Agentic-Reliability-Framework-API / docs /regulatory-mapping.md
petter2025's picture
Upload folder using huggingface_hub
d9fbb47 verified
|
Raw
History Blame
24.5 kB

ARF Comprehensive Regulatory Alignment & Compliance Handbook

NIST AI RMF 1.0, EU AI Act, ISO/IEC 42001, SOC 2, GDPR, and More

Document Version: 2.0
ARF Version: v4.3.2
Date: July 8, 2026
Classification: Proprietary – Access‑Controlled


1. Introduction

The Agentic Reliability Framework (ARF) is a governance control plane for AI‑driven infrastructure operations. This document provides an exhaustive, auditable mapping between ARF's capabilities and the requirements of global regulatory frameworks applicable to high‑risk AI systems in critical infrastructure.

It is intended for:

  • Design partners evaluating ARF for regulated deployments.
  • Compliance officers preparing for certification audits.
  • Independent auditors verifying the platform's claims.
  • Regulators assessing the adequacy of ARF’s governance controls.

Every mapping includes a code reference, audit evidence location, and verification procedure so that claims can be tested without relying on vendor assertions.


2. Framework Overview

ARF addresses the following frameworks:

Framework Jurisdiction Status ARF Alignment
NIST AI RMF 1.0 United States Active (revision underway) Full – Govern, Map, Measure, Manage
EU AI Act European Union In force Full – Articles 9–16, Annex IV
ISO/IEC 42001:2023 International Published Full – AI management system
SOC 2 (Trust Services Criteria) International (AICPA) Widely adopted Security, Availability, Confidentiality
GDPR European Union In force Data protection by design, right to explanation
NIST SP 800‑53 United States Active Security and privacy controls
OWASP Top 10 for LLM Applications International Best practice Prompt injection, supply chain

3. Detailed Framework Mappings

3.1 NIST AI RMF 1.0

The NIST AI RMF is organized into four core functions: Govern, Map, Measure, and Manage. ARF addresses each function with specific technical controls.

3.1.1 Govern

NIST Subcategory ARF Capability Code Reference Audit Evidence Verification Procedure
GOV‑1: Policies, processes, and procedures Policy algebra (TLA⁺ verified); criticality parameter; pre‑built policy packs policies.py (PolicyAlgebra), gates.rs (dynamic thresholds), policy_engine.py (healing policies), policy_packs/ Policy tree definitions stored in ConfigMap; every decision logs which policies were checked. 1. Export the active policy tree from the ConfigMap. 2. Run TLC on PolicyAlgebra.tla to verify algebraic laws. 3. Verify that 100% of decisions in the audit log include policy violation lists.
GOV‑2: Roles, responsibilities, and delegated authority Gateway RBAC via API key tiers; internal API key protects governance endpoints; human‑override fields in HealingIntent. auth/apikey.go (gateway), deps.py (verify_internal_key), healing_intent.py (human_overrides, approvals) Gateway access logs show per‑key requests; audit log entries record approver identity for overridden decisions. 1. Attempt to call the API directly without X‑Internal‑Key; confirm 401. 2. Call the API with a read‑only tier key; confirm that outcome recording fails. 3. Inspect the audit log for any decision with status=approved_with_overrides and verify the approved_by field is populated.
GOV‑4: AI risk management integration with organizational risk Bayesian risk scores feed into CVaR loss minimization; stability and drift flags provide continuous risk signals. risk_engine.py, governance_loop.py (CVaR, stability, drift) Every HealingIntent carries a risk score, epistemic breakdown, and stability/drift metadata. 1. Query the audit log for any decision where risk_score > 0.8 and verify that the action was DENY or ESCALATE. 2. Verify that lyapunov_stable and temporal_drift_detected are present in every HealingIntent.metadata.
GOV‑5: Continuous improvement Conjugate Beta updates, online recalibration, memory‑weight optimization, and causal effect re‑estimation after every outcome. risk_engine.py (update_outcome, _maybe_recalibrate), memory_weight_optimizer.py, causal_effect_estimator.py Outcome log shows feedback loop; recalibration events are logged. 1. Record a sequence of outcomes; verify that the conjugate α and β values change as expected. 2. Verify that after 100 outcomes, the risk_engine recalibrates if ECE exceeds 0.1.

3.1.2 Map

NIST Subcategory ARF Capability Code Reference Audit Evidence Verification Procedure
MAP‑1: Context and intended use InfrastructureIntent carries provenance, environment, requester identity; context_hash cryptographically binds all inputs. intents.py (InfrastructureIntent), healing_intent.py (context_hash), governance_loop.py (context extraction) HealingIntent.context_hash is a SHA‑256 of the canonical context; auditor can recompute and verify. 1. For any decision in the audit log, retrieve the stored context and recompute SHA‑256(canonical_json(context)). 2. Assert equality with the stored context_hash.
MAP‑2: AI system categorization RiskEngine categorizes every intent into action categories (database, network, compute, security) with category‑specific priors. risk_engine.py (categorize_intent, PRIORS) The risk_score explanation string includes the category; audit log records the category. 1. Submit intents of each type (ProvisionResource, GrantAccess, DeployConfiguration). 2. Verify that the risk explanation string contains the correct category.
MAP‑3: AI capabilities, limitations, and appropriate use Skill registry tracks per‑skill reliability; skill gate blocks unreliable skills; counterfactual explanations describe limitations. skill_registry.py, gates.rs (SkillGate), causal_effect_estimator.py (generate_counterfactual) Skill alpha/beta values are logged; counterfactual text is included in every HealingIntent. 1. Register a new skill with no history. 2. Submit an intent with that skill; verify that the SkillGate blocks it (P(θ>0.5) < 0.95). 3. Submit an intent with a well‑established skill (α=20, β=3); verify that the SkillGate passes.
MAP‑4: Risk mapping to AI system lifecycle Time‑decayed risk and temporal drift detection monitor risk evolution over time. governance_loop.py (time‑decayed risk, temporal drift), temporal_reliability.py HealingIntent.metadata.decayed_risk, .temporal_drift_detected 1. Run 100 decisions with a fixed risk score; verify that decayed_risk converges to the input risk. 2. Inject a sudden risk spike; verify that temporal_drift_detected becomes True within the CUSUM threshold.

3.1.3 Measure

NIST Subcategory ARF Capability Code Reference Audit Evidence Verification Procedure
MEASURE‑1: Risk measurement methodologies Bayesian risk fusion (conjugate + hyperprior + HMC), CVaR, epistemic uncertainty decomposition (CUDL Shapley values). risk_engine.py (calculate_risk), governance_loop.py (CVaR, epistemic), research/cudl/ HealingIntent contains risk score, epistemic breakdown, and Shapley attribution. 1. Submit an intent with known risk factors; verify that risk_factors sum to the risk_score. 2. Enable epistemic probing; verify that epistemic_breakdown contains hallucination, forecast, and sparsity components.
MEASURE‑2: Evaluation of trustworthiness characteristics Lyapunov stability monitoring, CUSUM drift detection, Expected Calibration Error (ECE) recalibration, E‑value sensitivity analysis. stability_controller.py, temporal_reliability.py, risk_engine.py (ECE), causal_effect_estimator.py (E‑value) HealingIntent.metadata.lyapunov_stable, .temporal_drift_detected; E‑values reported with ATE estimates. 1. Run two consecutive decisions with increasing risk; verify that lyapunov_stable becomes False. 2. Compute the E‑value for a known ATE; verify that it matches the formula RR + sqrt(RR(RR‑1)).
MEASURE‑3: Mechanisms for tracking and responding to emergent risks Passive Lyapunov check triggers active stability override; CUSUM drift triggers recalibration; skill gate blocks unproven skills. governance_loop.py (active stability response), gates.rs (StabilityGate, SkillGate) Gate failure reasons are logged; stability override events are recorded. 1. Artificially destabilize the Lyapunov monitor by alternating risk/psi; verify that the active stability response overrides the decision to ESCALATE. 2. Inject a skill with α=3, β=3; verify that the SkillGate fails with a message containing "Bayesian confidence low".

3.1.4 Manage

NIST Subcategory ARF Capability Code Reference Audit Evidence Verification Procedure
MANAGE‑1: Risk treatment strategies Three‑action decision (approve, deny, escalate) based on posterior expected loss minimization; human‑in‑the‑loop overrides. governance_loop.py (decision rule), healing_intent.py (human_overrides) HealingIntent.action and .status fields; audit log records the final decision and any overrides. 1. Submit an intent with policy violations; verify action is DENY. 2. Submit an intent with high epistemic uncertainty; verify action is ESCALATE. 3. Submit an intent with low risk and no violations; verify action is APPROVE.
MANAGE‑2: Documentation and reporting Immutable, hash‑chained audit log; every decision carries full trace (risk score, justification, counterfactual, metadata). routes_governance.py (write_audit_log), models_intents.py (DecisionAuditLogDB) The decision_audit_log table is queryable by tenant and timestamp; hashes are cryptographically verifiable. 1. Query the audit log for a specific tenant and date range; verify that all decisions are present and ordered. 2. Select two consecutive entries; verify that the hash chain is intact.
MANAGE‑3: Stakeholder communication Plain‑language justification; counterfactual explanation; advisory‑only status for OSS edition. healing_intent.py (justification, metadata.counterfactual) Every decision response includes a human‑readable explanation. 1. Call the /intents/evaluate endpoint; verify that the response includes a justification field with a plain‑language explanation. 2. Verify that when a causal model is available, the response includes a counterfactual field.
MANAGE‑4: Post‑deployment monitoring Outcome feedback loop updates conjugate posteriors, memory weights, and causal estimates; usage tracker provides quota visibility. outcome_service.py, risk_engine.py (update_outcome), usage_tracker.py Outcome log shows feedback events; usage tracker shows remaining quota. 1. Record an outcome via the /intents/outcome endpoint; verify that the risk engine's conjugate parameters have changed. 2. Call the /auth/info endpoint via the gateway; verify that remaining decreases after each evaluation.

3.2 EU AI Act

ARF is designed to govern AI‑driven infrastructure actions, which may be classified as high‑risk under the EU AI Act when they affect critical infrastructure.

Article Requirement ARF Capability Code Reference Audit Evidence Verification Procedure
Art. 9 Risk management system CVaR expected loss minimization; StabilityGate blocks when platform is unstable; temporal drift triggers recalibration. governance_loop.py (CVaR, stability), gates.rs (StabilityGate), risk_engine.py (recalibration) Every HealingIntent contains risk score, CVaR usage flag, stability sample, and drift metadata. Same as NIST Measure‑1/Measure‑3.
Art. 10 Data governance and data quality context_hash cryptographically binds decisions to input data; provenance field in intent tracks data origin. healing_intent.py (context_hash), intents.py (provenance) Auditor can recompute context_hash from stored context; provenance chain is logged. Same as NIST Map‑1.
Art. 11 Technical documentation Immutable audit log; HealingIntent carries full decision trace including pre‑/post‑memory risk, epistemic breakdown, counterfactual. models_intents.py (DecisionAuditLogDB), healing_intent.py (to_enterprise_request) Audit log table is queryable; each entry contains the complete decision payload. Same as NIST Manage‑2.
Art. 12 Record‑keeping Every decision logged with timestamp, tenant, risk score, action, justification; logs are hash‑chained and Ed25519‑signed. routes_governance.py (write_audit_log), crypto.py (Ed25519 signing) Hash chain integrity can be verified without trusting the runtime; signatures are base64‑encoded Ed25519. 1. Export the audit log. 2. For each entry, verify the Ed25519 signature using the stored public key. 3. Verify that `SHA‑256(entry_n
Art. 13 Transparency and provision of information Plain‑language justification; counterfactual explanation; memory‑based evidence summary. healing_intent.py (justification, metadata.counterfactual) Every API response includes justification and counterfactual fields. Same as NIST Manage‑3.
Art. 14 Human oversight Escalate action; human override fields; approval tracking; gateway RBAC for human reviewers. governance_loop.py (decision rule), healing_intent.py (with_human_approval), auth/apikey.go HealingIntent.approvals records reviewer identity and timestamp; gateway enforces role‑based access. Same as NIST Govern‑2.
Art. 15 Accuracy, robustness, and cybersecurity Deterministic RNG (SHA‑256 seeded), cryptographic signatures, constant‑time API key comparison, internal API key protection. governance_loop.py (deterministic RNG), crypto.py (signatures), deps.py (constant‑time compare) All probabilistic operations are reproducible; tampering with signed intents is detected. 1. Run the governance loop twice with the same input; verify identical output. 2. Modify one field of a signed HealingIntent; verify that verify() returns False.
Art. 16 Reporting obligations Usage tracker and audit log provide quota consumption and decision history; Wilson monitor tracks Rust enforcer agreement. usage_tracker.py, models_intents.py, wilson_monitor.py Usage and audit logs are queryable; Wilson confidence interval is updated every 5 minutes. 1. Query the usage log for a given API key; verify that monthly counts match the quota. 2. Verify that the Wilson monitor emits a Prometheus metric with the current confidence interval.

3.3 ISO/IEC 42001:2023 – AI Management System

ISO/IEC 42001 provides a certifiable framework for an AI management system. ARF can serve as the technical enforcement layer for the controls required by this standard.

Clause Requirement ARF Capability Code Reference
4.1 Understanding the organization and its context InfrastructureIntent captures operational context; context_hash binds it to decisions. intents.py, healing_intent.py
5.1 Leadership and commitment Criticality parameter allows leadership to set risk appetite. infrastructure_intents.py (criticality)
6.1 Actions to address risks and opportunities Full Bayesian risk pipeline, CVaR, stability monitoring. risk_engine.py, governance_loop.py
7.5 Documented information Immutable, hash‑chained audit log. models_intents.py, routes_governance.py
8.1 Operational planning and control Policy engine enforces rules; gates block unsafe actions. policies.py, gates.rs
9.1 Monitoring, measurement, analysis, and evaluation Epistemic uncertainty, Shapley decomposition, ECE recalibration, Lyapunov stability, CUSUM drift. governance_loop.py, stability_controller.py, temporal_reliability.py
10.1 Continual improvement Conjugate updates, memory weight optimization, causal re‑estimation. risk_engine.py, memory_weight_optimizer.py, causal_effect_estimator.py

3.4 SOC 2 (Trust Services Criteria)

SOC 2 evaluates the security, availability, processing integrity, confidentiality, and privacy of a system.

Trust Service Criterion ARF Capability Code Reference
Security (CC6.1, CC6.6) Internal API key authentication, constant‑time comparison, gateway salted SHA‑256 hashing, RBAC. deps.py (verify_internal_key), auth/apikey.go
Availability (A1.1, A1.2) Kubernetes HPA (3–10 replicas), liveness/readiness probes, rolling updates. deploy/kubernetes/arf‑api/hpa.yaml, deployment.yaml
Confidentiality (C1.1) NetworkPolicy restricts API to gateway only; CORS restricted to specific origin. networkpolicy.yaml, main.py (CORS)
Processing Integrity (PI1.2, PI1.3) Deterministic policy evaluation, TLA⁺ verified algebra, property‑based testing. PolicyAlgebra.tla, test_policy_properties.py, proptest_policy.rs
Privacy (P1.1, P4.1) Tenant isolation in risk engine; API keys scoped to tenants; usage data retained per retention policy. risk_engine.py (tenant isolation), usage_tracker.py (retention)

3.5 GDPR (General Data Protection Regulation)

For deployments processing personal data, ARF provides the following controls:

GDPR Article Requirement ARF Capability
Art. 5(1)(f) Integrity and confidentiality Cryptographic signatures, hash‑chained audit log, constant‑time API key verification.
Art. 25 Data protection by design context_hash minimizes the need to store raw personal data; only hashes are retained.
Art. 30 Records of processing activities Audit log provides a complete record of all decisions, including requester identity and justification.
Art. 35 Data protection impact assessment Risk scores, epistemic uncertainty, and counterfactuals provide evidence for DPIAs.
Art. 22 Automated individual decision‑making Human‑in‑the‑loop override ensures that no solely automated decision is made without review capability.

4. Cross‑Framework Alignment Matrix

Requirement Category NIST AI RMF EU AI Act ISO 42001 SOC 2 GDPR ARF Feature(s)
Risk identification and quantification Measure‑1, Measure‑2 Art. 9 6.1 Art. 35 Bayesian risk fusion, CVaR, epistemic uncertainty, E‑value
Policy enforcement and controls Govern‑1, Manage‑1 Art. 9, Art. 14 8.1 PI1.2 Art. 22 Policy algebra, Rust gates, human override
Data provenance and quality Map‑1 Art. 10 4.1 Art. 5(1)(f) context_hash, InfrastructureIntent.provenance
Documentation and record‑keeping Manage‑2 Art. 11, Art. 12 7.5 Art. 30 Immutable audit log, Ed25519 signatures
Transparency and explainability Map‑3, Manage‑3 Art. 13 Art. 22 Plain‑language justification, counterfactuals
Continuous monitoring and improvement Map‑4, Measure‑3, Govern‑5 Art. 9, Art. 15 9.1, 10.1 Conjugate updates, stability/drift detection, recalibration
Human oversight Govern‑2, Manage‑1 Art. 14 Art. 22 Escalate action, human approval workflow, RBAC
Security and access control Art. 15 CC6.1, CC6.6, C1.1 Art. 5(1)(f) Internal API key, gateway auth, NetworkPolicy, CORS
Availability and resilience A1.1, A1.2 Kubernetes HPA, liveness/readiness probes, rolling updates
Privacy P1.1, P4.1 Art. 25 Tenant isolation, API key scoping, usage retention

5. Evidence Collection & Audit Procedure

5.1 Automated Evidence Collection

ARF provides the following automated evidence sources:

  1. Audit log (PostgreSQL): The decision_audit_log table contains every governance decision with timestamp, tenant, risk score, action, justification, and cryptographic hashes.
  2. Prometheus metrics: arf_evaluations_total, arf_rust_agreement_total, arf_evaluation_duration_seconds provide real‑time observability.
  3. OpenTelemetry traces: Every request is traced with a unique trace_id, linking gateway logs to API decisions.
  4. Usage tracker (SQLite/PostgreSQL): Provides per‑API‑key quota consumption and audit logs.

5.2 Independent Auditor Verification Checklist

Step Procedure Expected Outcome
1. Deterministic replay Run GovernanceLoop.run() twice with identical inputs. SHA‑256 of serialized HealingIntent is identical.
2. Hash chain integrity Query decision_audit_log ordered by timestamp; verify that each hash links to the previous entry. No broken chains.
3. Signature verification For any signed intent, verify the Ed25519 signature using the stored public key fingerprint. Signature verification returns True.
4. Tamper detection Modify one field of a signed HealingIntent and call verify(). verify() returns False.
5. Policy algebra Run TLC on PolicyAlgebra.tla. All invariants hold.
6. Cross‑language policy equivalence Generate random policy trees and evaluate in both Python and Rust; compare violation sets. Identical violation sets.
7. Bayesian update correctness Record a sequence of outcomes; manually compute expected α, β. BetaStore matches manual computation.
8. Skill gate Submit intents with varying skill evidence; verify gate behavior. Low‑evidence skills fail; high‑evidence skills pass.
9. Criticality‑aware gates Submit intents with criticality=1.0; verify that tolerance is zero and confidence threshold is 1.0. High‑criticality actions are blocked unless perfect.
10. Context hash verification Retrieve stored context for any decision; recompute SHA‑256. Matches stored context_hash.

6. Continuous Compliance Monitoring

ARF includes built‑in mechanisms for ongoing compliance verification:

  • Wilson confidence interval monitor: Every 5 minutes, the Wilson updater checks the Rust enforcer agreement and adjusts the canary promotion status. This provides a statistical control chart for policy enforcement consistency.
  • Expected Calibration Error (ECE): Monitored per tenant and category; triggers recalibration when exceeding 0.1.
  • Lyapunov stability window: The StabilityGate blocks execution when the recent stability record is poor, preventing the platform from operating in a degraded state.
  • Temporal drift detection: CUSUM tracks sustained drift in risk estimates; alerts when the model becomes stale.

7. References

  • NIST AI RMF 1.0: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf
  • EU AI Act: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0206
  • ISO/IEC 42001:2023: https://www.iso.org/standard/81230.html
  • SOC 2 Trust Services Criteria: https://www.aicpa.org/soc2
  • GDPR: https://gdpr-info.eu/
  • ARF Mathematical Work Journal: docs/math_journal.md
  • ARF Policy Algebra TLA⁺ Specification: agentic_reliability_framework/spec/tla/PolicyAlgebra.tla
  • ARF Pressure Test Suite: tests/pressure/test_pressure.py

This document is proprietary and access‑controlled. Distribution is limited to qualified pilots and enterprise customers under written agreement.