Where PLICA fits in your governance stack.
Control-alignment mappings for EU AI Act, ISO 42001, NIST AI RMF, OWASP Agentic AI, and AMLR ongoing monitoring — the gap each framework leaves open, and the evidence layer that closes it.
Every major AI governance framework requires data provenance, traceability, and auditability. None of them specifies how to prove that the document an AI model evaluated was the document that was actually submitted — before the ingestion pipeline compressed it, stripped its metadata, and discarded the forensic signals that would have validated it.
This is the PIPL (Pipeline-Induced Provenance Loss) effect. It is present in every production AI pipeline. It is an undocumented data quality deficiency under A.7.3 (ISO 42001), a traceability gap under NIST MEASURE, and a systematic blind spot in every document-based AML monitoring framework.
PLICA's Intake Evidence Layer captures a cryptographic record of the object at the edge — before the pipeline modifies it — and produces verifiable Forensic Reason Codes for every decision. That record is what closes the gap.
ISO 42001 AIMS certification requires demonstrable data provenance (A.7), continuous risk assessment (A.4), and input-level transparency (A.5). Standard implementations audit model logic but cannot prove the input object was unmodified at the moment of inference — leaving a data quality deficiency that becomes visible the first time an auditor asks for evidence.
The EU AI Act's high-risk system requirements mandate data governance, logging, transparency, and human oversight. Article 10 requires that input data be relevant, representative, and free from errors. In production, pipeline-induced degradation means input data quality cannot be asserted at inference time — only at upload time, if captured.
The NIST AI RMF MEASURE and MANAGE functions require repeatable, documented risk measurement with verifiable artifacts. GOVERN demands provenance and attribution for accountability. The framework is deliberately silent on the technical mechanism — PLICA provides the object-level evidence layer that makes these claims measurable rather than asserted.
The OWASP Agentic AI report mandates decision-level traceability for regulated workflows and calls execution provenance as important as artifact integrity. It does not define a separate control for the input object layer — what the agent evaluated before deciding. That gap is the attack surface. Three document-layer attacks pass every OWASP control; all three fail object-level forensic analysis.
The AMLR ongoing monitoring guidelines require data of sufficient quality and integrity, treat authenticity doubts as a mandatory event trigger, and call for deficiencies to be documented and mitigated. They do not specify how an obliged entity proves the intake object was unaltered before the monitoring pipeline processed it — leaving an undocumented data quality deficiency under the very framework that mandates its disclosure.
Request a full mapping
Each mapping document covers the specific control gaps, a full alignment table, and a GTM discovery guide for the relevant buyer persona. Available as PDF for enterprise procurement and audit packages.
ruslanm@plicaforensic.com