Skip to main content

Mima AI Governance SDK — runtime attestation, GRC evidence, and compliance testing for AI systems

Project description

mima-governance

Attest AI executions, push GRC evidence records, and run governance policy tests — one call maps to EU AI Act, ISO 42001, SOC 2, and NIST AI RMF simultaneously.

Four frameworks, one attestation call

Framework What it covers
EU AI Act Art. 9–15 (risk management through accuracy), Art. 17 (quality management system), Art. 26 (deployer obligations), Art. 72–73 (post-market monitoring, incident reporting)
ISO 42001 AI management system controls — A.6.x risk treatment, A.9.x performance evaluation
SOC 2 CC3.x risk assessment, CC5.x control activities, CC7.x–CC8.x change and incident management
NIST AI RMF GOVERN, MAP, MEASURE, MANAGE functions

One @mima.attest() call earns controls across whichever frameworks apply — no per-regulation wiring, no separate pipelines. human_oversight earns EUAIA_ART14, EUAIA_ART13, ISO42001_A.6.6, and NIST_AIRF_GOV_1 in a single write. Your readiness score updates across all four.

What mima does not cover: EU AI Act Art. 1–5 (scope and prohibited practices — legal determinations), Art. 51–56 (GPAI obligations — foundation model providers only, not application builders), and Art. 57–101 (regulatory apparatus, conformity assessment, EU database registration). Those require lawyers, structural decisions, or third-party conformity bodies — not SDK calls. mima covers the articles that require technical evidence from code.

No account needed to start

pip install mima-governance
mima init .                             # scan codebase, generate tests/test_governance.py
mima test tests/test_governance.py      # run immediately — no API key, no network

mima scan and mima test are fully local. A Mima account unlocks mima push (evidence records), mima status (readiness scores), and the compliance dashboard.

Install

pip install mima-governance

Quick Start — SDK attestation

from mima_governance import MimaGovernance

mima = MimaGovernance(
    api_key="mima_ext_...",
    system_name="my-ai-pipeline",
)
# workspace_id is resolved automatically from the API key.

# Decorator — wraps a function; every call writes a GRC evidence record
# and maps to applicable controls across EU AI Act, ISO 42001, SOC 2, NIST AI RMF
@mima.attest(tool_name="generate_report")
def generate_report(data):
    return call_llm(data)

Each @mima.attest() call writes a row to v2.grc_evidence_records with source = 'sdk'. The cross-framework control mapping is automatic — the same record that evidences EUAIA_ART13 also earns ISO42001_A.6.2 and the relevant NIST AI RMF function. That compounding is what makes mima different from a per-regulation tool.

Framework Integrations

LangChain

from mima_governance.integrations import MimaLangChainCallback

chain = my_chain.with_config(callbacks=[MimaLangChainCallback(mima)])
# Every LLM call, tool invocation, and chain step is auto-attested

LlamaIndex

from mima_governance.integrations import MimaLlamaIndexHandler
import llama_index.core

llama_index.core.global_handler = MimaLlamaIndexHandler(mima)

Sync vs Batch

# Sync (default) — immediate push, blocks ~50ms
@mima.attest(tool_name="credit_decision")
def decide(app): ...

# Batch — buffered, flushed every 30s or 100 items
@mima.attest(tool_name="classify_email", mode="batch")
def classify(email): ...

Ed25519 Signing

Records are stored as append-only rows in Postgres. Workspace admins can purge records via the dashboard. To detect deletion or tampering in a signed chain, use Ed25519 signing:

from nacl.signing import SigningKey

key = SigningKey.generate()

mima = MimaGovernance(
    api_key="...",
    system_name="...",
    signing_key=key.encode(),  # 32-byte seed
)
# Attestations are cryptographically signed → trust_tier: "verified"
# A deleted or modified record breaks the chain and is detectable

Keep the private key outside the Mima account (local HSM or secrets manager). The signature is stored alongside the record; Mima cannot forge or reconstruct it.

Delegation Chain

from mima_governance import MimaGovernance, AuthorisedBy

mima = MimaGovernance(
    ...,
    authorised_by=AuthorisedBy(
        identity="analyst@corp.com",
        role="credit-analyst",
        session_id="sso_abc123",
    ),
)
# Every attestation records WHO authorised the agent to act

How inferred evidence works

The Mima platform runs a nightly job (03:45 UTC) that reads AI system classifications already in the estate — from cloud integrations and CMDB data you have already connected — and converts them into evidence records with source = 'estate_auto'. No network scanning. No discovery beyond what's already in your connected estate.

What inferred evidence is: the AI risk classification process (tier determination, prohibited-use check) is itself a real risk assessment. It honestly evidences EUAIA_ART9, EUAIA_ART11, and related controls.

What it is not: proof that anyone evaluated model accuracy, governed training data, or operated a human oversight mechanism. The bridge explicitly does not generate model_evaluation, training_data_governance, or human_oversight records — auto-generating those would produce false evidence.

Inferred records are marked "indicative only" in the dashboard until a workspace admin validates the control list. SDK-attested records (source = 'sdk') carry higher weight and are required for formal audit submissions.

Scan limitations

mima scan uses AST-based analysis (with a tokenizer fallback for files that can't be parsed). It correctly detects:

  • Direct usage: openai.chat.completions.create()
  • Aliased imports: from openai import OpenAI; client = OpenAI(); client.chat.completions.create()
  • Constructor-assigned handles: client = OpenAI()client.chat.completions.create()
  • Function-scope attestation: @mima.attest() covers every AI call in the decorated function body, not just the nearest lines

It does not detect:

  • Wrapper abstractions: my_llm.generate() where my_llm is not a direct AI constructor assignment
  • Runtime-constructed calls or non-Python code

When mima scan reports zero unattested calls, the AST scanner found none in reachable call sites — not that none exist. Use --strict as a CI gate; complement with code review for deep wrapper abstractions it cannot reach.

Readiness score — how it's calculated

overall_pct is the minimum across all frameworks with defined controls (weakest-link). If SOC 2 is at 80% and EU AI Act is at 30%, overall_pct is 30. A certification chain is only as strong as its weakest framework; averaging would overstate readiness.

Per-framework score_pct = controls_covered / controls_required × 100.

Credential storage

mima login saves your API key to ~/.mima/config.json with 0o600 permissions (owner read/write only). The file is plaintext — keep your home directory encrypted (FileVault on macOS, LUKS on Linux) if this is a shared or managed machine.

For CI/CD, use environment variables instead of the config file:

export MIMA_API_KEY=mima_ext_...
export MIMA_WORKSPACE_ID=ws-...
mima push change_event \
  --by ci-bot@company.com \
  --description "Deploy v1.2.3" \
  --environment production \
  --system api-service \
  --no-delta   # skip readiness fetch in CI

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mima_governance-0.3.0.tar.gz (135.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mima_governance-0.3.0-py3-none-any.whl (96.3 kB view details)

Uploaded Python 3

File details

Details for the file mima_governance-0.3.0.tar.gz.

File metadata

  • Download URL: mima_governance-0.3.0.tar.gz
  • Upload date:
  • Size: 135.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for mima_governance-0.3.0.tar.gz
Algorithm Hash digest
SHA256 bad9b76016581aebe416123cad6b4c2801d03978fe81ae2d2253e748d4845d0a
MD5 eda23e711fa1e3afcfa672a0381d4a5a
BLAKE2b-256 05bcbfd07f63fa64fa3e1277080d91b2598546d01c5bc608c608474fd8581cdf

See more details on using hashes here.

File details

Details for the file mima_governance-0.3.0-py3-none-any.whl.

File metadata

File hashes

Hashes for mima_governance-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6b90939cc2a5f31445c59a3ab2c93625d5e8474739271b0680742dc4cd2b1266
MD5 95867d1e1b5b76903406283d07fa0c99
BLAKE2b-256 ce7555301fea2a8f3ab36cf4002ec184c68d62f61986f219d37132562ef647e9

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page