AI Governance LATAM — CultureTech Playbook
Context
AI regulation in LATAM is emerging. Chile has its AI Framework Law in discussion. Brazil has PL 2.338/2023. The EU has the AI Act in force, and it is starting to affect LATAM companies that operate in or export to Europe.
Meanwhile, engineering teams are deploying agents in production without a governance framework, assuming “it’s just another LLM endpoint.” It isn’t.
The 4 dimensions every organization must cover
1. Cryptographic identity of the agent
Each deployed agent must have a verifiable cryptographic identity, not a shared API key. Recommended pattern:
- SPIFFE/SPIRE for issuance and rotation of identities.
- mTLS between agent and consumed services.
- JWT signed by SPIRE for per-action audit.
Anti-pattern: agents using the same OPENAI_API_KEY across multiple deployments. This makes it impossible to audit “which agent did what”.
2. Inference traceability
Every inference must be logged with:
- Complete prompt (or hash if it contains PII).
- Model used + version.
- Complete output.
- Tools invoked during inference (MCP, function calling, etc.).
- Latency and cost.
Without this record, no audit is possible. And without audit, the day regulators ask “why did the agent make this decision?”, the answer is “we don’t know.”
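A sketch of such a record, as an added example rather than CultureTech or Aether Telemetry code: it stores the fields listed above, keeps only the prompt hash when the prompt contains PII, and ties each record to the agent's SPIFFE ID from dimension 1. It goes one step beyond the list by hash-chaining records so that edits to the log are detectable; the field names, the PII patterns and the chaining scheme are assumptions made for illustration.

```python
import hashlib
import json
import re
import time

# Constructed PII heuristics (assumption); production needs a real classifier.
PII_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),            # e-mail address
    re.compile(r"\b\d{1,2}\.?\d{3}\.?\d{3}-[\dkK]\b"),  # Chilean RUT-style ID
]
SPIFFE_ID = re.compile(r"^spiffe://[a-z0-9._-]+(/[A-Za-z0-9._-]+)+$")
GENESIS = "0" * 64  # prev_hash of the first record in a log

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_record(agent_id, prompt, output, model, model_version,
                 tools, latency_ms, cost_usd, prev_hash=GENESIS, ts=None):
    """Return one audit record (hypothetical schema) for a single inference."""
    if not SPIFFE_ID.match(agent_id):
        raise ValueError("agent_id must be a per-agent SPIFFE ID, not a shared key")
    pii = any(p.search(prompt) for p in PII_PATTERNS)
    record = {
        "ts": time.time() if ts is None else ts,
        "agent_id": agent_id,
        "model": model, "model_version": model_version,
        # Complete prompt, or only its hash when it contains PII.
        "prompt": None if pii else prompt,
        "prompt_sha256": sha256_hex(prompt),
        "output": output,
        "tools": list(tools),
        "latency_ms": latency_ms, "cost_usd": cost_usd,
        "prev_hash": prev_hash,
    }
    # Hash of the canonical JSON; the next record stores it as prev_hash.
    record["record_hash"] = sha256_hex(json.dumps(record, sort_keys=True))
    return record

def verify_chain(records):
    """True if every record hashes correctly and points at its predecessor."""
    prev = GENESIS
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True)) != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True
```
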
3. Continuous evaluation in production
Evaluating in QA isn’t enough. The distribution of inputs in production differs, drift occurs, and a model that does well on a benchmark can be unsafe on real data.
Three types of evaluation to have in the pipeline:
- Refusal rate — what percentage of queries the agent rejects (ideally low for legitimate queries, high for problematic ones).
- Hallucination rate — what percentage of outputs contain claims not supported by context.
- Bias indicators — demographic distribution of outputs, if applicable.
4. Explicit regional compliance
Map applicable restrictions:
| Regulation | Applies to | Key point |
|---|---|---|
| AI Framework Law Chile (in discussion) | Any AI system used in Chile | Risk classification, transparency |
| PL 2.338/2023 Brazil | AI systems with effects in Brazil | Affected party rights, accountability |
| EU AI Act | Companies exporting or processing EU data | High-risk systems, conformity assessment |
| CMF Chile (banking) | AI in credit decisions | Explainability, non-discrimination |
How CultureTech addresses it
Aether Telemetry has semantic contracts for AI that evaluate in real time whether an agent is violating declared policies (bias, hallucination, refusal). Themis consumes that signal and can intervene (pausing the agent or escalating to a human).
Cryptographic identity comes from SPIFFE/SPIRE integrated in the agent runtime.
Pre-production checklist
Before pushing an agent to production:
- The agent has a unique, rotatable SPIFFE identity.
- Every inference is logged with prompt, output, tools.
- There’s a continuous evaluation pipeline measuring refusal + hallucination + bias.
- A runbook exists to “pause the agent in production” — and the oncall person knows how to execute it.
- Applicable regulation is mapped in a document with an assigned owner.
- There’s a human-in-the-loop feedback mechanism for critical cases.
If any box isn’t checked, the agent isn’t production-ready — no matter how impressive the demo.
Need help?
If your organization is deploying agents and this checklist feels impossible: 30-minute Assessment, free.