sitkastack

Frameworks

sitkastack engagements ship governance artifacts mapped to the regulatory frameworks my clients work under. Below: the frameworks where I publish detailed mappings, plus frameworks sitkastack engagements support without dedicated published content.

Detailed mappings

Canada

OSFI Guideline E-23

Model risk management for federally regulated financial institutions in Canada, effective May 1, 2027.

View mapping

US, SEC registrants

SOX and ICFR for AI Systems

Internal control over financial reporting for SEC registrants, extended to the AI systems in ICFR scope.

View mapping

AICPA Trust Services Criteria

SOC 2

AI-specific controls extending the Trust Services Criteria for service organizations.

View mapping

US, voluntary

NIST AI Risk Management Framework

Voluntary US framework structured around the Govern, Map, Measure, and Manage functions.

View mapping

European Union

EU AI Act

Risk-tiered EU regulation for AI systems placed on the EU market, put into service in the EU, or whose output is used in the EU.

View mapping

International, AI management systems

ISO/IEC 42001

International standard for an AI management system, integrating with an existing ISO 27001 ISMS.

View mapping

Engagement-supported

sitkastack engagements support these frameworks today. Detailed mappings publish when relevant client work concludes.

US, service organizations

SOC 1

Financial-reporting controls at service organizations, reviewed within your SOX scope.

International

ISO/IEC 27001

Information security management; AI controls extend the existing ISMS.

US insurers

NAIC Model Bulletin on AI

Model governance expectations for AI used by US insurers.

US Federal Reserve

SR 11-7

Model risk management guidance for US banks.

Payment processing

PCI DSS

Applied where AI touches payment processing or cardholder data.

FINRA, FCA, OSC, and others

Sectoral guidance

Sector-specific guidance applied as the client's context requires.

For frameworks not listed, engagements typically extend the sitkastack Framework's reference patterns to the client's specific regulatory context. Questions about your context? Email me.