NIST AI RMF alignment

Operationalize Govern, Map, Measure, Manage.

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary, sector-agnostic guide to building trustworthy AI. It organizes practice into four functions — Govern, Map, Measure, Manage — and asks organizations to document how they execute each. Cortex turns those functions into a running system: governance is enforced at the gate, measurement streams from observability, and the evidence is sealed in the Trust Ledger.

Aligned with NIST AI RMF 1.0 · Govern · Map · Measure · Manage

audit/verify
#101hash ✓#102hash ✓#103hash ✓#104hash ✓#105hash ✓
head 0x9f3a…c1ok: true
verifyChain ▸ chained SHA-256 · signed receipts
What NIST AI RMF is

NIST AI Risk Management Framework, in plain language.

Unlike the EU AI Act, the NIST AI RMF is voluntary and outcome-based rather than prescriptive. It is widely adopted in the US as the de-facto baseline for trustworthy AI and is increasingly cited in procurement. The framework defines four functions and a set of trustworthiness characteristics — valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair. The companion Playbook breaks each function into actionable categories and subcategories. The hard part is producing durable evidence that you actually do these things; Cortex generates that evidence as a by-product of running agents.

applies to ▸ United States · voluntary, all sectors

The obligations — and how Cortex maps to them

Each requirement becomes an enforced, recorded control.

The AI RMF's four functions map cleanly onto the Cortex runtime. Govern and Map are configuration; Measure and Manage are continuous and produce the evidence an assessor wants to see.

Govern
  • Policy-as-Code: testable allow / deny / require_approval
  • Agent IAM assigns owners, risk tiers, and review cycles
  • Risk register documents controls per agent
  • Roles and RBAC scope who can change what
Map
  • Ontology models the business context an agent operates in
  • Each agent's purpose, scope, and allowed actions are explicit
  • Lineage maps the full context of every decision
  • Risk tiers classify impact before deployment
Measure
  • Observability scores every run for quality
  • Evaluation suites: faithfulness, citation coverage, safety
  • Reliability score gates which versions may publish
  • Simulation lab for A/B and what-if measurement
Manage
  • Control Tower to pause, gate, or kill agent activity live
  • Oversight Modes dial autonomy to the measured risk
  • Cost caps manage resource exposure (402 hard cap)
  • Action Fabric compensates / rolls back executed actions
Accountable & transparent
  • Hash-chained Trust Ledger records every gate verdict
  • Signed receipts verifiable offline by a third party
  • 10-hop lineage explains who, what, why, and who approved
  • Datapoint provenance: every fact threads to its source
The control mapping

From a written obligation to provable evidence.

Every obligation reduces to a fail-closed runtime gate whose verdict lands in a tamper-evident ledger you can hand an examiner. This is the table a Compliance Pack exports for this framework.

ObligationEnforced Cortex controlLedger evidence
Govern — policies, roles, accountability structuresPolicy-as-Code + Agent IAMrules, tests · owner per agent
Map — establish context & categorize AI riskOntology + risk registerrisk tier per identity
Measure — analyze, assess, benchmark, monitorObservability + evaluationsquality { overall: 100 }
Manage — prioritize, respond, recover, communicateControl Tower + Oversight409 pause · compensate
Accountable & transparent trustworthinessTrust Ledger + lineageverifyChain ▸ ok:true
Records are complete & tamper-evidentSigned receipts, sealed chainhashOk:false flags edits
Compliance Packs

One-click evidence export, straight from the Trust Ledger.

AI RMF assessments turn on evidence: can you show you measure and manage risk continuously? A Compliance Pack maps each function to its Cortex control and bundles the live observability scores and sealed ledger records that prove it — no screenshot archaeology before a review.

  • The NIST AI RMF control map, generated — not assembled by hand
  • Sealed run records you can verifyChain offline
  • Datapoint provenance: every fact threads back to its source
  • Honest by construction — evidence is generated, never asserted
01 · Humanrisk-ops@nw02 · AgentFraud Triage03 · Skilltriage.v404 · Promptsha 0x3a…05 · Policyapprove≥5k06 · Modelclaude-opus07 · ToollookupCase08 · Artifactmemo #447109 · Outcomeapproved10 · Approvalj.lee
Prove it — don't just claim it

The NIST AI RMF verdicts you'll see in the demo.

These are not slideware promises — they are the literal codes and receipts the runtime returns when you challenge it against this framework's controls.

gate verdicts ▸ NIST AI RMF
Per-run quality measured{ overall: 100 }enforced
Golden policy tests as a release gatepassed/totalenforced
Agent paused from Control Tower409 AGENT_PAUSEDenforced
Integrity proof over a rangeok:true · headproven
compliance-pack ▸ generated from the trust ledger · verifiable offline
Getting audit-ready

Three steps from NIST AI RMF on paper to provable.

  1. 01

    Map

    Pick NIST AI RMF. Cortex lines each obligation up against the runtime gate that enforces it — no spreadsheet archaeology.

  2. 02

    Enforce

    Every agent run passes the same fail-closed gates. A denied control returns a real code (402 / 403 / 409) — never a silent pass.

  3. 03

    Prove

    Export a Compliance Pack: the mapping table plus the sealed ledger records that show each control fired, verifiable offline.

Aligned with — never certified-claimed

The NIST AI RMF is voluntary and has no certification. Cortex is aligned with all four functions and supplies the running controls and the durable evidence; the organizational profile and risk tolerance remain yours to set.

The controls behind the mapping

The Cortex capabilities that satisfy this framework.

Each obligation above is enforced by a real capability in the runtime. Explore the ones that do the work for this framework.

Compliance framing

Built for the frameworks your auditors already cite.

The sealed ledger, signed receipts, and lineage graph map to the obligations across every regime you report against — aligned with, never claiming a certification you don't hold.

EU AI ActNIST AI RMFISO 42001SOC 2HIPAAFINRAIRS Circular 230

Turn NIST AI RMF from a burden into a button.

See how Cortex maps NIST AI RMF to enforced controls and exports auditor-grade evidence on demand.