AI COMPLIANCE · NIST AI RMF · ISO/IEC 42001 · EU AI ACT
One record of what your AI did. Three frameworks.
Every guardrail decision, approval and override is recorded once — with timestamp, actor, system and outcome — and mapped to NIST AI RMF, ISO/IEC 42001 and EU AI Act policy bundles. Evidence comes out the way each framework's assessor expects to read it.
An AI compliance platform turns the day-to-day operation of AI systems into auditable evidence against the frameworks regulators and auditors actually ask for. Without one, the evidence lives in tickets, emails and spreadsheets — assembled by hand, weeks before every audit.
Kosmoy keeps one underlying record. The registries and risk classification supply the inventory side; the AI Gateway and Action Capsules supply the runtime side — every call, guardrail event, approval and override. Each framework is a policy bundle on top: a control mapping, a guardrail set tuned to its requirements, and an export laid out for that framework’s assessor. Adopting a new framework means adding a bundle, not re-instrumenting the platform.
What it does.
One event record
Every guardrail decision, approval and override recorded with timestamp, actor, system and outcome.
NIST AI RMF bundle
Govern, Map, Measure, Manage — each function mapped to registry, gateway and supervision evidence.
ISO/IEC 42001 bundle
The AI management system: policy and roles, risk assessment, lifecycle states, monitoring — exported on the 42001 structure.
EU AI Act bundle
Risk classification per system — minimal, limited, high, prohibited — obligations per role, and the technical-documentation dossier.
Evidence exports
Choose the framework; the export lays out the registries, the event log and the risk classification the way that assessor expects.
Risk classification workflow
Qualification → system info → operator role → risk class → obligations. Built on the EC AI Office compliance checker structure.
Module questions, answered straight.
What is an AI compliance platform?
An AI compliance platform turns the day-to-day operation of AI systems into auditable evidence against the frameworks regulators and auditors actually ask for — an inventory of systems with risk classification, a record of every call and policy decision, and exports laid out the way each framework's assessor expects to read them.
Which AI compliance frameworks does Kosmoy support?
Three policy bundles ship today: NIST AI RMF, ISO/IEC 42001 and the EU AI Act. All three read from the same underlying record — the registries, the risk classification and the event log — so adding a framework changes the report, not the plumbing.
How does Kosmoy classify AI systems under the EU AI Act?
Through a five-step flow built on the structure of the EC AI Office compliance checker: qualification, system information, operator role, risk class (minimal, limited, high, prohibited), and the obligations that follow. The classification lives in the registry and feeds the technical-documentation dossier.
Can the same evidence serve multiple frameworks?
Yes — that is the design. One set of registries, one risk classification and one event log feed every bundle. A guardrail decision recorded once appears in the NIST AI RMF export, the ISO/IEC 42001 export and the EU AI Act dossier.
Does Kosmoy replace our GRC tool?
No. Kosmoy is the AI-specific evidence substrate — it records what your AI actually did and maps it to the framework. The exports feed your GRC system and your auditors; the management system itself stays yours.
See the compliance evidence end to end.
From a registered use case to a framework-ready export — NIST AI RMF, ISO/IEC 42001 or the EU AI Act.