# Framework Mapping -- Evidence Fabric Sample Receipt

**Purpose:** Map each load-bearing receipt field to the framework controls it satisfies. One-page reference for CISOs, Chief Compliance Officers, General Counsel, and external auditors evaluating whether the Evidence Fabric maps to their compliance perimeter.

**Sample receipt:** `receipt.json` in this package (synthetic healthcare workflow).

---

## Receipt-field-to-framework mapping

| Receipt field | AIUC-1 v1.0 | NIST AI RMF 1.0 | ISO/IEC 42001 | EU AI Act (2024/1689) | HIPAA Security Rule (45 CFR 164) | SOC 2 Trust Services | Reg S-P (17 CFR 248) |
|---|---|---|---|---|---|---|---|
| `request.user_role` | A003.x (agent identity) | Govern | A.6.x (organizational roles) | -- | 164.312(a)(2)(i) (unique user identification) | CC6.1 (logical access) | 17 CFR 248.30 (safeguards) |
| `request.input_hash_sha256` | A003.3 (cryptographically verifiable agent identity) | Me 4.2 (provenance + traceability) | A.4.5 (control of documented information) | Article 50(2) (record-keeping) | 164.312(c)(1) (integrity controls) | CC4.1 (monitoring) | 17 CFR 248.30 |
| `request.data_classes_detected` | A003.x | Map | A.6.2 (information classification) | Article 50(2) | 164.514 (de-identification standard) | CC6.7 (data classification) | 17 CFR 248.30 |
| `policy.policy_version` | D-domain (auditor evidence packaging) | Govern | A.4.3 (information security policy) | Article 50(2) | 164.316(b)(1) (policies and procedures) | CC5.3 (control activities) | 17 CFR 248.30 |
| `policy.rules_fired` | D-domain | Manage | A.8.x (operational controls) | Article 50(2) | 164.308(a)(1)(ii)(D) (information system activity review) | CC4.1 (monitoring) | 17 CFR 248.30 |
| `policy.policy_hash_sha256` | A003.3 | Me 4.2 | A.4.5 | -- | 164.312(c)(1) (integrity) | CC4.1 | -- |
| `provider_routing.provider` | B008.2 (caller auth) | Measure | A.6.2 (third-party relationships) | -- | 164.314(a)(2)(i) (business associate contracts) | CC7.1 (system operations) | 17 CFR 248.30 |
| `provider_routing.baa_covered` | B008.x | Measure | A.6.2 | -- | 164.502(e) (BAA requirement) | CC9.2 (third-party relationships) | -- |
| `provider_routing.zdr_asserted` | B008.x | Manage | A.8.x | Article 50(2) | 164.502(b) (minimum necessary) | CC6.1 | -- |
| `provider_routing.region` | B008.3 (encrypted transit) | Manage | A.8.x | Article 50(1) (transparency on data location) | 164.312(e) (transmission security) | CC6.6 | -- |
| `response.response_hash_sha256` | A003.3 | Me 4.2 | A.4.5 | -- | 164.312(c)(1) | CC4.1 | -- |
| `post_processing.detokenization_applied` | D-domain | Manage | A.8.x | -- | 164.514(c) (re-identification) | CC6.7 | 17 CFR 248.30 |
| `verification.chain_prev_event_hash` | E009 (third-party access monitoring) | Me 4.2 | A.4.5 | Article 50(2) | 164.312(b) (audit controls) | CC7.2 (event monitoring) | -- |
| `verification.transparency_log_inclusion_proof` | E009 | Me 4.2 | A.4.5 | Article 50(2) | 164.312(b) | CC7.2 | -- |
| `verification.signature` | A003.3 | Me 4.2 | A.4.5 | -- | 164.312(c)(1) | CC4.1 | -- |
| `verification.signer_key_id` | A003.3 | Govern | A.8.x | -- | 164.312(c)(1) | CC5.3 | -- |

---

## How to read this table

A "--" entry means the receipt field does not directly satisfy a control in that framework. It does not mean the framework is silent on the underlying concept; it means only that this specific receipt field is not the artifact the framework points at.

A populated entry means that, for an organization claiming the listed control, the named receipt field is a reasonable artifact for an auditor to inspect as evidence that the control was operating at the moment of the sample.

The substantive audit opinion is the auditor's, not Vertical Edge AI's. This mapping is a navigational aid, not an attestation.

---

## What this mapping does NOT cover

- **Substantive AI evaluation controls** (bias testing, red-teaming, output filtering, model card disclosures). These are separate disciplines; the Evidence Fabric is the audit trail underneath, not a substitute.
- **Framework-specific governance documentation** (AI policies, risk registers, training records). These live outside the receipt; the Evidence Fabric records what the policy decided at request time.
- **Provider-side attestations** (whether the AI provider actually honored zero-data-retention). The receipt records the operator's assertion; vendor-side proof requires the provider's own attestation.
- **Customer-specific framework variations.** Different auditors interpret control texts differently; the mapping above is a starting point for the auditor conversation, not the conclusion of one.

---

## Synthetic-data notice

The sample receipt (`receipt.json`) is entirely synthetic. The mapping above is illustrative; in a production engagement, the mapping is generated against the operator's actual receipt schema and reviewed with the operator's auditor.

---

*Vertical Edge AI LLC, Austin TX. Last reviewed 2026-05-19. Maintained at verticaledgeai.ai/sample-package/framework_mapping.md.*
