NIST AI Risk Management Framework (AI RMF 1.0) Crosswalk
How Verdifax's cryptographic-attestation infrastructure maps onto the subcategories of the NIST AI Risk Management Framework version 1.0 (NIST AI 100-1), the Generative AI Profile (NIST AI 600-1), and the seven Trustworthy AI characteristics. This is a self-published mapping document. NIST does not certify products; the framework is voluntary and outcome-based. The companion PDF in the Verdifax data room covers the same material.
Verdifax is policy-as-code, not policy-as-document
The NIST AI RMF defines outcomes; Verdifax compiles those outcomes into cryptographic enforcement at the gateway. A NIST subcategory such as MEASURE 2.7 (security and resilience) becomes a runtime check executed on every governed run, not a periodic written attestation produced after the fact. This is the architectural shift the industry calls the move from policy-as-document to policy-as-code, and it is the same category as the Microsoft Agent Governance Toolkit (governing digital agents), the SINT Protocol (governing physical robotics), and the AI-SAFE2 Framework (the GRC operating-system layer). Verdifax sits inside this category as the cryptographic-attestation primitive for AI inference, which any of the above can plug into when they need third-party-verifiable evidence of what a model actually did.
What this document is, and is not
Is: a mapping showing where Verdifax materially supports each RMF subcategory.
Is not: a NIST validation. NIST does not certify products. Real third-party validation comes from accredited certifications (ISO/IEC 42001 via BSI, Schellman, etc.) or independent security audits (Trail of Bits, NCC Group). Those are separate exercises tracked outside this document.
The framework, briefly
NIST AI RMF 1.0 (NIST AI 100-1, January 2023) is voluntary, rights-preserving, and sector-agnostic. It defines:
- Four core functions: GOVERN, MAP, MEASURE, MANAGE
- Subcategories under each function (e.g. GOVERN 1.1, MEASURE 2.7) naming specific outcomes
- Seven Trustworthy AI characteristics (Section 3): valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, fair with harmful bias managed
- A separate Generative AI Profile (NIST AI 600-1, July 2024) overlaying twelve GAI-specific risk categories
The framework is a vocabulary and an architecture, not a certification. Most large-enterprise AI procurement teams use it as a checklist for governance maturity.
GOVERN function
| Subcategory | What Verdifax provides |
|---|---|
| GOVERN 1.1 (legal & regulatory understanding) | Structured LegalEvidenceArtifact per governed run, mapped to SR 11-7, EU AI Act Article 13, HIPAA Security Rule, SOX, FRE 901, eIDAS, PACE 1984 |
| GOVERN 1.2 (trustworthy AI integrated) | Verdifax is the technical integration layer; the seven characteristics map to Verdifax outputs (see Trustworthy AI section below) |
| GOVERN 1.3 and 1.4 (risk tolerance, transparent policies) | Per-project PEPG policy files encode risk tolerance; every run records the policy version (by hash) in effect at decision time |
| GOVERN 1.6 (inventory AI systems) | Sigstore Rekor anchoring creates a continuous public inventory: every sealed run is a timestamped public log entry |
| GOVERN 2.1, 2.3 (accountability, executive responsibility) | NREP (Non-Repudiation Engine Protocol) binds every signature to an actor identity via the API key; cross-tenant signatures are cryptographically distinguishable |
| GOVERN 4.2 (document risks and impacts) | The audit PDF per run is the documentation; human-readable, references regulatory clauses, lists real-backend vs development-mode adapters |
| GOVERN 4.3 (testing, incidents, information sharing) | Sigstore Rekor is the public information-sharing layer; CCV halt receipts, MACC budget breach receipts, PEPG deny receipts are sealed incident records |
| GOVERN 6.1, 6.2 (third-party risks and contingency) | AIVP wraps third-party model calls; vendor outputs bound to PIA hash, immune to retroactive vendor changes; record persists even if vendor disappears |
MAP function
| Subcategory | What Verdifax provides |
|---|---|
| MAP 1.1 (intended purposes documented) | Per-project AttestedContext carries intended-purpose, applicable regulatory framework, use-case classification; flows through the audit bundle |
| MAP 1.4 (business value/context) | AttestedContext schema is extensible; customer_segment, decision_class, risk_tier all carry through without modification |
| MAP 1.5 (risk tolerances determined) | PEPG admission-control thresholds, CCV runtime-budget thresholds, MACC cross-run thresholds; each policy file independently versioned |
| MAP 2.1 (specific tasks defined) | DKEC (Deterministic Kernel Execution Controller) names the computational kernel per run; kernel identifier embedded in the audit bundle |
| MAP 2.3 (TEVV considerations) | The AER (Attestation Execution Record) is the TEVV evidence object; per-stage attestations capture cryptographic state with hash chains |
| MAP 4.1 (third-party data/software risks) | AIVP records model vendor, version, parameters, prompt per run; license compliance recoverable per run |
| MAP 5.1 (impact magnitude documented) | LegalEvidenceArtifact carries impact-classification fields aligned with EU AI Act Article 13 risk classification |
MEASURE function
The function with Verdifax's strongest material fit.
| Subcategory | What Verdifax provides |
|---|---|
| MEASURE 1.1 (measurement approaches) | The manifest hash (SHA-256 over RFC 8785 JCS canonicalization) is the measurement primitive: a single recomputable value uniquely identifying the run, anchored to a public timestamp via Sigstore Rekor |
| MEASURE 2.1 (TEVV documentation) | Every Verdifax run is itself a TEVV record; AER per-stage attestations document which stages executed with what inputs producing what cryptographic outputs |
| MEASURE 2.3 (performance/assurance criteria) | Audit PDF includes assurance criteria values (latency, token counts, cost) per run |
| MEASURE 2.4 (production monitoring) | Every governed run is monitored end-to-end; production-time monitoring is not an add-on, it is the substrate |
| MEASURE 2.5 (valid and reliable) | Deterministic pipeline guarantees identical canonical inputs produce identical manifest hashes; 200+ test suite; production track record |
| MEASURE 2.6 (safety risks) | CCV per-run budgets, MACC cross-run cumulative budgets, PEPG admission control; budget breaches produce sealed halt receipts |
| MEASURE 2.7 (security and resilience) | HSM-KEK custody (AWS KMS, FIPS 140-2 Level 2, us-east-1), Ed25519 actor signatures, per-record AES-256-GCM envelope encryption |
| MEASURE 2.8 (transparency and accountability) | MIT-licensed verdifax-verify CLI on GitHub; transparency independent of Verdifax cooperation |
| MEASURE 2.9 (model explained, output interpreted in context) | AIVP-bound PIA hash inseparably binds model output to model identifier, prompt, and AttestedContext |
| MEASURE 2.10 (privacy risk) | CRES (Cryptographic Record Erasure System) implements GDPR Article 17 and HIPAA §164.530(j) via cryptographic data-encryption-key destruction; audit trail integrity preserved |
| MEASURE 3.1 (regularly identify and track risks) | Sigstore Rekor log is a continuous append-only public record; emergent risks become trackable via Rekor query |
| MEASURE 4.1 (measurement approaches connected to context) | The verifier is the connection-back-to-context primitive; domain experts can recompute and validate independent of Verdifax |
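An added illustration of the recomputation behind the MEASURE 1.1 and MEASURE 2.5 rows, not Verdifax's code or the verdifax-verify implementation: SHA-256 over an RFC 8785 canonical form, restricted here to objects, arrays, strings, integers, booleans and null. The manifest field names and values are hypothetical, constructed for the example.

```python
import hashlib
import json

def _no_dupes(pairs):
    # Duplicate keys let two parsers read different values from one document.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate object key")
    return dict(pairs)

def jcs_subset(value):
    """RFC 8785 canonical form for objects, arrays, strings, ints, bools, null."""
    if value is None or isinstance(value, bool):
        return json.dumps(value)
    if isinstance(value, int):
        if abs(value) > 2**53 - 1:
            raise ValueError("integer not exactly representable as a JSON number")
        return str(value)
    if isinstance(value, str):
        return json.dumps(value, ensure_ascii=False)
    if isinstance(value, list):
        return "[" + ",".join(jcs_subset(v) for v in value) + "]"
    if isinstance(value, dict):
        # RFC 8785 orders property names by UTF-16 code units, not code points.
        items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return "{" + ",".join(f"{jcs_subset(k)}:{jcs_subset(v)}" for k, v in items) + "}"
    # Floats need ECMAScript number serialization, which this subset omits.
    raise TypeError(f"unsupported type: {type(value).__name__}")

def manifest_hash(json_text):
    """Parse strictly, canonicalize, and return the SHA-256 hex digest."""
    parsed = json.loads(json_text, object_pairs_hook=_no_dupes)
    return hashlib.sha256(jcs_subset(parsed).encode("utf-8")).hexdigest()

# Constructed manifests; field names are hypothetical, not Verdifax's schema.
SEALED = '{"run_id":"r-001","model":"example-model-1","policy_sha256":"ab12","tokens":128}'
REORDERED = '{ "tokens": 128, "policy_sha256": "ab12",\n "model": "example-model-1", "run_id": "r-001" }'
TAMPERED = SEALED.replace('"tokens":128', '"tokens":129')

if __name__ == "__main__":
    recorded = manifest_hash(SEALED)
    print("reordered copy matches:", manifest_hash(REORDERED) == recorded)
    print("tampered copy matches: ", manifest_hash(TAMPERED) == recorded)
```

Rejecting floats and duplicate keys outright is deliberate: a verifier that guesses at either can compute a hash that differs from the sealer's for the same logical record.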
MANAGE function
| Subcategory | What Verdifax provides |
|---|---|
| MANAGE 1.4 (residual risks disclosed) | Every audit PDF discloses real-backend vs development-mode adapters for that specific run; no silent fallback; residual risks surfaced per run, not hidden in aggregate metrics |
| MANAGE 2.2 (sustain deployed AI value) | Cryptographic record sustains evidentiary value over the asset lifecycle; runs sealed today remain verifiable years later as long as Rekor is operational |
| MANAGE 2.3 (respond to new risks) | Hash chain of policy revisions lets auditors reconstruct which runs were governed under which policy version |
| MANAGE 2.4 (supersede, disengage, deactivate) | CCV and MACC halts are the mechanical disengage; halt receipts are auditable |
| MANAGE 3.1, 3.2 (third-party monitoring) | AIVP wraps every third-party model call; cross-run statistics on vendor behavior derivable from audit bundle archive |
| MANAGE 4.1 (post-deployment monitoring) | Verdifax is post-deployment monitoring infrastructure |
| MANAGE 4.3 (incidents communicated) | Halt receipts and PEPG deny receipts are structured, sealed, regulatory-mappable incident records |
NIST AI 600-1 Generative AI Profile
The Generative AI Profile (July 2024) overlays twelve GAI-specific risks onto the same four-function structure. Verdifax has material fit on:
| GAI risk | What Verdifax provides |
|---|---|
| Information Integrity | Core value proposition: the manifest hash plus the Sigstore Rekor anchor make a recorded inference tamper-evident, so it cannot be altered after the fact without detection |
| Confabulation | AIVP-bound PIA hash records exact prompt, model version, and response; confabulated outputs cannot be retroactively edited without breaking the hash |
| Data Privacy | CRES selective cryptographic erasure |
| Information Security | HSM-KEK, Ed25519, AES-256-GCM, TLS 1.3 |
| Human-AI Configuration | NREP actor signing + PEPG policy regime + AttestedContext orchestration context; fully attributable |
| Intellectual Property | Model vendor and version recorded per run; AI-Assisted Development Methodology document covers Verdifax's own IP integrity |
| Dangerous, Violent, or Hateful Content | MCD (Malicious-Content Detector) signature scanning |
| Obscene, Degrading, Abusive Content | MCD signature scanning, same mechanism |
| Value Chain and Component Integration | AER per-stage attestations include stage code-version hashes |
Out of scope for Verdifax v1 (handled elsewhere):
- CBRN information: model-vendor or specialized-policy concern
- Environmental impact at training time: on the Verdifax roadmap
- Harmful bias and homogenization: bias detection requires statistical evaluation orthogonal to cryptographic attestation; Verdifax records the inference so downstream bias tools can operate on a tamper-evident base
Trustworthy AI characteristics
| Characteristic | How Verdifax supports |
|---|---|
| Valid and Reliable | Deterministic pipeline; identical canonical inputs always produce identical manifest hashes; 200+ test suite |
| Safe | CCV per-run budgets, MACC cross-run budgets, PEPG admission control, MCD content scanning |
| Secure and Resilient | HSM-KEK at FIPS 140-2 Level 2, Ed25519 signatures, Sigstore Rekor anchoring, per-record AES-256-GCM |
| Accountable and Transparent | NREP actor signing, public Rekor log, MIT-licensed verifier |
| Explainable and Interpretable | AER per-stage attestations document the computational pathway; note Verdifax does not produce model-internal explanations (attention maps, etc.) |
| Privacy-Enhanced | CRES cryptographic erasure; GDPR Article 17 compatible |
| Fair, Harmful Bias Managed | Verdifax does not produce fairness evaluations; it records the inference in a tamper-evident form so downstream fairness tooling can operate on a stable, verifiable base |
What Verdifax does NOT provide
Honest scope. The following RMF subcategories are not materially addressed by Verdifax. Organizations adopting Verdifax should plan separate controls for these.
- GOVERN 2.2, GOVERN 3: workforce training, diversity, equity, inclusion. Organizational concerns.
- GOVERN 5: external AI actor engagement. Process concern.
- MAP 1.2: interdisciplinary diversity in AI actors. Organizational.
- MAP 3: capability benchmarking. Verdifax records outcomes; it does not benchmark them. Specialized benchmark suites (HELM, MLPerf AILuminate, vendor-internal evals) fill this gap.
- MEASURE 2.2: evaluations involving human subjects. IRB-equivalent organizational concern.
- MEASURE 2.11: fairness and bias evaluation. Orthogonal layer.
- MEASURE 2.12: environmental impact at training time. On the Verdifax roadmap; not in v1.
- MEASURE 3.3: end-user feedback and appeal processes. Process concern. Verdifax records the audit bundle that supports the appeal, but the appeal workflow itself is organizational.
- MANAGE 1.1: go-no-go deployment decisions. Verdifax records the technical state; the deployment decision is a human and organizational judgment.
These are not weaknesses. They are the boundary between cryptographic-attestation infrastructure and broader AI governance practice. The NIST AI RMF is intentionally a multi-layer framework, and Verdifax is intentionally a substrate within it, not a replacement for it.
Verifying the claims
Every technical claim above is independently verifiable.
- The MIT-licensed verifier is open source: github.com/Verdifax/verdifax-verify.
- The Sigstore Rekor log is public; manifest hashes can be looked up in it directly.
- The orchestrator runs at api.verdifax.com/health. A read-only API credential can be issued under NDA for hands-on diligence.
- A USPTO Track One patent application has been filed. The application number and filing receipt are available under NDA.
If any claim does not survive verification, please email robert@verdifax.com. Verdifax's value proposition depends on every claim being recomputable from primary sources.
Related work, the policy-as-code peer ecosystem
Verdifax sits inside a recognizable emerging category. The projects below are cited as context, not as competitors, because each addresses a different layer of the same problem.
| Project | Layer | Verdifax relationship |
|---|---|---|
| Microsoft Agent Governance Toolkit | Digital AI agents (policy engines, circuit breakers, OpenTelemetry) | Verdifax is the cryptographic-attestation primitive AGT's evidence collection can call into for tamper-evident MEASURE-function output |
| SINT Protocol | Physical robotics (Ed25519 capability tokens, ROS 2, Policy Gateway, Evidence Ledger) | Where AGT targets digital agents, SINT targets robots and actuators. Verdifax sits at a different stack layer: cryptographic substrate for AI inference itself |
| AI-SAFE2 Framework | GRC operating system (agentic AI, non-human identities, swarm governance) | Maps to ISO 42001, NIST AI RMF, SOC 2 + 10 other frameworks. Verdifax-emitted artifacts are valid evidence inputs to AI-SAFE2's Ledger pillar |
Verdifax's category position: cryptographic-attestation infrastructure for AI inference, designed to plug underneath any of the above when those systems need third-party-verifiable evidence of what the model actually did.
References
- NIST AI 100-1, AI Risk Management Framework v1.0
- NIST AI 600-1, Generative AI Profile
- Sigstore Rekor transparency log
- RFC 8785, JSON Canonicalization Scheme
- Federal Reserve SR 11-7
- Verdifax executive summary on verdifax.com with downloadable 12-page PDF
