Governance Map
Your Brain Has Rights.
Here's How We Protect Them.
GRC (Governance, Risk, and Compliance) was retrofitted onto IT security decades after the internet shipped. The result: compliance that lags threats. We are building governance into BCI security from day one.
Ethical Foundations
Governance of neurotechnology doesn't start from scratch. It stands on 47 years of biomedical ethics, extended by neurorights scholars when existing principles proved insufficient for technology that interfaces with cognition itself.
Principles of Biomedical Ethics
Beauchamp & Childress established four principles that became the operating system for medical ethics: autonomy (patient decides), beneficence (do good), non-maleficence (don't harm), and justice (be fair). Every IRB, clinical trial, and medical ethics committee runs on this framework.
Beauchamp TL, Childress JF. Principles of Biomedical Ethics, 8th ed. Oxford University Press, 2019.
Neurorights
Ienca & Andorno and Yuste et al. independently argued that the four principles alone can't protect patients when technology interfaces with cognition itself. Autonomy assumes you can think freely before deciding, but a BCI that modifies cognition breaks that assumption. New rights were needed: mental privacy, cognitive liberty, mental integrity, and psychological continuity. Chile amended its constitution in 2021 (Law 21.383) to protect brain activity and mental integrity, the first country to do so.
Ienca & Andorno, Life Sciences, Society and Policy, 2017 · Yuste et al., Nature 551, 2017 · Farahany, The Battle for Your Brain, 2023 · UNESCO Recommendation on the Ethics of Neurotechnology, 2025
QIF Technical Controls
Rights without enforcement are aspirational. QIF provides the technical implementation: NISS quantifies neural harm (non-maleficence, measurable), the TARA Atlas catalogues 161 threat techniques, the Neural Impact Chain traces attacks to clinical outcomes, and signal integrity analysis (future work) will detect provenance violations in real time.
From Principle to Protocol
Each ethical principle extends into a neuroright, which QIF operationalizes through a technical control.
| Ethical Principle | Neuroright | QIF Control | Why Extension Was Needed |
|---|---|---|---|
| Autonomy | Cognitive Liberty | Consent framework, governance layer | Autonomy assumes free thought. BCIs can compromise the thinking itself |
| Non-maleficence | Mental Integrity, Mental Privacy | NISS scoring, signal integrity analysis (future work) | Neural harm can be invisible, irreversible, and undetectable by the patient |
| Beneficence | Therapeutic dual-use boundary | 78/135 dual-use mapping | Same mechanism treats Parkinson's and causes involuntary activation. Boundary is consent, not mechanism |
| Justice | Equitable access (governance principle) | Open-source framework, Apache 2.0 | BCI safety cannot be proprietary. Equitable access is a governance commitment, not a separate neuroright — it is implied by treating the four rights as universal |
The Institutional Landscape
23 frameworks from 12+ institutions worldwide converge on the same four themes. Every one answers why or what. None answer how.
- Columbia: NeuroRights Foundation
- Stanford: Law & Biosciences
- UPenn: Neuroscience & Society
- ETH Zurich: Health Ethics & Policy
- UNESCO: 194 member states
- OECD: 38 member states
- WHO: Global health body
- QIF: First HOW layer
The Principles-to-Protocol Gap
47 years of biomedical ethics. 23 frameworks. 12 institutions. 4 ethical principles (Beauchamp & Childress). Zero technical security specifications. Like having fire safety principles without fire codes, sprinkler specs, or building inspectors. See the full landscape survey.
Proposed Neurorights
Two independent academic proposals in 2017 argued that existing human rights are insufficient to protect cognition when technology interfaces directly with the brain. Neither framework has been adopted as a binding standard. Both informed Chile's 2021 constitutional amendment and UNESCO's 2025 Recommendation.
No unified, internationally agreed-upon set of neurorights exists as of 2026. These are the two most influential proposals.
Ienca & Andorno
Life Sciences, Society and Policy, 13(1):5
Cognitive Liberty
The right to freedom of thought and to accept or refuse neurotechnology. Protects the mental sphere from unauthorized external influence.
Mental Privacy
Protection of brain data from unauthorized collection, storage, use, or deletion. Neural information should not be accessed without consent.
Mental Integrity
Protection from non-consensual modification of brain activity or mental processes by third parties through neurotechnology.
Psychological Continuity
Protection of personal identity from unauthorized alterations to neural substrates that could change personality, preferences, or sense of self.
Approach: Grounded in existing international human rights law (ICCPR, ECHR). Most-cited paper in neurorights scholarship. Directly cited in Chile's 2021 constitutional reform.
Yuste et al. (25 authors)
Nature, 551:159–163
Privacy & Consent
Neural data should be kept private. Consent protocols for brain data should be at least as strict as those for organ donation.
Agency & Identity
Individuals must retain ultimate control over their own neural activity. Neurotechnology must not compromise the user's sense of self or decision-making.
Augmentation
Guidelines should ensure equitable access to cognitive enhancement. Neural augmentation should not deepen social inequalities.
Bias
Counter-measures should be built to prevent algorithmic bias in neurotechnology from perpetuating discrimination.
Approach: Framed as ethical priorities, not formal rights. Published in Nature with 25 co-authors. Launched the NeuroRights Foundation at Columbia University. Drove Chile's legislation and UNESCO's process.
DOI: 10.1038/551159a
Yuste, Genser & Herrmann
Horizons, 18:154–164 · NeuroRights Foundation
- Mental Privacy: brain data protected from unauthorized access
- Personal Identity: sense of self cannot be altered without consent
- Free Will: autonomous decision-making must be preserved
- Fair Access: equitable access to cognitive augmentation
- Bias Protection: algorithmic discrimination must be prevented
How the Two Frameworks Map to Each Other
| Ienca & Andorno (2017) | Yuste et al. (2017 → 2021) | Overlap |
|---|---|---|
| Cognitive Liberty | Free Will | Same concept |
| Mental Privacy | Mental Privacy | Direct match |
| Mental Integrity | Personal Identity | Partial overlap |
| Psychological Continuity | — | Unique to Ienca |
| — | Fair Access to Augmentation | Unique to Yuste |
| — | Protection from Algorithmic Bias | Unique to Yuste |
Neither taxonomy has been adopted by any standards body. Bublitz (2022) argues existing rights suffice; Kellmeyer (2022) notes "mental privacy" and "mental integrity" lack agreed operational definitions. QIF uses the Ienca & Andorno framework for engineering operationalization because its rights map more directly to measurable signal properties.
Proposed Neuroethics Principles
Five proposed principles for equitable neurotechnology, bridging existing neurorights scholarship with the technical realities of BCI vision restoration, digital accessibility, and the enhancement trap.
DRAFT v0.2 — Proposed by Kevin Qi, March 2026. Not peer-reviewed, not institutionally endorsed. Subject to revision after advisor feedback and institutional review.
Equity Before Enhancement
Those who need neurotechnology most should not be last in line.
Clinical restoration carries a moral priority over elective enhancement — grounded in Beauchamp and Childress's principle of justice (2019), Yuste's "fair access to cognitive augmentation" (2021), and the UN CRPD (Art. 9). The obligation is already written into the instruments we have signed. What they lack is the enforcement mechanism and the will to sequence.
Digital Accessibility Is a Neurorights Obligation
If blind people are starting to see, how do we let them see the world AND the internet clearly?
BCI-restored vision produces discrete phosphenes — not continuous imagery (Brindley & Lewin, 1968; Fernandez et al., 2021). No device produces controlled color (PMC11221215, 2024). Current accessibility standards (WCAG 2.2, ADA Section 508) assume you either see or you don't. We have created a third perceptual paradigm and built zero infrastructure for it. The starting point may be the hardest: rendering legible text through a sparse phosphene array. If that can be solved, the rest of the digital world can build around it using existing technologies (OCR, scene understanding, vector-based rendering). Under the CRPD and UNESCO's 2025 Recommendation, the obligation to address this already exists. (See full working paper for a theoretical technical note on this direction.)
Perceptual Sovereignty
Whoever controls the rendering pipeline controls reality.
No entity should have unilateral control over the content rendered to a BCI patient's visual cortex without informed, ongoing, and revocable consent. This extends existing neurorights — cognitive liberty, mental privacy, and mental integrity — to the input channel: the content delivered to the brain, not just the signals altered within it. This distinction requires further philosophical and legal analysis to determine whether it constitutes a genuinely new concept or is derivable from existing mental integrity frameworks (Kellmeyer, 2022).
The Right to Remain Unaugmented
Equal access means the option is available. It does not mean the option is mandatory.
If neurotechnology confers cognitive or sensory advantages beyond baseline, economic and social pressure could push adoption from voluntary to effectively compulsory. Ienca and Andorno's Cognitive Liberty protects the decision to refuse — but not the person from the consequences of that decision in a world that has moved on. No individual should face discrimination for choosing not to adopt neurotechnology. Bublitz (2022) warns against rights inflation; this protection may be derivable from Cognitive Liberty if properly interpreted. The point is to operationalize what the existing principle implies but does not yet enforce.
From Protection to Obligation
Security without ethics is surveillance. Ethics without security is aspiration. You need both, or you have neither.
Existing neurorights proposals are defensive: do not read, do not write, do not coerce, do not alter. If neurotechnology can restore lost function, and if the instruments we have signed commit us to equity and accessibility, then there is a constructive obligation: ensure the benefits reach those who need them. Not as charity. As a design requirement built in from day one. The CRPD, the UDBHR, the UNESCO Recommendation, and Chile's Law 21.383 already contain this obligation. The question is whether we act on it before the technology outpaces the governance.
These principles draw on Beauchamp & Childress (2019), Ienca & Andorno (2017), Yuste et al. (2017/2021), the UN CRPD, UNESCO's 2025 Recommendation, Chile's Law 21.383, and Morse's neuromodesty framework (2006). Cross-AI reviewed against neuroethics guardrails (11/11 checks passing). 20 citations in full document.
Read the full working paper with references and methodology.
QIF Operationalization
QIF operationalizes the Ienca & Andorno (2017) framework because its four rights map to measurable signal properties. Two rights — Mental Privacy and Mental Integrity — have engineering-level specifications derived from 161 attack techniques. The other two are mapped but not yet operationalized.
The distinction that matters
We are building systems that can inject, simulate, or reshape neural signals. Our governance models must therefore distinguish "unaltered" (was the signal tampered with after acquisition?) from "self-originating" (was the signal generated by the user's brain at all?). Current neurorights frameworks protect against modification but not adversarial substitution. QIF's Mental Integrity extension targets this gap; the provenance check it depends on is future work.
Mental Privacy (MP) protects against reading your neural data — exfiltration, surveillance, and re-identification across datasets. QIF extends MP with data-lifecycle protections: cross-modal re-linking, anonymization failure, and informational disassociation.
Mental Integrity (MI) protects against writing into your neural signals — injection, implanted thoughts, confusion of agency, and signal dynamics disruption. QIF maps this to the CIA triad: MP = Confidentiality (don't read), MI = Integrity (don't write). QIF extends MI with two engineering primitives: modification detection (was the signal tampered with?) and provenance verification (did the signal originate from the user's brain?). Signal integrity analysis (future work) will operationalize provenance by measuring whether a signal's statistical properties match the user's baseline neural signature. An injected signal that passes integrity checks but was never generated by the user violates MI's provenance guarantee — attacks like gradual drift (T0062) and baseline adaptation poisoning (T0071) exploit exactly this gap.
Why extension, not a new right? Early QIF work explored proposing Cognitive Authenticity as a distinct neuroright covering signal provenance. Cross-framework analysis (Ienca & Andorno, Yuste, Chile NeuroDerechos, UNESCO, Farahany, Bublitz) showed that provenance is not a philosophically distinct right — it is an engineering property required to operationalize Mental Integrity in BCI systems. Multiplying rights without philosophical warrant risks rights inflationism (Bublitz, 2022). QIF chose depth over breadth: extending MI with verifiable mechanisms rather than adding a category that existing rights already cover in principle.
How We Protect Them
Governance
Neurorights policies, informed consent frameworks, ethics alignment. The rules that define what's allowed before the first electrode touches tissue.
Risk
161 threat techniques scored with NISS. Physics-derived severity, DSM-5-TR diagnostic category references for threat modeling, dual-use risk-benefit analysis.
Compliance
FDORA/FDA crosswalk, NIST SP 800-53 controls, ISO 27001 mapping, UNESCO alignment. Machine-verifiable where possible.
How Security GRC Works
This cycle drives IT security. For BCIs, it breaks at step 1: the external forces barely exist.
1. External Forces Set Requirements
HIPAA, PCI-DSS, SOX, GDPR, NIST CSF, ISO 27001, SOC 2
2. GRC Translates Into Policy
Maps requirements to controls, writes policies, maintains risk register
3. Security Engineering Implements
Firewalls, encryption, access management, monitoring, detection
4. GRC Audits Adherence
Evidence collection, gap analysis, audit prep, remediation tracking
The BCI Security Delta
| GRC Step | IT Security (Mature) | BCI Security (Today) | Gap |
|---|---|---|---|
| Requirements | HIPAA, PCI-DSS, GDPR, FedRAMP | FDA 510(k) covers safety, not neural cybersecurity. FDORA Sec. 3305 is closest. | No neural-specific regulations |
| Policy | NIST CSF, ISO 27001, CIS Controls | Generic controls exist but lack neural metrics (tissue damage, cognitive integrity) | No neural-aware frameworks |
| Implementation | Firewalls, IDS/IPS, SIEM, IAM | No commercial BCI security tools, neural firewalls, or BCI encryption protocols | Everything built from scratch |
| Audit | SOC 2 auditors, PCI QSAs, HIPAA assessors | No BCI security auditors, no certifications, no audit criteria | No auditors, and no criteria to audit against |
Three Domains, One Gap
BCI security sits at the intersection of three regulatory domains that do not talk to each other. Each covers part of the problem. None covers the center.
A BCI manufacturer can be FDA-cleared, HIPAA-compliant, and ISO 27001-certified and still lack specific protections against adversarial neurostimulation, neural signal tampering, or cognitive state inference. That center gap is what neurosecurity GRC fills.
The Convergence Gap
25 organizations mapped across security and neuroethics, each rated by how much it engages with the other domain (the Bridge column). The pattern: deep expertise on one side, blind spots on the other.
No single organization currently bridges neurotechnology security and neuroethics governance. Security frameworks lack neural endpoints. Neuroethics frameworks lack technical controls. QIF proposes an integrated framework bridging both.
| Organization | Domain | Neurotech | Security | Bridge |
|---|---|---|---|---|
| NIST | security | None | Comprehensive | high |
| ISO/IEC | security | None | Comprehensive | medium |
| IEEE SA | security | Indirect | Comprehensive | high |
| MITRE | security | None | Comprehensive | high |
| FIRST/CVSS | security | None | Comprehensive | high |
| OWASP | security | None | Comprehensive | medium |
| IEC 62443 | security | None | Comprehensive | medium |
| CISA | security | None | Comprehensive | medium |
| ENISA | security | Minimal | Comprehensive | medium |
| ISC2 | security | None | Comprehensive | low |
| ISACA | security | None | Comprehensive | low |
| PCI SSC | security | None | Comprehensive | low |
| UNESCO | neuroethics | Comprehensive | None | high |
| OECD | neuroethics | Direct | Indirect | high |
| Neurorights Foundation | neuroethics | Comprehensive | None | medium |
| International Neuroethics Society | neuroethics | Comprehensive | None | medium |
| BCI Society | neuroethics | Comprehensive | Minimal | medium |
| Berman Institute (JHU) | neuroethics | Direct | None | medium |
| FDA/CDRH | medical | Direct | Indirect | high |
| EU MDR/EMA | medical | Indirect | Indirect | medium |
| Chile (Law 21.383) | policy | Comprehensive | None | medium |
| Colorado/California | policy | Direct | None | low |
| IEEE Brain Initiative | security | Direct | Indirect | high |
| DARPA | security | Comprehensive | Comprehensive | high |
| EFF | policy | Minimal | Direct | medium |
Lessons from IT Security Adoption
Four frameworks that achieved industry-wide adoption. Each offers a pattern neurosecurity can follow.
PCI DSS
Prescriptive controls with compliance levels scaled by transaction volume drove universal adoption in payment card security, even without government mandate.
BCI parallel: Neurosecurity needs prescriptive controls scaled by device invasiveness. An EEG headband has different requirements than an intracortical implant, just as a small merchant has different PCI requirements than a payment processor.
MITRE ATT&CK
A community-driven, free, open taxonomy became the universal language for threat intelligence because it described what adversaries actually do, not what vendors sell.
BCI parallel: TARA follows the same model: MITRE-compatible IDs, open taxonomy, technique-level granularity. The BCI security community needs a shared vocabulary before it can coordinate defense.
NIST CSF
A voluntary framework achieved near-universal adoption through market pressure (customers, insurers, investors required it) rather than legal mandate.
BCI parallel: Neurosecurity GRC will likely follow the same path: voluntary adoption driven by institutional review boards, insurers, and research ethics committees before any government mandate exists.
IEC 62443
The zones/conduits model bridged IT and OT security by grouping assets into zones by shared security requirements and restricting traffic between zones to defined conduits, placing trust boundaries where the physical process meets the network rather than at arbitrary network layers.
BCI parallel: QIF's hourglass model applies the same principle: define security boundaries at the physical neural interface (I0) rather than at arbitrary network layers. Biology-first segmentation.
Gap Derivation Methodology
Every component of the QIF framework was derived from the same process: take what exists, find what it misses for BCIs, and build the extension.
Exists
CVSS v3.1
Industry-standard vulnerability scoring. 8 base metrics, adjusted by the temporal and environmental metric groups.
Gap
No neural dimensions
Cannot score biological impact, cognitive integrity loss, consent violation, reversibility, or neuroplasticity risk.
Extension
NISS
5 neural-specific metrics added. Every TARA technique scored on dimensions CVSS cannot express.
Exists
MITRE ATT&CK
Hundreds of techniques across 14 enterprise tactics. The gold standard for IT threat modeling.
Gap
No BCI tactics or techniques
No neural injection, cognitive exfiltration, or neurostimulation manipulation in any MITRE matrix.
Extension
TARA
161 BCI techniques across 15 tactics. MITRE-compatible IDs. Dual-use therapeutic mappings.
Exists
IEC 62443 Zones/Conduits
Segments OT systems into security zones. Closest architectural parallel to BCI security.
Gap
No biological endpoints
Threat models assume industrial processes. No guidance for when a security incident causes neurological harm.
Extension
QIF 11-Band Hourglass
Neural (N7-N1), Interface (I0), Synthetic (S1-S3). Every band validated. Biology-first security.
Exists
TLS 1.3
Standard transport security. Confidentiality and integrity for data in transit.
Gap
No post-quantum, no neural validation
With classical key exchange, vulnerable to harvest-now-decrypt-later. Neural data has decades-long sensitivity. No signal authenticity layer.
Extension
NSP
ML-KEM + ML-DSA post-quantum. 6-layer validation stack. Physics-based signal authenticity.
Exists
Ienca & Andorno Neurorights
Four rights: MP, CL, MI, PC (Ienca & Andorno, 2017). Philosophical foundation for neural governance.
Gap
No provenance verification
MI protects against modification but not adversarial substitution. No mechanism to verify a signal originated from the user's brain.
Extension
QIF MI Extension
Provenance verification via signal integrity analysis (future work). Distinguishes "unaltered" from "self-originating." Depth over inflation.
Exists
IDS/IPS (Snort, Suricata)
Network intrusion detection. Signature and anomaly-based pattern matching.
Gap
No neural signal monitoring
Network IDS cannot detect spectral anomalies, phase variance injection, or coherence degradation in EEG.
Extension
Neurowall
Real-time coherence monitoring. Spectral peak detection, CUSUM change-point analysis. 9/9 attacks detected at 30s.
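The following is an added illustration of the two ideas above: CUSUM change-point detection over a spectral statistic (the Neurowall entry) and why the Mental Integrity discussion insists on a frozen per-user baseline, which gradual drift (T0062) and baseline adaptation poisoning (T0071) exploit when the baseline updates itself. It is example code written for this page, not Neurowall's or QIF's implementation. The 256 Hz sample rate, the 10 Hz background rhythm, the noise level, the injected 40 Hz tone, the drift schedule and every detector tuning are assumed for the demo, and the stream is constructed inline. It runs two detectors side by side: a one-sided CUSUM of z-scores against a baseline enrolled once and never updated, and a per-window z-score against an EWMA baseline that tracks the signal. Both catch an abrupt injected tone; only the frozen-baseline CUSUM catches a slow amplitude drift, because the adaptive baseline is poisoned into accepting it.

```python
"""Spectral-peak monitoring with CUSUM change-point detection on a synthetic,
EEG-like stream. Illustration added for this page; it is not Neurowall's or
QIF's code. The 256 Hz sample rate, the 10 Hz background rhythm, the noise
level, the injected 40 Hz tone, the drift schedule and all detector tunings
are assumed for the demo. Standard library only, so it runs offline."""
import math
import random

FS = 256              # assumed sample rate (Hz)
WINDOW = FS           # one-second analysis windows -> 1 Hz bin spacing
MONITORED = (10, 40)  # bins watched: the user's rhythm and a candidate injection band
NOISE_SD = 0.2        # white-noise level of the constructed stream
K_ALLOWANCE = 0.5     # CUSUM slack per window, in enrollment-sigma units (assumed)
H_THRESHOLD = 6.0     # CUSUM alarm level, in enrollment-sigma units (assumed)
ADAPT_ALPHA = 0.25    # EWMA rate of the self-adapting baseline (assumed)
ADAPT_LIMIT = 4.5     # per-window alarm level of the adaptive detector (assumed)


def pure_tone(freq_hz, amp, start=0, n=WINDOW, fs=FS):
    """n samples of amp*cos(2*pi*f*t), continuing from absolute sample index `start`."""
    return [amp * math.cos(2.0 * math.pi * freq_hz * (start + i) / fs) for i in range(n)]


def goertzel_log_power(samples, freq_hz, fs=FS):
    """Natural-log power in one frequency bin via the Goertzel single-bin DFT.
    Log power is monitored rather than raw power so that an empty bin, whose
    noise power is exponentially distributed, does not cause right-tail false alarms."""
    n = len(samples)
    k = round(n * freq_hz / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)  # A^2/4 for an on-bin tone
    return math.log(power + 1e-12)


def make_window(rng, idx, rhythm_amp, inject_amp=0.0, inject_hz=40):
    """Constructed EEG-like window: the user's 10 Hz rhythm plus white noise, with an
    optional injected tone standing in for adversarial stimulation or substitution."""
    start = idx * WINDOW
    w = pure_tone(10, rhythm_amp, start)
    if inject_amp:
        tone = pure_tone(inject_hz, inject_amp, start)
        w = [a + b for a, b in zip(w, tone)]
    return [x + rng.gauss(0.0, NOISE_SD) for x in w]


def enroll(rng, n_windows=30):
    """Frozen per-user baseline: mean and sd of log power per monitored bin,
    estimated once from clean windows and never updated afterwards."""
    feats = {f: [] for f in MONITORED}
    for idx in range(n_windows):
        w = make_window(rng, idx, 1.0)
        for f in MONITORED:
            feats[f].append(goertzel_log_power(w, f))
    baseline = {}
    for f, vals in feats.items():
        mu = sum(vals) / len(vals)
        sd = math.sqrt(sum((v - mu) ** 2 for v in vals) / (len(vals) - 1))
        baseline[f] = (mu, sd)
    return baseline


def monitor(rng, baseline, n_windows, amp_at, inject_at=None, inject_amp=0.0):
    """Run two detectors over the stream; return each one's first alarm window
    (None if it never fires):
      'cusum'    one-sided CUSUM of z-scores against the frozen enrollment baseline
      'adaptive' per-window z-score against an EWMA baseline that tracks the signal"""
    cusum = {f: 0.0 for f in MONITORED}
    ewma = {f: baseline[f][0] for f in MONITORED}
    first = {"cusum": None, "adaptive": None}
    for idx in range(n_windows):
        inj = inject_amp if inject_at is not None and idx >= inject_at else 0.0
        w = make_window(rng, idx, amp_at(idx), inj)
        for f in MONITORED:
            mu, sd = baseline[f]
            v = goertzel_log_power(w, f)
            z = (v - mu) / sd
            cusum[f] = max(0.0, cusum[f] + z - K_ALLOWANCE)  # accumulates small shifts
            if cusum[f] > H_THRESHOLD and first["cusum"] is None:
                first["cusum"] = idx
            z_adapt = (v - ewma[f]) / sd
            if z_adapt > ADAPT_LIMIT and first["adaptive"] is None:
                first["adaptive"] = idx
            ewma[f] += ADAPT_ALPHA * (v - ewma[f])  # the baseline absorbs slow drift
    return first


def run_scenarios(seed=7):
    rng = random.Random(seed)
    baseline = enroll(rng)
    # A: abrupt 40 Hz tone, same amplitude as the rhythm, from window 20 onward.
    abrupt = monitor(rng, baseline, 60, lambda i: 1.0, inject_at=20, inject_amp=1.0)
    # B: gradual drift of the rhythm amplitude 1.0 -> 1.2 across 120 windows, no tone.
    drift = monitor(rng, baseline, 120, lambda i: 1.0 + 0.2 * i / 119)
    return {"abrupt": abrupt, "drift": drift}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:7s} first alarm: cusum={result['cusum']} adaptive={result['adaptive']}")
```

Running the script prints the first alarm window for each detector in each scenario. In the abrupt case both fire at or just after window 20. In the drift case the EWMA baseline follows the ramp and its per-window residual never clears the limit, while the CUSUM against the enrollment baseline accumulates the sub-threshold shifts and alarms within the first few dozen windows. That is the engineering content of the "self-originating" question: a reference signature that the monitored signal is not allowed to rewrite.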
The Hourglass Model
Each neuroright maps to specific bands in the QIF security model. The hourglass traces signals from the brain (N7) through the neural interface (I0) to external systems (S3). Every band is an attack surface.
See the Full Picture
This page maps neurorights to brain regions. To see the individual attack techniques behind each threat count — with NISS severity scores, therapeutic analogs, and DSM-5-TR diagnostic category references — explore the TARA Atlas.
TARA is the full registry: 161 techniques scored across four projections (security, clinical, diagnostic, governance). Each technique traces through the Neural Impact Chain from physical mechanism to clinical outcome. The neurorights shown here are the governance layer that sits on top.
This map is open. Help us stress-test it.
The QIF framework, TARA registry, and neuroright mappings are all published under Apache 2.0. We need clinicians, ethicists, and security researchers to challenge every assumption.