Governance frameworks¶
Voluntary frameworks Regulus maps to. Activation:
The composite of active frameworks produces a single set of FrameworkBindings
the evidence pipeline writes into every audit event.
Shipped frameworks¶
| Framework id | Name | Kind | Notes |
|---|---|---|---|
nist-ai-rmf |
NIST AI Risk Management Framework 1.0 | Voluntary | US reference; GOVERN/MAP/MEASURE/MANAGE |
nist-ai-rmf-600-1 |
NIST AI 600-1 Generative AI Profile | Voluntary | 12 GAI-specific risks (Jul 2024) |
nist-ai-rmf-agent-interop |
NIST AI RMF Agent Interoperability Profile | Voluntary | Planned Q4 2026; placeholder IDs |
iso-42001 |
ISO/IEC 42001 — AI Management System | Certifiable | Same shape as ISO 27001; SoA mandatory for cert |
iso-23894 |
ISO/IEC 23894 — AI risk management | Standard | Companion to 42001 |
iso-23053 |
ISO/IEC 23053 — AI/ML framework | Standard | Reference architecture for AI/ML |
Which frameworks to pick¶
Common combinations:
| Your context | Recommended set |
|---|---|
| US-anchored AI program | nist-ai-rmf, nist-ai-rmf-600-1 |
| Selling into regulated buyers (cert-driven) | iso-42001, iso-23894 |
| Both regions, mature program | nist-ai-rmf, nist-ai-rmf-600-1, iso-42001 |
| Anticipating the Q4 2026 NIST agent profile | + nist-ai-rmf-agent-interop |
When in doubt: pick more. Frameworks compose multiplicatively; no contradictions can arise because each framework's control ids are scoped to the framework. Evidence emission produces one envelope per matching binding, so the same audit event can satisfy multiple framework citations at once.
What's not a framework in Regulus¶
EU AI Act, GDPR, FCA SYSC, NHS DSPT, EHDS, etc. live in Compliance. They're regulations.
The line: cited via a numbered standard or function → framework. Cited via a statute or regulation → regulation. See Concepts → Frameworks vs regulations.