Mapping AI Controls to NIST AI RMF and ISO 42001

This is a working crosswalk that maps NIST AI RMF 1.0 functions (Govern, Map, Measure, Manage) and ISO/IEC 42001:2023 controls to concrete Vaikora capabilities — policy engine, 7-factor risk scoring, SHA-256 hash-chained audit, content-free logging, and automated reporting. CISOs are increasingly asked to demonstrate AI control coverage against both frameworks; most teams find no off-the-shelf mapping. The full crosswalk is published as a downloadable XLSX so a GRC team can drop it into evidence packages and prospect deliverables. The blog version below highlights the highest-cited rows from each function and explains the design choices behind the mapping.

Why Both NIST AI RMF and ISO/IEC 42001?

NIST AI RMF 1.0 (released January 2023) is a voluntary framework structured around four functions — Govern, Map, Measure, Manage — with 72 sub-categories underneath. It is the framework most U.S. enterprise programs cite, and the framework U.S. regulators reference when articulating AI expectations. ISO/IEC 42001:2023 is the first certifiable management-system standard for artificial intelligence, with a Plan-Do-Check-Act structure and Annex A controls modeled on the ISO 27001 / 42001 lineage. It is the framework most international and certifiable programs cite.

Most enterprise AI security programs end up needing to satisfy both. The Govern function in NIST AI RMF and Clauses 4–10 in ISO 42001 cover the same governance terrain in different vocabularies; mapping the two at the control level is the highest-leverage piece of work a GRC team can do.

How the Crosswalk Was Built

• Anchor on framework function / control IDs. NIST AI RMF subcategories use IDs like GOVERN-1.1; ISO 42001 uses Annex A control IDs like A.6.2.5. The crosswalk preserves these exact IDs so an auditor can match them against the source documents.
• Map to capability, not feature. Each row in the crosswalk maps a framework requirement to a Vaikora capability — “deterministic policy enforcement,” “7-factor probabilistic risk scoring,” “SHA-256 hash-chained audit” — rather than to product menu items, so the mapping is durable across product versions.
• Distinguish full coverage from partial. Coverage is marked Full where Vaikora is the primary control owner, Partial where Vaikora supplies one part of a multi-control answer, and Reference where Vaikora produces the evidence but the control is owned elsewhere.
• Include the evidence artifact. Every row names the evidence artifact (audit log entries, redaction summaries, policy export, SIEM event stream) so a GRC team can lift the evidence directly into a NIST AI RMF profile or ISO 42001 Statement of Applicability.

NIST AI RMF 1.0 — Highlighted Crosswalk Rows

The full crosswalk in the XLSX covers all four functions across every relevant subcategory with coverage level and evidence artifact. The bullets below highlight the rows most often requested in evidence packages, grouped by function.

Govern

• GOVERN-1.1 (legal / regulatory requirements identified) — Full. Six compliance presets (standard / strict / permissive / hipaa / pci-dss / gdpr) selectable per workspace. Evidence: workspace policy export.
• GOVERN-1.4 (accountability structures) — Full. SAML SSO + SCIM-provisioned roles; the AuthN/Z layer of the reference architecture. Evidence: identity provider mapping; role assignments.
• GOVERN-1.5 (ongoing monitoring) — Full. SHA-256 hash-chained audit; SIEM connectors. Evidence: audit log export; SIEM dashboards.
• GOVERN-2.1 (roles and responsibilities documented) — Partial. Workspace-bound policy ownership; per-route compliance preset. Vaikora provides the technical control surface; documentation is owned by the program.
• GOVERN-4.1 (workforce receives training) — Reference. Owned by the program; training records are owned by the program.

Map

• MAP-1.1 (intended use defined) — Partial. Per-route compliance preset and capability scoping. Vaikora binds intended use to a workspace; the declaration of intended use is owned by the program.
• MAP-2.3 (data sources documented) — Partial. Audit log records action_type and serving provider; routing policy enumerates upstream providers. Provenance of the data itself is owned upstream.
• MAP-5.1 (risks evaluated) — Full. 7-factor probabilistic risk score on every request; risk_score field in the audit log. Evidence: risk score distribution by route.

Measure

• MEASURE-2.5 (data integrity) — Full. Reversible PII redaction (synthetic / mask / hash); 4-layer detection on tool and RAG outputs. Evidence: redaction summaries; detection event stream.
• MEASURE-2.7 (security and resilience) — Full. 12+ detection vectors / 4 layers; deterministic policy + probabilistic risk score; provider fallback. Evidence: detection event stream; fallback decisions.
• MEASURE-2.8 (privacy) — Full. content: false metadata-only logging; reversible redaction with format preservation. Evidence: audit entries showing content: false.
• MEASURE-2.11 (incident response readiness) — Full. SHA-256 hash-chained audit replayable for IR; SIEM integration. Evidence: replayed incident timeline.

Manage

• MANAGE-1.1 (risks prioritized) — Full. Risk-score distribution per workspace; route-level risk metrics. Evidence: risk dashboards per workspace.
• MANAGE-2.3 (rollback plans) — Partial. Provider fallback policy; deterministic block decisions. Vaikora handles upstream rollback; model rollback is owned by the model lifecycle.
• MANAGE-4.1 (post-deployment monitoring) — Full. Continuous detection event stream; behavioral baselines per session and agent. Evidence: behavioral detection events.

ISO/IEC 42001:2023 — Highlighted Annex A Controls

ISO 42001 Annex A enumerates controls organized by clause. The bullets below are the controls most often referenced in Statements of Applicability and certification evidence.

• 5.2 (AI policy) — Full. Per-workspace compliance preset bound to a deterministic policy engine. Evidence: policy export per workspace.
• 6.2.5 (AI system impact assessment) — Partial. 7-factor risk score; risk distribution per route. Vaikora supplies measurement input; the impact assessment is authored by the program. Evidence: risk-score histogram per route.
• 7.2 (data quality for AI systems) — Full. 4-layer detection on inputs and tool outputs; reversible PII redaction. Evidence: detection event stream; redaction summaries.
• 7.4 (privacy) — Full. content: false logging; reversible redaction with format preservation. Evidence: audit entries; redaction summaries.
• 8.2 (operational planning and control) — Full. Per-route compliance preset; provider fallback policy. Evidence: routing policy export.
• 8.3 (information security for AI) — Full. Inline AI gateway with the 5-layer reference architecture; SAML SSO + SCIM. Evidence: architecture diagram; identity provider mapping.
• 8.4 (resources for AI systems) — Full. Budget caps and rate limits per workspace and per key. Evidence: budget configuration export.
• 9.2 (internal audit) — Full. SHA-256 hash-chained audit; replayable evidence; SIEM export. Evidence: hash-chain integrity report.
• 9.3 (management review) — Partial. Periodic risk-score and detection-event reports for management. Vaikora produces the data; the management review cadence is owned by the program.
• 10.2 (continual improvement) — Partial. Detection event stream feeds policy tuning; quarterly preset review. Vaikora supplies the feedback signal; the improvement loop is owned by the program.

NIST AI RMF ↔ ISO 42001 Rosetta (Highest-Cited Pairings)

Programs that have to satisfy both frameworks find this rosetta useful — the same Vaikora capability satisfies a NIST subcategory on one side and an ISO 42001 Annex A control on the other. The full XLSX includes the complete rosetta; the highlights below are the pairings most often called out in dual-framework evidence packages.