Solutions Aegis Industries Insights Pricing Company Request Assessment
Compliance Hub

Speak the language of the regulator.

OneCompliant maps directly to the frameworks CISOs and compliance teams are already accountable to. EU AI Act. NIST AI RMF. ISO 42001. GDPR. Not a new language to learn — a practical implementation of the standards you already know.

Framework Coverage

Every major AI governance obligation — covered.

Aligned

EU AI Act

High-risk classification, conformity obligations, human oversight, and audit trail requirements

Aligned

NIST AI RMF

Govern, Map, Measure, and Manage functions operationalised through OASF and Aegis

Mapped

ISO 42001

AI management system requirements mapped to OneCompliant platform capabilities

Mapped

GDPR + AI

Personal data protection obligations in AI contexts — data minimisation, purpose limitation, and audit rights

The CISO question is always: "How does this map to what I'm already accountable for?" OneCompliant's answer is direct — OASF is a practical implementation of NIST AI RMF and EU AI Act obligations, not a replacement framework. The controls you implement with OneCompliant are the evidence your regulator requires.

EU AI Act

EU AI Act — Operational Mapping

The EU AI Act creates binding obligations for providers and deployers of AI systems — particularly high-risk AI. OneCompliant maps directly to the key operative requirements that regulated enterprises must evidence.

EU AI Act RequirementWhat It RequiresOneCompliant Capability
Article 9 — Risk ManagementOngoing risk identification, analysis, and mitigation for high-risk AI systemsOASAT assessment provides the risk identification and scoring. Aegis Risk module provides ongoing governance scoring and reporting.
Article 10 — Data GovernanceAppropriate data governance practices for training, validation, and testing dataOASF data governance domain defines data handling controls. Aegis Guard inspects and protects sensitive data at runtime.
Article 12 — Record KeepingAutomatic logging of events throughout the AI system's lifecycleAegis Audit provides complete, tamper-evident interaction logging for every AI event — who, what, when, which model, what was redacted.
Article 13 — TransparencyAI systems must be designed to enable deployers to interpret outputs and use them appropriatelyAegis routing transparency — every model selection and policy decision is logged with rationale.
Article 14 — Human OversightHigh-risk AI systems must allow effective human oversight and interventionAegis Policy enforces human oversight requirements — blocking or flagging interactions that require human review before proceeding.
Article 17 — Quality ManagementDocumented quality management system covering design, testing, risk management, and post-market monitoringOASF provides the governance framework documentation. Aegis provides the operational evidence of controls in place.
NIST AI RMF

NIST AI RMF — Function Mapping

The NIST AI Risk Management Framework defines four core functions: Govern, Map, Measure, and Manage. OneCompliant operationalises each function through its platform components — moving the NIST AI RMF from a document into enforced operational controls.

NIST AI RMF FunctionWhat It RequiresOneCompliant Capability
GOVERNPolicies, processes, and accountability structures for AI risk management across the organisationOASF defines the governance framework — policy domains, control categories, accountability boundaries, and decision authorities.
MAPIdentify and classify AI risks in context — use cases, stakeholders, data, and impactOASAT assessment maps all AI usage, classifies risk by domain and business unit, and contextualises against regulatory obligations.
MEASUREAnalyse, assess, and track AI risks using quantitative and qualitative methodsOASAT provides risk scoring and maturity measurement. Aegis Risk provides continuous governance measurement through live usage data.
MANAGEPrioritise and respond to AI risks — implement controls, monitor continuously, and escalate incidentsAegis provides runtime management — policy enforcement, prompt inspection, model routing, and continuous audit logging.
ISO 42001

ISO 42001 — AI Management System Mapping

ISO 42001 is the international standard for AI management systems — defining requirements for organisations that develop, provide, or use AI. OneCompliant maps to the key clauses that regulated enterprises must address.

ISO 42001 ClauseRequirementOneCompliant Capability
Clause 6 — PlanningAI risk and opportunity identification, AI objectives, and planning to achieve themOASAT assessment provides the risk identification and opportunity mapping required for ISO 42001 planning obligations.
Clause 8 — OperationOperational planning and control, including AI system lifecycle managementOASF and Aegis provide the operational controls for AI system use — access management, data governance, policy enforcement.
Clause 9 — Performance EvaluationMonitoring, measurement, analysis, and evaluation of the AI management systemAegis Audit and Aegis Risk provide the continuous monitoring and measurement evidence required for ISO 42001 evaluation.
Clause 10 — ImprovementNonconformity, corrective action, and continual improvement of the AI management systemOASAT provides periodic reassessment capability. Aegis governance reporting identifies policy violations and control gaps for remediation.
Annex A — AI ControlsSpecific AI controls covering impact assessment, data quality, human oversight, transparencyOASF control domains map directly to ISO 42001 Annex A controls — providing the documented control evidence required for certification.
GDPR + AI

GDPR in AI Contexts — Data Protection Obligations

GDPR does not have an AI exemption. When personal data is processed through AI systems — including being sent to external LLMs — all GDPR obligations apply. Most enterprises have significant unaddressed GDPR risk in their AI workflows.

GDPR PrincipleAI Context RiskOneCompliant Control
Data MinimisationEmployees routinely include more personal data in AI prompts than necessary for the taskAegis Guard inspects prompts and redacts excessive PII before transmission — enforcing data minimisation at runtime.
Purpose LimitationPersonal data collected for one purpose is being processed through AI systems for different purposesOASF policy engine defines permitted AI use cases per data category. Aegis enforces those boundaries at the point of every interaction.
AccountabilityOrganisations cannot demonstrate what personal data was processed by which AI system, when, and whyAegis Audit provides the complete processing record — every interaction logged with data classification, model used, and policy outcome.
Third Country TransfersSending personal data to US-based LLM providers may constitute a third-country transfer under GDPRAegis Routing can enforce data residency constraints — routing sensitive data only to EU-hosted or approved model providers.

Know your compliance gaps before the regulator does.

An OASAT Assessment maps your current AI usage against EU AI Act, NIST AI RMF, ISO 42001, and GDPR obligations — and produces a prioritised remediation roadmap. Fixed price. Delivered in weeks.

Request Assessment View Solutions