AI Compliance Gap Analysis
Which compliance controls face the most AI security threats? Analysis of 1,845 CVE mappings across 3 frameworks to identify high-risk areas and coverage gaps.
Last updated: May 20, 2026
Executive Summary
AI compliance frameworks are maturing rapidly, but vulnerability coverage remains uneven. Across four major frameworks — ISO 42001, EU AI Act, NIST AI RMF, and OWASP LLM Top 10 — we track 9,220 CVE-to-control mappings spanning 233 unique controls. NIST AI RMF leads with the broadest coverage (86 controls), while OWASP LLM Top 10 again provides the most concentrated, actionable guidance: just 28 controls absorbing 2,102 mappings — averaging 75 CVEs per control, the highest density of any framework.
The critical finding remains: no framework achieves 100% control coverage from real-world vulnerability data. Gap controls — those with zero mapped CVEs — represent areas where either the threat has not yet materialized in disclosed vulnerabilities or where our mapping methodology has not yet captured the relationship. For CISOs preparing for ISO 42001 certification or EU AI Act compliance, those gaps deserve manual investigation, not celebration.
Key Findings
- NIST AI RMF has the broadest coverage with 86 controls mapped to 2,555 CVE-compliance associations. NIST's comprehensive approach to AI risk — covering Govern, Map, Measure, Manage — produces the widest control surface.
- ISO 42001 maps 79 controls to 2,463 associations. As the primary AI management system standard, ISO 42001's Annex A controls are well-represented by real vulnerability data — particularly A.5.4 (AI system impact assessment) and A.6.2.4 (risk assessment), which have the highest CVE counts.
- EU AI Act has focused but critical coverage with 40 controls and 2,100 mappings. Article 15 (accuracy, robustness, cybersecurity) dominates — reflecting the regulation's emphasis on high-risk AI system security requirements.
- OWASP LLM Top 10 shows the highest CVE density per control — 28 controls absorbing 2,102 associations means each control averages ~75 CVEs. This makes OWASP the most actionable framework for development teams prioritizing fixes.
- The corpus grows ~269 CVEs per month. Continuous compliance evidence is no longer optional — point-in-time audits cannot keep pace with the disclosure rate.
- Gap controls exist in every framework. Controls related to organizational governance, human oversight, transparency reporting, and post-market monitoring tend to have fewer CVE mappings — not because they are less important, but because their risks manifest differently than technical vulnerabilities.
Trend Analysis
The compliance landscape is shifting from aspirational guidance to enforceable requirements. The EU AI Act's implementing provisions are entering enforcement, ISO 42001 certifications are being pursued by enterprises deploying high-risk AI systems, and NIST's AI RMF is becoming the de facto framework for US federal AI governance.
For CISOs, the implication is clear: compliance evidence must be continuous, not point-in-time. The traditional approach of annual audits cannot keep pace with an AI vulnerability landscape producing 269 new CVEs in the last 30 days alone. Automated compliance mapping — linking each new CVE to affected framework controls — is becoming a necessity rather than a convenience.
OWASP LLM Top 10 continues to be the most developer-friendly entry point. Teams that have addressed OWASP's top controls (LLM01: Prompt Injection, LLM03: Supply Chain, LLM05: Improper Output Handling) will find significant overlap with ISO 42001 and EU AI Act requirements, making OWASP an effective starting point for broader compliance programs.
Recommendations
- Start with OWASP LLM Top 10 for immediate risk reduction. Its high CVE density per control means addressing OWASP issues delivers measurable vulnerability reduction while building evidence applicable to ISO 42001 and EU AI Act.
- Map your gap controls to compensating controls. If a control has zero CVE mappings, it does not mean zero risk. Conduct a manual assessment for organizational and governance controls that don't map neatly to technical vulnerabilities.
- Use compliance evidence packs for audit preparation. Download CSV evidence packs per framework (available to subscribers) to demonstrate that your organization is tracking AI-specific vulnerabilities against framework controls.
- Monitor EU AI Act Article 15 requirements closely. This article has the highest CVE mapping density in the EU AI Act and directly addresses cybersecurity of AI systems — it will likely be the first area auditors examine.
- Establish cross-framework traceability. A single CVE often maps to controls across all four frameworks. Maintaining this traceability reduces duplicate compliance effort and provides auditors with a comprehensive view.
Methodology
Compliance mappings are generated by AI-powered enrichment (Claude) during CVE analysis, mapping each vulnerability to relevant controls across ISO 42001, EU AI Act, NIST AI RMF, and OWASP LLM Top 10. Mappings include a relevance classification (direct or indirect) and rationale. Gap analysis compares mapped controls against the full control catalog seeded from each framework's official documentation. All numeric values in this analysis are pulled live from the database on every page load — they always match the tables and charts below.
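As an added illustration of this methodology (example code, not the site's own enrichment pipeline), the following Python runs the gap analysis over a constructed control catalog and a handful of constructed mappings: distinct CVEs per control, covered and gap controls, mapping density, and the cross-framework traceability the recommendations call for. The catalog subset, the placeholder CVE ids and the relevance labels are all assumed sample values; the `direct_only` switch shows how a control that is only indirectly covered turns into a gap when indirect mappings are excluded, which is the check worth running before treating a gap as "no data".

```python
from collections import defaultdict, namedtuple

Mapping = namedtuple("Mapping", "cve framework control relevance")  # relevance: direct|indirect

# Constructed catalog: a hypothetical subset of each framework's controls, not the full seed.
CATALOG = {
    "ISO 42001": {"A.6.2.6", "A.6.2.4", "A.5.4"},
    "EU AI Act": {"Art.15", "Art.9", "Art.62"},
    "OWASP LLM Top 10": {"LLM01", "LLM05", "LLM06"},
}

# Constructed sample mappings with placeholder CVE ids (not real disclosures).
MAPPINGS = [
    Mapping("CVE-SAMPLE-1", "ISO 42001", "A.6.2.6", "direct"),
    Mapping("CVE-SAMPLE-1", "EU AI Act", "Art.15", "direct"),
    Mapping("CVE-SAMPLE-1", "OWASP LLM Top 10", "LLM01", "direct"),
    Mapping("CVE-SAMPLE-2", "ISO 42001", "A.6.2.6", "direct"),
    Mapping("CVE-SAMPLE-2", "OWASP LLM Top 10", "LLM05", "direct"),
    Mapping("CVE-SAMPLE-3", "ISO 42001", "A.6.2.4", "indirect"),
    Mapping("CVE-SAMPLE-3", "EU AI Act", "Art.15", "direct"),
    Mapping("CVE-SAMPLE-3", "OWASP LLM Top 10", "LLM06", "direct"),
]

def gap_analysis(catalog, mappings, direct_only=False):
    """Per framework: controls ranked by distinct CVEs, covered/gap controls, and density."""
    cves = {fw: {c: set() for c in ctrls} for fw, ctrls in catalog.items()}
    for m in mappings:
        if direct_only and m.relevance != "direct":
            continue  # rerun with direct_only=True to find controls covered only indirectly
        # Controls outside the seeded catalog cannot be scored and are skipped.
        if m.control in cves.get(m.framework, {}):
            cves[m.framework][m.control].add(m.cve)
    report = {}
    for fw, per_control in cves.items():
        counts = {c: len(s) for c, s in per_control.items()}
        report[fw] = {
            "ranked": sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])),
            "covered": sum(1 for n in counts.values() if n > 0),
            "gaps": sorted(c for c, n in counts.items() if n == 0),
            "density": sum(counts.values()) / len(counts),  # associations per control
        }
    return report

def traceability(mappings):
    """Cross-framework view: every framework control each CVE maps to."""
    trace = defaultdict(set)
    for m in mappings:
        trace[m.cve].add(f"{m.framework}:{m.control}")
    return {cve: sorted(ctrls) for cve, ctrls in trace.items()}
```

With the sample data, A.6.2.4 counts as covered until indirect mappings are excluded, at which point it joins A.5.4 as a gap; that is the kind of control the recommendations say to assess manually.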
ISO 42001
8 controls · 6 covered · 2 gaps
| Control | CVEs | Threat Level | Risk |
|---|---|---|---|
| A.6.2.6 AI system risk treatment | 303 | | High |
| A.6.2.4 AI system risk assessment | 26 | | Medium |
| A.10.3 Data quality for AI systems | 20 | | Medium |
| A.10.2 AI system lifecycle | 19 | | Low |
| A.7.3 Awareness — AI-specific threats | 12 | | Low |
| A.10.4 AI system testing and validation | 2 | | Low |
| A.5.4 AI system impact assessment process | 0 | No data | Gap |
| B.4 Monitoring and measurement of AI risks | 0 | No data | Gap |
EU AI Act
8 controls · 6 covered · 2 gaps
| Control | CVEs | Threat Level | Risk |
|---|---|---|---|
| Art.15 Accuracy, robustness and cybersecurity | 151 | | High |
| Art.9 Risk management system | 68 | | Medium |
| Art.17 Quality management system | 5 | | Low |
| Art.10 Data and data governance | 1 | | Low |
| Art.13 Transparency and information to deployers | 1 | | Low |
| Art.14 Human oversight | 1 | | Low |
| Art.42 Presumption of conformity with certain requirements | 0 | No data | Gap |
| Art.62 Reporting of serious incidents | 0 | No data | Gap |
OWASP LLM Top 10
10 controls · 10 covered · Full coverage
| Control | CVEs | Threat Level | Risk |
|---|---|---|---|
| LLM06 Excessive Agency | 200 | | High |
| LLM07 System Prompt Leakage | 200 | | High |
| LLM05 Improper Output Handling | 185 | | High |
| LLM04 Data and Model Poisoning | 160 | | High |
| LLM08 Vector and Embedding Weaknesses | 149 | | High |
| LLM02 Sensitive Information Disclosure | 120 | | High |
| LLM03 Supply Chain Vulnerabilities | 118 | | High |
| LLM01 Prompt Injection | 61 | | Medium |
| LLM10 Unbounded Consumption | 24 | | Medium |
| LLM09 Misinformation | 19 | | Low |