Compliance framework library
Ledgix maps every accepted tool call to the controls your auditor cares about. Each framework below has a dedicated evidence-pack export that assembles a signed ZIP from your ledger, policy snapshots, checkpoint chain, and signed manifest.
Status meanings:
- Full — every control in the mapping resolves to an artifact Ledgix produces today. Audit-defensible end-to-end.
- Partial — most controls resolve today; remaining gaps are labelled in-JSON with the phase that completes them.
- Coming soon — framework mapping is tracked for a later release.
Status matrix
| Framework | Region | Status | Description |
|---|---|---|---|
| [AIUC-1](/compliance/aiuc1) | GLOBAL | Full | AI Use Case Inventory Certification — technical evidence for auditors. |
| [Australia AI Ethics](/compliance/australia_ai_ethics) | AU | Full | 8 principles from the Department of Industry. |
| [Brazil PL 2338/2023](/compliance/brazil_pl_2338) | BR | Full | AI rights — explanation, human review, traceability. |
| [Canada AIDA (Bill C-27)](/compliance/canada_aida) | CA | Full | High-impact AI — AIAs, mitigation, monitoring, recordkeeping. |
| [CCPA / CPRA](/compliance/ccpa) | US-CA | Full | Consumer rights — DSR intake, know, delete, correct, opt out, limit use. |
| [Colorado SB 24-205](/compliance/colorado_sb_205) | US-CO | Full | High-risk AI — AIAs, bias audits, AG discrimination disclosure (eff. 2026-02-01). |
| [EU AI Act — Article 12](/compliance/eu_ai_act_article_12) | EU | Full | Automatic logs, 6-month retention, tamper-evident (applies 2026-08-02). |
| [EU AI Act — Extended](/compliance/eu_ai_act_extended) | EU | Full | Arts. 10, 13–16, 43, 52, 61 — transparency, oversight, data governance, conformity, post-market. |
| [FINRA 17a-4 / 4511](/compliance/finra_17a4) | US | Full | Broker-dealer books & records retention (WORM) with signed Object Lock attestations. |
| [FTC Act §5](/compliance/ftc_section_5) | US | Full | AI performance claim substantiation via signed marketing-claims registry. |
| [GDPR](/compliance/gdpr) | EU | Full | Integrity, accountability, DSRs (Arts. 15–22), ROPA (Art. 30), DPIAs (Art. 35). |
| [HIPAA §164.312 + BAA + Retention](/compliance/hipaa_partial) | US | Full | Technical safeguards, minimum-necessary attestations, BAA registry, 6-year WORM retention. |
| [ISO/IEC 42001 — Clause 8](/compliance/iso_42001) | ISO | Full | AI management system — operations clause. |
| [ISO/IEC 42001 — Clauses 5/6/7](/compliance/iso_42001_extended) | ISO | Full | Leadership, planning, and support clauses plus training-data lineage. |
| [NIST AI RMF 1.0](/compliance/nist_ai_rmf) | US | Full | GOVERN / MAP / MEASURE / MANAGE functions mapped to ledger evidence. |
| [NYC Local Law 144](/compliance/nyc_ll144) | US-NYC | Full | Automated Employment Decision Tools — annual independent bias audit with impact ratio. |
| [OCC 2011-12 / Fed SR 11-7](/compliance/occ_sr_11_7) | US | Full | Model risk management with model cards, dataset sheets, and signed incidents. |
| [OECD AI Principles](/compliance/oecd_ai_principles) | GLOBAL | Full | Inclusive growth, rights, transparency, accountability. |
| [OSFI E-23](/compliance/osfi_e23) | CA | Full | Model risk & third-party control for Canadian FRFIs. |
| [SEC Rule 17a-4(f)](/compliance/sec_17a4f) | US | Full | Electronic storage media — WORM attestations and audit-trail alternative. |
| [Singapore IMDA MGF v2](/compliance/singapore_imda_mgf) | SG | Full | Model AI Governance Framework v2 + Generative AI Framework. |
| [SOX-for-AI (ITGC)](/compliance/sox_ai) | US | Full | IT general controls for AI-mediated financial actions. |
| [SOX Extended — §302/§906](/compliance/sox_extended) | US | Full | Officer attestation coverage via signed quarterly/annual packets. |
| [UNESCO AI Ethics](/compliance/unesco_ai_ethics) | GLOBAL | Full | 10-value recommendation adopted 2021. |
| SOC 2 CC6 / CC7 | Coming soon | Preview | Per-action access & change management proof. |
| MAS MindForge | Coming soon | Preview | AI risk toolkit for financial institutions. |
How to export an evidence pack
Every framework in the status matrix is selectable from the admin console's Evidence Exports panel. Pick the framework, a time window, and the tenant; Ledgix assembles a deterministic signed ZIP containing ledger events (JSONL by day), the Merkle checkpoint chain, signing key history, policy version snapshots, an Ed25519 manifest signature, and a framework_mapping.json that tells an auditor which file proves which control.
Re-running the same export parameters produces a byte-identical ZIP, so your auditor can independently verify reproducibility.
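What byte-identical reproducibility requires of a ZIP, and how an auditor can check file digests against a manifest, shown as an added example that is not Ledgix code. The file names, the manifest.json layout, and the sample ledger lines are assumptions constructed for illustration; verification of the Ed25519 manifest signature is not shown.

```python
import hashlib
import io
import json
import zipfile

# Constructed sample pack contents; file names and layout are assumptions,
# not Ledgix's actual export format.
SAMPLE_FILES = {
    "ledger/2025-01-02.jsonl": b'{"seq":2,"tool":"refund","decision":"accept"}\n',
    "ledger/2025-01-01.jsonl": b'{"seq":1,"tool":"lookup","decision":"accept"}\n',
    "framework_mapping.json": b'{"control-1":["ledger/2025-01-01.jsonl"]}\n',
}
FIXED_MTIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp a ZIP entry can encode


def build_manifest(files):
    """Map each path to its SHA-256, serialized canonically (sorted keys)."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_pack(files):
    """Assemble a ZIP whose bytes depend only on the file names and contents."""
    members = dict(files)
    members["manifest.json"] = build_manifest(files)  # hypothetical manifest name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(members):  # fixed entry order
            info = zipfile.ZipInfo(name, date_time=FIXED_MTIME)
            info.compress_type = zipfile.ZIP_STORED  # no compressor-version drift
            info.create_system = 3  # same "created on" byte on every platform
            info.external_attr = 0o644 << 16  # fixed permissions
            zf.writestr(info, members[name])
    return buf.getvalue()


def verify_pack(pack_bytes):
    """Return the paths whose content does not match the manifest digest."""
    with zipfile.ZipFile(io.BytesIO(pack_bytes)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        listed = set(zf.namelist()) - {"manifest.json"}
        bad = [n for n in manifest
               if n not in listed or hashlib.sha256(zf.read(n)).hexdigest() != manifest[n]]
        bad += sorted(listed - set(manifest))  # files the manifest does not cover
    return sorted(bad)
```

Comparing the SHA-256 of two exports run with the same parameters is the reproducibility check; `verify_pack` is the per-file integrity check that a signed manifest would anchor.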
What "partial" means in practice
A partial framework mapping would be honest about its gaps. Every control in any framework's framework_mapping.json is labelled either:
- resolved against an existing evidence type, or
- tagged (PARTIAL — Phase X adds …) with a pointer to the evidence type that is still on the roadmap.
As of today, Phases 1–9 have shipped — so every framework in the matrix above resolves every control to a live evidence type. Historical (PARTIAL — Phase X adds …) annotations may still appear in some JSON files where the phase delivered a richer but not strictly required artifact; your auditor sees exactly what is and is not covered, in the same artifact.
Evidence types
See the evidence types reference for the full list of artifact locators that can appear inside an evidence pack.