Tech Jacks Solutions
Agent Governance Crosswalk
NIST AI RMF ↔ ISO 42001 ↔ EU AI Act — Agent-Specific Controls
50 Control Mappings
3 Frameworks
Agent-Specific Guidance
Critical — Fundamentally different for agents
High — Substantial adaptation needed
Medium — Moderate adjustments
Recommended: Print in landscape orientation for best readability.
AI Knowledge & Agentic Hub
Govern your AI agents. The AI Agent Governance & Risk Assessment: built for autonomous/agentic systems.
Your purchase helps keep our hubs free to read.
| Control Area | NIST AI RMF | ISO 42001 | EU AI Act |
|---|---|---|---|
| Governance & Oversight | |||
| Legal & Regulatory Requirements Critical | Legal and regulatory requirements involving AI are understood, managed, and documented GV-1.1 | Understanding organizational context; AI objectives and planning 4.1, 6.2, A.2.2, A.2.4 | Classification rules for high-risk AI systems; providers must determine AI system risk category Article 6, Article 7 |
| Trustworthy AI Integration Critical | Trustworthy AI characteristics integrated into organizational policies and practices GV-1.2 | AI management system; AI policy; Objectives for responsible use; Suppliers 4.4, 5.2, A.9.3, A.10.3 | Risk management system shall be established as a continuous iterative process throughout the lifecycle Article 9(1) |
| AI System Inventory Critical | Mechanisms to inventory AI systems, resourced according to organizational risk priorities GV-1.6 | Resource documentation; Data, tooling, system/computing, and human resources A.4.2, A.4.3, A.4.4, A.4.5, A.4.6 | Providers shall register themselves and their systems in the EU database before placing on market Article 49 |
| Decommissioning Critical | Processes for decommissioning and phasing out AI systems safely GV-1.7 | AI system operation and monitoring A.6.2.6 | Deployers shall have the ability to fully understand, interrupt, or stop the system at any time Article 22 |
| Executive Accountability High | Executive leadership takes responsibility for AI risk decisions GV-2.3 | Leadership and commitment; AI policy; Management review 5.1, 5.2, 9.3.1, 9.3.2, 9.3.3 | Providers shall put a quality management system in place with documented policies approved by management Article 17(1) |
| Human Oversight | |||
| Human-AI Configuration Critical | Policies to define roles and responsibilities for human-AI configurations and oversight GV-3.2 | Competence; Processes for responsible design; Objectives for responsible use 7.2, A.6.1.3, A.9.3, A.4.6 | High-risk AI systems shall be designed to be effectively overseen by natural persons during use Article 14 |
| Knowledge Limits Critical | Information about AI system knowledge limits and human utilization is documented MP-2.2 | Technical documentation; Objectives for responsible use; System documentation A.6.2.7, A.9.3, A.8.2 | Persons assigned to oversight shall understand AI system capacities and limitations Article 14(4) |
| Oversight Architecture Critical | Processes for human oversight are defined, assessed, and documented MP-3.5 | Processes for responsible design; Technical documentation; System documentation A.6.1.3, A.6.2.7, A.8.2 | High-risk AI systems designed to be overseen by natural persons to prevent/minimize risks Article 14(1), Article 14(2) |
| Kill Switch / Override Critical | Mechanisms to supersede, disengage, or deactivate AI systems with inconsistent performance MG-2.4 | Intended use of the AI system; System documentation; Technical documentation A.9.4, A.8.2, A.6.2.7 | Ability to intervene in or interrupt the system through a stop button or similar procedure Article 14(3)(d), Article 14(3)(e) |
| Risk Management | |||
| Risk Tolerance Critical | Processes to determine needed level of risk management based on organizational risk tolerance GV-1.3 | General planning; AI risk assessment; AI risk treatment 6.1.1, 6.1.2, 6.1.3 | Risk management shall identify and analyze known and foreseeable risks to health, safety, or rights Article 9(2) |
| Intended Purpose Critical | Intended purposes, context-specific laws, norms, and deployment settings are documented MP-1.1 | AI system impact assessment; Documentation; Assessing impact on individuals and society 6.1.4, A.5.2, A.5.3, A.5.4, A.5.5 | Identify and analyze risks associated with intended purpose of the high-risk AI system Article 9(2)(a) |
| Supply Chain Risk Critical | Approaches for mapping AI technology and legal risks of components including third-party data/software MP-4.1 | Understanding organizational context; AI policy; Processes for responsible use 4.1, A.2.2, A.9.2, A.9.4 | High-risk AI systems shall be resilient against unauthorized third-party attempts to alter use or outputs Article 15(4) |
| Incident Response Critical | Procedures to respond to and recover from previously unknown risks when identified MG-2.3 | General planning; AI risk assessment; AI risk treatment; Nonconformity and corrective action 6.1.1, 6.1.2, 6.1.3, 10.2 | Providers shall ensure corrective actions without undue delay, including withdrawal or recall Article 20 |
| Transparency & Documentation | |||
| Capability Disclosure Critical | Teams document risks and potential impacts and communicate about impacts broadly GV-4.2 | Communication; AI system impact assessment; Assessing impact on individuals 7.4, 6.1.4, A.5.4, A.5.5 | Operation sufficiently transparent to enable deployers to interpret output and use appropriately Article 13 |
| AI Identification Critical | Risks associated with transparency and accountability are examined and documented MS-2.8 | Data for development; Assessing impact; Objectives for responsible development and use A.7.2, A.5.4, A.5.5 | Natural persons must be informed they are interacting with an AI system Article 50 |
| Technical Documentation (BBOM) Critical | Specific tasks and methods the AI system will support are defined MP-2.1 | Documentation of AI system design and development; Resource documentation A.6.2.3, A.4.2-A.4.6 | Technical documentation per Annex IV before placing system on market Article 11(1), Annex IV |
| Residual Risk Documentation Critical | Negative residual risks to acquirers and end users are documented MG-1.4 | Documentation of impact assessments; Technical documentation; System documentation A.5.3, A.5.4, A.6.2.7, A.8.2 | Technical documentation shall include known circumstances that may lead to risks Article 11, Article 13(3) |
| Monitoring & Logging | |||
| Continuous Monitoring Critical | Ongoing monitoring and periodic review of risk management process with defined roles GV-1.5 | AI risk assessment; AI risk treatment; AI system impact assessment 8.2, 8.3, 8.4 | Residual risk associated with each hazard is judged acceptable with combined risks considered Article 9(3) |
| Event Logging Critical | AI system functionality and behavior are monitored when in production MS-2.4 | Monitoring, measurement, analysis; AI system operation; Recording of event logs 9.1, A.6.2.6, A.6.2.8 | Automatic recording of events (logs) over the lifetime; logging shall ensure traceability Article 12 |
| Emergent Risk Tracking Critical | Approaches to regularly identify and track existing, unanticipated, and emergent AI risks MS-3.1 | AI management system; AI risk assessment; AI system impact assessment 4.4, 8.2, 8.4 | Post-market monitoring system proportionate to the AI technologies and risks Article 72 |
| Robustness & Security | |||
| Safety Evaluation Critical | AI system evaluated for safety risks; demonstrated to be safe with acceptable residual risk MS-2.6 | Verification and validation; Operation and monitoring; Recording of event logs A.6.2.4, A.6.2.6, A.6.2.8, 8.2 | Appropriate level of accuracy, robustness, and cybersecurity throughout lifecycle Article 15(1), Article 15(2) |
| Security & Resilience Critical | AI system security and resilience are evaluated and documented MS-2.7 | Data for development; AI roles; Impact assessment; Design documentation A.7.2, A.3.2, A.2.3, A.5.2 | Resilient against errors, faults, or inconsistencies from environment or human interaction Article 15(5) |
| Accountability & Third-Party Risk | |||
| Roles & Responsibilities High | Roles, responsibilities, and lines of communication for AI risk management are documented GV-2.1 | Roles, responsibilities, authorities; Resources; Competence; Communication 5.3, 7.1, 7.2, 7.3, 7.4 | Providers ensure compliance; deployers assign competent persons with necessary authority Article 16, Article 26 |
| Third-Party Supply Chain Critical | Policies for AI risks with third-party entities including IP and rights infringement GV-6.1 | Allocating responsibilities; Suppliers A.10.2, A.10.3 | Third-party integrators and product manufacturers must comply with provider obligations Article 25 |
| Third-Party Monitoring Critical | Third-party AI risks and benefits regularly monitored with risk controls applied MG-3.1 | Allocating responsibilities; Suppliers A.10.2, A.10.3 | Obligations apply to relevant third parties along the AI value chain Article 28 |
| Data Management & Privacy | |||
| Data Quality & Provenance High | Scientific integrity and TEVV considerations identified including data collection and validation MP-2.3 | Processes for responsible design; Data for development; Acquisition, quality, provenance A.6.1.3, A.6.2.7, A.7.2-A.7.6 | Training, validation, and testing data sets shall meet quality criteria Article 10 |
| Privacy Risk Critical | Privacy risk of the AI system is examined and documented MS-2.10 | Impact assessment process; Data for development; Alignment with policies A.5.2, A.7.2, A.7.3, A.2.3 | Special categories of personal data may be processed subject to appropriate safeguards Article 10(5) |
Generated from the Agentic AI Hub at
techjacksolutions.com/ai/agentic-ai/Sources: NIST AI 100-1 — AI Risk Management Framework 1.0 (January 2023) | NIST AI 600-1 — GenAI Risk Profile (July 2024) | ISO/IEC 42001:2023 — AI Management System | EU AI Act — Regulation (EU) 2024/1689 (August 2024) | NIST AI RMF to ISO/IEC 42001 Official Crosswalk | CSA AI Organizational Responsibilities (October 2024)