English

Making AI Compliance Evidence Machine-Readable

Computers and Society 2026-04-16 v1

Abstract

AI Assurance -- producing the machine-readable evidence required to demonstrate compliance with AI governance frameworks -- has mature policy scaffolding but lacks the infrastructure to operationalize it. Organizations building high-risk AI systems under the EU AI Act face a gap: frameworks such as the EU AI Act, ISO/IEC 42001, and NIST AI RMF specify what to assure but provide no executable format for how. This paper proposes OSCAL -- the NIST standard adopted for FedRAMP cybersecurity compliance -- as a candidate interchange format for AI governance, complementing rather than replacing the emerging JTC21 standards stack. We define 16 property extensions covering lifecycle phases, enforcement semantics, risk traceability, and risk-acceptance justification, and present a three-layer Compliance-as-Code architecture (policy, evidence, enforcement) that generates assurance evidence as a byproduct of model training. The SDK produces native OSCAL Assessment Results validated against the NIST JSON schema. We test the approach on two Annex III high-risk systems: a credit scoring model and a medical imaging segmentation system. The architecture and reference implementation are open-source under Apache 2.0.

Keywords

Cite

@article{arxiv.2604.13767,
  title  = {Making AI Compliance Evidence Machine-Readable},
  author = {Rodrigo Cilla Ugarte and Miguel Ángel Patricio Guisado and Antonio Berlanga de Jesús and José Manuel Molina López},
  journal= {arXiv preprint arXiv:2604.13767},
  year   = {2026}
}

Comments

9 pages, 2 figures, 3 tables. Submitted to IEEE Computer, Special Issue on AI Governance and Compliance

R2 v1 2026-07-01T12:10:35.810Z