Saved in:
Bibliographic Details
Main Authors: Ugarte, Rodrigo Cilla; Guisado, Miguel Ángel Patricio; de Jesús, Antonio Berlanga; López, José Manuel Molina
Format: Preprint
Published: 2026
Subjects: Computers and Society
Online Access: https://arxiv.org/abs/2604.13767
contents AI Assurance -- producing the machine-readable evidence required to demonstrate compliance with AI governance frameworks -- has mature policy scaffolding but lacks the infrastructure to operationalize it. Organizations building high-risk AI systems under the EU AI Act face a gap: frameworks such as the EU AI Act, ISO/IEC 42001, and NIST AI RMF specify what to assure but provide no executable format for how. This paper proposes OSCAL -- the NIST standard adopted for FedRAMP cybersecurity compliance -- as a candidate interchange format for AI governance, complementing rather than replacing the emerging JTC21 standards stack. We define 16 property extensions covering lifecycle phases, enforcement semantics, risk traceability, and risk-acceptance justification, and present a three-layer Compliance-as-Code architecture (policy, evidence, enforcement) that generates assurance evidence as a byproduct of model training. The SDK produces native OSCAL Assessment Results validated against the NIST JSON schema. We test the approach on two Annex III high-risk systems: a credit scoring model and a medical imaging segmentation system. The architecture and reference implementation are open-source under Apache 2.0.
institution arXiv
title Making AI Compliance Evidence Machine-Readable
topic Computers and Society
I.2; K.5; K.6.5; D.2.9