Risk and Compliance
DraftStatus: Draft
Version: 0.1.0
Last Updated: 2026-05-16
Owner: Axodus Business
Purpose
Business creates risk when requests become commitments without adequate review. Risk management protects clients, DAOs, Axodus Core, product nuclei, treasury, users, governance legitimacy, brand trust, and long-term sustainability.
This document is not legal advice and does not claim legal compliance.
Scope
This page defines Business risk categories, compliance-oriented guardrails, risk review flow, severity levels, accountability records, required records by request type, incident types, and anti-patterns.
Risk Categories
- Scope risk: deliverables, boundaries, or acceptance are unclear.
- Delivery risk: resources, dependencies, or timeline feasibility are weak.
- Governance risk: DAO policy, plugins, federation, or governance are affected without review.
- Treasury risk: capital, revenue distribution, or financial reporting are affected.
- Tokenomics risk: rewards, utility, unlocks, or token claims are affected.
- Trading risk: strategy access, API keys, or user financial exposure are involved.
- Security risk: contracts, API keys, data, permissions, or infrastructure are involved.
- Compliance uncertainty: financial advertising, data, consumer protection, or regulated topics may be implicated.
- Communication risk: public or client-facing claims may be false, exaggerated, or unverified.
- Reputation risk: poor delivery or misleading claims damages trust.
- ACS risk: agent output is treated as commitment or authority.
- Marketplace risk: payment, fee, refund, or seller rules are unclear.
- Academy risk: reward farming, tutor quality, or certification claims are unclear.
Guardrails
- Do not claim guaranteed financial outcomes.
- Do not claim audits unless real, named, and verifiable.
- Do not imply partnerships unless confirmed.
- Do not claim legal compliance without qualified review.
- Describe
$Neuronsas utility, reward, access, coordination, or governance participation infrastructure, not as an investment. - Do not claim DAO, product, or federation status without a governance record.
- Do not execute contracts, treasury actions, Trading actions, or ACS sensitive permissions without review.
- Include risk disclosures for Trading, DeFi, tokenomics, treasury, API key, and financial-exposure topics.
Risk Review Flow
- Request is received.
- Risk flags are identified.
- ACS assists analysis.
- Business owner validates.
- Domain owner reviews when needed.
- Governance, Security, Treasury, or legal review is triggered when required.
- Mitigation is defined.
- Scope is updated.
- Requester is informed.
- Review record is archived.
Severity Levels
- Low: simple documentation, design, or copy updates; Business owner review may be enough.
- Medium: client service scope, non-sensitive integration, or Marketplace listing; domain review and clear scope are needed.
- High: DAO plugins, token reward policy, trading products, smart contract work, or public financial claims; ACS, human, governance, or security review may be needed.
- Critical: treasury actions, production contract upgrades, sensitive ACS permissions, or regulated campaigns; formal authority review and no autonomous execution are required.
Required Records
Low-risk services require at least intake, scope, and acceptance records. DAO services may require DAO authority context and governance review. Plugin requests require ACS analysis, governance review, security review plan, technical scope, and execution or activation receipt. BBA campaigns require campaign scope, claim review, approval record, and performance or delivery report. Trading services require risk disclosures and API key safety guidance when applicable. Tokenomics services require policy review and contract-behavior validation notes where relevant.
Incident Types
Business incidents may include scope disputes, misleading claims, governance bypass, security-sensitive access issues, client expectation failure, and ACS output errors. Responses should be recorded and routed to the correct review layer.
Anti-Patterns
Avoid no written scope, no change log, claims without evidence, governance-sensitive delivery without record, acceptance by silence, and knowledge that exists only privately.
