System Cards
Identity documents for AI systems
A System Card is a machine-readable identity document for an AI system. It is modeled after the concept of "Model Cards" but applied to the entire system context. System Cards are a key input to ChooChoo's risk scoring algorithm and are referenced whenever an agent performs an action.
The System Card Schema
System cards are stored in system-cards/*.yaml within your project structure. The schema is formally specified in Schema Definitions, and files must follow the naming conventions.
Purpose
- Transparency: What is this agent? Who built it? Links back to the Agent Registry.
- Safety: What are its limitations and intended uses? Defines the boundaries (rails) the agent must operate within.
- Compliance: What frameworks or standards does it align with? Maps to compliance tags and supported standards.
Structure
systemCardSpecification: "1.0.0"
info:
id: cursor-agent
name: Cursor AI Assistant
version: "2.4.0"
owner: [email protected]
description: AI coding assistant integrated with IDE
intendedUse:
- Code generation and refactoring
- Test writing
- Documentation updates
limitations:
- No access to production environments
- Cannot modify financial data without approval
- Limited understanding of legacy systems
compliance:
frameworks: ["EU AI Act", "GDPR"]
dataResidency: ["us-east-1"]The compliance.frameworks field is used by ChooChoo to determine which compliance reporting frameworks the agent falls under. The limitations field documents known failure modes, which informs the Historical Quality (H) factor in risk scoring.
Governance Integration
When an agent performs an action, ChooChoo references its System Card to calculate the Risk Score. An agent with documented limitations and frameworks may be treated differently than an undocumented one.
Specifically, the System Card influences:
- Risk Scoring: Agents with well-documented System Cards and strong compliance alignment receive lower risk scores.
- Approval Workflows: The compliance frameworks listed in the System Card determine which approval policies apply.
- Audit Trail: Every Decision Trace references the agent's System Card, providing full traceability from action to identity.
- Security: The System Card's limitations determine PII access levels and encryption requirements.
Validation
When you run choochoo validate, System Cards are checked for:
- Schema validity against the System Card spec
- Required fields —
info,intendedUse,limitations, andcompliancemust all be present - Agent reference — the System Card should be referenced from a registered agent in
agents/AGENTS.md
Missing or invalid System Cards will produce error codes during validation and may cause exit code 1 in CI/CD.
Related
Agents
Register agents and link them to their System Cards for governance enforcement.
Agent Trace
Understand how agent actions are attributed and linked back to System Cards.
Risk Scoring
See how System Card metadata influences the risk calculation algorithm.
Compliance Reporting
Generate audit reports filtered by the compliance frameworks in your System Cards.