
# Compliance

> EU AI Act, NIST AI RMF, and ISO 42001 mapped to your runtime — controls evaluated continuously, gaps surfaced automatically.

Compliance turns governance work into framework-specific status you can put in front of an auditor. Each framework's requirements are pre-mapped to Observatory controls; the controls evaluate continuously against your telemetry, evidence, and assessments.

***

## Frameworks covered

<CardGroup cols={2}>
  <Card title="EU AI Act" icon="building" href="./eu-ai-act">
    18 requirements mapped, with scope by risk tier (minimal / limited / high).
  </Card>

  <Card title="NIST AI RMF" icon="flag" href="./nist-ai-rmf">
    16 requirements across Govern, Map, Measure, Manage.
  </Card>

  <Card title="ISO 42001" icon="globe" href="./iso-42001">
    12 requirements for AI management systems.
  </Card>

  <Card title="Gap analysis & heatmap" icon="grid" href="./gap-analysis-heatmap">
    Cross-framework view with prioritised remediation.
  </Card>
</CardGroup>

***

## How a control becomes a status

```mermaid theme={"system"}
flowchart LR
    Framework[Framework requirement] --> Controls[Mapped Observatory controls]
    Controls --> Inputs{Inputs}
    Inputs --> Telemetry[Telemetry]
    Inputs --> Policy[Policy evaluations]
    Inputs --> Evidence[Approved evidence]
    Inputs --> Assessment[Assessment answers]
    Telemetry & Policy & Evidence & Assessment --> Status[Per-control status]
    Status --> Roll[Framework score]
```

Each requirement maps to one or more controls. Each control draws on the same operational inputs (telemetry, policies, evidence, assessments). Status is one of:

* **Met** — sufficient approved evidence within the freshness window
* **Partial** — some evidence but gaps remain
* **Gap** — no current evidence
* **Out of scope** — risk tier doesn't trigger this requirement

***

## When to use the compliance views

| Audience                          | Page                                                       |
| --------------------------------- | ---------------------------------------------------------- |
| Auditor preparing a review        | The framework page they care about + the heatmap export    |
| GRC team planning sprints         | Gap analysis sorted by severity                            |
| Security team checking posture    | Heatmap, scoped by risk tier                               |
| Engineering team during a release | Requirement detail for the one control that flipped to Gap |

***

## Cross-framework mapping

Many requirements overlap. Observatory's mapping engine recognises this — closing a gap in one framework often resolves a gap in another:

* EU AI Act Article 9 (risk management) overlaps with NIST RMF Govern-1.1 and ISO 42001 6.1.
* EU AI Act Article 12 (record-keeping) overlaps with NIST RMF Map-3.3 and ISO 42001 8.5.

The heatmap shows these overlaps; the gap analysis prioritises remediation by impact across frameworks.

***

## Related resources

<CardGroup cols={2}>
  <Card title="Evidence" icon="folder-open" href="../governance/evidence">
    Where the artefacts that satisfy controls live.
  </Card>

  <Card title="AI Registry" icon="server" href="../governance/ai-registry">
    Risk tier in the registry determines which requirements apply.
  </Card>
</CardGroup>
