Baseline
Name the surface, the decision it affects, the current behavior, the available evidence, and the human owner. No score before the starting point exists.
A demo tells you the system can work once. The Receipt Ladder tells you what it does now, who owns it, what can stop it, and what evidence survives after the meeting.
Name the surface, the decision it affects, the current behavior, the available evidence, and the human owner. No score before the starting point exists.
Write down what the system may read, decide, change, and send. Separate a recommendation from an action. Put high-impact action behind a person.
Define what must pass before release: required evidence, refusal conditions, escalation paths, and the exact owner of an exception.
Do not let the builder grade its own output. Use separate evidence and planted failures to prove the check can say no.
Keep the input, rule, time, outcome, and source needed to reproduce the decision. Re-run after material change and record drift instead of overwriting it.
We map owners and evidence to selected outcomes across the voluntary NIST AI RMF 1.0 Core. A use-case profile still has to fit the organization, risk tolerance, and resources.
Boundaries and checks are set against agent-goal hijack, tool misuse, identity and privilege abuse, insecure communication, cascading failures, and the rest of OWASP's agentic threat taxonomy.
The owner, monitoring, review, and continual-improvement rungs are informed by ISO's public description of an AI management system. This mapping does not establish conformity with the standard.
For covered direct-interaction systems, disclosure is a user-visible requirement: clear, accessible, and delivered by the first interaction or exposure unless the AI nature is obvious in context.
A mapping is not NIST approval, OWASP endorsement, ISO conformity, legal advice, or a promise of security. It is a disciplined way to find missing evidence and make ownership explicit.