NIST AI RMF crosswalk to AEF

This crosswalk positions AEF as the implementation-layer evidence format for NIST AI RMF. NIST defines what organizations must govern; AEF defines how the resulting evidence is made portable, tamper-evident, and verifier-friendly.

Crosswalk

| NIST AI RMF function | Required governance artifact | AEF representation | Example kinds |
|---|---|---|---|
| Govern | policy approval, accountability, risk acceptance | signed governance events in a chained ledger | governance.approval, waiver.granted, policy.enforced |
| Map | system inventory, intended use, affected people, deployment context | subject-scoped model or agent records with structured payloads | model.proposed, agent.action |
| Measure | evaluation outputs, threshold gates, validation evidence | immutable run + evidence-pack export records | run.created, run.completed, evidence.pack_exported |
| Manage | deployment, incidents, retirements, corrective actions | operational events and linked evidence exports | model.deployed, incident.opened, incident.closed, model.retired |

Why AEF matters for NIST adoption

NIST AI RMF is intentionally technology-agnostic. Without a common evidence format, each vendor exports different JSON, different timestamps, and different hash logic. AEF closes that gap:

  • canonical JSON means verifier portability
  • hash chaining means tamper evidence
  • detached signatures mean cross-org attestations
  • public schemas mean outside auditors can validate without CloudTune

Minimal NIST-ready evidence set

A NIST-ready AEF ledger for one governed model should include at least:

  1. model.proposed
  2. run.created
  3. run.completed
  4. governance.approval
  5. model.deployed
  6. incident.opened / incident.closed when applicable
  7. evidence.pack_exported for the review packet sent to internal audit or regulators

Auditor posture

An auditor should be able to:

  • validate every record hash using the public verifier
  • confirm chain continuity by previous_hash
  • independently check signatures on governance approvals
  • inspect evidence-export payloads without access to the originating control plane
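
The first two auditor checks, together with the minimal evidence set listed earlier, can be sketched as follows. This is an added example, not AEF's or CloudTune's verifier: only previous_hash and the event kinds come from this page, while the `hash`, `kind`, `subject`, `seq` and `payload` field names, the canonicalization (sorted-key compact JSON), SHA-256, and a null previous_hash on the first record are assumptions.

```python
import hashlib
import json

# Kinds this page lists as the minimum for one governed model
# (incident.* is "when applicable", so it is not required here).
REQUIRED_KINDS = ["model.proposed", "run.created", "run.completed",
                  "governance.approval", "model.deployed", "evidence.pack_exported"]

def record_hash(record):
    """Assumed scheme: SHA-256 over sorted-key compact JSON of the record minus its own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def audit_ledger(records):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    expected_prev = None  # assumption: the first record carries previous_hash = null
    for i, rec in enumerate(records):
        if rec.get("hash") != record_hash(rec):
            findings.append(f"record {i} ({rec.get('kind')}): hash mismatch")
        if rec.get("previous_hash") != expected_prev:
            findings.append(f"record {i} ({rec.get('kind')}): chain break")
        # Link to the stored hash so one edit is reported once, not down the whole chain.
        expected_prev = rec.get("hash")
    seen = {rec.get("kind") for rec in records}
    findings += [f"missing required kind: {k}" for k in REQUIRED_KINDS if k not in seen]
    return findings

def build_ledger(kinds):
    """Build a chained sample ledger (constructed data, for demonstration only)."""
    ledger, prev = [], None
    for n, kind in enumerate(kinds):
        rec = {"kind": kind, "subject": "model:demo", "seq": n,
               "payload": {"note": f"constructed sample {n}"}, "previous_hash": prev}
        rec["hash"] = record_hash(rec)
        ledger.append(rec)
        prev = rec["hash"]
    return ledger

if __name__ == "__main__":
    ledger = build_ledger(REQUIRED_KINDS)
    print("clean:", audit_ledger(ledger))
    ledger[3]["payload"]["note"] = "approval edited after the fact"
    print("payload edited:", audit_ledger(ledger))
    ledger[3]["hash"] = record_hash(ledger[3])  # editor also recomputes the record hash
    print("hash recomputed:", audit_ledger(ledger))
```

Hash chaining alone does not catch someone who rewrites every record from the edit point forward, which is why the signature check on governance approvals is a separate step.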