From framework to enforceable control
Each obligation below maps to a concrete deterministic capability — enforcement, reproducibility, or evidence — not a policy PDF. The same primitives (a pre-execution gate, a signed decision record, and offline replay) satisfy obligations across every framework; only the policy expressed in them changes.
| Framework | Obligation | Deterministic capability |
|---|---|---|
| EU AI Act | Art. 9 risk management · Art. 12 record-keeping · Art. 14 human oversight | Pre-execution enforcement, signed decision records, and HITL escalation. |
| SR 11-7 | Model risk management — effective challenge & ongoing monitoring | Policy decoupled from the model; independent, reproducible verification of every decision. |
| HIPAA | Minimum necessary & access controls for PHI in AI workflows | Confidentiality guards that block disclosure before it happens, with an audit trail. |
| ECOA / Reg B | Fair lending — adverse action reasons, non-discrimination | Reason-coded decisions and an evidence pack proving how each applicant was treated. |
| NIST AI RMF | Govern · Map · Measure · Manage | A governance control plane spanning enforcement, measurement, and signed evidence. |
Informational mapping, not legal advice. EVE Governance supports your compliance program; it does not replace counsel.
The evidence pack behind every verdict
Record-keeping and oversight obligations all reduce to one question: can you show, later, exactly what was decided and why? Every governed decision emits the same self-contained record.
Signed & tamper-evident
An Ed25519 signature over the decision content. An examiner re-verifies it offline, years later, with no EVE service in the loop — proving the record was not altered.
Replay-reproducible
The same inputs against the same policy version reconstruct the identical content hash and verdict. "Reproduce it for me" has a literal, deterministic answer.
Reason-coded
The named rule and reason code that fired travel with the record — so adverse-action explanations and oversight reviews read from fact, not reconstruction.
Policy-versioned
Each record pins the exact policy version that governed it. When the model updates, you can show what changed in governance — and what didn't.
Oversight-ready
High-stakes or low-confidence decisions route to a human before execution, and that escalation is itself recorded — satisfying meaningful human-oversight requirements.
Measurable
Every verdict is a structured event, so allow/block rates, escalations, and policy coverage are measurable and monitorable — the Measure and Manage functions, by construction.
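The six properties above (signed, replay-reproducible, reason-coded, policy-versioned, oversight-ready, measurable) can be shown end to end in a few dozen lines. The following Go program is an added illustration written for this page, not EVE Governance code; the record schema, the toy policy `policy-v3`, its rule names, reason codes and the sample inputs are all constructed for the example. It uses only the Go standard library (`crypto/ed25519`, `crypto/sha256`, `encoding/json`): a decision is evaluated by a pre-execution gate, serialised canonically, hashed and signed; an examiner with nothing but the stored record and public key re-verifies it offline; replaying the same inputs against the pinned policy version reproduces the same content hash; and a single edited field makes verification fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// DecisionRecord is the self-contained evidence record. Field names are this
// example's assumption, not a published schema. Field order is fixed by the
// struct and map keys are sorted by encoding/json, so the bytes are canonical.
type DecisionRecord struct {
	DecisionID    string            `json:"decision_id"`
	PolicyVersion string            `json:"policy_version"` // pins the governing policy
	Inputs        map[string]string `json:"inputs"`
	Verdict       string            `json:"verdict"` // allow | block | escalate
	Rule          string            `json:"rule"`    // named rule that fired
	ReasonCode    string            `json:"reason_code"`
}

// SignedRecord is what is stored: content, its hash, the Ed25519 signature over
// the canonical content bytes, and the public key an examiner needs offline.
type SignedRecord struct {
	Record      DecisionRecord `json:"record"`
	ContentHash string         `json:"content_hash"`
	Signature   string         `json:"signature"`
	PublicKey   string         `json:"public_key"`
}

func canonicalBytes(r DecisionRecord) ([]byte, error) { return json.Marshal(r) }

// ContentHash is the hex SHA-256 of the canonical record bytes.
func ContentHash(r DecisionRecord) (string, error) {
	b, err := canonicalBytes(r)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// Evaluate is a constructed, deterministic policy: it blocks external
// disclosure of PHI, escalates low-confidence or unparseable decisions to a
// human (fail closed), and otherwise allows. Unknown policy versions escalate.
func Evaluate(policyVersion string, inputs map[string]string) (verdict, rule, reason string) {
	if policyVersion != "policy-v3" {
		return "escalate", "unknown-policy-version", "POLICY_UNKNOWN"
	}
	if inputs["contains_phi"] == "true" && inputs["destination"] == "external" {
		return "block", "phi-external-disclosure", "PHI_EXTERNAL"
	}
	conf, err := strconv.ParseFloat(inputs["confidence"], 64)
	if err != nil || conf < 0.80 {
		return "escalate", "low-confidence-hitl", "LOW_CONFIDENCE"
	}
	return "allow", "default-allow", "OK"
}

// Decide runs the gate before execution and emits the signed evidence record.
func Decide(signer ed25519.PrivateKey, id, policyVersion string, inputs map[string]string) (SignedRecord, error) {
	verdict, rule, reason := Evaluate(policyVersion, inputs)
	rec := DecisionRecord{DecisionID: id, PolicyVersion: policyVersion, Inputs: inputs,
		Verdict: verdict, Rule: rule, ReasonCode: reason}
	b, err := canonicalBytes(rec)
	if err != nil {
		return SignedRecord{}, err
	}
	sum := sha256.Sum256(b)
	pub := signer.Public().(ed25519.PublicKey)
	return SignedRecord{Record: rec, ContentHash: hex.EncodeToString(sum[:]),
		Signature: hex.EncodeToString(ed25519.Sign(signer, b)), PublicKey: hex.EncodeToString(pub)}, nil
}

// Verify is the examiner's offline check: recompute the hash from the stored
// content, then check the signature with the embedded public key only.
func Verify(s SignedRecord) (bool, error) {
	pub, err := hex.DecodeString(s.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false, errors.New("malformed public key")
	}
	sig, err := hex.DecodeString(s.Signature)
	if err != nil {
		return false, err
	}
	b, err := canonicalBytes(s.Record)
	if err != nil {
		return false, err
	}
	sum := sha256.Sum256(b)
	if hex.EncodeToString(sum[:]) != s.ContentHash {
		return false, nil // content no longer matches the hash that was signed
	}
	return ed25519.Verify(ed25519.PublicKey(pub), b, sig), nil
}

// Replay re-runs the pinned policy version on the recorded inputs and checks
// that it reconstructs the identical content hash.
func Replay(s SignedRecord) (bool, error) {
	again := s.Record
	again.Verdict, again.Rule, again.ReasonCode = Evaluate(s.Record.PolicyVersion, s.Record.Inputs)
	h, err := ContentHash(again)
	return h == s.ContentHash, err
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample input: an agent trying to email PHI externally.
	inputs := map[string]string{"action": "send_email", "destination": "external",
		"contains_phi": "true", "confidence": "0.97"}
	rec, _ := Decide(priv, "dec-0001", "policy-v3", inputs)
	ok, _ := Verify(rec)
	rep, _ := Replay(rec)
	fmt.Printf("verdict=%s rule=%s reason=%s verify=%v replay=%v\n",
		rec.Record.Verdict, rec.Record.Rule, rec.Record.ReasonCode, ok, rep)
	tampered := rec
	tampered.Record.Verdict = "allow" // one edited field breaks the hash and signature
	ok, _ = Verify(tampered)
	fmt.Printf("tampered record verifies: %v\n", ok)
}
```

Two design points carry the weight here: the signature covers the canonical bytes of the whole record, including `policy_version` and `inputs`, so an examiner cannot be shown a different policy or input set than the one that produced the verdict; and `Replay` depends only on the stored record and the policy code for that version, which is exactly the "independent, reproducible verification" the SR 11-7 row asks for.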
How the mapping holds, framework by framework
EU AI Act
For high-risk systems, Article 9 expects risk controls operating across the lifecycle, Article 12 expects automatic record-keeping of events, and Article 14 expects effective human oversight. A deterministic gate enforces the control before output, the signed record is the Article 12 log by default, and confidence-gated HITL escalation is the oversight hook — each captured as evidence rather than asserted in a binder.
SR 11-7 (Model Risk)
Effective challenge and ongoing monitoring assume you can independently verify what a model did. Because governance policy is decoupled from the model weights, the control surface does not silently shift when the model is retrained, and every decision is independently reproducible — giving model-risk teams a verification path that does not depend on the model vendor.
HIPAA
Minimum-necessary and access expectations for PHI in AI workflows are enforced as pre-execution confidentiality guards: disclosure is blocked before it happens, not flagged after, and each block leaves an auditable record of what was withheld and under which rule.
ECOA / Regulation B
Fair-lending obligations require specific adverse-action reasons and non-discrimination. Reason-coded decisions give each applicant a concrete, recorded basis, and the per-decision evidence pack lets you demonstrate — applicant by applicant — how the decision was reached and that the same policy applied to everyone.
NIST AI RMF
Govern, Map, Measure, and Manage are not a product — they are functions a control plane performs. Enforcement covers Govern and Manage, the structured decision stream covers Measure, and the signed evidence trail makes the whole loop demonstrable to a third party.
Mappings are illustrative of how deterministic controls support these obligations and are not a certification or attestation of compliance. Confirm applicability with your own counsel and examiners.
Book a Governance Assessment
A working session mapping your highest-risk AI workflows to deterministic controls and the evidence your examiners will ask for.