Frameworks overview & routing

Gamut is multi-framework. A single AI system can be assessed against one framework or several, and the risk tier set at intake, together with the ACRS capability score for agentic systems, routes the right controls to each system.

This page explains how frameworks work in Gamut and how to choose between them. Each framework has its own page with detail.

Why framework references are used

Gamut uses framework names, article numbers, clause labels and control IDs to help you organise governance work, for navigation, assessment workflow and crosswalk traceability.

Not endorsements, not legal advice

Framework references in Gamut are not endorsements by the framework owners, and the product does not replace licensed standards, legal advice, certification audits or regulator guidance. Third-party standard text is not reproduced. Always work from a licensed copy of any standard and obtain appropriate legal or regulatory advice.

The frameworks at a glance

Gamut-native frameworks

Developed by Gamut as part of the platform:

Framework	Structure
GTSAF	358 controls across 17 domains (A to Q); 71 gate, 70 critical.
ATF	5 control elements, 4 autonomy levels, 5 promotion gates.
ACRS	4 capability dimensions, score to 81, 3 risk bands.
MAESTRO	7 architectural layers, 5-level threat severity scale.

Public and third-party references

Mapping Gamut’s workflow to widely used external regimes and standards, at a product-safe level:

Reference	Structure
EU AI Act	6 risk classes, 11 assessment categories anchored to articles.
NIST AI RMF	4 functions: Govern, Map, Measure, Manage.
ISO/IEC 42001	Clauses 4 to 10 plus Annex A controls (8 sections).
ISO/IEC 42005	AI impact assessment across 5 sections.
NAGF	Nigerian AI governance, 7 sections, around 80 items.

How crosswalks work

GTSAF is the hub. Every one of its 358 controls carries audited crosswalk mappings to the EU AI Act, ISO/IEC 42001, ISO/IEC 42005 and NIST AI RMF. Because evidence attaches to GTSAF controls and those controls map outward, a single body of governance work supports several regimes at once, and a reviewer can trace any conclusion across frameworks.

See the GTSAF crosswalk table for the domain-by-domain mapping.

How routing works

1. Register the AI system and complete intake.
2. The risk tier highlights which frameworks and control depth are most relevant. For agentic systems, the ACRS score routes the right GTSAF control depth (baseline, enhanced or comprehensive).
3. You assess the system against one or more frameworks, recording rationale and evidence.
4. Shared evidence and findings mean work done for one framework supports the others through crosswalk traceability.

Choosing a framework

• Need to demonstrate regulatory readiness in the EU? Start with EU AI Act readiness.
• Want maximum assurance depth? Use GTSAF.
• Aligning to a recognised standard? Use NIST AI RMF or ISO/IEC 42001.
• Running an impact assessment? Use ISO/IEC 42005.
• Operating in Nigeria? Use NAGF.
• Governing agents that take action? Add ATF, score risk with ACRS, and threat-model with MAESTRO.