Compliance turns governance work into framework-specific status you can put in front of an auditor. Each framework’s requirements are pre-mapped to Observatory controls; the controls evaluate continuously against your telemetry, evidence, and assessments.Documentation Index
Fetch the complete documentation index at: https://docs.flowx.ai/llms.txt
Use this file to discover all available pages before exploring further.
Frameworks covered
EU AI Act
18 requirements mapped, with scope by risk tier (minimal / limited / high).
NIST AI RMF
16 requirements across Govern, Map, Measure, Manage.
ISO 42001
12 requirements for AI management systems.
Gap analysis & heatmap
Cross-framework view with prioritised remediation.
How a control becomes a status
Each requirement maps to one or more controls. Each control draws on the same operational inputs (telemetry, policies, evidence, assessments). Status is one of:- Met — sufficient approved evidence within freshness window
- Partial — some evidence but gaps remain
- Gap — no current evidence
- Out of scope — risk tier doesn’t trigger this requirement
When to use the compliance views
| Audience | Page |
|---|---|
| Auditor preparing a review | The framework page they care about + the heatmap export |
| GRC team planning sprints | Gap analysis sorted by severity |
| Security team checking posture | Heatmap, scoped by risk tier |
| Engineering team during a release | Requirement detail for the one control that flipped to Gap |
Cross-framework mapping
Many requirements overlap. Observatory’s mapping engine recognises this — closing a gap in one framework often resolves a gap in another:- EU AI Act Article 9 (risk management) overlaps with NIST RMF Govern-1.1 and ISO 42001 6.1.
- EU AI Act Article 12 (record-keeping) overlaps with NIST RMF Map-3.3 and ISO 42001 8.5.
Related resources
Evidence
Where the artefacts that satisfy controls live.
AI Registry
Risk tier in the registry determines which requirements apply.