Gallery

Contacts

405 W. Greenlawn Ave Lansing, Michigan 48910

contact@techjacksolutions.com

+1-616-320-4064

Agent Governance Crosswalk — Tech Jacks Solutions

Agent Governance Crosswalk

NIST AI RMF ↔ ISO 42001 ↔ EU AI Act — Agent-Specific Controls

50 Control Mappings 3 Frameworks Agent-Specific Guidance
Critical — Fundamentally different for agents
High — Substantial adaptation needed
Medium — Moderate adjustments

Recommended: Print in landscape orientation for best readability.

Control Area NIST AI RMF ISO 42001 EU AI Act
Governance & Oversight
Legal & Regulatory Requirements Critical Legal and regulatory requirements involving AI are understood, managed, and documented GV-1.1 Understanding organizational context; AI objectives and planning 4.1, 6.2, A.2.2, A.2.4 Classification rules for high-risk AI systems; providers must determine AI system risk category Article 6, Article 7
Trustworthy AI Integration Critical Trustworthy AI characteristics integrated into organizational policies and practices GV-1.2 AI management system; AI policy; Objectives for responsible use; Suppliers 4.4, 5.2, A.9.3, A.10.3 Risk management system shall be established as a continuous iterative process throughout the lifecycle Article 9(1)
AI System Inventory Critical Mechanisms to inventory AI systems, resourced according to organizational risk priorities GV-1.6 Resource documentation; Data, tooling, system/computing, and human resources A.4.2, A.4.3, A.4.4, A.4.5, A.4.6 Providers shall register themselves and their systems in the EU database before placing on market Article 49
Decommissioning Critical Processes for decommissioning and phasing out AI systems safely GV-1.7 AI system operation and monitoring A.6.2.6 Deployers shall have the ability to fully understand, interrupt, or stop the system at any time Article 22
Executive Accountability High Executive leadership takes responsibility for AI risk decisions GV-2.3 Leadership and commitment; AI policy; Management review 5.1, 5.2, 9.3.1, 9.3.2, 9.3.3 Providers shall put a quality management system in place with documented policies approved by management Article 17(1)
Human Oversight
Human-AI Configuration Critical Policies to define roles and responsibilities for human-AI configurations and oversight GV-3.2 Competence; Processes for responsible design; Objectives for responsible use 7.2, A.6.1.3, A.9.3, A.4.6 High-risk AI systems shall be designed to be effectively overseen by natural persons during use Article 14
Knowledge Limits Critical Information about AI system knowledge limits and human utilization is documented MP-2.2 Technical documentation; Objectives for responsible use; System documentation A.6.2.7, A.9.3, A.8.2 Persons assigned to oversight shall understand AI system capacities and limitations Article 14(4)
Oversight Architecture Critical Processes for human oversight are defined, assessed, and documented MP-3.5 Processes for responsible design; Technical documentation; System documentation A.6.1.3, A.6.2.7, A.8.2 High-risk AI systems designed to be overseen by natural persons to prevent/minimize risks Article 14(1), Article 14(2)
Kill Switch / Override Critical Mechanisms to supersede, disengage, or deactivate AI systems with inconsistent performance MG-2.4 Intended use of the AI system; System documentation; Technical documentation A.9.4, A.8.2, A.6.2.7 Ability to intervene in or interrupt the system through a stop button or similar procedure Article 14(3)(d), Article 14(3)(e)
Risk Management
Risk Tolerance Critical Processes to determine needed level of risk management based on organizational risk tolerance GV-1.3 General planning; AI risk assessment; AI risk treatment 6.1.1, 6.1.2, 6.1.3 Risk management shall identify and analyze known and foreseeable risks to health, safety, or rights Article 9(2)
Intended Purpose Critical Intended purposes, context-specific laws, norms, and deployment settings are documented MP-1.1 AI system impact assessment; Documentation; Assessing impact on individuals and society 6.1.4, A.5.2, A.5.3, A.5.4, A.5.5 Identify and analyze risks associated with intended purpose of the high-risk AI system Article 9(2)(a)
Supply Chain Risk Critical Approaches for mapping AI technology and legal risks of components including third-party data/software MP-4.1 Understanding organizational context; AI policy; Processes for responsible use 4.1, A.2.2, A.9.2, A.9.4 High-risk AI systems shall be resilient against unauthorized third-party attempts to alter use or outputs Article 15(4)
Incident Response Critical Procedures to respond to and recover from previously unknown risks when identified MG-2.3 General planning; AI risk assessment; AI risk treatment; Nonconformity and corrective action 6.1.1, 6.1.2, 6.1.3, 10.2 Providers shall ensure corrective actions without undue delay, including withdrawal or recall Article 20
Transparency & Documentation
Capability Disclosure Critical Teams document risks and potential impacts and communicate about impacts broadly GV-4.2 Communication; AI system impact assessment; Assessing impact on individuals 7.4, 6.1.4, A.5.4, A.5.5 Operation sufficiently transparent to enable deployers to interpret output and use appropriately Article 13
AI Identification Critical Risks associated with transparency and accountability are examined and documented MS-2.8 Data for development; Assessing impact; Objectives for responsible development and use A.7.2, A.5.4, A.5.5 Natural persons must be informed they are interacting with an AI system Article 50
Technical Documentation (BBOM) Critical Specific tasks and methods the AI system will support are defined MP-2.1 Documentation of AI system design and development; Resource documentation A.6.2.3, A.4.2-A.4.6 Technical documentation per Annex IV before placing system on market Article 11(1), Annex IV
Residual Risk Documentation Critical Negative residual risks to acquirers and end users are documented MG-1.4 Documentation of impact assessments; Technical documentation; System documentation A.5.3, A.5.4, A.6.2.7, A.8.2 Technical documentation shall include known circumstances that may lead to risks Article 11, Article 13(3)
Monitoring & Logging
Continuous Monitoring Critical Ongoing monitoring and periodic review of risk management process with defined roles GV-1.5 AI risk assessment; AI risk treatment; AI system impact assessment 8.2, 8.3, 8.4 Residual risk associated with each hazard is judged acceptable with combined risks considered Article 9(3)
Event Logging Critical AI system functionality and behavior are monitored when in production MS-2.4 Monitoring, measurement, analysis; AI system operation; Recording of event logs 9.1, A.6.2.6, A.6.2.8 Automatic recording of events (logs) over the lifetime; logging shall ensure traceability Article 12
Emergent Risk Tracking Critical Approaches to regularly identify and track existing, unanticipated, and emergent AI risks MS-3.1 AI management system; AI risk assessment; AI system impact assessment 4.4, 8.2, 8.4 Post-market monitoring system proportionate to the AI technologies and risks Article 72
Robustness & Security
Safety Evaluation Critical AI system evaluated for safety risks; demonstrated to be safe with acceptable residual risk MS-2.6 Verification and validation; Operation and monitoring; Recording of event logs A.6.2.4, A.6.2.6, A.6.2.8, 8.2 Appropriate level of accuracy, robustness, and cybersecurity throughout lifecycle Article 15(1), Article 15(2)
Security & Resilience Critical AI system security and resilience are evaluated and documented MS-2.7 Data for development; AI roles; Impact assessment; Design documentation A.7.2, A.3.2, A.2.3, A.5.2 Resilient against errors, faults, or inconsistencies from environment or human interaction Article 15(5)
Accountability & Third-Party Risk
Roles & Responsibilities High Roles, responsibilities, and lines of communication for AI risk management are documented GV-2.1 Roles, responsibilities, authorities; Resources; Competence; Communication 5.3, 7.1, 7.2, 7.3, 7.4 Providers ensure compliance; deployers assign competent persons with necessary authority Article 16, Article 26
Third-Party Supply Chain Critical Policies for AI risks with third-party entities including IP and rights infringement GV-6.1 Allocating responsibilities; Suppliers A.10.2, A.10.3 Third-party integrators and product manufacturers must comply with provider obligations Article 25
Third-Party Monitoring Critical Third-party AI risks and benefits regularly monitored with risk controls applied MG-3.1 Allocating responsibilities; Suppliers A.10.2, A.10.3 Obligations apply to relevant third parties along the AI value chain Article 28
Data Management & Privacy
Data Quality & Provenance High Scientific integrity and TEVV considerations identified including data collection and validation MP-2.3 Processes for responsible design; Data for development; Acquisition, quality, provenance A.6.1.3, A.6.2.7, A.7.2-A.7.6 Training, validation, and testing data sets shall meet quality criteria Article 10
Privacy Risk Critical Privacy risk of the AI system is examined and documented MS-2.10 Impact assessment process; Data for development; Alignment with policies A.5.2, A.7.2, A.7.3, A.2.3 Special categories of personal data may be processed subject to appropriate safeguards Article 10(5)