Really important perspective Shea. I've spent a long time in the transformation and change adoption space but navigating and coalescing the frameworks, management systems, and jurisdictional compliance boundaries and so on and so forth (thank God for crosswalks) in AI governance and assurance is hard enough without further proliferation of frameworks.

So I am completely with you on not reinventing assurance infrastructure that already exists.

The DSA case study is exactly the right evidence and I think underused in these discussions.

One question and a related addition. On criteria: you frame the gap as criteria for evaluating technical AI system claims, which is right. But I wonder whether there is a parallel criteria gap that should be treated as distinct: human oversight capability. EU AI Act Article 14 is not a technical requirement. It is a capability one. That is a different subject matter entirely, which I don't believe is addressable through ISAE 3000 applied to systems. The system could be assured. The humans?

Your framework correctly separates ISO 42001 from ISAE 3000 because they answer different questions. I think there may be a third question: Human Capability Assurance. One that neither is currently designed to answer i don't think.