Risk & mitigation register.

Public risk register covering 10 top-level risks across 6 categories. Each entry shows inherent and residual severity, the mitigations in force, the accountable owner, and the review cycle. Updated quarterly with formal Shariah board + audit committee review.

Severity legend

critical / high / medium / low

Shariah (2 risks)

R-001

Non-permissible structure ships to production

Inherent: critical | Residual: low

An Islamic-finance product is deployed without proper Shariah board review or with a structurally non-permissible mechanic.

Mitigations

  • Mandatory Shariah board approval gate on every contract schema
  • shariah-reviewer agent pre-screens against AAOIFI SS-8/9/12/13/17/26/39
  • Annual Shariah audit cycle with public fatwa register
  • Cerbos policy denies any contract creation without shariahApproved=true
Owner: Shariah Board + Compliance
Review: Quarterly

R-008

Ledger interest accrual on operational accounts

Inherent: medium | Residual: low

Operational treasury account inadvertently accrues interest, violating riba prohibition.

Mitigations

  • Account-type schema enforces no-interest flag on all customer-facing accounts
  • Automated daily Shariah audit on all operating ledgers
  • Treasury rail rejects any inbound interest credit at protocol level
  • Annual Shariah board sign-off on cleansing flow for any received interest
Owner: Treasury + Shariah
Review: Daily + annual

Regulatory (2 risks)

R-002

PSD3 / PSR scope drift

Inherent: high | Residual: medium

PSD3 / PSR final rules diverge materially from the designed-for profile, requiring re-engineering of open-finance connectors.

Mitigations

  • Designed-for status clearly labelled (not certified) until in force
  • Profile maintained as draft OSCAL artefact until rules locked
  • Active monitoring of EU institutional output (Council, Parliament, EBA)
  • Quarterly regulator-liaison-agent briefings to leadership
Owner: Regulatory Affairs
Review: Quarterly

R-007

Multi-jurisdictional sanctions list change

Inherent: high | Residual: low

OFAC / EU / UN / UK sanctions lists update mid-day, exposing the platform to delayed enforcement.

Mitigations

  • ComplyAdvantage + World-Check live feeds with sub-minute SLA
  • fincrime-screening-agent surfaces new alerts for human review
  • Cerbos policies block transactions on flagged parties immediately
  • Daily reconciliation against authoritative sources
Owner: Compliance
Review: Continuous

Security (2 risks)

R-003

Tier-1 secret leakage in customer-hosted BYOC

Inherent: high | Residual: low

Customer accidentally exposes a tier-1 secret (KMS key, signing cert) when self-hosting via Helm / Docker / Terraform.

Mitigations

  • BYOC bundles ship with .gitignore + secret-scanning hooks pre-configured
  • Helm charts require sealed-secrets / SOPS / external-secrets
  • Terraform modules emit secret values via output sensitive=true only
  • Onboarding concierge agent guides secret rotation playbook
Owner: Platform Security
Review: Per onboarding

R-009

Cerbos policy regression on access control

Inherent: critical | Residual: low

A policy change accidentally widens access (e.g. the tenant_id condition is removed), resulting in cross-tenant data exposure.

Mitigations

  • Cerbos policy tests required on every change (CI gate)
  • Default-deny baseline on every resource
  • Maker-checker on policy publishing in production
  • Self-Governance Engine re-evaluates 100 sample requests post-deploy
Owner: Platform Security
Review: Per change
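As an added example (not part of this register or the platform's own policy set), a Cerbos resource policy expressing the two controls from R-001 and R-009, contract creation gated on shariahApproved=true and scoped to the caller's tenant by a tenant_id match, together with a policy test that fails in CI if the tenant condition is dropped. The resource name, role, fixture ids and file paths are assumptions.

```yaml
# file: policies/contract.yaml (added example; resource and role names are assumptions)
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "contract"
  rules:   # no matching ALLOW rule => EFFECT_DENY (the default-deny baseline)
    - actions: ["create"]
      effect: EFFECT_ALLOW
      roles: ["product_owner"]
      condition:
        match:
          all:
            of:
              # R-001: creation requires the Shariah board gate to have passed
              - expr: request.resource.attr.shariahApproved == true
              # R-009: the tenant condition whose removal would expose other tenants
              - expr: request.resource.attr.tenant_id == request.principal.attr.tenant_id
---
# file: policies/contract_test.yaml, run in CI with `cerbos compile --tests=policies policies`
name: ContractCreateGate
principals:
  owner_t1: { id: owner-1, roles: ["product_owner"], attr: { tenant_id: "tenant-1" } }
resources:
  approved_t1:   { kind: contract, id: c-approved,     attr: { tenant_id: "tenant-1", shariahApproved: true } }
  unapproved_t1: { kind: contract, id: c-unapproved,   attr: { tenant_id: "tenant-1", shariahApproved: false } }
  # same approval flag, other tenant: must stay DENY even if the policy is edited
  approved_t2:   { kind: contract, id: c-other-tenant, attr: { tenant_id: "tenant-2", shariahApproved: true } }
tests:
  - name: create allowed only for an approved contract in the caller's own tenant
    input:
      principals: [owner_t1]
      resources: [approved_t1, unapproved_t1, approved_t2]
      actions: [create]
    expected:
      - principal: owner_t1
        resource: approved_t1
        actions: { create: EFFECT_ALLOW }
      - principal: owner_t1
        resource: unapproved_t1
        actions: { create: EFFECT_DENY }
      - principal: owner_t1
        resource: approved_t2
        actions: { create: EFFECT_DENY }
```

Removing the tenant_id expression from the policy flips the approved_t2 result to EFFECT_ALLOW, so the test suite, and with it the CI gate, fails before the change can be published.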

AI (1 risk)

R-004

EU AI Act high-risk system without conformity

Inherent: high | Residual: low

An AI system using IOF's runtime is deployed for a high-risk use case (credit scoring, employment decisions) without full conformity assessment.

Mitigations

  • AI runtime gates on Annex III classification at request time
  • human-oversight-auditor agent verifies oversight is operational
  • post-market-monitor agent tracks Art. 72 + 73 obligations
  • FRIA + DPIA bridge produced automatically for high-risk + personal-data flows
  • AI Systems Compliance Card public surface for transparency
Owner: AI Governance
Review: Continuous

Operational (2 risks)

R-005

Settlement break across DvP/PvP atomic transfer

Inherent: high | Residual: low

An atomic settlement across two ledgers fails part-way, leaving funds in an inconsistent state.

Mitigations

  • TigerBeetle transfers are 2-phase + idempotent + atomic by design
  • settlement-reconciliation-agent triages T+0/T+1 failures
  • All sensitive recovery actions require 4-eyes (treasury + ops)
  • Daily nostro/vostro reconciliation with auto-flag on drift
Owner: Treasury Ops + Engineering
Review: Daily

R-010

Engine drift between SSOT and infrastructure

Inherent: low | Residual: low

Documentation, inventory MD files, or dashboards drift from the actual deployed engine count, rail count, or service count.

Mitigations

  • Cohesive 2-way drift mechanism (15 facts) auto-detects + auto-fixes
  • Pre-commit gate blocks merge if any drift detected
  • Knowledge engine + memory engine indexed every session
  • Universal SSOT in @iof/ui-core for theme + footer + brand
Owner: Platform Engineering
Review: Per commit

Third-party (1 risk)

R-006

Critical third-party (DORA TPP) outage

Inherent: high | Residual: medium

A DORA-classified critical third-party (e.g. KYC, ledger, AI runtime) suffers extended outage.

Mitigations

  • Multi-vendor strategy on every critical capability
  • Connector abstraction layer lets providers be swapped in and out
  • Quarterly DORA resilience tests with documented switchover RTO
  • Real-time vendor health probes feeding the Self-Audit Engine
Owner: Vendor Risk + Platform
Review: Quarterly

Drill-down requests

Procurement teams and regulators can request detailed evidence packs for any risk above. Coverage includes audit trail samples, policy snapshots, control test results, and Shariah board memos.