{
  "meta": {
    "generatedAt": "2026-06-03T23:20:56.983Z",
    "count": 4,
    "permalink": "/standards/enforceable-governance-crosswalks",
    "release": {
      "id": "2026.01",
      "label": "2026.01",
      "date": "2026-01-09",
      "permalink": "/api/v/2026.01"
    }
  },
  "controls": [
    {
      "id": "CTRL-01",
      "type": "crosswalk-control",
      "obligation": "Maintain human oversight with real stop authority for high-risk decisions.",
      "frameworks": {
        "euAiAct": "Article 14 (Human oversight)",
        "nistAiRmf": "GOV 3.2, MAP 4.1",
        "iso42001": "Clause 8.2 (Operational planning and control)"
      },
      "evidence_artifacts": [
        "Named on-call oversight roster",
        "Stop-action drill records",
        "Override event log with timestamps"
      ],
      "operational_surface": "Halt and escalation control panel",
      "href": "/standards/enforceable-governance-crosswalks",
      "refs": [
        "EU-AI-ACT",
        "NIST-AI-RMF",
        "ISO-IEC-42001"
      ],
      "deprecated_by": null,
      "supersedes": []
    },
    {
      "id": "CTRL-02",
      "type": "crosswalk-control",
      "obligation": "Demonstrate risk management and controls before deployment and at major changes.",
      "frameworks": {
        "euAiAct": "Article 9 (Risk management system)",
        "nistAiRmf": "MAP 1.4, MEASURE 2.2",
        "iso42001": "Clause 6.1 and 8.1 (Risk and operation planning)"
      },
      "evidence_artifacts": [
        "Current risk register slice",
        "Pre-release validation results",
        "Mitigation owner assignment with due dates"
      ],
      "operational_surface": "Release gate evidence checklist",
      "href": "/standards/enforceable-governance-crosswalks",
      "refs": [
        "EU-AI-ACT",
        "NIST-AI-RMF",
        "ISO-IEC-42001"
      ],
      "deprecated_by": null,
      "supersedes": []
    },
    {
      "id": "CTRL-03",
      "type": "crosswalk-control",
      "obligation": "Operate post-market monitoring and incident reporting with response clocks.",
      "frameworks": {
        "euAiAct": "Articles 72 and 73 (Post-market monitoring and incident reporting)",
        "nistAiRmf": "MANAGE 3.3, MANAGE 4.1",
        "iso42001": "Clause 9.1 and 10.1 (Monitoring and improvement)"
      },
      "evidence_artifacts": [
        "Post-market monitoring dashboard export",
        "Incident intake record with severity and deadline",
        "Remediation and closure log"
      ],
      "operational_surface": "Incident intake, triage, and regulator export workflow",
      "href": "/standards/enforceable-governance-crosswalks",
      "refs": [
        "EU-AI-ACT",
        "NIST-AI-RMF",
        "ISO-IEC-42001"
      ],
      "deprecated_by": null,
      "supersedes": []
    },
    {
      "id": "CTRL-04",
      "type": "crosswalk-control",
      "obligation": "Provide traceability so affected decisions can be reconstructed and contested.",
      "frameworks": {
        "euAiAct": "Article 12 (Record keeping)",
        "nistAiRmf": "MEASURE 2.11, GOVERN 6.1",
        "iso42001": "Clause 7.5 (Documented information)"
      },
      "evidence_artifacts": [
        "Decision record with model/version context",
        "Appeal-event timeline",
        "Retention and retrieval policy"
      ],
      "operational_surface": "Decision ledger and appeal history view",
      "href": "/standards/enforceable-governance-crosswalks",
      "refs": [
        "EU-AI-ACT",
        "NIST-AI-RMF",
        "ISO-IEC-42001"
      ],
      "deprecated_by": null,
      "supersedes": []
    }
  ]
}