I built an open-source compliance scanner for AI infrastructure on AWS - looking for feedback
What it is: A small CLI (infrarails, Apache-2.0) that reads your Terraform and tells you which EU AI Act, NIST AI RMF, and ISO 42001 controls are passing, failing, or unverifiable - specifically for AWS Bedrock infrastructure. Runs in CI like any other linter, outputs terminal / HTML / PDF / JSON / SARIF.
Why I built it: I work on AI systems and kept noticing during audits that a lot of the auditor observations were things that could have been caught at PR time - missing model invocation logging, log retention too short for post-market monitoring, audit trail buckets without versioning. All declarative, all sitting in Terraform, all verifiable before merge. There are plenty of tools for the broader AI governance picture (model cards, evals, lineage), but I couldn't find one that lived inside the deployment pipeline itself and mapped checks back to the actual framework articles auditors open. So I started building one on weekends.
The interesting design problem: The hardest call wasn't the rules - it was making "we couldn't verify" a first-class verdict alongside PASS / FAIL. Logging often lives in a separate stack, behind a remote module, or in a var with no default. A static scanner that confidently says PASS when it actually has no idea is worse than no scanner. So the third bucket (INCONCLUSIVE, with a machine-readable reason code) became the whole personality of the tool. Strict mode treats it as blocking; --no-strict lets it pass.
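The three-way verdict as an added illustration (example code, not infrarails' own): one rule evaluated over a constructed, already-parsed view of a Terraform root module. The AWS resource type names are the provider's, but the parsed shape, the `log_group` linkage and the retention threshold are assumptions made for the example.

```javascript
// Added example, not infrarails code: PASS / FAIL / INCONCLUSIVE for one rule,
// "Bedrock invocation logging exists and its log group keeps logs >= MIN_RETENTION_DAYS".
// Input is a constructed, already-parsed Terraform view (resources + variables + modules).
const VERDICT = { PASS: 'PASS', FAIL: 'FAIL', INCONCLUSIVE: 'INCONCLUSIVE' };
const MIN_RETENTION_DAYS = 180; // assumed threshold for this example, not a framework figure

// Resolve a literal or a "var.<name>" reference; an unresolvable value is INCONCLUSIVE material.
function resolve(value, vars) {
  if (typeof value !== 'string' || !value.startsWith('var.')) return { known: true, value };
  const v = vars[value.slice(4)];
  if (!v) return { known: false, reason: 'UNDECLARED_VARIABLE' };
  if (v.default === undefined) return { known: false, reason: 'VARIABLE_WITHOUT_DEFAULT' };
  return { known: true, value: v.default };
}

function checkInvocationLogging(tf) {
  const logging = tf.resources.find(r => r.type === 'aws_bedrock_model_invocation_logging_configuration');
  if (!logging) {
    // Logging may be declared in another stack or a remote module: not enough evidence to FAIL.
    const hasRemoteModule = tf.modules.some(m => /^(git::|s3::|https?:\/\/)/.test(m.source));
    return hasRemoteModule
      ? { verdict: VERDICT.INCONCLUSIVE, reason: 'LOGGING_MAY_LIVE_IN_REMOTE_MODULE' }
      : { verdict: VERDICT.FAIL, reason: 'NO_INVOCATION_LOGGING_RESOURCE' };
  }
  const group = tf.resources.find(r => r.type === 'aws_cloudwatch_log_group' && r.name === logging.log_group);
  if (!group) return { verdict: VERDICT.INCONCLUSIVE, reason: 'LOG_GROUP_NOT_IN_SCANNED_FILES' };
  const retention = resolve(group.retention_in_days, tf.variables);
  if (!retention.known) return { verdict: VERDICT.INCONCLUSIVE, reason: retention.reason };
  // In the AWS provider, unset or 0 retention_in_days means "never expire", which satisfies the floor.
  const days = retention.value === undefined ? 0 : Number(retention.value);
  if (days === 0 || days >= MIN_RETENTION_DAYS) return { verdict: VERDICT.PASS, reason: 'OK' };
  return { verdict: VERDICT.FAIL, reason: 'RETENTION_TOO_SHORT' };
}

// Strict mode (default) blocks on INCONCLUSIVE; --no-strict lets it through.
function exitCode(results, strict = true) {
  const blocking = results.some(r => r.verdict === VERDICT.FAIL || (strict && r.verdict === VERDICT.INCONCLUSIVE));
  return blocking ? 1 : 0;
}

// Constructed sample: logging is present, but retention comes from a variable with no default.
const sampleTf = {
  modules: [],
  variables: { log_retention_days: { type: 'number' } },
  resources: [
    { type: 'aws_bedrock_model_invocation_logging_configuration', name: 'bedrock', log_group: 'audit' },
    { type: 'aws_cloudwatch_log_group', name: 'audit', retention_in_days: 'var.log_retention_days' },
  ],
};
const result = checkInvocationLogging(sampleTf); // -> INCONCLUSIVE / VARIABLE_WITHOUT_DEFAULT
console.log(result, 'exit strict:', exitCode([result]), 'exit --no-strict:', exitCode([result], false));
```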
What I'd love feedback on:
- Whether the rule severities feel right (FAIL vs WARN vs INCONCLUSIVE)
- Whether the framework mappings hold up — anyone here familiar enough with NIST AI RMF or ISO 42001 to spot stretches?
- Other AI/ML platforms worth adding next (Vertex AI, Azure OpenAI, Sagemaker?)
- General "this is a weird side project to spend weekends on" reactions welcome too
Honest scoping note: a passing scan is necessary but not sufficient. Infra is maybe 30% of what these frameworks ask for — governance, data quality, human oversight aren't in Terraform. But automating the 30% felt worth the weekends.
Repo: github.com/policyrails/infrarails
npm: npm install -g infrarails