Institutional Style Profiles: Ein gestuftes Governance-Modell Institutional Style Profiles: A Tiered Governance Model Institutional Style Profiles: Um Modelo de Governanca em Niveis
Entwicklung eines gestuften Dokumenten-Governance-Modells fur KI-unterstutzte institutionelle Veroffentlichung Development of a Tiered Document Governance Model for AI-Assisted Institutional Publication Desenvolvimento de um Modelo de Governanca de Documentos em Niveis para Publicacao Institucional Assistida por IA
Document Metadata
Author: Jober Mogele Correa, Chief Governance Officer
System: WINDI — We Invite New Decision Intelligence
Status: Production (Strato DE Infrastructure)
Classification: PUBLIC
Date: 02 February 2026
Zusammenfassung Abstract Resumo
Dieser Bericht dokumentiert das Design, die Implementierung und das Deployment des WINDI Institutional Style Profile (ISP) Registry — ein Governance-Framework, das institutionelle Dokumentenanforderungen in drei Stufen (HIGH, MEDIUM, LOW) klassifiziert, basierend auf regulatorischem Risiko, Identitatsempfindlichkeit und forensischen Prufungsanforderungen. Das Register umfasst derzeit acht institutionelle Profile aus Finanzregulierung, Bundesregierung, Sozialdienstleistungen, offentlichen Unternehmen, Kammern und technischer Prufung — ein Querschnitt der deutschen institutionellen Landschaft. This report documents the design, implementation and deployment of the WINDI Institutional Style Profile (ISP) Registry — a governance framework that classifies institutional document requirements into three tiers (HIGH, MEDIUM, LOW) based on regulatory risk, identity sensitivity, and forensic audit requirements. The registry currently comprises eight institutional profiles spanning financial regulation, federal government, social services, public enterprise, professional chambers, and technical inspection — representing a cross-section of the German institutional landscape. Each profile encodes organisation-specific templates, governance constraints, and compliance metadata, enabling AI-assisted document generation that respects institutional identity without substituting human decision-making. The system is deployed on German-jurisdiction infrastructure and aligned with EU AI Act requirements for human oversight in AI-assisted processes. Este relatorio documenta o design, implementacao e implantacao do WINDI Institutional Style Profile (ISP) Registry — um framework de governanca que classifica os requisitos de documentos institucionais em tres niveis (HIGH, MEDIUM, LOW) com base em risco regulatorio, sensibilidade de identidade e requisitos de auditoria forense. O registro atualmente compreende oito perfis institucionais abrangendo regulacao financeira, governo federal, servicos sociais, empresas publicas, camaras profissionais e inspecao tecnica.
Kennzahlen Key Metrics Metricas Principais
Abschnitt I: Das Governance-Stufenmodell Section I: The Governance Level Model Secao I: O Modelo de Niveis de Governanca
Das WINDI Governance Level Model adressiert eine grundlegende Herausforderung bei der KI-gestutzten Dokumentenerstellung: Verschiedene institutionelle Kontexte erfordern unterschiedliche Ebenen von Aufsicht, Identitatsschutz und Prufbarkeit. Eine Logistikbenachrichtigung der Deutschen Bahn erfordert eine andere Governance als eine Aufsichtsbewertung der BaFin. The WINDI Governance Level Model addresses a fundamental challenge in AI-assisted document generation: different institutional contexts require different levels of oversight, identity protection, and auditability. A logistics notification from Deutsche Bahn requires different governance than a supervisory assessment from BaFin. The model operationalises this insight through three tiers, each with distinct technical enforcement mechanisms. O Modelo de Niveis de Governanca WINDI aborda um desafio fundamental na geracao de documentos assistida por IA: diferentes contextos institucionais requerem diferentes niveis de supervisao, protecao de identidade e auditabilidade.
HIGH — Regulatory / Forensic
Hochste Anforderungen an Nachvollziehbarkeit und Dokumentenintegritat. Forensic Ledger, Manipulationsnachweis, Beweismittelkette, Vier-Augen-Prinzip, No-Downgrade-Policy, SHA-256-Hash-Kette. Highest requirements for traceability and document integrity. Forensic ledger, tamper evidence, chain of custody, four-eyes principle, no downgrade policy, SHA-256 hash chain. Requisitos mais altos para rastreabilidade e integridade de documentos. Livro-razao forense, evidencia de adulteracao, cadeia de custodia, principio dos quatro olhos, politica de nao rebaixamento, cadeia de hash SHA-256.
MEDIUM — Institutional / Identity-Sensitive
Schutz der institutionellen Identitat gegen Missbrauch und Falschung. Identity License System, automatische Disclaimer, Logo-Nutzungskontrollen, institutionelle Referenzprufung, dreisprachige Unterstutzung. Protection of institutional identity against misuse and falsification. Identity License System, automatic disclaimers, logo usage controls, institutional reference audit, trilingual support. Protecao da identidade institucional contra uso indevido e falsificacao. Sistema de Licenca de Identidade, avisos automaticos, controles de uso de logotipo, auditoria de referencia institucional, suporte trilingue.
LOW — Operational / Sectoral
Standardisierte Vorlagen mit grundlegender Governance fur den taglichen Betrieb. Template-Validierung, Metadaten-Durchsetzung, Stil-Konsistenz, grundlegender Audit-Trail, Governance-Quittung. Standardized templates with basic governance for daily operations. Template validation, metadata enforcement, style consistency, basic audit trail, governance receipt. Modelos padronizados com governanca basica para operacoes diarias. Validacao de modelo, aplicacao de metadados, consistencia de estilo, trilha de auditoria basica, recibo de governanca.
Das zentrale architektonische Prinzip ist die strikte Trennung der Belange: Das Template entscheidet nie uber die Governance-Stufe — die API entscheidet; das Template manifestiert nur. Dies stellt sicher, dass die Governance-Durchsetzung nicht durch Template-Manipulation umgangen werden kann. The core architectural principle is strict separation of concerns: the template never decides the governance level — the API decides; the template merely manifests. This ensures that governance enforcement cannot be bypassed through template manipulation, a design pattern aligned with the EU AI Act's requirement for meaningful human oversight (Article 14). O principio arquitetonico central e a separacao estrita de responsabilidades: o modelo nunca decide o nivel de governanca — a API decide; o modelo apenas manifesta. Isso garante que a aplicacao da governanca nao possa ser contornada por manipulacao de modelo.
"KI verarbeitet. Mensch entscheidet. WINDI garantiert." "AI processes. Human decides. WINDI guarantees." "IA processa. Humano decide. WINDI garante."
WINDI Governance Principle — Invariant I1: SovereigntyAbschnitt II: Die institutionelle Pyramide Section II: The Institutional Pyramid Secao II: A Piramide Institucional
Das ISP-Register modelliert einen reprasentativen Querschnitt der deutschen institutionellen Landschaft. Die Auswahl folgt einer bewussten strategischen Logik: Regulierungsbehorden an der Spitze, Regierungs- und Sozialinstitutionen in der mittleren Ebene und operative/sektorale Organisationen an der Basis. The ISP Registry models a representative cross-section of the German institutional landscape. The selection follows deliberate strategic logic: regulatory authorities at the apex, government and social institutions at the middle tier, and operational/sectoral organisations at the base. Together, these profiles demonstrate that the governance model scales across institutional contexts with materially different risk profiles. O Registro ISP modela uma secao transversal representativa da paisagem institucional alema. A selecao segue uma logica estrategica deliberada: autoridades regulatorias no apice, instituicoes governamentais e sociais no nivel medio e organizacoes operacionais/setoriais na base.
HIGH — Regulatory
BIS Regulatory Authority (regulatory_authority)
BaFin (federal_regulatory_authority)
International and national financial supervision — Forensic audit mandatory
MEDIUM — Institutional
Bundesregierung (government_institutional)
Bundesagentur fur Arbeit (social_sensitive_institutional)
Federal government and social services — Identity License required
LOW — Operational
Deutsche Bahn AG (public_enterprise)
Industrie- und Handelskammer (public_law_chamber)
Handwerkskammer (public_law_chamber)
Technischer Uberwachungsverein (TUV) (technical_inspection_org)
Transport, commerce, crafts, and technical inspection — Standard governance
Die Auswahl umfasst Institutionen, die zusammen mit praktisch jedem Unternehmen und Burger in Deutschland interagieren: IHK und HWK zusammen umfassen die gesamte gewerbliche Wirtschaft, BaFin beaufsichtigt ca. 6.700 Finanzunternehmen, TUV-Zertifizierungen werden in uber 160 Landern anerkannt. The selection covers institutions that collectively interact with virtually every enterprise and citizen in Germany: IHK and HWK together span the entire gewerbliche economy, BaFin supervises approximately 6,700 financial entities, TUV certifications are recognised in over 160 countries, and the Bundesagentur fur Arbeit serves as the primary interface between citizens and the labour market. A selecao abrange instituicoes que interagem coletivamente com praticamente todas as empresas e cidadaos na Alemanha: IHK e HWK juntas abrangem toda a economia comercial, BaFin supervisiona aproximadamente 6.700 entidades financeiras, certificacoes TUV sao reconhecidas em mais de 160 paises.
Abschnitt III: Profilkatalog — ISP Registry v2.5.0 Section III: Profile Catalog — ISP Registry v2.5.0 Secao III: Catalogo de Perfis — ISP Registry v2.5.0
| Institution | Level | Type | Templates | Sector |
|---|---|---|---|---|
| BIS Regulatory Authority | HIGH | regulatory_authority | 8 | International Finance |
| BaFin Bundesanstalt fur Finanzdienstleistungsaufsicht |
HIGH | federal_regulatory_authority | 12 | Financial Supervision |
| Bundesregierung Bundesrepublik Deutschland |
MEDIUM | government_institutional | 10 | Federal Government |
| Bundesagentur fur Arbeit | MEDIUM | social_sensitive_institutional | 12 | Social Services |
| Deutsche Bahn AG | LOW | public_enterprise | 6 | Transport Infrastructure |
| Industrie- und Handelskammer | LOW | public_law_chamber | 8 | Commerce & Industry |
| Handwerkskammer | LOW | public_law_chamber | 10 | Crafts & Trades |
| TUV Technischer Uberwachungsverein |
LOW | technical_inspection_org | 12 | Technical Certification |
Table 1 — Complete ISP Registry with governance classification and template counts
Abschnitt IV: Profilubersicht — Institutionelle Kontexte Section IV: Profile Overview — Institutional Contexts Secao IV: Visao Geral dos Perfis — Contextos Institucionais
HIGH-Level Profile — Regulatorische Aufsicht HIGH-Level Profiles — Regulatory Oversight Perfis de Nivel ALTO — Supervisao Regulatoria
BIS Regulatory Authority
regulatory_authority | international | HIGH
International regulatory reporting model for statistical and supervisory publications. Establishes the baseline for highest-level governance enforcement with mandatory forensic audit trail.
8 templates: Statistical reports, supervisory publications, regulatory analyses
BaFin
federal_regulatory_authority | national | HIGH
Germany's financial supervisory authority covering banking, insurance, securities, and payment services. Supervises ~6,700 entities. Profile includes KI-Risikobewertung templates aligned with DORA and EU AI Act requirements. Published KI-Orientierungshilfe on 18.12.2025.
12 templates: SREP/ORSA, Sanktionsbescheid, KI-Risikobewertung, Geldwasche-Meldung, DORA IKT-Bericht
MEDIUM-Level Profile — Institutionelle Identitat MEDIUM-Level Profiles — Institutional Identity Perfis de Nivel MEDIO — Identidade Institucional
Bundesregierung
government_institutional | federal | MEDIUM
Federal government of Germany. Documents require identity protection through WINDI's Identity License System — ensuring institutional references include appropriate disclaimers and preventing unauthorized logo usage in AI-generated content.
10 templates: Regierungserklarung, Gesetzentwurf, Kabinettsbeschluss, Pressemitteilung
Bundesagentur fur Arbeit
social_sensitive_institutional | federal | MEDIUM
Germany's federal employment agency. Handles socially sensitive data requiring enhanced identity governance. Documents interface with citizens in vulnerable situations, demanding particular care in AI-assisted generation.
12 templates: Bewilligungsbescheid, Eingliederungsvereinbarung, Arbeitsmarktbericht, Grundungszuschuss
LOW-Level Profile — Operative Sektoren LOW-Level Profiles — Operational Sectors Perfis de Nivel BAIXO — Setores Operacionais
Deutsche Bahn AG
public_enterprise | transport | LOW
Germany's national railway and first ISP profile developed. Operational logistics documentation with standard governance. Established the baseline template architecture for the entire ISP system.
6 templates: Fahrplanauskunft, Verspatungsmeldung, Baustelleninfo, Servicemitteilung
IHK — Industrie- und Handelskammer
public_law_chamber | commerce | LOW
Chamber of commerce and industry. Public-law body covering all non-craft commercial enterprises. Together with HWK, spans the entire German gewerbliche economy.
8 templates: Ursprungszeugnis, Handelsregisterauszug, Ausbildungsvertrag, Sachverstandigen-Bestellung
HWK — Handwerkskammer
public_law_chamber | crafts | LOW
Chamber of crafts and trades. Governs the Handwerksordnung with Meisterpflicht in 53 trades. HWK Schwaben operates a Bildungs- und Technologiezentrum (BTZ) in Kempten.
10 templates: Handwerksrolle, Meisterprufung, Gesellenprufung, Existenzgrundungsberatung, ULU-Bescheinigung
TUV — Technischer Uberwachungsverein
technical_inspection_org | certification | LOW
Germany's most iconic quality brand. Combined ecosystem: ~74,000 employees, ~EUR7.8B revenue. Operates TUV AI.Lab (est. 2021) and is preparing Notified Body status for EU AI Act conformity assessment.
12 templates: HU/AU, Managementsystem-Zertifizierung, GS-Zeichen, KI-Konformitatsbewertung, Cybersecurity-Prufung
Abschnitt V: Innovation — Das Identity License System Section V: Innovation — The Identity License System Secao V: Inovacao — O Sistema de Licenca de Identidade
Ein wichtiger methodischer Beitrag des ISP-Frameworks ist das Identity License System, das fur die MEDIUM-Level-Governance entwickelt wurde. Das System adressiert eine neuartige Herausforderung bei der KI-gestutzten Dokumentenerstellung: wie institutionelle Sprachmuster erlaubt werden konnen, ohne Identitatsfalschung zu ermoglichen. A key methodological contribution of the ISP framework is the Identity License System, developed for MEDIUM-level governance. The system addresses a novel challenge in AI-assisted document generation: how to permit institutional language patterns without enabling identity falsification. Uma contribuicao metodologica chave do framework ISP e o Sistema de Licenca de Identidade, desenvolvido para governanca de nivel MEDIO. O sistema aborda um desafio novo na geracao de documentos assistida por IA: como permitir padroes de linguagem institucional sem permitir falsificacao de identidade.
Die Entdeckung entstand aus empirischen Tests — ein uber das WINDI-System generierter Brief der Banco do Brasil zeigte, dass die Simulation institutioneller Identitat in KI-generiertem Text Governance-Anforderungen aktiviert, die bei generischen Dokumenten nicht entstehen. The discovery emerged from empirical testing — a Banco do Brasil letter generated through the WINDI system demonstrated that simulating institutional identity in AI-generated text activates governance requirements that do not arise with generic documents. This insight, documented as WINDI Key Discovery, led to a formal identity governance layer with five license states: A descoberta surgiu de testes empiricos — uma carta do Banco do Brasil gerada atraves do sistema WINDI demonstrou que simular identidade institucional em texto gerado por IA ativa requisitos de governanca que nao surgem com documentos genericos.
{
"identity_license": {
"states": ["authorized", "model_only", "pending", "expired", "revoked"],
"enforcement": {
"logo_usage": "blocked unless authorized",
"disclaimer": "automatic insertion for model_only",
"audit_trail": "all institutional references logged"
}
}
}Dieser Mechanismus stellt sicher, dass KI-generierte Dokumente institutionelle Kommunikationsstile fur legitime Zwecke (Schulung, Simulation, Entwurfshilfe) ubernehmen konnen, wahrend klare Herkunft aufrechterhalten und Fehldarstellung verhindert wird. This mechanism ensures that AI-generated documents can adopt institutional communication styles for legitimate purposes (training, simulation, drafting assistance) while maintaining clear provenance and preventing misrepresentation — a requirement particularly relevant under the EU AI Act's transparency obligations (Article 50). Este mecanismo garante que documentos gerados por IA possam adotar estilos de comunicacao institucional para propositos legitimos (treinamento, simulacao, assistencia de redacao) mantendo procedencia clara e prevenindo declaracoes falsas.
Abschnitt VI: Regulatorische Einordnung — EU AI Act Section VI: Regulatory Classification — EU AI Act Secao VI: Classificacao Regulatoria — EU AI Act
Die ISP-Governance-Stufen bilden direkt den risikobasierten Ansatz ab, der durch den European AI Act (Verordnung (EU) 2024/1689) etabliert wurde. Das System bietet dokumentierte Governance-Prozesse, auf die Organisationen bei der Demonstration der Einhaltung von Human-Oversight-Anforderungen verweisen konnen. The ISP governance tiers map directly to the risk-based approach established by the European AI Act (Regulation (EU) 2024/1689). The system provides documented governance processes that organisations can reference when demonstrating compliance with human oversight requirements. Os niveis de governanca ISP mapeiam diretamente para a abordagem baseada em risco estabelecida pelo European AI Act (Regulamento (EU) 2024/1689). O sistema fornece processos de governanca documentados que organizacoes podem referenciar ao demonstrar conformidade com requisitos de supervisao humana.
Art. 14 — Human Oversight / Menschliche Aufsicht
WINDI's architectural principle "the API decides, the template manifests" ensures that governance level enforcement is not delegable to the AI system. Every document generation passes through a decision layer where human-set governance policies determine the applicable constraints.
Art. 50 — Transparency Obligations / Transparenzpflichten
The Identity License System ensures that AI-generated documents referencing institutional identities carry appropriate disclaimers and provenance metadata. The forensic ledger at HIGH level provides tamper-evident documentation of the complete generation process.
DORA (Regulation (EU) 2022/2554) — ICT Risk Management
The BaFin ISP profile includes dedicated templates for DORA IKT reporting and KI-Risikobewertung, providing governance-controlled document generation for financial entities' ICT risk management obligations.
Abschnitt VII: Deployment-Chronologie Section VII: Deployment Chronology Secao VII: Cronologia de Implantacao
Das ISP-Register wurde iterativ auf Produktionsinfrastruktur (Strato DE, deutsche Jurisdiktion) zwischen 31. Januar und 2. Februar 2026 entwickelt und bereitgestellt. Jedes Deployment folgte einem Zero-Violence-Protokoll: Backup, Erstellen, Deployen, Validieren, Verifizieren. The ISP Registry was developed and deployed iteratively on production infrastructure (Strato DE, German jurisdiction) between 31 January and 2 February 2026. Each deployment followed a zero-violence protocol: backup, create, deploy, validate, verify. O Registro ISP foi desenvolvido e implantado iterativamente em infraestrutura de producao (Strato DE, jurisdicao alema) entre 31 de janeiro e 2 de fevereiro de 2026. Cada implantacao seguiu um protocolo de zero violencia: backup, criar, implantar, validar, verificar.
First institutional profile. Established base architecture for ISP system including template schema, governance metadata, and style configuration.
First HIGH-level profile. Introduced forensic ledger requirements and regulatory metadata constraints.
First MEDIUM-level profiles. Activated Identity License System with disclaimer enforcement and institutional reference auditing.
Commerce and industry chamber. Established public_law_chamber type classification.
Crafts chamber. Complementary to IHK — together covering the entire gewerbliche economy. Documented HWK Schwaben BTZ Kempten connection.
National financial supervisor. Most dense profile: 12 templates, 7 supervision areas, KI-Risikobewertung aligned with DORA + EU AI Act. Four-eyes principle enforced.
Technical inspection ecosystem. Largest profile (23KB). Includes unique ai_governance_context section documenting TUV AI.Lab and EU AI Act Notified Body preparation.
Fig. 3 — Deployment timeline: 7 profiles in 36 hours, from v1.0.0 to v2.5.0
Abschnitt VIII: Technische Architektur Section VIII: Technical Architecture Secao VIII: Arquitetura Tecnica
Jedes ISP-Profil wird als eigenstandiges JSON-Dokument im ISP-Verzeichnis des Servers gespeichert. Das Register verwaltet ein zentrales governance_levels.json-Manifest, das Institutionen auf Governance-Stufen und Dokumenttyp-Klassifikationen abbildet.
Each ISP profile is stored as a self-contained JSON document in the server's ISP directory. The registry maintains a central governance_levels.json manifest that maps institutions to governance tiers and document type classifications. Profile loading, validation, and governance enforcement are handled by the WINDI engine at runtime.
Cada perfil ISP e armazenado como um documento JSON autocontido no diretorio ISP do servidor. O registro mantem um manifesto central governance_levels.json que mapeia instituicoes para niveis de governanca e classificacoes de tipo de documento.
# Server directory structure (Strato DE)
/opt/windi/isp/
|-- governance_levels.json # Central registry (v2.5.0)
|-- ARCHITECTURE.md
|-- README.md
|-- isp_loader.py # Profile loader module
|-- _base/profile.json # Base template schema
|-- deutsche-bahn/profile.json
|-- bundesregierung/profile.json
|-- agentur-fuer-arbeit/profile.json
|-- ihk/profile.json
|-- hwk/profile.json
|-- bafin/profile.json # HIGH: 24KB, 12 templates
|-- bis-style/profile.json
+-- tuev/profile.json # LOW: 23KB, 12 templatesJedes Profil kodiert vier Governance-Dimensionen: Organisationsmetadaten (rechtlicher Name, Typ, Sektor), Template-Definitionen (Dokumenttypen mit Feldschemas und Validierungsregeln), Governance-Constraints (ebenespezifische Durchsetzungsrichtlinien) und Erkennungsschlusselworter. Each profile encodes four governance dimensions: organisational metadata (legal name, type, sector), template definitions (document types with field schemas and validation rules), governance constraints (level-specific enforcement policies), and detection keywords (for the Identity Detector module to recognise institutional references in free text). Cada perfil codifica quatro dimensoes de governanca: metadados organizacionais (nome legal, tipo, setor), definicoes de modelo (tipos de documento com esquemas de campo e regras de validacao), restricoes de governanca (politicas de aplicacao especificas por nivel) e palavras-chave de deteccao.
Abschnitt IX: Ausblick — Nachste Schritte Section IX: Outlook — Next Steps Secao IX: Perspectivas — Proximos Passos
Das aktuelle Register demonstriert den Proof of Concept uber drei Governance-Stufen und acht institutionelle Kontexte. Geplante Entwicklung umfasst Katalogkonsolidierung (Schema-Validierungswerkzeuge und standardisierte Feldanforderungen), Erweiterung auf Gesundheitssektor-Profile (Bundesarztekammer, GKV/Krankenkassen) und zusatzliche technische Prufstellen (DEKRA). The current registry demonstrates proof of concept across three governance tiers and eight institutional contexts. Planned development includes catalog consolidation (schema validation tooling and standardised field requirements), expansion into health sector profiles (Bundesarztekammer, GKV/Krankenkassen) and additional technical inspection bodies (DEKRA), as well as an academic/university profile type relevant to the Hochschule environment where this research is conducted. O registro atual demonstra prova de conceito atraves de tres niveis de governanca e oito contextos institucionais. O desenvolvimento planejado inclui consolidacao do catalogo (ferramentas de validacao de esquema e requisitos de campo padronizados), expansao para perfis do setor de saude (Bundesarztekammer, GKV/Krankenkassen) e organismos de inspecao tecnica adicionais (DEKRA).
Das strategische Ziel ist nicht erschopfende institutionelle Abdeckung, sondern ein ausreichend diverser Katalog, der die Anwendbarkeit des Governance-Modells uber materiell verschiedene Risikokontexte validiert — von der Finanzregulierung bis zum offentlichen Verkehr, von der Bundesregierung bis zum Handwerk. The strategic objective is not exhaustive institutional coverage, but rather a sufficiently diverse catalog that validates the governance model's applicability across materially different risk contexts — from financial regulation to public transport, from federal government to craft trades. O objetivo estrategico nao e cobertura institucional exaustiva, mas sim um catalogo suficientemente diverso que valide a aplicabilidade do modelo de governanca atraves de contextos de risco materialmente diferentes — da regulacao financeira ao transporte publico, do governo federal ao comercio artesanal.
"KI verarbeitet. Mensch entscheidet. WINDI garantiert." "AI processes. Human decides. WINDI guarantees." "IA processa. Humano decide. WINDI garante."
WINDI Handshake Protocol v1.1 | Marco Zero: 19 January 2026