Skip to main content
Compliance turns governance work into framework-specific status you can put in front of an auditor. Each framework’s requirements are pre-mapped to Observatory controls; the controls evaluate continuously against your telemetry, evidence, and assessments.

Frameworks covered

EU AI Act

18 requirements mapped, with scope by risk tier (minimal / limited / high).

NIST AI RMF

16 requirements across Govern, Map, Measure, Manage.

ISO 42001

12 requirements for AI management systems.

Gap analysis & heatmap

Cross-framework view with prioritised remediation.

How a control becomes a status

Each requirement maps to one or more controls. Each control draws on the same operational inputs (telemetry, policies, evidence, assessments). Status is one of:
  • Met — sufficient approved evidence within freshness window
  • Partial — some evidence but gaps remain
  • Gap — no current evidence
  • Out of scope — risk tier doesn’t trigger this requirement

When to use the compliance views


Cross-framework mapping

Many requirements overlap. Observatory’s mapping engine recognises this — closing a gap in one framework often resolves a gap in another:
  • EU AI Act Article 9 (risk management) overlaps with NIST RMF Govern-1.1 and ISO 42001 6.1.
  • EU AI Act Article 12 (record-keeping) overlaps with NIST RMF Map-3.3 and ISO 42001 8.5.
The heatmap shows these overlaps; the gap analysis prioritises remediation by impact across frameworks.

Evidence

Where the artefacts that satisfy controls live.

AI Registry

Risk tier in the registry determines which requirements apply.
Last modified on June 1, 2026