Skip to content

SPEC: AIGP Vendor Adoption Program — Wave Delivery Plan

SPEC: AIGP Vendor Adoption Program — Wave Delivery Plan

Source

  • Date: 2026-06-08
  • Status: Planning
  • Goal: Move AIGP from “protocol ready” to “vendors adopting”

Strategy

Demand (buyers ask for it) → Supply (vendors can produce it easily) → Credibility (proof it works)

Wave 1 — Create Demand (Buyer Artifacts)

Objective: Give enterprise buyers ready-made language to require AIGP-style evidence from vendors.

Timeline: Produce first, everything else depends on this.

Deliverables

# Artifact File Description
1.1 AIGP Procurement Questionnaire buyer/questionnaire.md 20 questions enterprise buyers ask AI vendors, mapped to which AIGP artifact answers each one
1.2 Executive One-Pager buyer/executive-brief.md Non-technical: what is AIGP, why require it, what you get. One page. For CISOs, CPOs, boards
1.3 Sample RFP Language buyer/rfp-language.md Copy-paste paragraphs for procurement RFPs requiring machine-readable AI governance evidence
1.4 Framework Crosswalk buyer/crosswalk/ NIST AI RMF → AIGP, ISO 42001 → AIGP, EU AI Act → AIGP mapping tables

Acceptance Criteria

  • Questionnaire covers: model use, data boundaries, training, oversight, audit, incident response, temporal patterns
  • One-pager is ≤1 page, no jargon, answers “why should I care”
  • RFP language is legally neutral (not prescriptive to one vendor)
  • Crosswalk maps at minimum: NIST AI RMF (Map/Measure/Manage/Govern), EU AI Act Art 9-15, ISO 42001 clauses 5-10

Wave 2 — Remove Friction (Vendor Tooling)

Objective: Make it trivially easy for a vendor to become AIGP Observable in <30 minutes.

Timeline: After Wave 1 (demand must exist first, but can overlap).

Deliverables

# Artifact File/Repo Description
2.1 aigp-evidence library lib/aigp-evidence/ Python package: wrap any model call (Bedrock, OpenAI, etc.) → emit VENDOR_RECORD + TRACE. Minimal deps (boto3 optional)
2.2 CLI validator lib/aigp-cli/ aigp validate manifest.json — validates any AIGP artifact against schema. Single binary or pip install
2.3 Conformance badge assets/badges/ SVG badges: “AIGP Observable” / “AIGP Governable” / “AIGP Enforceable” for vendor READMEs and trust pages
2.4 GitHub Action .github/actions/aigp-validate/ CI step: validate vendor package on push, post badge status

aigp-evidence library design

from aigp_evidence import AigpVendor
vendor = AigpVendor(
vendor_id="my-saas",
tenant_id="customer-123",
manifest_path="./manifest.json"
)
# Wrap any model call
record = vendor.govern(
capability_id="summarize_v1",
model_call=lambda: bedrock.converse(modelId=MODEL, messages=msgs),
user_id="hashed:abc123",
policy_mode="REPORT"
)
# record contains: VENDOR_RECORD, TRACE spans, output
print(record.evidence) # JSON evidence record
print(record.trace) # Trace waterfall data
print(record.output) # Model response

Acceptance Criteria

  • aigp-evidence: pip installable, zero config for basic use, <500 lines core
  • CLI: validates manifest, BOM, policy-binding, vendor-record, temporal-chain schemas
  • Badge: SVG with level name + version, visually clear
  • GitHub Action: runs on PR, fails if schema invalid

Wave 3 — Prove It Works (Reference Implementation)

Objective: Show the full loop: vendor emits → buyer sees. End-to-end proof.

Timeline: After Wave 2 library exists.

Deliverables

# Artifact File/Repo Description
3.1 Mock Governance Authority lib/aigp-authority/ FastAPI server: receives RECORD/TRACE/TEMPORAL_CHAIN, stores in SQLite, exposes simple dashboard
3.2 Vendor Demo Script vendor/demo/ End-to-end: vendor emits evidence → authority receives → dashboard shows. 5-minute setup
3.3 RFC-011 Formal Spec spec/RFC-011-AIGP-Vendor-Trust-Package.md Full specification prose (builds on Notes.md.spec)
3.4 Conformance Test Suite lib/aigp-conformance/ Automated tests: “is this vendor package valid at Level 1/2/3?”

Mock Authority design

aigp-authority/
├── server.py ← FastAPI: POST /record, POST /trace, GET /sessions/{id}/chain
├── storage.py ← SQLite: records, traces, chains
├── dashboard.py ← HTML dashboard: recent records, trace waterfall, chain timeline
└── Dockerfile ← docker run -p 8080:8080 aigp-authority

Vendor runs: docker run aigp-authority → points aigp-evidence at localhost:8080 → sees evidence flowing in browser.

Acceptance Criteria

  • Authority: single docker run, receives records, shows dashboard
  • Demo: vendor starts authority + runs notebook → sees evidence in dashboard in <5 minutes
  • RFC-011: complete specification covering all 7 vendor package components
  • Conformance: programmatic level check (aigp conformance check ./my-package/ --level 2)

Wave 4 — Market Activation (Adoption Push)

Objective: Get first real adoption — 2-3 buyers requiring it, 2-3 vendors implementing it.

Timeline: After Waves 1-3 are solid.

Deliverables

# Artifact Description
4.1 Pilot Program Guide How to run a 30-day AIGP pilot with one buyer + one vendor
4.2 Case Study Template “Vendor X reduced procurement cycle by Y weeks using AIGP”
4.3 Community Spec Process How external contributors propose changes to the spec (RFC process)
4.4 aigp.dev website Landing page: “What is AIGP” + links to vendor folder, buyer folder, spec

Acceptance Criteria

  • Pilot guide: step-by-step for both buyer and vendor side
  • At least 1 real pilot initiated
  • Public repo with contribution guidelines

Dependency Graph

Wave 1 (Demand) Wave 2 (Tooling) Wave 3 (Proof) Wave 4 (Adoption)
───────────────── ───────────────── ────────────── ─────────────────
Questionnaire ──────────→ aigp-evidence lib ──────→ Mock Authority ────────→ Pilot Program
Executive Brief CLI validator Vendor Demo Case Study
RFP Language Badges RFC-011 Website
Framework Crosswalk GitHub Action Conformance Suite Community Process

Wave 1 and Wave 2 can partially overlap. Wave 3 requires Wave 2 library. Wave 4 requires all prior.


What exists today

Artifact Status
RFC-010 (base protocol) ✅ Complete
RFC-010 Temporal Chaining extension ✅ Complete
Notes.md (vendor package design) ✅ Complete
Notes.md.spec (spec extraction) ✅ Complete
vendor/ folder (templates + notebooks) ✅ Scaffolded
Notebooks 01-04 + 02b (Bedrock + trace) ✅ Complete
Examples (saas-copilot, paas-model-api, agentic) 🟡 Placeholder READMEs
JSON Schemas (vendor-manifest, BOM, etc.) 🔴 Not yet
aigp-evidence library 🔴 Not yet
Buyer artifacts (questionnaire, one-pager, RFP) 🔴 Not yet
Framework crosswalk 🔴 Not yet
CLI validator 🔴 Not yet
Mock governance authority 🔴 Not yet
RFC-011 formal spec 🔴 Not yet

Start with:

  1. Procurement Questionnaire — creates immediate demand-side value
  2. Executive One-Pager — gives the questionnaire a “why” document to travel with

These two artifacts together are what a CISO hands to their procurement team and says: “Add this to our AI vendor reviews.”