This document describes how the SimpleAudit project is governed — who maintains it, how decisions are made, and how to participate. It complements the Code of Conduct, the Security Policy, and the contribution guidance in the README.
SimpleAudit is an open-source (MIT) AI safety auditing framework and a verified Digital Public Good. It is stewarded by Simula Research Laboratory (Simula) and SimulaMet, and developed in collaboration with the Norwegian Directorate of Health.
SimpleAudit follows a maintainer-led model with institutional stewardship. Day-to-day direction rests with a small group of maintainers drawn from the stewarding institutions; anyone may contribute. There is currently no separate board or steering committee — decisions are made by the maintainers, in the open, on GitHub. This document is the source of truth for that model and is versioned with the project.
Sets overall direction, has the final say where consensus cannot be reached, and is the primary point of contact.
- Michael A. Riegler (Simula) —
@kelkalot· michael@simula.no
Review and merge contributions, triage issues, cut releases, and uphold the Code of Conduct. Maintainers have write access to the repository.
- Sushant Gautam (SimulaMet)
- Finn Schwall (Simula)
- Annika Willoch Olstad (Simula)
- Klas H. Pettersen (SimulaMet)
- Sunniva Bjørklund (Hdir)
Provide expert review for specialised content — clinical/health scenarios, Norwegian public-sector and youth domains, and safety policy — advising on correctness and appropriateness within their domain.
- Sunniva Bjørklund, Maja Gran Erke, Hilde Lovett (Norwegian Directorate of Health) — health / clinical content
- Tor-Ståle Hansen (Ministry of Defence, Norway) — safety / public-sector
Anyone who opens an issue or pull request. Contributors do not need write access; their changes are merged after maintainer review.
- Routine changes (bug fixes, documentation, new scenario packs or judge configs, dependency bumps): handled through pull requests. A PR may be merged once it has at least one approving review from a maintainer (or the relevant code owner) and CI passes. Small, low-risk changes may use lazy consensus — if no maintainer objects within a reasonable window, the change proceeds.
- Significant changes (breaking API changes, methodology changes, new external dependencies, or anything affecting data provenance or safety posture): proposed and discussed in a GitHub Issue or PR before merging, so maintainers and affected domain advisors can weigh in. The goal is consensus among active maintainers.
- Tie-breaking: where maintainers cannot reach consensus, the lead maintainer makes the final decision, recorded in the relevant issue or PR.
- Transparency: substantive decisions are made and recorded in public issues and pull requests.
- For non-trivial changes, open an issue to discuss first (optional for small fixes).
- Submit a pull request and ensure CI (tests) passes.
- Reviews are requested automatically from the relevant owners via
CODEOWNERS; at least one maintainer / code-owner approval is required to merge. - Health/clinical, Norwegian-domain, and other safety-sensitive changes should additionally be reviewed by a relevant domain advisor.
See the README "Contributing" section for current areas of interest.
Contributors who have made sustained, high-quality contributions and shown good judgement may be invited to become maintainers by consensus of the existing maintainers. Maintainers who become inactive may move to emeritus status, with write access adjusted accordingly. Changes to the maintainer list are made via a pull request to this document.
SimpleAudit uses semantic versioning, is published to
PyPI, and tags releases on GitHub. Any
maintainer may cut a release once main is green.
All participation is governed by the Code of Conduct. Security vulnerabilities are handled per the Security Policy.
Changes to governance are proposed via pull request and require approval from the lead maintainer plus at least one other maintainer. The change history is tracked in version control.