Honest per-control state. COVERED = a specific testable mechanism;
PARTIAL = mechanism exists but incomplete; ROADMAP = planned;
N/A = out of scope (with reason). EU AI Act self-classification:
High-Risk (defense-tech agentic orchestrator).
a11oy Restraint contribution (R5): the governed code-minimization / dependency-frugality ladder (/api/a11oy/v1/restraint/{evaluate,bench,info}) contributes 6 rows below — controls A.6.2, CM-7, MANAGE 2.3, SA-15, SA-8, SR-3 (NIST 800-53 SA-8/SA-15/CM-7/SR-3, NIST AI RMF MANAGE 2.3, ISO 42001 A.6.2). Less code + fewer dependencies = smaller attack / maintenance surface. Wired into Auto-Review as rule AR-006-prefer-minimal-diff. ALIGNS WITH / MAPS TO — NOT certified. open Restraint →
| Control | Framework | Title | a11oy mechanism | Coverage |
|---|---|---|---|---|
| A.2.2 | ISO 42001 | AI policy | Doctrine v11 is the published AI policy; versioned + change-controlled | ● COVERED |
| A.3.2 | ISO 42001 | AI roles & responsibilities | Operator role + clearance captured in every DSSE receipt (AC-2/AC-3) | ● COVERED |
| A.3.3 | ISO 42001 | AI risk reporting | Λ score reported per-inference; no formal periodic risk REPORT output yet | ◐ PARTIAL |
| A.4.6 | ISO 42001 | Human oversight & monitoring | human_override_required Rego gate fires before irreversible actions / low Λ | ● COVERED |
| A.5.4 | ISO 42001 | AI system risk management | 13-axis Λ score computed per inference; sealed into the DSSE receipt | ● COVERED |
| A.6.4 | ISO 42001 | Data provenance | Input hash + model version + lineage recorded in the receipt | ● COVERED |
| A.6.6 | ISO 42001 | AI system verification | Output hash + Lean-verified formula path; locked-proven = 8 @ c7c0ba17 | ◐ PARTIAL |
| A.9.3 | ISO 42001 | Human oversight (use) | Human-override gate; irreversible actions require human confirmation | ● COVERED |
| A.9.4 | ISO 42001 | Incident management | Incident receipt + tamper-evident re-verification at /cosign.pub | ◐ PARTIAL |
| A.10.4 | ISO 42001 | Supplier monitoring | Third-party model attestation; vendor DSSE receipt verification | ◐ PARTIAL |
| GOVERN 1.1 | NIST AI RMF | AI policies & processes | Doctrine v11 + policy-gate configuration inventory | ● COVERED |
| MAP 2.3 | NIST AI RMF | AI capability characterization | Λ scoring methodology + model registry classification | ● COVERED |
| MEASURE 2.8 | NIST AI RMF | Transparency / explainability | Lean-proven formula output exposed in the receipt | ● COVERED |
| MEASURE 3.1 | NIST AI RMF | Risk tracking over time | Continuous Λ score with a timestamp chain of receipts | ◐ PARTIAL |
| GOVERN 3.2 | NIST AI RMF | Workforce DEI | Out of scope for an orchestration layer (organizational control) | — NA |
| MANAGE 4.1 | NIST AI RMF | Post-incident after-action | Incident receipt replay + independent re-verification | ◐ PARTIAL |
| MEASURE 4.2 | NIST AI RMF | Measurement-effectiveness feedback | Λ-score calibration feedback loop | ○ ROADMAP |
| AU-2 | NIST 800-53r5 | Event logging | DSSE-signed audit event per inference (verdict + rule ID) | ● COVERED |
| AU-3 | NIST 800-53r5 | Content of audit records | Timestamp + input/output hash in every receipt | ● COVERED |
| AU-9 | NIST 800-53r5 | Protection of audit information | Records sealed in DSSE envelopes signed by ECDSA-P256; tamper-detectable | ● COVERED |
| CM-8 | NIST 800-53r5 | System component inventory | Model ID + version + digest recorded per inference | ● COVERED |
| RA-3 | NIST 800-53r5 | Risk assessment | 13-axis Λ trust score is the per-inference risk assessment | ● COVERED |
| SI-10 | NIST 800-53r5 | Information input validation | Input hash + classification-boundary gate | ◐ PARTIAL |
| Article 12 | EU AI Act | Record-keeping / logging | Immutable DSSE receipt per inference satisfies automatic logging | ● COVERED |
| Article 14 | EU AI Act | Human oversight | Human-in-the-loop override gate; human-on-loop for SIMULATED effectors | ● COVERED |
| Article 9 | EU AI Act | Risk management system (High-Risk) | Λ-gated policy enforcement; no formal QMS document yet | ○ ROADMAP |
| SA-8 | NIST 800-53r5 | Security engineering principles (economy of mechanism) | Restraint 6-rung frugality ladder runs before every diff; the agent emits the minimal viable code (fewest files, smallest surface); each decision is a signed DSSE receipt + Λ score (/api/a11oy/v1/restraint/evaluate) | ● COVERED |
| CM-7 | NIST 800-53r5 | Least functionality | YAGNI rung skips speculative abstractions; the ladder prefers stdlib/native over bespoke code, minimising functionality + attack surface. Auto-Review rule AR-006 (prefer-minimal-diff) narrows a bloated diff that skipped the ladder | ● COVERED |
| SA-15 | NIST 800-53r5 | Development process, standards & tools | Restraint is wired into the dev path as a pre-write reflex with a promptfoo-style two-arm benchmark (baseline vs restraint), honestly labelled MEASURED-or-SAMPLE/ROADMAP; restraint: ceiling comments name each deliberate simplification's upgrade path | ◐ PARTIAL |
| SR-3 | NIST 800-53r5 | Supply chain controls & processes | Dependency-frugality: the 'already-installed dependency' rung prefers deps already in the image and discourages adding new third-party packages, shrinking supply-chain exposure. No formal SBOM gate on the restraint path yet | ◐ PARTIAL |
| MANAGE 2.3 | NIST AI RMF | Manage residual / supply-chain risk (code & dependency frugality) | Restraint reduces residual maintenance + supply-chain risk by minimising generated code and new dependencies; the Auto-Review classifier consumes the restraint verdict as a governance signal (AR-006) and seals the rung into the signed verdict | ● COVERED |
| A.6.2 | ISO 42001 | AI system lifecycle — responsible design & development | Frugality ladder is applied in the design/development phase of the AI code agent; deliberate simplifications are documented via restraint: ceiling comments and signed receipts, supporting responsible, auditable development | ◐ PARTIAL |
Each proprietary Λ axis gets an industry-standard referent so external evaluators recognise it without a custom glossary.
| Λ axis | Trust dimension | NIST AI RMF | Credo AI / MIT | Mechanism | State |
|---|---|---|---|---|---|
| Λ1 | scoring methodology / documentation | MEASURE 2.1 | Information Integrity (methodology) | Λ 13-axis scoring rubric documented + exposed in every DSSE receipt | COVERED |
| Λ2 | factual accuracy / hallucination rate | MEASURE 2.2 | Information Integrity | Lean-proven formula verification; factuality axis scored per inference | COVERED |
| Λ3 | robustness / adversarial resistance | MEASURE 2.3 | Security (adversarial resistance) | Red-team / prompt-injection resistance score feeds the robustness axis | PARTIAL |
| Λ4 | operational resilience | MEASURE 2.4 | Security (resilience) | Resilience axis from szl_resilience degradation/fallback telemetry | PARTIAL |
| Λ5 | safety / harm avoidance | MEASURE 2.5 | Harmful Content Generation | Output content-safety classifier feeds the safety axis; gate halts on DENY | COVERED |
| Λ6 | fairness / demographic parity | MEASURE 2.6 | Fairness and Bias | Statistical bias detection on outputs feeds the fairness axis | PARTIAL |
| Λ7 | privacy / data minimization | MEASURE 2.7 | Privacy | PII detection on inputs/outputs feeds the privacy axis | PARTIAL |
| Λ8 | transparency / explainability | MEASURE 2.8 | Information Integrity (transparency) | Lean-proven formula output exposed in the DSSE receipt for every decision | COVERED |
| Λ9 | security posture score | MEASURE 2.9 | Security | SLSA build posture + signed deployment digest + sentinel rules score | PARTIAL |
| Λ10 | societal impact / mission alignment | MEASURE 2.10 | Societal Harm | Authorization-boundary + human-override gate firing rate feeds the impact axis | PARTIAL |
| Λ11 | autonomy scope / action class | MAP 2.1 | AI Agency and Autonomy | Action-class gate thresholds bound autonomous actions; irreversible → human override | COVERED |
| Λ12 | third-party / vendor risk | GOVERN 6.1 | Third-Party and Vendor Risk | Third-party model attestation + vendor DSSE receipt verification | PARTIAL |
| Λ13 | malicious-use / intent classification | MEASURE 2.5 | Malicious Use | Use-case intent classifier + policy gate; DENY on prohibited use class | PARTIAL |
Gates are published policy-as-code; the bundle is version-locked by a SHA-256 digest that every DSSE receipt cites, so a receipt proves WHICH policy version made the decision. Each receipt field maps to specific control IDs (800-53 AU/CM/RA family, EU AI Act Art. 12/14, ISO 42001 A.x). Receipts are ECDSA-P256/DSSE signed; re-verify at /cosign.pub.
sha256:4b035da9e752dcdb81c8390974752fc729da8192e60a0459de50a05d4c9563baMachine-readable OSCAL (control source = usnistgov/oscal-content SP 800-53 Rev 5
catalog), committed to the repo at
compliance/oscal/a11oy-component-definition.json and served live below.
ALIGNMENT only — never a certification artifact.
The SAME live /grc/matrix + /grc/oscal controls rendered on the shared 0-CDN
holographic kit as a floating control grid: a green sphere = COVERED (a specific
testable mechanism), amber = PARTIAL, red = ROADMAP / gap.
When a control is backed by a signed DSSE receipt, a signed evidence pulse lights its edge to the framework hub.
ALIGNS WITH / maps to the frameworks — never certified. CPU/old-GPU renders the same data on a 2D canvas
fallback; the coverage table above is the complete non-3D experience. Patterns: NIST OSCAL, Credo AI, OneTrust.
/grc/matrix + /grc/oscal endpoints. The coverage table above is always available as the fallback./grc/matrix; gaps are shown honestly. 0 runtime CDN · WebGL2 + 2D fallback · Λ = Conjecture 1 (<1.0) · trust < 100%.