
OSCAL export for AI governance policies

NIST OSCAL (Open Security Controls Assessment Language) is the machine-readable lingua franca of modern GRC tooling. OVERT-as-Code can emit OSCAL Assessment Results for any policy, so your AI governance becomes an input to the same compliance automation you already run for security controls.

Compliance teams don’t want a PDF — they want findings their tooling can ingest. Exporting OSCAL turns an OVERT policy into structured, mappable evidence:

  • Each OVERT control (PRO-1, ATT-2, MEA-1, TOOL-1, HITL-1, RES-1, …) becomes an OSCAL finding.
  • Each finding carries a satisfied / not-satisfied status.
  • The output drops into OSCAL-aware GRC platforms and audit workflows.
```sh
glacis overt oscal overt.toml > assessment-results.json
```

The export reflects the honest state of the policy: controls that are enforced are marked satisfied; controls declared-not-enforced are reported as such rather than silently claimed. This mirrors the conformance ladder — the export never asserts more than the policy actually does.
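As an added example (not part of the glacis docs or code), the Python below shows what a consumer on the GRC side might do with such an export: it reads a document in the standard OSCAL Assessment Results shape, tallies finding states and lists the controls an auditor must follow up on. The sample document, its metadata and the remark text on the declared-not-enforced control are constructed assumptions, not glacis's actual output.

```python
"""Consume an OSCAL Assessment Results export such as the one produced by
`glacis overt oscal overt.toml`, and gate on unsatisfied findings."""
import json
from collections import Counter

VALID_STATES = {"satisfied", "not-satisfied"}  # OSCAL objective-status states

def _finding(n, control_id, state, remarks=None):
    """Build one OSCAL finding whose target is an OVERT control objective."""
    status = {"state": state, **({"remarks": remarks} if remarks else {})}
    return {"uuid": f"00000000-0000-4000-8000-0000000000{n}", "title": control_id,
            "target": {"type": "objective-id", "target-id": control_id,
                       "status": status}}

# Constructed sample (not real glacis output): the control ids follow the page;
# the metadata and remarks wording are assumptions.
SAMPLE_OSCAL = json.dumps({"assessment-results": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "OVERT policy assessment", "oscal-version": "1.1.2"},
    "results": [{"uuid": "00000000-0000-4000-8000-000000000002",
                 "title": "overt.toml",
                 "findings": [
                     _finding("10", "PRO-1", "satisfied"),
                     _finding("11", "ATT-2", "satisfied"),
                     _finding("12", "HITL-1", "not-satisfied",
                              "declared-not-enforced in policy")]}]}})

def load_findings(text):
    """Return (control_id, state, remarks) per finding; reject unknown states
    so a malformed or hand-edited export cannot slip through as satisfied."""
    doc = json.loads(text)["assessment-results"]
    out = []
    for result in doc.get("results", []):
        for f in result.get("findings", []):
            cid, status = f["target"]["target-id"], f["target"]["status"]
            if status["state"] not in VALID_STATES:
                raise ValueError(f"{cid}: unexpected state {status['state']!r}")
            out.append((cid, status["state"], status.get("remarks", "")))
    return out

def summarize(findings):
    """Count findings per status state, e.g. {'satisfied': 2, 'not-satisfied': 1}."""
    return dict(Counter(state for _, state, _ in findings))

def unsatisfied(findings):
    """Control ids an auditor must follow up on, in sorted order."""
    return sorted(cid for cid, state, _ in findings if state != "satisfied")
```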

OSCAL tells an auditor what your policy claims. The runtime product and the verifier provide the matching proof that the policy ran — closing the loop between a compliance artifact and tamper-evident runtime evidence.