AI-SPM framework mapping and scoring
AQtive Guard AI Security Posture Management (AI-SPM) uses a configuration-driven approach to link technical findings to framework categories. This provides visibility into how technical risks in your scanned AI assets may affect your broader compliance goals.
Framework mapping methodology
The SandboxAQ AI security team links technical checks to official framework requirements, such as the EU AI Act, ETSI EN 304 223 – AI Security Principles, NIST AI RMF, and the OWASP LLM Top 10.
- Requirement grouping – Related requirements are grouped into technical categories, such as Technical robustness and safety or Transparency.
- Curated alignment – AI-SPM rules that have a clear impact on the category are manually mapped to these categories. A single AI-SPM technical rule may contribute to multiple categories.
- Partial coverage – Because frameworks are high-level, mappings cover only specific, well-defined technical signals that correspond to the technical risks measured by the SandboxAQ AI product. Categories that describe purely organizational or human-only activities, or whose technical checks are not measured by the product, are excluded from automated checks.
Framework posture score
AQtive Guard calculates the Framework progress score as a high-level risk indicator of how well the AI assets scanned by AQtive Guard align with the technical risks mapped to a given framework:
- Category health – A category is considered healthy if it has no flagged Critical or High severity technical risks.
- Score calculation – The score is the percentage of framework categories with at least one mapped rule that are currently healthy.
- Lower-severity findings – Medium, Low, and Informational issues do not reduce the Framework progress score, but they appear in Risk level breakdown and Category results to support long-term remediation planning.
Framework progress score calculation
The Framework progress score is calculated as the percentage of healthy categories relative to the total number of categories with at least one mapped rule.
Example
If a framework has 10 categories and 8 have no Critical or High severity issues, the Framework progress score is 80%.
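The following is an added, illustrative re-implementation of the scoring rule described above; it is not AQtive Guard's own code, and the rule identifiers, category names, and findings in it are constructed for the example. It shows the two details the worked example does not: a single rule mapped to several categories makes all of them unhealthy when it has a Critical or High finding, and a category with no mapped rule (here an organizational one) is left out of the denominator entirely.

```python
# Illustrative re-implementation of the Framework progress score rule.
# Not AQtive Guard's code; all identifiers and findings below are constructed.

# Severities that make a category unhealthy. Medium, Low and Informational
# findings are recorded but do not reduce the score.
BLOCKING_SEVERITIES = {"Critical", "High"}

# Hypothetical rule -> category mapping. A rule may map to several categories.
RULE_TO_CATEGORIES = {
    "prompt-injection-unfiltered": {"Technical robustness and safety", "Transparency"},
    "model-weights-public-bucket": {"Technical robustness and safety"},
    "missing-model-card": {"Transparency"},
    "pii-in-training-data": {"Privacy and data governance"},
}

# Hypothetical framework categories. The last one is purely organizational,
# has no mapped rule, and therefore must not count toward the score.
FRAMEWORK_CATEGORIES = [
    "Technical robustness and safety",
    "Transparency",
    "Privacy and data governance",
    "Human agency and oversight",
]

# Constructed findings as (rule_id, severity) pairs from a scan.
SAMPLE_FINDINGS = [
    ("prompt-injection-unfiltered", "Critical"),
    ("missing-model-card", "Medium"),
    ("pii-in-training-data", "Low"),
]


def category_health(findings, rule_map=RULE_TO_CATEGORIES, categories=FRAMEWORK_CATEGORIES):
    """Return {category: is_healthy} for every category with >= 1 mapped rule."""
    mapped = {c for cats in rule_map.values() for c in cats} & set(categories)
    health = {c: True for c in mapped}
    for rule_id, severity in findings:
        if severity not in BLOCKING_SEVERITIES:
            continue  # lower severities never flip a category to unhealthy
        for category in rule_map.get(rule_id, ()):
            if category in health:
                health[category] = False  # one Critical/High is enough
    return health


def progress_score(findings, rule_map=RULE_TO_CATEGORIES, categories=FRAMEWORK_CATEGORIES):
    """Percentage of mapped categories that are healthy, or None if none are mapped."""
    health = category_health(findings, rule_map, categories)
    if not health:
        return None
    return round(100.0 * sum(health.values()) / len(health), 1)


if __name__ == "__main__":
    for category, ok in sorted(category_health(SAMPLE_FINDINGS).items()):
        print(f"{category}: {'healthy' if ok else 'UNHEALTHY'}")
    print(f"Framework progress score: {progress_score(SAMPLE_FINDINGS)}%")
```

With the constructed findings, the single Critical finding marks both categories its rule maps to as unhealthy, the Medium and Low findings change nothing, and the organizational category is excluded, so the score is one healthy category out of three. Downgrading or fixing the Critical finding alone brings the score to 100%, which is the behaviour to expect when prioritising remediation by score impact.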
Limitations and caveats
AI-SPM provides a technical risk posture for discovered assets. It assesses only the scanned data provided by an organization, and only for the defined technical risks. An organization can use this as an input into its overall risk assessment, but AI-SPM does not provide, and should not be relied upon to provide, an assessment of an organization's compliance with applicable legal, technical, or regulatory requirements.
- Technical scope – Mappings only reflect assets onboarded into AI-SPM, such as those discovered via GitHub scanning, and only for the defined technical risks.
- Governance gap – Organizational obligations, such as policy design or stakeholder engagement, must be managed through processes outside AQtive Guard.
- Evolving rules – Scores may change as SandboxAQ adds new rules or updates framework mappings to reflect changing regulations.
For broader assumptions and your responsibilities when using AQtive Guard, see the Use conditions statement.