
Draft evidence mapping

First public draft mapping (Jul 2026). FS AI RMF is a voluntary framework: SSX360 produces evidence aligned to it and is not certified by it. Scope: SDLC, change-management, and audit-trail themes for agent-assisted software changes.

Framework: FS AI RMF (Feb 2026, CRI/FSSCC). IDs below are internal shorthand — not official RCM reference numbers.

What SSX360 covers

| Theme | Function | Control need | SSX360 artifact |
|---|---|---|---|
| Change authorization | Manage | Agent-assisted merges to protected branches are authorized and attributable | Signed commit envelope (provenance.actor, provenance.tool, provenance.scope) |
| Integrity before deploy | Manage | Changes are verified before production paths update | Scroll Gate CI result per PR (ssx360 check --pr) |
| Tamper-evident record | Govern / Manage | Audit trail survives independent review | Ed25519 signature on envelope — offline verify in CLI or browser |
| Export for review | Govern | Evidence consumable without trusting SSX360 | ssx360-ledger --export → ssx360.evidence-pack.v1 JSON |
| Agent registry | Govern | Declared agents/tools tracked over time | Approved-agent registry snapshot in evidence pack |
| Payments / ledger paths | Manage | Financial-infra code paths gated | Policy preset financial-infra on payments/**, ledger/** |

Representative mapping rows (SDLC slice)

| ID | Control objective theme | Evidence SSX360 produces |
|---|---|---|
| SDLC-01 | Software changes attributable to human or agent actor | Envelope provenance.actor_type, provenance.tool |
| SDLC-02 | Unauthorized changes blocked on critical branches | Scroll Gate blocked / review events in ledger |
| SDLC-03 | Change record exportable for independent verification | Signed evidence pack + detached signature |
| SDLC-04 | Agent tooling declared at commit time | MCP / hook metadata in envelope |
| SDLC-05 | Payments-adjacent paths require trusted actor | financial-infra policy rule outcomes |
| AUD-01 | Sample-ready JSON for assessor review | compliance_mappings[] includes FS AI RMF entry |
| AUD-02 | Offline verification without platform trust | matrixscroll verify / browser verifier at ssx360.com/verify |
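The tamper-evident record and AUD-02 rows above rest on one property: a detached Ed25519 signature over the commit envelope lets a reviewer check the record with nothing but the public key, the envelope and the signature. The Go program below is an added illustration of that check, not SSX360's own code or schema: it reuses the provenance field names cited in the tables (actor, actor_type, tool, scope), while the envelope layout, the canonicalization rule, the sample values and the function names (Sign, Verify, Roundtrip) are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Field names follow the mapping above (actor, actor_type, tool, scope); the
// envelope layout itself is an assumption for this example, not SSX360's schema.
type Provenance struct {
	Actor     string `json:"actor"`
	ActorType string `json:"actor_type"`
	Tool      string `json:"tool"`
	Scope     string `json:"scope"`
}
type Envelope struct {
	Commit     string     `json:"commit"`
	Provenance Provenance `json:"provenance"`
}
// canonical returns the bytes that get signed: encoding/json writes struct fields
// in declaration order with no whitespace, so signer and verifier see the same bytes.
func canonical(e Envelope) []byte {
	b, _ := json.Marshal(e) // a struct of plain strings cannot fail to marshal
	return b
}
// Sign produces a detached Ed25519 signature over the canonical envelope.
func Sign(priv ed25519.PrivateKey, e Envelope) []byte { return ed25519.Sign(priv, canonical(e)) }
// Verify needs only the public key, envelope and detached signature: no network, no platform trust.
func Verify(pub ed25519.PublicKey, e Envelope, sig []byte) bool {
	return ed25519.Verify(pub, canonical(e), sig)
}
// Roundtrip signs a constructed envelope, then verifies it untouched and after the
// actor field is edited. Returns (untouchedOK, tamperedOK).
func Roundtrip() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	env := Envelope{Commit: "0123456789abcdef0123456789abcdef01234567", Provenance: Provenance{ // constructed sample
		Actor: "dev@example.com", ActorType: "agent", Tool: "example-agent", Scope: "payments/**"}}
	sig := Sign(priv, env)
	tampered := env
	tampered.Provenance.Actor = "someone-else@example.com"
	return Verify(pub, env, sig), Verify(pub, tampered, sig)
}
func main() {
	ok, tamperedOK := Roundtrip()
	fmt.Println("untouched verifies:", ok, "tampered verifies:", tamperedOK)
}
```

Any edit to the envelope after signing, including a one-character change to the actor, makes Verify return false, which is what lets an assessor rely on the exported record without trusting the platform that produced it.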

PCI DSS v4.0.1 Req 6.5 pairing

Same change-management evidence class — FS AI RMF opens the conversation; PCI and SOC 2 close where assessors write the invoice.

| PCI need | SSX360 evidence |
|---|---|
| Authorized custom software changes | Protected-branch Scroll Gate |
| Trace agent-assisted edits | Signed envelope per commit |
| Assessor review | Evidence pack sample + offline verify |

Claims ladder

Allowed

  • produces evidence aligned to FS AI RMF
  • readiness for voluntary control objectives
  • scoped SDLC / change-management slice

Not allowed

  • FS AI RMF certified
  • required by FS AI RMF
  • covers all 230 objectives

Explicitly out of scope

  • Model risk management and training-data governance
  • Board-level AI governance programs
  • Third-party AI vendor due diligence (beyond your code changes)
  • Full 230 FS AI RMF control objectives

We welcome feedback on this draft mapping — email mission@ssx360.com or use the contact form.
