ComplianceUpdated 2026-04-02

NIST AI RMF Mapping

How Vorion maps to the four NIST AI Risk Management Framework functions: GOVERN, MAP, MEASURE, and MANAGE.

NIST AI RMF Mapping

The NIST AI Risk Management Framework (AI RMF 1.0) organizes AI risk management into four core functions: GOVERN, MAP, MEASURE, and MANAGE. Vorion implements these functions through its six-layer governance stack: INTENT, BASIS, ENFORCE, COGNIGATE, PROOF, and TRUST ENGINE.

This guide walks through each function, shows what Vorion covers today, identifies gaps, and explains how to validate coverage with the platform's 160+ compliance-specific tests.

Coverage Summary

| Function | Coverage | Key Components | |----------|----------|----------------| | GOVERN | ~90% | BASIS rule engine, RBAC (R_L0-R_L8), RLS, Proof Plane, ADR process | | MAP | ~85% | Intent system, 8-tier trust model, ceiling enforcement, CAR identity | | MEASURE | ~90% | Trust scores (0-1000), 16-factor model, dual-hash proof chain, 182-day decay | | MANAGE | ~80% | Tier demotion, Cognigate enforcement, webhooks, gaming detection |

Overall estimated coverage: ~86%.

GOVERN -- Cultivate a Culture of Risk Management

The GOVERN function addresses organizational governance structures, policies, and processes for managing AI risks throughout the AI lifecycle.

GV-1: Policies and Procedures

BASIS (packages/basis/) encodes trustworthy AI characteristics -- fairness, accountability, transparency -- as declarative governance policies. Policy versioning uses an immutable policy_versions table with no UPDATE or DELETE allowed (enforced by RLS). Every change creates a new version with full traceability.

// Policy versioning is append-only by design
// packages/contracts/src/db/policy-versions.ts
export const policyVersions = pgTable('policy_versions', {
  id: uuid('id').primaryKey(),
  version: text('version').notNull(),
  createdBy: text('created_by').notNull(),
  createdAt: timestamp('created_at').defaultNow(),
  previousVersionId: uuid('previous_version_id'),
  // RLS enforces INSERT-only -- no UPDATE, no DELETE
});

GV-1.1: Legal and Regulatory Requirements

Vorion maintains a compliance documentation suite in docs/compliance/:

NIST AI RMF mapping (this document)
NIST COSAiS SP 800-53 overlay
ISO 42001 gap analysis
EU AI Act alignment
OWASP ASI mapping

A governance matrix in compliance/governance-matrix.yaml tracks NIST 800-53, SOC 2, GDPR, ISO 27001, FedRAMP, and CMMC frameworks.

GV-1.3: Risk Management Processes

Every agent action passes through the governance pipeline:

Agent Action Request
  -> INTENT (parse action, classify risk)
  -> BASIS (validate manifest, trust tier, capabilities)
  -> ENFORCE (evaluate policies, determine ALLOW/DENY/ESCALATE)
  -> COGNIGATE (human-in-the-loop for escalations)
  -> PROOF (SHA-256 + SHA3-256 dual-hash audit record)
  -> TRUST ENGINE (update scores, apply decay)

No execution occurs without governance evaluation. This is documented across 18 Architecture Decision Records in docs/adr/.

GV-2: Accountability Structures

RBAC with 8 role levels (R_L0 through R_L8) defines who can do what. The Proof Plane records every governance decision with cryptographically chained records. Ed25519 signatures provide non-repudiation.

GV-3.2 & GV-5.1: Human Oversight and Monitoring

Trust tier T5+ requires human gate approval (ADR-002). Trust scores are computed at runtime with a 182-day stepped decay half-life. Real-time dashboards surface trust state, anomalies, and compliance posture. OpenTelemetry instrumentation provides distributed observability.

MAP -- Contextualize Risks

The MAP function covers identification and documentation of AI system context.

MP-2.1: System Categorization

Vorion classifies agents using the 8-tier trust model (T0-T7), defined in canonical.ts:

| Tier | Name | Score Range | Description | |------|------|-------------|-------------| | T0 | Sandbox | 0-199 | No external effects | | T1 | Observed | 200-349 | Read-only, monitored | | T2 | Provisional | 350-499 | Limited write, scoped tools | | T3 | Monitored | 500-649 | Standard operations, audit | | T4 | Standard | 650-799 | Full operational capability | | T5 | Trusted | 800-875 | Cross-system operations | | T6 | Certified | 876-950 | Multi-agent coordination | | T7 | Autonomous | 951-1000 | Full autonomous operation |

MP-2.2: Specific Risks Identified

CAR (Categorical Agentic Registry) strings encode agent type, capabilities, and risk profile: registry.org.class:DOMAINS-Ln@version. The CAR spec (@vorionsys/car-spec v1.1.0) is published on npm.

MP-4.1: Deployment Risks

Observation tier ceilings restrict maximum trust based on inspectability:

| Observation Tier | Ceiling | Max Trust Tier | |-----------------|---------|----------------| | BLACK_BOX | 600 | T3 | | GRAY_BOX | 750 | T4 | | WHITE_BOX | 900 | T6 | | ATTESTED_BOX | 950 | T6 | | VERIFIED_BOX | 1000 | T7 |

A proprietary API model (BLACK_BOX) can never exceed T3 regardless of behavioral performance. Only a fully verified model (TEE + zkML + interpretability) can reach T7.

MP-5.1: Risk Likelihood

Trust score decay quantifies inactivity risk. The stepped decay model uses a 182-day half-life with 9 milestones. Agents that stop operating gradually lose trust, preventing stale high-trust entities from retaining elevated privileges.

MEASURE -- Analyze and Assess Risks

The MEASURE function addresses analysis, assessment, and tracking of AI risks.

MS-1.1: Risk Metrics

The 16-factor trust model evaluates agents across 5 groups:

Foundation (9 factors): Competence, Reliability, Observability, Transparency, Accountability, Safety, Security, Privacy, Identity
Agency (3 factors): Human Oversight, Alignment, Context Awareness
Maturity (1 factor): Stewardship
Evolution (2 factors): Adaptability, Continuous Learning
Maturity (1 factor): Humility

Each factor is weighted (Foundational, Operational, or Sophisticated) and has a required-from tier. Higher tiers demand higher minimums across more factors.

MS-2.1: Regular Evaluation

The automated test suite validates compliance continuously:

# Run compliance-specific tests
pnpm test -- --filter compliance

# Output: 160+ tests covering:
#   - Trust tier boundary enforcement
#   - Risk accumulator thresholds
#   - Circuit breaker state transitions
#   - Proof chain integrity
#   - Policy versioning immutability

Stryker mutation testing validates test effectiveness. CI includes typecheck, lint, build, test, SAST (Semgrep), and secrets scan (gitleaks) as blocking quality gates.

MS-3.1: Tracking Over Time

The Proof Plane maintains a tamper-evident record via SHA-256 + SHA3-256 dual hashing with linear chain linking. Every trust score change is logged as a TRUST_DELTA event with previousScore, newScore, previousBand, newBand, and reason. Merkle tree aggregation enables efficient batch verification.

MANAGE -- Prioritize and Act on Risks

The MANAGE function addresses risk treatment strategies.

MG-1.2: Risk Treatment Plans

Trust threshold breaches trigger automatic demotion with corresponding privilege reduction. The graduated circuit breaker enforces three states:

Normal: Score >= 200. Full operation.
Degraded: Score < 200. Gains frozen, losses still apply.
Tripped: Score < 100. Fully blocked.

The risk accumulator runs on a 24-hour rolling window with three thresholds:

| Level | Threshold | Action | |-------|-----------|--------| | Warning | 60 | Increased monitoring | | Degraded | 120 | Gains frozen | | Circuit breaker | 240 | Full stop, human reinstatement required |

MG-2.1: Risk Response Implementation

Cognigate (packages/cognigate/) provides real-time policy enforcement. Every action is evaluated against the current trust score, applicable policies, and ceiling caps before execution is permitted. The decision model has four outcomes: ALLOW, DENY, ESCALATE, DEGRADE.

MG-2.2: Third-Party Risk

Agent SDKs for TypeScript, Go, and Python enforce governance checks at the SDK boundary. API key management and service accounts provide controlled access for third-party integrations.

Gaps and Remediation

| Gap | Controls Affected | Remediation | Target | |-----|-------------------|-------------|--------| | External blockchain anchoring | MS-3, MG-3 | Schema ready. Ethereum/Polygon or RFC 3161 TSA integration planned. | Q3 2026 | | ZK proof system | MS-1, MG-4 | Schnorr prototype complete. Production SNARK (Circom/Groth16) planned. | Q2-Q3 2026 | | TEE integration | GV-2, MG-2 | Interfaces defined. SDK integration for hardware-backed key management. | Q3 2026 | | Formal third-party audit | GV-6, MS-2 | SOC 2 Type II audit planned. ISO 42001 gap analysis complete. | Q4 2026 |

Running Compliance Validation

# Full compliance test suite
pnpm turbo test --filter=@vorionsys/atsf-core --filter=@vorionsys/proof-plane

# NIST-specific coverage report
pnpm test -- --reporter=verbose 2>&1 | grep -i "nist\|compliance\|rmf"

# Proof chain integrity check
pnpm -F @vorionsys/proof-plane test -- --grep "chain"

The test suite covers all four RMF functions with 160+ targeted assertions. Enterprise soak testing validated the governance pipeline with 200K signals across 10,000 concurrent agents without a single dropped proof record.

Next Steps

SP 800-53 Coverage -- Detailed control family mapping
EU AI Act Mapping -- Cross-framework compliance
Building Compliance Reports -- Automated evidence generation

All Documentation