The Integrity Framework · v1.0 · Crosswalks
How this framework maps to the standards you already cite.
The Integrity Framework is not trying to replace NIST AI RMF, ISO 42001, EU AI Act conformity, CSA AICM, SOC 2, or WCAG. It sits in the gap they don't fill: integrity for AI-powered SaaS that isn't itself a compliance product. The crosswalks below let you cite the framework alongside whatever regulatory regime your buyer recognizes.
https://claritylift.ai/framework/v1/crosswalks
How to read this
Each row below maps a framework layer item to the closest equivalent control / requirement in each external regime. “Closest equivalent” is interpretive: most of these regimes have controls that span multiple framework items, and vice versa. Use these as starting points for procurement and audit conversations, not as substitutes for legal review.
N/A means the regime does not address the failure mode this framework item targets. Partial means the regime addresses part of the failure mode but not all of it. Full means a customer can rely on the regime alone for that item.
Layer 1 vetoes (pre-build)
| Framework veto | NIST AI RMF | ISO/IEC 42001 | EU AI Act | CSA AICM | SOC 2 TSC | WCAG |
|---|---|---|---|---|---|---|
| Veto 1: Artifact vs outcome | GOVERN-1.1 (mission) | Clause 4.3 (scope) | N/A (regulates products, not pricing models) | GOV-01 (governance framework) | CC1.1 (entity values) | N/A |
| Veto 2: Independence | GOVERN-2.3 (accountability) | Clause 5.3 (roles) | Article 17 (post-market monitoring) | AIM-01 (independent oversight) | CC2.1 (independence) | N/A |
| Veto 3: Verifiability | MEASURE-2 (test, evaluate) | Clause 9.1 (monitoring) | Article 15 (accuracy, robustness) | AIS-04 (testing) | CC7.1 (objective verification) | 4.1.2 (name, role, value) |
| Veto 4: AI accountability | GOVERN-1.5 (oversight) | Clause 7.2 (competence + review) | Article 14 (human oversight) | AIM-04 (human-in-the-loop) | CC5.1 (control activities) | N/A |
| Veto 5: Pricing-rigor alignment | GOVERN-3.1 (compliance-monitoring incentives) | Clause 4.2 (interested-party expectations) | N/A | GOV-04 (incentive structures) | CC2.2 (commitment to integrity) | N/A |
| Veto 6: TechCrunch test | MAP-2 (use-case context) | Annex A.5 (impact assessment) | Article 9 (risk management system) | GOV-03 (risk management) | CC3.1 (risk identification) | N/A |
Layer 2 architectural constraints
| Framework constraint | NIST AI RMF | ISO/IEC 42001 | EU AI Act | CSA AICM | SOC 2 TSC | WCAG |
|---|---|---|---|---|---|---|
| Evidence chain integrity | MEASURE-3 (documentation) | Clause 7.5 (documented information) | Article 12 (record-keeping) | AIS-02 (data lineage) | CC7.2 (system monitoring) | N/A |
| AI output review gates | MANAGE-2.3 (response + recovery) | Annex A.7 (human oversight) | Article 14 (human oversight) | AIM-04 (human-in-the-loop) | CC8.1 (change management) | 4.1.3 (status messages) |
| Customer self-attestation isolation | MAP-3 (data documentation) | Annex A.6 (data quality) | Article 10 (data governance) | AIS-03 (data classification) | CC6.1 (logical access) | 3.3.1 (error identification) |
| Reproducibility | MEASURE-2.5 (validity) | Clause 9.1 (monitoring) | Article 15 (accuracy) | AIS-04 (testing) | CC7.1 (objective verification) | N/A |
| Evidence retention independence | MANAGE-1.2 (incident response) | Annex A.8 (records management) | Article 12 (record-keeping) | GOV-02 (records management) | A1.2 (availability) | N/A |
| Independent verification hooks | GOVERN-5.1 (audit) | Clause 9.2 (internal audit) | Article 17 (post-market monitoring) | GOV-05 (independent audit) | CC4.1 (monitoring activities) | 5.1 (conformance claims) |
| Failure transparency | MEASURE-2.7 (impact assessment) | Annex A.10 (incident reporting) | Article 62 (serious-incident reporting) | AIS-05 (incident handling) | CC2.3 (information communication) | 3.3.3 (error suggestion) |
Layer 3 operational guardrails
| Framework guardrail | NIST AI RMF | ISO/IEC 42001 | EU AI Act | CSA AICM | SOC 2 TSC | WCAG |
|---|---|---|---|---|---|---|
| Refund-on-failure clause | N/A | Clause 8.3 (operational planning) | N/A (contractual) | GOV-04 (commercial alignment) | CC2.2 (commitment to integrity) | N/A |
| Public methodology page | GOVERN-1.6 (transparency) | Annex A.4 (transparency) | Article 13 (transparency to deployers) | AIM-03 (disclosure) | CC2.3 (communication) | 5.1 (conformance claims) |
| Annual independent audit | GOVERN-5.1 | Clause 9.2 (internal audit) + Clause 9.3 (management review) | Article 17 (post-market) | GOV-05 (independent audit) | CC4.1 (monitoring) | N/A |
| Customer-side compliance owner | GOVERN-2.1 (roles) | Clause 5.3 (org roles) | Article 16 (deployer obligations) | AIM-02 (accountability) | CC1.4 (commitment to competence) | N/A |
| Whistleblower channel | MANAGE-4.3 (incident reporting) | Annex A.10 (incident reporting) | Article 62 (serious-incident reporting) | AIS-05 (incident handling) | CC2.3 (communication) | N/A |
| Accountability community | GOVERN-1.6 (transparency to stakeholders) | Clause 4.2 (interested parties) | N/A | AIM-03 (disclosure) | CC2.3 (communication) | N/A |
| Public kill criteria | MANAGE-2.4 (decommission) | Annex A.9 (lifecycle management) | Article 17 (post-market) | AIS-06 (decommissioning) | CC8.1 (change management) | N/A |
What the crosswalk doesn't tell you
The framework sits in a gap that all six regimes leave open: integrity for AI-powered SaaS that isn't itself a compliance product. NIST AI RMF and ISO 42001 govern AI systems where the AI is the product. The EU AI Act governs high-risk AI products. CSA AICM is a control matrix designed for institutional adoption. SOC 2 covers organizational security. WCAG covers accessibility. None of them cover the case where AI is a feature inside a product whose primary value is something else: operations tooling, decision intelligence, accessibility documentation, organizational health.
That is the gap the framework fills. Crosswalks are how the framework borrows credibility from regimes the buyer already recognizes; they are not a replacement for the framework's own substance.