# NIST AI RMF 1:1 Mapping
Complete mapping of NIST AI Risk Management Framework controls to ABS Core SovereignAuditRecord fields. 19 controls, 12 fully covered.
ABS Core maps 19 NIST AI Risk Management Framework controls to specific fields in the SovereignAuditRecord (SAR). An auditor can verify compliance by inspecting the SAR field referenced by each control.
## Coverage Summary
| Category | Full | Partial | Planned | Total |
|---|---|---|---|---|
| GOVERN | 4 | 1 | 0 | 5 |
| MAP | 3 | 1 | 0 | 4 |
| MEASURE | 3 | 1 | 1 | 5 |
| MANAGE | 2 | 2 | 1 | 5 |
| Total | 12 | 5 | 2 | 19 |
## GOVERN Function
| Control | Title | SAR Evidence Field | Coverage |
|---|---|---|---|
| GOVERN-1.1 | Policies for AI risk management | policy_reference | FULL |
| GOVERN-1.2 | Accountability structures | agent_id, agent_oid_pubkey | FULL |
| GOVERN-1.3 | Risk management integration | decision, reason | FULL |
| GOVERN-1.4 | Organizational commitment | compliance_tags | FULL |
| GOVERN-1.5 | Ongoing monitoring | engine_latency_ms, total_latency_ms | PARTIAL |
### How to verify GOVERN-1.1

Open any SovereignAuditRecord. The policy_reference field contains the identifier of the policy that produced the decision. Cross-reference it with the policy file to confirm the rule exists and is current.
## MAP Function
| Control | Title | SAR Evidence Field | Coverage |
|---|---|---|---|
| MAP-1.1 | AI system purpose and context | request_hash, decision_stage | FULL |
| MAP-1.2 | Interdependency analysis | agent_id, oid_verified | FULL |
| MAP-1.5 | Impact assessment | decision, reason | FULL |
| MAP-1.6 | Data requirements | request_hash | PARTIAL |
### How to verify MAP-1.1

The request_hash is the SHA-256 fingerprint of the exact request that was evaluated. The decision_stage shows which pipeline component made the decision. Together they tie each governance action to the precise input it was made on and the stage that evaluated it.
## MEASURE Function
| Control | Title | SAR Evidence Field | Coverage |
|---|---|---|---|
| MEASURE-1.1 | Metrics for risk measurement | engine_latency_ms, total_latency_ms | FULL |
| MEASURE-2.1 | AI system evaluation | oid_verified, oid_signature | FULL |
| MEASURE-2.3 | Independent evaluation | rfc3161_token, rfc3161_authority | FULL |
| MEASURE-2.5 | Bias assessment | compliance_tags | PARTIAL |
| MEASURE-4.1 | Feedback mechanisms | temporal_drift_ms | PLANNED |
### How to verify MEASURE-2.3

The rfc3161_token contains a Base64-encoded DER timestamp token issued by an independent Time Stamping Authority, named in rfc3161_authority. This proves the record existed at the stated time without relying on the system's own clock. A complete check decodes the token, verifies the TSA signature against the authority's certificate, and confirms that the token's message imprint matches the hash of the record it covers.
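As an added example (not ABS Core's own code), the following stdlib-only Python pre-check takes an rfc3161_token value, Base64-decodes it, and confirms that the DER has the outer shape of a CMS ContentInfo beginning with the id-signedData OID, which is what an RFC 3161 TimeStampToken is. The sample token is a constructed minimal shell, not a real TSA response. The check deliberately stops short of signature and message-imprint verification, which need the TSA certificate chain.

```python
import base64

# DER encoding of the OID id-signedData (1.2.840.113549.1.7.2). An RFC 3161
# TimeStampToken is a CMS ContentInfo: SEQUENCE { id-signedData, [0] SignedData }.
ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

# Constructed stand-in for a SAR rfc3161_token value: a minimal ContentInfo shell
# (the OID plus an empty [0] wrapper). It is NOT a real TSA token, only the outer shape.
SAMPLE_TOKEN_B64 = base64.b64encode(
    bytes.fromhex("300f06092a864886f70d010702a0023000")
).decode()


def _der_length(buf: bytes, pos: int):
    """Decode a DER length field at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_tlv(buf: bytes, pos: int):
    """Return (tag, value, offset after element) for the DER element at pos."""
    tag = buf[pos]
    length, start = _der_length(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[start:end], end


def check_rfc3161_token(token_b64: str) -> dict:
    """Structural pre-check of a SAR rfc3161_token field.

    Confirms the value is valid Base64 that decodes to exactly one DER SEQUENCE
    whose first element is the id-signedData OID, i.e. the outer shape of a
    SignedData-wrapped TimeStampToken. It does not verify the TSA signature or
    compare the messageImprint with the record hash; that is the full RFC 3161
    verification step and needs the TSA certificate chain.
    """
    result = {"base64_ok": False, "outer_sequence": False, "id_signed_data": False}
    try:
        der = base64.b64decode(token_b64, validate=True)
    except ValueError:                    # binascii.Error is a ValueError subclass
        return result
    result["base64_ok"] = True
    try:
        tag, body, end = _der_tlv(der, 0)
        if tag != 0x30 or end != len(der):   # must be a single SEQUENCE, no trailing bytes
            return result
        result["outer_sequence"] = True
        inner_tag, inner_val, _ = _der_tlv(body, 0)
        result["id_signed_data"] = inner_tag == 0x06 and inner_val == ID_SIGNED_DATA
    except (ValueError, IndexError):      # truncated or malformed DER
        pass
    return result


if __name__ == "__main__":
    print(check_rfc3161_token(SAMPLE_TOKEN_B64))
    print(check_rfc3161_token("bm90IGEgdG9rZW4="))   # Base64 of "not a token"
```

Run this over every record before the heavier cryptographic check: a field that fails here was never a timestamp token to begin with, regardless of what rfc3161_authority claims.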
## MANAGE Function
| Control | Title | SAR Evidence Field | Coverage |
|---|---|---|---|
| MANAGE-1.1 | Risk response priorities | decision (ALLOW/DENY/ESCALATE) | FULL |
| MANAGE-1.3 | Risk tolerance alignment | license_status | FULL |
| MANAGE-2.1 | Incident response | ledger_block_hash, prev_block_hash | PARTIAL |
| MANAGE-2.3 | Root cause analysis | crypto_receipt, engine_fingerprint | PARTIAL |
| MANAGE-4.1 | Regular updates | engine_fingerprint | PLANNED |
### How to verify MANAGE-1.3

The license_status field indicates whether governance was in FULL enforcement, GRACE_PERIOD, or AUDIT_ONLY mode. If any record shows AUDIT_ONLY, the organization's risk tolerance policy should document whether that gap was accepted.
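The verification steps for GOVERN-1.1, MAP-1.1, MANAGE-1.3 and MANAGE-2.1 above, combined into one auditor script as an added example; this is not ABS Core code. The records, policy identifiers and requests are constructed, the block hashes are placeholders, and two things are assumptions: that request_hash is SHA-256 over the request serialised as compact JSON with sorted keys, and that the records are supplied in ledger order so prev_block_hash can be checked against the preceding ledger_block_hash.

```python
import hashlib
import json

# All records and requests below are constructed for this example. The field names
# follow the SovereignAuditRecord v4.1.0 reference; the values are not from any
# real ABS Core deployment.


def canonical_request_hash(request: dict) -> str:
    """ASSUMPTION: request_hash = SHA-256 over the request serialised as compact JSON
    with sorted keys. ABS Core's actual canonicalisation is not stated on this page."""
    data = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


KNOWN_POLICIES = {"POL-RETENTION-7", "POL-PII-DENY-2"}   # constructed current policy set

REQUESTS_BY_ID = {                                       # constructed evaluated requests
    "rec-0001": {"action": "export", "dataset": "customers"},
    "rec-0002": {"action": "delete", "dataset": "logs"},
    "rec-0003": {"action": "read", "dataset": "logs"},
}

RECORDS = [  # block hashes are placeholders; only their linkage is exercised here
    {"version": "4.1.0", "record_id": "rec-0001", "policy_reference": "POL-PII-DENY-2",
     "request_hash": canonical_request_hash(REQUESTS_BY_ID["rec-0001"]), "decision": "DENY",
     "license_status": "FULL", "prev_block_hash": "0" * 64, "ledger_block_hash": "a" * 64},
    {"version": "4.1.0", "record_id": "rec-0002", "policy_reference": "POL-RETENTION-7",
     "request_hash": canonical_request_hash(REQUESTS_BY_ID["rec-0002"]), "decision": "ALLOW",
     "license_status": "AUDIT_ONLY", "prev_block_hash": "a" * 64, "ledger_block_hash": "b" * 64},
    {"version": "4.1.0", "record_id": "rec-0003", "policy_reference": "POL-OLD-1",
     "request_hash": "deadbeef", "decision": "ESCALATE",   # stale policy, malformed hash
     "license_status": "FULL", "prev_block_hash": "c" * 64, "ledger_block_hash": "d" * 64},
]


def check_govern_1_1(record: dict, known_policies: set) -> bool:
    """GOVERN-1.1: policy_reference must name a policy in the current policy set."""
    return record.get("policy_reference") in known_policies


def check_map_1_1(record: dict, request: dict) -> bool:
    """MAP-1.1: request_hash must be a SHA-256 hex digest and match the evaluated request."""
    h = record.get("request_hash", "")
    well_formed = len(h) == 64 and all(c in "0123456789abcdef" for c in h)
    return well_formed and h == canonical_request_hash(request)


def check_manage_1_3(record: dict):
    """MANAGE-1.3: None for FULL enforcement, else the mode that needs a documented decision."""
    status = record.get("license_status")
    return None if status == "FULL" else (status or "MISSING")


def check_manage_2_1(records: list) -> list:
    """MANAGE-2.1: each prev_block_hash must equal the preceding record's ledger_block_hash.
    Returns the record_ids where the chain breaks (records assumed in ledger order)."""
    return [cur["record_id"] for prev, cur in zip(records, records[1:])
            if cur["prev_block_hash"] != prev["ledger_block_hash"]]


def audit(records: list, requests_by_id: dict, known_policies: set) -> list:
    """Run the per-record and chain checks; return (record_id, control, finding) tuples."""
    findings = []
    for r in records:
        rid = r["record_id"]
        if not check_govern_1_1(r, known_policies):
            findings.append((rid, "GOVERN-1.1", "policy_reference not in current policy set"))
        req = requests_by_id.get(rid)
        if req is None or not check_map_1_1(r, req):
            findings.append((rid, "MAP-1.1", "request_hash does not match the evaluated request"))
        mode = check_manage_1_3(r)
        if mode is not None:
            findings.append((rid, "MANAGE-1.3", f"governance ran in {mode} mode"))
    for rid in check_manage_2_1(records):
        findings.append((rid, "MANAGE-2.1", "prev_block_hash does not link to preceding record"))
    return findings


if __name__ == "__main__":
    for rid, control, msg in audit(RECORDS, REQUESTS_BY_ID, KNOWN_POLICIES):
        print(f"{rid}  {control:<11} {msg}")
```

Each finding names the NIST control it falls under, so the output can be filed directly against the coverage tables above; a record with no findings is the auditor's evidence that the FULL-coverage controls held for that decision.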
## SovereignAuditRecord v4.1.0 Field Reference
| SAR Field | Type | NIST Controls Served |
|---|---|---|
| version | string | Schema versioning |
| record_id | string (UUIDv7) | Record correlation |
| timestamp | string (ISO 8601) | Temporal evidence |
| agent_id | string | GOVERN-1.2, MAP-1.2 |
| agent_oid_pubkey | string (hex) | GOVERN-1.2 |
| oid_signature | string (hex) | MEASURE-2.1 |
| oid_verified | boolean | MAP-1.2, MEASURE-2.1 |
| request_hash | string (SHA-256) | MAP-1.1, MAP-1.6 |
| policy_reference | string | GOVERN-1.1 |
| decision | ALLOW/DENY/ESCALATE | GOVERN-1.3, MAP-1.5, MANAGE-1.1 |
| reason | string | GOVERN-1.3, MAP-1.5 |
| ledger_block_hash | string (SHA-256) | MANAGE-2.1 |
| prev_block_hash | string (SHA-256) | MANAGE-2.1 |
| crypto_receipt | string | MANAGE-2.3 |
| rfc3161_token | string (Base64 DER) | MEASURE-2.3 |
| rfc3161_authority | string | MEASURE-2.3 |
| compliance_tags | string[] | GOVERN-1.4, MEASURE-2.5 |
| license_status | FULL/AUDIT_ONLY/GRACE_PERIOD | MANAGE-1.3 |
| temporal_drift_ms | number | MEASURE-4.1 |
| engine_fingerprint | string (SHA-256) | MANAGE-2.3, MANAGE-4.1 |
| engine_latency_ms | number | GOVERN-1.5, MEASURE-1.1 |
| total_latency_ms | number | GOVERN-1.5, MEASURE-1.1 |
| decision_stage | string | MAP-1.1 |
## Related
- Sovereign Checklist -- Installation verification
- RFC 3161 Verification -- Temporal proof details
- Economics of Accountability -- How compliance reduces insurance costs