HOME | AFTER THE DIAGNOSTIC
The diagnostic tells you what is missing.
The Remediation Pathway Document tells the organization how to build it.
A diagnostic finding is a structural map — where authority gaps exist, where evidence trails break down, where oversight is symbolic rather than operational. The practitioner issues a Remediation Pathway Document specifying exactly what each absent condition requires. The organization builds. The practitioner returns for a re-audit. Only then is certification issued.
THE FOUR PHASES
From diagnostic finding
to certified governance record.
Every HSRL certification follows the same sequence. The practitioner is present in phases 1 and 3, absent in phase 2. That separation is not procedural — it is why the certification is credible.
Phase 1 — Diagnostic
Five conditions scored.
Gaps identified.
Pathway issued.
The HSRL practitioner scores each condition — present, partial, or absent — produces a GPWS rating, surfaces matched cases from the 380-case library, and issues a Remediation Pathway Document specifying exactly what each absent condition requires. The diagnostic is the only document the practitioner produces before re-audit.
Practitioner present · GCR-001 (DANGER or CAUTION) issued · Remediation Pathway Document issued for all absent conditions
Phase 3 — Re-Audit
Organization signals ready.
Practitioner returns
and verifies.
When the organization has built what it believes meets each condition, it initiates the re-audit. The practitioner returns and verifies each condition against the evidence. Conditions that don't meet the standard are returned with specific findings. The organization revises and resubmits. No condition is certified until it meets the standard. This is a separate engagement from Phase 1.
Practitioner present · Separate engagement from Phase 1 · Iterative until all conditions verified
Phase 2 — Organization Builds
The organization builds its own governance infrastructure.
Using the Remediation Pathway Document as their guide, the organization builds what each absent condition requires — naming owners, engaging validators, establishing monitoring protocols, drafting accountability documents, and creating protected reporting channels. The practitioner is not involved in the build. The organization owns what it builds.
Practitioner not present · Organization works independently · Timeline set in Remediation Pathway Document
Phase 4 — Certification
All five conditions verified.
GCR issued.
Record filed.
When all five conditions pass re-audit, the practitioner issues a GCR-001 CLEAR — a SHA-256 signed governance record documenting the verified state. The certification is credible because the practitioner did not build what they certified. The Governance Maintenance Plan establishes the schedule and triggers for keeping the certification current.
Practitioner present · Output: GCR-001 CLEAR + Governance Maintenance Plan + re-audit schedule
Why the organization builds alone in Phase 2
Governance infrastructure that an external practitioner installs does not have organizational roots. When the vendor renegotiates the contract, when the department head changes, when budget pressure arrives — governance conditions a consultant built are the first things to go, because no one inside the organization built them or has professional identity tied to their continuance. The organization that builds its own governance understands why it is structured the way it is and can defend and maintain it. That is the only governance that survives contact with organizational reality.
REMEDIATION PATHWAY DOCUMENT - EXAMPLES
Two systems. Both below threshold.
Different gaps. Different timelines.
Same standard.
The Remediation Pathway Document tells the organization exactly what CAUTION and CLEAR require for each absent condition — the specific actions, the evidence the practitioner will audit at re-audit, the timeline, and the blocker that will fail the condition at re-audit regardless of other progress. The organization takes this document and builds. The practitioner is not involved again until re-audit is initiated.
REMEDIATION SAMPLE DOC COMING SOON
GCR RECORD TYPES
The Structural Governance Ledger.
SHA-256 signed.
Immutable. Pre-harm.
A Governance Condition Record is a SHA-256 signed, immutable document that captures the verified governance state of an automated system at the time it is issued. It is filed to the Structural Governance Ledger — a permanent record that cannot be amended retroactively.
The value of a GCR is almost entirely pre-harm. Once harm occurs, the record of what was known — and what was absent — already exists and cannot be altered. That is its purpose.
There are five GCR record types. Each captures a different governance event. GCR-001 is the foundational record — the pre-deployment certification that everything else builds from. GCR-003 is issued only after harm occurs, and only by the HSRL founding director.
GCR-001
Pre-Deployment Governance Record
Issued after the initial diagnostic and, if applicable, after successful re-audit. Five condition scores, evidence citations, domain irreversibility designation, signed deployment date declaration, reaction window estimate on DANGER findings. SHA-256 signed before go-live. Includes the Remediation Pathway Document for any absent conditions.
$2,500–$12,000
GCR-RAD
Re-Audit & Certification
Separate engagement from the initial diagnostic. After the organization has built its governance infrastructure using the Remediation Pathway Document, the practitioner returns to verify each condition against the evidence. Conditions that don't meet the standard are returned with specific findings for revision. When all conditions are verified, a GCR-001 CLEAR certification is issued.
Contact
for pricing
GCR-002
Annual Governance Maintenance
Annual re-certification confirming all conditions current. Verifies no population scope change or jurisdiction expansion since last record. Named owner re-confirmed in role. Validation cycle status checked against re-validation trigger criteria. Issued on the anniversary schedule established in the Governance Maintenance Plan.
$1,500–$3,500
GCR-003
Post-Incident Governance Record
Links a harm event to the pre-deployment governance state at the time of deployment. Structured laundering pattern checklist (L0–L4, L13). Documents the gap between governance state at deployment and governance state at the time of harm. Issued only by the HSRL founding director. Retained permanently.
$5,000–$15,000
GCR-AMD
Amendment Record
Material change mid-cycle: new C1 owner, population scope change, jurisdiction expansion, vendor contract renewal, model update, or a C4 accountability protocol that was not invoked after a harm event. Amends the current GCR record and triggers re-audit schedule review.
$750–$2,000
WHY IMMUTABILITY MATTERS
The record of what
was known before harm
cannot be changed after it.
Every GCR is SHA-256 signed at the moment of issuance. The hash captures the exact state of the governance record — every condition score, every evidence citation, every timestamp. If the record is altered in any way after signing, the hash no longer matches. That discrepancy is detectable.
This matters because the most common pattern in documented governance failures is not that organizations didn't know there were problems — it is that the record of what they knew was reconstructed after harm occurred to minimize liability. The SGL's value is specifically preventing that reconstruction.
When a harm event is logged against an active SGL record, the governance state at that moment is locked. What was known is on record. What was absent is on record. The gap between when the WARNING was first logged and when harm occurred is on record. That is the document that determines what is defensible and what is not.
The Agency SGL extends this to continuous monitoring — the governance state is tracked live, and every degradation event is logged with a timestamp before any harm occurs.
SGL LE=FRT-01 EVENT LOG SAMPLE
GCR-001 SHA-256 Signature Block Sample
GOVERNANCE MAINTENANCE PLAN
Certification is not permanent.
These are the events that require a new record.
The Governance Maintenance Plan issued with every GCR-001 CLEAR defines the schedule and triggers that keep the certification current. A certification that lapses without renewal degrades to the last known governance state — which may have changed materially.
Annual Trigger
Annual Governance Maintenance Review
Every 12 months from the certification date: named owner re-confirmed in role, validation currency checked against 24-month maximum and re-validation triggers, monitoring reviewer re-confirmed, all five condition states re-attested. Any degradation triggers an Amendment Record.
GCR-002 issued on renewal · $1,500–$3,500
System Trigger
Model Update or Vendor Change
System retrained, reconfigured, or materially updated. Vendor contract renewed under materially different terms. New vendor engaged. Any of these events triggers a C2 re-validation requirement and an Amendment Record before continued operation. The original validation is no longer current.
GCR-AMD required + C2 re-validation · Timeline per C2 requirements
Incident Trigger
C4 Not Invoked After Harm Event
A harm event occurs but the C4 accountability protocol is not invoked within the documented timeline. This constitutes a C4 degradation — the condition that was certified PRESENT is now PARTIAL at best. Amendment Record required within 14 days of the harm event being identified.
GCR-AMD required · $750–$2,000 · Possible GCR-003
Personnel Trigger
Named Owner Change
C1 named owner departs, is promoted out of role, or has their authority scope changed. Amendment Record required within 30 days of change. New C1 owner must be named in writing and confirm obligations before the record is updated. The certification is in an indeterminate state until the amendment is filed.
GCR-AMD required · $750–$2,000
Scope Trigger
Population or Jurisdiction Expansion
System deployed to a new geographic area, new demographic group, new use context, or new incident type. Expansion without re-audit voids the specificity of the current C2 validation, which was conducted against the original deployment population only. Expansion to a new context requires new validation.
GCR-AMD required + re-audit of C2 · Contact for scope assessment
Suppression Trigger
C5 Channel Compromised
Protected reporting channel found routing through vendor or dependent supervisory chain. Staff no longer aware the channel exists. Documented retaliation against someone who used the channel. Any of these events constitutes a C5 degradation and requires immediate Amendment Record and remediation.
GCR-AMD required · Immediate re-audit recommended
Ready to run the diagnostic
and get the record?
The diagnostic is free and takes 15 minutes. For a verified finding, a Remediation Pathway Document, and a SHA-256 signed GCR-001 issued to the Structural Governance Ledger — contact an HSRL-certified practitioner or request a GCR-001 assessment directly.
GCR-001 pre-deployment · GCR-RAD re-audit & certification · GCR-002 annual maintenance · GCR-003 post-incident · GCR-AMD amendments