Risk-classified AI systems · Annex III high-risk · GPAI · post-market monitoring · serious-incident reporting · FRIA · transparency Art 50/53
Frameworks
13 frameworks shipped in V1 — every one declared as a dictionary so a single classification engine, evidence matcher, and obligation tracker work across all of them. New frameworks land monthly.
AIMS structure · risk treatment · impact assessment · operational planning · supplier requirements · monitoring + measurement · improvement
Annex A controls (93) · ISMS scope · risk treatment · management review · continual improvement · Annex SL aligned
PII processor + controller · 6.x extension to ISO 27001 · privacy by design · data subject rights
Lawful basis · Art 22 automated decisions · Art 25 by-design · Art 28 processors · Art 35 DPIA · Art 32 security · breach notification
Administrative · physical · technical safeguards · BA agreements · breach notification · individual rights · accounting of disclosures
CC1-CC9 · A1 availability · C1 confidentiality · PI1 processing integrity · P1-P8 privacy · 12-month observation period
Controls relevant to financial reporting at user entities · 6-12 month testing · ISAE 3402 alignment
12 requirements · cardholder-data protection · network segmentation · access control · vulnerability management · monitoring
Govern · Map · Measure · Manage · trustworthy AI characteristics · profiles for use cases
Govern · Identify · Protect · Detect · Respond · Recover · 6 functions · Implementation Tiers · Profiles
ICT risk management · ICT incident reporting · digital operational resilience testing · ICT third-party risk · information sharing
Consumer rights · sensitive personal info · service-provider obligations · automated decision-making opt-out · risk assessments
Custom frameworks
On the Enterprise plan, bring us any regulation, standard, or internal control catalog and we'll model it as a dictionary entry within 30 days. Includes clauses, controls, evidence types, and crosswalks to the 13 built-in frameworks.