QG Invariant Governance Runtime Flow

QGI’s runtime flow shows how AI actions are governed end‑to‑end, using a personal health data case to illustrate how GSP signals, invariants, and legal checks produce a verified, compliant outcome.

A runtime flow shows how a single request involving personal health data moves through QGI, and how the Governance Signal Processor (GSP) converts that raw request into the structured signals that make deterministic governance possible.

A clinician asks an AI system to access a patient’s medical record. This request enters QGI as a decision request packet containing intent, data type, purpose, user role, and tool information.

The steps below trace the full flow from request to verified action.

Personal Health Data Request

A clinician submits an AI decision request packet asking to access a patient’s medical record (PHI).

  • Tier 4 performs a preflight check to confirm the model is allowed to handle PHI, the clinician is authenticated, the tool is permitted, and the healthcare domain is authorized.
  • If the request passes Tier 4, it enters the Governance Signal Processor (GSP), which converts the raw packet into structured governance signals such as:
    • risk_score
    • consent_valid
    • opacity_level
    • traceability_score
    • extraction_ratio
    • drift_detected
    • purpose_valid
    • data_sensitivity_level
    • tool_risk_level
  • The Governance Signal Processor (GSP) extracts the required parameters from the input data, preparing them for Tier 2.
  • Tier 1 compiles a Principle Profile, tightening thresholds because the request involves sensitive health data, and may require oversight or disclosure.
  • Tier 2 evaluates the request (the parameters from GSP) against the five invariants using the structured signals and the thresholds from Tier 1.
  • If any invariant fails—such as insufficient explainability or invalid consent—the request is blocked or escalated; if all pass, it proceeds.
  • Tier 3 applies jurisdictional rules such as PIPEDA, hospital privacy policies, and sector-specific obligations, enforcing data minimization, generating audit logs, and attaching required notices.

The final output is a verified action: access to the patient record is granted only with the appropriate safeguards, oversight, and compliance artifacts in place.
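The tier ordering above can be sketched as a fail-closed pipeline. This is an added example, not QGI's own code: it takes the GSP signals as already extracted, and the packet keys, threshold values, the five stand-in checks, and the block-versus-escalate policy are all assumptions, since the page does not define them.

```python
from dataclasses import dataclass, field

# Assumed thresholds: the page says Tier 1 tightens them for sensitive health
# data but gives no values, so every number here is constructed.
DEFAULT = {"max_risk": 0.7, "max_opacity": 0.5, "min_trace": 0.6}
PHI = {"max_risk": 0.4, "max_opacity": 0.3, "min_trace": 0.8}
PREFLIGHT = ("model_phi_allowed", "user_authenticated",
             "tool_permitted", "domain_authorized")  # hypothetical packet keys

@dataclass
class Decision:
    outcome: str                      # "allow", "block" or "escalate"
    stage: str                        # tier that produced the outcome
    reasons: list = field(default_factory=list)
    audit: dict = field(default_factory=dict)

def tier4_preflight(packet):
    # Fail closed: a precondition that is absent counts as failed.
    return [k for k in PREFLIGHT if packet.get(k) is not True]

def tier1_profile(signals):
    return PHI if signals.get("data_sensitivity_level") == "phi" else DEFAULT

def tier2_invariants(s, t):
    # Five stand-in checks over the page's signal names (the page does not
    # list the invariants). Missing signals default to the failing value.
    checks = {
        "consent": s.get("consent_valid") is True,
        "risk": s.get("risk_score", 1.0) <= t["max_risk"],
        "explainability": s.get("opacity_level", 1.0) <= t["max_opacity"],
        "traceability": s.get("traceability_score", 0.0) >= t["min_trace"],
        "drift": s.get("drift_detected") is False,
    }
    return [name for name, ok in checks.items() if not ok]

def govern(packet, signals):
    failed = tier4_preflight(packet)
    if failed:
        return Decision("block", "tier4", failed)
    thresholds = tier1_profile(signals)
    failed = tier2_invariants(signals, thresholds)
    if failed:
        # Assumed policy: invalid consent blocks, anything else escalates.
        outcome = "block" if "consent" in failed else "escalate"
        return Decision(outcome, "tier2", failed)
    # Tier 3 stand-in: record what was checked so the grant is auditable.
    audit = {"thresholds": thresholds, "signals": dict(signals)}
    return Decision("allow", "tier3", audit=audit)
```

With these constructed thresholds, an opacity_level of 0.45 is escalated under the PHI profile but passes under the default one, which is the tightening effect Tier 1 is described as having.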

Figure: QGI runtime flow chart