OneCompliant maps directly to the frameworks CISOs and compliance teams are already accountable to. EU AI Act. NIST AI RMF. ISO 42001. GDPR. Not a new language to learn — a practical implementation of the standards you already know.
High-risk classification, conformity obligations, human oversight, and audit trail requirements
Govern, Map, Measure, and Manage functions operationalised through OASF and Aegis
AI management system requirements mapped to OneCompliant platform capabilities
Personal data protection obligations in AI contexts — data minimisation, purpose limitation, and audit rights
The CISO question is always: "How does this map to what I'm already accountable for?" OneCompliant's answer is direct — OASF is a practical implementation of NIST AI RMF and EU AI Act obligations, not a replacement framework. The controls you implement with OneCompliant are the evidence your regulator requires.
The EU AI Act creates binding obligations for providers and deployers of AI systems — particularly high-risk AI. OneCompliant maps directly to the key operative requirements that regulated enterprises must evidence.
| EU AI Act Requirement | What It Requires | OneCompliant Capability |
|---|---|---|
| Article 9 — Risk Management | Ongoing risk identification, analysis, and mitigation for high-risk AI systems | OASAT assessment provides the risk identification and scoring. Aegis Risk module provides ongoing governance scoring and reporting. |
| Article 10 — Data Governance | Appropriate data governance practices for training, validation, and testing data | OASF data governance domain defines data handling controls. Aegis Guard inspects and protects sensitive data at runtime. |
| Article 12 — Record Keeping | Automatic logging of events throughout the AI system's lifecycle | Aegis Audit provides complete, tamper-evident interaction logging for every AI event — who, what, when, which model, what was redacted. |
| Article 13 — Transparency | AI systems must be designed to enable deployers to interpret outputs and use them appropriately | Aegis routing transparency — every model selection and policy decision is logged with rationale. |
| Article 14 — Human Oversight | High-risk AI systems must allow effective human oversight and intervention | Aegis Policy enforces human oversight requirements — blocking or flagging interactions that require human review before proceeding. |
| Article 17 — Quality Management | Documented quality management system covering design, testing, risk management, and post-market monitoring | OASF provides the governance framework documentation. Aegis provides the operational evidence of controls in place. |
The NIST AI Risk Management Framework defines four core functions: Govern, Map, Measure, and Manage. OneCompliant operationalises each function through its platform components — moving the NIST AI RMF from a document into enforced operational controls.
| NIST AI RMF Function | What It Requires | OneCompliant Capability |
|---|---|---|
| GOVERN | Policies, processes, and accountability structures for AI risk management across the organisation | OASF defines the governance framework — policy domains, control categories, accountability boundaries, and decision authorities. |
| MAP | Identify and classify AI risks in context — use cases, stakeholders, data, and impact | OASAT assessment maps all AI usage, classifies risk by domain and business unit, and contextualises against regulatory obligations. |
| MEASURE | Analyse, assess, and track AI risks using quantitative and qualitative methods | OASAT provides risk scoring and maturity measurement. Aegis Risk provides continuous governance measurement through live usage data. |
| MANAGE | Prioritise and respond to AI risks — implement controls, monitor continuously, and escalate incidents | Aegis provides runtime management — policy enforcement, prompt inspection, model routing, and continuous audit logging. |
ISO 42001 is the international standard for AI management systems — defining requirements for organisations that develop, provide, or use AI. OneCompliant maps to the key clauses that regulated enterprises must address.
| ISO 42001 Clause | Requirement | OneCompliant Capability |
|---|---|---|
| Clause 6 — Planning | AI risk and opportunity identification, AI objectives, and planning to achieve them | OASAT assessment provides the risk identification and opportunity mapping required for ISO 42001 planning obligations. |
| Clause 8 — Operation | Operational planning and control, including AI system lifecycle management | OASF and Aegis provide the operational controls for AI system use — access management, data governance, policy enforcement. |
| Clause 9 — Performance Evaluation | Monitoring, measurement, analysis, and evaluation of the AI management system | Aegis Audit and Aegis Risk provide the continuous monitoring and measurement evidence required for ISO 42001 evaluation. |
| Clause 10 — Improvement | Nonconformity, corrective action, and continual improvement of the AI management system | OASAT provides periodic reassessment capability. Aegis governance reporting identifies policy violations and control gaps for remediation. |
| Annex A — AI Controls | Specific AI controls covering impact assessment, data quality, human oversight, transparency | OASF control domains map directly to ISO 42001 Annex A controls — providing the documented control evidence required for certification. |
GDPR does not have an AI exemption. When personal data is processed through AI systems — including being sent to external LLMs — all GDPR obligations apply. Most enterprises have significant unaddressed GDPR risk in their AI workflows.
| GDPR Principle | AI Context Risk | OneCompliant Control |
|---|---|---|
| Data Minimisation | Employees routinely include more personal data in AI prompts than necessary for the task | Aegis Guard inspects prompts and redacts excessive PII before transmission — enforcing data minimisation at runtime. |
| Purpose Limitation | Personal data collected for one purpose is being processed through AI systems for different purposes | OASF policy engine defines permitted AI use cases per data category. Aegis enforces those boundaries at the point of every interaction. |
| Accountability | Organisations cannot demonstrate what personal data was processed by which AI system, when, and why | Aegis Audit provides the complete processing record — every interaction logged with data classification, model used, and policy outcome. |
| Third Country Transfers | Sending personal data to US-based LLM providers may constitute a third-country transfer under GDPR | Aegis Routing can enforce data residency constraints — routing sensitive data only to EU-hosted or approved model providers. |
An OASAT Assessment maps your current AI usage against EU AI Act, NIST AI RMF, ISO 42001, and GDPR obligations — and produces a prioritised remediation roadmap. Fixed price. Delivered in weeks.