SPEC: AIGP Vendor Adoption Program — Wave Delivery Plan
SPEC: AIGP Vendor Adoption Program — Wave Delivery Plan
Source
- Date: 2026-06-08
- Status: Planning
- Goal: Move AIGP from “protocol ready” to “vendors adopting”
Strategy
Demand (buyers ask for it) → Supply (vendors can produce it easily) → Credibility (proof it works)Wave 1 — Create Demand (Buyer Artifacts)
Objective: Give enterprise buyers ready-made language to require AIGP-style evidence from vendors.
Timeline: Produce first, everything else depends on this.
Deliverables
| # | Artifact | File | Description |
|---|---|---|---|
| 1.1 | AIGP Procurement Questionnaire | buyer/questionnaire.md |
20 questions enterprise buyers ask AI vendors, mapped to which AIGP artifact answers each one |
| 1.2 | Executive One-Pager | buyer/executive-brief.md |
Non-technical: what is AIGP, why require it, what you get. One page. For CISOs, CPOs, boards |
| 1.3 | Sample RFP Language | buyer/rfp-language.md |
Copy-paste paragraphs for procurement RFPs requiring machine-readable AI governance evidence |
| 1.4 | Framework Crosswalk | buyer/crosswalk/ |
NIST AI RMF → AIGP, ISO 42001 → AIGP, EU AI Act → AIGP mapping tables |
Acceptance Criteria
- Questionnaire covers: model use, data boundaries, training, oversight, audit, incident response, temporal patterns
- One-pager is ≤1 page, no jargon, answers “why should I care”
- RFP language is legally neutral (not prescriptive to one vendor)
- Crosswalk maps at minimum: NIST AI RMF (Map/Measure/Manage/Govern), EU AI Act Art 9-15, ISO 42001 clauses 5-10
Wave 2 — Remove Friction (Vendor Tooling)
Objective: Make it trivially easy for a vendor to become AIGP Observable in <30 minutes.
Timeline: After Wave 1 (demand must exist first, but can overlap).
Deliverables
| # | Artifact | File/Repo | Description |
|---|---|---|---|
| 2.1 | aigp-evidence library | lib/aigp-evidence/ |
Python package: wrap any model call (Bedrock, OpenAI, etc.) → emit VENDOR_RECORD + TRACE. Minimal deps (boto3 optional) |
| 2.2 | CLI validator | lib/aigp-cli/ |
aigp validate manifest.json — validates any AIGP artifact against schema. Single binary or pip install |
| 2.3 | Conformance badge | assets/badges/ |
SVG badges: “AIGP Observable” / “AIGP Governable” / “AIGP Enforceable” for vendor READMEs and trust pages |
| 2.4 | GitHub Action | .github/actions/aigp-validate/ |
CI step: validate vendor package on push, post badge status |
aigp-evidence library design
from aigp_evidence import AigpVendor
vendor = AigpVendor( vendor_id="my-saas", tenant_id="customer-123", manifest_path="./manifest.json")
# Wrap any model callrecord = vendor.govern( capability_id="summarize_v1", model_call=lambda: bedrock.converse(modelId=MODEL, messages=msgs), user_id="hashed:abc123", policy_mode="REPORT")
# record contains: VENDOR_RECORD, TRACE spans, outputprint(record.evidence) # JSON evidence recordprint(record.trace) # Trace waterfall dataprint(record.output) # Model responseAcceptance Criteria
-
aigp-evidence: pip installable, zero config for basic use, <500 lines core - CLI: validates manifest, BOM, policy-binding, vendor-record, temporal-chain schemas
- Badge: SVG with level name + version, visually clear
- GitHub Action: runs on PR, fails if schema invalid
Wave 3 — Prove It Works (Reference Implementation)
Objective: Show the full loop: vendor emits → buyer sees. End-to-end proof.
Timeline: After Wave 2 library exists.
Deliverables
| # | Artifact | File/Repo | Description |
|---|---|---|---|
| 3.1 | Mock Governance Authority | lib/aigp-authority/ |
FastAPI server: receives RECORD/TRACE/TEMPORAL_CHAIN, stores in SQLite, exposes simple dashboard |
| 3.2 | Vendor Demo Script | vendor/demo/ |
End-to-end: vendor emits evidence → authority receives → dashboard shows. 5-minute setup |
| 3.3 | RFC-011 Formal Spec | spec/RFC-011-AIGP-Vendor-Trust-Package.md |
Full specification prose (builds on Notes.md.spec) |
| 3.4 | Conformance Test Suite | lib/aigp-conformance/ |
Automated tests: “is this vendor package valid at Level 1/2/3?” |
Mock Authority design
aigp-authority/├── server.py ← FastAPI: POST /record, POST /trace, GET /sessions/{id}/chain├── storage.py ← SQLite: records, traces, chains├── dashboard.py ← HTML dashboard: recent records, trace waterfall, chain timeline└── Dockerfile ← docker run -p 8080:8080 aigp-authorityVendor runs: docker run aigp-authority → points aigp-evidence at localhost:8080 → sees evidence flowing in browser.
Acceptance Criteria
- Authority: single
docker run, receives records, shows dashboard - Demo: vendor starts authority + runs notebook → sees evidence in dashboard in <5 minutes
- RFC-011: complete specification covering all 7 vendor package components
- Conformance: programmatic level check (
aigp conformance check ./my-package/ --level 2)
Wave 4 — Market Activation (Adoption Push)
Objective: Get first real adoption — 2-3 buyers requiring it, 2-3 vendors implementing it.
Timeline: After Waves 1-3 are solid.
Deliverables
| # | Artifact | Description |
|---|---|---|
| 4.1 | Pilot Program Guide | How to run a 30-day AIGP pilot with one buyer + one vendor |
| 4.2 | Case Study Template | “Vendor X reduced procurement cycle by Y weeks using AIGP” |
| 4.3 | Community Spec Process | How external contributors propose changes to the spec (RFC process) |
| 4.4 | aigp.dev website | Landing page: “What is AIGP” + links to vendor folder, buyer folder, spec |
Acceptance Criteria
- Pilot guide: step-by-step for both buyer and vendor side
- At least 1 real pilot initiated
- Public repo with contribution guidelines
Dependency Graph
Wave 1 (Demand) Wave 2 (Tooling) Wave 3 (Proof) Wave 4 (Adoption)───────────────── ───────────────── ────────────── ─────────────────Questionnaire ──────────→ aigp-evidence lib ──────→ Mock Authority ────────→ Pilot ProgramExecutive Brief CLI validator Vendor Demo Case StudyRFP Language Badges RFC-011 WebsiteFramework Crosswalk GitHub Action Conformance Suite Community ProcessWave 1 and Wave 2 can partially overlap. Wave 3 requires Wave 2 library. Wave 4 requires all prior.
What exists today
| Artifact | Status |
|---|---|
| RFC-010 (base protocol) | ✅ Complete |
| RFC-010 Temporal Chaining extension | ✅ Complete |
| Notes.md (vendor package design) | ✅ Complete |
| Notes.md.spec (spec extraction) | ✅ Complete |
| vendor/ folder (templates + notebooks) | ✅ Scaffolded |
| Notebooks 01-04 + 02b (Bedrock + trace) | ✅ Complete |
| Examples (saas-copilot, paas-model-api, agentic) | 🟡 Placeholder READMEs |
| JSON Schemas (vendor-manifest, BOM, etc.) | 🔴 Not yet |
| aigp-evidence library | 🔴 Not yet |
| Buyer artifacts (questionnaire, one-pager, RFP) | 🔴 Not yet |
| Framework crosswalk | 🔴 Not yet |
| CLI validator | 🔴 Not yet |
| Mock governance authority | 🔴 Not yet |
| RFC-011 formal spec | 🔴 Not yet |
Recommended start: Wave 1.1 + 1.2
Start with:
- Procurement Questionnaire — creates immediate demand-side value
- Executive One-Pager — gives the questionnaire a “why” document to travel with
These two artifacts together are what a CISO hands to their procurement team and says: “Add this to our AI vendor reviews.”