Skip to main content
Reach Out

AIGIS User Manual v1.1

The complete reference for the AI Governance and Infrastructure Suite WordPress plugin, covering every module, field, API endpoint, and role.

Introduction

The AI Governance and Infrastructure Suite (AIGIS) is a WordPress plugin that gives organizations a centralized command center for every AI model they deploy. As AI systems become embedded in business operations, teams need more than individual API integrations. They need a structured, auditable governance layer spanning discovery, approval, monitoring, and accountability.

AIGIS was built to close that gap. It sits inside your existing WordPress environment and provides a complete governance layer: a register of every AI model you operate, a managed lifecycle for the prompts and policies that govern them, a real-time guardrail system that can block harmful or policy-violating inputs and outputs, and a full immutable audit trail of every consequential action.

Who AIGIS Is For

AIGIS is designed for organizations that are deploying AI systems at scale and need to govern them responsibly. It is particularly suited to:

  • Technology and product teams that build and operate AI-powered applications and need a structured way to manage prompt versions, model configurations, and integration quality.
  • Compliance and governance teams that must demonstrate oversight of AI systems to stakeholders, auditors, or regulators, including evidence of policy enforcement, incident tracking, and data handling practices.
  • Data protection and legal teams that need a searchable, timestamped record of how AI systems have been used, what decisions they have influenced, and how incidents were investigated and resolved.
  • Operations and finance teams that need visibility into AI usage costs across departments and projects, with the ability to set and enforce spending budgets.
  • Organizations working toward certifications such as ISO/IEC 42001 (AI Management System), ISO 27001, SOC 2, or GDPR alignment, where structured AI governance evidence is required.

AIGIS does not replace your AI models or the code that calls them. It wraps around them, providing the governance, audit, and quality layer that enterprise-grade AI deployment demands.

Core Features

Feature What It Does
AI Inventory A formal register of every AI model and agent deployed in your organization. Records vendor, model name, version, integration type, risk level, and operational status. All other AIGIS sections link back to inventory records.
Prompt Management Version-controlled storage and lifecycle management for AI system prompts. Prompts move through Development, Staging, and Production stages. A built-in sandbox lets you test prompts against your configured provider before promoting them.
Policy Management Create, activate, and retire governance policies for AI use. Policies track effective dates, expiry dates, and ownership. Expiry alerts fire automatically so policies never quietly lapse.
Workflow Documentation Document approved AI-assisted processes with rich text descriptions and Mermaid flow diagrams. Workflows define where human oversight is required and what automated decisions are permissible.
Skills Repository Store reusable agent capabilities as governed instruction assets. Skills capture trigger phrases, output contracts, edge cases, readiness scoring, lifecycle review, markdown import/export, and links to related prompts, workflows, policies, incidents, and inventory records.
Incident Management Structured logging and investigation of AI system incidents, from PII leakage to prompt injection attempts. Each incident has a severity level, status, and a linked audit trail for full accountability.
Analytics & Cost Tracking Dashboard KPIs showing total API calls, cumulative cost, and average latency over rolling 30-day windows. Cost budgets can be set per department or project, with automatic alerts at 80% and 100% thresholds.
Guardrails Real-time input and output evaluation against configurable rules. Guardrail checks can be called from your integration code via the REST API. All trigger events, blocked or passed, are logged for review.
Stress Tests & Evaluation Structured evaluation of AI model outputs against expected results. Results are scored pass, fail, or pending review. False negatives, cases where a model should have been blocked but was not, are flagged separately.
Audit Log An append-only, immutable record of every consequential action in the system. Stores before/after state snapshots, actor identity, IP address, and a UTC timestamp for every event.
REST API A secured API that lets your AI pipelines, agents, and automation scripts submit usage logs, check guardrails, retrieve routing information, and submit evaluation results, all from outside WordPress.
Role-Based Access Four built-in roles (Manager, Analyst, Prompt Manager, Auditor) with granular capabilities. Every page and action is gated to the appropriate role. Administrators retain full access.
Developer Tools Generate and remove realistic test data across all sections with a single click. Useful for exploring the interface, testing integrations, or onboarding new team members without modifying production records.

Overview

AIGIS provides a centralized way to manage, audit, and govern AI models used within your organization.

What AIGIS Does

  • Maintains a register of every AI model integrated into your workflows (AI Inventory).
  • Tracks prompt usage, token consumption, latency, and costs across departments and projects.
  • Manages AI policies, their lifecycle states, and their enforce-by dates.
  • Documents approved AI workflows using Mermaid diagrams for visual clarity.
  • Stores reusable agent skills with readiness scoring, lifecycle review, markdown import/export, and links to related prompts, workflows, policies, incidents, and inventory records.
  • Logs incidents, from PII leakage to prompt injection attempts, and tracks their investigation status.
  • Enforces real-time guardrails that block harmful, injected, or policy-violating inputs and outputs.
  • Runs stress tests and evaluates AI outputs against expected results, including false-negative detection.
  • Provides a full immutable audit trail of every consequential action.
  • Exposes a secured REST API for integrating external systems.

Architecture

AIGIS is structured around four main layers:

  1. Custom Post Types, Prompts, Policies, Workflows, Skills, and Incidents are first-class WordPress content objects, stored in the standard posts table.
  2. Custom Database Tables, High-volume structured data (usage logs, audit trail, inventory, cost budgets, evaluation results, guardrail triggers) lives in dedicated tables for query performance.
  3. Admin Interface, A full WordPress admin menu with dedicated pages for each section, role-based access, and a unified dashboard.
  4. REST API, A secured API layer for external agents, pipelines, and integration scripts to submit logs, check routing, test guardrails, and submit evaluations.

Key Concepts

Term Definition
Agent Identifier A unique slug that identifies a specific AI agent or model deployment. Used to correlate logs, evaluations, and guardrail triggers across APIs and admin sections.
Inventory The register of all AI models, their vendor, version, integration type, risk level, and operational status.
Guardrail A real-time input/output check that can block a request. Guardrail triggers are logged for review.
Evaluation A structured comparison of expected vs actual AI output, scored as pass / fail / pending-review. False negatives are flagged separately.
Prompt Stage The lifecycle state of a prompt: development → staging → production. Promotion requires appropriate capability.
Skill A reusable instruction bundle that captures when an agent should use a capability, what output it should return, and what related assets or safeguards it depends on.
Cost Budget A spending limit applied to a department, project, or globally, for a monthly or custom period. Alerts fire at 80% and 100%.

Getting Started

1. Activate the Plugin

Install and activate the AI Governance Suite plugin from the WordPress Plugins screen. On activation, AIGIS automatically:

  • Creates 6 custom database tables under the wp_ prefix.
  • Registers 5 Custom Post Types (Prompts, Policies, Workflows, Skills, Incidents).
  • Assigns 4 custom roles with granular capabilities.
  • Schedules the cost-budget alert cron job.

2. Enter an API Key

Navigate to AI Governance → Settings → General and enter your primary AI provider API key. This key is stored as a WordPress option and used for provider connectivity tests from the Settings page.

Note: The API key is used only for sandbox/test calls made from the admin. Your integration code uses its own credentials via the REST API endpoints.

3. Register Your First AI Model

  1. Go to AI Governance → AI Inventory → Add New.
  2. Enter the vendor name, model name, version, and a unique Agent Identifier. The identifier is a permanent slug, choose it carefully.
  3. Select the integration type: API Model, Custom Agent, or On-Premises.
  4. Set the risk level (Low, Medium, High) based on what data the model processes.
  5. Save. The model is now available for association with prompts, logs, budgets, and evaluations.

4. Explore with Test Data

You can populate every section of the plugin with realistic sample data to explore the interface without real production records.

Go to AI Governance → Settings → Developer Tools and click Generate Test Data. This creates sample inventory records, prompts, policies, workflows, skills, incidents, usage logs, audit entries, cost budgets, evaluation results, and guardrail triggers.

Use Remove Test Data when you are done exploring. Test data is tracked precisely and will not touch any real records.

AI Inventory

The AI Inventory is your organization’s official register of all AI models and agents. Every usage log, cost budget, evaluation result, and guardrail trigger is linked to an inventory record via the Agent Identifier.

Fields Reference

Field Description
Vendor Name The provider or creator of the model (e.g. OpenAI, Anthropic, Meta).
Model Name The official name of the model (e.g. GPT-4o, Claude 3 Opus, LLaMA 3).
Version The specific version or checkpoint. Updates here signal a change that may need re-evaluation.
Agent Identifier Unique, permanent slug. Used in all REST API calls and cross-references. Cannot be reused after deletion.
Integration Type How the model is accessed: API Model, cloud API; Custom Agent, bespoke orchestration; On-Premises, self-hosted (e.g. Ollama).
API Endpoint The URL of the API or local service. Used for documentation; AIGIS does not call this directly.
Data Categories What categories of data this model processes (e.g. customer_messages, pii, internal_docs). Used for policy mapping.
Risk Level Low, Medium, or High, based on data sensitivity, blast radius if misused, and regulatory exposure.
Status Active, Deprecated, or Under Review. Deprecated models are retained for historical log linkage.

Managing Risk Levels

Assign risk levels using these criteria:

  • Low: Processes only non-sensitive internal data; no PII; limited downstream impact.
  • Medium: Processes business-sensitive data; limited PII; moderate downstream impact; subject to internal policy.
  • High: Processes personal data, regulated data, or is used in customer-facing outputs. Full audit required. Human review of outputs required.

Prompts

Prompts are system instructions or templates for your AI models. AIGIS treats prompts as version-controlled, lifecycle-managed content objects with distinct promotion stages.

Lifecycle Stages

Stage Meaning Who Can Promote
Development Being authored or iteration-tested. Not approved for active use. Prompt Manager, Administrator
Staging Under review for quality, policy compliance, and safety. May be tested against real inputs in a sandbox. Prompt Manager, Administrator
Production Approved for live use. Any modification should move it back to staging. Administrator only

Sandbox Testing

From the Prompts list, click Test in Sandbox next to any prompt. This sends the prompt with a sample input to your configured provider and displays the response inline. Sandbox calls are logged as usage_logs with the session_id prefix sandbox-.

Promotion Workflow

  1. Author writes prompt in Development stage.
  2. Reviewer tests via sandbox, then promotes to Staging.
  3. Administrator reviews staging version, confirms it meets policy, promotes to Production.
  4. Every promotion is recorded in the Audit Log.

Prompt Metadata

Each prompt stores: associated provider, target model, temperature, max tokens, and a version number. Version numbers are free-form text, use semantic versioning (1.0, 1.1) for clarity.

Policies

Policies are formal governance documents that define how AI systems must be used, what is prohibited, and what consequences apply to violations. AIGIS tracks their lifecycle from draft through to expiry.

Policy Statuses

  • Draft: Under authorship. Not in effect.
  • Active: In force. Effective date has passed; expiry date has not.
  • Expired: Past expiry date. Must be renewed or archived before a replacement takes effect.
  • Archived: Retired. Kept for audit history.

Expiry Alerts

AIGIS sends admin email notifications when a policy is approaching its expiry date. Configure the notification lead time in Settings → Notifications. The Dashboard will also display a prominent warning for policies expiring within the alert window.

Best Practices

  • Review policies annually at minimum, or whenever an AI model is added, changed, or deprecated.
  • Assign an owner (staff member) to each policy. Their user ID is stored so responsibility is traceable.
  • For high-risk models, have policies reviewed by your Data Protection Officer or legal team before activation.

Workflows

Workflows document the approved processes for AI-assisted tasks. They provide a visual map of how data flows through AI systems, where human oversight is required, and what automated decisions are permissible.

Mermaid Diagrams

Each workflow can include a Mermaid diagram definition. AIGIS renders these as interactive flow diagrams in the admin. Common node types:

Mermaid Syntax Renders as
A[User Input] Rectangle, a process or step.
B{"{Decision}"} Diamond, a branch point.
C((API Call)) Circle, an external system or API.
A --> B Arrow, flow direction.
A -->|condition| B Labelled arrow, conditional flow.

Workflow Statuses

  • Active: Approved for use by the designated teams.
  • Draft: Being designed or reviewed.
  • Deprecated: Superseded by a newer workflow. Retained for historical reference.

Skills

The Skills module stores reusable agent capabilities as governed instruction assets. Each skill defines when it should be triggered, what output shape it must produce, what edge cases need human judgement, and which prompts, workflows, policies, incidents, and inventory records it depends on.

What a Skill Contains

  • A short description that explains the trigger and intent of the capability.
  • The main instruction body in the editor, which captures the methodology or procedure the agent should follow.
  • Trigger phrases, output contract, edge cases, examples, format, and owning team metadata.
  • Links to prompts, workflows, policies, incidents, and an optional inventory record for operational context.

Lifecycle and Review

Skills move through Draft, Pending Review, Staging, and Approved. Readiness scoring highlights whether the skill has enough structure to be safely reused in real environments. Missing descriptions, empty instruction bodies, or weak output contracts will lower the score and block promotion.

  1. Draft the skill with a concrete description, clear trigger phrases, and an explicit output contract.
  2. Use Pending Review when another operator needs to verify the methodology, linked assets, and exception handling.
  3. Move the skill to Staging while you test it with realistic prompts, workflows, and inventory context.
  4. Approve the skill only after the readiness checks are green and the reviewer is satisfied that the instructions are production-safe.

Markdown Import and Export

Each skill can be exported as markdown for external review or versioning. The same markdown can be pasted back into the import box on the skill editor to round-trip changes into WordPress. This is useful when a governance team prefers reviewing structured markdown outside the admin UI before applying edits.

Relationship Mapping

Link related prompts, workflows, policies, and incidents whenever the skill depends on them. These references improve traceability during incidents and expose the surrounding governance context when the skill is fetched through the REST API.

Best Practices

  • Keep the description single-line and specific so routing remains reliable.
  • Treat the output contract as mandatory. Name the exact sections, fields, or format the agent must return.
  • Capture edge cases explicitly instead of assuming reviewers will infer them later.
  • Use markdown export for peer review, but only approve a skill after re-imported content has been validated in the editor.

Incidents

The Incidents module is a structured log for recording and investigating events where an AI system behaved incorrectly, dangerously, or unexpectedly.

When to Open an Incident

  • PII or sensitive data appeared in an AI output.
  • A guardrail was bypassed by a crafted input.
  • An AI model generated harmful, inaccurate, or misleading content that reached a user.
  • A cost spike or unexpected usage pattern was detected.
  • A model version change introduced a regression.

Severity Levels

  • Low: Quality degradation with no data or safety risk.
  • Medium: Potential policy violation or near-miss. Investigation required.
  • High: Confirmed policy violation, data exposure, or safety risk. Escalate to DPO/legal.
  • Critical: Material breach. Immediate action; potential regulatory notification required.

Investigation Workflow

  1. Open the incident: set severity, detection timestamp, and risk type.
  2. Link to the relevant AI inventory record if known.
  3. Cross-reference the Audit Log for the event timeline.
  4. Document findings in the incident body text.
  5. If a guardrail gap is identified, update the guardrail rules and run a stress test.
  6. Mark as Resolved once remediation is confirmed.

Analytics & Cost

The Analytics section provides KPI cards, usage trends, and cost breakdowns derived from the usage_logs table. Every API call your integration logs via the REST /log endpoint is reflected here.

Dashboard KPIs

KPI Source
Total API Calls (30d) COUNT of usage_logs rows in the last 30 days.
Total Cost (30d) SUM of cost_usd in usage_logs for the last 30 days.
Average Latency AVG of latency_ms for successful calls in the last 30 days.
Guardrail Triggers (30d) COUNT of aigis_guardrail_triggers rows in the last 30 days.

Cost Budgets

Set spending limits for specific departments, projects, or globally. When cumulative cost_usd for the budget’s scope and period crosses 80% or 100% of the budget amount, AIGIS fires an alert email to the admin and logs the event in the audit trail.

Budgets are matched to usage logs by:

  • Department scope: Matches usage_logs WHERE department = scope_value.
  • Project scope: Matches usage_logs WHERE project_tag = scope_value.
  • Global scope: All usage logs within the period.

Budget checks run on a scheduled cron job (every 6 hours by default).

Logging Usage via REST API

Your integration code logs a call with:

POST /wp-json/aigis/v1/log
X-AIGIS-API-Key: <your-key>

{
  "agent_id":      "my-agent-slug",
  "user_id":        1,
  "department":     "Engineering",
  "project_tag":    "my-project",
  "input_tokens":   1200,
  "output_tokens":  320,
  "latency_ms":     1840,
  "cost_usd":       0.0188,
  "status":         "success"
}

Stress Tests & Evaluation

The Evaluation module lets you verify AI model quality through structured tests: submit an input, compare the actual output against an expected output, and record a pass/fail score.

Evaluation Results Fields

Field Description
Input Hash MD5 hash of the test input. Used to correlate re-runs of the same test.
Expected Output What a correct, policy-compliant response should contain or avoid.
Actual Output The verbatim model output from the test run.
Pass / Fail pass, fail, or pending-review (routed to a human reviewer).
False Negative Flagged when the model failed to catch something it should have, e.g., produced harmful content without the guardrail triggering.
Evaluator Version The version of the scoring rulebook used. Update this when you change evaluation criteria.

False Negative Detection

A false negative is when a model produces output that should have been blocked or flagged but was not. Mark results as false_negative = 1 when this occurs. These are surfaced separately in the Evaluation list view for targeted remediation.

Submitting Results via REST API

POST /wp-json/aigis/v1/eval
X-AIGIS-API-Key: <your-key>

{
  "agent_id":          "my-agent-slug",
  "input_hash":        "abc123",
  "expected_output":   "Safe, accurate, helpful response.",
  "actual_output":     "The actual model response text.",
  "pass_fail":         "pass",
  "false_negative":    false,
  "evaluator_version": "1.0"
}

Audit Log

The Audit Log is an append-only record of every consequential action within AIGIS. It cannot be edited or deleted via the admin interface.

What Is Logged

  • User actions: login, settings saves, prompt promotions, policy status changes.
  • Inventory changes: model creation, deprecation.
  • Incident lifecycle events: opened, status changed, resolved.
  • Budget alerts: 80% and 100% threshold crossings.
  • REST API authentication failures.
  • Test data generated and purged (Developer Tools).

Reading the Audit Trail

Column Meaning
Event Type A dot-separated slug: object.action (e.g. prompt.promoted, budget.alertFired).
Object Type / ID What was acted upon and its primary key.
Actor The WordPress user ID who performed the action.
Actor IP IP address at the time of the action.
Before / After State JSON snapshots of the record before and after a mutation. Empty ({}) for creation events.
Occurred At UTC timestamp of the event.

Retention

AIGIS does not automatically prune the audit trail. For long-running installations, export and archive old rows periodically using a database administration tool. Regulatory requirements (e.g. GDPR, ISO 27001) typically mandate a minimum 12-month retention.

REST API

AIGIS exposes a versioned REST API at /wp-json/aigis/v1/ for integration with your AI pipelines, agents, and external tooling.

Authentication

All API requests require the custom header:

X-AIGIS-API-Key: <your-api-key>

Set the API key in AI Governance → Settings → General. Authentication failures are logged in the Audit Trail.

Endpoints

Method Endpoint Purpose
POST /aigis/v1/log Submit a usage log entry (token counts, cost, latency, status).
GET /aigis/v1/routing Retrieve routing metadata for an agent (active prompt stage, model, risk level).
POST /aigis/v1/guardrail Submit an input/output for real-time guardrail evaluation. Returns allow/block decision and matched rules.
POST /aigis/v1/eval Submit an evaluation result (expected vs actual output, pass/fail, false negative flag).

POST /aigis/v1/log

Required fields: agent_id. Optional: user_id, department, project_tag, session_id, input_tokens, output_tokens, latency_ms, cost_usd, status (success | error | timeout | guardrail-blocked), error_code.

GET /aigis/v1/routing

Required query param: agent_id. Returns the inventory record and the most recent production-stage prompt for the agent.

POST /aigis/v1/guardrail

Required fields: agent_id, input_hash. Optional: input_text, output_text. Returns {"allowed": true/false, "triggered_rules": [...]}. Blocked requests are recorded in aigis_guardrail_triggers.

Error Responses

HTTP Status Meaning
401 Missing or invalid API key.
403 API key valid but lacks permission for the requested action.
400 Malformed request, missing required field or invalid enum value.
404 Agent identifier not found in inventory.
200 Success.

Roles & Permissions

AIGIS registers four custom WordPress roles on activation. Administrators retain all capabilities automatically.

Custom Roles

Role Intended For Key Capabilities
AIGIS Manager Senior staff responsible for governance strategy. Full read access; manage prompts, policies, incidents, inventory; no settings access.
AIGIS Analyst Data analysts, compliance officers. Read all sections; view analytics; cannot create or modify resources.
AIGIS Prompt Manager Prompt engineers and AI developers. Create and manage prompts; promote up to staging; cannot promote to production.
AIGIS Auditor Internal auditors, legal team. Read-only access across all sections including audit trail. Cannot modify any records.

Capability Matrix

Capability Admin Manager Analyst Prompt Mgr Auditor
View AI Inventory
Manage AI Inventory
View Analytics
Manage Prompts
Promote Prompt to Production
Manage Policies
Manage Workflows
Manage Skills
Manage Incidents
View Audit Log
Manage Settings

Roles are assigned from Settings → Roles & Permissions. Removing the AIGIS plugin does not automatically strip custom roles from users, remove role assignments before deactivating if a clean removal is required.