For Non-technical adopter · the method
How we solve it.Piece by piece, with provenance.
How plain-English answers stay honest — where the checklist comes from, and how the explainer answers without inventing.
Piece 1
The checklist
Inputs
- The curated threat guide — each entry carries a plain-language "your part" line where one exists
Mechanism
- The four safe-use habits are distilled from the threats a daily AI user can actually influence; threats only a security team can own say so honestly instead of assigning you homework
Outputs
- Four habits in plain English, plus a per-threat "your part" line
Provenance: lib/threat-guide.ts — the same single source the threat cards render.
1 deeper item · owner-gated · shown in a walkthrough
Piece 2
The everyday risks
Inputs
- 25 threats curated from OWASP LLM Top 10 (2025), MITRE ATLAS, NIST AI 100-1, the EU AI Act, and CSA AICM
Mechanism
- Each threat is named twice — plain English first, the technical name second — with one fitted control, an owner, and severity explicitly labeled illustrative
Outputs
- A guide a non-specialist can read end to end without a glossary
Provenance: Sources cited on the page footer; severity never presented as measured.
1 deeper item · owner-gated · shown in a walkthrough
Piece 3
Ask it anything
Inputs
- A retrieval corpus of 20,475 chunks across the CSA standards, each chunk carrying framework, version, and clause id
Mechanism
- Your question retrieves the governing passage; the answer is composed only from that passage — no blending across frameworks or versions
- If the corpus does not carry the answer, the explainer abstains and routes you to the policy owner
- Eight languages, with English as the trust anchor alongside every translation
Outputs
- A plain answer, spoken if you want, with the exact clause it came from — every time
Provenance: The corpus manifest is provenance-guarded at build; verbatim CSA text is itself owner-gated.
3 deeper items · owner-gated · shown in a walkthrough
Piece 4
The stack & instruments
Inputs
- 15 published instruments in three lanes — 13 testers, 3 corpora, 5 controls — validated at every build
- Python 3 stdlib-only tooling — nothing to install to reproduce a claim
Mechanism
- The explainer’s corpus is generated and provenance-guarded by the same tooling discipline — every chunk carries framework, version, and clause id before it is allowed to answer you
- Lane integrity is machine-enforced: an instrument never grades its own lane, and nothing on this site says "tested" without a named instrument behind it
Outputs
- A named, reproducible instrument behind every tested claim you read here
Provenance: lib/tools-registry.ts, guarded by validate-tools in the prebuild chain; instrument detail renders in the /controls drill.
2 deeper items · owner-gated · shown in a walkthrough
The exhibits
The working surfaces behind the answer.
Responsible AI, without the poster
Responsible AI is a short list of promises — fairness, transparency, human oversight, accountability — that frameworks like NIST’s AI rulebook and the ISO management standard turn into checklists. Every promise maps to the harms it prevents and the controls that keep it.
See every harm, its owner, and its control→How a company gets organized: the Center of Excellence
Not a big department on day one. One team measures where it stands, fixes a few things, proves the numbers moved — then the next team repeats it. That loop, growing one team at a time, is the whole model.
See how the build path works→The AI-first mindset
Using AI a lot is not the same as using it well. AI-first means someone decided, on purpose, which parts of the work the AI owns and which parts a person owns — and can show the checks kept up. Heavy use without that decision is just speed.
Read the playbook→Canonical surfaces