The NIST AI Risk Management Framework's GOVERN function correctly identifies organizational policies, measurement programs, and accountability structures as necessary conditions for responsible AI deployment. Functions such as GV.OV-03 (AI risk and impact awareness within the organization) and GV.MT-02 (effectiveness of risk treatments is evaluated and documented) identify what organizations should do. They do not specify what a compliant AI governance decision record must contain, nor how such a record should be independently verified.
This gap has a practical consequence: organizations implementing the RMF today can demonstrate that policies exist and that risk management processes are documented, but they cannot produce a per-decision, machine-verifiable artifact that binds each AI inference to the exact policy version that governed it. Auditors and regulators — whether conducting a SOC 2 review, a HIPAA audit, or an AI-specific regulatory examination — are left with attestations rather than evidence.
The absence of a standardized decision record format creates three downstream problems:
The RMF's MAP and MEASURE functions amplify this gap. MAP.5 requires that organizational risk priorities inform AI risk identification across the enterprise. Without per-decision evidence records, there is no artifact to inspect when determining whether an individual AI decision aligned with the organization's stated risk tolerance at decision time. MEASURE.2.5 requires that AI risk metrics and performance data be collected to evaluate AI trustworthiness. A system that produces no per-decision artifact cannot contribute to this measurement program; aggregate metrics are available, but individual-decision auditability is not.
The AI Decision Receipt Specification (ADR-SPEC-1.0) is an open standard that addresses the evidence gap described in Section 1. It defines a vendor-neutral schema, signing conventions, batch Merkle sealing procedures, and a verification interface for AI governance decision records. The specification is designed to be adopted by any AI governance platform, auditor toolchain, or compliance automation system.
The canonical URL for the specification is: https://spec.tailoredtechworks.net/
ADR-SPEC-1.0 is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0) — freely reproducible, adaptable, and redistributable for any purpose, including interoperability implementations. It is vendor-neutral; this comment does not advocate for any commercial product. The specification may be adopted, extended, or incorporated into RMF guidance without restriction.
At its core, ADR-SPEC-1.0 specifies a Decision Receipt — a signed JSON document emitted at the moment an AI governance system evaluates a request. The specification normatively defines:
did:web DID with a DataIntegrityProof (ecdsa-2019). This enables governance evidence to be exchanged via DIF credential exchange and OIDC4VP protocols, and presented to any VC-compatible verifier across organizational boundaries — without requiring the receiving party to have access to the issuing governance platform. RFC 3161 timestamp authority tokens (independent of the issuer) can be embedded in the credential proof for time-anchored non-repudiation.This is the artifact that closes the evidence gap identified in Section 1. The complete field-level schema is available at spec.tailoredtechworks.net.
ADR-SPEC-1.0 compliant implementations can serialize each governance decision record directly to NIST OSCAL Assessment Results Model v1.0.4 — NIST's own machine-readable compliance format. This creates a direct NIST-to-NIST evidence bridge: AI governance evidence generated under the AI RMF is immediately consumable by OSCAL-based audit toolchains without any intermediate transformation.
Each governance decision maps to an OSCAL Assessment Result Observation. The governance verdict (permitted or denied) maps to an OSCAL Finding with a satisfied or not-satisfied control status. The rule provenance captured in each decision record maps to OSCAL relevant-evidence entries. The Merkle batch anchor — the WORM-stored tamper-evidence root — maps to a linked OSCAL evidence artifact. Compliance framework citations carried in each receipt (SOC 2, HIPAA, EU AI Act) are translated to their NIST SP 800-53 control identifiers and attached as related-controls, enabling native OSCAL control mapping without manual re-tagging.
The OSCAL output is conformant to the NIST-published JSON schema at pages.nist.gov/OSCAL. The resulting documents can be attached to OSCAL System Security Plans (SSPs), submitted as FedRAMP continuous monitoring evidence packages, or consumed by any OSCAL-compatible GRC platform. This is the only AI governance artifact format that natively speaks NIST's own evidence language.
The following mappings are drawn from ADR-SPEC-1.0's compliance framework section. Each mapping describes the evidence component within a compliant decision record that satisfies the corresponding RMF subcategory. These mappings demonstrate that per-decision governance records are not an academic construct — they are concrete artifacts that satisfy existing RMF requirements today.
Every ADR receipt contains a cryptographic digest of the exact compiled policy document that governed the decision. This creates an immutable, per-decision binding between the AI system's runtime behavior and the organizational policy version in effect at that moment. Policy version drift — the condition where AI systems continue operating under outdated policy — is detectable by comparing the policy digest embedded in each receipt against the current authorized policy digest, without requiring access to the AI system itself.
ADR receipts are quantifiable, per-decision measurement artifacts. Each receipt preserves a complete replay bundle — the evaluation inputs, the policy state, the execution context, and the environment state at decision time — sufficient to re-evaluate the historical decision and confirm the same outcome. This enables measurement programs to: (a) count denial rates per rule, per organizational unit, per governance surface; (b) detect behavioral drift between policy versions; and (c) provide auditors with a live replay demonstration that the policy treatment produced the claimed outcome. These are the measurement artifacts GV.MT-02 requires.
Every receipt records the identifiers and verbatim expressions of the organizational rules that triggered the governance decision. When these rules are named after organizational risk priorities, each receipt is direct evidence that those priorities were operationalized at the exact point of decision. An auditor can query a receipt corpus for any named risk rule and produce a count of enforcement events, trace decisions to the rule author, and verify rule version — without interviewing any system owner or accessing the AI platform.
Each receipt is a structured data point that can be aggregated into AI risk metrics: denial rates by governance surface and rule, policy coverage measurements, and temporal drift measurements derived from the decision timestamp. The deterministic evaluation commitment embedded in each receipt enables replay-based consistency metrics. Merkle-sealed receipt batches provide tamper-evident continuity guarantees, ensuring that metrics derived from the receipt corpus can be presented to auditors with cryptographic proof that the underlying records have not been modified after the fact.
| RMF Subcategory | Evidence Component in Decision Record | Implementation Evidence Provided |
|---|---|---|
| GV.OV-03 | Policy version binding — cryptographic digest of the compiled policy document active at decision time | Binds each AI decision to the exact organizational policy version in effect at that moment. Enables auditable policy version trail across the full decision corpus. |
| GV.MT-02 | Replay bundle — preserved snapshot of evaluation inputs, policy state, and execution context; plus the decision outcome and rule provenance | Quantifiable per-decision measurement artifact. Supports denial-rate measurement, behavioral drift detection, and live replay verification of risk treatment effectiveness. |
| MAP.5 | Rule provenance — identifiers and verbatim expressions of the organizational rules that triggered the decision, together with the governance surface classification | Named organizational risk rules are recorded in each receipt. Provides an auditor-accessible corpus of enforcement events organized by risk priority and governance surface. |
| MEASURE.2.5 | Deterministic evaluation commitment — a cryptographic hash of the evaluation inputs; decision timestamp; Merkle batch anchor | Structured data points for AI risk metrics collection. Merkle tamper-evidence ensures metrics are derived from unmodified records. |
| GOVERN (all) | Asymmetric signature with publicly resolvable verification key (JWKS endpoint) | Independent third-party verification of any receipt without access to the issuing platform. Auditors and regulators can verify governance evidence autonomously. |
| MAP / MEASURE | Merkle root published to WORM-equivalent storage | Cryptographic tamper-evidence for the complete receipt corpus. Any post-hoc modification to any record in a batch causes Merkle root verification to fail. |
| GOVERN / MAP / MEASURE (OSCAL delivery) | Native serialization to NIST OSCAL Assessment Results Model v1.0.4 — governance verdict, rule provenance, Merkle anchor, and SP 800-53 control mapping | AI governance evidence is directly consumable by OSCAL-compatible audit toolchains, FedRAMP continuous monitoring workflows, and OSCAL SSP attachments — with no manual transformation. Compliance citations (SOC 2, HIPAA, EU AI Act) are automatically resolved to SP 800-53 control identifiers in the OSCAL output. |
We respectfully request that NIST AI RMF supplemental guidance — particularly guidance addressing the GOVERN function's subcategories GV.OV-03 and GV.MT-02, and the MAP.5 and MEASURE.2.5 subcategories — reference standardized per-decision AI governance records as a concrete implementation mechanism.
Specifically, we recommend that the supplemental guidance:
We are not proposing a mandatory standard. We are proposing that NIST guidance acknowledge that the evidence gap exists and point practitioners to a reference implementation. Organizations that have already deployed governance systems generating structured per-decision records can self-assess against ADR-SPEC-1.0. Organizations that have not can use it as a design specification. Auditors can use it as a baseline evidence checklist.
The specification's CC BY 4.0 license explicitly permits incorporation into derivative works, including by NIST. If NIST chooses to develop its own AI Decision Record profile as part of a future RMF supplement, ADR-SPEC-1.0 is offered as a starting point without restriction.
For reference, the architecture described in this comment is currently deployed in production across multi-tenant regulated environments. Each AI governance decision generates an ADR-SPEC-1.0 compliant receipt. Those receipts are sealed into nightly Merkle batches, archived to WORM-equivalent storage, and are independently verifiable via the published JWKS endpoint. DENY-rate metrics, policy-version audit trails, and deterministic replay demonstrations are available on demand to auditors — closing the specific evidence gaps identified in GV.OV-03, GV.MT-02, MAP.5, and MEASURE.2.5.
This is not a future-state proposal. It is a description of what is possible today with existing open standards and available infrastructure.
| Document | Source |
|---|---|
| NIST AI Risk Management Framework (AI RMF 1.0) | NIST AI 100-1, January 2023. doi:10.6028/NIST.AI.100-1 |
| AI Decision Receipt Specification (ADR-SPEC-1.0) | https://spec.tailoredtechworks.net/ — CC BY 4.0 |
| JSON Canonicalization Scheme (RFC 8785) | IETF RFC 8785, June 2020. rfc-editor.org/rfc/rfc8785 |
| JSON Web Key Sets (RFC 7517) | IETF RFC 7517, May 2015. rfc-editor.org/rfc/rfc7517 |
| W3C Verifiable Credentials Data Model v1.1 | w3.org/TR/vc-data-model |
| RFC 3161 — Internet X.509 PKI Time-Stamp Protocol (TSP) | IETF RFC 3161, August 2001. |
| NIST OSCAL Assessment Results Model v1.0.4 | NIST Open Security Controls Assessment Language. pages.nist.gov/OSCAL |
| NIST SP 800-92 — Guide to Computer Security Log Management | NIST Special Publication 800-92, September 2006. |
| AICPA SOC 2 Trust Services Criteria — CC6, CC7 | AICPA TSC, 2017 (with 2022 points of focus). aicpa.org |
| HIPAA Security Rule — 45 CFR Part 164 | HHS, hhs.gov/hipaa |