OAIES Standards Crosswalks
Version: 1.0.1
Date: 2026-07-16
Status: Informative
Purpose
These crosswalks show where OAIES machine-readable artifacts can support evidence collection for external AI, security, software supply-chain, protocol, and observability standards. They give engineering and assurance teams one traceable implementation index without reproducing copyrighted standards.
Why
Control mappings are useful only when they distinguish evidence reuse from control equivalence. OAIES records technical facts and decisions; external frameworks may additionally require an organization-wide management system, legal interpretation, independent assessment, stakeholder consultation, or outcomes that a JSON artifact cannot prove.
Mapping method
Each mapping is based on the normative or authoritative source linked in the document and uses one relationship:
| Relationship | Meaning | Permitted conclusion |
|---|---|---|
evidence-supports |
The OAIES artifact may supply evidence relevant to part of the referenced requirement | An assessor may consider the evidence after scope, design, operation, and authenticity checks |
partial |
The artifact addresses only a limited evidence element | Additional controls, procedures, outcomes, and evidence are mandatory |
no-mapping |
OAIES does not address the requirement | Implement an external control |
The unit of mapping is an OAIES artifact and its required fields, not a claim that an entire external requirement is satisfied.
OAIES control families
| Family | Scope | Primary contracts |
|---|---|---|
GOV |
Policy, accountability, applicability, exceptions | AI System Manifest, Control Catalog, Statement of Applicability, Exception |
RSK |
Risk and impact management | Risk Register, AI System Manifest |
SYS |
System inventory and lifecycle | AI System Manifest |
PRM |
Prompt lifecycle | Prompt Release |
MOD |
Model governance | Model Record |
TOL |
Tool behavior and authority | Tool Contract, MCP Server Record |
AGT |
Agent autonomy and coordination | Agent Definition |
CTX |
Context provenance and trust | Context Manifest |
EVAL |
Measurement and release gates | Evaluation Result |
SUP |
Software and AI supply chain | Model Record, Evidence Bundle |
OPS |
Runtime operation and telemetry | Incident, Evidence Bundle |
IR |
Incident response and improvement | Incident, Risk Register |
EVD |
Evidence integrity and retention | Evidence Bundle |
Crosswalk index
| Document | External sources covered |
|---|---|
| ISO AI management, risk, and impact | ISO/IEC 42001, ISO/IEC 23894, ISO/IEC 42005 |
| NIST AI risk | NIST AI RMF 1.0, NIST AI 600-1 |
| OWASP AI security | OWASP Top 10 for LLM Applications, OWASP Top 10 for Agentic Applications |
| Secure software and supply chain | NIST SSDF SP 800-218, NIST SP 800-53 Rev. 5, SLSA, OpenSSF |
| Protocols and observability | MCP authorization, A2A, OpenTelemetry GenAI semantic conventions |
How to use
- Freeze the exact external publication/version and OAIES schema version in the assessment scope.
- Determine applicability using the external source, counsel, and the organization’s risk method.
- Select mappings marked
evidence-supportsorpartial; never infer control satisfaction from similar words. - Validate each referenced artifact, digest, time period, system boundary, and approval.
- Record uncovered requirements in the Statement of Applicability and Risk Register.
- Have a qualified assessor decide sufficiency against the licensed or authoritative source.
Equivalence and certification limits
These crosswalks are not legal advice, an accreditation instrument, a conformity assessment, or a certification claim. OAIES is not certified, endorsed, or approved by ISO, IEC, NIST, OWASP, OpenSSF, the MCP project, the A2A project, or OpenTelemetry. A mapping does not establish one-to-one equivalence; it indicates potential evidence alignment only. Certification to ISO/IEC 42001 requires an auditable AI management system and, when certification is claimed, assessment by an appropriately accredited certification body.
Tradeoffs
| Benefit | Cost |
|---|---|
| Reuses engineering evidence across assurance programs | Requires version-specific assessor review |
| Makes evidence gaps explicit | Does not replace licensed standards text |
| Connects runtime artifacts to governance | Artifact validity cannot prove operational effectiveness |
Anti-patterns
- Control laundering: treating an
evidence-supportsmapping as proof of control satisfaction. - Version drift: mapping against a web page that changed after the assessment scope was frozen.
- Citation without evidence: naming a framework while omitting artifact URI, digest, period, and owner.
- Self-certification language: using “ISO certified,” “NIST compliant,” or equivalent without a valid basis.
Enterprise considerations
The control owner must approve mappings, Legal must determine regulatory implications, and Internal Audit must preserve independence. Store licensed standards outside this repository under license controls. Evidence bundles must enforce retention, legal hold, tenant isolation, and access logging.
Checklist
- Exact external source version and access date recorded
- System and organizational boundaries match the referenced evidence
- Relationship type and rationale reviewed by the control owner
- Partial and missing coverage has an accountable remediation record
- Evidence authenticity, period, and retention are verified
- No equivalence, endorsement, or certification claim is implied
Changelog
1.0.1 — 2026-07-16
- Replaced broad relationship labels with conservative evidence-support mappings.
1.0.0 — 2026-07-16
- Added the initial OAIES crosswalk method, limits, and index.