Regulatory Crosswalk · First Edition

When the audit committee asks how a decision was reasoned — not whether a policy existed — what shows up?

Two volumes mapping the Decision Protocol method to NIST AI RMF 1.0, ISO/IEC 42001:2023, the EU AI Act, and SR 11-7 Model Risk Management. Honest about coverage. Explicit about gaps. Free to download.

138 mapped requirements · 4 standards covered · 28 honest gaps declared · 52 pages of analysis

What this crosswalk is — and what it is not

A crosswalk is a structured mapping between two governance frameworks. This document maps the artifacts produced by the Decision Protocol — Acceptable Use Policy, Vendor Policy, Triage Tool, Decision Record, Vendor Review Checklist, the three Decision File Tiers, and the Execution Library — against the requirements of four recognized AI governance standards.

For each requirement, the crosswalk shows three things: the DPI instrument that addresses it; the level of coverage (Direct, Partial, or Out of scope); and, where coverage is partial or absent, an honest note explaining why. The method does not promise to cover everything. It promises to be explicit about what it covers.

Two volumes, four standards

Volume 1 maps to the standards most likely to be raised internally — by audit committees, internal compliance reviews, and certification bodies. Volume 2 maps to the standards most likely to be raised externally — by EU regulators or U.S. banking supervisors. Together they cover the four frameworks that compliance, legal, and risk leaders most commonly use to evaluate an AI governance method.

Volume 1

NIST AI RMF 1.0

U.S. National Institute of Standards and Technology AI Risk Management Framework. Four functions (GOVERN / MAP / MEASURE / MANAGE), 19 categories, 72 subcategories. Voluntary but de facto referenced in U.S. federal procurement and many enterprise risk programs.

32 Direct · 24 Partial · 16 Out of scope

Volume 1

ISO/IEC 42001:2023

International standard for AI Management Systems. Seven management-system clauses (4–10) plus 38 Annex A controls under nine objectives. Auditable; certification available. Often raised in B2B procurement and in jurisdictions adopting ISO certifications.

22 Direct · 16 Partial · 7 Out of scope

Volume 2

EU AI Act

Regulation (EU) 2024/1689. Phased application with key provisions live from August 2026. Volume 2 focuses on Article 26 (deployer obligations), Articles 9–15 (high-risk system requirements as they apply to deployers), and Article 27 (Fundamental Rights Impact Assessment).

Article 26 mapped · Art. 9–15 partial

Volume 2

SR 11-7 Model Risk Management

Federal Reserve Board / OCC Bulletin 2011-12, adopted by FDIC in 2017. Three-pillar structure: model development & validation; governance & controls; effective challenge. Mandatory for U.S. banks and financial holding companies. Increasingly applied to AI systems as “models”.

Sec. III, V mapped · Sec. IV partial

Three operating principles bridge the four frameworks

All four standards converge on the same underlying question: was the decision reasoned, recorded, and challenged at the time it was made? The Decision Protocol method answers this question through three principles, which are the conceptual bridge to all four frameworks.

Principle 01

Contemporaneity

The decision is recorded before its consequences are known — not retroactively constructed when a question arrives. Maps to NIST GOVERN, EU AI Act Article 12, SR 11-7 documentation requirements.

Principle 02

Adequate Information

Risks, alternatives, and assumptions are documented at decision time, not assumed away. Maps to NIST MAP function, EU AI Act Article 9, SR 11-7 Section IV on validation.

Principle 03

Conscious Trade-Off

Risk is accepted with a benefit sought and a proportionality reason recorded. Maps to NIST MANAGE 1.x, SR 11-7 effective challenge doctrine, EU AI Act Article 27.

Free download

Request the download

Get the download links to all three documents on the next page. The Executive Summary is also available without the form, below.

Just want a quick look? Download the 10-page Executive Summary → · or browse the interactive matrix →

The Decision Protocol Institute distributes structured instruments as digital downloads only. This form does not initiate any consulting, advisory, legal, or implementation service engagement. All strategic and operational responsibilities remain with the adopting organization.

Three honest gaps

A useful crosswalk distinguishes itself from a marketing artifact by stating, on the record, where the method does not cover the requirement. Three categories of gap appear consistently across the four standards.

Gap 01

Technical model evaluation (TEVV). NIST MEASURE 2.1–2.13 and ISO 42001 Annex A.6 controls covering technical performance metrics, robustness testing, fairness testing, and bias measurement are out of scope by design. These are responsibilities of the AI vendor, the developer, or the adopter's data-science function, not of a procedural governance framework.

Gap 02

External stakeholder communication. NIST GOVERN 5.1, MANAGE 4.3, and ISO 42001 A.8 controls on communication with affected individuals and communities are partially covered. The Decision Protocol records the internal decision; communication with end-users, regulators, or media is the responsibility of the adopter's communications and legal functions.

Gap 03

Internal audit and management review. ISO 42001 Clause 9.2 (internal audit) and SR 11-7 Section VI (independent review) require organizational functions and authority structures the Decision Protocol cannot provide. The method delivers the audit trail; the audit function itself is the adopter's.

Two volumes. 138 mapped requirements. 28 honest gaps.

Download the full crosswalk above, or browse the matrix to find the requirement you care about.
