Claims ladder
Allowed
- ✓ produces evidence aligned to FS AI RMF
- ✓ readiness for voluntary control objectives
- ✓ scoped SDLC / change-management slice
Not allowed
- — FS AI RMF certified
- — required by FS AI RMF
- — covers all 230 objectives
First public draft mapping (Jul 2026). FS AI RMF is a voluntary framework: SSX360 produces evidence for it and is not certified by it. Scope: SDLC, change-management, and audit-trail themes for agent-assisted software changes.
Framework: FS AI RMF (Feb 2026, CRI/FSSCC). IDs below are internal shorthand — not official RCM reference numbers.

| Theme | Function | Control need | SSX360 artifact |
|---|---|---|---|
| Change authorization | Manage | Agent-assisted merges to protected branches are authorized and attributable | Signed commit envelope (`provenance.actor`, `provenance.tool`, `provenance.scope`) |
| Integrity before deploy | Manage | Changes are verified before production paths update | Scroll Gate CI result per PR (`ssx360 check --pr`) |
| Tamper-evident record | Govern / Manage | Audit trail survives independent review | Ed25519 signature on envelope — offline verify in CLI or browser |
| Export for review | Govern | Evidence consumable without trusting SSX360 | `ssx360-ledger --export` → `ssx360.evidence-pack.v1` JSON |
| Agent registry | Govern | Declared agents/tools tracked over time | Approved-agent registry snapshot in evidence pack |
| Payments / ledger paths | Manage | Financial-infra code paths gated | Policy preset `financial-infra` on `payments/**`, `ledger/**` |

| ID | Control objective theme | Evidence SSX360 produces |
|---|---|---|
| SDLC-01 | Software changes attributable to human or agent actor | Envelope `provenance.actor_type`, `provenance.tool` |
| SDLC-02 | Unauthorized changes blocked on critical branches | Scroll Gate blocked / review events in ledger |
| SDLC-03 | Change record exportable for independent verification | Signed evidence pack + detached signature |
| SDLC-04 | Agent tooling declared at commit time | MCP / hook metadata in envelope |
| SDLC-05 | Payments-adjacent paths require trusted actor | `financial-infra` policy rule outcomes |
| AUD-01 | Sample-ready JSON for assessor review | `compliance_mappings[]` includes FS AI RMF entry |
| AUD-02 | Offline verification without platform trust | `matrixscroll verify` / browser verifier at ssx360.com/verify |

Same change-management evidence class — FS AI RMF opens the conversation; PCI and SOC 2 close where assessors write the invoice.

| PCI need | SSX360 evidence |
|---|---|
| Authorized custom software changes | Protected-branch Scroll Gate |
| Trace agent-assisted edits | Signed envelope per commit |
| Assessor review | Evidence pack sample + offline verify |

We welcome feedback on this draft mapping — email mission@ssx360.com or use the contact form.