Cytra Compliance playbook

How we implement the standard categories from NIST AI RMF, ISO/IEC 42001, and the EU AI Act.

CARGO's five pillars below — Control, Assessment, Records, Guardrails, and Oversight — are how we organize the standard control categories from those frameworks into twenty objective areas. We did not invent the categories and we don't claim to; CARGO is the lens that maps them once, so you can prove them everywhere. Cytra keeps you aligned and audit-ready, not certified.

NIST AI RMF · ISO/IEC 42001:2023 · EU AI Act
On the name "CARGO"

CARGO (Cytra AI Regulatory and Governance Objectives) is the open framework Cytra developed and publishes to the world. The same five letters name its five pillars: Control, Assessment, Records, Guardrails, and Oversight. The lens is ours and openly published; "CARGO" is simply our internal naming convention for it. The control objectives themselves are not novel and not Cytra's invention — they are the standard requirements of NIST AI RMF and ISO/IEC 42001:2023, aligned with the EU AI Act. The standards do the work.

Compliance-as-record

The playbook isn't a binder — it's fed by what runs.

Cytra Gateway, our managed gateway for AI-agent tool calls, treats every governed call as a structured, signed record. Those records roll up into the same five pillars the playbook describes, so the evidence behind a control is continuous runtime telemetry — mapped to the control objectives of NIST AI RMF, ISO/IEC 42001, and the EU AI Act — rather than a document assembled after the fact.

To be precise about posture: Cytra is aligned, not certified. We map evidence to these frameworks; we do not assert that any certification has been granted, and Cytra Gateway is currently in private beta.

Five pillars, twenty objective areas

CARGO's five pillars — and the standard categories each one carries.

  1. Control & Accountability

    NIST AI RMF Govern · ISO/IEC 42001:2023 §5 · EU AI Act Art. 4

    The governance backbone — who owns AI risk, and the policy and people that make the rest enforceable.

    • Governance structure and accountability — named owners and a cross-functional AI risk committee.
    • Policy, standards, and risk appetite.
    • Roles, competence, and AI literacy (EU AI Act Art. 4).
    • Third-party and supply-chain governance — model providers, data vendors, agent tools.
  2. Assessment & Risk

    NIST AI RMF Map · Measure · ISO/IEC 42001:2023 §6 · EU AI Act Art. 6, 9, 10, 27

    Know what AI you run, classify it by risk, and assess its impact on a continuous lifecycle.

    • AI inventory and system classification (EU AI Act Art. 6 / Annex III).
    • Risk and impact assessment, including the Fundamental Rights Impact Assessment (Art. 27).
    • Continuous risk-management lifecycle (Art. 9).
    • Data governance and quality (Art. 10).
  3. Records & Evidence

    NIST AI RMF Measure · ISO/IEC 42001:2023 §7.5, §9.2 · EU AI Act Art. 11, 12 · Annex IV

    The proof layer — the hardest pillar to satisfy with documents alone, because it demands evidence of what the AI did.

    • Technical documentation (EU AI Act Art. 11 / Annex IV).
    • Automatic logging and record-keeping (Art. 12).
    • Tamper-evident evidence and retention — a per-tenant hash-chain / WORM record.
    • Conformity and audit readiness (Art. 43).
  4. Guardrails & Operations

    NIST AI RMF Manage · ISO/IEC 42001:2023 §8 · EU AI Act Art. 14, 15

    Controls that act where the AI runs, before an action completes — including every agent tool call.

    • Operational safeguards and runtime policy — approval gates, budget ceilings, an operator kill-switch.
    • Security, robustness, and resilience (Art. 15).
    • Bias, fairness, and performance monitoring — continuous, with auditable breach events.
    • Agent and non-human-identity (NHI) governance.
  5. Oversight & Improvement

    NIST AI RMF Manage · Govern · ISO/IEC 42001:2023 §9, §10 · EU AI Act Art. 13, 14, 50, 72, 73

    Keep people in command and close the loop as risks and regulations evolve.

    • Human oversight and intervention (Art. 14) — Understand, Monitor, Intervene, Stop.
    • Transparency and communication (Art. 13, Art. 50).
    • Post-market monitoring and incident response (Art. 72, Art. 73).
    • Review, internal audit, and continual improvement.
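What the "tamper-evident evidence" bullet under Records & Evidence means in practice, as an added illustration that is not Cytra's code: each governed tool call becomes a record whose hash links back to the previous record and is signed with a per-tenant key, so editing, deleting or reordering a past record is detected on verification. The tenant key, field names and sample calls are constructed for the demo.

```python
import hashlib
import hmac
import json
# Constructed tenant key for the demo only; a real deployment would hold a per-tenant key in a KMS/HSM.
TENANT_KEY = b"demo-tenant-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first record in each tenant's chain

def canonical(record: dict) -> bytes:
    # Deterministic encoding so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append_record(chain: list, tool_call: dict) -> dict:
    """Append a tool-call record linked to the previous record's hash, then sign it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev_hash, **tool_call}
    digest = hashlib.sha256(canonical(body)).hexdigest()
    sig = hmac.new(TENANT_KEY, digest.encode(), hashlib.sha256).hexdigest()
    entry = {**body, "hash": digest, "sig": sig}
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> tuple:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad record)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
        # Sequence number and back-link catch deleted or reordered records.
        if body.get("seq") != i or body.get("prev_hash") != prev_hash:
            return False, i
        digest = hashlib.sha256(canonical(body)).hexdigest()
        expected_sig = hmac.new(TENANT_KEY, digest.encode(), hashlib.sha256).hexdigest()
        # Recomputed hash catches edited fields; the signature catches a recomputed (forged) hash.
        if not (hmac.compare_digest(digest, entry["hash"]) and hmac.compare_digest(expected_sig, entry["sig"])):
            return False, i
        prev_hash = digest
    return True, -1

def build_sample_chain() -> list:
    # Constructed sample tool calls, not real gateway telemetry.
    chain = []
    append_record(chain, {"agent": "support-bot", "tool": "crm.lookup", "decision": "allow"})
    append_record(chain, {"agent": "support-bot", "tool": "payments.refund", "decision": "deny"})
    append_record(chain, {"agent": "support-bot", "tool": "email.send", "decision": "allow"})
    return chain

def tampered_copy(chain: list) -> list:
    # Rewrite a past decision in place; its hash no longer matches, so verification flags record 1.
    copy = [dict(e) for e in chain]
    copy[1]["decision"] = "allow"
    return copy
```

A WORM store holds the same records immutably; the chain adds the property that a verifier can prove from the records alone that nothing was altered after the fact.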

Framework snapshot

Pillars: 05
Objective areas: 20
Posture: Aligned

Aligned and audit-ready, not certified.

Open framework · CC BY 4.0

Take the framework. It's yours.

The CARGO Framework is published free under Creative Commons Attribution 4.0 (CC BY 4.0) — adopt it, adapt it, and build on it, with attribution. The "CARGO" and "Cytra" names and logos stay ours; the control objectives are the standard ones from NIST AI RMF, ISO/IEC 42001, and the EU AI Act, so the framework belongs to everyone. v0.1 is in final public review — add your email and we'll send the full PDF the moment the public draft opens.

Next step: operationalise the playbook

Turn the standards into a record of how your AI runs.

Cytra maps your controls once and turns how your AI runs into continuous evidence across all five pillars — so you can demonstrate alignment with NIST AI RMF, ISO/IEC 42001, and the EU AI Act without duplicating effort. The managed gateway that generates the evidence is in private beta; tell us about your AI and we'll scope early access.