EU AI Act articles mapped to ISO 42001 and NIST AI RMF frameworks. A technical reference for compliance implementation.
The EU AI Act (Articles 9-15) establishes risk management, data governance, documentation, human oversight, and security requirements for AI systems. AIR Blackbox provides controls that map directly to these articles and align with ISO 42001 (AI Management System) and NIST AI RMF (AI Risk Management Framework) standards.
This document shows how each EU AI Act article relates to specific ISO 42001 controls and NIST AI RMF categories. It serves as a bridge between regulatory requirements and technical implementation.
| EU AI Act Article | ISO 42001 Controls | NIST AI RMF Functions | Coverage |
|---|---|---|---|
| Article 9 | A.5.1-A.5.4 | GOVERN-1, MAP-1, MAP-2, MEASURE-1 | Full Coverage |
| Article 10 | A.7.1-A.7.3, A.6.2 | GOVERN-1, MAP-1, MEASURE-2 | Full Coverage |
| Article 11 | A.6.2, A.8.1 | GOVERN-1, MAP-1, MAP-3 | Full Coverage |
| Article 12 | A.8.2-A.8.3, A.9.1-A.9.2 | GOVERN-1, MEASURE-3, MANAGE-1 | Partial Coverage |
| Article 14 | A.9.1-A.9.2, A.6.1 | GOVERN-3, MEASURE-4, MANAGE-2 | Full Coverage |
| Article 15 | A.5.4, A.7.1, A.8.1 | GOVERN-1, MEASURE-2, MEASURE-4, MANAGE-2 | Full Coverage |
| EU AI Act Article | AIR Blackbox Controls | Notes |
|---|---|---|
| Article 9 (risk management) | Risk classification of tool calls (LOW → CRITICAL); enforcement of risk-based blocking policies | Systematic identification and mitigation of AI system risks |
| Article 10 (data governance) | PII redaction across recruiting, finance (PCI-DSS), healthcare (HIPAA), and legal domains; GDPR Article 30 processing manifests; data erasure support | |
| Article 11 (technical documentation) | Structured audit logging of full call graphs: chain → LLM → tool → result | Complete technical documentation of AI system operation |
| Article 12 (record-keeping) | HMAC-SHA256 tamper-evident chains; cryptographically signed and linked event logs | Partial coverage: retention policies and long-term archive strategies require organizational process enhancements |
| Article 14 (human oversight) | Exception-based blocking for critical operations, so humans remain in the decision loop | Full audit trails enable post-hoc review and human accountability |
| Article 15 (accuracy, robustness and cybersecurity) | Injection detection (15+ weighted patterns); RAG write gates with source allowlists and content filtering; real-time drift detection for retrieval anomalies | Defense in depth against adversarial attacks |
| Coverage | Meaning |
|---|---|
| Full Coverage | AIR Blackbox provides comprehensive controls that fully satisfy the article's requirements. Regulatory compliance is achievable through proper implementation and configuration of the technical controls provided. |
| Partial Coverage | AIR Blackbox provides core technical controls, but the article also requires organizational governance, policy, or process enhancements beyond the software. Technical controls alone are insufficient; complementary business processes must be established. |
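As an added illustration of the Article 11 and Article 12 controls above (example code, not AIR Blackbox's own): a minimal HMAC-SHA256 hash-chained audit log over a chain → LLM → tool → result call graph, with a verifier that reports the first entry whose link or MAC fails, so an edit, a deleted step, a reordering, or a wrong key is detected. The key, event fields, and log contents are constructed for the example; each entry commits to its sequence number and to the previous entry's MAC, which is what links the chain.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # constructed; a deployment loads the key from a KMS/HSM
GENESIS = "0" * 64  # link value for the first entry


def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so re-serialisation cannot alter the MAC input.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, event: dict) -> None:
    body = {"seq": len(log), "prev_mac": log[-1]["mac"] if log else GENESIS, "event": event}
    entry = dict(body, mac=_mac(key, body))
    log.append(entry)


def first_bad_index(log: list, key: bytes):
    # Returns the index of the first entry whose link or MAC fails, or None if the chain is intact.
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev_mac") != prev:
            return i  # deletion, insertion or reordering broke the link
        if not hmac.compare_digest(entry.get("mac", ""), _mac(key, body)):
            return i  # content or MAC was edited, or a different key was used
        prev = entry["mac"]
    return None


def demo_log(key: bytes = DEMO_KEY) -> list:
    # Constructed call graph in the page's order: chain -> LLM -> tool -> result.
    log: list = []
    for ev in (
        {"kind": "chain", "run": "run-1", "agent": "recruiting-assistant"},
        {"kind": "llm", "run": "run-1", "model": "placeholder-model"},
        {"kind": "tool", "run": "run-1", "name": "send_offer_email", "risk": "CRITICAL", "decision": "BLOCKED"},
        {"kind": "result", "run": "run-1", "status": "awaiting_human_review"},
    ):
        append(log, key, ev)
    return log


def tamper_checks(key: bytes = DEMO_KEY) -> dict:
    intact = demo_log(key)
    edited, deleted, swapped = (json.loads(json.dumps(intact)) for _ in range(3))
    edited[2]["event"]["decision"] = "ALLOWED"       # rewrite a blocked call as allowed
    del deleted[1]                                   # drop the LLM step
    swapped[1], swapped[2] = swapped[2], swapped[1]  # reorder steps
    return {"intact": first_bad_index(intact, key), "edited": first_bad_index(edited, key),
            "deleted": first_bad_index(deleted, key), "swapped": first_bad_index(swapped, key),
            "wrong_key": first_bad_index(intact, b"different-key")}
```

Retention and archival of the verified log are outside what the chain itself provides, which is why the Article 12 row above is marked partial.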