Boxed.ai

Standards mapping

Mapped to the frameworks your auditor cites by clause number.

Boxed.ai is built around the controls described in ISO/IEC 42001, the NIST AI Risk Management Framework, the EU AI Act and the FCA Handbook. Below is how the product features map to specific clauses and articles — and where the boundaries of the mapping sit.

Alignment, not certification

Boxed.ai supports your firm's alignment with these frameworks. We do not — and will not — claim that the product is itself certified to any of them. Where formal certification of the firm's AI management system is needed, the evidence Boxed.ai produces feeds into that programme.

Built around evidence

Every control on this page exists because something in the framework asks for evidence of it. The audit log schema is deliberately wider than what the gate strictly needs to function — because the auditor will ask for it.

Honest about scope

Boxed.ai sits at the execution boundary. It does not retrain models, does not opine on bias in training data, does not replace a privacy impact assessment. We are explicit about where the product line ends.

ISO/IEC 42001

AI Management System

Published December 2023. The international standard for operating an AI management system. Sets out controls a firm needs to demonstrate it can manage AI responsibly across its lifecycle.

| Clause / requirement | Boxed.ai capability |
| --- | --- |
| Clause 6.1 — Risk and opportunity | Pre-deployment risk scoring; per-agent policy templates |
| Clause 8.2 — Operational planning and control | Policy gate with documented decision rules |
| Clause 8.3 — Impact assessment | Connector and tool risk profile recorded per agent |
| Clause 9.1 — Monitoring and measurement | Tamper-evident log; exception MI dashboards |
| Annex A controls — Logging and traceability | Hash-chained event log with signed export manifests |

NIST AI RMF 1.0

AI Risk Management Framework

US National Institute of Standards and Technology framework for managing AI risk. The four functions — Govern, Map, Measure, Manage — give a common reporting structure for boards and regulators.

| Clause / requirement | Boxed.ai capability |
| --- | --- |
| Govern — accountability structures | Named approver model; SM&CR-aligned approval routing |
| Map — context and risk | Pre-deployment risk scoring of each new agent |
| Measure — risk analysis | Latency, block-rate, false-positive metrics from the gate |
| Manage — risk response | Per-agent and global kill-switch; structured incident log |

EU AI Act

Regulation (EU) 2024/1689

Phased entry into force across 2025–2027. GPAI provider obligations apply from August 2025; the broad obligations on deployers and high-risk system operators apply from August 2026.

| Clause / requirement | Boxed.ai capability |
| --- | --- |
| Article 9 — Risk management system | Continuous risk assessment of agent behaviour |
| Article 12 — Record-keeping | Append-only, tamper-evident event log |
| Article 14 — Human oversight | Approval gates and step-up review on sensitive actions |
| Article 15 — Accuracy, robustness and cybersecurity | Content sanitisation, anomaly detection, kill-switch |

FCA

Conduct rules and supervisory expectations

The Financial Conduct Authority has not issued AI-specific rules at the time of writing, but the Consumer Duty, SM&CR and PS21/3 already cover decisions and communications regardless of how they were produced.

| Clause / requirement | Boxed.ai capability |
| --- | --- |
| Consumer Duty — avoid foreseeable harm | Per-decision evidence trail for client communications |
| SM&CR — senior manager accountability | Named approver and timestamp on every gated action |
| PS21/3 — operational resilience | Service-level kill-switch; tested impact tolerances |
| SYSC — systems and controls | Documented policy templates and exception MI |

Notes for compliance teams

What we'll send you for review.

On request, we'll provide the policy template library, the audit-log schema, an example signed export manifest, the data-flow diagram and the architecture overview — all suitable for sharing with your second line, your external auditor or your firm's data protection officer.

We are early-stage; we will tell you frankly which artefacts are mature and which are still in active iteration. Nothing on this page is a substitute for legal, regulatory or audit advice specific to your firm.
