An open-source platform for managing AI risk. Register use cases, map controls against each one, and score how effectively each control addresses the risk it targets.
RED is based on five years of monitoring and evaluation systems built for the United Nations, the World Food Programme, and the Swiss Agency for Development and Cooperation.
Shadow models, ungoverned data flows, and controls that exist on paper but have never been assessed against the risks they target. RED gives each use case a structured score across three dimensions, with a dated record that builds as controls are reassessed.
RED began as monitoring and evaluation infrastructure: the systems used to assess whether a field intervention was relevant to the problem, reaching enough of the affected population, and sustained long enough to have an effect.
We built these systems over five years for the United Nations, the World Food Programme, and the Swiss Agency for Development and Cooperation. Adaca RED generalises that scoring model so any operations team can apply it to initiatives, risks and incidents.
RED grades one relationship, how well an initiative mitigates a risk, across three dimensions, each scored 0 to 4.
Relevance: Whether the initiative addresses the risk it targets. A control aimed at the wrong failure mode scores low, however well it is built. A policy covering general data handling does not address a model trained on customer records. Relevance distinguishes the two.
Extent: Whether it reaches enough of what is exposed. Covering three of thirty affected systems is a low Extent, regardless of execution quality. A control that governs one deployed model while five others run unassessed scores low on Extent.
Duration: Whether the effect is sustained. A control that holds for a fortnight and then lapses scores low on Duration. A control that held during a pilot but is not maintained once a model reaches production scores low on Duration.
How well does this initiative mitigate the risk?
Illustrative composite. In Adaca RED, Relevance, Extent and Duration are assessed and trended per dimension, each on its own 0 to 4 scale.
Each dimension is scored independently and dated. Re-scoring an initiative over time produces a trend; across a risk's mitigating initiatives, the scores combine into an overall coverage estimate.
For each AI use case, Adaca RED holds the risk, the controls mapped against it, and a dated RED score for each control. Incidents are recorded when controls fail. The record builds with each reassessment.
Adaca RED holds three node types (initiatives, risks and incidents) in a single graph. RED is scored on one relationship only, where an initiative mitigates a risk. The other relationships, an incident realising a risk and an initiative remediating an incident, carry no score, which prevents a single mitigation being counted twice.
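The scoring rules described above, as an added TypeScript example that is not taken from the Adaca RED code base: a score is accepted only on a mitigates edge, each dimension must be an integer from 0 to 4, and the dated history yields a per-dimension trend. All type, function and record names are hypothetical, and the sample dates are constructed.

```typescript
// Added example: hypothetical names throughout; not Adaca RED's schema or code.
type Dim = "relevance" | "extent" | "duration";
type EdgeKind = "mitigates" | "realises" | "remediates";

interface Assessment { date: string; relevance: number; extent: number; duration: number }
interface Edge { kind: EdgeKind; from: string; to: string; history: Assessment[] }

const DIMS: Dim[] = ["relevance", "extent", "duration"];

// Append a dated assessment; only initiative-mitigates-risk edges may carry a score.
function assess(edge: Edge, a: Assessment): Edge {
  if (edge.kind !== "mitigates") {
    throw new Error(`RED is not scored on '${edge.kind}' edges`);
  }
  for (const d of DIMS) {
    if (!Number.isInteger(a[d]) || a[d] < 0 || a[d] > 4) {
      throw new Error(`${d} must be an integer from 0 to 4`);
    }
  }
  // History is append-only so the trend can be rebuilt from it.
  return { ...edge, history: [...edge.history, a] };
}

// Composite as shown in the register: R + E + D out of 12.
function composite(a: Assessment): number {
  return a.relevance + a.extent + a.duration;
}

// Per-dimension change between the oldest and newest assessment (ISO dates).
function trend(edge: Edge): Record<Dim, number> | null {
  if (edge.history.length < 2) return null;
  const sorted = [...edge.history].sort((x, y) => x.date.localeCompare(y.date));
  const first = sorted[0]!;
  const last = sorted[sorted.length - 1]!;
  return {
    relevance: last.relevance - first.relevance,
    extent: last.extent - first.extent,
    duration: last.duration - first.duration,
  };
}

// Constructed sample data.
let audit: Edge = { kind: "mitigates", from: "shadow-model-audit", to: "risk-shadow-models", history: [] };
audit = assess(audit, { date: "2025-01-15", relevance: 3, extent: 1, duration: 1 });
audit = assess(audit, { date: "2025-04-15", relevance: 3, extent: 2, duration: 2 });
```

Rejecting scores on the realises and remediates edges at write time is what keeps a single mitigation from being counted twice when scores are later combined.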
Relevance, Extent and Duration, documented as a specification you can apply with or without the application.
Entity types and fields are defined as data, so the schema extends without code changes. Postgres with row-level security and full revision history.
The design system the application is built from, also used to render this page.
Adaca RED keeps initiatives, risks and incidents in linked registers, with RED scoring and reporting built in. The screens below show the register, a RED score, the risk matrix and a RED trend.
| Title | Status | RED |
|---|---|---|
| LLM access policy rollout | Active | R4 E3 D3 10/12 |
| Shadow model audit | Active | R3 E2 D2 7/12 |
| Third-party API data flow review | Blocked | R3 E1 D1 5/12 |
| Prompt injection controls | Proposed | R4 E1 D1 6/12 |
[Figures: risk matrix (axis: Likelihood); RED trend (composite, 0–12, stacked)]
Three node types (initiative, risk and incident) and three edges are described in a definitions registry. Adding a field or a new entity type is a change to that registry, applied as data.
Forms, filters and validation are generated from one definitions registry. New fields are added as data.
Containment (parent and child) and association (the graph) are modelled separately.
RED is stored on the initiative-to-risk relationship, with its history kept per assessment.
Every node and edge change is recorded. The RED trend is built from that history.
Postgres row-level security, with role-based access enforced in the database.
Deletes are reversible; any record can be restored.
Adaca RED runs on Supabase (Postgres and Auth) and deploys to Cloudflare Workers. Clone the repository, point it at your own Supabase project, apply the schema, and run it.
```sh
# clone and install
$ git clone https://github.com/adacahq/adaca-red.git
$ cd adaca-red && npm install

# configure Supabase (Postgres + Auth) and Microsoft SSO
$ cp .env.example .env

# apply the database schema to your project
$ supabase db push

# run locally
$ npm run dev   # http://localhost:3000

# deploy to Cloudflare Workers
$ npm run deploy
```
The platform is built. The current focus is proving it with a small number of lighthouse customers across distinct industries, before extending the feature set.
Yes. Adaca RED is open source under the MIT licence. Use it, fork it, or run it commercially. There are no paid tiers.
Yes. RED is documented as a standalone specification and can be applied in any tool.
The platform is complete and in early adoption. We are onboarding a small number of lighthouse customers before broadening availability.
vinext (the Next.js App Router on Vite), Supabase (Postgres and Auth) with Microsoft SSO, and Cloudflare Workers.
Yes. Issues and pull requests are welcome on GitHub once the repository is public.
Adaca RED is built and maintained by Adaca, an Australian technology company supported by 150+ engineers across Sydney, Melbourne, Auckland and Manila.
Founded Adaca in 2015 and scaled it to a 150-person engineering firm.
20+ years in enterprise architecture and digital transformation across ANZ and ASEAN.
AWS-certified, 16+ years across AI, cloud and software architecture.
Adaca RED is released under the MIT licence. A risk governance tool needs to be inspectable. The source is available to read, audit, and modify. Your risk records stay yours.