Keys never leave your machine

FS AI RMF change-control checklist

Twelve questions covering the SDLC slice that FS AI RMF reviewers ask about when Copilot, Cursor, or agent tools merge changes to protected branches. Results are email-gated and indicate voluntary readiness, not certification. Feedback welcome.

Voluntary self-assessment for SDLC and audit-trail themes only — not all 230 FS AI RMF control objectives.

1. Can you attribute each merged PR to a declared human or agent actor?
2. Are agent-assisted changes to protected branches blocked when provenance is missing?
3. Can an assessor verify change evidence offline, without trusting your platform?
4. Do you maintain a registry of approved agents and tools that may author production code?
5. For payments or ledger paths, are changes gated before merge?
6. Has a bank, auditor, or enterprise counterparty asked about evidence for AI-authored code?
7. Can you export a machine-readable audit ledger for a review period?
8. Are post-commit edits that break envelope integrity detected in CI?
9. Is agent tool identity (Cursor, Copilot, Claude Code, etc.) captured at commit time?
10. Do you map change evidence to FS AI RMF or PCI change-control language for procurement?
11. For agent payment or spend mandates, is human approval recorded with offline verification?
12. Could you run warn-mode provenance on two protected branches within 30 days?
