User Guide
Getting started
Go to autogovern.io/app — the Governance Workbench. No sign-up is required for any tool there; it's free to use and runs immediately. A short onboarding flow asks three quick questions (what kind of AI system, what area it operates in, what you want to do first) and jumps you straight to the most relevant tool. You can always skip it and browse all 22 tools yourself.
The four Workbench journeys
The 22 tools are grouped into four outcome-oriented journeys in the left-hand nav, in the order most people actually use them:
1. Assess & approve an AI system
Start here for any single system you're evaluating. System Intake classifies its EU AI Act risk tier and maps the exact obligations that apply; Fairness Scanner, Drift & Data Quality, and the Doc Gap Scanner each analyze real data or documentation you provide (entirely in your browser); LLM Safety Check probes for prompt-injection weaknesses; the Governance Copilot answers questions about your results; and Reg Timeline, Art. 50 Transparency, Model Risk Mgmt, Fair Lending, and FS AI RMF & Resilience cover specific regulatory angles depending on your sector.
2. Build my governance program
Once you're assessing more than one system, these tools build reusable, org-wide artifacts: AI Org Governance generates a full governance charter and working plan; Model Card Gen produces Annex IV documentation; Compliance Crosswalk lets you answer a control question once and see it satisfy every framework it maps to; Vendor Answer Pack does the same for vendor due-diligence questionnaires, so you fill it out once and reuse it everywhere.
3. Continuously govern production AI
For systems already live: the Governance Agent runs an autonomous Observe→Think→Act→Evaluate remediation loop; the Agent Control Plane governs runtime actions in real time (allow/review/deny, with a tamper-evident, hash-chained ledger and a kill switch); Incident Intelligence matches your system's profile against a database of real, documented AI failures; and Regulatory Watch surfaces candidate regulatory changes for you to review and approve into your Regulatory Horizon.
4. Prepare for audit or executive review
The Compliance Dossier compiles everything into a single exportable report with a prioritized remediation roadmap; the AI Registry lists every system, deadline, and control across your program; Regulatory Horizon shows what's changing that affects you, with countdowns and concrete next actions.
Data-flow badges
Every tool is tagged with exactly where its data goes — hover any badge in the Workbench for the full detail. See the Methodology page for which specific tools fall into each category:
Local-only means the analysis runs entirely in your browser — nothing is uploaded. AutoGovern-hosted means the result is saved to our database (so you can revisit or export it). Third-party AI processing (Governance Copilot, Governance Agent) means your question or assessment context is sent to a configured LLM provider to generate a response. Air-gapped / CLI-only applies to the downloadable Aegis and Pulse scanners — see §6.
Organization accounts
Every free tool works with zero sign-up. Creating an account at /account is entirely optional, for teams who want:
- A shared organization that multiple people can belong to
- Member roles (owner, admin, member, viewer)
- An audit log of sign-ins and account activity
To create one: go to /account, choose "Create Account", and enter an organization name, your email, and a password (at least 10 characters). You're automatically made the organization's owner. Sign in any time afterward from the same page, or from the "Account" link in the header.
As an owner or admin, you can invite teammates from the same page: enter their email and a role (member, admin, or viewer) and send. They get a link to accept — if they already have an autogovern.io account they just sign in; if not, they set a password to create one. If you belong to more than one organization, a switcher appears automatically so you can move between them.
Anything you save while signed in — a registered AI system, a saved assessment, a Compliance Crosswalk report, or a Vendor Answer Pack — is tagged to your organization and listed on the account page. A registered AI system is additionally kept out of the public Workbench registry that unregistered visitors see (assessments, crosswalk reports and vendor packs were never public either way — they're only ever reachable by their private share link).
Owners and admins can change any other member's role or remove them from the member list; only an owner can promote someone to owner, change another owner's role, or remove an owner. An organization always keeps at least one owner. Anyone can leave an organization themselves at any time.
AI Inventory & relationships
From the account page, signed-in members can register the models, agents, prompts, tools, MCP servers, datasets, vendors, business processes, and deployments their systems actually use, then link a system to each one it depends on. This lets you trace any registered system to its full dependency graph — its models, tools, prompts, and datasets — from one place, rather than keeping that knowledge in someone's head. Registering an asset with a name that closely matches an existing one of the same kind is flagged (not blocked) so you can catch accidental duplicates — the same check applies to systems in the AI Registry.
A relationship isn't limited to system→asset — either side of the "Link" form can be a system or an asset, so you can also link two assets directly (an agent that delegates to another agent, a tool that's provided by a vendor, and so on), building out a fuller dependency graph than just what each system touches.
Systems now support the full lifecycle (proposed → experiment → design → development → testing → validation → awaiting approval → approved → production → suspended → retired), and any system registered without an owner email is flagged with a warning on the account page so it doesn't get lost.
The Workbench's background reassessment process — which already re-checked regulatory obligations and evidence coverage on a schedule — now also watches for drift in a system's own details (vendor, geography, autonomy, jurisdictions, lifecycle stage) and in the assets linked to it (a model's version changing, a tool or dataset's configuration changing). Anything it finds shows up in that system's reassessment history in the Workbench.
Owners and admins can export their organization's entire inventory (every system, asset, and relationship) as a single file from the account page, and import one back in — including into a different organization, which always creates fresh records rather than overwriting anything.
Controls Register & evidence packages
Open any system in the Workbench's AI Registry (Tool 21) and scroll to Controls Register to define what should be tested, how often, and who gets escalated to if it fails — a control's title, category (model/LLM, agentic, data, or operational), a test cadence in days, and an optional escalation email. Run the relevant Workbench tool yourself (the Fairness Scanner for a bias control, Drift & Data Quality for a drift control, LLM Safety Check for a prompt-injection/jailbreak control, and so on) and log what it found with one click — Log pass or Log fail.
A control that's logged as failing, or that's gone past its own test cadence without a fresh result (overdue), elevates that system's residual risk — shown as a banner at the top of the system record, recomputed automatically every time the background reassessment daemon runs (every 6 hours), not just when you happen to look. A failing control also raises the reassessment alert level to critical, which — if the system has an owner email or the control has an escalation contact — sends a one-time email the moment it newly becomes critical (it won't re-send on every run while the issue is still open).
Click Generate evidence package to compile a system's obligations, evidence coverage, controls register, and recent reassessment history into one signed bundle — cryptographically signed with the same key that signs Trust Passports, so anyone can fetch it back by its link and see it re-verify the signature, not just trust that the JSON hasn't been edited.
Trust Passport
Once you've saved a Compliance Dossier, you can mint a Trust Passport — a cryptographically signed, publicly verifiable summary of your system's risk tier, readiness score, and governance checks. Anyone with the link (or the embeddable badge) can verify it was genuinely issued by autogovern.io and hasn't been altered, without needing an account of their own. Issue one from the Compliance Dossier panel; verify any passport at /passport/:id.
Aegis & Pulse (free downloads)
Aegis is a free, standalone security scanner (macOS/Windows/Linux) that finds real misconfigurations on your machine — fully offline, air-gapped by default. Pulse is a free command-line tool that re-ranks your existing vulnerability report (or scans a path directly) against live CISA-KEV and EPSS exploit data, so you can tell which CVEs are actually being exploited. Both are downloadable from the homepage (Aegis, Pulse) with no account required.
Learn more
- Methodology & Scoring — the exact formulas behind every score and classification.
- Privacy Policy, Data Processing Addendum, Terms of Service.
- Questions: governance@autogovern.io.