Compliance
Control Mapping
How Decision Receipt helps your organization meet NIST SP 800-171, CMMC Level 2, NIST AI RMF, EO 14110, and EU AI Act requirements.
This page maps Decision Receipt capabilities to controls; it is not a certification. Compliance depends on your complete security posture. Decision Receipt provides technical evidence artifacts that support a comprehensive compliance program.
NIST SP 800-171 Rev 2
3.3 — Audit and Accountability
| Control | How Decision Receipt Addresses It | Evidence Artifact |
|---|---|---|
| 3.3.1 | Every autonomous action generates a signed receipt with timestamp, actor, evidence digest, policy evaluation, and verdict. Receipts are append-only and hash-chained. | receipt.json (signed, chained) |
| 3.3.2 | Each receipt records the originating agent, human requestor, repository, PR number, and commit SHA. | receipt.json → actor, origin |
| 3.3.5 | Receipt chains enable cross-action correlation. The Analytics API provides trend analysis and violation frequency. | Trust Pack; analytics |
| 3.3.8 | Each receipt is Ed25519-signed at creation. The hash chain makes modification, insertion, or deletion of a receipt detectable. Verification requires only the public key. | signature + hash chain |
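The 3.3.1 and 3.3.8 rows describe receipts that are Ed25519-signed and hash-chained so that a verifier holding only the public key can detect modification, insertion, or deletion. The Go program below is an added illustration of that mechanism written for this page; it is not Decision Receipt's code. The receipt fields, verdict strings, sample data, and the all-zero genesis hash are assumptions, since the page does not define the receipt.json schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Receipt is a hypothetical minimal layout for this example only; the page
// does not specify the real receipt.json schema.
type Receipt struct {
	Timestamp      string `json:"timestamp"`
	Actor          string `json:"actor"`
	EvidenceDigest string `json:"evidence_digest"`
	Verdict        string `json:"verdict"`
	PrevHash       string `json:"prev_hash"`           // hex SHA-256 of the previous receipt
	Signature      string `json:"signature,omitempty"` // hex Ed25519 over canonicalBody
}

// genesisHash anchors the first receipt; verifiers learn it out of band (assumed convention).
var genesisHash = strings.Repeat("0", 64)

// canonicalBody is what gets hashed and signed: the receipt with its signature
// cleared, serialised in Go's deterministic struct-field order.
func canonicalBody(r Receipt) []byte {
	r.Signature = ""
	body, _ := json.Marshal(r) // cannot fail: only string fields
	return body
}

// receiptHash covers prev_hash too, so each hash commits to every earlier receipt.
func receiptHash(r Receipt) string {
	sum := sha256.Sum256(canonicalBody(r))
	return hex.EncodeToString(sum[:])
}

// Append links r to the tail of chain via prev_hash, then signs it.
func Append(priv ed25519.PrivateKey, chain []Receipt, r Receipt) []Receipt {
	r.PrevHash = genesisHash
	if n := len(chain); n > 0 {
		r.PrevHash = receiptHash(chain[n-1])
	}
	r.Signature = hex.EncodeToString(ed25519.Sign(priv, canonicalBody(r)))
	return append(chain, r)
}

// VerifyChain needs only the public key and genesisHash. It rejects a chain
// holding a modified, reordered, removed, or foreign-signed receipt.
func VerifyChain(pub ed25519.PublicKey, chain []Receipt) error {
	prev := genesisHash
	for i, r := range chain {
		if r.PrevHash != prev {
			return fmt.Errorf("receipt %d: prev_hash does not match predecessor (insertion, deletion or reorder)", i)
		}
		sig, err := hex.DecodeString(r.Signature)
		if err != nil || !ed25519.Verify(pub, canonicalBody(r), sig) {
			return fmt.Errorf("receipt %d: bad signature (tampered or untrusted key)", i)
		}
		prev = receiptHash(r)
	}
	return nil
}

// Scenarios holds VerifyChain's result for four constructed chains (nil = verified).
type Scenarios struct{ Intact, Tampered, Deleted, Inserted error }

func cloneChain(c []Receipt) []Receipt { out := make([]Receipt, len(c)); copy(out, c); return out }

// RunScenarios builds a three-receipt chain from constructed sample data, then
// verifies it intact, with a verdict flipped, with the middle receipt removed,
// and with a receipt signed by an untrusted key spliced in.
func RunScenarios() (Scenarios, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenarios{}, err
	}
	var chain []Receipt
	for i, v := range []string{"ACCEPTED", "REJECTED", "ESCALATED"} { // constructed sample receipts
		chain = Append(priv, chain, Receipt{Timestamp: fmt.Sprintf("2025-01-01T10:0%d:00Z", i),
			Actor: "agent:release-bot", EvidenceDigest: fmt.Sprintf("sha256:%02x", i), Verdict: v})
	}
	var s Scenarios
	s.Intact = VerifyChain(pub, chain)
	tampered := cloneChain(chain)
	tampered[1].Verdict = "ACCEPTED" // edited after signing: signature no longer matches
	s.Tampered = VerifyChain(pub, tampered)
	s.Deleted = VerifyChain(pub, append(cloneChain(chain[:1]), chain[2:]...)) // middle receipt removed
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)                          // attacker-controlled key
	forged := Append(rogue, cloneChain(chain[:1]), Receipt{Actor: "agent:rogue", Verdict: "ACCEPTED"})
	s.Inserted = VerifyChain(pub, append(forged, chain[1:]...))
	return s, nil
}

func main() {
	s, err := RunScenarios()
	fmt.Println(err, s.Intact, s.Tampered, s.Deleted, s.Inserted)
}
```

Two caveats this verifier does not cover, and which a real deployment needs: dropping receipts from the tail of the chain is undetectable without an externally anchored head (publish the latest receipt hash or the expected count to a separate system), and the public key itself must be distributed and pinned out of band, because a valid signature proves only that the holder of that key issued the receipt.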
3.1 — Access Control
| Control | How Decision Receipt Addresses It | Evidence Artifact |
|---|---|---|
| 3.1.1 | Enforces authorization at the point of autonomous action. No action proceeds without a receipt proving that all policy gates passed. | verdict field (e.g. REJECTED) |
| 3.1.5 | Deny-by-default posture: no action has implicit authorization; each must pass every policy gate. | posture: deny-by-default |
Additional Families
| Control | How Decision Receipt Addresses It |
|---|---|
| 3.4.1 (CM) | Replay verification compares execution against the baseline. Divergence is flagged as NON_DETERMINISTIC. |
| 3.4.4 (CM) | Security signals (CI, scans, reviews) are evaluated before admission. |
| 3.11.1 (RA) | Continuous risk signal: acceptance trends, violation frequency, per-agent profiles. |
| 3.12.3 (CA) | 100% of autonomous actions are evaluated in real time. No sampling. |
| 3.14.1 (SI) | Policy rules require passing CI, static analysis, and dependency checks. |
NIST AI Risk Management Framework
| Function | How Decision Receipt Supports It |
|---|---|
| GOVERN | Policy rules encode regulatory requirements. Evaluation records demonstrate per-action assessment. |
| MAP | Risk tolerances are encoded as explicit thresholds. Replay provides a TEVV mechanism. |
| MEASURE | Quantified metrics: acceptance rate, violation frequency, replay divergence, evidence completeness. |
| MANAGE | Verdicts are real-time risk responses. Blocked actions are immediate mitigations. |
EU AI Act (High-Risk Systems)
| Article | Requirement | Decision Receipt |
|---|---|---|
| Art. 12 | Record-keeping | Tamper-evident, hash-chained receipt logging. |
| Art. 14 | Human oversight | The ESCALATED verdict routes the action to human reviewers. |
| Art. 15 | Accuracy, robustness and cybersecurity | Replay verifies consistency. Signatures provide integrity. |
| Art. 17 | Quality management system | Each receipt is a quality record. Trends measure quality over time. |
| Art. 72 (Art. 61 in the 2021 proposal) | Post-market monitoring | Continuous receipt generation serves as a real-time monitoring input. |