AI Posture alongside ISO/IEC 42001 and NIST AI RMF
AI Posture does not replace your governance program. It is the public, machine-readable output of one. Run NIST AI RMF or ISO/IEC 42001 to govern your inputs; publish your AI Posture as the externally comparable summary of what those programs have actually produced.
The specification states this as a first principle: AI Posture is orthogonal to NIST AI RMF, ISO/IEC 42001, EU AI Act conformance programs, and similar regimes. Those frameworks measure program design, governance structure, and remediation discipline. AI Posture measures externally inspectable output behavior, across three vectors, bounded by the weakest. The two are complementary. Where a framework is required, it remains required; AI Posture does not substitute for it.
What sits where
| Family | Measures | How AI Posture relates |
|---|---|---|
| Governance management systems | The governance program: policies, roles, procedures, management reviews, internal controls. | The program can organize the work and produce the evidence. AI Posture reports whether the work has produced defensible behavior. The program is not itself the posture. |
| Risk frameworks | Risks, harms, controls, likelihood, severity, treatment plans. | AI Posture is progressive maturity, not exposure scoring. New risk can reveal a bounded scope or an unmet obligation, but exposure alone does not erase mature behavior already evidenced. |
| Compliance and legal conformance | Obligations in a statute, regulation, contract, or jurisdiction. | Regulation is one vector of three. A strong Regulation vector does not prove mature People or Infrastructure behavior. AI Posture prevents compliance maturity from being mistaken for whole-organization readiness. |
| Capability maturity models | Process maturity across staged levels. | AI Posture applies one shared level shape across multiple actor classes and aggregates by the minimum in-scope vector. It is a cross-vector constraint, not a process average. |
| Behavior-change and adoption models | Human adoption, training, norms, incentives, behavior over time. | People is one vector. AI Posture rejects sentiment alone as maturity evidence and requires behavior that can be inspected while preserving privacy. |
Why a separate measurement at all
A governance program is run privately and reported in prose. A board, a regulator, a partner, or an agent then has to take that prose on trust. AI Posture is the artifact those readers can act on without reading the full internal program: a score, a declared scope, per-vector levels, a next-review date, and evidence paths, all machine-readable. It says what is asserted, what is estimated, what is verified, and when it was stamped.
Guardrails
- AI Posture does not replace any named framework, and claims none of their conformance.
- It is not a certification, audit, legal advice, or compliance guarantee.
- Reference implementations are not required to hold or publish a posture.
- Vector levels are never averaged into a more flattering score.
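
A reader-side check of the minimum-vector rule and the declaration contents described above, as an added example that is not code from the specification or its reference implementations. The JSON field names, the integer level scale, and the evidence paths are assumptions made for illustration; the sample declaration is constructed.

```python
import json
from datetime import date

# Constructed sample. Field names and the integer level scale are assumptions
# for this example, not the specification's declaration format.
SAMPLE = json.loads("""
{
  "score": 3,
  "stamped": "2025-01-15",
  "next_review": "2025-07-15",
  "vectors": {
    "people":         {"in_scope": true, "level": 3, "status": "estimated", "evidence": ["evidence/people.md"]},
    "infrastructure": {"in_scope": true, "level": 2, "status": "verified",  "evidence": ["evidence/infra.md"]},
    "regulation":     {"in_scope": true, "level": 4, "status": "verified",  "evidence": []}
  }
}
""")

STATUSES = {"asserted", "estimated", "verified"}


def check_declaration(decl, today):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    in_scope = {n: v for n, v in decl["vectors"].items() if v["in_scope"]}
    if not in_scope:
        return ["no vector is in scope, so no score can be derived"]
    # The score is bounded by the weakest in-scope vector, never an average.
    weakest = min(in_scope, key=lambda n: in_scope[n]["level"])
    bound = in_scope[weakest]["level"]
    if decl["score"] > bound:
        findings.append(f"score {decl['score']} exceeds weakest in-scope vector {weakest} ({bound})")
    for name, vec in in_scope.items():
        if vec["status"] not in STATUSES:
            findings.append(f"{name}: unknown status {vec['status']!r}")
        elif vec["status"] == "verified" and not vec["evidence"]:
            findings.append(f"{name}: marked verified but lists no evidence path")
    if date.fromisoformat(decl["next_review"]) < today:
        findings.append(f"next review date {decl['next_review']} has passed")
    return findings


if __name__ == "__main__":
    # The sample score of 3 is the average of 3, 2 and 4, so it is flagged.
    for finding in check_declaration(SAMPLE, date(2025, 3, 1)):
        print(finding)
```
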
The full design rationale is in the specification and the non-normative adjacent-framework crosswalk research note. To publish your own posture, see the declaration format and the declaration viewer.