This record contains Version 3.2 of The Enterprise AI Governance Buyer's Guide together with the companion document Enterprise AI Governance – Procurement Fast Path v3.1. The two documents are designed to be used jointly to support rigorous, evidence-based evaluation of AI governance claims in regulated and high-stakes enterprise environments.

The Buyer's Guide presents a vendor-neutral evaluation framework that distinguishes between three governance problems: Visibility (logging, monitoring, and observability), Alignment (model- and application-layer safety techniques such as RLHF, guardrails, and content filtering), and Authorization (pre-execution governance capable of producing replayable, independently verifiable evidence that a specific action was permitted). It formalizes the distinction between probabilistic governance ("likely compliant") and deterministic governance ("provably compliant"), emphasizing fail-closed enforcement, non-delegable authorization, and post-incident verifiability. The guide introduces the Four Tests Standard (4TS): Reproducibility, Verifiability, Completeness, and Boundedness, along with concrete due-diligence questions, failure-mode analysis, and an illustrative proof-carrying decision artifact mapped to common regulatory requirements (e.g., audit trails, electronic records, signature controls, and retention obligations).

Version 3.2 operationalizes the Authorization Artifact Test (Meyman, 2026; DOI 10.5281/zenodo.20013582) for procurement and vendor evaluation. It advances the corpus Doctrine to v1.1 with two canonical statements: observability explains what happened, enforcement determines what is allowed to happen; and enforcement is realized through a non-bypassable authorization boundary that emits a proof-carrying decision prior to execution. The Completeness test now requires explicit pre-execution emission of the verdict. A new regulatory mapping identifies where the ex-ante authorization requirement is lodged across the major regimes (EU AI Act Article 14, GDPR Article 22, HIPAA §164.312(a), DFARS 252.204-7012, and NIST AI RMF GOVERN). The Baseline Qualification Gate is framed as the operational verification companion to the Test's structural prongs. The companion Procurement Fast Path is reissued as v3.1 in the same cycle, with the Authorization Artifact Test cited as the structural anchor and an observability-class rejection added to the anti-laundering register.

Version 3.1 added a formal Doctrine (v1.0) statement that locked the enforcement boundary across the FERZ governance corpus: observability governs accounts of action; authorization governs permission to act; SDLC controls constrain deployment (not individual runtime decisions); signed artifacts protect history while signed authorizations govern the future; and authorization governance requires a non-bypassable runtime gate that fails closed when governance conditions fail or required evidence is missing.

Version 3.0 extended the framework with semantic completeness: governed state is incomplete unless each decision is cryptographically bound to the immutable semantic definitions in effect at decision time (e.g., ontology terms, constraint sets, and inference regime). This prevents "definition laundering," where semantic drift retroactively alters the compliance status of past decisions and breaks audit replay without visible failure.

The Procurement Fast Path distills the framework into a short, operational checklist intended for real-world procurements. It establishes a baseline qualification gate requiring third-party offline replay of a historical governance decision from an exported Evidence Package, and applies additional anti-laundering tests (exportability, offline replay, state completeness, fail-closed behavior, and mutation/drift resistance) to rapidly disqualify marketing-only or trust-based governance claims before full scoring.

Together, the documents are intended for use by procurement teams, risk officers, General Counsel, auditors, technical evaluators, regulators, and boards seeking evidentiary assurance that AI governance controls can be independently verified at the moment a specific AI decision was made. While developed by FERZ AI, the framework is architecture-agnostic and may be applied to any AI governance solution. The documents are conformant with the AI Governance Taxonomy v1.5 (DOI: 10.5281/zenodo.18275969) and the Authorization Artifact Test (DOI: 10.5281/zenodo.20013582), and are designed to support defensible governance evaluation in sectors such as healthcare, financial services, government, defense, and other regulated domains.
FERZ Inc.
Edward Meyman
www.synapsesocial.com/papers/69faa2e204f884e66b533697 — DOI: https://doi.org/10.5281/zenodo.20017206