Section 08 · Standards Crosswalk
Audit-defensible. Not audit-driven.
This crosswalk maps the Secure-by-Design Operating Model to major regulatory and standards regimes, without turning the framework into a compliance-heavy artifact. The core stays operational. The overlay enables audit defensibility, regulatory readiness, enterprise adoption acceleration, and adaptability across industries.
Stance
Compliance by design, not retrofit. The framework is standards-aligned because the underlying operating model is sound, not because alignment was bolted on after the fact.
NIST AI RMF
The framework operationalizes NIST AI RMF inside the SDLC rather than leaving it abstract. Each RMF function maps to specific sections of the operating model.
| RMF Function | Framework Component |
|---|---|
| Govern | Section 01: Operating Model; Section 02: Risk Tiering |
| Map | Section 03: Threat Modeling; Section 02: Risk Dimensions |
| Measure | Section 05: Monitoring & Drift |
| Manage | Section 04: Secure SDLC; Section 06: Incident Response |
EU AI Act
The Tier model maps naturally to EU AI Act risk categories. For Tier 3–4 systems, the framework already includes risk documentation, monitoring, incident reporting, and governance review, making compliance achievable without redesign.
| EU AI Act | Framework Tier | Operational Note |
|---|---|---|
| Minimal Risk | Tier 1 | Lightweight controls |
| Limited Risk | Tier 2 | Threat model required |
| High Risk | Tier 3 | Formal review and red team testing |
| High Risk + Critical Automation | Tier 4 | Executive visibility, documented risk acceptance, regulatory reporting playbook |
SOC 2 Trust Services Criteria
AI-specific impacts touch Security, Availability, Processing Integrity, Confidentiality, and Privacy. Mapping examples:
| SOC 2 Area | Framework Component |
|---|---|
| Logical Access | Section 04: SDLC controls (intake, registry, deployment) |
| Change Management | Model versioning and rollback (Sections 04, 06) |
| Monitoring | Section 05: four-layer monitoring model |
| Incident Response | Section 06: AI incident taxonomy and response workflow |
| Vendor Management | Section 04 vendor AI due diligence checklist, plus Section 02 vendor opacity dimension |
ISO 27001
AI governance primarily intersects with five Annex A control families (identifiers below follow the ISO/IEC 27001:2013 Annex A numbering). The AI system registry becomes an asset class, risk tiering aligns with the standard's risk assessment requirements, and the vendor AI checklist satisfies supplier oversight.
| Annex A Control Family | Framework Component |
|---|---|
| A.5 Information Security Policies | Policy framing in Sections 01–02 |
| A.8 Asset Management | AI system registry as a distinct asset class |
| A.12 Operations Security | Monitoring and drift governance (Section 05) |
| A.15 Supplier Relationships | Vendor AI due diligence checklist (Section 04) |
| A.16 Incident Management | Section 06: AI incident taxonomy and response phases |