OISG adequate by default
Admina is designed around the OISG paradigm — Open, Intelligent, Secure, Governed. A production-ready Admina install reaches the OISG adequate level out of the box, with the adequacy score computed automatically from the live runtime state — not a checklist, not a quarterly audit, not a PDF.
What is OISG?
OISG is a public framework for evaluating whether an AI system is adequate to be trusted in production. It defines four pillars — Open, Intelligent, Secure, Governed — each with five technical criteria. Every criterion is worth five points; the total is a 0–100 adequacy score.
0–24 Critical gaps — system is not safe to deploy 25–49 Partial coverage — significant remediation required 50–79 Good coverage — ready for constrained production 80–100 OISG adequate — ready for governed production deployment Why Admina ships OISG adequate by default
Every governance capability Admina shipped in v1.0.0 maps directly onto OISG criteria.
The adequacy score is not a marketing metric — it is a runtime read of the features you
have actually turned on. With the default Docker Compose stack plus a populated
admina.yaml, Admina scores in the OISG adequate band with no
additional configuration.
The four pillars
Open
25 / 25Auditable by design — model, governance, and protocols are public and inspectable.
- O1 Model documentation (capabilities, limitations, provenance) available to independent auditors
- O2 Governance infrastructure (policy engines, decision logic) is open and auditable
- O3 Communication protocols use open standards (MCP, OpenTelemetry, A2A)
- O4 Open projects have community stewardship (contribution process, security disclosure, governance)
- O5 Model provenance and training methodology are documented and reproducible
Intelligent
25 / 25Measurable, sovereign, traceable — reasoning can be explained, not assumed.
- I1 Model capabilities measured with benchmark results, known failure modes, confidence calibration
- I2 Infrastructure supports sovereign execution (on-premise, private cloud, air-gapped)
- I3 RAG pipelines are traceable (document version, embedding model, retrieval path)
- I4 Agent autonomy scope is explicit, machine-readable, and enforced at runtime
- I5 System can produce on demand a complete explanation of why it gave a specific response
Secure
25 / 25Defence in depth — bidirectional, cryptographic, recoverable.
- S1 Bidirectional injection defence operates on both request and response paths
- S2 Agent identities are cryptographically verifiable (DIDs, Ed25519 key pairs)
- S3 Transactional kill switch preserves forensic state and enables rollback
- S4 PII redaction is enforced at infrastructure level before model endpoints
- S5 Model supply chain integrity is verified (fingerprinting, SBOM, cryptographic provenance)
Governed
25 / 25Continuous, automated compliance — not a quarterly audit PDF.
- G1 Compliance verified automatically at runtime, not through periodic audits
- G2 Immutable forensic log (hash-chained) records all interactions and decisions
- G3 Human oversight is architecturally defined (which decisions, what info, what timeout)
- G4 End-to-end observability in place (distributed tracing, SLOs, dashboards)
- G5 Risk classification is proportional, automated, and auditable as capabilities evolve
How Admina maps onto OISG
admina.yaml, per-decision explanation.
Verify your adequacy score
Once the proxy is running, the live OISG score is available from the dashboard and via
the REST API. The result reflects the actual runtime state — flipping a
capability off in admina.yaml immediately lowers the score.
curl http://localhost:8080/api/dashboard/oisg \ -H "X-API-Key: $ADMINA_API_KEY" # { # "total": 85, # "max_total": 100, # "level": "OISG adequate", # "pillars": { "open": {...}, "intelligent": {...}, ... } # }