enterprise resource · crosswalk

NIST AI Risk Management Framework — Vibefixing crosswalk

A mapping between NIST AI RMF 1.0 functions (Govern, Map, Measure, Manage) and the artifacts Vibefixing produces today. Intended for security questionnaires and conversations between your compliance team and the engineers integrating the supervisor.

scope of this document

This crosswalk maps Vibefixing artifacts to NIST AI RMF sub-categories. It is not a certification. It does not constitute legal advice. Vibefixing does not hold a SOC 2 Type II report on the supervisor itself; the artifacts described below are intended to be consumed inside your organization's existing audit programs.

function · Govern

Culture, accountability structures, and policies that make AI risk management a managed activity, not a side effect.

GOVERN 1.1 · Policies, processes, procedures, and practices across the organization are documented.
status: supported
vibefixing artifact: Versioned YAML policies under packages/policies/. Each policy is a file carrying a semantic version; every change ships through git review.
evidence: Policy files in source control with author, timestamp, and review trail. The policy version is stamped on every supervisor decision.

GOVERN 1.2 · Accountability structures for AI risk are clear and documented.
status: supported
vibefixing artifact: Per-action ownership is encoded in the action_type registry: each action type names a responsible policy and a default enforcement mode (shadow / enforce).
evidence: /v1/action-types lists every action the supervisor knows about together with its current policy_ref.

GOVERN 4.1 · Organizational practices are in place to ensure diverse perspectives in AI design.
status: not addressed
vibefixing artifact: Not addressed.
evidence: This is an organizational practice, not an artifact a runtime supervisor can produce. We do not claim coverage.

function · Map

Establish the context: what the AI system does, what it is used for, what its capabilities and limitations are, and what risks it could create.

MAP 2.2 · Information about the AI system's knowledge limits and the conditions under which the system may fail is documented.
status: supported
vibefixing artifact: Each action_type ships intercepted_signals (the inputs the policy can decide on) and the sample_payload that triggered evaluation. Gaps in coverage are visible by inspection.
evidence: action_type.intercepted_signals enumerates the supervisor's decision inputs. Anything outside that list is, explicitly, out of policy scope: a policy cannot act on a signal the supervisor never intercepted.
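
Added example, not Vibefixing's code: the inspection the artifact above invites, automated. Given a registry of action types with their intercepted_signals and the policies they reference, it reports rules that condition on a signal the supervisor never intercepts (they can never fire) and intercepted signals that no rule reads. The registry and policy shapes, the rule and signal names, and the fall-through-to-allow evaluation semantics are assumptions for illustration, not the product's schema.

```python
# Added example (not Vibefixing code): a scope lint for intercepted_signals.
# Registry/policy shapes and the "unmatched rules fall through to allow"
# semantics are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ActionType:
    name: str
    policy_ref: str
    intercepted_signals: FrozenSet[str]   # the only inputs the policy can decide on


@dataclass(frozen=True)
class Rule:
    when: Tuple[Tuple[str, object], ...]  # (signal, required value) pairs
    then: str                              # "deny" or "flag"


@dataclass(frozen=True)
class Policy:
    ref: str
    version: str
    rules: Tuple[Rule, ...]


def evaluate(policy: Policy, signals: Dict[str, object]) -> str:
    """First rule whose every condition is met decides; otherwise "allow".
    A condition on a signal absent from `signals` never matches."""
    for rule in policy.rules:
        if all(signals.get(k) == v for k, v in rule.when):
            return rule.then
    return "allow"


def scope_findings(action_types: List[ActionType], policies: List[Policy]) -> List[dict]:
    """Cross-check each action_type's intercepted_signals against the
    signals its policy actually conditions on."""
    by_ref = {p.ref: p for p in policies}
    findings: List[dict] = []
    for at in action_types:
        policy = by_ref.get(at.policy_ref)
        if policy is None:
            findings.append({"action_type": at.name, "kind": "missing_policy",
                             "policy_ref": at.policy_ref})
            continue
        used = set()
        for idx, rule in enumerate(policy.rules):
            referenced = {k for k, _ in rule.when}
            used |= referenced
            dead = referenced - at.intercepted_signals
            if dead:  # rule can never fire: it needs a signal the supervisor never sees
                findings.append({"action_type": at.name, "kind": "dead_rule",
                                 "rule": idx, "signals": sorted(dead)})
        unused = at.intercepted_signals - used
        if unused:  # intercepted but no rule reads it: a coverage gap, not an error
            findings.append({"action_type": at.name, "kind": "unused_signal",
                             "signals": sorted(unused)})
    return findings


# Constructed sample registry and policies (not real Vibefixing data).
REGISTRY = [
    ActionType("tool_call", "policies/tool-call",
               frozenset({"tool_name", "arg_has_url", "caller_role"})),
    ActionType("file_write", "policies/file-write",
               frozenset({"path_outside_workspace"})),
]
POLICIES = [
    Policy("policies/tool-call", "1.4.0", (
        Rule((("tool_name", "shell"), ("caller_role", "untrusted")), "deny"),
        Rule((("dest_host_reputation", "bad"),), "deny"),   # signal is never intercepted
    )),
    Policy("policies/file-write", "1.0.2", (
        Rule((("path_outside_workspace", True),), "deny"),
    )),
]

if __name__ == "__main__":
    for finding in scope_findings(REGISTRY, POLICIES):
        print(finding)
    # An untrusted caller handing a URL to curl: rule 0 wants "shell", rule 1 wants a
    # signal that is never intercepted, so the call silently falls through to "allow".
    print(evaluate(POLICIES[0], {"tool_name": "curl", "arg_has_url": True,
                                 "caller_role": "untrusted"}))
```

Run it against a real registry export and policy set and the dead_rule findings are the concrete list of conditions that sit outside policy scope; unused_signal findings are inputs the supervisor pays to intercept but never decides on.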

MAP 3.1 · Potential benefits and costs of the AI system are characterized.
status: partial
vibefixing artifact: The action_type registry assigns each action to a tier (security / reliability / efficiency / quality) and ships a one-liner explaining the business outcome being protected.
evidence: /v1/action-types responses include title, one_liner, and policy_ref, so the cost of a violation is traceable.

MAP 4.1 · Approaches for mapping AI technology and use cases to legal and regulatory requirements are documented.
status: supported
vibefixing artifact: The threat catalog at /v1/threats/catalog links each known threat to an OWASP LLM Top 10 reference where one applies, plus a remediation string.
evidence: ThreatCatalogEntry.owasp_ref carries the OWASP reference for every cataloged threat that has one. The crosswalk you are reading is the GOVERN-side analog.

function · Measure

Use quantitative, qualitative, or mixed-method tools to analyze, assess, benchmark, and monitor AI risk and related impacts.

MEASURE 2.7 · AI system security and resilience are evaluated and documented.
status: supported
vibefixing artifact: Every supervised action produces a deterministic risk score and the list of threat signals that fired, both written to the evidence chain. The same input can be re-run against the current policy as a dry run via /v1/actions/evaluate.
evidence: Evidence events carry risk_score, threats[], reasons[], and policy_version. Because the score is deterministic, replaying an event under the policy_version it was stamped with reproduces the original decision; replaying it under the current policy shows what would change.

MEASURE 3.1 · Mechanisms for tracking identified AI risks over time are in place.
status: supported
vibefixing artifact: The evidence chain is append-only and hash-linked. Threat assessments are stored as ThreatAssessmentRow with timestamp, detector_id, severity level, and the signals that matched.
evidence: /v1/threats lists historical assessments. Modifying a stored row breaks the hash link visibly. Note that a hash chain on its own does not reveal removal of the newest rows; if your audit needs that guarantee, record the chain head outside the store at each export and compare against it.
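
Added example, not Vibefixing's code: a minimal append-only, hash-linked evidence chain and the verifier an auditor would run against it, including the edit it catches and the truncation it does not. The row layout (seq, prev_hash, body, hash), SHA-256 over canonical JSON, and the sample events are assumptions for illustration; the event field names follow the ones this page lists.

```python
# Added example (not Vibefixing code): hash-linked evidence chain + verifier.
# Row layout, hash construction and sample events are assumptions.
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first row


def canonical(body: dict) -> bytes:
    """Canonical JSON: fixed key order and separators, so a replayed event hashes identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def link_hash(prev_hash: str, body: dict) -> str:
    """A row's hash commits to the previous row's hash; that commitment is the link."""
    return hashlib.sha256(prev_hash.encode("ascii") + b"\n" + canonical(body)).hexdigest()


class EvidenceChain:
    def __init__(self) -> None:
        self.rows: List[dict] = []

    def append(self, body: dict) -> dict:
        prev = self.rows[-1]["hash"] if self.rows else GENESIS
        row = {"seq": len(self.rows), "prev_hash": prev, "body": body,
               "hash": link_hash(prev, body)}
        self.rows.append(row)
        return row

    def head(self) -> str:
        """Hash of the newest row. Publish or sign it out of band to pin the chain's length."""
        return self.rows[-1]["hash"] if self.rows else GENESIS

    def verify(self, anchored_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Recompute every link. Returns (ok, seq of the first bad row).
        With anchored_head, also detect a removed or replaced tail."""
        prev = GENESIS
        for i, row in enumerate(self.rows):
            if (row["seq"] != i or row["prev_hash"] != prev
                    or row["hash"] != link_hash(prev, row["body"])):
                return False, i
            prev = row["hash"]
        if anchored_head is not None and prev != anchored_head:
            return False, len(self.rows)  # internally valid, but not the chain that was anchored
        return True, None


# Constructed sample decisions using the field set the page lists (not real output).
SAMPLE_EVENTS = [
    {"action_type": "tool_call", "policy_version": "1.4.0", "enforcement_mode": "enforce",
     "risk_score": 12, "threats": [], "reasons": []},
    {"action_type": "tool_call", "policy_version": "1.4.0", "enforcement_mode": "enforce",
     "risk_score": 91, "threats": ["prompt_injection"], "reasons": ["untrusted URL in tool args"]},
    {"action_type": "file_write", "policy_version": "1.4.1", "enforcement_mode": "shadow",
     "risk_score": 64, "threats": ["data_exfil"], "reasons": ["write outside workspace"]},
]


def build_chain() -> EvidenceChain:
    chain = EvidenceChain()
    for event in SAMPLE_EVENTS:
        chain.append(dict(event))
    return chain


def edit_in_place(chain: EvidenceChain) -> Tuple[bool, Optional[int]]:
    """Retroactively lower a score: row 1's stored hash no longer matches its body."""
    chain.rows[1]["body"]["risk_score"] = 5
    return chain.verify()


def edit_and_rehash(chain: EvidenceChain) -> Tuple[bool, Optional[int]]:
    """Recomputing row 1's hash only moves the break: row 2's prev_hash is now stale."""
    row = chain.rows[1]
    row["body"]["risk_score"] = 5
    row["hash"] = link_hash(row["prev_hash"], row["body"])
    return chain.verify()


def drop_newest(chain: EvidenceChain, anchored_head: str):
    """Truncation is invisible to a bare walk; only the anchored head exposes it."""
    chain.rows.pop()
    return chain.verify(), chain.verify(anchored_head)
```

drop_newest is the caveat in code: a verifier that only walks the chain accepts a truncated one, because every remaining link is still valid. Export head() with each audit snapshot and pass it back as anchored_head, and the truncation shows up as a break at the missing sequence number.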

MEASURE 4.2 · Measurement results regarding AI system trustworthiness are informed by feedback from users.
status: partial
vibefixing artifact: Findings carry confidence tiers (high / medium / low). Public scans only surface high-confidence priority findings; the dashboard tracks user-initiated overrides as policy edits.
evidence: Decision overrides become policy diffs in source control; the feedback loop is the policy change.

function · Manage

Allocate risk resources to mapped and measured risks on a regular basis and as defined by the Govern function.

MANAGE 1.3 · Responses to AI risks are developed and documented based on the assessment of, and prioritization of, AI risks.
status: supported
vibefixing artifact: Enforcement mode is a per-deployment environment variable with two values: shadow (log without blocking) and enforce (block on violation). The mode is stamped on every decision, so historical analysis can distinguish "would have blocked" from "did block".
evidence: SUPERVISOR_ENFORCEMENT_MODE is read at decision time and recorded with the evidence event.
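
Added example, not Vibefixing's code: the decision path and the rollup the artifact above describes, written out so the value of stamping the mode is visible. parse_mode and read_mode stand in for reading SUPERVISOR_ENFORCEMENT_MODE; the 70-point violation threshold, the shadow default for an unset variable, the event field names and the constructed traffic are assumptions.

```python
# Added example (not Vibefixing code): read the mode at decision time, stamp it
# on the event, and roll history up so "did block" and "would have blocked" stay
# separate. Threshold, default mode and field names are assumptions.
from collections import Counter
from typing import Dict, List, Optional

MODES = ("shadow", "enforce")
BLOCK_THRESHOLD = 70  # assumed: risk_score at or above this is a policy violation


def parse_mode(value: Optional[str]) -> Optional[str]:
    """Normalise SUPERVISOR_ENFORCEMENT_MODE; None when the value is not a known mode."""
    if value is None:
        return "shadow"  # assumed default for an unset variable
    mode = value.strip().lower()
    return mode if mode in MODES else None


def read_mode(env: Dict[str, str]) -> str:
    """Read the mode at decision time. Fail loudly on a typo such as 'enfore':
    quietly falling back to shadow would turn blocking off without a trace."""
    mode = parse_mode(env.get("SUPERVISOR_ENFORCEMENT_MODE"))
    if mode is None:
        raise ValueError("SUPERVISOR_ENFORCEMENT_MODE must be one of %s" % (MODES,))
    return mode


def decide(risk_score: int, threats: List[str], mode: str, policy_version: str) -> dict:
    """Evaluate one action and emit its evidence event, mode included."""
    violation = risk_score >= BLOCK_THRESHOLD
    if not violation:
        outcome = "allowed"
    elif mode == "enforce":
        outcome = "blocked"
    else:
        outcome = "would_block"  # shadow: logged, not blocked
    return {"risk_score": risk_score, "threats": list(threats), "violation": violation,
            "policy_version": policy_version, "enforcement_mode": mode, "outcome": outcome}


def rollup(events: List[dict]) -> Dict[str, int]:
    """Count outcomes using the mode stamped on each event."""
    return dict(Counter(e["outcome"] for e in events))


def naive_rollup(events: List[dict], current_mode: str) -> Dict[str, int]:
    """What analysis degrades to if the mode is NOT stamped and today's setting is assumed."""
    counts: Counter = Counter()
    for e in events:
        if not e["violation"]:
            counts["allowed"] += 1
        else:
            counts["blocked" if current_mode == "enforce" else "would_block"] += 1
    return dict(counts)


# Constructed traffic: a deployment that ran in shadow, then flipped to enforce.
TRAFFIC = [
    ("shadow", [(12, []), (85, ["prompt_injection"]), (72, ["data_exfil"])]),
    ("enforce", [(40, []), (93, ["prompt_injection"])]),
]


def run_simulation() -> List[dict]:
    events = []
    for mode, batch in TRAFFIC:
        env = {"SUPERVISOR_ENFORCEMENT_MODE": mode}  # stands in for os.environ
        for score, threats in batch:
            events.append(decide(score, threats, read_mode(env), "1.4.0"))
    return events


if __name__ == "__main__":
    history = run_simulation()
    print("stamped:", rollup(history))
    print("naive:  ", naive_rollup(history, "enforce"))
```

After the shadow-to-enforce flip, rollup reports one block and two would-have-blocked decisions, while naive_rollup reports three blocks: it credits enforcement for actions that were only logged. read_mode refuses unknown values rather than defaulting to shadow, because a typo in the variable would otherwise disable enforcement silently, and the stamped mode on each event would still read as whatever the fallback chose.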

MANAGE 4.1 · Post-deployment AI system monitoring plans are implemented.
status: partial
vibefixing artifact: The supervisor exposes Prometheus-style metrics on decision counts, denial rates, policy violations, and self-check drops. The threat assessment endpoint streams new assessments as they are recorded.
evidence: /metrics endpoint on the supervisor; ThreatAssessmentRow timestamps on /v1/threats.

MANAGE 4.3 · Incidents and errors are communicated to relevant AI actors, including affected communities.
status: not addressed
vibefixing artifact: Not addressed end-to-end.
evidence: Vibefixing surfaces incidents to operators via the dashboard and webhooks. Communication to end users or affected communities is a downstream workflow your team owns.


How to use this document

  1. For each sub-category your audit covers, copy the Vibefixing artifact column into your response, and attach the underlying record from the endpoint named in Evidence.
  2. For sub-categories marked not addressed, state explicitly that Vibefixing is not a control for that requirement and document the compensating control inside your organization.
  3. For sub-categories marked partial, confirm scope with your sales contact before relying on the mapping in a regulator-facing document.

Need a deeper review?

Enterprise engagements include a working session with your compliance team to walk through each sub-category and identify the gaps where Vibefixing does not apply. The deliverable is a populated questionnaire your team can submit, not a marketing deck.

NIST AI Risk Management Framework (AI RMF 1.0) is a publication of the National Institute of Standards and Technology, U.S. Department of Commerce. Vibefixing is not affiliated with NIST.