Definition: Standards mapping documents how Attested AI artifacts provide evidence for governance frameworks.
Mechanism: Each artifact field maps to specific control requirements.
Value: Auditors and governance teams can trace evidence to standards.
Output: Crosswalk tables linking artifacts to controls.
Standards Mapping
How governance evidence artifacts may support audit workflows for industry standards.
Important: Attested AI artifacts may provide documentation for audit workflows related to the standards below. This documentation describes how artifacts can provide evidence for specific controls. Actual compliance depends on your implementation, operational context, and auditor assessment. This is not a certification or compliance guarantee.
NIST AI RMF 1.0
AI Risk Management Framework (NIST AI 100-1)
| Function | Category | Supporting Evidence |
|---|---|---|
| GOVERN | GV-1: Governance policies | Policy Artifact (policy_version, enforcement_mapping) |
| GOVERN | GV-3: Accountability structures | Enforcement Receipt (signer.key_id, decision.action) |
| MAP | MP-2: AI system categorization | Policy Artifact (subject.subject_type, measurement_set) |
| MEASURE | MS-1: Metrics and methods | Enforcement Receipt (measurement.composite_hash, mismatched_paths) |
| MEASURE | MS-2: Continuous monitoring | Continuity Chain (hash-linked receipts, chain_head) |
| MANAGE | MG-2: Risk response | Enforcement Receipt (decision.action: KILL/QUARANTINE) |
| MANAGE | MG-4: Documentation and reporting | Evidence Bundle (bundle_manifest, offline verification) |
NIST SP 800-53 Rev. 5
Security and Privacy Controls for Information Systems
| Family | Control | Supporting Evidence |
|---|---|---|
| AU | AU-2: Event logging | Enforcement Receipt (event_type, timestamp, decision) |
| AU | AU-9: Protection of audit information | Receipt signatures (Ed25519), hash chain integrity |
| AU | AU-10: Non-repudiation | Cryptographic signatures on all artifacts (issuer.signature, signer.signature) |
| CM | CM-2: Baseline configuration | Policy Artifact (integrity_policy, measurement_set baselines) |
| CM | CM-3: Configuration change control | Drift Detection (DRIFT_DETECTED receipts, policy versioning) |
| SI | SI-4: System monitoring | Continuous measurement (MEASUREMENT_OK receipts, schedule.interval_ms) |
| SI | SI-7: Software integrity | Subject manifest (SHA-256 digests), composite_subject_hash |
| SA | SA-10: Developer configuration management | Policy Artifact (config_digest, sbom_digest references) |
ISO/IEC 42001
Artificial Intelligence Management System (AIMS)
| Clause | Requirement | Supporting Evidence |
|---|---|---|
| 5.2 | AI Policy | Policy Artifact (versioned, signed governance document) |
| 6.1 | Risk assessment | Policy Artifact (drift_rules, enforcement_mapping define risk responses) |
| 7.5 | Documented information | Evidence Bundle (deterministic, versioned, offline-verifiable) |
| 8.2 | AI system lifecycle | Continuity Chain (complete lifecycle receipts from POLICY_LOADED to BUNDLE_EXPORTED) |
| 9.1 | Monitoring, measurement, analysis | Enforcement Receipts (measurement.composite_hash, continuous integrity checks) |
| 9.2 | Internal audit | Offline Verifier (deterministic audit without network dependency) |
| 10.1 | Nonconformity and corrective action | DRIFT_DETECTED + ENFORCED receipts (documented nonconformity and response) |
Artifact-to-Control Summary
Policy Artifact provides evidence for:
- Governance policies (GV-1, 5.2)
- Baseline configurations (CM-2)
- Risk assessment responses (6.1)
- System categorization (MP-2)
Enforcement Receipt provides evidence for:
- Event logging (AU-2)
- Non-repudiation (AU-10)
- Configuration change control (CM-3)
- System monitoring (SI-4)
Continuity Chain provides evidence for:
- Audit information protection (AU-9)
- Continuous monitoring (MS-2)
- AI system lifecycle (8.2)
Evidence Bundle provides evidence for:
- Documentation and reporting (MG-4)
- Documented information (7.5)
- Internal audit (9.2)
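As an added example, not code from the Attested AI project, the following Go program shows the offline check an auditor would run over the Continuity Chain evidence cited above for AU-9, AU-10, MS-2 and clause 9.2: each receipt's Ed25519 signature is verified against a trusted set of key_ids, the hash links are followed receipt by receipt, and the result is compared with chain_head. Only event_type, signer.key_id, signer.signature and chain_head are names from this page; the Receipt shape, the prev_hash field, the JSON key names and the exact signing and hashing construction are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// Receipt is an assumed minimal Enforcement Receipt; prev_hash (the link to the prior receipt) is assumed.
type Receipt struct {
	EventType string `json:"event_type"`
	PrevHash  string `json:"prev_hash"`
	KeyID     string `json:"signer_key_id"`
	Signature []byte `json:"signer_signature,omitempty"` // Ed25519 over signedBytes(r)
}
// signedBytes is what gets signed: every field except the signature, in fixed field order.
func signedBytes(r Receipt) []byte { r.Signature = nil; b, _ := json.Marshal(r); return b }
// receiptHash is the link value: SHA-256 over the whole signed receipt; chain_head is the last one.
func receiptHash(r Receipt) string { b, _ := json.Marshal(r); return fmt.Sprintf("%x", sha256.Sum256(b)) }
// appendReceipt sets prev_hash to the chain tail before signing, so the link is covered by the signature.
func appendReceipt(chain []Receipt, r Receipt, priv ed25519.PrivateKey) []Receipt {
	if n := len(chain); n > 0 {
		r.PrevHash = receiptHash(chain[n-1])
	}
	r.Signature = ed25519.Sign(priv, signedBytes(r))
	return append(chain, r)
}
// VerifyChain is the offline audit check: trusted-key signature on each receipt, unbroken prev_hash
// links (deletion or reordering is caught), and a final hash equal to the published chain_head.
func VerifyChain(chain []Receipt, trusted map[string]ed25519.PublicKey, chainHead string) error {
	prev := ""
	for i, r := range chain {
		pub, ok := trusted[r.KeyID]
		if !ok || !ed25519.Verify(pub, signedBytes(r), r.Signature) {
			return fmt.Errorf("receipt %d: signature does not verify for key_id %q", i, r.KeyID)
		}
		if r.PrevHash != prev {
			return fmt.Errorf("receipt %d: prev_hash does not match the preceding receipt", i)
		}
		prev = receiptHash(r)
	}
	if prev != chainHead {
		return fmt.Errorf("chain_head mismatch: chain ends at %s", prev)
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	chain := appendReceipt(nil, Receipt{EventType: "POLICY_LOADED", KeyID: "k1"}, priv)
	chain = appendReceipt(chain, Receipt{EventType: "DRIFT_DETECTED", KeyID: "k1"}, priv)
	fmt.Println(VerifyChain(chain, map[string]ed25519.PublicKey{"k1": pub}, receiptHash(chain[1])))
}
```

The trusted key set and chain_head must come from a source independent of the bundle being audited, or the check only proves the bundle is self-consistent.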