βš–οΈ AI Governance Map

Frameworks Tracked: 4 (EU AI Act · ISO 42001 · NIST RMF · OECD)
Active Obligations: 16 (6 mandatory · 10 recommended)
Controls Scored: 0 out of 8 with maturity ≥ 1
Next Deadline: 59d (EU Transparency Rules · Aug 2, 2026)

📈 Compliance Progress by Layer

Legal Obligations: 72%
Management System: 58%
Risk Operations: 45%
Evidence & Artifacts: 31%
Monitoring & Remediation: 40%

🎯 Maturity Posture Radar (CCM v4.1.0)

Average maturity per domain — scores updated live from the Controls tab

⏰ Upcoming Obligations

Obligation | Framework | Effective Date | Status
Disclose AI interaction | EU AI Act | 2026-08-02 | Due in 59 days
Human oversight for high-risk | EU AI Act | 2027-12-02 | Upcoming
Logging & traceability | EU AI Act | 2027-12-02 | Upcoming
Control documented information | ISO 42001 | Ongoing | Active

📅 EU AI Act Application Timeline

🔥 Governance Risk Heatmap — Likelihood × Impact

🩺 NHID‑Clinical v1.3 — Voice Agent Conformance

A voluntary conformance framework for AI voice agents in B2B healthcare payer‑provider workflows. Its four behavioral controls are: disclosure of AI identity before any data exchange, no human voice mimicry, human handoff on request, and a minimal audit log.

Control | Requirement | Status
DISC‑01 | Disclose AI identity before any data exchange | ✅ Conformant
MIME‑01 | No human voice mimicry or impersonation | ✅ Conformant
HAND‑01 | Offer human handoff on request | ✅ Conformant
LOG‑01 | Minimal audit log of call and disclosures | ✅ Conformant
AUTH‑01 | Verify caller authorization / NPI delegation | ⚠️ Gap — Not in v1.3

Conformance Score: 4/5 controls

⚠️ v1.3 does not verify caller authorization (AUTH‑01). A spoofed NPI + voice AI can pass all four behavioral controls while completely bypassing identity verification.

🔬 Test the AUTH‑01 Gap — Open Spoofed Identity Simulator →

Interactively demonstrates why disclosure alone is not enough to prevent spoofed-identity attacks in B2B healthcare voice channels.

🔗 NHID‑Clinical in the 5‑Layer Trust Stack for B2B Healthcare Voice

Layer | Scope
Layer 0 | NPI Registry — no delegation proof, no call-time authorization
Layer 1 | STIR/SHAKEN — carrier attestation (A/B/C levels), verifies phone number origin only
Layer 2 ★ | NHID‑Clinical v1.3 — Behavioral Baseline (disclosure, no mimicry, handoff, audit log)
Layer 3 | NHID‑Auth v1.4 — Ed25519 delegation chain + DPoP call‑nonce binding (closes AUTH‑01)
Layer 4 | FHIR AuditEvent R4 / IHE BALP — healthcare‑native structured logging
Layer 5 | OpenTelemetry spans → SIEM / enterprise observability pipeline

★ NHID‑Clinical is the governance spec that connects these layers for cross‑organizational, real‑time voice‑channel authorization. AUTH‑01 is closed only at Layer 3 and above.

📋 NHID‑Clinical Compliant Event Trace Example

{
  "call_id": "nhid-call-2026-06-04-001",
  "agent_id": "brianna-voice-agent-v3",
  "start_time": "2026-06-04T09:12:00Z",
  "disclosure_time": "2026-06-04T09:12:02Z",
  "disclosure_text": "I'm an automated assistant from Dr. Smith's office.",
  "operational_data_exchanged": "09:12:08Z",
  "human_handoff_requested": true,
  "handoff_time": "2026-06-04T09:12:22Z",
  "audit_log_complete": true,
  "deceptive_artifacts_detected": false,
  "auth_01_verified": false,
  "nhid_clinical_score": "4/5"
}

This trace passes all four behavioral controls (DISC‑01, MIME‑01, HAND‑01, LOG‑01), but AUTH‑01 remains unverified (`auth_01_verified` is false: the NPI was never cryptographically verified) — a spoofed caller would produce an identical trace.
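To make the gap concrete from the defender's side, here is an added example (not code from the dashboard or from the NHID‑Clinical spec) that scores a trace like the one above against the five controls and reports, separately from the score, whether caller identity was actually established. The field names are taken from the page's trace; the evaluation rules (how each control is read from the fields, and that a bare time such as "09:12:08Z" takes its date from `start_time`) and the function names `evaluate`, `score`, `identity_established` and `report` are this example's own assumptions. A second, constructed trace with a late disclosure shows DISC‑01 failing.

```python
"""NHID-Clinical v1.3 trace conformance checker (added example, not the spec's
or the dashboard's own code).

Scores a call trace against the five controls and reports separately whether
caller identity was established (AUTH-01): a trace can score 4/5 on the four
behavioral controls alone, which is exactly the gap described on the page.
"""
import json
from datetime import datetime, timezone

# Trace copied from the page's example (the inline comment removed so it is
# valid JSON).
PAGE_TRACE = """{
  "call_id": "nhid-call-2026-06-04-001",
  "agent_id": "brianna-voice-agent-v3",
  "start_time": "2026-06-04T09:12:00Z",
  "disclosure_time": "2026-06-04T09:12:02Z",
  "disclosure_text": "I'm an automated assistant from Dr. Smith's office.",
  "operational_data_exchanged": "09:12:08Z",
  "human_handoff_requested": true,
  "handoff_time": "2026-06-04T09:12:22Z",
  "audit_log_complete": true,
  "deceptive_artifacts_detected": false,
  "auth_01_verified": false,
  "nhid_clinical_score": "4/5"
}"""

# Constructed variant: disclosure happens after operational data was exchanged.
_late = json.loads(PAGE_TRACE)
_late.update({"call_id": "constructed-late-disclosure",
              "disclosure_time": "2026-06-04T09:12:10Z"})
LATE_DISCLOSURE_TRACE = json.dumps(_late)

CONTROLS = ("DISC-01", "MIME-01", "HAND-01", "LOG-01", "AUTH-01")
BEHAVIORAL = CONTROLS[:4]


def _parse_ts(value, reference):
    """Parse an ISO-8601 UTC timestamp. The page's trace writes one field as a
    bare time ("09:12:08Z"); this example assumes such a value belongs to the
    date of `reference` (the call's start_time)."""
    if value is None:
        return None
    if "T" not in value:
        value = reference[:10] + "T" + value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(trace):
    """Return {control: passed} for one parsed trace (rules are this example's
    reading of the control descriptions, not normative text)."""
    start = trace["start_time"]
    disclosed = _parse_ts(trace.get("disclosure_time"), start)
    exchanged = _parse_ts(trace.get("operational_data_exchanged"), start)
    handoff = _parse_ts(trace.get("handoff_time"), start)

    results = {}
    # DISC-01: AI identity disclosed, and before any operational data exchange.
    results["DISC-01"] = (disclosed is not None
                          and bool(trace.get("disclosure_text"))
                          and (exchanged is None or disclosed <= exchanged))
    # MIME-01: no deceptive artifacts (voice mimicry, impersonation) detected.
    results["MIME-01"] = trace.get("deceptive_artifacts_detected") is False
    # HAND-01: if a human was requested, a handoff happened after disclosure.
    if trace.get("human_handoff_requested"):
        results["HAND-01"] = (handoff is not None and disclosed is not None
                              and handoff >= disclosed)
    else:
        results["HAND-01"] = True  # nothing requested, nothing to fail
    # LOG-01: the minimal audit log is complete.
    results["LOG-01"] = trace.get("audit_log_complete") is True
    # AUTH-01: caller authorization / NPI delegation cryptographically verified.
    results["AUTH-01"] = trace.get("auth_01_verified") is True
    return results


def score(results):
    """Conformance score in the page's "passed/total" form."""
    return f"{sum(results.values())}/{len(results)}"


def identity_established(results):
    """Identity is only ever established by AUTH-01; the behavioral controls
    say nothing about who is calling."""
    return results["AUTH-01"]


def report(trace_json):
    """Full report for a JSON trace string."""
    trace = json.loads(trace_json)
    results = evaluate(trace)
    return {"call_id": trace["call_id"],
            "controls": results,
            "score": score(results),
            "identity_established": identity_established(results)}


if __name__ == "__main__":
    for t in (PAGE_TRACE, LATE_DISCLOSURE_TRACE):
        print(json.dumps(report(t), indent=2))
```

The point of keeping `identity_established` separate from `score` is that a dashboard showing "4/5 conformant" reads as near-complete, while the only control that would distinguish the legitimate office from a spoofed caller is the one that failed; a consumer of these traces should key access decisions on the AUTH‑01 result, not on the aggregate score.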