Compliance Mapping

EU AI Act, ISO 42001, NIST AI RMF, SOC 2 — Directive 0418

EU AI Act (2024/1689) Mapping

Article	Requirement	ETHRAEON Control	Status
Art. 9	Risk Management System	CDASA 6-dim scoring + mutation gate thresholds	MET
Art. 10	Data Governance	DELTASUM canonical hashes, PROMOTION_ONLY policy	MET
Art. 11	Technical Documentation	CONSTITUTION.md, MANIFEST.yaml, CDASA_MANIFEST.yaml	MET
Art. 12	Record Keeping	Evidence Graph (EDG), DIRECTIVE_LEDGER, events.jsonl	MET
Art. 13	Transparency	Trust snapshot, assurance.html, architecture diagram	MET
Art. 14	Human Oversight	AC-1 authority hierarchy, CANON_MUTATION requires manual approval	MET
Art. 15	Accuracy, Robustness, Cybersecurity	27 SSA tests, sovereign mode, tamper detection, SBOM	MET
Art. 17	Quality Management System	T5-RIGID governance, validate_canon_pack.js, full_estate_validate.sh	MET
Art. 52	Transparency for AI interaction	All AI agents declared in AGENT.md, evidence-mandatory	MET
Art. 72	Post-market monitoring	Nightly chron, monitoring dashboard, health.json	MET

ISO/IEC 42001:2023 (AI Management System) Mapping

Clause	Requirement	ETHRAEON Control	Status
4.1	Context of the Organization	CONSTITUTION.md defines organizational purpose and AI principles	MET
5.1	Leadership & Commitment	AC-1 authority, Founder's Law, immutable governance docs	MET
5.2	AI Policy	T5-RIGID policy, PROMOTION_ONLY, FAIL-CLOSED	MET
6.1	Risk Assessment	CDASA scoring dimensions: regulatory, ethical, IP, temporal, sovereign	MET
7.2	Competence	Authority level matrix (AC-1 through AC-4), CODEOWNERS	MET
7.5	Documented Information	420+ evidence directives, SHA-256 receipts, DIRECTIVE_LEDGER	MET
8.1	Operational Planning & Control	Deployment scripts, CI pipelines, estate validation harness	MET
8.4	AI System Impact Assessment	CDASA mutation gate, canon threshold enforcement	MET
9.1	Monitoring & Measurement	status.html, health.json, metering pipeline, nightly chron	MET
10.1	Continual Improvement	Directive wave system, promotion-only expansion	MET

NIST AI Risk Management Framework (AI RMF 1.0) Mapping

Function	Category	ETHRAEON Control	Status
GOVERN	1.1 Legal & regulatory compliance	Entity tracker, compliance mapping, AI Act alignment	MET
GOVERN	1.3 Organizational AI policies	CONSTITUTION.md, PROMOTION_ONLY, T5-RIGID	MET
MAP	2.1 Context of use documented	CDASA_MANIFEST.yaml, system registry, architecture diagrams	MET
MAP	2.3 Scientific integrity	Canonical hashes, evidence trails, peer-review ready artifacts	MET
MEASURE	3.1 Appropriate metrics used	6-dimension scoring, threshold constants, classification bands	MET
MEASURE	3.3 Tracked, documented, auditable	EDG nodes, evidence directives, trust snapshots	MET
MANAGE	4.1 Risk prioritized & managed	Mutation gate thresholds, canon candidate escalation	MET
MANAGE	4.2 Actionable plans maintained	OPERATIONS_RUNBOOK.md, key rotation playbook, deploy scripts	MET

SOC 2 Trust Service Criteria Mapping

Criteria	Principle	ETHRAEON Control	Status
CC6.1	Security	SECURITY.md, CODEOWNERS, branch protection, key rotation, sovereign mode	MET
CC7.2	Availability	Health monitoring, status page, deploy bundle validation, CF Pages	MET
CC8.1	Processing Integrity	DELTASUM hashes, canon pack validation, estate validation harness	MET
PI1.3	Processing Integrity	CDASA mutation gate -- no unscored data enters canon	MET

Cross-Framework Coverage

ETHRAEON System	Frameworks Addressed
CONSTITUTION.md	EU AI ActISO 42001NIST RMF
CDASA Scoring	EU AI ActISO 42001NIST RMF
DELTASUM Hashes	EU AI ActSOC 2
Evidence Graph	EU AI ActISO 42001NIST RMFSOC 2
Sovereign Mode	EU AI ActSOC 2
Mutation Gate	ISO 42001NIST RMFSOC 2
Key Rotation	SOC 2
SBOM	EU AI ActSOC 2