Reference statement of limitations, not a complete enumeration. Adopters are responsible for their own validation, controls testing, and counsel review. See repo-root
DISCLAIMER.md.
The nine patterns in this repository are a useful starting point for AI-governance discipline in CRE operating companies. They are not a sufficient program on their own. This document enumerates the most material limitations so adopters can scope additional controls.
The proxy-detection check in FairHousingPreflightGate compares input feature names against a configurable lexical blocklist. It does NOT detect:
- Learned proxies in embedding space. A deep model can encode protected-class information in latent features even when the named feature is excluded (Dwork et al. 2012; Datta et al. 2017; Selbst et al. 2019 Fairness and Abstraction in Sociotechnical Systems).
- Behavioral-signal proxies. Browser fingerprints, application-session timing patterns, language patterns (Buolamwini & Gebru 2018 Gender Shades).
- Geospatial-granularity proxies finer than zip code. Census-tract-level, block-group-level, or precinct-level proxies require finer-grained detection than this gate provides.
Detection of those classes requires upstream training-time controls (differential privacy on training data, adversarial debiasing, counterfactual fairness audits — Kusner et al. 2017 Counterfactual Fairness) — out of scope for v0.2.0. The mutual-information-threshold learned-proxy detector for Pattern 8 is tracked as a v0.2.1 deliverable (not yet landed).
2. Tamper-detection within the trust boundary by default; tamper-evidence requires the witness pattern (Pattern 3 / ADR-0003 + ADR-0012 + ADR-0013)
The hash-chained Audit Ledger detects modification by an honest holder of the chain head. Adversarial integrity against an attacker with full ledger-host write access requires anchoring the chain head to an external witness register.
v0.2.1 ships the witness-anchor pattern (ADR-0012 § Seam 3 — RekorWitness for Sigstore, OpenTimestampsWitness, and anchor_to_witness() that binds the receipt back into the same chain). Scheduling the anchor cron is the deployer's responsibility. v0.2.1 also ships the MI Proxy (ADR-0013) so the verifier itself is tamper-detecting: AuditLedger.verify_chain(mi_proxy=...) fails closed via IntegrityVerificationError when the verifier's own attestation does not check.
Out-of-band external attestation backends (SLSA / in-toto / Sigstore cosign) are tracked behind the future [attestation] extra.
3. Pluggable persistence shipped in v0.2.1; production substrate is the deployer's choice (Pattern 3 / ADR-0003 + ADR-0012)
v0.2.0's reference AuditLedger stored entries in an in-memory list[AuditEntry]. v0.2.1 introduces the LedgerStore Protocol (ADR-0012 § Seam 1) with three stdlib reference backends (InMemoryLedgerStore, SqliteLedgerStore, JsonlLedgerStore). Production deployments wire their own backend against the Protocol — Postgres + WAL with row-level-immutability constraints, append-only S3 + Object Lock, or DynamoDB with conditional writes — to satisfy SOX 404 ITGC retention or FFIEC Audit booklet expectations. The package does not pull driver libraries; the Zero-Deps badge is intact.
4. RFC 3161 trusted timestamps shipped in v0.2.1; signature-chain verification on the v0.2.1 follow-up backlog (Pattern 3 / ADR-0003 + ADR-0012)
v0.2.0 used datetime.now(timezone.utc) for AuditEntry.timestamp — local system clock. v0.2.1 introduces the TimestampSource Protocol (ADR-0012 § Seam 2) with LocalClockTimestampSource (default) and RFC3161TimestampSource (stdlib http.client + hand-rolled DER ASN.1 codec). The TSR token is opaque-stored verbatim so any RFC 3161-aware verifier can validate the TSA chain later.
Signature-chain re-verification of stored TSR tokens (rfc3161_verify.py behind the audit-verify extra, using pyca/cryptography) is the remaining v0.2.1 deliverable on this seam.
The disparate-impact check uses the standard four-fifths-rule selection-rate comparison. It does NOT engage the fairness-metric pluralism / impossibility-result literature:
- Kleinberg, Mullainathan & Raghavan (2016) Inherent Trade-Offs in the Fair Determination of Risk Scores — calibration vs balance for negative class vs balance for positive class are mutually inconsistent except in degenerate cases
- Chouldechova (2017) Fair prediction with disparate impact — the impossibility result for criminal-justice risk scores
- Kasy & Abebe (2021) Fairness, Equality, and Power in Algorithmic Decision-Making — the distributive-justice critique of group-fairness metrics
Adopters owning a regulator-facing fairness defense should choose their fairness metric in consultation with counsel and document the choice. The four-fifths-rule is the standard regulatory benchmark under HUD 24 C.F.R. § 100.500 and Uniform Guidelines on Employee Selection Procedures (29 C.F.R. § 1607.4(D)); adopting it is defensible-but-not-uniquely-defensible.
6. Vendor-mediated AI captured via VendorScoreGate in v0.2.1 (Pattern 11 / ADR-0011 + FAILURE-MODES.md Row 8)
Most CRE operators do not run their own tenant-screening, lease-abstraction, or pricing models. They consume vendor outputs. ADR-0011 documents the design for the VendorScoreGate adapter; v0.2.1 ships the concrete implementation:
- The ADR-0011 design + interface sketch (v0.2.0)
- The
docs/vendor-clauses/{screening,abstraction,pricing}.mdprocurement-side companion (v0.2.0) - The
VendorScoreGateProtocol +InMemoryVendorScoreGatedefault backend (v0.2.1) — emits every vendor-scoring event to the audit chain with full provenance (vendor_id,input_hash,score,model_version) - Score-drift detection (v0.2.1) — same
input_hash+ samemodel_version+ differentscoresurfaces as a flaggeddecision_type="vendor_score_drift"chain entry; default posture raisesVendorScoreDriftDetectedso the pipeline halts rather than silently absorbing the change (raise_on_drift=Falseavailable for shadow-mode rollouts)
A SafeRent-shaped synthetic vendor-output fixture is the remaining v0.2.1 deliverable on this seam — currently tracked as a follow-up alongside the fair-housing MI-threshold detector.
The compliance-rules YAML covers federal regulations + Colorado AI Act + the federal-floor source-of-income ordinance jurisdictions (CA, CT, DC, MA, MN, NJ, NY, OR, VT, WA). State-by-state mapping at the deployer-obligation level is partial — five state-mapping issues (TX, NY, CA, WA, FL) are open as v0.2.0 good-first-issues, with primary-source citation required per PR.
Selbst et al. 2019 Fairness and Abstraction in Sociotechnical Systems — fairness is sociotechnical, not technical. This stack governs how AI is deployed by an operator inside an operating workflow. Training-time controls (training-data hygiene, model architecture choices, hyperparameter selection) are out of scope. Adopters whose AI exposure runs through vendor-supplied models have additional vendor-side training-time controls to require through procurement (see vendor-clauses).
The repository is a reference architecture published as a v0.2.0 first public release. It has not been deployed in a production environment by the author or by any named adopter. The author's prior experience operating governance programs informs the patterns, but the patterns themselves have not been battle-tested at production scale in CRE. Adopters own validation in their environments.
The MIT license disclaims warranty. This LIMITATIONS.md extends that posture to the non-software components (regulatory characterizations, control descriptions, vendor-clause templates, due-diligence checklists, deployment-cadence walkthroughs). See DISCLAIMER.md for the full statement.
v0.2.1 released 2026-05-28 — 4 of 7 deferred items closed (DOI 10.5281/zenodo.20434575)
- ✅ Pluggable persistence backend for
AuditLedger— shipped (ADR-0012 § Seam 1) - ✅ RFC 3161 trusted-timestamp integration — shipped (ADR-0012 § Seam 2)
- ✅ OpenTimestamps / Sigstore Rekor witness-anchor reference integration — shipped (ADR-0012 § Seam 3)
- ✅
VendorScoreGateconcrete implementation — shipped (ADR-0011 update) - ✅ Full failure-modes appendix — shipped (
FAILURE-MODES.mdmatrix + drift-detection test) - ✅ (added in PR 3) ADR-0013 MI Proxy — shipped (verifier chain-of-custody)
- ✅ (added in PR 3) Consolidated
AuditConsumerbase — shipped
- ✅ MI-threshold learned-proxy detection in
fair_housing_preflight.py— shipped (ADR-0008 update; mutual-information detector +FHA-MI-PROXYveto code). Distinct from the Module Integrity Proxy (ADR-0013, v0.2.1). - ✅
audit-verifyextra — shipped (rfc3161_verify.pybehind[audit-verify]extra;cryptography>=42) - ❌ Named-GC reference quotes — research outside engineering scope; remains open
- Full per-pattern subordinate-clause-level ISO/IEC 42001 mapping (v0.2.0 ships pattern-level mappings)
- Five state regulatory mappings (TX, NY, CA, WA, FL) — community good-first-issues
agents/subpackage: prune the unused stubs (strategy,risk,domain_intelligence) and promoteorchestratorto a functional implementation. TheAuditConsumerbase shipped in v0.2.1 already consolidated the seams forauditandmonitor.- Docker compose for 60-second zero-pip-install demo
- LangChain + CrewAI adapter modules
- Terraform module sketch for the IdP-bypass-authority resolver integration
- External-attestation backends for the MI Proxy (SLSA / in-toto / Sigstore cosign) behind the
[attestation]extra
- Does not enumerate every possible adversarial input or threat model
- Does not address vertical-specific regulatory regimes outside CRE (PCI DSS, HIPAA, DORA, etc.)
- Does not replace a security-review or threat-modeling engagement
If you identify a limitation worth adding to this list, please open an issue at https://github.com/linus10x/cre-agent-audit/issues with the description and (where possible) a citation.