Standards crosswalk

🟡 Partial — Partial crosswalk: two standards have a clause catalog, but the authority registry recognises more sources (national legislation, Croissant-RAI). Coverage is growing.

Venturalítica manages conformance through projection: a single sei.yaml (with its risk section) plus a signed evidence bundle is projected against each applicable standard. The correspondence between standards (crosswalk) is codified in the clause catalogs vendored in the engine (crates/seigarrena-core/resources/standards/).


The engine currently knows two standards with a clause catalog:

| Canonical id | Standard | Role in Venturalítica |
| --- | --- | --- |
| eu/pren-18228@2026 | prEN 18228 — AI risk management for the EU AI Act | Priority: product-safety, hazard→harm |
| iso/23894@2023 | ISO/IEC 23894 — AI risk management | Process: identification/analysis/evaluation/treatment cycle |

The EU AI Act (Regulation 2024/1689) and DORA (Reg. EU 2022/2554) have no clause catalog of their own in the engine: their articles are cited in measures via article: and frameworks: in the risk section of sei.yaml.

Beyond the clause catalog, the engine maintains a typed authority registry (resources/standards/registry.yaml) that recognises more normative sources with their authority level: international standards (the ISO/IEC family), harmonised drafts (prEN), national legislation (e.g. the Spanish Workers’ Statute and the LOPDGDD, authority national_legislation, PR#54), and de-facto standards such as Croissant-RAI by MLCommons (mlcommons/croissant-rai@1.0, authority de_facto, PR#88). These sources feed the conformance-presumption derivation even when they do not yet have a full clause catalog.


The table below shows the alignment between the requirements of Annex IV (EU AI Act Art. 11), the clauses of prEN 18228, and the clauses of ISO 23894. Relevant ISO/IEC 42001 controls (AI management systems) are shown where applicable.

Cells describe each clause’s subject by paraphrase (never verbatim text from copyrighted standards).

| EU AI Act (Annex IV / Art.) | prEN 18228 | ISO 23894 | ISO 42001 | What it covers in Venturalítica |
| --- | --- | --- | --- | --- |
| Annex IV §1 — system description, intended purpose, version | cl. 6.2.1 — intended purpose | | 6.1.1 — organisational context | sei.yaml (system.intended_purpose); the cloud assembles Annex IV from the signed bundle.json |
| Art. 9(2)(b) — reasonably foreseeable misuse | cl. 6.2.2 — foreseeable misuse | | 6.1.4 — AI system impact assessment | system.potential_misuses in sei.yaml; sei impact flags unaddressed misuse |
| Art. 9(2)(b) — risk estimation | cl. 6.3 — risk estimation | §6.4.3 — analysis (likelihood×impact matrix) | 6.1.2 — risk assessment | impact/likelihood per risk; 5×5 matrix in the bundle |
| Art. 9(2)(b) — risk evaluation | cl. 7 — risk evaluation | §6.4.4 — evaluation vs appetite | 6.1.2e — decide if treatment required | inherent_level vs appetite per risk; sei reconstruct narrates this |
| Art. 9(5)(a) — control hierarchy | cl. 9.1.2 — applying the hierarchy of risk control | | | control_tier per measure; sei conformance verifies the hierarchy |
| Art. 9(5) — implementation and verification of controls | cl. 9.2 — implementation/verification | §6.5 — risk treatment | 6.1.3 — treatment options | Measures with enforcement: gate/audit; sei run executes and signs them |
| Art. 9(5) — per-control residual risk | cl. 9.3 — residual risk evaluation | §6.5 — treatment (residual target) | | residual_likelihood per risk; confirmed by the blocking control |
| Art. 9(5) — acceptable overall residual risk | cl. 10 — evaluation of overall residual risk | | | bundle.overall_residual_acceptable(); gap if not reached |
| Art. 9(6) — testing with acceptance criteria | cl. 8.1 — testing + objective evidence + power-stats | | | constraint per measure + power (bootstrap CI) in ControlResult |
| Art. 9 — plan review and approval | cl. 11 — risk management review | §6.6 — monitoring and review | 6.1.3 — management approval | sei approve --by <person> — attributable commit; sei reconstruct records it |
| Art. 11 + Annex IV — technical documentation | cl. 4.6 — risk management file | §6.7 — recording and reporting | | Signed .sei/bundle.json (ECDSA-P256+DSSE+in-toto); the cloud assembles Annex IV from the bundle |
| Art. 10 — data governance | | §6.4.2 — identification (data as risk source) | 6.2 — resources / data | Measures lifecycle: data_preparation; risk risk.data-governance |

How sei conformance materialises the crosswalk

The crosswalk is not an external spreadsheet: it is codified in the vendored clause catalogs of the engine (pren-18228-clauses.yaml, iso-23894-clauses.yaml). Each clause in the catalog declares how it is satisfied:

pren-18228-clauses.yaml (real excerpt, vendored catalog)

```yaml
clauses:
  - id: "9.2"
    title: "Implementation and verification of risk control measures"
    cycle_phase: risk_control
    annex_za: ["art-9-5"]
    satisfied_by:
      measures_citing: true  # covered if ≥1 measure cites eu/pren-18228@2026#9.2 and passes
  - id: "9.1.2"
    title: "Applying the hierarchy of risk control"
    cycle_phase: risk_control
    satisfied_by:
      criterion: control_hierarchy  # covered if the AP has controls at each hierarchy level
  - id: "10"
    title: "Evaluation of overall residual risk"
    cycle_phase: overall_residual
    satisfied_by:
      criterion: overall_residual  # covered if bundle.overall_residual_acceptable() = true
  - id: "4.6"
    title: "Risk management file"
    cycle_phase: file
    satisfied_by:
      evidence: signed_bundle  # covered if a signed bundle is present
```

iso-23894-clauses.yaml (real excerpt, vendored catalog)

```yaml
clauses:
  - id: "6.4.2"
    title: "Risk identification"
    cycle_phase: identification
    satisfied_by:
      measures_citing: true
  - id: "6.5"
    title: "Risk treatment"
    cycle_phase: treatment
    satisfied_by:
      measures_citing: true
```

sei conformance runs derive_conformance(ap, control_results, bundle, standard_id):

  1. Loads the clause catalog for the requested standard.
  2. For each clause, evaluates the satisfied_by conditions in priority order: built-in criterion → measures_citing (AP measures that cite the clause in standard_clauses and pass) → evidence (bundle artifact present).
  3. Emits COVERED / PARTIAL / GAP per clause, grouped by cycle phase.
  4. The same sei.yaml (risk section) + bundle produces independent reports for eu/pren-18228@2026 and iso/23894@2023 without re-annotation (dedup).
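
The evaluation order above, as an added Python sketch that is not the engine's own code: the measure field passed, the bundle keys, the tier names and both PARTIAL rules are assumptions, while clause ids, criteria and the `<standard>#<clause>` citation format come from the catalog excerpts. One set of measures is projected against both standards without re-annotation.

```python
# Added sketch, not the engine's code. Assumed: the "passed" field, the bundle keys,
# the tier names and both PARTIAL rules. Clause data follows the catalog excerpts.
TIERS = {"tier-1", "tier-2", "tier-3"}  # hypothetical hierarchy levels

def eval_clause(std_id, clause, measures, bundle):
    sat = clause["satisfied_by"]
    if "criterion" in sat:  # 1. a built-in criterion takes priority
        if sat["criterion"] == "overall_residual":
            return "COVERED" if bundle["overall_residual_acceptable"] else "GAP"
        if sat["criterion"] == "control_hierarchy":
            hit = TIERS & {m["control_tier"] for m in measures if m["passed"]}
            return "COVERED" if hit == TIERS else "PARTIAL" if hit else "GAP"
        return "GAP"  # unknown criterion: fail closed
    if sat.get("measures_citing"):  # 2. measures citing <standard>#<clause>
        ref = f"{std_id}#{clause['id']}"
        citing = [m for m in measures if ref in m["standard_clauses"]]
        passed = any(m["passed"] for m in citing)
        return "COVERED" if passed else "PARTIAL" if citing else "GAP"
    ok = sat.get("evidence") == "signed_bundle" and bundle["signed"]  # 3. evidence
    return "COVERED" if ok else "GAP"

def derive_conformance(std_id, measures, bundle):
    report = {}  # cycle_phase -> {clause id -> status}
    for clause in CATALOGS[std_id]:
        status = eval_clause(std_id, clause, measures, bundle)
        report.setdefault(clause["cycle_phase"], {})[clause["id"]] = status
    return report

def c(cid, phase, **sat):  # compact constructor for one catalog entry
    return {"id": cid, "cycle_phase": phase, "satisfied_by": sat}
# Constructed sample input: clauses mirror the excerpts, the measures are invented.
CATALOGS = {
    "eu/pren-18228@2026": [
        c("9.2", "risk_control", measures_citing=True),
        c("9.1.2", "risk_control", criterion="control_hierarchy"),
        c("10", "overall_residual", criterion="overall_residual"),
        c("4.6", "file", evidence="signed_bundle")],
    "iso/23894@2023": [
        c("6.4.2", "identification", measures_citing=True),
        c("6.5", "treatment", measures_citing=True)],
}
MEASURES = [
    {"standard_clauses": ["eu/pren-18228@2026#9.2", "iso/23894@2023#6.5"],
     "control_tier": "tier-1", "passed": True},
    {"standard_clauses": ["iso/23894@2023#6.4.2"], "control_tier": "tier-2", "passed": False}]
BUNDLE = {"signed": True, "overall_residual_acceptable": False}

if __name__ == "__main__":
    print({s: derive_conformance(s, MEASURES, BUNDLE) for s in CATALOGS})
```

Unknown criteria and unsigned bundles resolve to GAP in this sketch, so a malformed catalog entry or missing signature can never raise a clause to COVERED.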

```bash
# prEN 18228 conformance (priority)
sei conformance --repo . --standard eu/pren-18228@2026

# ISO 23894 conformance
sei conformance --repo . --standard iso/23894@2023

# All standards with a catalog declared in applicable_standards
sei conformance --repo .

# Iteration-by-iteration evolution (RDD)
sei conformance --repo . --standard eu/pren-18228@2026 --history

# Write signed artifact (.sei/conformance/<slug>.json + .sig)
sei conformance --repo . --out
```

With --out, the signed results are written to .sei/conformance/eu_pren-18228_2026.json and .sei/conformance/iso_23894_2023.json, ready for the cloud to render without recalculating.


Annex ZA correspondence (prEN 18228 ↔ EU AI Act)

The pren-18228-clauses.yaml catalog includes the EU AI Act article ids each clause addresses (annex_za), following the normative correspondence table (Annex ZA of the standard). This correspondence is for documentation only; sei conformance does not evaluate it directly.

| prEN 18228 clause | EU AI Act article(s) (Annex ZA) |
| --- | --- |
| 6.2.1 — intended purpose | Art. 9(2) |
| 6.2.2 — foreseeable misuse | Art. 9(2)(a) |
| 6.3 — estimation | Art. 9(2)(b) |
| 7 — evaluation | Art. 9(2)(b) |
| 8.1 — testing | Art. 9(6) |
| 9.1.2 — hierarchy | Art. 9(5)(a) |
| 9.2 — implementation | Art. 9(5) |
| 9.3 — per-control residual | Art. 9(5) |
| 10 — overall residual | Art. 9(5) |
| 11 — review | Art. 9 |
| 4.6 — risk management file | Art. 9(2) |