Compliance Mapping: NIST AI RMF & EU AI Act
How the Vorion governance stack maps to NIST AI Risk Management Framework, EU AI Act requirements, and SOC 2 controls.
Compliance Mapping Overview
The Vorion governance stack -- built on the BASIS specification, ATSF trust engine, and Cognigate enforcement engine -- was designed with regulatory compliance as a first-class concern. This guide maps Vorion capabilities to three major compliance frameworks.
NIST AI Risk Management Framework (AI RMF 1.0)
The NIST AI RMF organizes AI risk management into four core functions: Govern, Map, Measure, and Manage. Here is how the Vorion stack addresses each.
GOVERN -- Establish AI governance structures
| NIST Subcategory | Vorion Capability | |---|---| | GV-1: Policies and procedures | BASIS specification defines governance rules, trust tiers, and escalation policies | | GV-2: Accountability structures | Cognigate records every governance decision with immutable proof records | | GV-3: Workforce diversity & expertise | KYA (Know Your Agent) framework classifies agent capabilities and roles | | GV-4: Organizational risk tolerance | Configurable trust thresholds, failure thresholds, and escalation rules in ATSF |
MAP -- Contextualize AI risks
| NIST Subcategory | Vorion Capability | |---|---| | MP-2: AI system categorization | 8-tier trust model (T0--T7) classifies agents by proven capability | | MP-3: Benefits and costs assessed | Trust scoring dimensions (CT, BT, GT, XT, AC) evaluate multi-dimensional risk | | MP-5: Impact assessment | Governance decisions include risk-level classification and reasoning |
MEASURE -- Analyze and assess AI risks
| NIST Subcategory | Vorion Capability | |---|---| | MS-1: Appropriate metrics | 16-factor trust model with quantitative scoring (0--1000 scale) | | MS-2: Systems evaluated regularly | Time-based decay ensures continuous re-evaluation; idle agents lose trust | | MS-3: Tracking over time | Trust history API provides full temporal audit trail |
MANAGE -- Prioritize and act on AI risks
| NIST Subcategory | Vorion Capability | |---|---| | MG-1: Risk prioritized and managed | Graduated circuit breakers: ALLOW > DEGRADE > ESCALATE > DENY | | MG-2: Risk response planned | Recovery mechanics allow agents to rebuild trust after incidents | | MG-3: Risks monitored continuously | Real-time webhook events for trust changes, tier transitions, and alerts |
EU AI Act
The EU AI Act classifies AI systems by risk level and imposes obligations accordingly. Vorion's architecture supports compliance across all risk categories.
Risk Classification Alignment
| EU AI Act Risk Level | Vorion Trust Tier Mapping | Requirements Met | |---|---|---| | Unacceptable Risk | Systems denied at T0 (Sandbox) -- cannot operate | Prohibited system detection | | High Risk | T1--T4 agents require active governance | Conformity assessment, logging, human oversight | | Limited Risk | T5--T6 agents with transparency obligations | Audit trails, decision reasoning | | Minimal Risk | T7 agents with proven autonomy | Voluntary codes of conduct |
Article-by-Article Mapping
| EU AI Act Article | Requirement | Vorion Implementation | |---|---|---| | Art. 9 -- Risk Management | Continuous risk management system | ATSF trust engine with decay, recovery, and circuit breakers | | Art. 10 -- Data Governance | Training data quality and governance | KYA framework tracks agent provenance and data lineage | | Art. 11 -- Technical Documentation | System documentation | CAR specification provides machine-readable agent identity | | Art. 12 -- Record Keeping | Automatic logging of operations | Proof Plane creates immutable, hash-chained audit records | | Art. 13 -- Transparency | Users informed about AI interaction | Intent parsing surfaces decision reasoning to end users | | Art. 14 -- Human Oversight | Human-in-the-loop for high-risk | ESCALATE decisions route to human reviewers; kill switches available | | Art. 15 -- Accuracy & Robustness | System reliability measures | Behavioral consistency testing, adversarial sandbox suite | | Art. 17 -- Quality Management | Quality management system | CI/CD governance checks, automated compliance validation | | Art. 26 -- Obligations of Deployers | Deployer responsibilities | Cognigate enforces governance at deployment boundary |
Conformity Assessment Support
Vorion provides the technical evidence needed for EU AI Act conformity assessments:
- Immutable audit trail -- Proof chain with SHA-256 hash linking and optional Polygon anchoring
- Decision reasoning -- Every ALLOW/DENY/ESCALATE/DEGRADE includes machine-readable reasoning
- Continuous monitoring -- Real-time trust scoring with configurable alerting
- Human oversight -- Built-in escalation workflows with approval routing
SOC 2 Type II
SOC 2 is organized around five Trust Services Criteria. The Vorion stack addresses the criteria most relevant to AI governance.
Security (Common Criteria)
| SOC 2 Control | Vorion Capability | |---|---| | CC6.1 -- Logical access controls | Trust-tier-based capability gating; agents only access what their tier permits | | CC6.3 -- Access removal | Agent pause/suspend/delete via Cognigate API | | CC7.2 -- Monitoring activities | Real-time trust monitoring with webhook-based alerting | | CC8.1 -- Change management | CAR versioning tracks agent configuration changes |
Availability
| SOC 2 Control | Vorion Capability | |---|---| | A1.2 -- Recovery objectives | Trust recovery mechanics with graduated restoration |
Processing Integrity
| SOC 2 Control | Vorion Capability | |---|---| | PI1.4 -- Processing accuracy | 16-factor trust model cross-validates agent behavior | | PI1.5 -- Output completeness | Proof records ensure no governance decision is lost |
Confidentiality
| SOC 2 Control | Vorion Capability | |---|---| | C1.2 -- Confidential data disposal | Agent deletion removes trust records per retention policy |
Compliance Checklist
Use this checklist when deploying Vorion-governed AI systems:
- [ ] Configure trust thresholds appropriate to your risk tolerance
- [ ] Enable Proof Plane integration for immutable audit trails
- [ ] Set up webhook handlers for
trust.tier_changedandalert.triggeredevents - [ ] Define escalation policies for ESCALATE decisions
- [ ] Document your trust tier-to-capability mapping
- [ ] Run adversarial sandbox tests before promoting agents above T2
- [ ] Export proof chain data for compliance audits quarterly
- [ ] Review and update governance rules at least annually
Next Steps
- SDK Quickstart -- Install and configure the governance stack
- Architecture: Governance Pipeline -- Understand the full enforcement flow
- API Reference: Cognigate Endpoints -- Integrate compliance checks into your APIs