Home Use Cases Applications Methodology About Contact
AI Governance & Trust

AI in VIGIL —
what it does,
what it cannot.

VIGIL uses artificial intelligence as a precision instrument — structured, bounded, and fully auditable. This policy explains the role of AI in the platform, the architecture that governs it, what it is explicitly prevented from doing, and who is accountable for its outputs.

Effective: 01 July 2026 Last Reviewed: July 2026 Version: 1.0 Owner: ARRC Global
Foundational Position

AI in VIGIL is a structured scoring engine, not a generative oracle. It does not speculate. It does not hallucinate. It derives outputs from evidence anchors selected by trained assessors, weighted by a published methodology, against sources rated for authority and recency. Every output is traceable to its inputs. Every weight is cited to a standard or documented expert panel. That is what responsible AI looks like in a high-stakes assessment context.

01What AI Means in VIGIL

Defining the term accurately

The term "AI" is used broadly across the technology industry — often loosely. This policy uses it precisely. In VIGIL, artificial intelligence refers to the following specific capabilities, and no others:

  • Structured scoring engine. An algorithmic framework that derives quantitative scores (MSI, MCI, MRI) from assessor-selected evidence anchors, applying mission-specific weights documented in the platform's Weight Justification Register.
  • Source intelligence processing. Automated ingestion, classification, and quality rating of open-source intelligence feeds, government data, geopolitical indices, climate datasets, and regional information sources across 400+ monitored sources in 85+ cities. Each source is rated for authority, recency, geographic relevance, and potential bias before it reaches the assessment engine.
  • Pattern recognition for risk trajectory. Longitudinal analysis of site risk environments to calculate Mission Risk Index (MRI) — the 20-year trajectory of the risk landscape around a site. This involves identifying directional trends across threat, infrastructure, climate, and geopolitical data.
  • Automated alert generation. Detection of material changes in a site's monitored risk environment that cross defined thresholds, triggering alerts to platform users without requiring manual review of every data point.

VIGIL does not use large language models (LLMs), generative AI, or probabilistic text generation in any part of its assessment or intelligence pipeline. The distinction matters: generative AI produces plausible outputs. VIGIL's engine produces derived outputs — traceable to specific, named evidence.

02Governing Principles

The rules that govern AI in VIGIL

01
Evidence, not opinion
Every AI-derived output in VIGIL is anchored to named, dated, rated sources. No score is generated without a traceable evidence chain. If the evidence is insufficient, the MCI reflects that — it does not fill gaps with inference.
02
Human accountability
The platform generates scores. Assessors select evidence anchors. Clients make decisions. At every step, a human is accountable. AI in VIGIL augments professional judgement — it does not replace it, and it does not make autonomous decisions.
03
Explainability by design
Every score produced by VIGIL can be decomposed into its component indicators, source weights, and evidence selections. An assessor — or a client's board — can follow the reasoning from finding to evidence in full. There are no black-box outputs.
04
Bounded scope
VIGIL's AI operates within a defined, audited framework of 114 indicators across 6 domains. It does not extrapolate beyond its scope, generate open-ended analysis, or produce outputs outside the structured assessment architecture.
05
No third-party processing
Client data is never transmitted to external AI systems. All processing occurs on ARRC Global's own infrastructure. This is an architectural commitment, not a policy preference — it is built into the platform at the infrastructure level.
06
Honest uncertainty
When evidence is incomplete, VIGIL says so. The Mission Confidence Index exists precisely to make uncertainty visible — a low MCI is not a failure of the system. It is the system working correctly. We do not suppress uncertainty to produce cleaner outputs.
03Architecture — How It Works

The processing pipeline

Understanding how VIGIL's AI components fit into the broader assessment architecture is important for clients who need to evaluate it for procurement or regulatory purposes.

VIGIL AI Processing Architecture — Overview
Layer 1 · Sources
400+ monitored sources — open-source intelligence, government data, geopolitical indices, climate datasets, regional feeds. All hosted and processed on VIGIL infrastructure. No external AI involved.
Layer 2 · Transparency Coefficient Engine ← AI
Rates each source across five dimensions: authority, recency, geographic relevance, independence, and known bias. Produces a source quality weight. Operates fully in-house.
Layer 3 · Assessor Input
Human assessor selects the evidence-backed anchor statement for each of 114 indicators. The assessor observes — the framework scores. No assessor enters a number directly.
Layer 4 · Scoring Engine ← AI
Applies mission-specific weights (from the Weight Justification Register) to anchor selections. Derives MSI, MCI, and MRI indices. All weights cited to published standards or documented expert panels. No black-box calculation.
Layer 5 · MRI Trajectory Engine ← AI
Analyses longitudinal patterns across monitored site environments to project risk trajectory over a 20-year asset lifecycle. Operates on historical and current data held within VIGIL infrastructure.
Layer 6 · Output & Evidence Trail
Structured finding with full decomposition: MSI score and rating, MCI confidence score, MRI trajectory band, domain sub-scores, indicator-level evidence, source citations with dates and quality ratings. Every output is fully auditable.
← AI components highlighted. All processing occurs on ARRC Global's own infrastructure in Germany (Hetzner). No client data leaves this environment.
04What AI Does in VIGIL

Defined functions — exhaustive list

The following is the complete list of functions performed by AI components within the VIGIL platform. AI is used for these functions and no others.

  • Source quality rating. Automated assessment of each intelligence source against five quality dimensions, producing a source weight used in the Transparency Coefficient calculation.
  • Score derivation from anchor selections. Application of methodology weights to assessor-selected evidence anchors to produce numerical scores for each of 114 indicators, six domain scores, and the three composite indices (MSI, MCI, MRI).
  • Mission-specific weight application. Selection and application of the appropriate weight set for the mission type under assessment (data centre, critical infrastructure, commercial, supply chain, etc.).
  • Risk trajectory analysis. Pattern recognition across longitudinal site environment data to calculate the MRI trajectory band and supporting trend indicators.
  • Threshold-based alert generation. Monitoring of site risk environments against defined thresholds; automated alert generation when material changes are detected.
  • Source feed ingestion and classification. Automated processing and categorisation of incoming intelligence feeds by source type, geographic relevance, and thematic domain.
  • Risk register population. Auto-population of the risk register from validated assessment findings, mapped to failure mechanisms and consequence chains.
05What AI Does Not Do

Explicit exclusions

The following functions are explicitly outside the scope of AI in VIGIL. These exclusions are architectural — they are built into how the platform works, not just stated as policy.

  • AI does not select evidence anchors. The assessor selects the anchor statement that matches the observed condition for every indicator. AI applies the weight to that selection — it does not make the selection.
  • AI does not generate narrative text. Assessment reports, condition descriptions, and recommendation narratives are not AI-generated. They are structured outputs derived from assessor selections and framework logic.
  • AI does not make autonomous decisions. No AI component in VIGIL produces a binary go / no-go recommendation without human review. Final assessment verdicts require assessor confirmation before being finalised.
  • AI does not fill evidence gaps with inference. When a data point is unavailable or unverified, the MCI reflects that incompleteness. VIGIL does not substitute inference for missing evidence to produce cleaner scores.
  • AI does not profile individuals. VIGIL is a site assessment platform. Its AI components analyse site environments, not individuals. No AI function in VIGIL produces outputs about the behaviour, characteristics, or risk profile of any individual person.
  • AI does not process data on external systems. No AI function in VIGIL transmits client data, site data, or assessment inputs to any external AI system, cloud AI service, or third-party processing engine.
  • AI does not learn from client data. VIGIL's AI components do not use client-uploaded data or assessment inputs as training data. Client data is used to produce the client's assessment outputs — nothing else.

On hallucination risk. Generative AI systems produce plausible outputs — they can generate confident-sounding findings that are factually incorrect. VIGIL's scoring engine cannot hallucinate: it can only derive outputs from inputs supplied to it. If inputs are incomplete, the MCI scores low. The architecture eliminates the hallucination risk by design, not by instruction.

06No Third-Party AI

An architectural commitment

VIGIL's AI processing is entirely in-house. This is not a preference — it is an infrastructure decision made deliberately and maintained as a core platform requirement.

What this means in practice:

  • No client data, site intelligence, assessment input, or any other data processed by VIGIL is transmitted to OpenAI, Google, Anthropic, Microsoft Azure AI, Amazon Bedrock, or any other external AI provider
  • No VIGIL assessment function relies on an API call to an external AI service
  • All model components, scoring engines, and intelligence processing algorithms are developed, maintained, and operated by ARRC Global on its own infrastructure
  • This commitment applies to all current platform functionality and to all future feature development — any change to this architecture would require explicit policy update and client notification

Why this matters to enterprise clients. Enterprise security buyers increasingly require contractual assurance that their sensitive site and intelligence data is not processed by third-party AI systems — particularly in regulated sectors, government-adjacent work, and critical infrastructure contexts. VIGIL's in-house architecture provides that assurance at the infrastructure level. It is verifiable, not just declarable.

Clients requiring contractual confirmation of this commitment may request the relevant clause in the Data Processing Agreement. Contact contact@arrcglobal.com.

07Human Accountability

Who is responsible for what

AI-generated outputs in VIGIL do not carry autonomous authority. Accountability is structured across three levels:

Level Actor Accountability AI Involved?
Methodology ARRC Global Design of the assessment framework, indicator definitions, weight justification, source quality standards. Annual review and update cycle. No
Evidence selection Assessor (human) Selection of the anchor statement that matches the observed site condition for each of 114 indicators. The assessor is accountable for the accuracy of their observations. No
Score derivation VIGIL engine Mathematical application of weights to anchor selections. Deterministic — same inputs always produce the same output. Fully auditable via Weight Justification Register. Yes
Source rating VIGIL engine Automated quality rating of intelligence sources. Ratings are visible within assessments and can be reviewed and challenged by assessors. Yes
Finding interpretation Client (human) Reading, interpreting, and acting on assessment outputs. Clients are responsible for decisions made on the basis of VIGIL findings. The platform supports decisions — it does not make them. No

VIGIL outputs are analytical findings, not autonomous decisions. No output produced by the VIGIL platform constitutes a professional opinion, legal advice, investment advice, or regulatory determination. Responsibility for decisions made using VIGIL outputs rests with the user and their organisation.

08Bias & Fairness

How we address bias in assessment outputs

All assessment systems — automated or manual — carry the risk of bias. VIGIL's architecture addresses this through structural design rather than post-hoc correction.

  • Methodology bias. Indicator weights are cited to published industry standards, government frameworks, or documented expert panels. No weight is assigned arbitrarily. The Weight Justification Register is the audit trail for every weighting decision. Where weights reflect a particular methodological school, this is documented.
  • Source bias. The Transparency Coefficient engine rates sources for known bias as one of five quality dimensions. State-controlled media is weighted differently from peer-reviewed academic datasets. News sources with documented editorial positions are flagged. Source ratings are visible within assessments.
  • Geographic bias. VIGIL's source library is constructed to provide meaningful coverage across all operating geographies — Asia Pacific, Middle East, South Asia, and Europe. Assessments of sites in markets with lower data availability receive lower MCI scores reflecting that reduced coverage, not artificially inflated scores that conceal the gap.
  • Assessor consistency. The anchor statement methodology is designed to produce consistent results across assessors. Two trained assessors working independently on the same site against the same evidence base will produce the same score. This eliminates the assessor-dependent variability that is the primary source of bias in conventional consulting assessments.

ARRC Global reviews the methodology annually for structural bias and updates weights, indicator definitions, and source ratings where evidence warrants. Clients who identify a potential bias in VIGIL's outputs are encouraged to raise it directly — we treat such challenges seriously and will investigate and respond formally.

09Auditability & Explainability

Following the reasoning from output to evidence

VIGIL's governance position on AI is that every output must be fully explainable — to the assessor, to the client, to a board, to a regulator, and to an insurer — without requiring access to proprietary algorithms or black-box systems.

Every VIGIL assessment output includes:

  • Composite indices — MSI, MCI, and MRI values with rating bands and interpretive labels
  • Domain sub-scores — breakdown across the six assessment domains (Mission Alignment, Environmental, Supply & Infrastructure, Security & Threat, Legal & Regulatory, Lifecycle Resilience)
  • Indicator-level detail — the specific anchor statement selected for each of 114 indicators, with the associated score and weight
  • Source citations — named sources supporting each indicator, with dates, quality ratings, and geographic relevance scores
  • Weight justification references — citations to the published standard or expert panel documentation underpinning each weight
  • MCI decomposition — the specific sources that were verified, unverified, or flagged, explaining why the MCI scored as it did

This evidence trail is the complete audit record of the assessment. When a finding is challenged — by a board, an insurer, a regulator, or a counter-party — the response is not a restatement of the score. It is the evidence itself.

10Data Used to Train & Operate

What data the AI uses and how

Training data. VIGIL's AI components were developed and trained using publicly available datasets, licensed data sources, proprietary ARRC Global research, and anonymised historical assessment data from ARRC Global's consulting practice. No client data submitted through the VIGIL platform has been or will be used as training data.

Operational data. In live operation, VIGIL's AI components process the following data types:

  • Open-source intelligence feeds from monitored public sources
  • Licensed data from geopolitical risk, climate, and infrastructure providers
  • Assessor-selected evidence anchors for the current assessment session
  • Historical site environment data stored within the platform for MRI trajectory calculation

Client data isolation. Client-uploaded data — site documents, internal intelligence, proprietary information — is used exclusively to produce outputs for that client's assessment. It is not used to train or improve any AI component, shared across client boundaries, or retained beyond the periods specified in the Data Processing Agreement.

Model updates. When VIGIL's AI components are updated or retrained, ARRC Global will communicate material changes to registered clients through the platform and update this policy accordingly. Clients will be notified of any change that affects the scoring architecture or could produce materially different outputs from the same inputs.

11Regulatory Alignment

How VIGIL's AI governance maps to applicable frameworks

VIGIL's AI governance approach is designed to be compatible with the major AI regulatory frameworks that apply to enterprise technology operating in ARRC Global's markets. This is a design objective, not a certification claim.

Framework Jurisdiction VIGIL's Position
EU AI Act European Union VIGIL's assessment functions are structured algorithmic tools, not general-purpose AI or prohibited AI systems. The platform is designed to be compatible with transparency, human oversight, and explainability requirements applicable to high-risk AI systems in relevant sectors.
India DPDP Act 2023 India VIGIL does not conduct automated profiling of individuals. AI functions process site environment data, not personal data. The platform's data minimisation and human accountability architecture supports DPDP compliance.
NIST AI RMF United States (reference) VIGIL's governance structure maps to the NIST AI Risk Management Framework's four functions: Govern, Map, Measure, Manage. Applicable for clients in US-adjacent regulatory environments or those applying NIST frameworks voluntarily.
Singapore MAS TRM Singapore For financial sector clients in Singapore, VIGIL's explainability, human oversight, and data governance architecture is designed to support MAS Technology Risk Management guideline compliance for AI-assisted decision support tools.
ISO/IEC 42001 International AI Management System standard. VIGIL's governance framework is designed to be compatible with ISO 42001 requirements. Formal certification is on the roadmap as part of Phase 4 of the security assurance programme.

Clients operating in regulated sectors — financial services, critical national infrastructure, government — who require formal mapping of VIGIL's AI governance to a specific regulatory framework should contact us to discuss their requirements. We will provide written documentation of VIGIL's AI architecture relative to the applicable framework.

12Governance & Review

How this policy is maintained

  • Owner. This policy is owned by Anshin Risk and Resilience Consulting Private Limited (ARRC Global) and is the direct accountability of the founding practitioner.
  • Review cycle. This policy is reviewed annually and updated whenever a material change to VIGIL's AI architecture, methodology, or applicable regulatory framework requires it. The version number and review date at the top of this page reflect the most recent revision.
  • Client notification. Material changes to this policy — particularly changes to the AI architecture, data usage, or accountability framework — will be communicated to registered clients by email at least 14 days before taking effect.
  • Methodology review. The VIGIL assessment methodology — including indicator definitions, weight justifications, and source quality standards — is reviewed annually by ARRC Global and updated to reflect changes in risk environments, published standards, and expert panel guidance. Methodology version history is maintained internally.
  • External audit. VIGIL's AI components and governance framework are subject to periodic review as part of the platform's broader security assurance programme, including VAPT and, in due course, ISO 27001 and ISO 42001 audit processes. Audit findings relevant to the AI governance framework will be reflected in policy updates.
  • Feedback and challenge. Clients, assessors, and researchers who identify concerns about VIGIL's AI governance, bias in outputs, or discrepancies between this policy and observed platform behaviour are encouraged to raise them directly. All challenges will receive a substantive written response.
13Contact

Questions about AI governance in VIGIL

For questions about how AI operates in VIGIL, regulatory mapping requests, contractual confirmation of AI architecture commitments, or challenges to AI outputs, contact us directly.

AI Governance Enquiries
Email contact@arrcglobal.com
Subject AI Governance — [your enquiry topic]
Entity Anshin Risk and Resilience Consulting Private Limited · Trading as ARRC Global
Response Substantive response within 10 business days. Regulatory mapping requests may require up to 20 business days.

For privacy and data handling enquiries, refer to our Privacy Policy. For platform terms, refer to our Terms of Use. For security vulnerabilities, refer to our Responsible Disclosure Policy.