- Policy-as-Code: testable allow / deny / require_approval
- Agent IAM assigns owners, risk tiers, and review cycles
- Risk register documents controls per agent
- Roles and RBAC scope who can change what
Operationalize Govern, Map, Measure, Manage.
The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary, sector-agnostic guide to building trustworthy AI. It organizes practice into four functions — Govern, Map, Measure, Manage — and asks organizations to document how they execute each. Cortex turns those functions into a running system: governance is enforced at the gate, measurement streams from observability, and the evidence is sealed in the Trust Ledger.
Aligned with NIST AI RMF 1.0 · Govern · Map · Measure · Manage
NIST AI Risk Management Framework, in plain language.
Unlike the EU AI Act, the NIST AI RMF is voluntary and outcome-based rather than prescriptive. It is widely adopted in the US as the de-facto baseline for trustworthy AI and is increasingly cited in procurement. The framework defines four functions and a set of trustworthiness characteristics — valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair. The companion Playbook breaks each function into actionable categories and subcategories. The hard part is producing durable evidence that you actually do these things; Cortex generates that evidence as a by-product of running agents.
applies to ▸ United States · voluntary, all sectors
Each requirement becomes an enforced, recorded control.
The AI RMF's four functions map cleanly onto the Cortex runtime. Govern and Map are configuration; Measure and Manage are continuous and produce the evidence an assessor wants to see.
- Ontology models the business context an agent operates in
- Each agent's purpose, scope, and allowed actions are explicit
- Lineage maps the full context of every decision
- Risk tiers classify impact before deployment
- Observability scores every run for quality
- Evaluation suites: faithfulness, citation coverage, safety
- Reliability score gates which versions may publish
- Simulation lab for A/B and what-if measurement
- Control Tower to pause, gate, or kill agent activity live
- Oversight Modes dial autonomy to the measured risk
- Cost caps manage resource exposure (402 hard cap)
- Action Fabric compensates / rolls back executed actions
- Hash-chained Trust Ledger records every gate verdict
- Signed receipts verifiable offline by a third party
- 10-hop lineage explains who, what, why, and who approved
- Datapoint provenance: every fact threads to its source
From a written obligation to provable evidence.
Every obligation reduces to a fail-closed runtime gate whose verdict lands in a tamper-evident ledger you can hand an examiner. This is the table a Compliance Pack exports for this framework.
| Obligation | Enforced Cortex control | Ledger evidence |
|---|---|---|
| Govern — policies, roles, accountability structures | Policy-as-Code + Agent IAM | rules, tests · owner per agent |
| Map — establish context & categorize AI risk | Ontology + risk register | risk tier per identity |
| Measure — analyze, assess, benchmark, monitor | Observability + evaluations | quality { overall: 100 } |
| Manage — prioritize, respond, recover, communicate | Control Tower + Oversight | 409 pause · compensate |
| Accountable & transparent trustworthiness | Trust Ledger + lineage | verifyChain ▸ ok:true |
| Records are complete & tamper-evident | Signed receipts, sealed chain | hashOk:false flags edits |
One-click evidence export, straight from the Trust Ledger.
AI RMF assessments turn on evidence: can you show you measure and manage risk continuously? A Compliance Pack maps each function to its Cortex control and bundles the live observability scores and sealed ledger records that prove it — no screenshot archaeology before a review.
- The NIST AI RMF control map, generated — not assembled by hand
- Sealed run records you can verifyChain offline
- Datapoint provenance: every fact threads back to its source
- Honest by construction — evidence is generated, never asserted
The NIST AI RMF verdicts you'll see in the demo.
These are not slideware promises — they are the literal codes and receipts the runtime returns when you challenge it against this framework's controls.
Three steps from NIST AI RMF on paper to provable.
- 01
Map
Pick NIST AI RMF. Cortex lines each obligation up against the runtime gate that enforces it — no spreadsheet archaeology.
- 02
Enforce
Every agent run passes the same fail-closed gates. A denied control returns a real code (402 / 403 / 409) — never a silent pass.
- 03
Prove
Export a Compliance Pack: the mapping table plus the sealed ledger records that show each control fired, verifiable offline.
Aligned with — never certified-claimed
The NIST AI RMF is voluntary and has no certification. Cortex is aligned with all four functions and supplies the running controls and the durable evidence; the organizational profile and risk tolerance remain yours to set.
The Cortex capabilities that satisfy this framework.
Each obligation above is enforced by a real capability in the runtime. Explore the ones that do the work for this framework.
Map the rest of your regulatory surface.
The same enforced controls and one-click evidence export cover the other frameworks your auditors cite.
ISO/IEC 42001
Aligned with ISO/IEC 42001: an AI management system with policies, roles, records, and continual improvement — evidence exported one-click..
EU AI Act
Aligned with the EU AI Act: human oversight, logging and traceability, risk management, and audit-ready evidence packs..
SOC 2
Aligned with SOC 2 Trust Services Criteria: access controls, change management, audit logging, and tamper-evident evidence..
All frameworks
The full compliance hub — every framework Cortex maps to, with the shared control-to-evidence model.
Built for the frameworks your auditors already cite.
The sealed ledger, signed receipts, and lineage graph map to the obligations across every regime you report against — aligned with, never claiming a certification you don't hold.
Turn NIST AI RMF from a burden into a button.
See how Cortex maps NIST AI RMF to enforced controls and exports auditor-grade evidence on demand.