The Decision Provenance Standard and the Frameworks It Converses With
The Decision Provenance Standard™ · v1.0 · open standard, CC-BY 4.0
Read the firewall first
The Decision Provenance Standard's records are audit-ready decision provenance: a structured record of how a decision was made, by whom, against which inputs, with what review, and sealed at what moment. Across every framework below, those records function as an input substrate — material that compliance, audit, and governance personnel use when preparing their own work product.
The Standard informs each framework without satisfying it. A record produced under the Standard may be cited as supporting input; it does not satisfy, ensure, certify, or substitute for any control, requirement, or audit obligation under any framework named here. The obligation belongs to the obligated party and is discharged by that party's qualified personnel — counsel, compliance officers, internal auditors, third-party assessors, and certification bodies. The Standard documents process; those personnel make the substantive determinations.
This sheet is grounded strictly in Companion A — Regulatory Cross-References. Each row carries that framework's own non-claim. Nothing here is legal advice.
AI-governance frameworks
| Framework | What it governs | What the Standard contributes (as input) | What the Standard does NOT do |
|---|---|---|---|
| EU AI Act — Article 14 (Human Oversight) | A provider's design-and-development obligation, paired with deployer-side use obligations, so natural persons can exercise effective human oversight of high-risk AI systems. | Deployer-side: Mode 1 / Mode 2 dispatch structures where oversight is exercised (at authorship vs. at review); the Charter's named accountable owner, escalation rule, and re-decision triggers supply the authority pathway and the monitoring sensitivity oversight presumes. | Does not satisfy, ensure, or certify any Article 14 or Article 26 obligation; does not opine on whether a system is high-risk, whether a deployer discharged Article 26, or whether oversight personnel have the required competence. |
| EU AI Act — Article 17 (Quality Management System) | A provider's obligation to put a quality management system in place for high-risk AI systems. | Bounded: the Standard's territory is the deployer side; the Charter's ai_system_identity field points at the AI system the deployer uses. | Does not constitute, replace, or contribute structurally to Article 17 QMS documentation; a deployer that is also a provider discharges Article 17 through its own provider-side QMS. |
| EU AI Act — Article 50 (Transparency) | Disclosure obligations when an AI system's output reaches a natural person. | Mode 2 dispatch is the trigger; the five-field disclosure-metadata schema (declaring authority, AI system identity, jurisdiction, content type, timestamp) structures the inputs a named human uses to disclose. | Does not discharge the disclosure obligation; does not generate, approve, or substitute for the disclosure text, and does not opine on whether a given artifact is within Article 50's substantive scope. |
| EU GDPR — Article 17 (Right to Erasure) | A data subject's right to obtain erasure of personal data, subject to the Article 17(3) exceptions. | The redaction-event record pattern documents the lawful basis for archival retention; the seal makes the retained record tamper-evident, which is what makes archival retention defensible. | Does not opine on whether any erasure request applies, whether an Article 17(3) exception holds, or whether a deletion method is adequate under a given jurisdiction's interpretation. |
| EU GDPR — Article 22 (Automated individual decision-making) | Constraints on decisions based solely on automated processing producing legal or similarly significant effects. | The Standard's records inform the controller's Article 22 work. Where the decision is an employment decision, the stricter HR-side firewall below applies. | Does not satisfy GDPR; the Article 22 obligations belong to the controller. |
| NIST AI RMF — Manage 4.1 (post-deployment monitoring) | A voluntary U.S. framework; Manage 4.1 addresses continuous documentation of how AI risks are managed post-deployment. | The Charter's schedule of records is a continuous-documentation commitment (every decision in the class becomes a record); re-decision triggers are the structural shape of "significant performance change" sensitivity. | Does not satisfy or certify any AI RMF outcome (the framework is voluntary and imposes no obligation); does not opine on the broader program's Govern/Map/Measure/Manage maturity. |
| ISO/IEC 42001:2023 (AI Management Systems) | A certifiable international management-system standard; an accredited body audits the AI management system as a whole. | The Charter is one process artifact within an AIMS scope; the schedule of records is documented information per Annex SL clause 7.5 where the deployer chooses to integrate it. | Does not produce an AIMS or an AIMS conformance assessment; the Standard's conformance levels are not ISO/IEC 42001 maturity levels and there is no defined cross-walk. The accredited certification body issues the certificate. |
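The GDPR Article 17 row above depends on a property the table states but does not show: a seal that stays tamper-evident after personal data has been erased from the record. The block below is an added illustration, not the Standard's own seal format (Companion A does not specify one here). It assumes a hypothetical design: each field gets a salted SHA-256 commitment, the seal binds the set of commitments plus the previous record's seal into a hash chain, and a redaction erases a field's value and salt while leaving its commitment, so the original seal still verifies and the gap is visible. Field names follow the five-field disclosure-metadata schema from the Article 50 row, with one extra constructed field standing in for the personal data to be erased; all values are constructed.

```python
import hashlib
import json
import secrets

# Assumed chain anchor for the first record (hypothetical; not from the Standard).
GENESIS_SEAL = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so sealer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def commit(value, salt: bytes) -> str:
    """Salted SHA-256 commitment to one field. The salt matters once only the
    commitment survives: without it, a low-entropy value such as a jurisdiction
    code could be recovered by guessing."""
    return hashlib.sha256(salt + b"\x00" + canonical(value)).hexdigest()


def _seal_over(prev_seal: str, entries: dict) -> str:
    """Seal = hash of (previous seal, per-field commitments); raw values never enter."""
    commitments = {name: e["commitment"] for name, e in entries.items()}
    return hashlib.sha256(canonical({"prev": prev_seal, "fields": commitments})).hexdigest()


def seal_record(fields: dict, prev_seal: str) -> dict:
    """Commit to each field separately, then seal the commitment set. Because the
    seal binds commitments rather than values, a value (and its salt) can be
    erased later without breaking the seal."""
    entries = {}
    for name, value in fields.items():
        salt = secrets.token_bytes(16)
        entries[name] = {"value": value, "salt": salt.hex(),
                         "commitment": commit(value, salt)}
    return {"prev": prev_seal, "entries": entries,
            "seal": _seal_over(prev_seal, entries)}


def redact_field(record: dict, name: str) -> None:
    """Erase a field's value and salt in place. Only the commitment remains, so
    the seal still verifies and any verifier can see that something was removed."""
    record["entries"][name] = {"commitment": record["entries"][name]["commitment"]}


def verify_record(record: dict) -> bool:
    """Every surviving value must match its commitment, and the seal must match
    the commitment set; a redacted entry is checked only through its commitment."""
    for entry in record["entries"].values():
        if "value" in entry and commit(entry["value"], bytes.fromhex(entry["salt"])) != entry["commitment"]:
            return False
    return _seal_over(record["prev"], record["entries"]) == record["seal"]


def verify_chain(chain: list) -> bool:
    """Walk the chain: each record must link to the previous seal and verify."""
    prev = GENESIS_SEAL
    for record in chain:
        if record["prev"] != prev or not verify_record(record):
            return False
        prev = record["seal"]
    return True


def demo() -> dict:
    """Seal a disclosure-metadata record, append a redaction event, then show
    that the chain still verifies and that a later silent edit is detected."""
    disclosure = {  # constructed values; names follow the five-field schema
        "declaring_authority": "named human on the deployer side",
        "ai_system_identity": "hypothetical-system-id",
        "jurisdiction": "EU",
        "content_type": "text",
        "timestamp": "2024-01-01T00:00:00Z",
        "data_subject_ref": "constructed-subject-reference",  # personal data, erased below
    }
    first = seal_record(disclosure, GENESIS_SEAL)
    chain = [first]
    ok_before = verify_chain(chain)

    redact_field(first, "data_subject_ref")
    redaction_event = {  # the event is itself a sealed record pointing at its target
        "event": "redaction",
        "target_seal": first["seal"],
        "field": "data_subject_ref",
        "basis_recorded_by": "controller (substantive determination not made here)",
        "timestamp": "2024-02-01T00:00:00Z",
    }
    chain.append(seal_record(redaction_event, first["seal"]))
    ok_after_redaction = verify_chain(chain)

    first["entries"]["jurisdiction"]["value"] = "US"  # silent edit of a surviving field
    tamper_detected = not verify_chain(chain)
    return {"ok_before": ok_before, "ok_after_redaction": ok_after_redaction,
            "tamper_detected": tamper_detected, "records": len(chain)}
```

The design choice worth noting is that the salt is erased together with the value: keeping it would let anyone holding the archived record brute-force a short field against its commitment, which would defeat the erasure. What the redaction event records (which field, against which seal, when) is provenance of the erasure; whether the erasure was required, and on what basis, remains the controller's determination, as the row says.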
Internal-control and oversight backbone
| Framework | What it governs | What the Standard contributes (as input) | What the Standard does NOT do |
|---|---|---|---|
| Caremark / Marchand v. Barnhill (Delaware) | Board-of-directors oversight duties under Delaware corporate law, the subject these cases address. | For board-reserved decision classes, the Charter and the sealed affirmation lifecycle produce a structured record of who held authority, on what cadence, with what triggers — material a board, its committees, and its counsel may use as input. | Does not constitute Caremark/Marchand compliance, does not satisfy a board's oversight duties, and does not characterize what the cases hold; legal sufficiency is a substantive determination by counsel admitted in Delaware. |
| COSO 2013 (Internal Control – Integrated Framework) | The design, implementation, and assessment of internal control across five components and seventeen principles. | Maps at the component level: the Charter (Control Environment), re-decision triggers (Risk Assessment), the Mode dispatch state (Control Activities), the schedule of records (Information and Communication), and the continuous-by-design schedule plus conformance grading (Monitoring Activities, most distinctively Principles 16–17). | Is not, individually or in combination, an internal control system; the design and operating effectiveness of the reader's control system is a determination by qualified personnel. |
| SOX § 404 (Management Assessment of ICFR) | Management's assessment of internal control over financial reporting at in-scope issuers, plus the external-auditor attestation. | Where § 404 applicability is independently established, the Charter, schedule of records, and sealed affirmation events are structured inputs to the management assessment and the auditor's audit-trail testing. | Does not constitute § 404 compliance, does not produce a management assessment or auditor attestation, and does not establish applicability; many adopters are not issuers and are outside § 404's direct scope. |
| SOC 2 Type II (AICPA Trust Services Criteria) | An independent CPA's report on the design and operating effectiveness of a service organization's controls over a period (Security, Availability, Processing Integrity, Confidentiality, Privacy). | Maps at the criterion-category level; the continuous-by-design schedule of records aligns structurally with the operating-effectiveness-over-period evaluation a Type II engagement performs. | Is not a control set and does not produce a SOC 2 Type II report; the opinion is the service auditor's, reached under the Trust Services Criteria and AICPA standards. |
HR-side regimes (stricter firewall)
The HR-side regulatory regimes carry direct private-right-of-action exposure that most AI-governance regimes do not yet carry; the litigation pathway is shorter, so the "informs without satisfying" firewall is stricter here. The Standard does not authorize, validate, certify, or recommend any deployer's use of its records as input to employment decisions under any of these regimes.
| Framework | What it governs | What the Standard contributes (as input) | What the Standard does NOT do |
|---|---|---|---|
| NYC Local Law 144 (Automated Employment Decision Tools) | Bias-audit, public-summary, and candidate-notice obligations on AEDTs used in NYC hiring, promotion, retention, or termination. | The Standard's records inform the deployer's AEDT bias-audit work. | Does not satisfy NYC LL 144; the AEDT obligations belong to the deployer as AEDT operator. |
| State employment-AI regimes (Colorado SB 24-205, Illinois HB 3773, California ADMT proposed regs) | Risk-assessment, anti-discrimination, and notice-and-explanation obligations on consequential employment decisions substantially assisted by automated systems. | The Standard's records inform the deployer's risk-assessment and notice work. | Does not satisfy any state-level regime. |
| EU AI Act — Annex III (employment-side high-risk) | Lists recruitment, performance-evaluation, work-allocation, and monitoring AI systems as high-risk, bringing them under the Articles 8–17 high-risk obligations. | The Standard's records inform the deployer's Annex III conformity-assessment work. | Does not satisfy the EU AI Act high-risk obligations. |
| EU Platform Work Directive / UK ICO Monitoring Guidance / Israel PPL 5741-1981 | Algorithmic-management transparency, workplace-monitoring proportionality, and employment-data consent/purpose-limitation obligations. | The Standard's records inform the deployer's work under each regime. | Does not satisfy any of these regimes; the obligations belong to the deployer, controller, or employer of record. |
Across every row above: the Standard does not authorize, validate, certify, or recommend any deployer's use of its records as input to an employment decision under any of these regimes.
The discipline behind every row
The mapping is structural, not substantive. In each case the Standard's primitives are an input substrate; the conversion from a structured record into legal evidence, an audit attestation, a regulatory filing, or a board-oversight finding is performed by qualified personnel under their own professional standards. Decision provenance is upstream of those determinations — it is not the determinations themselves.
Jurisdiction assumed: U.S. federal and Delaware (primary); United Kingdom, the European Union, and Israel (named secondaries). The traditional frameworks above are predominantly U.S. in origin; for non-U.S. jurisdictions, the cross-reference to local analogues is performed by counsel admitted in that jurisdiction. Not legal advice.