# Governance control matrix

Map each AI capability to the controls that make it safe to operate.

## Control rows

- Data access: source class, permission model, retention rule.
- Tool authority: allowed actions, blocked actions, approval threshold.
- Human review: reviewer role, SLA, escalation path.
- Observability: trace fields, dashboards, alert conditions.
- Incident response: containment owner, rollback mechanism, customer communication.

## Operating note

The matrix should be reviewed whenever model provider, prompt, dataset, tool scope, or user group changes.