Level 3 Module

Lucas Cycle

Advanced Forensics & Governance

5-6 Hours

From Detection to Enforcement

Lucas Cycle Focus: Level 3 shifts from identifying governance gaps to operationalizing forensic accountability. These modules teach the institutional practices, audit frameworks, and technical controls needed to move ESG reporting from theater to evidence.
The Story Behind the Term: The Lucas Cycle

The Pain: You have a brilliant analyst who knows every data quirk. Then she leaves. We call this the Turnover Black Hole. The data remains, but the meaning vanishes.

The Solution: You need "Selective Memory"—a way to hard-code her intuition into the system so the wisdom survives.

The Label: We call this "The Lucas Cycle."

Named after the only characters in Star Wars to witness the entire 9-film saga: R2-D2 and C-3PO. Generals died, Empires fell, but the Droids remembered. They were the continuity.

The Lesson: Most organizations rely on heroes (Jedi). But heroes retire. Droids result in audit trails. You need to build a system that remembers.

By the end of Level 3, participants can design and audit "Sociable Systems"—workflows where AI and humans have explicit, tested authority boundaries.

What You Will Build

Fairness Forensics Report

Prove algorithmic bias using statistical methods

Assurance Protocol (SOP)

Define sampling, versioning, and human sign-off

Third-Party Risk Register

Map vendor models and liability constraints

Prerequisites

  • Completion of Level 1 & 2
  • Understanding of Liability Sponge
  • Basic familiarity with audit concepts
L3-M5

Institutional Harm & Fairness Forensics

Forensics
Why It Exists

Bias in ESG isn't just about people; it's about supplier exclusion. Algorithms that penalize "missing data" systematically harm developing regions.

Core Concepts
  • Institutional Harm Pathways
  • Zero-Shot Bias (Data Availability)
  • The Appeals Process as Governance
Deliverable Fairness & Bias Stress-Test Format: Report / Simulation Acceptance Criteria
  • Tests for "Missing Data" penalty
  • Compares False Positive rates across regions
  • Documents the "Path to Appeal"
Authority Boundary

Stop-the-Line: Disparate impact > 20% variance → Pause Vendor Selection Model.

Assurance Control of the Week The "Empty Field" Test

Submit a perfect supplier profile with *one* missing non-critical field. If rejected, the model is fragile/biased.

L3-M6

Cybersecurity as Governance Credibility

Governance
Why It Exists

A breached supply chain dataset is a credibility breach. If you can't protect the data, you can't attest to the report's integrity.

Core Concepts
  • Data Integrity vs. Availability
  • The "Stop Work Authority" for Data
  • Incident Disclosure Protocols
Deliverable Data Integrity Response Protocol Format: Flowchart Acceptance Criteria
  • Defines who declares a "Data Breach"
  • Mandates notification of assurance providers
  • Includes "correction procedure" for reports
Authority Boundary

Stop-the-Line: Unverified data source injection → Immediate Report Freeze.

Assurance Control of the Week Provenance Check

Verify cryptohash or chain-of-custody log.

L3-M7

The AI Assurance Role

Strategy
Why It Exists

Preparing for the shift from "checking boxes" to "auditing code." The near-term regulatory horizon requires forensic capability.

Core Concepts
  • The AI Assurance Competency Map
  • "Training the Trainers" (Recursive Authority)
  • Sandboxes & Testing Infrastructures
Deliverable Skill Gap Analysis Format: Personal Assessment Acceptance Criteria
  • Assesses Python/SQL literacy
  • Evaluates "Skepticism" & Forensic Mindset
  • Maps current role to "AI Assurance" needs
Authority Boundary

Stop-the-Line: Assurance Lead cannot sign off if "Black Box" opacity prevents testing.

Assurance Control of the Week The "Explanation" Challenge

Can the assurance lead explain the model in plain language?

L3-M8

Operational Assurance Controls

Assurance
Why It Exists

To operationalize the "Calvin Convention" into daily audit practice. Turning "trust" into "evidence."

Core Concepts
  • Sampling Methodologies for AI Outputs
  • Reconciliation Trails
  • Change Control & Versioning
Deliverable The Assurance Protocol Format: SOP Document Acceptance Criteria
  • Defines sampling frequency (e.g., 1 in 10)
  • Requires "Human-in-the-Loop" log signatures
  • Mandates version control for all models
Authority Boundary

Stop-the-Line: Missing version history → Audit Failure.

Assurance Control of the Week Reconciliation Logic

Total Input Records == Output Records + Exceptions.

L3-M9

Model Risk & Third-Party Governance

Governance
Why It Exists

To manage the risk of "outsourced reasoning." When the vendor holds the IP, you still hold the liability.

Core Concepts
  • Vendor Due Diligence
  • IP vs. Accountability
  • Escalation Paths for Black Box Failures
Deliverable Third-Party Risk Register Format: Risk Log Acceptance Criteria
  • Lists all AI vendors & model versions
  • Identifies "Black Box" risks
  • Maps contractual liability limits
Authority Boundary

Stop-the-Line: Vendor refuses to provide "Known Failure Modes" → PO Hold.

Assurance Control of the Week The "Training Data" Check

Does the contract allow training data audit? If no, Risk = HIGH.

L3-M10

The Seil Protocol

Restoration
Why It Exists

"Seil" (Persistence) is the alternative to Bolvangar (Severance). We measure success by "Exit Readiness"—can the supplier eventually succeed without us?

Core Concepts
  • Daemon Health Index
  • Exit Readiness vs. Perpetual Monitoring
  • Rehabilitative Compliance
Deliverable Restoration Plan Format: Capstone Artifact Acceptance Criteria
  • Prioritizes data history retention
  • Defines clear "Return to Good Standing" path
  • Uses "Daemon Health" to predict risk
Authority Boundary

Constraint: No severance without a prior restoration attempt.

Learning Outcomes

Technical Competency

  • Design fairness stress-tests for algorithmic bias
  • Build audit protocols with sampling & versioning
  • Evaluate third-party models for black-box risks
  • Create data integrity protocols & incident response

Governance Competency

  • Map decision rights (RACI) to eliminate liability
  • Define "Stop-the-Line" triggers with operational teeth
  • Negotiate contracts with accountability constraints
  • Build appeals & remediation processes

Curriculum Complete

You have reached the end of the AI-ESG Integrated Strategist (AEIS) Level 3.