richard-confirmed 2026-06-07): monitor systems, vendors, and public product/vendor chatter — never individuals. Public social/forum signal about vendors/products/CVEs (e.g. a Reddit thread about a SaaS breach) is in scope; employee social-media surveillance is OUT (HR/works-council/privacy/defamation landmine).
  • Model signals: drift metrics, eval/red-team webhooks for the AI-governance lens.
  • Signal-to-noise: prioritization + false-positive handling from day one — noisy monitoring is worthless and is where monitoring products die.
  • Explainability: every AI-generated classification carries provenance (why it fired) — buyers will ask "if your AI flags it and I act, show the reasoning."

Go-to-market gates (CTO buyers hold a governance vendor to a higher bar)

  • Our own SOC 2 Type II + a pen test — gates serious deals, not a polish item.
  • Fleet-touch story: agentless / read-only scopes / SSO + SCIM / data residency — be ready for a real security review.
  • Run govrn on govrn — turn the AI-Governance lens on ourselves; self-governance is a credibility requirement.
  • Data portability / exit: clients can export their graph + findings.

Platform

  • Multi-tenant persistence (per mandate #4), auth, per-tenant cost attribution + quotas (LLM-classification COGS is the cost center).
  • Brand: adopt govrn brand tokens (currently brand-neutral skeleton).
  • Cross-tenant benchmarking — valuable, but decide the data-use/consent contract before training on tenant data.

Design partners

  • Grace Hill (real estate; warm CTO; confirmed no governance, actively looking) — first-mover / design partner. Multi-entity estate makes it a strong test of the org-hierarchy mandate.
  • Delta Gamma (existing MCG rationalization engagement) — the assessment→platform upsell path: deliver the engagement, then offer the living dashboard.

Honest non-goals (for now)

Full agentic auto-remediation, employee monitoring, real-time multi-region SaaS, and ISO 27090/27091 conformance claims (those standards aren't final yet) — all explicitly out until the foundation + gates are in.