🔊 I am excited to share my New America #ShareTheMicInCyber final report, which introduces Governance Schema (GovSCH)!

Translating complex cybersecurity and AI policies into actionable implementation is a persistent challenge. Policymakers, regulatory framework authors, compliance operators and engineering teams often lack a unified, machine-readable format for high-level governance documents, leading to misinterpretations and delays.

This report introduces GovSCH, an open-source interoperable schema designed to standardize the authoring and translation of cybersecurity and AI governance documents into a consistent, machine-readable format. This interoperable schema was created by analyzing prior executive orders, regulatory frameworks, and policies to identify common structures and authoring practices. The goal is to bridge the gap between policy intent and technical execution, improving transparency and accelerating the implementation of regulations.

Looking forward to hearing your thoughts and feedback. You can read the report and explore the schema here:
- Report: https://lnkd.in/e3SqU9Dk
- GitHub Project (Schema): https://lnkd.in/ex32id36

🙏🏾 This work would not have been possible without the guidance and support of many. My sincere thanks to Christina Morillo, Lauren Zabierek, Camille Stewart Gloster, Esq, Peter W. Singer, Bridget C., OLATUNJI OSUNJI, D.Sc., the exceptional teams (pubs, media, editors, visuals, tech etc.) at New America and my entire 2025 #STMIC cohort: Mason Darryl Gunter, Seungmin (Helen) Lee, J Haro, Nina-Simone Edwards, JD, Chanwool L., Adriana S, and Jocelyn Woolbright.
Open Source Policy Frameworks
Summary
Open source policy frameworks are structured sets of guidelines that help organizations govern the use, contribution, and management of open source software and AI systems. These frameworks promote transparency, safety, and consistency while supporting collaboration and responsible technology adoption across public and private sectors.
- Document clear rules: Create written policies that define how your team evaluates, adopts, and maintains open source software and AI systems.
- Monitor and review: Keep track of the systems and dependencies you use, updating policies and performing regular assessments to identify risks or needed improvements.
- Champion responsible use: Assign leaders to oversee compliance, provide training, and encourage open communication about policy updates and ethical concerns.
-
The AI Policy Guide and Template, published by the Australian Government (industry.gov.au/NAIC), provides a practical framework for organizations to design, implement, and maintain effective AI governance. It serves as both a policy model and an operational guide to ensure that AI systems are developed and deployed responsibly, transparently, and in alignment with ethical and legal expectations.

What the guide outlines
• Every organization using AI should have a clear, written AI policy that defines how AI is adopted, managed, and governed.
• It aligns with Australia’s AI Ethics Principles and the Voluntary AI Safety Standard to ensure responsible, human-centered use of AI across all sectors.
• The policy template includes model statements that organizations can adapt to their own values, risks, and operating structures.

Why this matters
• AI is becoming central to business and public sector operations, but without policy, even well-intentioned systems can cause unintended harm.
• A documented AI policy protects stakeholders, supports ethical decision-making, and demonstrates readiness for emerging regulation.
• Building trust in AI requires consistent governance, transparency, and accountability at every stage of the AI lifecycle.

There’s a saying in governance: “Policy before practice.” In AI, this means setting expectations and accountability before algorithms start making decisions.

Key principles and practices
• Risk and impact assessment: Systems must undergo structured risk and impact evaluations before deployment, especially where they may affect vulnerable groups.
• Quality, reliability, and security: AI must be rigorously tested before release and continuously monitored for performance, bias, and emerging risks.
• Fairness and inclusion: Systems should reinforce diversity and inclusion, avoiding bias or discrimination in decision-making.
• Transparency and contestability: AI use must be transparent, with mechanisms allowing individuals to understand or challenge outcomes. All deployed systems should be logged in an AI register.
• Human oversight and control: Humans must always have the ability to intervene, pause, or deactivate systems. Manual fallback processes should be maintained for critical operations.

Who should act
• AI policy owner: A senior leader responsible for championing responsible AI use and ensuring ongoing compliance.
• Policy approvers: Executives or boards formally approving and updating the AI policy.
• Compliance monitors: Teams that audit AI documentation, verify risk assessments, and report on policy adherence.

Action items
• Maintain a comprehensive AI register to track deployed systems and their oversight requirements.
• Review and update the AI policy annually, or after any significant incident, regulatory change, or new AI capability.
• Provide regular staff training on responsible AI use, transparency, and risk reporting.
-
Over the past few months, we’ve been working quietly on something that’s now ready to share: the Open Source Policy Collection, part of our work at the Code for Development Initiative by the Inter-American Development Bank.

It’s a curated (and growing!) list of policies from around the world showing how governments are embracing open source — not just as a technical choice, but as a strategic commitment to transparency, collaboration, and reuse in the public sector.

👉 https://lnkd.in/ebMJe8ZU

This is not an exhaustive list — and it’s open to contributions. You’ll find everything on our GitHub, so if you know of a relevant policy, case, or country we’ve missed, we’d love your input.

A big shout out to Julia Vieira de Andrade Dias Emendabili, Luis A. Sanchez and Daeun Kang for co-piloting this. Spanish and Portuguese versions are on the way.

If you’re working on open gov, digital transformation, or just believe public code should be public — take a look and let us know what you think!

#CodeForDevelopment #OpenSource #PublicCode #GovTech #DigitalGovernment #Policy #LatinAmerica
-
Open source is no longer a side detail in how we build software. It is the software supply chain. Most teams depend on dozens or hundreds of third-party libraries, yet few have a clear stance on what is acceptable to use, how far behind they can drift, or what signs actually matter when choosing a dependency. As a result, the attack surface keeps growing.

#OWASP #SPVS calls this out early. V1.3.3 focuses on establishing a Secure OSS policy during planning, and V2.1.1 asks whether that policy is enforced as part of secure coding practices in the pipeline. These controls exist because supply chain risk cannot be managed after the fact.

A simple OSS policy can go a long way when it is explicit. Things like which licenses are acceptable, how often dependencies must be upgraded, how far teams are allowed to drift from current versions such as an N minus 3 rule, and what health signals matter in a third-party library. That might include the number of active contributors, how frequently releases happen, and whether security fixes show up quickly when issues are reported.

With Software Supply Chain Failures now ranked number three in the OWASP Top 10 for 2025, this is no longer an edge case. It is a shared problem the community has to take seriously.

How explicit is your team about the open source risk it is willing to carry?

#Cybersecurity #DevSecOps #CICD #SupplyChainSecurity