
Commit 9e66d34

docs(144): MAESTRO Companion — NIST AI RMF evaluation ADR (#169)
* docs(144): MAESTRO Companion — NIST AI RMF evaluation ADR (ADR-025)

Documentation-only spike closing the MAESTRO compliance umbrella's regulated-adopter half. Records tachi's NIST AI RMF posture as documentation-only mapping (Option A).

Three-surface evaluation:
- Surface A (Functions × pipeline phases): Govern/Map/Measure/Manage mapped to tachi's 6 pipeline phases; Map/Measure/Manage overlap cells identify where tachi already contributes evidence.
- Surface B (Subcategories × control categories): 5-10 representative AI RMF Subcategories crosswalked to tachi's 8 compensating-control categories with Overlap / Gap / Conflict / "No equivalent" labels.
- Surface C (GAI risks × STRIDE+AI): all 12 NIST AI 600-1 Generative AI Profile risks mapped to tachi's 11 STRIDE+AI categories.

Decision rationale: AI RMF 1.0 is mature (3+ year runway, federal procurement adoption, FFIEC/HIPAA references) — unlike ADR-024's pre-1.0 AIVSS divergence. The binding constraint is structural fit: AI RMF Functions are organizational-tier outcomes while tachi produces artifact-tier evidence. Documentation-only mapping captures alignment explicitly without coupling the pipeline to a framework operating one tier above.

Companion artifact at `.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md` ships the full mapping for procurement / audit citation. The tachi-control-analysis SKILL.md gains an 80-200 word NIST AI RMF Relationship section with a relative-path pointer to ADR-025. ADR-024 Related ADRs line updated with bidirectional ADR-025 back-reference.

Re-evaluation triggers: ≥3 regulated-adopter inquiries OR NIST AI RMF 2.0 publication OR SP 800-53 AI overlay GA.

Scope discipline: zero drift on schemas/, scripts/, .claude/agents/, examples/ (SC-006 invariant preserved). Backward-compatibility pytest 5/5 byte-identical under SOURCE_DATE_EPOCH=1700000000 (ADR-021 determinism baseline).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(144): add PRD, spec artifacts, and regenerate BACKLOG

Adds the PRD (PM + Architect + Team-Lead sign-offs recorded in frontmatter) and the spec artifact set (spec, plan, tasks, research, quickstart, agent-assignments, checklists/requirements) for Feature 144 NIST AI RMF evaluation. BACKLOG.md regenerated to reflect #144 transition to stage:build.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(144): finalize ADR-025 merge date and mark T043/T044 complete

Set ADR-025 Date field to actual merge date (2026-04-16) per T044 pre-merge instruction. Mark T043 (PR opened) and T044 (architect APPROVED 2026-04-16 — see .aod/results/architect-pr-review-144.md) complete in tasks.md. All 43 tasks now complete (T027 N/A per FR-008 XOR Option A branch).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent c08aa09 commit 9e66d34

15 files changed

+2949
-3
lines changed

.claude/skills/tachi-control-analysis/SKILL.md

Lines changed: 4 additions & 0 deletions
@@ -17,6 +17,10 @@ The control analysis domain covers three areas:
1717

1818
3. **Residual Risk Calculation and Recommendations** -- Recommendation generation rules for missing and partial controls (templates, effort calibration), residual score computation formula with the P0 binary reduction model (reduction factors by control status), severity band mapping for residual scores, and summary statistics calculations.
1919

20+
## NIST AI RMF Relationship
21+
22+
Tachi's compensating-controls analyzer operates in a STRIDE+AI idiom, not a NIST idiom. The NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1) and its companion Generative AI Profile (NIST AI 600-1) are the U.S. federal reference vocabulary for managing AI system risk — Functions (Govern, Map, Measure, Manage), Subcategories, and 12 GAI risk categories. Tachi's posture toward both documents is **documentation-only mapping** per [ADR-025](../../../docs/architecture/02_ADRs/ADR-025-nist-ai-rmf-evaluation.md): no schema field, no agent, no pipeline phase, and no SARIF tag emits NIST-keyed output. The strongest direct semantic overlap is MEASURE 2.7 ("AI system security and resilience are evaluated and documented") — essentially what `compensating-controls.md` already produces without NIST labeling. Adopters who must cite NIST mappings during procurement, audit, or examination workflows should consult the companion reference `.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md` and ADR-025 for the three-surface comparison (Functions × phases, Subcategories × control categories, GAI risks × STRIDE+AI), the full re-evaluation triggers, and the structural-fit rationale for choosing mapping over wired integration.
23+
2024
## Baseline-Aware Control Analysis Rules
2125

2226
### Carry-Forward Conditions
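Review bot: The companion-reference path in the new section (`.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md`) is bare backticked text while ADR-025 gets a relative Markdown link; since the mapping file ships in this same commit, link it the same way (`../tachi-shared/references/nist-ai-rmf-mapping.md`, relative to `.claude/skills/tachi-control-analysis/`) so a link checker flags the reference if either file moves. The ADR-025 link itself resolves: three `../` from `.claude/skills/tachi-control-analysis/` reach the repo root before `docs/architecture/02_ADRs/`. The insertion point matches the placement the design README hunk specifies (after the Domain Overview list, before `## Baseline-Aware Control Analysis Rules`), and the bolded decision noun `documentation-only mapping` matches the commit message.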

.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md

Lines changed: 110 additions & 0 deletions
Large diffs are not rendered by default.

docs/architecture/01_system_design/README.md

Lines changed: 82 additions & 0 deletions
@@ -2662,3 +2662,85 @@ PR review → SC-001 file exists → SC-002 Status: Accepted grep → SC-003 thr
26622662
| Existing backward-compat test suite | Trivial pass gate | `tests/scripts/test_backward_compatibility.py` |
26632663

26642664
**No new technology introduced.** Documentation-only feature. Zero schema changes, zero script changes, zero agent changes, zero example regenerations.
2665+
2666+
---
2667+
2668+
### Feature 144: NIST AI RMF Integration Evaluation ADR
2669+
2670+
## Components
2671+
2672+
This feature does not add or modify runtime components. Components touched are documentation surfaces:
2673+
2674+
### Component 1 — ADR-025 (new)
2675+
2676+
**File**: `docs/architecture/02_ADRs/ADR-025-nist-ai-rmf-evaluation.md`
2677+
**Owner**: architect (Wave 2 author)
2678+
2679+
Sections: Header (Status: Accepted, Date, Deciders, Feature 144, Related ADRs cross-referencing ADR-024 + ADR-020 + ADR-019 + ADR-018 + ADR-021 + ADR-023); Context with three Surface subsections using explicit anchors `<a id="surface-{a,b,c}"></a>`; Decision (canonical noun in first paragraph); Rationale (five-criteria justification); Alternatives Considered (Options A/B/C); Consequences (Positive/Negative/Mitigation/Follow-on); When to Re-Evaluate; References. Length expected 200-280 lines.
2680+
2681+
### Component 2 — `nist-ai-rmf-mapping.md` (new)
2682+
2683+
**File**: `.claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md`
2684+
**Owner**: architect (Wave 2)
2685+
2686+
Content shape conditional on chosen option: Option A → complete mapping table (8 control categories → NIST Subcategories) + Surface C crosswalk; Option B/C → relationship-only stub naming wired-integration site + forward link to follow-on Issue + back-link to ADR-025. Additive only; renderable in standard Markdown.
2687+
2688+
### Component 3 — SKILL.md NIST AI RMF Relationship Section (additive edit)
2689+
2690+
**File**: `.claude/skills/tachi-control-analysis/SKILL.md`
2691+
**Owner**: architect (Wave 2, after ADR-025 Decision text is finalized)
2692+
2693+
Insertion point: After existing `## Domain Overview`, before existing `## Baseline-Aware Control Analysis Rules`. 80-200 words. Decision-noun byte-identical (case-insensitive) to ADR-025 Decision section. Relative link to ADR-025.
2694+
2695+
### Component 4 — ADR-024 Back-Reference (single-line edit)
2696+
2697+
**File**: `docs/architecture/02_ADRs/ADR-024-owasp-aivss-evaluation.md`
2698+
**Owner**: architect (Wave 2, ships in same PR as ADR-025)
2699+
2700+
Append `[ADR-025](ADR-025-nist-ai-rmf-evaluation.md) (companion NIST AI RMF evaluation)` to the existing Related ADRs line. Housekeeping edit — does NOT change ADR-024 Status field.
2701+
2702+
### Component 5 — Follow-On GitHub Issue (conditional)
2703+
2704+
**File**: GitHub Issues (filed via `bash .aod/scripts/bash/create-issue.sh`)
2705+
**Owner**: product-manager (Wave 2 cleanup, only if Option B or C chosen)
2706+
2707+
`stage:discover` label, concrete title, body links back to ADR-025, names surfaces that would change, includes effort estimate copied verbatim from ADR-025 Alternatives, names "non-disruptive"/"opt-in" constraint. **Skipped if Option A chosen** (FR-008 N/A).
2708+
2709+
## Data Flow
2710+
2711+
Documentation flows from authoring (Wave 1 + Wave 2) to publication (PR merge to `main`):
2712+
2713+
```
2714+
Wave 1 (3-hour timebox)
2715+
web-researcher reads NIST AI RMF 1.0 + NIST AI 600-1 (canonical URLs from spec Assumptions)
2716+
→ appends findings to specs/144-*/research.md ## Wave 1 — NIST AI RMF Spec Notes section
2717+
→ escalates to PM if 3-hour budget exceeded (3 contingency options per Edge Case 1)
2718+
2719+
Wave 2 (sequential authorship)
2720+
architect drafts ADR-025 skeleton
2721+
→ fills Surface A/B/C tables from research.md Wave 1 notes + tachi compensating controls reference
2722+
→ drafts Decision (canonical noun) → Rationale → Alternatives → Consequences → Re-Evaluation Triggers → References
2723+
→ creates .claude/skills/tachi-shared/references/nist-ai-rmf-mapping.md (content shape per chosen option)
2724+
→ appends ## NIST AI RMF Relationship section to .claude/skills/tachi-control-analysis/SKILL.md
2725+
→ appends ADR-025 back-reference to docs/architecture/02_ADRs/ADR-024-owasp-aivss-evaluation.md Related ADRs line
2726+
→ product-manager files follow-on Issue if Option B/C chosen (FR-008)
2727+
2728+
PR Cycle (~half-day)
2729+
Open PR with docs: prefix conventional commit
2730+
→ 13 SCs verified (shell + awk + grep + pytest + manual inspection)
2731+
→ architect reviews PR (= "Accepted at merge" attestation per Closed Q2)
2732+
→ squash-merge to main
2733+
```
2734+
2735+
## Tech Stack
2736+
2737+
No tech stack changes. Reference lineage unchanged from current state:
2738+
2739+
- **Documentation format**: Markdown (CommonMark, no GFM extensions required)
2740+
- **ADR conventions**: Match ADR-022/023/024 structural template
2741+
- **Verifiers**: shell (`grep`, `awk`, `wc -w`, `tr`), Python (`pytest tests/scripts/test_backward_compatibility.py`), git (`git diff`, `git log`)
2742+
- **Determinism baseline**: `SOURCE_DATE_EPOCH=1700000000` for byte-identical PDF comparison (per ADR-021)
2743+
- **Conventional commits**: `docs:` prefix only (per Constitution IX + SC-012)
2744+
- **GitHub CLI**: `bash .aod/scripts/bash/create-issue.sh` for FR-008 conditional Issue filing
2745+
2746+
**Zero new runtime dependencies**: empty diff on `requirements*.txt`, `pyproject.toml`, `package.json`. Zero new CLI prerequisites.
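Review bot: Heading levels in the appended Feature 144 block are inverted: `### Feature 144: NIST AI RMF Integration Evaluation ADR` is an H3, but its subsections `## Components`, `## Data Flow` and `## Tech Stack` are H2, so in a rendered outline the feature title nests under the preceding entry while its own sections float to top level, and `### Component 1` through `### Component 5` become siblings of the feature heading. Promote the feature heading to `##` and demote the three section headings to `###` (components to `####`), or whatever the earlier feature entries in this README use. Separately, Component 2 and Component 5 are still written as conditional on the "chosen option" (Option A versus B/C) although the same commit records Option A as decided; a one-line outcome note ("Option A chosen; Component 5 N/A per FR-008") would stop a reader from looking for a follow-on Issue that was never filed.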

docs/architecture/02_ADRs/ADR-024-owasp-aivss-evaluation.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@
44
**Date**: 2026-04-15
55
**Deciders**: Architect, Product Manager, Team-Lead
66
**Feature**: 143 (MAESTRO Phase 4)
7-
**Related ADRs**: [ADR-020](ADR-020-maestro-layer-classification.md) (MAESTRO classification), [ADR-019](ADR-019-shared-definitions-and-model-field-governance.md) (shared cross-agent definitions), [ADR-018](ADR-018-baseline-aware-pipeline-correlation.md) (baseline-aware scoring lineage)
7+
**Related ADRs**: [ADR-020](ADR-020-maestro-layer-classification.md) (MAESTRO classification), [ADR-019](ADR-019-shared-definitions-and-model-field-governance.md) (shared cross-agent definitions), [ADR-018](ADR-018-baseline-aware-pipeline-correlation.md) (baseline-aware scoring lineage), [ADR-025](ADR-025-nist-ai-rmf-evaluation.md) (companion NIST AI RMF evaluation)
88

99
---
1010
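Review bot: No blocking issue in this hunk: the new `[ADR-025](ADR-025-nist-ai-rmf-evaluation.md)` entry uses the same same-directory relative link form as the ADR-020/019/018 entries, and Status, Date, Deciders and Feature are left untouched, matching the commit message's "housekeeping edit" claim. Because the link target is created in this same PR, the reference only resolves when both files land together; it would dangle on a cherry-pick of this file alone, so keep the change in the single squash as planned.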
