OPA policy bundle enforcing NIST AI RMF + EU AI Act controls at deploy time.
Most enterprises in 2026 are being asked the same question by their regulators: “how do you actually enforce the NIST AI RMF and EU AI Act controls on your AI workloads?” The usual answer is “we have a policy document.” That isn’t enforcement; it’s hope.
This bundle turns the controls into deploy-time machine checks — the kind of policy that breaks the build when an AI workload manifest doesn’t carry the audit-evidence pipeline, the human-oversight mechanism, or the model-version pin a regulator can verify.
What it enforces (12 rules, each citing a primary source):
- Accountability officer declared (NIST GOVERN-1.3 · EU AI Act Art.9)
- Risk tier declared with rationale (NIST GOVERN-2)
- Data lineage attached (NIST MAP-2 · EU AI Act Art.10)
- Eval set referenced on medium/high-risk (NIST MEASURE-2.7)
- Prompts in a versioned registry — no inline strings (OWASP LLM01)
- Model version pinned — no floating tags (NIST MAP-3.4)
- Input + output guardrails declared (MITRE ATLAS)
- Audit-evidence sink + retention (EU AI Act Art.12)
- Human-oversight pattern declared for high-risk (EU AI Act Art.14)
- Cost-attribution tag for FinOps for AI
- EU high-risk conformity assessment reference (EU AI Act Annex III)
- Model provider + region pinned (data-residency, supply chain)
# Try it in 60 seconds

```sh
git clone https://github.com/uchit/opa-nist-ai-rmf
cd opa-nist-ai-rmf
brew install opa   # or: download binary
opa eval -d policy/ -i examples/compliant.yaml 'data.ai.rmf.deny'       # [] ← empty = compliant
opa eval -d policy/ -i examples/missing-evals.yaml 'data.ai.rmf.deny'   # ["eval_set_required: ..."]
opa test policy/ tests/   # 24 tests
```
Wire it into: Kubernetes (Gatekeeper), CI (Conftest, Sentinel), Terraform (Sentinel or OPA pre-apply). Reference implementation for the Regulated GenAI Platform reference architecture and the 9 controls essay.
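To show what "a control as a deploy-time machine check" looks like in Rego, here is an added illustration of three of the rules above (model pin, eval set, human oversight); it is not code from the bundle, and the manifest field names, the `floating_tags` list and the `test_` case are assumptions chosen for the example.

```rego
package ai.rmf

import rego.v1

# Assumed manifest shape (hypothetical; not the bundle's real schema):
#   input.metadata.risk_tier          "low" | "medium" | "high"
#   input.spec.model.image            OCI-style model reference
#   input.spec.evaluation.eval_set    reference to a versioned eval set
#   input.spec.oversight.pattern      e.g. "human-in-the-loop"

floating_tags := {"latest", "stable", "main", "dev"}

# NIST MAP-3.4: pin the model by digest. A digest reference cannot drift, so an
# auditor can tie the running workload to exactly one artifact.
deny contains msg if {
	ref := input.spec.model.image
	not contains(ref, "@sha256:")
	not contains(ref, ":")
	msg := sprintf("model_version_pinned: %q has no tag or digest; pin @sha256:<digest>", [ref])
}

deny contains msg if {
	ref := input.spec.model.image
	not contains(ref, "@sha256:")
	parts := split(ref, ":")
	tag := parts[count(parts) - 1]  # last ":"-segment; host:port refs are not special-cased
	tag in floating_tags
	msg := sprintf("model_version_pinned: %q uses floating tag %q; pin @sha256:<digest>", [ref, tag])
}

# NIST MEASURE-2.7: medium/high-risk workloads must reference an eval set.
deny contains msg if {
	input.metadata.risk_tier in {"medium", "high"}
	not input.spec.evaluation.eval_set
	msg := "eval_set_required: risk_tier is medium/high but spec.evaluation.eval_set is missing"
}

# EU AI Act Art.14: high-risk workloads must declare a human-oversight pattern.
deny contains msg if {
	input.metadata.risk_tier == "high"
	not input.spec.oversight.pattern
	msg := "human_oversight_required: high-risk workload must declare spec.oversight.pattern"
}

# Unit test for `opa test`: a constructed high-risk manifest with a floating tag
# and no eval set trips exactly those two rules and not the oversight rule.
test_high_risk_floating_tag_no_evals if {
	result := deny with input as {
		"metadata": {"risk_tier": "high"},
		"spec": {
			"model": {"image": "registry.example/llm:latest"},
			"oversight": {"pattern": "human-in-the-loop"}
		}
	}
	count(result) == 2
	some m in result
	startswith(m, "eval_set_required")
}
```

Run it with `opa test` on the file, or pass a manifest as `-i` and query `data.ai.rmf.deny` the same way the bundle's README does; an empty set means the manifest passes these three checks.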