## Run Locally (Windows)

```powershell
$env:PYTHONPATH = "$PWD"
jupyter notebook
```

## 1. Purpose

**What Shifts:**
- From: M4.1 — Model Cards & AI Governance
- To: M4.2 — Vendor Risk Assessment

**Why This Bridge Matters:**
M4.1 established your internal AI governance infrastructure (model documentation, bias detection, HITL systems, governance committees). Now you need to extend governance **outward** to evaluate third-party vendors in your RAG stack. M4.2 introduces systematic vendor evaluation frameworks to assess security, privacy, compliance, and reliability of external dependencies like OpenAI, Pinecone, AWS, and Datadog.

**Bridge Type:** Readiness Validation

## 2. Concepts Covered

**New Concepts in M4.2:**
- **Vendor Evaluation Matrix** — 5-category weighted scoring system for systematic vendor assessment
- **Security Risk Scoring** — SOC 2 compliance, penetration testing, incident history assessment
- **Privacy Risk Scoring** — GDPR compliance, data handling practices, subprocessor management
- **Compliance Category Scoring** — Certifications, regulatory alignment, audit trail maintenance
- **Reliability Metrics** — Uptime SLA tracking, disaster recovery capabilities, support responsiveness
- **Data Residency Assessment** — Multi-region support, jurisdiction compliance verification
- **Automated DPA Review Tool** — Validates 12 essential GDPR Article 28 clauses in Data Processing Agreements
- **Subprocessor Registry** — Tracks vendor dependency chains and vendor-of-vendor relationships
- **Continuous Vendor Monitoring** — Automated tracking of certification expiration, uptime, incidents, term changes

**Building On:**
- M4.1 established: Internal governance (model cards, bias detection, HITL, committees)
- M4.2 extends: External governance (vendor evaluation, DPA review, continuous monitoring)

## 3. After Completing This Bridge

**You Will Be Able To:**
- ✓ Verify completion of M4.1 internal governance artifacts (model cards, governance docs)
- ✓ Confirm understanding of governance frameworks (NIST AI RMF, EU AI Act)
- ✓ Validate environment readiness for vendor risk assessment workflows
- ✓ Identify gaps between internal governance and external vendor evaluation needs

**Pass Criteria:**
- All 4 checks pass (✓)
- No critical gaps (✗)
- Ready for M4.2 content (vendor evaluation frameworks)

## 4. Context in Track

**Position:** Bridge L3.M4.1 → L3.M4.2

**Learning Journey:**
```
L3.M4.1 ────────[THIS BRIDGE]────────→ L3.M4.2
Internal Governance    Validation    Vendor Risk Assessment
(Model Cards, HITL)                  (Vendor Eval, DPA Review)
```

**Time Estimate:** 15-30 minutes

## Recap: What You Built in M4.1

In M4.1, you established comprehensive **internal AI governance infrastructure** for your RAG systems:

**Key Deliverables:**
- **Model Card System** — Documented model metadata, performance metrics, bias assessment, and intended use cases
- **Bias Detection Pipeline** — Implemented demographic parity checks, equalized odds testing, and fairness metrics
- **Human-in-the-Loop (HITL) Workflows** — Built review queues for low-confidence predictions with PostgreSQL-backed task management
- **Governance Committee Structure** — Established cross-functional oversight (Legal, Engineering, Product, Compliance)
- **Compliance Framework Alignment** — Mapped controls to NIST AI Risk Management Framework and EU AI Act requirements

**What This Means:**
You now have internal controls for **your own AI systems**. M4.2 extends this governance to **third-party vendors** powering your RAG stack (LLMs, vector databases, cloud infrastructure).

## Readiness Check #1: Model Card Artifacts

**What This Validates:** Completion of M4.1 model documentation system

**Pass Criteria:**
- ✓ Model card file exists in expected location
- ✓ Card contains required sections (metadata, performance, bias assessment, intended use)
- ✓ Bias metrics are documented
- ✓ Governance approval is recorded

In [None]:
# Check #1: Model Card Artifacts
from pathlib import Path
import json

model_card_path = Path("model_cards/rag_model_card.json")
required_sections = ["metadata", "performance", "bias_assessment", "intended_use"]

if not model_card_path.exists():
    print("✗ Check #1 FAILED: Missing model card")
    print(f"   Expected: {model_card_path}")
    print("   Fix: Complete M4.1 model card exercise")
else:
    try:
        with open(model_card_path, encoding="utf-8") as f:
            card_data = json.load(f)
    except json.JSONDecodeError as e:
        card_data = None
        print(f"✗ Check #1 FAILED: Model card is not valid JSON ({e})")

    if card_data is not None:
        if not isinstance(card_data, dict):
            print("✗ Check #1 FAILED: Model card must be a JSON object at the top level")
        else:
            # A section that exists but is empty does not count as documented
            missing = [s for s in required_sections if not card_data.get(s)]
            if missing:
                print(f"✗ Check #1 FAILED: Missing or empty sections {missing}")
            else:
                print("✓ Check #1 PASSED: Model card complete")
                # Key name assumed here; adjust to the field your M4.1 card uses
                if not card_data.get("governance_approval"):
                    print("   Note: no governance approval recorded in the card")

# Expected: ✓ Check #1 PASSED: Model card complete

## Readiness Check #2: Governance Framework Documentation

**What This Validates:** Governance committee structure and compliance framework from M4.1

**Pass Criteria:**
- ✓ Governance committee charter exists
- ✓ Committee includes cross-functional roles (Legal, Engineering, Product, Compliance)
- ✓ NIST AI RMF mapping document exists
- ✓ EU AI Act alignment document exists

In [None]:
# Check #2: Governance Framework Documentation
from pathlib import Path

required_docs = {
    "governance/committee_charter.md": "Governance committee charter",
    "governance/nist_ai_rmf_mapping.md": "NIST AI RMF mapping",
    "governance/eu_ai_act_alignment.md": "EU AI Act alignment",
}
required_roles = ["Legal", "Engineering", "Product", "Compliance"]

all_passed = True
for doc_path, doc_name in required_docs.items():
    if not Path(doc_path).exists():
        print(f"✗ Missing: {doc_name}")
        print(f"   Expected: {doc_path}")
        all_passed = False

# The charter must name each cross-functional role (case-insensitive match)
charter = Path("governance/committee_charter.md")
if charter.exists():
    charter_text = charter.read_text(encoding="utf-8").lower()
    missing_roles = [r for r in required_roles if r.lower() not in charter_text]
    if missing_roles:
        print(f"✗ Charter does not mention roles: {missing_roles}")
        all_passed = False

if all_passed:
    print("✓ Check #2 PASSED: Governance framework complete")
else:
    print("\n✗ Check #2 FAILED")
    print("   Fix: Complete M4.1 governance documentation")

# Expected: ✓ Check #2 PASSED: Governance framework complete

## Readiness Check #3: Conceptual Understanding

**What This Validates:** Understanding of M4.1 governance concepts before extending to vendors

**Pass Criteria:**
- ✓ Can explain purpose of model cards
- ✓ Can describe bias detection metrics (demographic parity, equalized odds)
- ✓ Can explain HITL workflow components
- ✓ Can articulate difference between NIST AI RMF and EU AI Act

In [None]:
# Check #3: Conceptual Understanding
readiness_questions = [
    "Q1: What sections must a model card include for AI governance?",
    "Q2: What is demographic parity in bias detection?",
    "Q3: What triggers a prediction to enter the HITL review queue?",
    "Q4: How does NIST AI RMF differ from EU AI Act requirements?",
]

print("Verify your M4.1 understanding by answering these:\n")
for q in readiness_questions:
    print(f"   {q}")

print("\n✓ Check #3 PASSED if you can clearly answer all questions")
print("\n✗ If uncertain, review M4.1 conceptual materials before M4.2")

# Expected: Clear answers to all 4 questions
# Example answers:
# Q1: metadata, performance, bias_assessment, intended_use, limitations
# Q2: Equal positive outcome rates across demographic groups
# Q3: Confidence score below threshold (e.g., <0.75)
# Q4: NIST AI RMF = voluntary risk-management framework (Govern, Map, Measure, Manage); EU AI Act = binding regulation with risk-tiered legal obligations
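
The Q2 and Q3 answers above, worked in code on a small constructed dataset. This is an added example, not a cell from the original M4.1 notebook; the sample rows, the group labels and the 0.75 threshold are illustrative assumptions.

```python
# Added example (not part of the original notebook): demographic parity,
# equalized odds and the HITL routing rule from Q2/Q3 on constructed data.
from collections import defaultdict

# Constructed sample: (demographic group, true label, predicted label, confidence)
SAMPLE = [
    ("A", 1, 1, 0.92), ("A", 0, 0, 0.88), ("A", 1, 1, 0.71), ("A", 0, 1, 0.60),
    ("A", 1, 0, 0.55), ("B", 1, 1, 0.95), ("B", 0, 0, 0.81), ("B", 0, 0, 0.77),
    ("B", 1, 0, 0.64), ("B", 0, 0, 0.90),
]


def demographic_parity(rows):
    """Positive-prediction rate per group and the largest gap between groups."""
    counts = defaultdict(lambda: [0, 0])  # group -> [positives, total]
    for group, _, y_pred, _ in rows:
        counts[group][0] += y_pred
        counts[group][1] += 1
    rates = {g: pos / tot for g, (pos, tot) in counts.items()}
    return rates, max(rates.values()) - min(rates.values())


def equalized_odds(rows):
    """Per-group (TPR, FPR) plus the TPR gap and FPR gap across groups.

    Equalized odds holds when both gaps are close to zero: the model is
    equally good at catching positives and equally prone to false alarms
    regardless of group.
    """
    tallies = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for group, y_true, y_pred, _ in rows:
        key = ("tp" if y_pred else "fn") if y_true else ("fp" if y_pred else "tn")
        tallies[group][key] += 1
    out = {}
    for g, t in tallies.items():
        positives = t["tp"] + t["fn"]
        negatives = t["fp"] + t["tn"]
        tpr = t["tp"] / positives if positives else 0.0
        fpr = t["fp"] / negatives if negatives else 0.0
        out[g] = (tpr, fpr)
    tprs = [v[0] for v in out.values()]
    fprs = [v[1] for v in out.values()]
    return out, max(tprs) - min(tprs), max(fprs) - min(fprs)


HITL_THRESHOLD = 0.75  # assumption: the threshold used in the Q3 example answer


def hitl_queue(rows, threshold=HITL_THRESHOLD):
    """Indices of predictions routed to human review (confidence below threshold)."""
    return [i for i, (_, _, _, conf) in enumerate(rows) if conf < threshold]


if __name__ == "__main__":
    rates, dp_gap = demographic_parity(SAMPLE)
    print(f"positive rates {rates}, demographic parity gap {dp_gap:.2f}")
    per_group, tpr_gap, fpr_gap = equalized_odds(SAMPLE)
    print(f"TPR/FPR {per_group}, TPR gap {tpr_gap:.2f}, FPR gap {fpr_gap:.2f}")
    print(f"rows sent to HITL queue: {hitl_queue(SAMPLE)}")
```

On this sample group A receives positive predictions at 60% versus 20% for group B, a 0.40 parity gap, and the FPR gap of 0.50 shows the disparity is driven by false positives in group A rather than by missed positives. Four rows fall under the 0.75 confidence threshold and would land in the review queue.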

## Readiness Check #4: Environment Setup for M4.2

**What This Validates:** Python environment is ready for vendor risk assessment tools

**Pass Criteria:**
- ✓ Python 3.9+ installed
- ✓ Required third-party packages available (pandas, requests); json and pathlib ship with Python
- ✓ Jupyter environment functional
- ✓ File I/O permissions verified

In [None]:
# Check #4: Environment Setup
import sys
import importlib
from pathlib import Path

all_passed = True

# Python 3.9+ is a pass criterion, so test the version rather than only printing it
print(f"Python version: {sys.version}")
if sys.version_info < (3, 9):
    print("✗ Python 3.9+ required")
    all_passed = False

# Third-party packages used by the M4.2 tooling. json and pathlib are part of
# the standard library and cannot be missing, so they are not checked here.
required_packages = ["pandas", "requests"]
for pkg in required_packages:
    try:
        importlib.import_module(pkg)
        print(f"✓ {pkg} available")
    except ImportError:
        print(f"✗ {pkg} missing")
        print(f"   Fix: pip install {pkg}")
        all_passed = False

# File I/O: write, read back and delete a scratch file in the working directory
test_file = Path("test_write.tmp")
try:
    test_file.write_text("test", encoding="utf-8")
    if test_file.read_text(encoding="utf-8") != "test":
        raise OSError("read-back mismatch")
    print("✓ File I/O functional")
except OSError as e:
    print(f"✗ File I/O failed: {e}")
    all_passed = False
finally:
    test_file.unlink(missing_ok=True)

if all_passed:
    print("\n✓ Check #4 PASSED: Environment ready for M4.2")
else:
    print("\n✗ Check #4 FAILED: Fix the items above before starting M4.2")

# Expected: ✓ Check #4 PASSED: Environment ready for M4.2

## Call-Forward: What's Next in M4.2

**Module M4.2 Will Cover:**

**1. Vendor Evaluation Matrix**
- Weighted scoring across 5 categories: Security (30%), Privacy (25%), Compliance (20%), Reliability (15%), Data Residency (10%)
- Assess vendors like OpenAI, Pinecone, AWS, Datadog against enterprise risk criteria
- Generate executive-ready risk scores for vendor approval decisions
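
The weighted scoring behind the matrix, as an added example rather than the course's own M4.2 tool. It uses the five weights stated above; the 0-100 category scale, the per-category floor that forces a manual review regardless of the weighted total, and the two placeholder vendors with made-up scores are assumptions for illustration only.

```python
# Added example (not the course's vendor evaluation tool): weighted vendor
# scoring with the category weights from the M4.2 outline.
WEIGHTS = {
    "security": 0.30,
    "privacy": 0.25,
    "compliance": 0.20,
    "reliability": 0.15,
    "data_residency": 0.10,
}
CATEGORY_FLOOR = 50  # assumption: a category below this blocks automatic approval


def validate_weights(weights):
    """Weights must cover every category and sum to 1.0."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights must sum to 1.0, got {total}")


def weighted_score(scores, weights=WEIGHTS, floor=CATEGORY_FLOOR):
    """Return (weighted total, categories below the floor) for one vendor.

    Scores are assumed to be on a 0-100 scale per category.
    """
    validate_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"missing category scores: {sorted(missing)}")
    for category, value in scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{category} score {value} outside 0-100")
    total = sum(scores[c] * w for c, w in weights.items())
    below_floor = sorted(c for c in weights if scores[c] < floor)
    return round(total, 2), below_floor


def rank_vendors(vendor_scores):
    """Rank vendors by weighted score; a floor breach downgrades the verdict.

    A high total can hide a single unacceptable category (for example strong
    security but no usable data-residency option), which is why the floor is
    checked separately from the weighted sum.
    """
    rows = []
    for name, scores in vendor_scores.items():
        total, breaches = weighted_score(scores)
        verdict = "REVIEW" if breaches else "APPROVE"
        rows.append((name, total, verdict, breaches))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scores for two placeholder vendors; not assessments of any real company.
SAMPLE_VENDORS = {
    "llm_provider": {"security": 85, "privacy": 70, "compliance": 80,
                     "reliability": 90, "data_residency": 40},
    "vector_db": {"security": 75, "privacy": 80, "compliance": 70,
                  "reliability": 85, "data_residency": 90},
}

if __name__ == "__main__":
    for name, total, verdict, breaches in rank_vendors(SAMPLE_VENDORS):
        print(f"{name:<14} {total:6.2f}  {verdict}  {breaches}")
```

The weighted total alone would rank the two placeholders within two points of each other; the floor check is what surfaces that the first one scores 40 on data residency and needs a human decision.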

**2. Automated DPA Review Tool**
- Validate 12 essential GDPR Article 28 clauses in Data Processing Agreements
- Check for: subprocessor approval, data deletion procedures, security measures, breach notification timelines, audit rights
- Flag missing or non-compliant clauses automatically
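
A minimal clause checker for the five Article 28 items named above, run over a constructed DPA excerpt. This is an added example, not the course's DPA review tool: the regular expressions, the 48-hour ceiling for processor breach notice, and the sample contract text are all assumptions, and the 12-clause list M4.2 uses is not reproduced here.

```python
# Added example (not the course's DPA review tool): regex triage of a DPA for
# the five clauses named in the M4.2 outline, with a timeline check on breach notice.
import re

# Clause -> pattern that must match somewhere in the whitespace-collapsed text.
# Patterns are illustrative; a real tool would carry one per Article 28(3) item.
CLAUSE_PATTERNS = {
    "subprocessor_approval": r"sub-?processors?.{0,80}(authori[sz]ation|consent|approval)"
                             r"|(authori[sz]ation|consent|approval).{0,80}sub-?processors?",
    "data_deletion": r"(delet|eras|return)\w*.{0,120}(end|termination|expiry)\s+of",
    "security_measures": r"technical\s+and\s+organi[sz]ational\s+measures|article\s+32",
    "breach_notification": r"(personal\s+data|security)\s+breach.{0,160}"
                           r"(without\s+undue\s+delay|within\s+\d+\s+hours)",
    "audit_rights": r"audits?\b.{0,120}\bcontroller\b",
}
MAX_BREACH_HOURS = 48  # assumption: internal policy ceiling for processor-to-controller notice


def review_dpa(text):
    """Return {clause: status}; status is 'present', 'missing', or a finding."""
    flat = " ".join(text.split())  # collapse line breaks so patterns span lines
    results = {}
    for clause, pattern in CLAUSE_PATTERNS.items():
        results[clause] = "present" if re.search(pattern, flat, re.I) else "missing"
    # A clause can be present yet unacceptable: check the stated notice window
    hours = re.search(r"breach.{0,160}?within\s+(\d+)\s+hours", flat, re.I)
    if hours and int(hours.group(1)) > MAX_BREACH_HOURS:
        results["breach_notification"] = (
            f"too slow: {hours.group(1)}h > {MAX_BREACH_HOURS}h")
    return results


def findings(results):
    """Clauses that are missing or carry a finding, in review order."""
    return [clause for clause, status in results.items() if status != "present"]


# Constructed DPA excerpt: no deletion/return clause, 72-hour breach notice.
SAMPLE_DPA = """
3. Subprocessors. Processor shall not engage any sub-processor without the prior
written authorisation of the Controller.
5. Security. Processor shall implement appropriate technical and organisational
measures as required by Article 32 GDPR.
7. Personal Data Breach. Processor shall notify Controller of any personal data
breach within 72 hours of becoming aware of it.
9. Audits. Processor shall make available all information necessary to demonstrate
compliance and allow for audits conducted by the Controller.
"""

if __name__ == "__main__":
    report = review_dpa(SAMPLE_DPA)
    for clause, status in report.items():
        print(f"{clause:<24} {status}")
    print("needs attention:", findings(report))
```

Keyword matching is a triage aid, not a legal review: it catches an absent clause and an obviously weak number, but a clause that is present and worded badly still needs a human reader. Treat every "present" as "found something to read", not "compliant".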

**3. Subprocessor Tracking System**
- Map complete vendor dependency chains (vendor-of-vendor relationships)
- Alert on unauthorized subprocessor additions
- Maintain compliance documentation for audit trails
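
The registry and the unauthorized-addition alert, as an added example and not the course's tracking system. The registry maps each party to the subprocessors it discloses; the chain walk is a cycle-safe breadth-first search, and the alert is a diff of the reachable set against an approved list plus a diff between two registry snapshots. All vendor names are constructed placeholders.

```python
# Added example (not the course's subprocessor tracking system): vendor-of-vendor
# chains, unapproved subprocessors, and change detection between snapshots.
from collections import deque

# Constructed registry: party -> subprocessors that party discloses.
REGISTRY = {
    "llm_provider": ["cloud_host_a", "support_ticketing"],
    "vector_db": ["cloud_host_b", "metrics_saas"],
    "cloud_host_a": ["cdn_vendor"],
    "metrics_saas": ["cloud_host_a"],
}
# Constructed earlier snapshot: vector_db had not yet added metrics_saas.
PREVIOUS_REGISTRY = {
    "llm_provider": ["cloud_host_a", "support_ticketing"],
    "vector_db": ["cloud_host_b"],
    "cloud_host_a": ["cdn_vendor"],
}
DIRECT_VENDORS = ["llm_provider", "vector_db"]
APPROVED = {"cloud_host_a", "cloud_host_b", "cdn_vendor", "support_ticketing"}


def dependency_chain(vendor, registry=REGISTRY):
    """Every subprocessor reachable from `vendor` as (name, depth), BFS order.

    `seen` guards against cycles (two parties that use each other), which
    otherwise loop forever in a naive walk.
    """
    seen, order = {vendor}, []
    queue = deque([(vendor, 0)])
    while queue:
        node, depth = queue.popleft()
        for sub in registry.get(node, []):
            if sub not in seen:
                seen.add(sub)
                order.append((sub, depth + 1))
                queue.append((sub, depth + 1))
    return order


def unauthorized_subprocessors(direct_vendors=DIRECT_VENDORS, approved=APPROVED,
                               registry=REGISTRY):
    """Map each unapproved party in any chain to the direct vendor(s) pulling it in."""
    alerts = {}
    for vendor in direct_vendors:
        for sub, _ in dependency_chain(vendor, registry):
            if sub not in approved:
                alerts.setdefault(sub, []).append(vendor)
    return alerts


def registry_changes(old, new):
    """Subprocessors added or removed per party between two registry snapshots."""
    changes = {}
    for party in sorted(set(old) | set(new)):
        before, after = set(old.get(party, [])), set(new.get(party, []))
        if before != after:
            changes[party] = {"added": sorted(after - before),
                              "removed": sorted(before - after)}
    return changes


if __name__ == "__main__":
    for vendor in DIRECT_VENDORS:
        print(vendor, "->", dependency_chain(vendor))
    print("unapproved:", unauthorized_subprocessors())
    print("changed since last snapshot:", registry_changes(PREVIOUS_REGISTRY, REGISTRY))
```

Note that `cloud_host_a` shows up under `vector_db` at depth 2 even though `vector_db` never listed it: it arrives through `metrics_saas`. That indirect path is exactly what a flat per-vendor list misses, and the snapshot diff is what turns a quietly updated subprocessor page into an alert.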

**4. Continuous Vendor Monitoring Dashboard**
- Track SOC 2 certification expiration dates
- Monitor uptime SLA compliance
- Alert on security incidents and compliance changes
- Detect Terms of Service modifications affecting data handling

---

**Why You're Ready:**
- ✓ You understand internal governance (M4.1 model cards, bias detection, HITL)
- ✓ You recognize governance extends beyond your own systems to third-party vendors
- ✓ You have the conceptual foundation to evaluate external risk systematically

**What to Expect:**
- **Duration:** 2-3 hours (hands-on vendor evaluation exercises)
- **Complexity:** Intermediate (scoring frameworks, DPA parsing, monitoring automation)
- **Key Deliverables:**
  - Vendor risk scorecard for your RAG stack vendors
  - DPA compliance report
  - Subprocessor registry
  - Monitoring dashboard prototype

---

**If You're Not Ready:**
- Review M4.1 materials (model cards, governance frameworks)
- Complete failed checks above
- Reach out for support: support@techvoyagehub.com

**Next Steps:**
1. Ensure ALL 4 checks passed (✓)
2. Proceed to **M4.2: Vendor Risk Assessment**
3. Reference this bridge if you need to validate M4.1 prerequisites