Open standards & artifacts for accountable systems.

Crosswalk

Permanent link /standards/enforceable-governance-crosswalks

Framework map for buyers and auditors

A specific, current crosswalk from Ethotechnics controls to framework obligations, buyer checks, and evidence requests.

Buyer + auditor use

Know what Ethotechnics can and cannot do.

Start with the quick scan table, then open only the framework detail card you need for evidence collection.

Start here

Start here

Plain-language guide

Use this page when you need procurement-ready or audit-ready answers without reading every standards document first.

  • This crosswalk is reviewed against current Ethotechnics controls and release evidence (updated 2026-02-22).
  • Rows separate controls that are immediately usable from controls that require local framework extensions.
  • Every framework row includes concrete buyer/auditor checks and a specific first move.

Summary

How to use this page

Pick a framework, verify the status, run the first move, then request the listed evidence artifacts.

Quick process

  1. Check whether the row is Ready now or Needs local extension.
  2. Assign the accountable owner for the first move.
  3. Request evidence artifacts before contract sign-off or audit close.

Quick scan

Framework-by-framework implementation crosswalk

This table is specific to current Ethotechnics controls and highlights what still requires local implementation work.

Framework Status Mapped control + reference What Ethotechnics covers Recommended first move Detailed links
EU AI Act (high-risk context) Ready now CTRL-03
Articles 9, 12, 14, 72, 73 		Risk management, traceability, human oversight, and post-market reporting controls with exportable evidence. Run a release-readiness review against incident reporting clocks and escalation ownership. Open control brief
Open framework details
NIST AI RMF 1.0 Ready now CTRL-02
GOV, MAP, MEASURE, MANAGE 		Operational governance controls mapped to release gates, pre-release validation, and mitigation ownership. Use the risk radar and burden modeler before every high-stakes launch decision. Open control brief
Open framework details
ISO/IEC 42001 Ready now CTRL-02
Clause 6.1, 8.1, 8.2, 9.1, 10.1 		AIMS-aligned lifecycle controls for planning, operation, monitoring, and continual improvement. Cross-check your AIMS internal-audit scope against evidence-pack artifacts and owners. Open control brief
Open framework details
ISO/IEC 27001 Needs local extension CTRL-04
Annex A control families + ISMS records 		Traceability, retention, and reconstruction controls that support ISMS evidence, but org-specific Annex A controls remain local. Map Ethotechnics decision records into your existing Annex A control matrix. Open control brief
Open framework details
SOC 2 (AICPA TSC) Needs local extension CTRL-01
CC-series (security, availability, integrity) 		Human oversight, escalation, and change-control evidence that supports common SOC 2 control expectations. Bind oversight drill records to your SOC 2 control narratives before the next audit cycle. Open control brief
Open framework details
IEC 61508 Needs local extension CTRL-01
Safety lifecycle obligations 		Stop authority and incident-route controls that support safety operations, while SIL determination and hardware safety remain implementation-specific. Use Ethotechnics controls as governance overlays inside your existing safety lifecycle artifacts. Open control brief
Open framework details

Deep dive

Framework details (expand what you need)

Each card includes concrete checks and evidence asks you can use in procurement packets or audit walkthroughs.

EU AI Act (high-risk context)

Status: Ready now

Mapped Ethotechnics controls: CTRL-01 — Maintain human oversight with real stop authority for high-risk decisions. ; CTRL-02 — Demonstrate risk management and controls before deployment and at major changes. ; CTRL-03 — Operate post-market monitoring and incident reporting with response clocks. ; CTRL-04 — Provide traceability so affected decisions can be reconstructed and contested.

Framework reference: Articles 9, 12, 14, 72, 73

Risk management, traceability, human oversight, and post-market reporting controls with exportable evidence.

Buyer/auditor checks:

  • Named owner for incident reporting clocks and regulator submissions.
  • Decision-level records retained with version context.
  • Documented stop authority and oversight rota for high-risk actions.

Evidence to request first:

  • Named on-call oversight roster
  • Stop-action drill records
  • Override event log with timestamps
  • Current risk register slice
  • Pre-release validation results
  • Mitigation owner assignment with due dates
  • Post-market monitoring dashboard export
  • Incident intake record with severity and deadline
  • Remediation and closure log
  • Decision record with model/version context
  • Appeal-event timeline
  • Retention and retrieval policy

Operational surface: Halt and escalation control panel · Release gate evidence checklist · Incident intake, triage, and regulator export workflow · Decision ledger and appeal history view

Detailed links: EU AI Act explainer · Incident lessons hub

NIST AI RMF 1.0

Status: Ready now

Mapped Ethotechnics controls: CTRL-02 — Demonstrate risk management and controls before deployment and at major changes.

Framework reference: GOV, MAP, MEASURE, MANAGE

Operational governance controls mapped to release gates, pre-release validation, and mitigation ownership.

Buyer/auditor checks:

  • Current risk register slice tied to system version and owner.
  • Validation thresholds defined before launch (not after incidents).
  • Mitigation backlog includes due dates and accountable humans.

Evidence to request first:

  • Current risk register slice
  • Pre-release validation results
  • Mitigation owner assignment with due dates

Operational surface: Release gate evidence checklist

Detailed links: NIST AI RMF implementation page · Risk radar validator

ISO/IEC 42001

Status: Ready now

Mapped Ethotechnics controls: CTRL-02 — Demonstrate risk management and controls before deployment and at major changes.

Framework reference: Clause 6.1, 8.1, 8.2, 9.1, 10.1

AIMS-aligned lifecycle controls for planning, operation, monitoring, and continual improvement.

Buyer/auditor checks:

  • Policy record references concrete operational controls and review cadence.
  • Internal audits sample real evidence artifacts, not only policy PDFs.
  • Corrective actions are linked to incident and remediation logs.

Evidence to request first:

  • Current risk register slice
  • Pre-release validation results
  • Mitigation owner assignment with due dates

Operational surface: Release gate evidence checklist

Detailed links: ISO/IEC 42001 overview · Evidence pack readiness

ISO/IEC 27001

Status: Needs local extension

Mapped Ethotechnics controls: CTRL-04 — Provide traceability so affected decisions can be reconstructed and contested.

Framework reference: Annex A control families + ISMS records

Traceability, retention, and reconstruction controls that support ISMS evidence, but org-specific Annex A controls remain local.

Buyer/auditor checks:

  • Access control and key management ownership are documented in your ISMS.
  • Retention periods in Ethotechnics records align with ISMS policy.
  • Exception handling is approved and logged with expiry dates.

Evidence to request first:

  • Decision record with model/version context
  • Appeal-event timeline
  • Retention and retrieval policy

Operational surface: Decision ledger and appeal history view

Detailed links: Governance capability explainer · Mechanisms catalog

SOC 2 (AICPA TSC)

Status: Needs local extension

Mapped Ethotechnics controls: CTRL-01 — Maintain human oversight with real stop authority for high-risk decisions.

Framework reference: CC-series (security, availability, integrity)

Human oversight, escalation, and change-control evidence that supports common SOC 2 control expectations.

Buyer/auditor checks:

  • Control owner matrix includes response-time commitments.
  • Change approvals include model-version context and rollback path.
  • Audit trail supports challenge-response testing during fieldwork.

Evidence to request first:

  • Named on-call oversight roster
  • Stop-action drill records
  • Override event log with timestamps

Operational surface: Halt and escalation control panel

Detailed links: Where this binds · Failure postmortem template

IEC 61508

Status: Needs local extension

Mapped Ethotechnics controls: CTRL-01 — Maintain human oversight with real stop authority for high-risk decisions.

Framework reference: Safety lifecycle obligations

Stop authority and incident-route controls that support safety operations, while SIL determination and hardware safety remain implementation-specific.

Buyer/auditor checks:

  • Safety-case assumptions are explicit and version-controlled.
  • Escalation paths define human authority at each hazard tier.
  • Post-incident closure includes residual risk statement.

Evidence to request first:

  • Named on-call oversight roster
  • Stop-action drill records
  • Override event log with timestamps

Operational surface: Halt and escalation control panel

Detailed links: STD-06 human-impact safety case · Incident memo template

Pair these controls with the evidence pack readiness diagnostic before launch and after any major incident.

Ops loop

Incident reporting as a first-class governance flow

Post-market work should be routable, time-bound, and exportable rather than buried in retrospectives.

  1. Intake: Capture incident class, severity, impacted parties, and owner within one clock tick.
  2. Triage: Apply stop/degrade decisions and publish expected next update time.
  3. Remediation: Link fix actions to evidence artifacts and restoration targets.
  4. Regulatory reporting: Export regulator-ready summary with timeline, controls, and attachments.
  5. Closure and learning: Record closure decision, residual risk, and prevention commitments.

Core evidence pack minimum:

  • Policy record with approver and revision date
  • Risk register slice for the affected workflow
  • Latest validator/test run with pass-fail thresholds
  • Human-oversight and escalation logs
  • Incident ledger entries and repair outcomes

Citation

Reference this crosswalk

Use the canonical permalink and version in policy, procurement, and audit artifacts.

Copy citation (APA/BibTeX)

Cite this page Formats: APA, MLA, Chicago, BibTeX, RIS

Version

v0.3.0

Last updated

Feb 22, 2026

DOI

Pending Zenodo deposit

APA

Ethotechnics Governance Council. (2026). Framework map for buyers and auditors. Ethotechnics Institute. https://ethotechnics.org/standards/enforceable-governance-crosswalks

MLA

Ethotechnics Governance Council. "Framework map for buyers and auditors." Ethotechnics Institute, 2026, https://ethotechnics.org/standards/enforceable-governance-crosswalks.

Chicago

Ethotechnics Governance Council. "Framework map for buyers and auditors." Ethotechnics Institute. Feb 22, 2026. https://ethotechnics.org/standards/enforceable-governance-crosswalks.

BibTeX

@misc{ethotechnics_standards_enforceable_governance_crosswalks,
  title={Framework map for buyers and auditors},
  author={Ethotechnics Governance Council},
  year={2026},
  howpublished={Ethotechnics Institute},
  url={https://ethotechnics.org/standards/enforceable-governance-crosswalks},
  version={v0.3.0}
}

RIS

TY  - WEB
TI  - Framework map for buyers and auditors
AU  - Ethotechnics Governance Council
PY  - 2026
UR  - https://ethotechnics.org/standards/enforceable-governance-crosswalks
ER  -

See also: Standards · Mechanisms