Govern AI across every framework.
KoraSafe builds governance artifacts from first principles, then maps each field to the regulations that apply to your organization. One workflow, any framework.
Strip away the regulatory labeling and a consistent set of requirements emerges across EU AI Act, GDPR, ISO 42001, NIST AI RMF, and SR 11-7. KoraSafe builds its governance model around those shared requirements, not around any single regulator's terminology.
Every framework tiers AI systems by the potential harm of a failure. KoraSafe's risk register captures the inputs that determine tier, independent of which framework is doing the scoring.
Consequential AI decisions require a human in the loop who can review, override, and be accountable. KoraSafe captures oversight design in the HITL Spec artifact and validates it at runtime.
Training data lineage, representation audits, and subgroup performance checks are required by every major framework. KoraSafe's Data Provenance and Bias Testing editors capture the evidence.
Post-deployment drift, performance degradation, and incident tracking are not optional add-ons. KoraSafe's Post-Market Monitoring Plan and guardian runtime agents keep evidence current.
Governance claims without artifacts are assertions. KoraSafe generates structured, auditable documentation for every stage of the AI lifecycle, timestamped and hash-verified.
Regulators and affected persons need different transparency artifacts. KoraSafe generates both from a single data source, keeping them in sync as the model evolves.
Technical transparency for developers, auditors, and downstream deployers. Documents intended use, performance benchmarks, training data, limitations, and known failure modes.
Operational transparency for compliance teams, regulators, and senior stakeholders. Documents how the AI is deployed, what decisions it influences, and what human oversight is in place.
Different frameworks use different vocabulary for supply chain roles, but the concepts are consistent. Knowing your role determines which obligations apply.
Develops or places an AI system on the market. Bears primary documentation and conformity obligations.
Uses an AI system in a professional context. Responsible for use-case risk assessment and human oversight.
Places a third-country AI system on a regulated market. Verifies provider compliance before deployment.
Makes an AI system available without modifying it. Checks compliance and cooperates with authorities.
An organization can hold multiple roles simultaneously. KoraSafe's system registry captures role assignments per AI system and applies the corresponding obligation set.
Residual risk documentation captures what remains after mitigations are applied. It is a pre-deployment artifact required by ISO 42001 Section 6.1, NIST AI RMF Manage 2.1, EU AI Act Article 9, and SR 11-7 model risk governance. KoraSafe generates it from the Risk Register and requires board-level sign-off before the system enters production.
Inherent risk level, controls applied and their effectiveness, residual risk rating, accepted residual risk rationale, board approval record, and scheduled review cadence. Each field maps to the frameworks that require it.
Across the frameworks KoraSafe supports, conformity for high-risk AI systems converges on the same seven workstreams. KoraSafe generates artifacts for each.
Structured record of system design, data, training, evaluation, and intended use. KoraSafe generates the outline from the 9-section universal template.
Continuous risk identification, assessment, mitigation, and residual risk acceptance across the full system lifecycle.
Documented policies, procedures, and controls for development, deployment, and change management. Required by ISO 42001 and EU AI Act Article 17.
Defined override mechanisms, accountability chains, and review cadence for consequential decisions. Captured in the HITL Spec and validated at runtime.
Transparency artifacts for developers and compliance stakeholders respectively. Both generated from a single governance data source.
Automated, tamper-evident event logging for all consequential decisions. KoraSafe's hash-chained audit trail satisfies logging requirements across frameworks.
Structured plan for tracking performance, incidents, and emerging risks after deployment. KoraSafe generates the plan and keeps it current via runtime guardian data.
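The tamper-evident logging workstream above rests on one mechanism: each log entry commits to its own content and to the hash of the entry before it, so any edit or deletion breaks every later link. The following is an added illustration of that hash-chaining idea in Python; it is not KoraSafe's audit-trail code, and the event fields, system name and scenario names are constructed for the example. It also shows the one case a bare chain cannot catch, silent truncation of the newest entries, and why the current head hash has to be anchored somewhere outside the log store.

```python
import copy
import hashlib
import json
from typing import Optional

# Hash of the (non-existent) entry before the first one; a fixed public constant.
GENESIS_HASH = "0" * 64


def canonical(event: dict) -> str:
    """Serialize an event deterministically so identical events always hash the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def entry_hash(prev_hash: str, event: dict) -> str:
    """Each entry commits to its own content AND to the previous entry's hash."""
    return hashlib.sha256((prev_hash + canonical(event)).encode("utf-8")).hexdigest()


def append_event(log: list, event: dict) -> str:
    """Append an event, linking it to the current tail of the chain."""
    prev = log[-1]["hash"] if log else GENESIS_HASH
    h = entry_hash(prev, event)
    log.append({"seq": len(log), "prev_hash": prev, "event": event, "hash": h})
    return h


def verify_chain(log: list, anchored_head: Optional[str] = None) -> tuple:
    """Return (ok, index): index is the first entry that fails, or None.

    Detects modification or deletion of any entry. Truncation from the tail
    leaves a valid, shorter chain, so the caller should also pass the head hash
    it stored outside the log (anchored_head) to catch that case.
    """
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return (False, i)
        if entry["hash"] != entry_hash(prev, entry["event"]):
            return (False, i)
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return (False, len(log))
    return (True, None)


def build_sample_log() -> list:
    """Constructed sample: three consequential-decision events (not real data)."""
    log = []
    append_event(log, {"ts": "2024-05-01T10:00:00Z", "system": "credit-scorer-v3",
                       "decision": "deny", "applicant": "A-1001", "reviewer": None})
    append_event(log, {"ts": "2024-05-01T10:05:00Z", "system": "credit-scorer-v3",
                       "decision": "override", "applicant": "A-1001", "reviewer": "analyst-7"})
    append_event(log, {"ts": "2024-05-01T11:00:00Z", "system": "credit-scorer-v3",
                       "decision": "approve", "applicant": "A-1002", "reviewer": None})
    return log


def tamper_scenarios() -> dict:
    """Verify an intact log and three tampered copies; returns each verdict."""
    log = build_sample_log()
    head = log[-1]["hash"]                        # anchor this outside the log store

    modified = copy.deepcopy(log)
    modified[0]["event"]["decision"] = "approve"  # rewrite history

    deleted = copy.deepcopy(log)
    del deleted[1]                                # drop the override record

    truncated = copy.deepcopy(log)[:-1]           # silently lose the newest entry

    return {
        "intact": verify_chain(log, head),
        "modified": verify_chain(modified, head),
        "deleted": verify_chain(deleted, head),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, first_bad) in tamper_scenarios().items():
        print(f"{name:22s} ok={ok} first_bad={first_bad}")
```

The modification is caught at entry 0 and the deletion at entry 1 (the entry now occupying that slot carries the wrong sequence number and previous hash). The truncated copy verifies cleanly on its own and is only rejected once the stored head hash is supplied, which is why an audit trail of this kind needs its head periodically written to a location the log writer cannot alter.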
A human-in-the-loop cannot meaningfully override a decision they cannot understand. Explainability is therefore a prerequisite for effective human oversight, not a separate requirement. KoraSafe supports the tooling that bridges the two.
SHAP (SHapley Additive exPlanations) decomposes a model's output into per-feature contributions. KoraSafe's SHAP starter produces subgroup-aggregated outputs in the bias testing import format.
LIME (Local Interpretable Model-agnostic Explanations) fits a simple surrogate model in the neighborhood of each prediction. Useful for image and text classifiers where SHAP is computationally heavy.
DiCE counterfactual explanations surface the minimal input changes that would flip a decision. Particularly relevant for adverse action notices under FCRA and automated decision explanations under GDPR Article 22.
Starter scripts for all three approaches are available in the developer documentation.
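To make the SHAP description concrete, here is an added example (not KoraSafe's SHAP starter and not the shap library) that computes exact Shapley attributions for a small constructed scoring model and then aggregates them per subgroup, the kind of output a bias-testing review would look at. The model, feature names, baseline and subgroup rows are all assumptions made for the illustration. The brute-force computation is exponential in the number of features; it is meant to show what the per-feature contributions are, which the library estimators approximate for real models.

```python
from itertools import combinations
from math import factorial


def credit_score(z):
    """Constructed toy scoring model (not KoraSafe's): income and history interact."""
    income, history, utilization = z
    return 2.0 * income + 3.0 * history - 1.0 * utilization + income * history


def shapley_values(model, x, baseline):
    """Exact Shapley attribution of model(x) - model(baseline) to each feature.

    v(S) evaluates the model with the features in S taken from x and the rest
    from the baseline. Every subset is enumerated (2^n model calls per feature),
    so this is only for small n; SHAP's estimators approximate the same values.
    """
    n = len(x)

    def v(subset):
        return model([x[i] if i in subset else baseline[i] for i in range(n)])

    phi = [0.0] * n
    for i in range(n):
        rest = [j for j in range(n) if j != i]
        for k in range(len(rest) + 1):
            for s in combinations(rest, k):
                s = frozenset(s)
                weight = factorial(len(s)) * factorial(n - len(s) - 1) / factorial(n)
                phi[i] += weight * (v(s | {i}) - v(s))
    return phi


def subgroup_mean_abs_contribution(model, rows, baseline):
    """Mean |phi| per feature within each subgroup; rows are (group, x) pairs."""
    totals, counts = {}, {}
    for group, x in rows:
        phi = shapley_values(model, x, baseline)
        acc = totals.setdefault(group, [0.0] * len(x))
        for i, p in enumerate(phi):
            acc[i] += abs(p)
        counts[group] = counts.get(group, 0) + 1
    return {g: [t / counts[g] for t in acc] for g, acc in totals.items()}


BASELINE = [0.0, 0.0, 0.0]          # assumed reference point (e.g. population mean after scaling)

# Constructed sample rows: (subgroup label, [income, history, utilization])
SAMPLE_ROWS = [
    ("group_A", [1.0, 1.0, 1.0]),
    ("group_A", [0.0, 0.0, 1.0]),
    ("group_B", [1.0, 0.0, 0.0]),
]


def explain_one(x):
    """Per-feature contributions for one instance plus the efficiency check."""
    phi = shapley_values(credit_score, x, BASELINE)
    gap = credit_score(x) - credit_score(BASELINE)
    return {"phi": phi, "sum_phi": sum(phi), "model_gap": gap}


if __name__ == "__main__":
    print(explain_one([1.0, 1.0, 1.0]))
    print(subgroup_mean_abs_contribution(credit_score, SAMPLE_ROWS, BASELINE))
```

For the instance [1, 1, 1] the additive terms attribute 2, 3 and -1 to the three features, and the income*history interaction (worth 1) is split equally between the two features that produce it, giving [2.5, 3.5, -1.0]; the contributions always sum to the difference between the model output and the baseline output (the efficiency property). The subgroup aggregation is what lets a reviewer compare which features drive decisions for one population versus another.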
KoraSafe maps your governance work to the frameworks that apply to your organization. The mapping is metadata on each artifact field, surfaced as framework coverage chips. Your governance model stays neutral. The mapping updates as frameworks evolve.
| Framework | Jurisdiction / sector | Key obligations KoraSafe covers |
|---|---|---|
| EU AI Act | EU, all sectors | Technical doc, risk management, HITL, logging, FRIA, post-market monitoring, conformity declaration |
| GDPR | EU, personal data processing | DPIA, Art. 22 automated decision rights, data minimization, lawful basis documentation |
| ISO 42001 | International, all sectors | AI management system, risk treatment, QMS, supplier governance, continual improvement |
| NIST AI RMF | US, all sectors | Govern, Map, Measure, Manage functions; risk tolerance documentation; AI risk register |
| SR 11-7 | US, banking | Model risk management, validation, ongoing monitoring, model inventory, governance policies |
| NYC Local Law 144 | US, NYC employment | Automated employment decision tool bias audit, public results disclosure, candidate notice |
| Colorado SB 205 | US, Colorado, consequential decisions | Algorithmic discrimination assessment, impact assessment, adverse action notice |
| FCRA | US, consumer credit | Adverse action notice, principal reason codes, explainability for credit decisions |
| HIPAA | US, healthcare | PHI handling in AI pipelines, de-identification validation, minimum necessary principle |
| CCPA / CPRA | US, California consumers | Automated decision-making opt-out, data provenance, purpose limitation |
Per-framework deep dives are in progress. Contact us if you need a specific framework covered sooner.
Scoring models, statistical methods, and probe design, documented so your audit team can verify the numbers.
Eight-component weighted score across inventory, risk coverage, regulatory controls, policy enforcement, detection, remediation, evidence, and change management.
Anonymized cohort segmentation and aggregation method for opt-in AI governance benchmarks, with minimum group-size thresholds to prevent re-identification.
How KoraSafe's PII, bias, and hallucination classifiers are trained, evaluated, and kept current. Precision, recall, and calibration targets for each classifier type.
Monte Carlo loss-exceedance curves, FAIR decomposition into threat event frequency and loss magnitude, and how KoraSafe maps AI incidents to FAIR taxonomy.
How black-box probes are scored, aggregated into evidence packs, and mapped to regulatory controls. Weighting logic, severity thresholds, and pass/fail criteria.
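The loss-exceedance methodology mentioned above follows a standard shape: decompose loss event frequency into threat event frequency times vulnerability, draw a magnitude for each loss event, simulate many years, and read off the probability that annual loss exceeds each threshold. The following is an added, self-contained Python illustration of that Monte Carlo procedure; it is not KoraSafe's methodology code, and the rates, the lognormal magnitude distribution and the thresholds are assumptions chosen for the example.

```python
import math
import random


def sample_poisson(rng, lam):
    """Knuth's method for Poisson(lam); adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(tef, vulnerability, magnitude_median, magnitude_sigma,
                           years=10000, seed=7):
    """FAIR-style simulation returning one total loss per simulated year.

    tef            threat event frequency per year (Poisson rate)
    vulnerability  probability a threat event becomes a loss event
    magnitude      lognormal with the given median and log-space sigma (assumed shape)
    Loss event frequency is therefore tef * vulnerability on average.
    """
    rng = random.Random(seed)
    mu = math.log(magnitude_median)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(sample_poisson(rng, tef)):
            if rng.random() < vulnerability:
                total += rng.lognormvariate(mu, magnitude_sigma)
        losses.append(total)
    return losses


def exceedance_curve(losses, thresholds):
    """Loss-exceedance curve: P(annual loss > t) for each threshold t."""
    n = len(losses)
    return [(t, sum(1 for loss in losses if loss > t) / n) for t in thresholds]


def annualized_loss_expectancy(losses):
    """Mean annual loss over the simulated years."""
    return sum(losses) / len(losses)


# Constructed scenario: an AI incident class (e.g. a model decision requiring
# remediation) with ~4 threat events a year, a quarter of which become losses.
SCENARIO = dict(tef=4.0, vulnerability=0.25, magnitude_median=50_000.0, magnitude_sigma=1.0)
THRESHOLDS = [0.0, 50_000.0, 250_000.0, 1_000_000.0]


def run_scenario():
    losses = simulate_annual_losses(**SCENARIO)
    return {
        "expected_lef": SCENARIO["tef"] * SCENARIO["vulnerability"],
        "ale": annualized_loss_expectancy(losses),
        "curve": exceedance_curve(losses, THRESHOLDS),
    }


if __name__ == "__main__":
    result = run_scenario()
    print(f"expected loss events/year: {result['expected_lef']:.2f}")
    print(f"annualized loss expectancy: {result['ale']:,.0f}")
    for t, p in result["curve"]:
        print(f"P(loss > {t:>12,.0f}) = {p:.3f}")
```

With these parameters the expected loss event frequency is 1 per year, so the chance of any loss in a given year is about 1 - e^-1 (roughly 0.63), and the expected annual loss is about the median magnitude times e^(sigma^2/2), a little over 80,000. The curve is monotone non-increasing in the threshold by construction; a reviewer verifying the numbers can check those two closed-form values against the simulation before trusting the tail.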