Project Overview

Projects are the unit of execution in Modulos. A project defines a governance scope and contains the frameworks, controls, evidence, and monetary risk quantification needed to make that scope auditable.

What this is

A project is a boundary that keeps governance work consistent:

• one scope statement an auditor can understand
• one set of frameworks and requirements that apply to that scope
• one audit trail for controls, evidence, reviews, and risk decisions

Project types

Modulos supports two project types that map to how compliance and audits work in practice.

AI system projects

Use an AI system project to govern a specific AI system in its real deployment context. In the UI, this project type is labeled AI Application.

An AI system is not just a model. It includes the full socio-technical system that produces and uses AI outputs.

What counts as an AI system

Model or models

Foundation model, fine-tune, classifier

Data

Training data, input data, labels, feedback

Inference and orchestration

Prompting, retrieval, routing, post-processing

Interfaces

API, UI, integrations

Infrastructure and vendors

Cloud, third parties, model provider

AI system

Outputs influence real decisions

Humans in the loop

Operators, reviewers, escalation paths

Downstream decisions

Business process, automation, approvals

Monitoring

Drift, quality, incidents

Documentation and controls

Policies, evals, evidence

Technical

Operational

An AI system includes the model, the surrounding pipeline, the human processes, and the environment where outputs drive decisions.

AI system definitions

EU AI Act definition:

"AI system" means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

NIST AI RMF definition, adapted from OECD:

The AI RMF refers to an AI system as an engineered or machine-based system that can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments. AI systems are designed to operate with varying levels of autonomy.

AI system projects are the default choice for frameworks that are system-scoped, such as the EU AI Act.

Organization projects

Use an organization project for organization-wide governance programs and management systems:

• policies and processes that apply across teams
• shared controls that support multiple compliance programs
• certification-style audits where scope is the organization, not one system

Most organizations only need one organization project.

Organization projects are the default choice for management-system frameworks such as ISO 42001 and ISO 27001.

Where in Modulos

• Projects to view all projects and create a new one
• Project → Dashboard to see progress and signals for one project
• Project → Requirements, Controls, Evidence, Risks, Testing to execute work inside a project
• Project → Settings to configure frameworks, user access, and sources

Who can do what

Permissions

• Project Owners configure the project, assign project roles, and manage settings.
• Editors implement controls, attach evidence, and keep work items up to date.
• Reviewers approve or reject review requests for status changes.
• Auditors have read-only access focused on traceability.

Organization admins typically have full administrative access across projects in the organization. Use project roles to grant the minimum needed access to non-admins and to preserve separation of duties.

How it works

Projects unify execution across governance areas: governance, risk quantification, and testing all live inside the same scope boundary.

Project boundary

Project

Governance

Frameworks

Requirements

Controls

Evidence

Reviews

Risk

Risks

Threat vectors

Quantification runs

Treatment decisions

Testing

Sources

Metrics

Tests

Results

Audit trail

Projects keep scope, execution, and traceability in one place so audits can follow decisions back to evidence.

That shared structure is what allows traceable exports and audit-ready reviews.

What lives in a project

Depending on your organization setup, a project may include:

• frameworks, requirements, controls, and evidence
• risks and monetary quantification runs
• testing sources, tests, schedules, and results
• assets and supporting documents
• notifications and object-level comments and logs

How to use it

1

Pick the right project type

Use AI system projects for system-scoped compliance and organization projects for management systems

2

Write a scope statement

Describe what is in scope in plain language an auditor can validate

3

Add frameworks

Select the regulations and standards that apply to this scope

4

Assign roles

Set owners, editors, reviewers, and auditors early to preserve separation of duties

5

Execute and monitor

Implement controls, attach evidence, quantify top risks, and run testing over time

Important considerations

• Keep AI system projects narrow. One AI system or one use case per project keeps evidence and risk quantification defensible.
• Treat the project description as your scope statement. It should survive staff turnover and audit scrutiny.
• Use organization projects sparingly. Most organizations only need one to host shared controls and policies.

Related pages

Create a Project

Scope a project and assign roles and frameworks

Project Dashboard

Interpret progress signals and what is blocking completion

Project Settings

Configure frameworks, access, EU AI Act scoping, and sources