
The receipt is the evidence.

Every framework that governs AI in production asks for the same three things: what model ran, what it did, did it stay inside its lane. A .kolm answers all three by construction: artifact CID, input/output hashes, K-score and gate, HMAC chain, replay months later. This page maps that to the frameworks themselves.
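As an added illustration of the receipt mechanics described above (this is example code written for this page, not kolm's own implementation or schema), the following Python builds a small HMAC-chained receipt log carrying the fields named in the paragraph and then verifies it. The field names, the demo key, the artifact CID and the three sample runs are constructed assumptions; the point is what the verifier catches: an edited gate value (MAC mismatch), a deleted receipt (sequence gap), and a replayed run whose output no longer hashes to what the receipt recorded.

```python
import hashlib
import hmac
import json

# Assumed receipt schema for illustration only; kolm's real field names may differ.
# Everything in RECEIPT_FIELDS is covered by the MAC; "mac" itself is appended after.
RECEIPT_FIELDS = ("seq", "artifact_cid", "input_sha", "output_sha",
                  "k_score", "gate", "prev_mac")
GENESIS = "0" * 64  # prev_mac of the first receipt in a fresh log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(receipt: dict) -> bytes:
    """Deterministic encoding of the authenticated fields (sorted keys, no whitespace)."""
    body = {k: receipt[k] for k in RECEIPT_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_receipt(key: bytes, seq: int, artifact_cid: str, model_input: bytes,
                 model_output: bytes, k_score: float, gate: str, prev_mac: str) -> dict:
    """One receipt: what ran (CID), what it saw/produced (hashes), the score and gate,
    linked to the previous receipt through prev_mac and sealed with an HMAC."""
    r = {"seq": seq, "artifact_cid": artifact_cid,
         "input_sha": sha256_hex(model_input), "output_sha": sha256_hex(model_output),
         "k_score": k_score, "gate": gate, "prev_mac": prev_mac}
    r["mac"] = hmac.new(key, canonical(r), hashlib.sha256).hexdigest()
    return r


def verify_chain(key: bytes, lines: list) -> tuple:
    """Walk a receipt JSONL. Returns (ok, reason). Fails on a sequence gap,
    a broken prev_mac link, or a MAC that does not match the receipt body."""
    prev, expected_seq = GENESIS, 0
    for n, line in enumerate(lines):
        r = json.loads(line)
        if r["seq"] != expected_seq:
            return False, f"line {n}: sequence gap (expected {expected_seq}, got {r['seq']})"
        if r["prev_mac"] != prev:
            return False, f"line {n}: chain break (prev_mac does not match previous receipt)"
        calc = hmac.new(key, canonical(r), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(calc, r["mac"]):
            return False, f"line {n}: MAC mismatch (receipt modified)"
        prev, expected_seq = r["mac"], expected_seq + 1
    return True, f"{expected_seq} receipts verified"


def replay_matches(receipt_line: str, model_input: bytes, model_output: bytes) -> bool:
    """Replay check months later: do the re-run's input and output hash to the recorded values?"""
    r = json.loads(receipt_line)
    return (r["input_sha"] == sha256_hex(model_input)
            and r["output_sha"] == sha256_hex(model_output))


def demo() -> dict:
    """Constructed scenario: three runs, then three things an auditor would want caught."""
    key = b"constructed-demo-key-not-for-production"  # assumption: a per-deployment HMAC key
    cid = "bafy-constructed-artifact-cid"             # assumption: content ID of the model artifact
    runs = [(b"prompt one", b"answer one", 0.12, "pass"),
            (b"prompt two", b"answer two", 0.91, "block"),
            (b"prompt three", b"answer three", 0.30, "pass")]
    log, prev = [], GENESIS
    for i, (inp, out, score, gate) in enumerate(runs):
        r = make_receipt(key, i, cid, inp, out, score, gate, prev)
        prev = r["mac"]
        log.append(json.dumps(r, sort_keys=True))

    intact_ok, _ = verify_chain(key, log)

    # Tamper: quietly flip receipt 1's gate from "block" to "pass" without re-MACing.
    t = json.loads(log[1]); t["gate"] = "pass"
    edited = log[:1] + [json.dumps(t, sort_keys=True)] + log[2:]
    edited_ok, edited_reason = verify_chain(key, edited)

    # Tamper: drop receipt 1 entirely.
    dropped_ok, dropped_reason = verify_chain(key, log[:1] + log[2:])

    return {"intact_ok": intact_ok,
            "edited_ok": edited_ok, "edited_reason": edited_reason,
            "dropped_ok": dropped_ok, "dropped_reason": dropped_reason,
            "replay_same": replay_matches(log[0], b"prompt one", b"answer one"),
            "replay_drift": replay_matches(log[0], b"prompt one", b"a different answer")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The verifier deliberately checks three independent things, because each defeats a different edit: the sequence number catches deletion, prev_mac catches reordering or splicing, and the MAC catches in-place modification of any authenticated field. Note that an attacker holding the HMAC key can re-seal a rewritten log, so key custody (or moving to a signature or an externally anchored hash) is where the evidentiary weight really sits.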

Frameworks mapped

NIST AI RMF 1.0 + GenAI Profile (live)

GOVERN · MAP · MEASURE · MANAGE. 31 subcategories mapped to specific fields in the .kolm manifest, receipt JSONL, and kolm CLI verbs. Reviewed against the July 2024 GenAI profile.

NIST AI RMF 1.0 + NIST AI 600-1 (view mapping →)

HIPAA Safe Harbor + Privacy Rule (live)

The HIPAA compliance pack (/compliance-packs) ships an 18-identifier Safe Harbor verifier, a BAA workflow, and the receipt schema that covered-entity counsel actually accepts.

45 CFR §164.514(b) Safe Harbor (healthcare overview)

SR 11-7 + OCC 2011-12 Model Risk (live)

Receipts as the model log: conceptual soundness from provenance, ongoing performance monitoring from the month-by-month K-score, and outcomes analysis from replay against input_sha + output_sha. See the bank case study for what an examiner actually accepted.

Federal Reserve SR 11-7 (case study →)

ISO/IEC 42001 (AI management) (in progress)

Clause-by-clause mapping is on the May calendar. The AI management system requirements (planning, support, operation, performance evaluation, improvement) map cleanly to the kolm runtime and audit log; we are writing the table now.

ISO/IEC 42001:2023 (ETA: late May 2026)

EU AI Act (high-risk systems) (in progress)

Article 12 (record-keeping), Article 13 (transparency), Article 15 (accuracy + robustness + cybersecurity), Article 17 (quality management). Same receipt+manifest spine, restated against the high-risk obligations. Drafting against the final consolidated text.

Regulation (EU) 2024/1689 (ETA: June 2026)

SOC 2 + ISO 27001 (controls cross-walk) (in progress)

Not AI-specific, but every buyer's procurement reviewer asks. We are pulling the relevant SOC 2 Common Criteria (CC series) and ISO 27001 Annex A controls (A.5 and A.8 in the 2022 numbering; A.12 and A.14 in the 2013 edition, which many reviewers' checklists still cite) and pointing each at the corresponding kolm artifact. SOC 2 Type II for the company itself is at /soc2.

AICPA TSC + ISO/IEC 27001:2022 (ETA: July 2026)

How the mapping works

Each mapping table answers the same questions, in the same shape, for every control:

If a control is not covered by the artifact spine, we say so explicitly. Example: human-in-the-loop oversight (MG-3.x) is governance you implement, not something a manifest field can satisfy. We do not claim otherwise.

What we are not

We do not certify your compliance. We do not write your policies. We do not stand between you and your auditor.

What we do: ship the artifacts that turn "did the model behave" from an asserted answer into a replayable one. Your compliance team and your auditor decide whether the evidence satisfies the framework. We give them something to point at that is not vibes.

compliance@kolm.ai if you want a framework added to this page.