# AI RMF Crosswalk Tool

> Free interactive compliance crosswalk tool mapping the NIST AI Risk Management Framework (AI RMF 1.0) to ISO/IEC 42001:2023, EU AI Act articles, and the OWASP Top 10 for LLM Applications. Built for AI governance practitioners, compliance teams, and security professionals.

## What This Tool Does

This tool provides authoritative, searchable crosswalk mappings between major AI governance frameworks. Users can:

- Map any NIST AI RMF requirement (Govern, Map, Measure, Manage) to its ISO 42001 equivalent control
- View the corresponding EU AI Act articles for each NIST requirement
- Identify the relevant OWASP LLM Top 10 security risks for each requirement
- Search and filter across 71+ requirements simultaneously
- Export the full crosswalk data as CSV or PDF for compliance documentation

## Frameworks Covered

### NIST AI Risk Management Framework (AI RMF 1.0)

Published by the National Institute of Standards and Technology. Organized into four core functions:

- **Govern** (19 subcategories): Cultivate a responsible AI risk management culture
- **Map** (18 subcategories): Understand context and identify AI risks
- **Measure** (23 subcategories): Assess, analyze, and track AI risks
- **Manage** (11 subcategories): Prioritize and act on identified risks

### ISO/IEC 42001:2023

International standard for AI management systems. Key sections:

- Clauses 4–10: Core ISMS-style management system requirements
- Annex B controls (B.2–B.10): AI-specific controls for responsible development and deployment

### EU AI Act (Regulation 2024/1689)

EU regulation on artificial intelligence. Key articles mapped:

- Art. 9: Risk management system
- Art. 10: Data and data governance
- Art. 11: Technical documentation
- Art. 12: Record-keeping and logging
- Art. 13: Transparency requirements
- Art. 14: Human oversight
- Art. 15: Accuracy, robustness and cybersecurity
- Art. 17: Quality management system
- Art. 26: Obligations of deployers
- Art. 72: Post-market monitoring
- Art. 73: Reporting of serious incidents

### OWASP Top 10 for LLM Applications

The mappings use the 2023 edition's numbering and names; later editions of the list renumber and rename several entries.

- LLM01: Prompt Injection
- LLM02: Insecure Output Handling
- LLM03: Training Data Poisoning
- LLM04: Model Denial of Service
- LLM05: Supply Chain Vulnerabilities
- LLM06: Sensitive Information Disclosure
- LLM07: Insecure Plugin Design
- LLM08: Excessive Agency
- LLM09: Overreliance
- LLM10: Model Theft

## Who Uses This

- **Chief Information Security Officers (CISOs)**: Planning AI governance programs
- **Compliance managers**: Preparing for ISO 42001 certification while meeting NIST requirements
- **AI governance teams**: Dual-framework compliance and gap analysis
- **Auditors**: Mapping controls across AI standards
- **EU market entrants**: Understanding how NIST AI RMF maps to EU AI Act obligations

## Related Tools

- [AI Risk Assessment Tool](https://airiskassess.com/) — Full NIST AI RMF + ISO 27001 assessment platform
- [DevSecOps SDLC Tool](https://devsecops.vibehack.dev/) — Secure software development lifecycle guidance
- [Prompt Engineering Tool](https://prompts.cyberagent.exchange/) — LLM prompt library for security practitioners

## Standards References

- NIST AI RMF 1.0: https://www.nist.gov/artificial-intelligence/ai-risk-management-framework
- ISO/IEC 42001:2023: https://www.iso.org/standard/81230.html
- EU AI Act: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
- OWASP LLM Top 10: https://owasp.org/www-project-top-10-for-large-language-model-applications/

## Organization

**AI Risk Assessment | Quantum Security AI**

Contact: info@quantumsecurity.ai
Website: https://airiskassess.com/
Tool URL: https://compliance.airiskassess.com/

## License

Content available under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). Attribution required when citing.