{
  "dataset": {
    "meta": {
      "title": "Apeiris Authority Control Matrix",
      "subtitle": "apeiris.ai/domains/authority \u2014 Apeiris Authority",
      "domain": "authority",
      "namespace": "apeiris://authority",
      "site": "https://apeiris.ai/domains/authority",
      "corpus_url": "https://apeiris.ai/integration/domains/authority-controls-full.json",
      "version": "1.1.0",
      "schema_version": "1.1.0",
      "generated_at": "2026-06-28T00:00:00.000Z",
      "license": "CC BY 4.0",
      "license_url": "https://creativecommons.org/licenses/by/4.0/",
      "baseline_control_count": 9,
      "baseline_controls": [
        "PV-01",
        "PV-02",
        "PA-01",
        "PA-04",
        "PO-01",
        "PO-06",
        "PG-01",
        "PG-02",
        "PE-08"
      ],
      "frameworks": [
        "anthropic_rsp",
        "aws_organizations",
        "coso_erm",
        "eu_ai_act",
        "google_org_policy",
        "iso_37301",
        "iso_42001",
        "microsoft_rai",
        "nist_800_53",
        "nist_rmf",
        "oecd_cg",
        "okta_authz",
        "opa_rego",
        "openai_preparedness",
        "soc2"
      ],
      "profiles": [
        "universal-enterprise",
        "consequential-commitment",
        "procurement-ai",
        "contract-ai",
        "eu-high-risk-ai",
        "public-company-governance",
        "high-risk-sector"
      ],
      "planes": [
        "control",
        "data",
        "both",
        "lifecycle"
      ],
      "authority_domain_notes": {
        "internal_policy_support": true,
        "novel_normative_force": [
          "internal-policy",
          "contractual-obligation"
        ],
        "required_for_internal_policy_obligations": [
          "policy_ref",
          "policy_version"
        ],
        "example_adopter_artifacts": "This matrix embeds 20 example adopter artifacts \u2014 18 internal-policy sources and 2 contractual-obligation (master services agreement) sources. These are artifact classes supplied by the deploying organization, not Apeiris publications: each is titled \"Example adopter artifact \u2014 \u2026\" with authority \"Deploying organization (example)\", and exists to show which adopter-supplied documents satisfy the control's policy_ref / policy_version obligations under the internal-policy and contractual-obligation normative forces."
      },
      "controls_count": 53,
      "schema_extended_on": "2026-06-29",
      "extended_schema_fields": [
        "validation_objective",
        "evidence_required",
        "machine_tests",
        "human_review",
        "blocking_effect",
        "normative_status",
        "anti_patterns",
        "update_status"
      ],
      "published": "2026-07-02",
      "source_freshness": {
        "status": "current",
        "checked_on": "2026-07-02",
        "review_cadence": "quarterly"
      },
      "layers": 6,
      "domain_number": 10,
      "domain_slug": "authority",
      "canonical_prefix": "apeiris://authority/controls/",
      "attestation_artifact": "PolicyAttestation",
      "attestation_control": "PE-08",
      "alias_domain": "authorityverifier.ai",
      "integration_endpoint": "https://apeiris.ai/integration/domains/authority-controls-full.json",
      "source": "https://apeiris.ai/domains/authority/",
      "lenses": [
        "grc_auditor",
        "general_counsel",
        "cfo_procurement",
        "risk_officer",
        "board_governance"
      ],
      "description": "Apeiris Authority Control Matrix: 53 machine-readable controls across 6 layers for verifying enterprise business authority and internal policy governance."
    },
    "controls": [
      {
        "id": "PV-01",
        "name": "Operating Intent Declaration",
        "canonical_id": "apeiris://authority/controls/PV-01",
        "layer": "PV",
        "prefix": "PV",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": true,
        "plain": "Requires that every AI system deployment record a formal, machine-readable declaration of operating intent specifying what the system is authorized to do, in which context, and on whose behalf. This declaration anchors all downstream authority checks and attestation artifacts, ensuring every AI-initiated action traces to an explicit, versioned authorization scope.",
        "threat": {
          "context": "Without a declared intent artifact at deployment time, an AI agent may perform actions that fall outside the scope authorized by the deploying principal and no authority artifact exists to detect or bound the deviation. Silent scope creep and intent drift occur when agents adapt to new contexts without explicit re-authorization.",
          "tags": [
            "intent-drift",
            "scope-creep",
            "principal-accountability-gap"
          ]
        },
        "standard_references": [
          {
            "id": "eu_ai_act",
            "section": "Art. 9",
            "title": "Risk management system"
          },
          {
            "id": "iso_42001",
            "section": "\u00a7 6.1",
            "title": "Actions to address risks and opportunities"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.2",
            "title": "Trustworthy AI characteristics are integrated into organizational policies, processes, and procedures"
          },
          {
            "id": "coso_erm",
            "section": "Principle 11",
            "title": "Assesses Severity of Risk"
          }
        ],
        "sources": [
          {
            "id": "eu-ai-act-2024",
            "title": "EU Artificial Intelligence Act",
            "authority": "European Parliament and Council of the European Union",
            "source_type": "regulation",
            "normative_force": "binding-law",
            "version": "2024/1689",
            "published_on": "2024-07-12",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689",
            "license": "open-access",
            "status": "current",
            "flagship": true,
            "source_id": "eu_ai_act",
            "relationship": "normative_requirement",
            "rationale": "Establishes EU Artificial Intelligence Act requirements informing the apeiris://authority/controls/PV-01 Operating Intent Declaration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PV-01 Operating Intent Declaration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PV-01 Operating Intent Declaration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "coso-erm-2017",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PV-01 Operating Intent Declaration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PV-01 Operating Intent Declaration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PV-01 Operating Intent Declaration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PV-01 Operating Intent Declaration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PV-01 Operating Intent Declaration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "databricks_omnigent_2026",
            "title": "Databricks Omnigent \u2014 Contextual Policies",
            "authority": "Databricks",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2026-07-07",
            "published_on": "2026-07-07",
            "retrieved_on": "2026-07-07",
            "canonical_url": "https://www.databricks.com/blog/contextual-policies-omnigent-using-session-state-better-govern-ai-agents",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "databricks_omnigent_2026",
            "relationship": "supporting_guidance",
            "rationale": "Omnigent treats the user's declared session intent as a first-class authorization anchor, checking each tool call against the original goal \u2014 a runtime analogue of, not an instance of, the deployment-time operating-intent declaration.",
            "reviewed_on": "2026-07-07"
          }
        ],
        "implementation": {
          "pattern": "Capture a structured intent declaration artifact at system deployment time specifying authorized action types, context boundaries, authorizing principal identity, and validity period. Bind the artifact to the deployment record using a cryptographic signature and register it in the authority control registry before activating the agent in production.",
          "steps": [
            "Define and publish a canonical intent declaration schema mandating fields for authorized action types, context scope, authorizing principal identity reference, and validity window.",
            "Integrate intent declaration artifact creation and signing into the production deployment approval gate, blocking activation until a valid artifact is registered.",
            "Register the signed artifact in the authority control registry and propagate the canonical ID to all downstream authorization checkpoints that the agent will invoke.",
            "Configure monitoring to alert when an active intent declaration approaches expiry and require explicit renewal or agent suspension before the validity window closes."
          ],
          "anti_patterns": [
            "Capturing operating intent as unstructured prose in a deployment ticket or wiki page with no machine-readable schema enforcement or cryptographic binding.",
            "Allowing intent declarations to persist indefinitely without a defined validity period, making it impossible to detect declaration staleness."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that a machine-readable intent declaration schema is defined, versioned, and enforced at the deployment gate for all AI system activations.",
            "Verify that the schema requires a cryptographic signature from a principal whose authority to bind the organization to the declared scope can be independently verified.",
            "Check that the deployment pipeline rejects AI system activation when no valid, unexpired intent declaration is present in the registry."
          ],
          "runtime_tests": [
            "Attempt to activate an AI agent without a registered intent declaration and confirm the deployment gate blocks activation.",
            "Submit an intent declaration with an expired validity period and verify the system demands renewal before allowing agent activation.",
            "Trigger an agent action outside the declared action type scope and confirm a boundary violation event is raised and logged."
          ],
          "evidence": [
            "Registry of signed intent declaration artifacts with cryptographic hashes and principal signatures for all active AI deployments.",
            "Deployment gate rejection logs demonstrating that activations without valid declarations were blocked.",
            "Renewal audit trail linking each intent declaration version to deployment lifecycle events and the authorizing principal."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Operating intent declarations provide the primary documentary basis for establishing the scope of authority under which an AI system acted. They are essential for demonstrating in litigation or regulatory inquiry that AI-initiated actions fell within explicitly authorized conduct.",
            "actions": [
              "Review the intent declaration schema to confirm it captures legally relevant scope elements including authorized action types, jurisdictional constraints, and the identity of the authorizing principal.",
              "Verify that declarations are signed by a principal with legally recognized authority to bind the organization to the declared scope.",
              "Confirm that declarations are retained and versioned for the full evidentiary period required by applicable law and contractual obligations."
            ],
            "failure_signals": [
              "AI-initiated commitments for which no corresponding, current intent declaration artifact can be produced in discovery or regulatory inquiry.",
              "Intent declarations signed by principals who lack verifiable authority to authorize the declared scope.",
              "Expired intent declarations associated with AI systems that remain in active production."
            ]
          },
          "cfo_procurement": {
            "summary": "Intent declarations define the financial and operational boundaries within which AI systems are authorized to act on the organization's behalf. For any AI system that can initiate spend or obligate resources, the declaration is a non-negotiable prerequisite control.",
            "actions": [
              "Require that AI systems authorized to initiate procurement or contracting actions have an intent declaration explicitly bounding spend categories and monetary approval limits.",
              "Integrate intent declaration review into the capital expenditure and operating budget approval process for all AI system deployments.",
              "Establish an automatic renewal trigger for intent declarations when budget periods, approval limit schedules, or organizational authority hierarchies change."
            ],
            "failure_signals": [
              "AI systems initiating procurement actions without a current intent declaration specifying authorized spend categories and monetary boundaries.",
              "Intent declarations predating the current budget period or approval limit schedule without documented renewal.",
              "CFO or delegate sign-off absent from intent declarations for AI systems operating in spend-sensitive roles."
            ]
          },
          "risk_officer": {
            "summary": "The intent declaration is the foundational risk-scoping artifact for each AI deployment. It defines the knowingly accepted risk surface and enables systematic assessment of whether observed AI behavior remains within authorized boundaries.",
            "actions": [
              "Require that every intent declaration includes an explicit risk acceptance statement from the authorizing principal acknowledging the action types, context boundaries, and associated residual risks.",
              "Integrate the intent declaration registry into the enterprise risk register to maintain a consolidated view of authorized AI risk exposure across all deployments.",
              "Define pre-escalation triggers for cases where AI behavior approaches declared intent boundaries before a formal boundary violation is confirmed."
            ],
            "failure_signals": [
              "Active AI deployments without a corresponding risk register entry linked to their intent declaration.",
              "Risk assessments performed on AI systems that do not reference the system's declared intent as the basis for scope.",
              "Intent declarations not reviewed following material changes to the enterprise risk environment or the AI system's operating context."
            ]
          },
          "grc_auditor": {
            "summary": "Intent declarations are the primary control artifact for verifying that AI system deployments are within authorized scope. Auditors must verify existence, completeness, signature validity, and renewal compliance for all active declarations.",
            "actions": [
              "Inspect the intent declaration registry to verify that every active AI deployment has a current, signed declaration with all required schema fields populated.",
              "Test that the schema enforced at deployment time matches the canonical intent declaration schema defined in AI governance policy.",
              "Sample expired declarations to confirm associated AI systems were suspended or renewed before expiry, with evidence of renewal authorization."
            ],
            "failure_signals": [
              "Active AI deployments with no corresponding intent declaration in the registry, or with declarations that have lapsed without renewal.",
              "Intent declarations missing required fields such as authorized action types, validity period, or cryptographic principal signature.",
              "No deployment gate rejection logs demonstrating enforcement of the declaration requirement."
            ],
            "metrics": [
              "Percentage of active AI deployments with a current, signed intent declaration (target: 100%)",
              "Mean age of active intent declarations in days (alert threshold: >180 days without review or renewal)",
              "Number of deployment gate rejections due to missing or invalid intent declarations per reporting quarter"
            ]
          },
          "board_governance": {
            "summary": "Operating intent declarations establish the formal boundaries of authorized AI activity across the enterprise. The aggregate inventory of declarations represents the total authorized AI risk posture the organization has accepted.",
            "actions": [
              "Request a periodic summary report on the total inventory of active intent declarations, including action type categories, risk tier classifications, and renewal status.",
              "Ensure that the board risk committee reviews intent declarations for AI systems operating in material, high-consequence, or reputationally sensitive domains.",
              "Confirm that the organization's AI governance policy mandates intent declarations as a non-waivable prerequisite to production deployment, not subject to management exception alone."
            ],
            "failure_signals": [
              "No board-level visibility into the aggregate inventory of authorized AI deployments and their declared intent boundaries.",
              "AI systems operating in board-reportable consequence domains without a declaration reviewed by or reported to the board risk committee.",
              "AI governance policies that treat intent declarations as optional or advisory rather than mandatory."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "managed"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 11",
            "title": "Assesses Severity of Risk",
            "principle_number": 11,
            "component_name": "Performance",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "Intent declaration records authorized scope but does not itself assess risk severity as COSO Principle 11 requires.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Intent declaration records authorized scope but does not itself assess risk severity as COSO Principle 11 requires.",
            "requirement_id": "Principle 11 \u2014 Assesses Severity of Risk",
            "relation": "informs"
          },
          {
            "framework": "eu_ai_act",
            "ref": "Art. 9",
            "title": "Risk management system",
            "normative_force": "binding-law",
            "fit": "partial",
            "fit_rationale": "The signed intent declaration is one input feeding a risk management system, not the full Art. 9 system.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "The signed intent declaration is one input feeding a risk management system, not the full Art. 9 system.",
            "requirement_id": "Art. 9 \u2014 Risk management system",
            "relation": "satisfies"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a7 6.1",
            "title": "Actions to address risks and opportunities",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "Declaring authorized scope anchors authority but is not itself a risk-treatment action under \u00a76.1.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Declaring authorized scope anchors authority but is not itself a risk-treatment action under \u00a76.1.",
            "requirement_id": "\u00a7 6.1 \u2014 Actions to address risks and opportunities",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 1.2",
            "title": "Trustworthy AI characteristics are integrated into organizational policies, processes, and procedures",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "A machine-readable intent declaration operationalizes trustworthy-AI scope in policy but not all GOVERN 1.2 characteristics.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A machine-readable intent declaration operationalizes trustworthy-AI scope in policy but not all GOVERN 1.2 characteristics.",
            "requirement_id": "GOVERN 1.2 \u2014 Trustworthy AI characteristics are integrated into organizational policies, processes, and procedures",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "RSP v3.3 \u2014 Capability Thresholds and Required Safeguards",
            "rationale": "Anthropic's Responsible Scaling Policy conditions deployment of more capable models on meeting the Required Safeguards for the applicable AI Safety Level: a model may not be deployed until the designated deployment standard is satisfied and the decision is documented through internal governance. This is a vendor-side analog of the operating intent declaration pattern \u2014 deployment scope and conditions are recorded and approved before activation \u2014 though the RSP governs Anthropic's own model deployments, not deployers' agents.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "RSP deployment-scope sign-off is a vendor-side analog governing Anthropic's own models, not the deployer's intent declaration.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "openai_preparedness",
            "requirement_id": "Preparedness Framework v2 \u2014 Tracked Categories and Deployment Thresholds",
            "rationale": "OpenAI's Preparedness Framework v2 defines Tracked Categories \u2014 Biological and Chemical, Cybersecurity, and AI Self-improvement \u2014 with High and Critical capability thresholds. A model that reaches a High threshold may not be deployed until safeguards sufficiently minimize the associated risk, and safeguards reports and system cards document the assessed capability scope for each deployment: a documented scope-before-deployment pattern analogous to an operating intent declaration.",
            "normative_force": "best-practice",
            "source_version": "2",
            "fit": "adjacent",
            "fit_rationale": "Preparedness scope-before-deployment documentation is an analogous vendor pattern, not the deployer-side declaration.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Organizations SCP Design \u2014 Scope Boundary Enforcement",
            "rationale": "AWS Organizations Service Control Policies (SCPs) are the primary mechanism for enforcing operating intent boundaries across organizational units. SCPs define maximum available permissions for all IAM principals in an account, effectively encoding the authorized action scope as an enforceable policy artifact. AWS recommends defining SCPs at OU level to anchor each AI workload's operating intent before any principal within that OU can activate the system.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "SCPs can encode authorized action scope as enforceable policy, partially implementing intent boundaries but not the signed declaration.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Standard v2 \u2014 Goal A1: Impact Assessment (Intended Uses)",
            "rationale": "Microsoft's Responsible AI Standard v2 (Goal A1) requires teams to complete a Responsible AI Impact Assessment that formally articulates intended uses, deployment context, and stakeholders early in the AI development lifecycle, with review before production release. It functions as an operating intent declaration by capturing what the AI system is intended to do, for whom, and under which organizational constraints.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "The RAI impact assessment articulates intended uses like an intent declaration but is broader and not the signed machine-readable artifact.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "eu-high-risk-ai"
        ],
        "implementers": [
          "AI Program Office",
          "Legal Counsel",
          "Deployment Engineering",
          "Risk Management"
        ],
        "validation_objective": "Every active AI system deployment must have a machine-readable, cryptographically signed intent declaration registered in the authority control registry before production activation. The deployment pipeline must block agent activation when no valid, unexpired declaration with all required schema fields is present.",
        "evidence_required": [
          "Signed intent declaration artifact with canonical_id, authorized_action_types, context_scope, principal_id, valid_from, and valid_until fields for every active AI deployment",
          "Deployment gate rejection logs demonstrating that agent activations without a registered, unexpired declaration were blocked, with fields for system_id, attempted_at, and rejection_reason",
          "Authority control registry export cross-referencing each active deployment to its current declaration record and cryptographic signature",
          "Principal authorization verification record confirming the signing identity has organizational authority to bind the enterprise to the declared scope",
          "Renewal audit trail linking declaration version history to deployment lifecycle events and authorizing principal identity"
        ],
        "machine_tests": [
          "Attempt to activate AI agent with no intent declaration in registry \u2192 assert deployment gate returns blocked=true with error_code=missing_intent_declaration",
          "Submit intent declaration with valid_until < current_timestamp \u2192 assert deployment pipeline demands renewal and blocks agent activation with error_code=declaration_expired",
          "Submit intent declaration with authorized_action_types field absent \u2192 assert schema validator rejects artifact with error referencing the missing required field",
          "Trigger agent action with action_type not listed in active declaration \u2192 assert boundary violation event emitted to audit log with action_type, declaration_id, and violation_timestamp"
        ],
        "human_review": [
          "Review the intent declaration schema to confirm it captures legally relevant scope elements including authorized action types, jurisdictional constraints, and authorizing principal identity with sufficient precision for evidentiary use",
          "Verify that sampled declarations were signed by principals with verifiable organizational authority to bind the enterprise to the declared scope, not shared service accounts",
          "Assess whether the renewal cadence policy prevents declaration staleness for AI systems subject to frequent retraining, tool additions, or operating context changes"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Capturing operating intent as unstructured prose in a deployment ticket or wiki page with no machine-readable schema enforcement or cryptographic binding",
          "Using a single enterprise-wide intent declaration to cover all AI systems rather than requiring per-system declarations with specific authorized action types and context boundaries",
          "Signing intent declarations with shared service account credentials rather than individual principal identities that can be verified against the organization's authorization hierarchy",
          "Setting validity periods longer than one year without an automated renewal alert, making declaration staleness undetectable until an audit discovers an expired artifact",
          "Populating authorized_action_types with a wildcard or overly broad category that encompasses the full range of possible AI actions, defeating the purpose of scope declaration"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PV"
      },
      {
        "id": "PV-02",
        "name": "Operating Intent Boundary Validation",
        "canonical_id": "apeiris://authority/controls/PV-02",
        "layer": "PV",
        "prefix": "PV",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": true,
        "plain": "Validates at runtime that every AI agent action falls within the boundaries declared in the active operating intent artifact. Any action that would exceed the declared intent triggers a boundary violation event and requires escalation or immediate halt before execution proceeds.",
        "threat": {
          "context": "An AI agent operating without real-time boundary validation may commit to actions, issue obligations, or acquire resources beyond what principals authorized. Boundary violations that proceed undetected can produce unauthorized commitments before any human reviewer is aware an exceedance occurred.",
          "tags": [
            "authority-limit-breach",
            "intent-drift",
            "unauthorized-commitment"
          ]
        },
        "standard_references": [
          {
            "id": "eu_ai_act",
            "section": "Art. 9",
            "title": "Risk management system"
          },
          {
            "id": "iso_42001",
            "section": "\u00a7 6.1.4 / \u00a7 8.4",
            "title": "AI system impact assessment"
          },
          {
            "id": "nist_rmf",
            "section": "MAP 1.1",
            "title": "Intended purposes, context-specific laws and norms, and prospective deployment settings are understood and documented"
          },
          {
            "id": "coso_erm",
            "section": "Principle 11",
            "title": "Assesses Severity of Risk"
          }
        ],
        "sources": [
          {
            "id": "eu-ai-act-2024",
            "title": "EU Artificial Intelligence Act",
            "authority": "European Parliament and Council of the European Union",
            "source_type": "regulation",
            "normative_force": "binding-law",
            "version": "2024/1689",
            "published_on": "2024-07-12",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689",
            "license": "open-access",
            "status": "current",
            "flagship": true,
            "source_id": "eu_ai_act",
            "relationship": "normative_requirement",
            "rationale": "Establishes EU Artificial Intelligence Act requirements informing the apeiris://authority/controls/PV-02 Operating Intent Boundary Validation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PV-02 Operating Intent Boundary Validation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PV-02 Operating Intent Boundary Validation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "coso-erm-2017",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PV-02 Operating Intent Boundary Validation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PV-02 Operating Intent Boundary Validation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PV-02 Operating Intent Boundary Validation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PV-02 Operating Intent Boundary Validation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PV-02 Operating Intent Boundary Validation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "source_id": "hashicorp_vault_aar_2026",
            "normative_force": "best-practice",
            "relationship": "implementation_pattern",
            "rationale": "Enterprise vault implementation of OAuth 2.0 RAR (RFC 9396) per-request agent authorization \u2014 provides concrete IaC patterns for the controls in this layer.",
            "reviewed_on": "2026-06-29"
          }
        ],
        "implementation": {
          "pattern": "Instrument all AI agent action pathways with a pre-execution intent boundary check that compares the proposed action type, target resource, and scope against the active intent declaration before the action is submitted to any downstream system. Actions failing the check are queued for escalation rather than rejected silently.",
          "steps": [
            "Define a machine-readable boundary specification within the intent declaration schema that enumerates permitted action types, resource categories, and quantitative limits.",
            "Implement a boundary validation interceptor at the agent action dispatch layer that evaluates each proposed action against the active declaration before allowing execution.",
            "Configure the interceptor to emit a structured boundary violation event to the authority audit log and trigger an escalation workflow for any action exceeding declared limits.",
            "Test the interceptor for bypass resilience by attempting to submit out-of-scope actions through direct API calls, prompt injection, and parameter manipulation."
          ],
          "anti_patterns": [
            "Performing boundary validation only on the initial task assignment rather than at every individual action a long-running agent takes during task execution.",
            "Logging boundary violations without halting execution, creating a situation where violations are observed after the unauthorized action has already been taken."
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that the intent declaration schema includes a machine-readable boundary specification covering action types, resource categories, and quantitative limits.",
            "Confirm that the boundary validation interceptor is positioned before the action dispatch layer, not after, ensuring violations are caught pre-execution.",
            "Check that boundary violation events are emitted to an immutable audit log and automatically trigger the escalation workflow."
          ],
          "runtime_tests": [
            "Submit an agent action of a type not listed in the active intent declaration and verify the interceptor blocks it and emits a violation event.",
            "Submit an action targeting a resource category outside the declared context and confirm the escalation workflow is triggered.",
            "Attempt to bypass the interceptor via direct API parameter manipulation and confirm the action is still blocked."
          ],
          "evidence": [
            "Boundary validation interceptor deployment manifests showing pre-execution positioning in the agent action dispatch layer.",
            "Boundary violation event log entries with structured data fields for action type, resource target, declared limit, and observed value.",
            "Escalation workflow records demonstrating that boundary violations reached human reviewers within the defined SLA."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Boundary validation is the runtime control that prevents unauthorized commitments from occurring. Its presence or absence is directly relevant to whether the organization can demonstrate that AI-initiated actions were constrained to authorized scope at the moment of execution.",
            "actions": [
              "Confirm that boundary validation interceptors are positioned pre-execution and not merely logging post-hoc, so unauthorized actions cannot complete.",
              "Verify that boundary violation events are retained as legal-quality evidence of the control operating as designed.",
              "Review escalation workflow records to confirm that boundary exceedances received timely human review."
            ],
            "failure_signals": [
              "AI agents that completed actions subsequently found to exceed declared intent, with no evidence of a pre-execution boundary check.",
              "Boundary validation implemented as advisory logging rather than a hard block on out-of-scope actions.",
              "Absence of boundary violation event records for AI agents that operated over extended periods."
            ]
          },
          "cfo_procurement": {
            "summary": "Approval limit enforcement for AI procurement and contracting agents depends on boundary validation as its enforcement mechanism. Without real-time boundary checks, approval limits set in intent declarations are advisory only.",
            "actions": [
              "Confirm that spend and commitment limits specified in intent declarations are evaluated by the boundary validation interceptor before any procurement action is submitted.",
              "Verify that boundary violation escalation workflows route over-limit procurement actions to the appropriate financial approver before execution.",
              "Review boundary violation logs periodically to identify patterns of near-limit behavior that may indicate approval limit schedules need updating."
            ],
            "failure_signals": [
              "AI procurement agents that have submitted commitments exceeding declared spend limits without a boundary violation event being generated.",
              "Boundary validation that checks action types but not quantitative limits such as monetary thresholds.",
              "Escalation workflows that route boundary violations to IT operations rather than the appropriate financial authority."
            ]
          },
          "risk_officer": {
            "summary": "Boundary validation converts the risk acceptance encoded in an intent declaration into an enforceable runtime control. Without it, the intent declaration is a planning artifact with no operational effect.",
            "actions": [
              "Require that every AI system with a signed intent declaration has a corresponding boundary validation interceptor deployed and operationally verified.",
              "Include boundary violation rate and escalation response time in the AI risk monitoring dashboard.",
              "Investigate patterns of repeated near-boundary behavior as a leading indicator of intent drift before a formal violation is recorded."
            ],
            "failure_signals": [
              "Intent declarations signed and registered with no corresponding evidence that boundary validation has been deployed and tested for those agents.",
              "Boundary violation rates increasing over time without a corresponding intent declaration update or re-authorization.",
              "Escalation response time exceeding the SLA defined in the authority governance policy."
            ]
          },
          "grc_auditor": {
            "summary": "Boundary validation is the primary runtime control evidence for the PV layer. Auditors must verify that interceptors are deployed, positioned pre-execution, and producing structured violation event records for every active AI agent.",
            "actions": [
              "Inspect deployment manifests to confirm boundary validation interceptors are deployed for all agents with active intent declarations.",
              "Test interceptor enforcement by submitting out-of-scope actions in a staging environment and verifying blocks and event generation.",
              "Sample boundary violation event logs to confirm structured fields are populated and events reached the escalation workflow."
            ],
            "failure_signals": [
              "Agents with active intent declarations for which no corresponding boundary validation interceptor deployment record can be produced.",
              "Boundary violation events missing required structured fields, making them unusable as audit evidence.",
              "Zero boundary violation events for high-volume agents over extended periods, suggesting the interceptor may not be functioning."
            ],
            "metrics": [
              "Percentage of active AI agents with a deployed and verified boundary validation interceptor (target: 100%)",
              "Mean time from boundary violation event to escalation workflow initiation in minutes (target: <5)",
              "Number of boundary violations per agent per reporting period, trended for drift detection"
            ]
          },
          "board_governance": {
            "summary": "Boundary validation is the operational control that gives the organization assurance that declared AI authority limits are enforced in production rather than merely documented. Board oversight should confirm this control class is universally deployed.",
            "actions": [
              "Request confirmation from management that boundary validation interceptors are deployed for all AI agents operating in consequential domains.",
              "Review aggregate boundary violation statistics as part of AI risk reporting to the board risk committee.",
              "Confirm that the AI governance policy requires boundary validation as a mandatory control, not an optional implementation detail."
            ],
            "failure_signals": [
              "Management reporting on AI authority controls that describes intent declarations without confirming runtime enforcement through boundary validation.",
              "No boundary violation data included in AI risk reporting to the board, suggesting the control may not be generating usable monitoring data.",
              "AI governance policy that treats boundary validation as a recommended practice rather than a mandatory deployment requirement."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "managed"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 11",
            "title": "Assesses Severity of Risk",
            "principle_number": 11,
            "component_name": "Performance",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "Pre-execution boundary checks enforce declared limits but do not perform COSO risk-severity assessment.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Pre-execution boundary checks enforce declared limits but do not perform COSO risk-severity assessment.",
            "requirement_id": "Principle 11 \u2014 Assesses Severity of Risk",
            "relation": "informs"
          },
          {
            "framework": "eu_ai_act",
            "ref": "Art. 9",
            "title": "Risk management system",
            "normative_force": "binding-law",
            "fit": "partial",
            "fit_rationale": "Runtime boundary enforcement is a risk-mitigation action within a risk management system, not the whole Art. 9 system.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Runtime boundary enforcement is a risk-mitigation action within a risk management system, not the whole Art. 9 system.",
            "requirement_id": "Art. 9 \u2014 Risk management system",
            "relation": "satisfies"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a7 6.1.4 / \u00a7 8.4",
            "title": "AI system impact assessment",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Boundary validation operationalizes limits from impact assessment but is not itself the AI system impact assessment.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Boundary validation operationalizes limits from impact assessment but is not itself the AI system impact assessment.",
            "requirement_id": "\u00a7 6.1.4 / \u00a7 8.4 \u2014 AI system impact assessment",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MAP 1.1",
            "title": "Intended purposes, context-specific laws and norms, and prospective deployment settings are understood and documented",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Enforcing declared action types presumes documented intended purpose, but MAP 1.1 is about documenting purpose, not runtime enforcement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Enforcing declared action types presumes documented intended purpose, but MAP 1.1 is about documenting purpose, not runtime enforcement.",
            "requirement_id": "MAP 1.1 \u2014 Intended purposes, context-specific laws and norms, and prospective deployment settings are understood and documented",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "RSP v3.3 \u2014 ASL-3 Deployment Standard (Misuse Safeguards and Red-Teaming)",
            "rationale": "The ASL-3 Deployment Standard requires layered misuse safeguards, including red-team testing that the safeguards hold against realistic adversarial attempts to elicit out-of-scope behavior, before and during deployment at that level. This supplies the pattern of adversarially validating boundary enforcement rather than assuming that declared limits hold.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "RSP adversarial safeguard testing is an analogous validation pattern for Anthropic's own deployments, not this runtime boundary check.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "Amazon Bedrock Policies \u2014 Organization-Level Guardrail Enforcement",
            "rationale": "Amazon Bedrock Policies (generally available April 2026) enable organizations to enforce configured guardrails automatically across all model inference calls within an AWS Organization, eliminating per-account configuration and ensuring that every agent action is validated against declared operating intent boundaries before execution proceeds. This enforces the boundary validation pattern at the infrastructure level.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Bedrock organization guardrails validate each inference against configured boundaries, partially implementing boundary validation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Organization Policy \u2014 Resource Constraint Enforcement",
            "rationale": "Google Cloud Organization Policy Service constraints restrict AI resource operations to declared scope at the resource hierarchy level (organization, folder, or project). Any resource operation that violates an active constraint is denied at the API level before execution, implementing the boundary validation pattern as a platform-enforced control. Managed constraints with dry-run mode enable testing boundary configurations before enforcement.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Org Policy denies out-of-scope resource operations at the API level, partially enforcing boundaries though not tied to an intent artifact.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure Policy \u2014 AI Model Deployment Restriction and Content Safety Filters",
            "rationale": "Azure Policy can restrict which AI models may be deployed and enforce content safety filter configurations as boundary validation gates. Azure AI Content Safety policies validate agent outputs against declared intent boundaries in real time. Microsoft's Cloud Adoption Framework recommends integrating these boundary checks into the CI/CD pipeline to validate that agent behavior remains within declared scope before each release.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure Policy and Content Safety gate agent actions against configured limits, partially implementing runtime boundary validation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "eu-high-risk-ai"
        ],
        "implementers": [
          "Platform Engineering",
          "Security Architecture",
          "AI Operations",
          "Risk Management"
        ],
        "profiles": [
          {
            "source_id": "openid",
            "profile": "structured_agent_authorization",
            "profile_url": "https://apeiris.ai/integration/profiles/structured_agent_authorization.json",
            "role": "implementation_anchor",
            "normative_force": "voluntary-standard",
            "reviewed_on": "2026-06-29"
          }
        ],
        "validation_objective": "Every AI agent action must pass a pre-execution boundary check against the active intent declaration before being submitted to any downstream system. Actions exceeding declared action types, resource categories, or quantitative limits must be blocked and a structured violation event emitted; no out-of-scope action may complete execution before a human escalation is triggered.",
        "evidence_required": [
          "Boundary validation interceptor deployment manifest showing pre-execution positioning in the agent action dispatch layer, including component version, deployment_timestamp, and scope of coverage",
          "Boundary violation event log entries with structured fields: action_type, resource_target, declared_limit, observed_value, declaration_id, agent_id, and violation_timestamp",
          "Escalation workflow records confirming boundary violations reached a named human reviewer within the defined SLA, with time-from-violation and reviewer_id recorded",
          "Adversarial bypass test report confirming interceptor blocked actions submitted via direct API calls and parameter manipulation attempts"
        ],
        "machine_tests": [
          "Submit agent action with action_type not listed in active intent declaration \u2192 assert interceptor returns blocked=true with error_code=action_type_not_authorized and emits structured violation event to audit log",
          "Submit action targeting resource_category outside the declared context_scope \u2192 assert escalation workflow is triggered within the defined SLA and assigned to a named reviewer",
          "Attempt to bypass interceptor via direct API call with action_type=* wildcard \u2192 assert action is still blocked and violation event captures the bypass attempt with bypass_method field"
        ],
        "human_review": [
          "Inspect deployment architecture to confirm boundary validation interceptor is positioned pre-execution in the agent action dispatch chain, not as a post-hoc advisory logging layer",
          "Review escalation workflow routing to verify boundary violations reach the appropriate business authority owner for the declared intent domain, not just IT operations",
          "Assess whether the interceptor's quantitative limit checks cover monetary thresholds and resource volume limits, not only categorical action type membership"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Implementing boundary validation as advisory logging that records violations after the action has already executed, allowing unauthorized commitments to complete before any human is notified",
          "Validating action type only at initial task assignment rather than at each individual action during multi-step long-running agent execution, leaving subsequent actions unchecked",
          "Routing boundary violation escalations to IT security operations rather than the business authority owner responsible for the declared intent limits",
          "Configuring the interceptor to block only clearly out-of-scope actions while silently passing borderline cases, creating an exploitation path for gradual scope creep",
          "Deploying the interceptor without testing bypass resilience via direct API calls, prompt injection, and parameter manipulation, leaving unverified attack vectors in production"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PV"
      },
      {
        "id": "PV-03",
        "name": "Intended Purpose Alignment Review",
        "canonical_id": "apeiris://authority/controls/PV-03",
        "layer": "PV",
        "prefix": "PV",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Establishes a periodic review cadence to confirm that an AI system's actual operational behavior remains aligned with the intended purpose declared at deployment. Drift between stated purpose and observed behavior triggers a re-authorization review that may result in intent declaration update, system modification, or suspension.",
        "threat": {
          "context": "AI systems evolve through retraining, prompt changes, tool integrations, and user behavior shifts. Without periodic alignment review, a system's effective operational purpose may diverge from its declared intent, exposing the organization to unauthorized behavior that no boundary check is calibrated to catch.",
          "tags": [
            "intent-drift",
            "scope-creep",
            "policy-bypass"
          ]
        },
        "standard_references": [
          {
            "id": "eu_ai_act",
            "section": "Art. 9",
            "title": "Risk management system"
          },
          {
            "id": "iso_37301",
            "section": "\u00a7 9.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "iso_42001",
            "section": "\u00a7 9.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 2.3",
            "title": "Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment"
          }
        ],
        "sources": [
          {
            "id": "eu-ai-act-2024",
            "title": "EU Artificial Intelligence Act",
            "authority": "European Parliament and Council of the European Union",
            "source_type": "regulation",
            "normative_force": "binding-law",
            "version": "2024/1689",
            "published_on": "2024-07-12",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689",
            "license": "open-access",
            "status": "current",
            "flagship": true,
            "source_id": "eu_ai_act",
            "relationship": "normative_requirement",
            "rationale": "Establishes EU Artificial Intelligence Act requirements informing the apeiris://authority/controls/PV-03 Intended Purpose Alignment Review control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021",
            "title": "ISO 37301:2021 \u2014 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Compliance Management Systems requirements informing the apeiris://authority/controls/PV-03 Intended Purpose Alignment Review control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PV-03 Intended Purpose Alignment Review control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PV-03 Intended Purpose Alignment Review control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PV-03 Intended Purpose Alignment Review control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PV-03 Intended Purpose Alignment Review control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PV-03 Intended Purpose Alignment Review control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PV-03 Intended Purpose Alignment Review control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Define a review cadence (minimum quarterly for high-consequence deployments, annually for lower-risk systems) that compares a structured behavioral profile of the AI system's recent actions against the declared intended purpose. Use automated behavioral logging to generate the comparison input and require a human reviewer sign-off on the alignment determination.",
          "steps": [
            "Instrument AI systems to produce a structured behavioral log capturing action type distribution, resource categories accessed, decision frequency, and escalation trigger rates.",
            "Define an intended purpose behavioral profile at deployment time, specifying expected action type distribution ranges, resource access patterns, and acceptable escalation rates.",
            "Schedule periodic alignment reviews that compare the behavioral log summary against the deployed behavioral profile and flag material deviations for human review.",
            "Document the outcome of each review as an alignment review record linked to the intent declaration, including any re-authorization decisions or system modifications made."
          ],
          "anti_patterns": [
            "Treating the initial deployment review as sufficient and performing no subsequent alignment checks unless an incident occurs.",
            "Relying on anecdotal stakeholder feedback rather than structured behavioral log analysis as the primary alignment assessment input."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that a behavioral profile specification is defined for each AI system at deployment time alongside the intent declaration.",
            "Verify that alignment review procedures are documented, scheduled, and assigned to a named reviewer role.",
            "Check that alignment review records are stored and linked to the corresponding intent declaration in the authority registry."
          ],
          "runtime_tests": [
            "Introduce a test AI system with a deliberately misaligned behavioral profile and confirm the review process flags the deviation within the defined review cycle.",
            "Verify that a completed alignment review produces a structured review record with all required fields populated.",
            "Simulate a material behavioral drift scenario and confirm the re-authorization workflow is triggered within the defined SLA."
          ],
          "evidence": [
            "Behavioral profile specifications linked to each active intent declaration in the authority registry.",
            "Signed alignment review records covering all active AI deployments within the defined review cadence.",
            "Re-authorization records for deployments where behavioral drift was identified and addressed."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Periodic alignment reviews create a documented record that the organization actively monitored AI behavior against its declared purpose. This record is critical evidence of ongoing due diligence in regulatory inquiries and litigation.",
            "actions": [
              "Confirm that alignment review records are retained as legal-quality evidence with timestamp, reviewer identity, and sign-off.",
              "Verify that material drift findings are escalated through a documented re-authorization process rather than resolved informally.",
              "Ensure that alignment review cadence meets any applicable regulatory monitoring obligations for the deployment context."
            ],
            "failure_signals": [
              "No alignment review records for AI systems that have been in production for more than the defined review interval.",
              "Alignment reviews completed without a structured comparison against the declared behavioral profile.",
              "Material drift findings that were documented but not escalated or actioned within the defined timeline."
            ]
          },
          "cfo_procurement": {
            "summary": "Alignment reviews for procurement and contracting AI agents verify that the agent's actual behavior in terms of commitment patterns, vendor selections, and spend distribution continues to match the authorized purpose.",
            "actions": [
              "Include spend distribution and commitment type analysis in alignment reviews for procurement AI agents.",
              "Require that alignment reviews for agents with material spend authority are reviewed by or reported to finance leadership.",
              "Use alignment review outcomes to update approval limits and behavioral profiles when procurement patterns legitimately evolve."
            ],
            "failure_signals": [
              "Procurement AI agents operating for extended periods without a behavioral alignment review confirming spend patterns match declared purpose.",
              "Alignment reviews for spend-sensitive agents that do not include quantitative spend distribution analysis.",
              "Material shifts in AI procurement behavior identified during financial reconciliation that were not detected by the alignment review process."
            ]
          },
          "risk_officer": {
            "summary": "Alignment reviews are the key control for detecting intent drift before it produces a material boundary violation or unauthorized commitment. They close the gap between point-in-time deployment authorization and ongoing operational assurance.",
            "actions": [
              "Set alignment review cadence based on risk tier \u2014 minimum quarterly for consequential-commitment and procurement AI deployments.",
              "Include alignment review status and drift findings in the AI risk monitoring dashboard reported to risk leadership.",
              "Define quantitative drift thresholds that automatically trigger an out-of-cycle alignment review and escalation."
            ],
            "failure_signals": [
              "Alignment review cadence set uniformly without risk-based differentiation for higher-consequence deployments.",
              "No quantitative drift thresholds defined, leaving the determination of material drift to subjective reviewer judgment alone.",
              "Risk reporting that tracks boundary violations but not alignment review outcomes, missing early drift signals."
            ]
          },
          "grc_auditor": {
            "summary": "Alignment reviews are the periodic assurance activity that validates ongoing intent compliance between deployment gate events. Auditors should verify cadence adherence, review quality, and escalation follow-through.",
            "actions": [
              "Verify that alignment reviews were completed within the defined cadence for all active AI deployments in scope.",
              "Inspect a sample of alignment review records to confirm they include structured behavioral log comparisons, not just attestation checkboxes.",
              "Confirm that material drift findings were escalated and that re-authorization or remediation was documented and completed."
            ],
            "failure_signals": [
              "Alignment reviews overdue by more than one review cycle for any in-scope AI deployment.",
              "Review records that consist solely of a sign-off attestation with no supporting behavioral analysis data.",
              "Material drift findings that appear in review records but have no corresponding re-authorization or remediation record."
            ],
            "metrics": [
              "Percentage of active AI deployments with alignment reviews completed within the defined cadence (target: 100%)",
              "Mean number of days overdue for late alignment reviews across all in-scope deployments",
              "Number of material drift findings resulting in re-authorization or system modification per reporting period"
            ]
          },
          "board_governance": {
            "summary": "Alignment reviews provide the board with confidence that the organization's AI governance program extends beyond deployment authorization to ongoing operational oversight. They are the primary assurance mechanism for detecting post-deployment purpose drift.",
            "actions": [
              "Request a summary of alignment review completion rates and material drift findings as part of periodic AI governance reporting to the board.",
              "Confirm that the AI governance policy defines mandatory alignment review cadences differentiated by deployment risk tier.",
              "Ensure that significant drift findings are reported to the board risk committee, not resolved solely at the operational level."
            ],
            "failure_signals": [
              "AI governance reporting to the board that confirms deployment authorization rates but provides no data on post-deployment alignment review compliance.",
              "Governance policy that defines deployment authorization requirements but is silent on ongoing behavioral alignment review obligations.",
              "Material AI behavioral drift identified through external means (customer complaints, audit findings, incidents) before internal alignment reviews detected it."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "eu_ai_act",
            "ref": "Art. 9",
            "title": "Risk management system",
            "normative_force": "binding-law",
            "fit": "partial",
            "fit_rationale": "Periodic alignment review is a risk-management monitoring activity contributing to, but not constituting, the Art. 9 system.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Periodic alignment review is a risk-management monitoring activity contributing to, but not constituting, the Art. 9 system.",
            "requirement_id": "Art. 9 \u2014 Risk management system",
            "relation": "satisfies"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a7 9.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Scheduled comparison of behavior against declared purpose with signed review records directly implements \u00a79.1 monitoring and evaluation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Scheduled comparison of behavior against declared purpose with signed review records directly implements \u00a79.1 monitoring and evaluation.",
            "requirement_id": "\u00a7 9.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a7 9.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "The risk-tiered alignment review cadence directly satisfies \u00a79.1 monitoring, measurement, analysis, and evaluation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "The risk-tiered alignment review cadence directly satisfies \u00a79.1 monitoring, measurement, analysis, and evaluation.",
            "requirement_id": "\u00a7 9.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 2.3",
            "title": "Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Re-authorization triggered by drift routes decisions to leadership, partially addressing GOVERN 2.3 executive accountability.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Re-authorization triggered by drift routes decisions to leadership, partially addressing GOVERN 2.3 executive accountability.",
            "requirement_id": "GOVERN 2.3 \u2014 Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "RSP v3.3 \u2014 Capability Assessment (Periodic Re-Evaluation)",
            "rationale": "The RSP requires routine capability assessment of frontier models, with comprehensive re-assessment triggered by elapsed time, increases in training compute, or significant elicitation improvements. If assessment shows a model has crossed a capability threshold, safeguards must be upgraded \u2014 a lifecycle obligation to re-verify that deployed capability remains aligned with the assessed and declared scope.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "RSP periodic capability re-assessment is an analogous lifecycle re-verification for Anthropic's own models, not the purpose-alignment review.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "openai_preparedness",
            "requirement_id": "Preparedness Framework v2 \u2014 Building Trust (Ongoing Evaluation and Disclosure)",
            "rationale": "The Preparedness Framework v2 commits to ongoing evaluation of deployed models and to keeping published documentation current when material changes occur. Divergence between observed behavior and the assessed capability scope triggers re-evaluation and potential deployment restriction \u2014 a lifecycle purpose-alignment review pattern.",
            "normative_force": "best-practice",
            "source_version": "2",
            "fit": "adjacent",
            "fit_rationale": "Preparedness ongoing-evaluation commitments are an analogous vendor pattern, not the deployer-side alignment review.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Organization Policy \u2014 Managed Constraint Compliance Review",
            "rationale": "Google Cloud managed constraints validate resource configurations against declared governance intent on an ongoing basis, and Cloud Asset Inventory's AnalyzeOrgPolicies API surfaces where constraints are \u2014 and are not \u2014 applied across the resource hierarchy. Reviewing this constraint coverage against the declared intended purpose surfaces drift between declared intent and the controls actually in force.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "AnalyzeOrgPolicies constraint-coverage review surfaces drift between declared intent and enforced controls, partially supporting review.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Standard v2 \u2014 Goal A3: Fit for Purpose",
            "rationale": "Goal A3 of Microsoft's Responsible AI Standard v2 requires evidence that an AI system is fit for the purpose it is deployed for, and impact assessments (Goal A1) must be revisited when intended uses change. Together these support periodic review that a deployed system's observed use remains aligned with its declared intended purpose.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "RAI Goal A3 fit-for-purpose evidence and reassessment on change support periodic alignment review but are broader than behavioral drift.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "eu-high-risk-ai"
        ],
        "implementers": [
          "AI Program Office",
          "Risk Management",
          "Legal Counsel",
          "Internal Audit"
        ],
        "validation_objective": "All active AI deployments must have a documented alignment review completed within the defined risk-tiered cadence. Each review must compare a structured behavioral log against the deployed behavioral profile and produce a signed review record; any material drift finding must trigger a re-authorization workflow before the system continues operating unchanged.",
        "evidence_required": [
          "Behavioral profile specification linked to each active intent declaration, defining expected action type distribution ranges, resource access frequency bands, and acceptable escalation trigger rates for the review period",
          "Structured behavioral log summaries covering the review period, with action type distributions, resource access patterns, and anomaly event counts compared against profile thresholds",
          "Signed alignment review records with reviewer_id, comparison_methodology, drift_findings, determination_of_alignment, and review_completed_at for all active deployments within the defined cadence",
          "Re-authorization records for any deployment where material drift was identified, including the triggering drift finding, remediation action, and updated or reaffirmed intent declaration version"
        ],
        "machine_tests": [
          "Configure test AI agent with behavioral profile specifying action_type_A at 60% frequency; inject behavioral log showing action_type_A at 15% \u2192 assert review workflow flags material deviation within the defined review cycle",
          "Complete alignment review identifying material drift and attempt to continue production operation without a completed re-authorization record \u2192 assert authority control plane flags open re-authorization obligation",
          "Query authority registry for deployments with last_review_at older than cadence_days for their risk tier \u2192 assert alert is generated for all overdue reviews within the monitoring interval"
        ],
        "human_review": [
          "Assess whether quantitative drift thresholds are calibrated to detect behaviorally significant divergence from declared purpose and not merely statistical noise in action type distributions",
          "Review a sample of alignment review records to confirm behavioral log analysis was substantive and compared against the deployed behavioral profile, not merely a sign-off attestation",
          "Verify that material drift findings that triggered re-authorization were fully resolved with a documented remediation decision, not closed with rationale-only waivers that leave the system operating unchanged"
        ],
        "blocking_effect": "requires-review",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Defining alignment review as a periodic stakeholder attestation asking whether the system still behaves as intended rather than a structured comparison of behavioral logs against a quantitative behavioral profile baseline",
          "Applying a single annual review cadence to all AI deployments regardless of consequence tier, treating high-consequence procurement agents the same as low-risk informational assistants",
          "Documenting material drift findings as informational observations without triggering a formal re-authorization workflow, leaving the system operating on a stale intent declaration",
          "Relying on incident reports and user complaints as the primary alignment signal rather than proactive periodic behavioral profile comparison against a pre-defined baseline"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PV"
      },
      {
        "id": "PV-04",
        "name": "Authorized Knowledge Source Registry",
        "canonical_id": "apeiris://authority/controls/PV-04",
        "layer": "PV",
        "prefix": "PV",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Maintains a registry of knowledge sources that an AI system is authorized to access and rely upon when forming decisions or commitments. Access to unregistered knowledge sources is blocked or flagged. This control coordinates with the Apeiris Knowledge domain control apeiris://knowledge/controls/KS-01 for source integrity verification, ensuring that authority and knowledge governance are co-verified.",
        "threat": {
          "context": "AI agents that can freely query unregistered knowledge sources may ground consequential decisions in stale, unauthorized, adversarially manipulated, or legally encumbered content. The authority domain must bound not only what an agent can do but also what information it is permitted to rely upon when deciding whether and how to act.",
          "tags": [
            "knowledge-source-staleness",
            "policy-bypass",
            "intent-drift"
          ]
        },
        "standard_references": [
          {
            "id": "iso_42001",
            "section": "A.7.5",
            "title": "Data provenance"
          },
          {
            "id": "nist_rmf",
            "section": "MAP 2.3",
            "title": "Scientific integrity and TEVV considerations, including data provenance and relevance, are identified and documented"
          },
          {
            "id": "iso_37301",
            "section": "\u00a7 8.1",
            "title": "Operational planning and control"
          }
        ],
        "sources": [
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PV-04 Authorized Knowledge Source Registry control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PV-04 Authorized Knowledge Source Registry control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021",
            "title": "ISO 37301:2021 \u2014 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Compliance Management Systems requirements informing the apeiris://authority/controls/PV-04 Authorized Knowledge Source Registry control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PV-04 Authorized Knowledge Source Registry control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PV-04 Authorized Knowledge Source Registry control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PV-04 Authorized Knowledge Source Registry control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PV-04 Authorized Knowledge Source Registry control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Maintain a registry of approved knowledge sources in the authority control plane, where each entry records the source identifier, access authorization scope, data classification, approval authority, and validity period. AI systems query the registry at runtime before accessing any knowledge source; access to unregistered sources is blocked and logged. Coordinate with apeiris://knowledge/controls/KS-01 to ensure source integrity checks are applied in addition to access authorization checks.",
          "steps": [
            "Define the knowledge source registry schema, including fields for source identifier, canonical URI, data classification, approved consumer systems, authorization date, and validity period.",
            "Enumerate and register all knowledge sources currently accessed by each AI system as part of the deployment authorization review.",
            "Implement an access control layer that intercepts all AI system knowledge source queries, validates the source against the registry, and blocks or flags access to unregistered sources.",
            "Establish a registration workflow for new knowledge sources that requires information security, data governance, and legal review before a source is approved and registered."
          ],
          "anti_patterns": [
            "Creating a registry as a documentation artifact that is not consulted at runtime, leaving knowledge source access enforcement to application-level code with no central control.",
            "Registering knowledge sources at a coarse-grained level (e.g., the entire web) that defeats the purpose of authorization scoping."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that a knowledge source registry exists and is referenced by runtime access control components for all in-scope AI systems.",
            "Verify that the registry schema captures data classification and authorization scope, not merely a list of approved source names.",
            "Check that the registration workflow requires information security and legal review for all new sources before they are approved."
          ],
          "runtime_tests": [
            "Attempt to access an unregistered knowledge source from an authorized AI system and confirm the attempt is blocked and logged.",
            "Access a registered source from an AI system not listed as an approved consumer and verify the access is denied.",
            "Submit a new knowledge source registration request and verify it follows the documented review and approval workflow."
          ],
          "evidence": [
            "Knowledge source registry export showing all registered sources, their authorization scope, approval authority, and validity status.",
            "Access control block logs demonstrating enforcement of registry-based restrictions for attempted unauthorized source access.",
            "Registration workflow records for all sources added to the registry in the audit period, including reviewer sign-offs."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "The authorized knowledge source registry establishes which information repositories an AI system is legally authorized to consult. It prevents AI-grounded decisions from relying on sources that are legally restricted, confidentially protected, or subject to third-party intellectual property claims.",
            "actions": [
              "Require that the registration workflow includes a legal review confirming each knowledge source is authorized for the AI system's intended use case.",
              "Verify that knowledge sources subject to data sharing agreements, licensing restrictions, or confidentiality obligations are flagged in the registry with applicable constraints.",
              "Confirm that AI-generated decisions or commitments trace to only registered and legally cleared knowledge sources."
            ],
            "failure_signals": [
              "AI systems found to have accessed knowledge sources subject to confidentiality restrictions or licensing agreements not reflected in the registry.",
              "Registration workflow records missing legal review sign-off for sources that contain third-party proprietary information.",
              "AI-generated commitments that were grounded in knowledge sources subsequently found to be unauthorized for the use case."
            ]
          },
          "cfo_procurement": {
            "summary": "AI procurement agents must be authorized to query specific market data, vendor catalogs, and pricing sources. The knowledge source registry provides the financial governance control that bounds which information feeds can influence AI procurement decisions.",
            "actions": [
              "Confirm that all market data, pricing, and vendor information sources used by AI procurement agents are registered and authorized.",
              "Verify that financial data sources subject to commercial licensing are registered with the licensing constraint noted and are not accessed beyond the licensed scope.",
              "Include knowledge source registry review in the periodic procurement AI governance review."
            ],
            "failure_signals": [
              "AI procurement agents accessing market data or pricing feeds that are not registered as authorized sources.",
              "Knowledge source registry entries for financial data missing licensing constraint fields.",
              "No registry-level distinction between internal authoritative financial data and externally sourced market information."
            ]
          },
          "risk_officer": {
            "summary": "The knowledge source registry bounds the information risk surface that an AI system can act upon. Sources that are stale, adversarially manipulated, or jurisdictionally unauthorized represent a class of risk that the registry control is specifically designed to contain.",
            "actions": [
              "Classify each registered knowledge source by data quality tier (authoritative, validated, indicative) and require risk acceptance for AI systems relying on lower-quality sources for consequential decisions.",
              "Include registry staleness \u2014 sources whose approval dates have passed \u2014 in the AI risk monitoring dashboard.",
              "Require that any knowledge source discovered to have been compromised or manipulated triggers an immediate incident review of all AI decisions grounded in that source."
            ],
            "failure_signals": [
              "AI systems making consequential decisions grounded in knowledge sources classified as indicative or unvalidated without documented risk acceptance.",
              "Knowledge source registry entries that have not been re-validated following a data quality incident affecting that source.",
              "No incident response procedure for the scenario where a registered knowledge source is found to have been adversarially manipulated."
            ]
          },
          "grc_auditor": {
            "summary": "The knowledge source registry is the control artifact that establishes the authorized information boundary for each AI system. Auditors must verify registry completeness, currency, enforcement, and registration workflow compliance.",
            "actions": [
              "Compare the knowledge sources accessed by AI systems during the audit period against the registry to identify any unregistered sources that were consulted.",
              "Inspect registration workflow records to verify that legal, data governance, and information security review was completed for all sources added in the period.",
              "Verify that access control block logs exist and that they confirm enforcement for attempted unauthorized source access."
            ],
            "failure_signals": [
              "Evidence of AI systems accessing knowledge sources not present in the registry, indicating the access control layer is not functioning.",
              "Registry entries created without a completed registration workflow, bypassing the required review steps.",
              "No block logs for the audit period despite production AI systems operating under registry-based access control."
            ],
            "metrics": [
              "Percentage of knowledge sources accessed by AI systems during the period that are present and current in the registry (target: 100%)",
              "Number of registration requests completed within the defined SLA per quarter",
              "Number of unregistered knowledge source access attempts blocked per reporting period"
            ]
          },
          "board_governance": {
            "summary": "The knowledge source registry represents the organization's formal assertion of which information repositories its AI systems are authorized to rely upon. Board governance should confirm that this registry exists and is enforced as a material data governance control.",
            "actions": [
              "Confirm through management reporting that a knowledge source registry exists and is operationally enforced for all consequential AI deployments.",
              "Request that periodic AI governance reporting includes a summary of registry additions, removals, and enforcement statistics.",
              "Confirm that the organization's data governance policy explicitly addresses AI knowledge source authorization as a registerable and auditable control."
            ],
            "failure_signals": [
              "AI governance reporting that addresses model and deployment controls but makes no reference to knowledge source authorization governance.",
              "Data governance policy silent on AI system knowledge source authorization, leaving this decision to individual application teams.",
              "Board-reportable AI incidents found to have originated from AI decisions grounded in unauthorized or unvalidated knowledge sources."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_42001",
            "ref": "A.7.5",
            "title": "Data provenance",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "A registry of approved knowledge sources supports data provenance but A.7.5 also covers origin and lineage beyond access authorization.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A registry of approved knowledge sources supports data provenance but A.7.5 also covers origin and lineage beyond access authorization.",
            "requirement_id": "A.7.5 \u2014 Data provenance",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MAP 2.3",
            "title": "Scientific integrity and TEVV considerations, including data provenance and relevance, are identified and documented",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Recording approved sources documents provenance, partially addressing MAP 2.3 provenance and relevance requirements.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Recording approved sources documents provenance, partially addressing MAP 2.3 provenance and relevance requirements.",
            "requirement_id": "MAP 2.3 \u2014 Scientific integrity and TEVV considerations, including data provenance and relevance, are identified and documented",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a7 8.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Registry-gated source access is an operational control, partially satisfying \u00a78.1 operational planning.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Registry-gated source access is an operational control, partially satisfying \u00a78.1 operational planning.",
            "requirement_id": "\u00a7 8.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Organizations SCP \u2014 Approved Data Source Restriction",
            "rationale": "AWS Organizations SCPs can deny access to unapproved data storage and retrieval services, restricting AI systems to declared authorized knowledge sources. SCPs applied at the OU level prevent any IAM principal within AI workload accounts from connecting to knowledge stores outside the approved registry, enforcing the authorized knowledge source boundary as an infrastructure-level control.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "SCPs can deny unapproved data services, partially enforcing the authorized-source boundary at infrastructure level.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Organization Policy \u2014 Service Usage Restriction Constraints",
            "rationale": "Google Cloud Organization Policy constraints (constraints/gcp.restrictServiceUsage) can restrict which data storage and knowledge retrieval services AI systems may access within a resource hierarchy node. This enforces the authorized knowledge source registry by denying connections to unapproved services at the API level before any knowledge retrieval occurs.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Service-usage restriction constraints block unapproved retrieval services, partially implementing the source registry at the API layer.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Purview \u2014 Data Governance for AI Knowledge Sources",
            "rationale": "Microsoft Purview data governance provides centralized cataloging and access control for knowledge sources used in AI deployments. Azure Policy can enforce that AI services only connect to Purview-registered, approved knowledge repositories, effectively implementing the authorized knowledge source registry as a platform-enforced governance control.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Purview cataloging plus Azure Policy can restrict AI to approved repositories, partially implementing the authorized-source registry.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Fine-Grained Authorization \u2014 Knowledge Resource Access Scopes",
            "rationale": "Okta Fine-Grained Authorization (FGA) can enforce relationship-based access control that restricts AI agents to only the knowledge sources authorized for their declared operating scope. Authorization server scopes are issued per task, preventing agents from accessing knowledge repositories outside their registered authorization, implementing the authorized knowledge source registry at the identity layer.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta FGA per-task scopes restrict agents to authorized sources at the identity layer, partially enforcing the registry.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "Knowledge Management",
          "Data Governance",
          "Information Security",
          "AI Operations"
        ],
        "validation_objective": "Every knowledge source accessed by an AI system must appear in the authorized knowledge source registry as an approved entry for that specific consumer system. Access control must block retrieval from unregistered sources before any knowledge transfer occurs and log each blocked attempt with the attempted source URI and consumer system identity.",
        "evidence_required": [
          "Knowledge source registry export showing all registered sources with source_id, canonical_uri, data_classification, approved_consumer_systems, authorization_date, validity_period, and licensing_constraints",
          "Access control block log demonstrating enforcement of registry-based restrictions, with fields for attempted_source_uri, consumer_system_id, block_reason, and block_timestamp for each denied attempt",
          "Registration workflow records for all sources added during the audit period, including information_security_review, data_governance_review, and legal_review sign-off timestamps",
          "Cross-reference audit confirming all knowledge sources queried by AI systems during the period appear in the registry as approved for those consumer systems"
        ],
        "machine_tests": [
          "Attempt query to knowledge source URI not present in registry from authorized AI consumer system \u2192 assert access is blocked with error_code=unregistered_knowledge_source and attempt is logged with source_uri and consumer_system_id",
          "Access registered knowledge source from AI system not listed as an approved_consumer_system for that source \u2192 assert access denied with error_code=consumer_not_authorized",
          "Submit new knowledge source registration request and verify workflow requires information_security_review and legal_review stage completions before source status changes to active in registry"
        ],
        "human_review": [
          "Review registration workflow records for a sample of approved knowledge sources to confirm legal review explicitly confirmed authorization for the AI system's intended use case and identified any licensing or confidentiality constraints",
          "Assess whether the data_classification field in each registry entry accurately reflects the source's sensitivity, licensing restrictions, and any third-party proprietary content limitations",
          "Verify that AI-generated commitments or decisions from the audit period can be traced to registered, approved knowledge sources and that no unregistered sources were consulted"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Maintaining the registry as a documentation artifact consulted only at deployment review rather than enforced at runtime as an access control gate that blocks queries to unregistered sources",
          "Registering knowledge sources at a coarse-grained level such as 'internal data lake' or 'public internet' rather than specific named repositories, defeating the purpose of authorization scoping",
          "Granting all AI consumer systems access to all registered knowledge sources enterprise-wide rather than scoping each source to the specific AI systems that have a documented need",
          "Omitting the legal review step for knowledge sources containing third-party proprietary, licensed, or confidentially restricted content, creating undisclosed legal exposure",
          "Creating registry entries without enforcing a re-validation when a source's licensing terms, data classification, or ownership changes, leaving stale authorization assertions in production"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PV"
      },
      {
        "id": "PV-05",
        "name": "Knowledge Source Version Governance",
        "canonical_id": "apeiris://authority/controls/PV-05",
        "layer": "PV",
        "prefix": "PV",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Tracks the version and change history of each authorized knowledge source used by AI systems. Material updates to knowledge sources trigger a re-validation workflow to confirm continued authority alignment before the new version is relied upon in production decisions. Silent version changes to knowledge sources are treated as change events requiring formal review.",
        "threat": {
          "context": "Silent updates to knowledge sources \u2014 including embeddings, retrieval corpora, policy documents, regulatory reference databases, and pricing tables \u2014 can shift an AI system's effective decision basis without triggering any authority review. The resulting behavior change may be subtle, directionally significant, and undetectable without version governance.",
          "tags": [
            "knowledge-source-staleness",
            "intent-drift",
            "policy-bypass"
          ]
        },
        "standard_references": [
          {
            "id": "iso_42001",
            "section": "A.7.5",
            "title": "Data provenance"
          },
          {
            "id": "nist_rmf",
            "section": "MAP 2.3",
            "title": "Scientific integrity and TEVV considerations, including data provenance and relevance, are identified and documented"
          },
          {
            "id": "nist_800_53",
            "section": "CM-3",
            "title": "Configuration Change Control"
          }
        ],
        "sources": [
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PV-05 Knowledge Source Version Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PV-05 Knowledge Source Version Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-sp-800-53-r5",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls requirements informing the apeiris://authority/controls/PV-05 Knowledge Source Version Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PV-05 Knowledge Source Version Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PV-05 Knowledge Source Version Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PV-05 Knowledge Source Version Governance control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Assign a version identifier and content hash to each knowledge source at the time of registry authorization. Implement automated monitoring that detects version changes or hash mismatches and routes them to a re-validation workflow before the updated source is used in production AI decisions. Maintain a versioned change log for each registered knowledge source.",
          "steps": [
            "At the time of knowledge source registry authorization, capture the version identifier, content hash, and authoring entity for the specific version being approved.",
            "Deploy automated hash monitoring that checks registered knowledge sources on a defined schedule and alerts on any hash change, triggering a hold on the updated version pending re-validation.",
            "Define a re-validation workflow that assesses the impact of the version change on AI system behavior and requires an authorization sign-off before the updated version is released to production.",
            "Maintain a versioned change log in the knowledge source registry that records each version transition, re-validation outcome, and authorization sign-off."
          ],
          "anti_patterns": [
            "Authorizing a knowledge source once at the level of its URI or name without capturing a version or content hash, making silent content changes undetectable.",
            "Treating knowledge source updates as routine operational events that do not require formal re-validation before deployment."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that the knowledge source registry schema includes version identifier and content hash fields, and that both are populated for all registered sources.",
            "Verify that automated hash monitoring is deployed and scheduled for all registered knowledge sources.",
            "Check that the re-validation workflow is defined, documented, and includes a production release hold pending authorization sign-off."
          ],
          "runtime_tests": [
            "Modify the content of a registered knowledge source without updating its registry entry and confirm that the hash monitoring system detects the change and triggers an alert within the defined monitoring interval.",
            "Submit an updated knowledge source version through the re-validation workflow and verify that the production release hold is enforced until authorization sign-off is recorded.",
            "Verify that the versioned change log in the registry is updated correctly following a completed re-validation."
          ],
          "evidence": [
            "Knowledge source registry entries showing version identifiers, content hashes, and re-validation records for all registered sources.",
            "Hash monitoring alert logs demonstrating detection of knowledge source changes during the audit period.",
            "Re-validation workflow records with authorization sign-offs for all knowledge source version transitions during the period."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Version governance for knowledge sources establishes a chain of custody for the information relied upon by AI systems in consequential decisions. It is essential for demonstrating that the information basis for AI-initiated actions was authorized at the time of action.",
            "actions": [
              "Confirm that knowledge source version history records are retained for the full evidentiary period applicable to the AI system's decision domain.",
              "Verify that re-validation workflows require documented legal review for knowledge source updates that affect compliance-relevant content.",
              "Ensure that version governance records can establish which specific knowledge source version was active at the time of any disputed AI-initiated action."
            ],
            "failure_signals": [
              "Inability to identify which knowledge source version was active at the time of a disputed AI-initiated decision.",
              "Knowledge source version transitions completed without legal review for sources containing compliance or contractual reference content.",
              "Version governance records retained for periods shorter than the applicable evidentiary retention requirement."
            ]
          },
          "cfo_procurement": {
            "summary": "For AI systems relying on pricing data, vendor databases, or market information, version governance ensures that the specific version of the data relied upon for a procurement decision is known, authorized, and traceable.",
            "actions": [
              "Require that pricing and vendor data sources used by AI procurement agents are subject to version governance with content hash verification.",
              "Include knowledge source version transitions in the change advisory process for AI procurement systems.",
              "Confirm that procurement decisions can be traced to a specific, authorized version of each relied-upon data source."
            ],
            "failure_signals": [
              "AI procurement decisions that cannot be traced to a specific authorized version of the pricing or market data source relied upon.",
              "Pricing data updates applied to AI procurement systems without a formal re-validation confirming the updated data meets authorization requirements.",
              "No version governance applied to vendor catalog or pricing feed data sources used by AI procurement agents."
            ]
          },
          "risk_officer": {
            "summary": "Knowledge source version changes are an unmonitored risk vector that can silently shift AI system behavior. Version governance converts this latent risk into a detected and managed change event.",
            "actions": [
              "Classify knowledge source version change risk based on the materiality of the source to AI decision quality and the rate of change of the source content.",
              "Include knowledge source version governance coverage in the AI risk monitoring dashboard, tracking how many registered sources have current, verified content hashes.",
              "Define incident response procedures for the scenario where a knowledge source version change is detected that was not initiated through the authorized update process."
            ],
            "failure_signals": [
              "Knowledge source content changes detected by hash monitoring that were not initiated through the authorized update workflow, suggesting an unauthorized modification.",
              "High-materiality knowledge sources with no version governance applied, representing unmonitored AI decision risk.",
              "Re-validation backlog growing over time, with knowledge source version updates pending authorization for extended periods."
            ]
          },
          "grc_auditor": {
            "summary": "Version governance is the change control discipline applied to AI knowledge sources. Auditors must verify that version and hash tracking are implemented, that changes trigger re-validation, and that production release holds are enforced.",
            "actions": [
              "Inspect the knowledge source registry to confirm that all registered sources have current version identifiers and content hashes.",
              "Review hash monitoring alert logs to verify that version changes were detected and routed to re-validation workflows.",
              "Sample re-validation records to confirm authorization sign-offs were obtained before updated knowledge source versions were released to production."
            ],
            "failure_signals": [
              "Registered knowledge sources with version identifiers or content hashes that are missing, outdated, or clearly not reflecting the actual current content.",
              "Hash monitoring alerts with no corresponding re-validation record, indicating changes may have been released to production without authorization.",
              "Re-validation workflow records missing authorization sign-offs, with updated versions already active in production."
            ],
            "metrics": [
              "Percentage of registered knowledge sources with a current, verified content hash (target: 100%)",
              "Mean time from hash change detection to re-validation completion in days (target: <5 for high-materiality sources)",
              "Number of knowledge source version transitions deployed to production without completed re-validation sign-off"
            ]
          },
          "board_governance": {
            "summary": "Knowledge source version governance is a component of the organization's AI change management posture. The board should confirm that changes to the information basis of AI systems are treated as material changes requiring formal controls.",
            "actions": [
              "Confirm that the AI change management policy explicitly addresses knowledge source version governance as a covered change event.",
              "Request summary statistics on knowledge source version change frequency and re-validation completion rates as part of periodic AI governance reporting.",
              "Ensure that significant knowledge source incidents \u2014 unauthorized changes, failed re-validations \u2014 are reported to the board risk committee."
            ],
            "failure_signals": [
              "AI change management policy that addresses model and code changes but is silent on knowledge source version governance.",
              "AI governance reporting that provides no visibility into knowledge source version change activity or re-validation status.",
              "Board awareness of AI behavioral changes that originated from unauthorized knowledge source modifications not detected by version governance controls."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_42001",
            "ref": "A.7.5",
            "title": "Data provenance",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Versioning and hashing knowledge sources supports provenance and lineage under A.7.5 but not full data-origin governance.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Versioning and hashing knowledge sources supports provenance and lineage under A.7.5 but not full data-origin governance.",
            "requirement_id": "A.7.5 \u2014 Data provenance",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MAP 2.3",
            "title": "Scientific integrity and TEVV considerations, including data provenance and relevance, are identified and documented",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Version and hash tracking documents source integrity and relevance, partially addressing MAP 2.3 provenance considerations.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Version and hash tracking documents source integrity and relevance, partially addressing MAP 2.3 provenance considerations.",
            "requirement_id": "MAP 2.3 \u2014 Scientific integrity and TEVV considerations, including data provenance and relevance, are identified and documented",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "CM-3",
            "title": "Configuration Change Control",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Treating source version changes as change events requiring re-validation applies CM-3 change control to knowledge sources.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Treating source version changes as change events requiring re-validation applies CM-3 change control to knowledge sources.",
            "requirement_id": "CM-3 \u2014 Configuration Change Control",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Config \u2014 Configuration Drift Detection for Knowledge Resources",
            "rationale": "AWS Config continuously evaluates resource configurations against approved baselines and detects configuration drift when knowledge source references change from authorized versions. Config rules can alert governance teams when AI system knowledge source configurations diverge from the approved version registry, enabling version governance enforcement at scale across organizational accounts.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Config drift detection can flag knowledge-source reference changes, partially supporting version governance.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Asset Inventory \u2014 Knowledge Resource Version Monitoring",
            "rationale": "Google Cloud Asset Inventory provides real-time change detection for knowledge resources across the resource hierarchy. Combined with Pub/Sub notifications, it enables automated alerting when knowledge source versions change from approved baselines, supporting version governance for AI training data and retrieval knowledge bases.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Asset Inventory change detection with Pub/Sub alerts on version changes, partially implementing version governance.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure Machine Learning \u2014 Model and Data Version Tracking",
            "rationale": "Azure Machine Learning enforces version governance for datasets and model artifacts used as knowledge sources in AI deployments. The ML platform's model registry tracks approved versions and lineage, and Azure Policy can enforce that production AI deployments only reference approved, registered knowledge source versions, implementing version governance as a deployment gate.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure ML registry version and lineage tracking with policy enforcement partially implements knowledge-source version governance.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "Data Governance",
          "Change Management",
          "AI Operations",
          "Information Security"
        ],
        "validation_objective": "Every registered knowledge source must have a current version identifier and content hash in the registry; any hash change detected by automated monitoring must trigger a production release hold on the updated version until a re-validation workflow is completed with authorization sign-off; no updated knowledge source version may be used in production AI decisions without a completed re-validation record.",
        "evidence_required": [
          "Knowledge source registry entries showing version_id, content_hash, and hash_verified_at for all registered sources, confirming no entries are missing these required governance fields",
          "Hash monitoring alert log entries for the audit period showing detected change events with source_id, previous_hash, detected_hash, and detected_at fields",
          "Re-validation workflow records with version_from, version_to, impact_assessment_summary, reviewer_id, and signed_at for all knowledge source version transitions during the period",
          "Production deployment gate logs showing release holds enforced for knowledge source updates with pending_revalidation status until sign-off was recorded"
        ],
        "machine_tests": [
          "Modify content of a registered knowledge source without updating its registry version entry \u2192 assert hash monitoring detects change within the defined monitoring interval and generates alert with source_id, previous_hash, and detected_at",
          "Attempt to route an updated knowledge source to a production AI system before re-validation sign-off is recorded \u2192 assert deployment gate blocks the update with error_code=pending_revalidation and source_id",
          "Complete re-validation workflow with authorization sign-off and verify registry versioned change log records version_from, version_to, reviewer_id, and signed_at within 5 minutes of sign-off completion"
        ],
        "human_review": [
          "Review re-validation records for high-materiality knowledge sources to confirm the impact assessment substantively evaluated how content changes could alter AI decision quality, not merely confirmed the hash change",
          "Verify that re-validation workflows for knowledge sources containing compliance reference, legal, or regulatory content include documented legal review before authorization sign-off",
          "Assess whether the hash monitoring interval for critical knowledge sources is sufficiently short to detect time-sensitive unauthorized modifications before they influence production AI decisions"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Authorizing a knowledge source once at the URI or name level without capturing a version identifier or content hash, making silent content changes completely undetectable by governance controls",
          "Treating knowledge source content updates as routine operational events that bypass the re-validation workflow because they are described as minor corrections or data refreshes",
          "Storing only the most recent content hash per source rather than a change history, making it impossible to reconstruct which hash version was active at the time of a specific AI decision",
          "Applying version governance to structured databases only while exempting embedding corpora, retrieval indexes, and prompt libraries from content hash tracking"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PV"
      },
      {
        "id": "PV-06",
        "name": "Operating Context Change Management",
        "canonical_id": "apeiris://authority/controls/PV-06",
        "layer": "PV",
        "prefix": "PV",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Defines a structured change management process for material changes to an AI system's operating context \u2014 including deployment environment changes, user population shifts, integration touchpoint additions, and task scope expansions. Context changes require re-assessment of authority declarations before the changed context is activated in production.",
        "threat": {
          "context": "AI systems deployed in evolving enterprise environments encounter context changes that can invalidate their original authority declarations without triggering any formal review. Without change management, agents continue operating under stale authority assertions against a context that no longer matches the one the declaration was written for.",
          "tags": [
            "intent-drift",
            "scope-creep",
            "internal-policy-violation",
            "policy-bypass"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 17",
            "title": "Pursues Improvement in Enterprise Risk Management"
          },
          {
            "id": "iso_42001",
            "section": "\u00a7 6.3",
            "title": "Planning of changes"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.4",
            "title": "The risk management process and its outcomes are established through transparent policies and procedures"
          },
          {
            "id": "eu_ai_act",
            "section": "Art. 9",
            "title": "Risk management system"
          }
        ],
        "sources": [
          {
            "id": "coso-erm-2017",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PV-06 Operating Context Change Management control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PV-06 Operating Context Change Management control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PV-06 Operating Context Change Management control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "eu-ai-act-2024",
            "title": "EU Artificial Intelligence Act",
            "authority": "European Parliament and Council of the European Union",
            "source_type": "regulation",
            "normative_force": "binding-law",
            "version": "2024/1689",
            "published_on": "2024-07-12",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689",
            "license": "open-access",
            "status": "current",
            "flagship": true,
            "source_id": "eu_ai_act",
            "relationship": "normative_requirement",
            "rationale": "Establishes EU Artificial Intelligence Act requirements informing the apeiris://authority/controls/PV-06 Operating Context Change Management control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PV-06 Operating Context Change Management control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PV-06 Operating Context Change Management control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PV-06 Operating Context Change Management control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PV-06 Operating Context Change Management control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Define a set of material context change triggers for AI systems \u2014 such as new integration endpoints, changes to the user population, geographic expansion, or modifications to the task execution environment \u2014 and require that any trigger event initiates a formal context change review that reassesses the active intent declaration before the changed context goes live.",
          "steps": [
            "Enumerate material context change trigger categories in the AI governance policy and publish them as part of the deployment authorization framework.",
            "Implement a context change intake process that captures trigger events from IT change management, product management, and operational teams and routes them to the AI authority review workflow.",
            "Conduct a context change review that compares the proposed new context against the active intent declaration and determines whether the declaration is still valid, requires amendment, or requires full re-authorization.",
            "Document the context change review outcome and update the intent declaration and registry accordingly before activating the changed context in production."
          ],
          "anti_patterns": [
            "Treating context changes as operational updates within the scope of existing deployment authorization rather than potential invalidators of the authority declaration.",
            "Scoping context change review only to security or infrastructure changes while excluding product and business-driven context changes that can equally shift AI authority boundaries."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that material context change trigger categories are defined and published in the AI governance policy.",
            "Verify that the context change intake process has defined channels from IT change management, product management, and operations.",
            "Check that the context change review procedure requires a determination on intent declaration validity before the changed context is activated."
          ],
          "runtime_tests": [
            "Simulate a material context change (e.g., add a new integration endpoint for an active AI system) and verify it routes to the context change review workflow.",
            "Complete a context change review that determines the intent declaration requires amendment and verify the amendment workflow is triggered and completed before the context change goes live.",
            "Attempt to activate a context change without a completed review and confirm the deployment gate blocks the change."
          ],
          "evidence": [
            "Context change review records linked to the triggering change event and the corresponding intent declaration update or reaffirmation.",
            "Deployment gate logs showing enforcement of the context change review prerequisite for context-modifying production changes.",
            "Intent declaration version history showing amendments triggered by context change review outcomes."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Context change management for AI systems ensures that the legal basis for the system's authority assertions remains current as the deployment environment evolves. It prevents the organization from relying on authority declarations that no longer accurately describe the AI system's operating context.",
            "actions": [
              "Confirm that the list of material context change triggers includes legally relevant changes such as new jurisdictions, new user populations, and new third-party integrations.",
              "Verify that context change reviews include a legal assessment when the changed context has cross-jurisdictional or contractual implications.",
              "Ensure that context change review records are retained and can be produced to demonstrate due diligence when the change context is relevant to a legal inquiry."
            ],
            "failure_signals": [
              "AI systems operating in jurisdictions or with user populations not reflected in their active intent declarations due to context expansion without review.",
              "Context change reviews that do not include legal assessment for changes with cross-jurisdictional or contractual implications.",
              "Context change review records that lack documentation of the legal determination made regarding the impact on the intent declaration."
            ]
          },
          "cfo_procurement": {
            "summary": "For AI systems used in procurement and contracting, context changes such as new vendor categories, expanded spend authority, or new geographic markets require that authority declarations are updated to reflect the new boundaries.",
            "actions": [
              "Confirm that expansion of AI procurement agent scope \u2014 new spend categories, new markets, new vendor tiers \u2014 is treated as a material context change requiring intent declaration review.",
              "Include context change review completion as a prerequisite for any procurement AI capability expansion.",
              "Verify that context change reviews for procurement AI systems include a finance leadership sign-off on the updated intent boundaries."
            ],
            "failure_signals": [
              "Procurement AI agents operating in spend categories or markets not covered by their current intent declarations following business expansion.",
              "Procurement capability expansions deployed without a context change review confirming the intent declaration covers the new scope.",
              "Finance leadership not included in context change reviews for procurement AI systems where the change affects spend authority."
            ]
          },
          "risk_officer": {
            "summary": "Context change management closes the loop between the enterprise change management process and the AI authority control plane. Without this connection, material changes to AI operating contexts represent unmonitored expansions of the AI risk surface.",
            "actions": [
              "Integrate the AI context change trigger list with the enterprise change management process so that material AI context changes are automatically routed to the authority review workflow.",
              "Include context change review completion rates and overdue reviews in the AI risk monitoring dashboard.",
              "Define risk escalation procedures for context changes that expand AI authority scope beyond what the existing risk acceptance covers."
            ],
            "failure_signals": [
              "Enterprise change management records showing material AI context changes that did not generate a corresponding authority review event.",
              "AI risk monitoring that tracks incident and violation rates but provides no visibility into the pipeline of pending context change reviews.",
              "Scope expansions for AI systems approved by product or operations teams without a risk assessment of the authority implications."
            ]
          },
          "grc_auditor": {
            "summary": "Context change management audits verify that the organization's AI authority controls adapt in response to changes in the AI system's operational environment, not just at initial deployment.",
            "actions": [
              "Identify material context changes affecting AI systems during the audit period from IT change management records and compare against the context change review log.",
              "Verify that all identified material context changes have a corresponding review record and that the review was completed before the change was activated.",
              "Sample context change review records to confirm they include a substantive assessment of the intent declaration's continued validity, not just a checkbox approval."
            ],
            "failure_signals": [
              "Material context changes identified in IT change management records for which no corresponding authority review record can be found.",
              "Context change reviews completed after the context change was already activated in production, indicating retrospective rather than proactive review.",
              "Review records that consist of a single approval attestation with no analysis of the impact on the intent declaration."
            ],
            "metrics": [
              "Percentage of material context changes with a completed authority review record prior to production activation (target: 100%)",
              "Mean time from context change trigger identification to completed review in days (target: within defined change lead time)",
              "Number of context changes activated in production before their authority review was completed"
            ]
          },
          "board_governance": {
            "summary": "Context change management ensures that the board's confidence in the organization's AI authority controls is not undermined by operational context drift that occurs outside the formal governance process.",
            "actions": [
              "Confirm that the AI governance policy includes explicit context change management requirements that are integrated with the enterprise change management process.",
              "Request periodic reporting on material AI context changes and corresponding review outcomes as part of AI governance reporting to the board.",
              "Ensure that material context changes that expand AI authority scope into new business domains or jurisdictions are reported to the board risk committee."
            ],
            "failure_signals": [
              "AI governance policy that covers initial deployment authorization but does not address ongoing context change management.",
              "Board AI governance reporting that provides no visibility into the volume or outcome of AI context change reviews.",
              "Material AI authority scope expansions discovered through external events (audits, incidents, regulatory inquiries) rather than through the proactive context change management process."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 17",
            "title": "Pursues Improvement in Enterprise Risk Management",
            "principle_number": 17,
            "component_name": "Review and Revision",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "Context-change review is a governance trigger, only loosely related to COSO's ERM-improvement principle.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Context-change review is a governance trigger, only loosely related to COSO's ERM-improvement principle.",
            "requirement_id": "Principle 17 \u2014 Pursues Improvement in Enterprise Risk Management",
            "relation": "informs"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a7 6.3",
            "title": "Planning of changes",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Reassessing authority on context change reflects \u00a76.3 change planning but is scoped to authority declarations.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Reassessing authority on context change reflects \u00a76.3 change planning but is scoped to authority declarations.",
            "requirement_id": "\u00a7 6.3 \u2014 Planning of changes",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 1.4",
            "title": "The risk management process and its outcomes are established through transparent policies and procedures",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "The published change-trigger taxonomy and gated review partially reflect GOVERN 1.4 transparent procedures.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "The published change-trigger taxonomy and gated review partially reflect GOVERN 1.4 transparent procedures.",
            "requirement_id": "GOVERN 1.4 \u2014 The risk management process and its outcomes are established through transparent policies and procedures",
            "relation": "equivalent_to"
          },
          {
            "framework": "eu_ai_act",
            "ref": "Art. 9",
            "title": "Risk management system",
            "normative_force": "binding-law",
            "fit": "partial",
            "fit_rationale": "Re-assessing risk on material context change is a risk-management activity contributing to the Art. 9 system.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Re-assessing risk on material context change is a risk-management activity contributing to the Art. 9 system.",
            "requirement_id": "Art. 9 \u2014 Risk management system",
            "relation": "satisfies"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "RSP v3.3 \u2014 Re-Assessment Triggers on Material Change",
            "rationale": "The RSP treats material changes \u2014 such as significant elicitation improvements or changes in how a model is deployed \u2014 as triggers for renewed capability and safeguards assessment rather than as routine operational events. This is the vendor-side analog of treating operating context change as a formal governance trigger.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "RSP material-change re-assessment triggers are a vendor-side analog for Anthropic's own deployments, not the deployer's process.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Control Tower Proactive Controls \u2014 Change Governance",
            "rationale": "AWS Control Tower proactive controls evaluate proposed infrastructure changes against governance policy before deployment, blocking context changes that would alter the AI system's operating environment without completing a governance review cycle. This implements operating context change management as a preventive control rather than a detective one.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Control Tower proactive controls block ungoverned infrastructure context changes, partially implementing preventive change management.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Organization Policy \u2014 Policy Simulation for Context Changes",
            "rationale": "Google Cloud Organization Policy's dry-run and simulation modes allow governance teams to test the impact of operating context changes before applying them, ensuring policy constraints remain appropriate for the new context. This supports formal change management review for AI operating context modifications before they take effect.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Org Policy dry-run and simulation let teams test context-change impact before enforcement, partially supporting change review.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Standard v2 \u2014 Goal A1: Impact Assessment (Update on Material Change)",
            "rationale": "Microsoft's Responsible AI Standard v2 requires Responsible AI Impact Assessments to be kept current: when a system's uses, deployment context, or capabilities change materially, the assessment must be reviewed and updated. This treats operating context change as a formal governance trigger rather than a routine operational event.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "RAI requires impact assessments refreshed on material change, partially aligning with treating context change as a governance trigger.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "eu-high-risk-ai"
        ],
        "implementers": [
          "Change Advisory Board",
          "AI Program Office",
          "Risk Management",
          "Platform Engineering"
        ],
        "validation_objective": "All material changes to an AI system's operating context must have a completed authority review record with a declaration validity determination before the changed context is activated in production. The review must confirm whether the active intent declaration remains valid, requires amendment, or requires full re-authorization; production deployment of the changed context must be gated on this determination.",
        "evidence_required": [
          "Enterprise change management records for the audit period cross-referenced against the context change review log, showing that all material AI context changes generated a corresponding authority review event",
          "Context change review records linked to triggering change events, with fields for context_change_type, declaration_validity_determination, reviewer_sign_off, and review_completed_at",
          "Intent declaration version history showing amendments triggered by context change review outcomes where the declaration required updating before the changed context was activated",
          "Deployment gate logs confirming that production activation of context-modifying changes was blocked until an associated completed review record was registered in the authority registry"
        ],
        "machine_tests": [
          "Add new integration endpoint for an active AI system in the change management system \u2192 assert context change review intake generates a review task within the defined SLA with change_type=new_integration and assigned reviewer",
          "Attempt to deploy a context-modifying production change without an associated completed review record \u2192 assert deployment gate blocks the change with error_code=missing_context_review and change_id",
          "Complete context change review determining declaration requires amendment and verify authority registry blocks changed-context activation until amended declaration is registered with review_record_id linked"
        ],
        "human_review": [
          "Verify that the enumerated material context change trigger categories in the AI governance policy cover legally relevant changes including new jurisdictions, new user populations, and new third-party integration dependencies",
          "Review a sample of context change review records to confirm they include substantive analysis of the intent declaration's continued validity against the new context, not merely a sign-off attestation",
          "Assess whether context change intake channels from IT change management, product management, and business operations teams are all generating review events, or whether product-driven context expansions are bypassing the intake process"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Treating AI operating context changes as routine operational updates within the scope of existing deployment authorization rather than as potential invalidators of the authority declaration",
          "Scoping context change review only to IT infrastructure and security changes while excluding product-driven expansions such as new user populations, new task categories, or new vendor integrations",
          "Completing context change reviews retrospectively after the changed context is already live in production, converting a required preventive gate into a post-hoc detective activity",
          "Defining material context change triggers so narrowly that geographic expansion, new user population segments, and new integration partners do not qualify, creating systematic blind spots in the review process"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PV"
      },
      {
        "id": "PV-07",
        "name": "Deployment Scope Attestation",
        "canonical_id": "apeiris://authority/controls/PV-07",
        "layer": "PV",
        "prefix": "PV",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Requires a signed attestation confirming the deployment scope \u2014 geographic regions, legal entities, user populations, use-case boundaries, and applicable jurisdictional constraints \u2014 within which an AI system is authorized to operate. Scope attestations must be renewed on material change and at defined intervals.",
        "threat": {
          "context": "AI systems operating beyond their attested deployment scope may violate jurisdictional data protection requirements, exceed contractual deployment limits, or operate in contexts not covered by the organization's risk acceptance or legal review. Scope attestation failures are frequently discovered only through external audit or incident.",
          "tags": [
            "scope-creep",
            "authority-limit-breach",
            "policy-bypass",
            "principal-accountability-gap"
          ]
        },
        "standard_references": [
          {
            "id": "eu_ai_act",
            "section": "Art. 13",
            "title": "Transparency and provision of information to deployers"
          },
          {
            "id": "iso_42001",
            "section": "\u00a7 8.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.7",
            "title": "Processes and procedures are in place for decommissioning and phasing out AI systems safely"
          }
        ],
        "sources": [
          {
            "id": "eu-ai-act-2024",
            "title": "EU Artificial Intelligence Act",
            "authority": "European Parliament and Council of the European Union",
            "source_type": "regulation",
            "normative_force": "binding-law",
            "version": "2024/1689",
            "published_on": "2024-07-12",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689",
            "license": "open-access",
            "status": "current",
            "flagship": true,
            "source_id": "eu_ai_act",
            "relationship": "normative_requirement",
            "rationale": "Establishes EU Artificial Intelligence Act requirements informing the apeiris://authority/controls/PV-07 Deployment Scope Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PV-07 Deployment Scope Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PV-07 Deployment Scope Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PV-07 Deployment Scope Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PV-07 Deployment Scope Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PV-07 Deployment Scope Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PV-07 Deployment Scope Attestation control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Generate a structured deployment scope attestation artifact at the time of production deployment that enumerates geographic regions, legal entities, user population categories, use-case types, and applicable jurisdictional constraints. Require the attestation to be signed by a principal with authority over each dimension of the declared scope. Implement a registry-based scope check that validates AI system operation against the current attestation.",
          "steps": [
            "Define a deployment scope attestation schema covering geographic regions, legal entities, user population categories, use-case types, and applicable regulatory jurisdictions.",
            "Complete the attestation during deployment authorization, obtaining sign-off from the principal authorized to declare scope for each dimension.",
            "Register the signed attestation in the authority control registry and configure runtime monitoring to flag AI system activity outside the attested scope.",
            "Schedule automatic attestation renewal triggers at defined intervals and upon any material change to deployment scope dimensions."
          ],
          "anti_patterns": [
            "Capturing deployment scope in a system description document that is not a formalized attestation artifact with a named signatory and defined validity period.",
            "Defining geographic scope at country level only when actual deployment boundaries are defined by sub-national regulatory zones or specific legal entity restrictions."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that the deployment scope attestation schema covers all required dimensions including geographic regions, legal entities, and regulatory jurisdictions.",
            "Verify that completed attestations include a named signatory with authority over the declared scope dimensions.",
            "Check that the authority control registry stores the attestation and that monitoring is configured to flag out-of-scope activity."
          ],
          "runtime_tests": [
            "Trigger AI system activity in a geographic region not covered by the current deployment scope attestation and confirm that out-of-scope activity monitoring raises an alert.",
            "Submit an attestation without a signatory and verify that the registry rejects the incomplete artifact.",
            "Verify that scope attestation renewal triggers fire correctly at the defined renewal interval."
          ],
          "evidence": [
            "Signed deployment scope attestation artifacts in the authority registry for all active AI deployments.",
            "Out-of-scope activity monitoring alerts for any AI system operation outside attested boundaries during the audit period.",
            "Renewal records showing timely scope attestation renewal for all active deployments."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Deployment scope attestations provide the legal foundation for the organization's assertion that AI systems are operating within jurisdictionally appropriate and contractually compliant boundaries. They are essential evidence in cross-border data protection and contract compliance inquiries.",
            "actions": [
              "Confirm that the attestation schema requires explicit identification of all regulatory jurisdictions applicable to the deployment scope.",
              "Verify that attestations covering EU or other regulated jurisdictions are reviewed by legal counsel before being signed.",
              "Ensure that deployment scope attestations are retained and can be produced to demonstrate regulatory compliance at the time of any disputed AI system operation."
            ],
            "failure_signals": [
              "AI systems processing personal data in jurisdictions not covered by their deployment scope attestation.",
              "Attestations covering regulated jurisdictions signed without documented legal review.",
              "No deployment scope attestation exists for AI systems operating in regulated geographic regions."
            ]
          },
          "cfo_procurement": {
            "summary": "Deployment scope attestations bound the legal entities and geographic markets within which AI procurement and contracting agents can create obligations. They prevent AI agents from committing entities or markets not covered by the organization's risk acceptance.",
            "actions": [
              "Confirm that attestations for procurement AI agents explicitly list the legal entities on whose behalf the agent is authorized to create commitments.",
              "Verify that geographic scope in attestations for procurement AI reflects actual contracting jurisdiction rather than just operational geography.",
              "Include scope attestation review in the periodic governance review for AI systems with spend or commitment authority."
            ],
            "failure_signals": [
              "Commitments created by AI procurement agents on behalf of legal entities not listed in the deployment scope attestation.",
              "Attestations for procurement AI that cover geographic markets without corresponding authorization to create contractual obligations in those markets.",
              "No attestation renewal when the organization's legal entity structure or operating geography changes."
            ]
          },
          "risk_officer": {
            "summary": "Deployment scope attestations define the boundary of the organization's accepted AI risk exposure. Out-of-scope AI operation represents unaccepted risk, and scope attestation monitoring is the control that detects and contains such exposure.",
            "actions": [
              "Include deployment scope attestation currency and out-of-scope activity alerts in the AI risk monitoring dashboard.",
              "Define risk escalation procedures for out-of-scope AI activity detection, including immediate notification to legal and risk leadership.",
              "Set scope attestation renewal cadence based on the pace of business change in the relevant geographic and legal entity dimensions."
            ],
            "failure_signals": [
              "Out-of-scope AI activity alerts that are routed to IT operations without escalation to risk or legal leadership.",
              "Scope attestations not renewed following organizational changes such as new market entry, entity restructuring, or regulatory jurisdiction changes.",
              "AI risk monitoring that tracks behavioral violations but does not include scope attestation compliance status."
            ]
          },
          "grc_auditor": {
            "summary": "Deployment scope attestations are a key compliance artifact for verifying that AI systems operate within authorized geographic, legal entity, and use-case boundaries. Auditors must verify attestation existence, currency, signatory authority, and monitoring enforcement.",
            "actions": [
              "Verify that all active AI deployments in scope have a current, signed deployment scope attestation in the authority registry.",
              "Inspect signatory authority for sampled attestations to confirm that the signing principal has organizational authority over the declared scope dimensions.",
              "Review out-of-scope activity monitoring logs to confirm enforcement and proper escalation of any out-of-scope events."
            ],
            "failure_signals": [
              "Active AI deployments without a corresponding scope attestation, or with attestations that have exceeded their renewal date.",
              "Attestations signed by principals who cannot be verified to have authority over the geographic or legal entity scope they declared.",
              "No out-of-scope monitoring alerts for the audit period despite AI systems operating at scale, suggesting monitoring may not be functioning."
            ],
            "metrics": [
              "Percentage of active AI deployments with a current, signed deployment scope attestation (target: 100%)",
              "Number of out-of-scope activity events detected and escalated per reporting period",
              "Mean time between scope attestation renewal date and completion of renewal (target: <14 days)"
            ]
          },
          "board_governance": {
            "summary": "Deployment scope attestations are the formal boundary documents that define where in the world and within which parts of the organization AI systems are authorized to operate. Board governance should confirm this control is universally applied and that the board is informed of material scope expansions.",
            "actions": [
              "Request a summary of AI deployment scope attestations covering the board's major geographic markets and legal entities.",
              "Confirm that material scope expansions \u2014 new markets, new entities \u2014 require board or board committee awareness before the attestation is signed.",
              "Ensure that the AI governance policy requires scope attestations as a non-waivable deployment prerequisite."
            ],
            "failure_signals": [
              "AI systems operating in new geographic markets or on behalf of new legal entities without board-level awareness of the scope expansion.",
              "No board-level summary of AI deployment scope across the enterprise, preventing governance oversight of the organization's AI operational footprint.",
              "Scope attestations treated as technical deployment documentation rather than governance artifacts requiring principal-level sign-off."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "eu_ai_act",
            "ref": "Art. 13",
            "title": "Transparency and provision of information to deployers",
            "normative_force": "binding-law",
            "fit": "partial",
            "fit_rationale": "A signed scope attestation documents authorized deployment boundaries, partially supporting Art. 13 information provision.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A signed scope attestation documents authorized deployment boundaries, partially supporting Art. 13 information provision.",
            "requirement_id": "Art. 13 \u2014 Transparency and provision of information to deployers",
            "relation": "satisfies"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a7 8.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Scope attestation at deployment is an operational-control artifact, partially satisfying \u00a78.1.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Scope attestation at deployment is an operational-control artifact, partially satisfying \u00a78.1.",
            "requirement_id": "\u00a7 8.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 1.7",
            "title": "Processes and procedures are in place for decommissioning and phasing out AI systems safely",
            "normative_force": "voluntary-standard",
            "fit": "adjacent",
            "fit_rationale": "Scope attestation governs authorized operation, not the safe decommissioning GOVERN 1.7 addresses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Scope attestation governs authorized operation, not the safe decommissioning GOVERN 1.7 addresses.",
            "requirement_id": "GOVERN 1.7 \u2014 Processes and procedures are in place for decommissioning and phasing out AI systems safely",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "RSP v3.3 \u2014 Safeguards Assessment and Risk Report Sign-Off",
            "rationale": "Before deploying a model that requires the ASL-3 standard, the RSP requires a documented assessment that the required safeguards are in place, with sign-off through Anthropic's internal governance (including the Responsible Scaling Officer) and public release of key information. The signed-off report functions as a deployment scope attestation for that model release.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "RSP signed safeguards sign-off is an analogous deployment attestation for Anthropic's own releases, not the deployer's scope attestation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "openai_preparedness",
            "requirement_id": "Preparedness Framework v2 \u2014 Safety Advisory Group Review and System Card Publication",
            "rationale": "OpenAI's Preparedness Framework requires review by the Safety Advisory Group \u2014 an internal advisory body reporting to OpenAI leadership, not an independent assessor \u2014 of capability evaluations and mitigations before model deployment. The published system card serves as the deployment scope record, documenting that evaluation was completed, risk levels were assessed, and the deployment is bounded to the described intended use.",
            "normative_force": "best-practice",
            "source_version": "2",
            "fit": "adjacent",
            "fit_rationale": "Preparedness SAG review and published system card are an analogous vendor deployment record, not the deployer-side scope attestation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Audit Manager \u2014 Deployment Scope Evidence Collection",
            "rationale": "AWS Audit Manager automates the collection of deployment scope attestation evidence across organizational accounts. Custom frameworks in Audit Manager can map deployment scope requirements to AWS Config rules and CloudTrail evidence, generating attestation artifacts that certify the AI system's authorized deployment scope meets governance requirements at time of activation.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Audit Manager can collect and package deployment-scope evidence, partially producing the scope attestation artifact.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Standard v2 \u2014 Goal A2: Oversight of Significant Adverse Impacts (Sensitive-Use Review)",
            "rationale": "Goal A2 of Microsoft's Responsible AI Standard v2 routes sensitive uses through additional review and oversight before release, so that deployments with potential for significant adverse impact are approved at the appropriate level before production activation. Azure DevOps pipeline gates can enforce completion of such reviews as a deployment condition.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "RAI Goal A2 sensitive-use review gates high-impact deployments, partially aligning with scope attestation before activation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "eu-high-risk-ai"
        ],
        "implementers": [
          "Deployment Engineering",
          "Legal Counsel",
          "Compliance",
          "Risk Management"
        ],
        "validation_objective": "Every active AI deployment must have a current, signed deployment scope attestation in the authority registry enumerating authorized geographic regions, legal entities, user population categories, use-case types, and applicable regulatory jurisdictions. The attestation must bear the signature of a named principal with verifiable authority over the declared scope dimensions, and runtime monitoring must detect and alert on AI activity outside attested boundaries.",
        "evidence_required": [
          "Signed deployment scope attestation artifacts in the authority registry for all active AI deployments, with fields for geographic_regions, legal_entities, user_population_categories, use_case_types, applicable_jurisdictions, signatory_id, valid_from, and valid_until",
          "Signatory authority verification records confirming each signing principal has organizational authority over the specific geographic, legal entity, and jurisdictional scope dimensions they attested",
          "Out-of-scope activity monitoring alerts for any AI system operation detected outside attested boundaries, with system_id, detected_activity, attested_scope, and detection_timestamp",
          "Renewal records showing timely scope attestation renewal at defined intervals and following material scope dimension changes such as new market entry or entity restructuring"
        ],
        "machine_tests": [
          "Trigger AI system activity in geographic region not listed in the current deployment scope attestation \u2192 assert out-of-scope monitoring raises alert within the defined detection window with system_id, detected_region, and attested_regions fields",
          "Submit scope attestation artifact with signatory_id field absent \u2192 assert authority registry rejects the artifact with error_code=missing_signatory before registering it",
          "Set current timestamp past the scope attestation valid_until date \u2192 assert renewal alert fires, attestation status transitions to expired, and system flags the associated deployment as requiring attestation renewal"
        ],
        "human_review": [
          "Verify that the attestation schema for sampled deployments explicitly identifies regulatory jurisdictions applicable to the geographic scope at the appropriate sub-national or data-residency zone level, not only at country level",
          "Confirm that attestations covering EU member states or other regulated jurisdictions include a documented legal counsel review record prior to signatory sign-off",
          "Assess whether out-of-scope activity escalation procedures route alerts to risk management and legal leadership and not solely to IT operations, and confirm the escalation path is tested and documented"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Capturing deployment scope in a system description document or project wiki rather than a formalized attestation artifact with a named signatory, defined validity period, and registry registration",
          "Defining geographic scope at country level only when actual regulatory constraints operate at sub-national zone or data-residency region levels, leaving jurisdictional gaps in the attested scope",
          "Signing scope attestations with a shared IT service account rather than a named individual principal whose authority over the declared scope dimensions can be verified in the organizational hierarchy",
          "Treating scope attestation as a one-time deployment gate artifact with no renewal requirement, allowing the attestation to become stale as the organization's geographic and legal entity footprint evolves",
          "Omitting legal entity specification in attestations for AI systems that create contractual obligations, preventing traceability of which entities are authorized to be bound by AI-initiated commitments"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PV"
      },
      {
        "id": "PV-08",
        "name": "Principal Intent vs. Agent Behavior Alignment",
        "canonical_id": "apeiris://authority/controls/PV-08",
        "layer": "PV",
        "prefix": "PV",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Continuously monitors the alignment between the intent declared by the authorizing principal and the observed behavior of the AI agent in production. Divergence above a defined threshold triggers an intent alignment review and may suspend agent operation pending re-authorization.",
        "threat": {
          "context": "Autonomous agents can develop behavioral patterns that diverge from their authorizing principal's intent through model updates, prompt injection, emergent multi-agent interaction, or changes in user behavior over time. Undetected divergence creates a principal accountability gap where no human is monitoring whether agent behavior still reflects the authority granted.",
          "tags": [
            "intent-drift",
            "principal-accountability-gap",
            "scope-creep",
            "policy-bypass"
          ]
        },
        "standard_references": [
          {
            "id": "nist_rmf",
            "section": "MEASURE 2.4",
            "title": "The functionality and behavior of the AI system and its components are monitored when in production"
          },
          {
            "id": "iso_42001",
            "section": "\u00a7 9.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_800_53",
            "section": "SI-7",
            "title": "Software, Firmware, and Information Integrity"
          }
        ],
        "sources": [
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PV-08 Principal Intent vs. Agent Behavior Alignment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PV-08 Principal Intent vs. Agent Behavior Alignment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-sp-800-53-r5",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls requirements informing the apeiris://authority/controls/PV-08 Principal Intent vs. Agent Behavior Alignment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PV-08 Principal Intent vs. Agent Behavior Alignment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PV-08 Principal Intent vs. Agent Behavior Alignment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PV-08 Principal Intent vs. Agent Behavior Alignment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PV-08 Principal Intent vs. Agent Behavior Alignment control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Construct a behavioral intent profile from the signed intent declaration at deployment time, defining expected distributions of action types, decision frequencies, resource access patterns, and escalation rates. Deploy a continuous behavioral monitoring service that computes alignment scores against the profile on a rolling basis and triggers alerts and review workflows when alignment scores fall below defined thresholds.",
          "steps": [
            "Extract a quantitative behavioral profile from the intent declaration at deployment time, specifying acceptable ranges for action type distribution, resource category access frequency, and escalation rate.",
            "Deploy a behavioral monitoring service that ingests the agent's action log stream and computes a rolling alignment score against the deployed behavioral profile.",
            "Configure alert thresholds that trigger a human alignment review when the rolling alignment score indicates divergence exceeding the defined tolerance.",
            "Define an escalation path for alignment review findings: minor divergence triggers advisory review, material divergence triggers mandatory re-authorization, and severe divergence triggers automatic agent suspension."
          ],
          "anti_patterns": [
            "Defining alignment thresholds so loosely that the monitoring system would not detect material behavioral drift within the time horizon of a typical agent task.",
            "Treating intent alignment monitoring as equivalent to security anomaly detection, which optimizes for different signals and may miss gradual intent drift entirely."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that a quantitative behavioral intent profile is defined for each AI deployment and linked to the corresponding intent declaration in the registry.",
            "Verify that the behavioral monitoring service is deployed and processing the action log stream for all in-scope AI agents.",
            "Check that alignment threshold configurations define distinct response tiers for advisory, mandatory re-authorization, and suspension levels."
          ],
          "runtime_tests": [
            "Introduce a simulated behavioral drift scenario \u2014 a sustained shift in action type distribution \u2014 and verify the monitoring service detects it and triggers an alignment review within the defined alert latency.",
            "Simulate a severe alignment breach and confirm the automatic agent suspension mechanism activates.",
            "Verify that alignment review records are generated and linked to the triggering alignment event in the audit log."
          ],
          "evidence": [
            "Behavioral intent profiles linked to each active intent declaration in the authority registry.",
            "Alignment score time series data from the behavioral monitoring service covering all active AI agents.",
            "Alignment review records triggered by threshold breaches, including the review outcome and any re-authorization or suspension actions taken."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Intent vs. behavior alignment monitoring provides the operational assurance that AI agents are not acting outside the scope authorized by principals, even after deployment. For legal purposes, evidence of continuous monitoring is critical to demonstrating due diligence in supervision of autonomous AI agents.",
            "actions": [
              "Confirm that alignment monitoring records are retained as legal-quality evidence showing continuous oversight of AI agent behavior against declared intent.",
              "Verify that material alignment breaches are documented and that corrective actions \u2014 re-authorization or suspension \u2014 are recorded with timestamps.",
              "Ensure that the alignment monitoring policy addresses the organization's duty of care obligations for supervising autonomous AI agents."
            ],
            "failure_signals": [
              "AI agents that produced unauthorized outcomes for which no alignment monitoring data exists to show the deviation was or was not detectable.",
              "Material alignment breaches that were detected but not actioned within the defined response timeline.",
              "No retention policy for alignment monitoring data, making it unavailable for evidentiary purposes."
            ]
          },
          "cfo_procurement": {
            "summary": "For AI agents with procurement authority, intent alignment monitoring provides the assurance that agent commitment behavior continues to reflect the authorizing principal's procurement intent and does not drift toward unauthorized spend categories or commitment structures.",
            "actions": [
              "Confirm that procurement AI agent behavioral profiles include spend distribution, commitment type distribution, and vendor selection pattern metrics.",
              "Require that alignment review findings for procurement AI agents are reported to finance leadership within the defined escalation SLA.",
              "Use alignment monitoring data to support procurement AI agent performance reviews and to inform approval limit adjustments."
            ],
            "failure_signals": [
              "Procurement AI agent behavioral profiles that include only action type metrics without financial metrics such as spend distribution and commitment type.",
              "Alignment breach reviews for procurement AI agents not escalated to finance leadership within the defined SLA.",
              "Procurement pattern drift detected in financial reconciliation that was not preceded by an alignment monitoring alert."
            ]
          },
          "risk_officer": {
            "summary": "Intent alignment monitoring is the real-time risk sensing mechanism for the most subtle form of AI authority failure: gradual behavioral drift from declared intent. Without it, the risk of principal accountability gap accumulates silently over the agent's operational lifetime.",
            "actions": [
              "Include alignment score trends and alert rates as primary metrics in the AI risk monitoring dashboard.",
              "Set risk tier-differentiated alignment thresholds: tighter for consequential-commitment and procurement AI, wider for lower-stakes applications.",
              "Define a risk escalation procedure for sustained alignment score degradation that does not cross the alert threshold but trends persistently downward."
            ],
            "failure_signals": [
              "Alignment monitoring configured with identical thresholds across AI agents of different risk tiers, failing to apply appropriate sensitivity to high-consequence deployments.",
              "Persistent downward trends in alignment scores that are below alert threshold but clearly directional, with no risk escalation process to address them.",
              "No alignment monitoring deployed for AI agents with consequential-commitment or procurement authority."
            ]
          },
          "grc_auditor": {
            "summary": "Intent vs. behavior alignment monitoring is the ongoing surveillance control for the PV layer. Auditors must verify that behavioral profiles are defined, monitoring services are deployed and processing, and that threshold breaches are generating reviews and documented responses.",
            "actions": [
              "Inspect behavioral intent profile definitions for all in-scope AI agents to confirm they include quantitative metrics with defined threshold ranges.",
              "Review alignment score time series data to confirm continuous monitoring is occurring for all in-scope agents.",
              "Sample alignment review records triggered during the audit period to confirm substantive review and documented corrective action."
            ],
            "failure_signals": [
              "AI agents with no behavioral intent profile defined, making alignment monitoring impossible or purely subjective.",
              "Gaps in alignment score time series data indicating periods where monitoring was not functioning.",
              "Alignment breach records with no documented review or corrective action, indicating the review workflow is not functioning."
            ],
            "metrics": [
              "Percentage of active AI agents with a deployed behavioral intent profile and active alignment monitoring (target: 100%)",
              "Number of alignment threshold breaches per agent per quarter, trended for escalating drift detection",
              "Mean time from alignment breach alert to completed review and documented corrective action in hours"
            ]
          },
          "board_governance": {
            "summary": "Intent alignment monitoring provides the board with evidence that the organization is actively supervising AI agent behavior against the authority it granted at deployment. It is the operational control that makes the intent declaration system meaningful as an ongoing governance artifact.",
            "actions": [
              "Request summary alignment monitoring statistics in periodic AI governance reporting, including alert rates, review completion rates, and suspension events.",
              "Confirm that the AI governance policy mandates intent alignment monitoring as a required operational control for all AI agents with consequential authority.",
              "Ensure that significant alignment failure events \u2014 material breaches, agent suspensions \u2014 are reported to the board risk committee."
            ],
            "failure_signals": [
              "AI governance reporting to the board that describes deployment authorization controls but provides no data on post-deployment behavioral alignment monitoring.",
              "Governance policy that is silent on the organization's intent alignment monitoring obligations for deployed AI agents.",
              "AI agent suspensions resulting from alignment failures that were not reported to the board risk committee."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "nist_rmf",
            "ref": "MEASURE 2.4",
            "title": "The functionality and behavior of the AI system and its components are monitored when in production",
            "normative_force": "voluntary-standard",
            "fit": "direct",
            "fit_rationale": "Continuous alignment scoring of agent behavior against a deployed profile directly implements MEASURE 2.4 production monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Continuous alignment scoring of agent behavior against a deployed profile directly implements MEASURE 2.4 production monitoring.",
            "requirement_id": "MEASURE 2.4 \u2014 The functionality and behavior of the AI system and its components are monitored when in production",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a7 9.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Continuous behavioral-alignment monitoring directly satisfies \u00a79.1 monitoring and measurement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Continuous behavioral-alignment monitoring directly satisfies \u00a79.1 monitoring and measurement.",
            "requirement_id": "\u00a7 9.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SI-7",
            "title": "Software, Firmware, and Information Integrity",
            "normative_force": "voluntary-standard",
            "fit": "adjacent",
            "fit_rationale": "SI-7 concerns software and information integrity verification, related to but distinct from behavioral intent-alignment monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "SI-7 concerns software and information integrity verification, related to but distinct from behavioral intent-alignment monitoring.",
            "requirement_id": "SI-7 \u2014 Software, Firmware, and Information Integrity",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "Claude's Constitution + Anthropic Usage Policy \u2014 Acting Within Principal-Granted Scope",
            "rationale": "Claude's Constitution describes Claude as acting on behalf of its principals within the scope of the instructions and permissions they grant, and Anthropic's Usage Policy (anthropic.com/legal/aup) conditions deployment on appropriate human oversight for consequential use. These documents \u2014 not the RSP, which governs Anthropic's own scaling and deployment decisions \u2014 supply the vendor-side expression of principal intent alignment: agent behavior that exceeds principal-granted scope is a policy violation warranting escalation.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "Claude's Constitution and AUP express the vendor-side principal-scope expectation, an analog rather than the deployer's monitoring evidence.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "openai_preparedness",
            "requirement_id": "Preparedness Framework v2 \u2014 Research Categories (Long-Range Autonomy)",
            "rationale": "Preparedness Framework v2 no longer treats model autonomy as a deployment-gating Tracked Category: long-range autonomy and autonomous replication and adaptation are Research Categories under active study. The framework's treatment of autonomy risk therefore informs \u2014 but does not gate \u2014 principal-intent alignment monitoring for deployed agents.",
            "normative_force": "best-practice",
            "source_version": "2",
            "fit": "supporting",
            "fit_rationale": "Preparedness treats autonomy as a research category that informs but does not gate alignment monitoring, providing only background context.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta for AI Agents \u2014 Scoped Token Authorization",
            "rationale": "Okta for AI Agents (GA 2025) issues scoped, short-lived OAuth tokens that bind agent behavior to the authorizing principal's declared intent. Agents receive only the API permissions required for the specific task authorized by the principal; actions outside the token scope are denied at the authorization layer. Cross App Access (XAA) maintains the principal-to-agent authorization chain across service boundaries.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta scoped short-lived tokens bind agent actions to principal-granted scope, partially enforcing intent alignment at authorization.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Gemini Enterprise Agent Platform \u2014 Agent Access Control",
            "rationale": "Google Cloud's Gemini Enterprise Agent Platform enforces that agent actions are bounded by IAM access controls tied to the authorizing principal identity. Agent Gateway with Identity-Aware Proxy validates that each agent action corresponds to a permission granted to the authorizing principal, detecting and blocking behavior that exceeds declared principal intent.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Agent Gateway and IAP bound agent actions to the principal's granted permissions, partially detecting behavior exceeding declared intent.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "AI Operations",
          "Security Operations",
          "Risk Management",
          "Platform Engineering"
        ],
        "validation_objective": "The behavioral monitoring system must continuously compute intent alignment scores for every active AI agent against its deployed behavioral profile, with no coverage gaps exceeding the configured monitoring interval. Any alignment breach at or above the defined threshold must generate an automated alert within the configured latency, and each triggered review must produce a documented outcome (advisory, re-authorization, or suspension) with a named reviewer and resolution timestamp.",
        "evidence_required": [
          "behavioral_intent_profile linked to each active agent's intent declaration in the authority registry, specifying quantitative metric ranges for action_type_distribution, resource_access_frequency, and escalation_rate",
          "alignment_score_time_series records from the behavioral monitoring service for each active AI agent, showing continuous coverage with no gaps exceeding the configured polling interval over the audit period",
          "alignment_breach_alert_records documenting the breach timestamp, alignment_score value, threshold value, and triggering agent_id, each linked to the agent's intent declaration",
          "alignment_review_records for each triggered alert, including review_outcome (advisory / re-authorization / suspension), reviewer_identity, and resolution_timestamp"
        ],
        "machine_tests": [
          "Inject a simulated sustained shift in action_type_distribution exceeding the drift threshold into the agent action log \u2192 assert alignment_breach_alert fires within the configured alert_latency_seconds with the correct agent_id and threshold_value",
          "Trigger a severe alignment breach simulation \u2192 assert agent suspension_event record is created with agent_id, breach_timestamp, and suspending_principal_id before any further agent actions are processed",
          "Query alignment score time series for an active agent covering the past 30 days \u2192 assert no gap between consecutive records exceeds the configured monitoring_interval_seconds"
        ],
        "human_review": [
          "Review a sample of alignment review records to confirm each contains a substantive finding, named reviewer, and documented corrective action rather than a pro-forma closure with no analysis",
          "Assess whether alert threshold configurations differentiate between high-consequence agents (consequential-commitment, procurement authority) and lower-stakes deployments with appropriately tighter sensitivity settings",
          "Verify that the escalation path from alignment breach alert through review to corrective action has been exercised at least once per agent authority tier during the audit period and that response timelines met the defined SLA"
        ],
        "blocking_effect": "advisory",
        "normative_status": "voluntary-standard",
        "anti_patterns": [
          "Defining behavioral intent profiles using qualitative descriptions rather than quantitative metric ranges, making threshold-based alignment scoring impossible",
          "Using identical alignment thresholds across all AI agents regardless of authority tier, failing to apply tighter sensitivity to agents with consequential-commitment or procurement authority",
          "Treating behavioral alignment monitoring as equivalent to security anomaly detection and relying on existing SIEM infrastructure that optimizes for threat signals rather than gradual intent drift",
          "Reacting only to threshold-crossing breach events without a procedure for sustained downward drift that stays below the alert threshold but is clearly directional",
          "Retaining alignment monitoring evidence only within short rolling windows, making it unavailable for quarterly PV-09 evidence package compilation or regulatory inquiry"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PV"
      },
      {
        "id": "PV-09",
        "name": "Principal Verification Layer Evidence Package",
        "canonical_id": "apeiris://authority/controls/PV-09",
        "layer": "PV",
        "prefix": "PV",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Compile a structured principal verification layer evidence package on a quarterly basis, consolidating artifacts from PV-01 through PV-08 to demonstrate that principal authorization, operating intent declarations, and behavioral alignment monitoring are current, complete, and defensible. The package is a required input to the PE-08 PolicyAttestation production process.",
        "threat": {
          "context": "Without periodic structured compilation of principal verification layer evidence, the PolicyAttestation (PE-08) rests on unverified assertions from individual controls rather than compiled, reviewed, and signed layer evidence. Layer-level coverage deficiencies are only visible through compilation.",
          "tags": [
            "governance-evidence-gap",
            "attestation-unverifiable",
            "compliance-deficit"
          ]
        },
        "standard_references": [
          {
            "id": "iso_42001",
            "section": "\u00a7 9.3",
            "title": "Management review of AI governance system at planned intervals"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.5",
            "title": "Ongoing monitoring and periodic review of the risk management process and its outcomes are planned"
          },
          {
            "id": "eu_ai_act",
            "section": "Art. 17",
            "title": "Quality management system for high-risk AI"
          }
        ],
        "sources": [
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PV-09 Principal Verification Layer Evidence Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PV-09 Principal Verification Layer Evidence Package control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Define a quarterly evidence compilation process for the Principal Verification layer. Collect required artifacts from PV-01 through PV-08. Review for completeness, currency, and identified gaps. Produce a signed evidence package and submit it as input to the PE-08 PolicyAttestation production cycle.",
          "steps": [
            "Define the PV-layer evidence package schema: required_artifacts[], acceptance_criteria[], gap_register, package_owner, and review_signatories.",
            "For each control in PV-01 through PV-08, define specific required evidence artifacts and freshness criteria.",
            "Compile artifacts quarterly: generate or collect required evidence and stage for structured review.",
            "Conduct a review session to evaluate completeness, identify gaps, and assign remediation owners with deadlines.",
            "Produce a signed principal verification layer evidence package with an overall verdict and submit it as input to PE-08 PolicyAttestation.",
            "Retain the package as an immutable record for the period required by applicable regulations and internal policy."
          ],
          "anti_patterns": [
            "Treating PE-08 attestation as a substitute for per-layer evidence compilation.",
            "Compiling evidence only when an audit or regulatory inquiry is pending rather than on a recurring quarterly cycle."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that a PV-layer evidence package schema exists with defined required artifacts for each control in PV-01 through PV-08.",
            "Verify that a quarterly compilation schedule is established with named package owners and review signatories.",
            "Check that the evidence package output format is accepted as input to PE-08 attestation production."
          ],
          "runtime_tests": [
            "Verify a completed evidence package was produced in the most recent quarter with all required artifacts present.",
            "Confirm that a gap register exists and identified gaps have assigned owners and remediation deadlines.",
            "Confirm the package is signed and retained in the tamper-evident record store."
          ],
          "evidence": [
            "Signed principal verification layer evidence package for each of the four most recent quarters.",
            "Gap registers with assigned owners and remediation deadlines for any identified deficiencies.",
            "Submission record linking the package to the PE-08 attestation production cycle."
          ]
        },
        "lenses": {
          "grc_auditor": {
            "summary": "The PV-09 evidence package is the audit-ready artifact for the Principal Verification layer.",
            "actions": [
              "Request the four most recent PV-layer evidence packages and review for completeness.",
              "Verify that gap registers from prior quarters have remediation outcomes documented.",
              "Confirm the package submission record links to PE-08 attestation inputs."
            ],
            "failure_signals": [
              "Missing PV-layer evidence packages for any quarter in the audit period.",
              "Gap registers with items open for more than two consecutive quarters without documented remediation plans.",
              "Evidence packages that are unsigned or not retained in the tamper-evident record store."
            ],
            "metrics": [
              "Package completeness rate: all required artifacts present in each quarterly package (target: 100%).",
              "Gap remediation rate: all prior-quarter gaps have documented outcomes before current quarter package.",
              "Package timeliness: submitted to PE-08 attestation cycle within 10 business days of quarter end."
            ]
          },
          "general_counsel": {
            "summary": "The PV-09 package is the defensibility record for the Principal Verification layer: when a regulator, counterparty, or court asks whether the organization's principal authorization, operating intent, and behavioral alignment controls were operating, the quarterly package is the evidence the organization produces.",
            "actions": [
              "Confirm the package format and retention period satisfy the evidentiary requirements of applicable law and contractual audit rights before the first submission cycle.",
              "Review each quarterly package for gaps in PV-01 through PV-08 evidence that could undermine a future regulatory or litigation position.",
              "Verify that the package is signed by an identified accountable owner whose authority to certify the layer can be demonstrated."
            ],
            "failure_signals": [
              "A regulator or counterparty request for layer evidence that cannot be answered from a compiled, signed package.",
              "Packages whose contents conflict with representations previously made in disclosures or contract certifications.",
              "Retention lapses that leave quarters within the evidentiary period unrecoverable."
            ]
          },
          "cfo_procurement": {
            "summary": "The PV-09 package converts Principal Verification layer control operation into a periodic, reviewable deliverable \u2014 the artifact that lets finance and procurement rely on the layer without re-auditing individual controls each quarter.",
            "actions": [
              "Fund the compilation process as a recurring governance obligation rather than an ad hoc audit response.",
              "Require the package (or its gap register) as an input to renewal, budget, and vendor decisions that depend on principal authorization, operating intent, and behavioral alignment controls operating.",
              "Track the cost of gap remediation surfaced by the package to prioritize control investment."
            ],
            "failure_signals": [
              "Business decisions that assume the layer is operating when the most recent package shows open gaps.",
              "Compilation effort repeatedly funded from audit contingency rather than the governance budget.",
              "Vendor or renewal approvals proceeding in quarters with missing packages."
            ]
          },
          "risk_officer": {
            "summary": "The PV-09 package tells the risk function whether the principals acting through AI systems are actually authorized and whether their behavior still matches the intent they declared. Its gap register surfaces the layer's live exposures: unverified principals, stale operating-intent declarations, and behavioral-alignment monitoring blind spots that let an agent drift from its sanctioned purpose.",
            "actions": [
              "Map each open gap to a concrete principal-authority exposure (unauthorized actor, expired intent declaration, unmonitored behavioral drift) and give it a named owner and remediation date in the enterprise risk register.",
              "Track quarter-over-quarter movement in behavioral-alignment monitoring coverage; a shrinking monitored population is a rising exposure even when no incident has occurred.",
              "Reconcile the package's authorized-principal roster against the systems in production so that no AI is directed by a principal the layer has not verified.",
              "Escalate any quarter where PV-01 through PV-08 artifacts show observed agent behavior diverging from the intent that was declared for it."
            ]
          },
          "board_governance": {
            "summary": "For the board, the PV-09 package answers a governance question the PolicyAttestation ultimately rests on: are AI systems being directed only by authorized principals acting within their declared intent? It is the layer-level evidence that principal authorization and behavioral-alignment monitoring are operating across production systems.",
            "actions": [
              "Ask for the count of production AI systems whose directing principals are verified and continuously monitored, and the trend across quarters.",
              "Require reporting whenever behavioral-alignment monitoring detects intent drift, and confirm each case reached a documented resolution.",
              "Withhold acceptance of the PE-08 PolicyAttestation if the PV layer cannot show current, signed evidence that principals are authorized.",
              "Confirm the layer's threshold for authorizing autonomous action reflects the board's stated risk appetite."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_42001",
            "requirement_id": "\u00a79.3",
            "fit": "direct",
            "rationale": "ISO/IEC 42001 \u00a79.3 requires management review at planned intervals. PV-09 provides the structured review artifact for the Principal Verification layer.",
            "normative_force": "certification-standard",
            "source_version": "2023",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "requirement_id": "GOVERN 1.5",
            "fit": "direct",
            "rationale": "NIST AI RMF GOVERN 1.5 requires planned ongoing monitoring and periodic review of the risk management process and its outcomes, with clear roles and review cadence. PV-09 instantiates this periodic layer-level review at the Principal Verification layer.",
            "normative_force": "voluntary-standard",
            "source_version": "1.0",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "eu_ai_act",
            "requirement_id": "Art. 17",
            "fit": "direct",
            "rationale": "EU AI Act Art. 17 requires a quality management system. PV-09 is the QMS artifact for the Principal Verification layer.",
            "normative_force": "binding-law",
            "source_version": "2024",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "satisfies"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "high-risk-sector"
        ],
        "implementers": [
          "GRC / Internal Audit",
          "AI Operations",
          "Risk Management"
        ],
        "validation_objective": "A complete, signed principal verification layer evidence package must be produced each quarter, containing all required artifacts from PV-01 through PV-08, a gap register with remediation owners and deadlines, and a submission record linking the package to the current PE-08 attestation production cycle. No PE-08 attestation may be issued without a current, signed PV-layer evidence package as a traceable input.",
        "evidence_required": [
          "signed_pv_layer_evidence_package for each of the four most recent quarters, containing artifact_list[], gap_register, overall_verdict, package_owner, and review_signatories with signature timestamps",
          "gap_register entries from any prior-quarter packages with documented remediation_status and closure_date for each identified deficiency, not carried forward as perpetually open items",
          "submission_record linking each PV-layer evidence package to the PE-08 attestation production cycle it fed, with submission_timestamp and accepted_by fields confirming the attestation dependency was satisfied",
          "artifact_currency_records confirming each artifact in the package meets the freshness criteria defined in the PV-09 package schema at the time of compilation"
        ],
        "machine_tests": [
          "Query the evidence package store for a package with a compilation_date in the most recent quarter \u2192 assert a signed package exists with overall_verdict populated and all required_artifact type IDs present",
          "Check submission_records for the most recent PE-08 attestation cycle \u2192 assert a current PV-layer evidence package is referenced with submission_timestamp predating the PE-08 issued_at date",
          "Validate the package schema against the PV-09 required_artifacts definition \u2192 assert no required artifact type is absent and no artifact's collected_at timestamp exceeds its defined freshness_threshold"
        ],
        "human_review": [
          "Review the four most recent evidence packages to confirm gap registers from prior quarters show documented remediation outcomes with closure dates, not just open items indefinitely deferred",
          "Assess whether the quarterly compilation review session produced substantive findings by examining meeting records and reviewer sign-off documentation for analytical depth versus procedural rubber-stamping",
          "Verify that freshness criteria defined for each PV-layer artifact type are calibrated to the risk profile of the control they evidence and have been reviewed within the past 12 months"
        ],
        "blocking_effect": "requires-review",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Using the PE-08 PolicyAttestation as a substitute for per-layer evidence compilation, producing attestation assertions without underlying compiled and reviewed layer evidence",
          "Compiling evidence only when an external audit or regulatory inquiry is pending rather than maintaining a recurring quarterly schedule",
          "Including artifacts from individual controls without applying freshness criteria, allowing stale evidence from prior quarters to satisfy current package requirements",
          "Treating the evidence package as an unstructured document archive rather than a structured artifact with defined required_artifact types, acceptance criteria, and a formal gap register",
          "Assigning no named package owner or review signatories, making the compilation process unaccountable and impossible to audit"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PV",
        "lens_enrichment": "ap42 2026-07-08"
      },
      {
        "id": "PA-01",
        "name": "Delegation of Authority Integration",
        "canonical_id": "apeiris://authority/controls/PA-01",
        "layer": "PA",
        "prefix": "PA",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": true,
        "plain": "Integrates the enterprise delegation of authority (DoA) framework with AI system authorization controls, ensuring every AI-initiated commitment traces to a human principal with verified, current authority. This control coordinates with Apeiris Identity domain controls apeiris://identity/controls/IC-08 (identity attestation) and apeiris://identity/controls/NI-05 (non-identity verification) to ensure principal identity claims are verified before authority is granted.",
        "threat": {
          "context": "Without explicit DoA framework integration, AI agents may issue commitments that no authorized human principal has sanctioned, referencing stale or invalid authority delegations. This creates unenforceable commitments and regulatory exposure. Cross-domain dependency: principal identity must be verified via apeiris://identity/controls/IC-08 and apeiris://identity/controls/NI-05 before any authority delegation to an AI system is treated as valid.",
          "tags": [
            "unauthorized-commitment",
            "principal-accountability-gap",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 2",
            "title": "Establishes Operating Structures"
          },
          {
            "id": "iso_37301",
            "section": "\u00a7 7.2",
            "title": "Competence"
          },
          {
            "id": "iso_42001",
            "section": "\u00a7 5.3",
            "title": "Organizational roles, responsibilities and authorities"
          },
          {
            "id": "nist_800_53",
            "section": "AC-5",
            "title": "Separation of Duties"
          }
        ],
        "sources": [
          {
            "id": "coso-erm-2017",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PA-01 Delegation of Authority Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021",
            "title": "ISO 37301:2021 \u2014 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Compliance Management Systems requirements informing the apeiris://authority/controls/PA-01 Delegation of Authority Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PA-01 Delegation of Authority Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-sp-800-53-r5",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls requirements informing the apeiris://authority/controls/PA-01 Delegation of Authority Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PA-01 Delegation of Authority Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PA-01 Delegation of Authority Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PA-01 Delegation of Authority Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PA-01 Delegation of Authority Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "source_id": "hashicorp_vault_aar_2026",
            "normative_force": "best-practice",
            "relationship": "implementation_pattern",
            "rationale": "Enterprise vault implementation of OAuth 2.0 RAR (RFC 9396) per-request agent authorization \u2014 provides concrete IaC patterns for the controls in this layer.",
            "reviewed_on": "2026-06-29"
          }
        ],
        "implementation": {
          "pattern": "Map the enterprise DoA framework to the AI authorization control plane by associating each principal role with the AI action types and approval limits they are authorized to delegate. Verify principal identity via Identity domain controls before any delegation is recorded. Register delegations in the authority registry with expiry dates and automatically propagate revocations to all AI systems that received authority from a revoked delegation.",
          "steps": [
            "Inventory the enterprise DoA framework and extract the set of action types, resource categories, and approval limits that each principal role is authorized to delegate to AI systems.",
            "Implement a delegation registration workflow that requires principal identity verification (referencing apeiris://identity/controls/IC-08 and apeiris://identity/controls/NI-05) before any delegation to an AI system is recorded in the authority registry.",
            "Propagate registered delegations to the boundary validation interceptors of the AI systems to which authority has been delegated, with automatic expiry and revocation support.",
            "Establish a delegation audit log that records every delegation grant, modification, expiry, and revocation with the identity of the acting principal and a timestamp."
          ],
          "anti_patterns": [
            "Granting AI systems standing authority to act on behalf of a role rather than individual, verified human principals, making accountability non-attributable.",
            "Implementing delegation without expiry dates or revocation propagation, leaving AI systems holding delegated authority after the delegating principal's role or employment has changed."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that the delegation registration workflow requires verified principal identity before any authority delegation is recorded.",
            "Verify that registered delegations carry expiry dates and that the registry automatically marks delegations expired after their validity period.",
            "Check that revocation events propagate to all AI systems holding delegated authority within the defined propagation SLA."
          ],
          "runtime_tests": [
            "Attempt to register a delegation without completing the principal identity verification step and confirm the workflow blocks the registration.",
            "Revoke a delegation and verify that AI systems that held the revoked authority refuse to execute actions that required it within the defined propagation window.",
            "Allow a delegation to reach its expiry date and confirm that associated AI systems no longer treat the authority as valid."
          ],
          "evidence": [
            "Delegation registry entries showing all active delegations with principal identity references, grant dates, and expiry dates.",
            "Revocation propagation logs confirming timely propagation to all affected AI systems.",
            "Delegation audit log covering all grant, modification, expiry, and revocation events during the audit period."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "DoA integration is the control that ensures AI-initiated commitments can be traced to a specific, legally accountable human principal with verified authority. Without it, commitments made by AI systems have no clear legal authorization chain.",
            "actions": [
              "Confirm that the delegation registration workflow establishes a documented legal authority chain from the organization's governance instruments to each AI system delegation.",
              "Verify that the delegation registry can produce an authority chain trace for any AI-initiated commitment, showing the delegation path from the authorizing principal to the AI action.",
              "Ensure that delegation records are retained for the full period that commitments made under those delegations may be subject to dispute or regulatory review."
            ],
            "failure_signals": [
              "AI-initiated commitments for which no delegation record exists in the authority registry linking the action to a human principal with verified authority.",
              "Delegation registrations completed without documented principal identity verification, breaking the legal accountability chain.",
              "Revoked delegations that were still accepted as valid by AI systems after the revocation, producing commitments under invalid authority."
            ]
          },
          "cfo_procurement": {
            "summary": "DoA integration for procurement AI systems ensures that every AI-initiated purchase order, contract, or commitment obligation is authorized by a principal whose financial authority to delegate has been verified and is current.",
            "actions": [
              "Require that all delegations to AI procurement systems reference a specific human principal by name and employee ID, not a generic role, to ensure individual accountability.",
              "Verify that the monetary limits in AI procurement delegations align with the delegating principal's authority under the enterprise DoA matrix.",
              "Establish a quarterly review of active delegations to AI procurement systems to confirm the delegating principals retain the authority they delegated."
            ],
            "failure_signals": [
              "AI procurement system delegations that reference a role rather than a named, verified individual, making financial accountability non-attributable.",
              "Delegations to AI procurement systems that carry approval limits exceeding what the delegating principal's DoA authority permits.",
              "No periodic review process for active delegations to AI procurement systems, leaving stale delegations active after personnel changes."
            ]
          },
          "risk_officer": {
            "summary": "DoA integration defines the accountability boundary for AI-initiated risk. Every delegation creates a risk assumption by the delegating principal, and the aggregate of delegations across all AI systems represents the total AI-initiated risk the organization has accepted through named human principals.",
            "actions": [
              "Map active AI system delegations to the risk register to identify which human principals are accountable for AI-initiated risk in each action category.",
              "Define a risk escalation procedure for cases where an AI system attempts to take an action for which no valid delegation exists in the registry.",
              "Include delegation registry health \u2014 active delegations vs. expired or revoked delegations that were not renewed \u2014 in the AI risk monitoring dashboard."
            ],
            "failure_signals": [
              "No mapping between AI system delegations and the enterprise risk register, preventing identification of which principals bear accountability for AI-initiated risk.",
              "High rates of AI system actions attempted without a valid delegation, indicating the DoA integration is not keeping pace with AI operational demands.",
              "Expired delegations that were not renewed before expiry, causing AI system authorization gaps."
            ]
          },
          "grc_auditor": {
            "summary": "DoA integration is the foundational control for principal accountability in AI systems. Auditors must verify that every active AI system has a valid, current delegation chain registered, and that delegation lifecycle events are properly recorded.",
            "actions": [
              "Inspect the delegation registry to confirm that all AI systems in production have current, non-expired delegations with verified principal identity references.",
              "Sample delegation registration records to verify that principal identity verification was completed before each delegation was granted.",
              "Review revocation propagation logs to confirm that revocations reached all affected AI systems within the defined SLA."
            ],
            "failure_signals": [
              "AI systems in production with no active delegation in the registry, or with delegations that have expired without renewal.",
              "Delegation registration records missing the identity verification reference required as a prerequisite.",
              "Revocation events with no corresponding propagation record, indicating AI systems may still hold invalidated authority."
            ],
            "metrics": [
              "Percentage of production AI systems with a current, non-expired, verified delegation in the registry (target: 100%)",
              "Mean time from delegation revocation event to confirmed propagation to all affected AI systems in minutes (target: <60)",
              "Number of AI action attempts blocked due to missing or expired delegation per reporting period"
            ]
          },
          "board_governance": {
            "summary": "DoA integration extends the board-sanctioned human authority structure to the AI layer. The board should confirm that the enterprise DoA framework explicitly addresses AI system authority and that the integration is operationally enforced.",
            "actions": [
              "Confirm that the enterprise DoA framework has been updated to include explicit provisions for delegating authority to AI systems, including limits and accountability requirements.",
              "Request a summary of the total scope of authority delegated to AI systems across the enterprise as part of periodic AI governance reporting.",
              "Ensure that the board's risk oversight role includes review of material AI authority delegations, particularly in consequential-commitment and procurement domains."
            ],
            "failure_signals": [
              "Enterprise DoA framework that predates the organization's AI deployments and does not address AI system authority delegation.",
              "Board AI governance reporting that does not include a summary of the scope and scale of authority delegated to AI systems.",
              "Material AI authority delegations authorized by management without board risk committee awareness."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "managed"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 2",
            "title": "Establishes Operating Structures",
            "principle_number": 2,
            "component_name": "Governance and Culture",
            "normative_force": "industry-framework",
            "fit": "partial",
            "fit_rationale": "Mapping DoA to AI authority defines operating structures and reporting lines, partially reflecting COSO Principle 2.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Mapping DoA to AI authority defines operating structures and reporting lines, partially reflecting COSO Principle 2.",
            "requirement_id": "Principle 2 \u2014 Establishes Operating Structures",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a7 7.2",
            "title": "Competence",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "Delegation integration verifies authority, not the personnel competence \u00a77.2 addresses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Delegation integration verifies authority, not the personnel competence \u00a77.2 addresses.",
            "requirement_id": "\u00a7 7.2 \u2014 Competence",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a7 5.3",
            "title": "Organizational roles, responsibilities and authorities",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Binding AI commitments to delegated principal authority reflects \u00a75.3 roles and authorities, scoped to AI delegation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Binding AI commitments to delegated principal authority reflects \u00a75.3 roles and authorities, scoped to AI delegation.",
            "requirement_id": "\u00a7 5.3 \u2014 Organizational roles, responsibilities and authorities",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AC-5",
            "title": "Separation of Duties",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Delegation hierarchies with authority ceilings support separation of duties, partially addressing AC-5.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Delegation hierarchies with authority ceilings support separation of duties, partially addressing AC-5.",
            "requirement_id": "AC-5 \u2014 Separation of Duties",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS IAM Permission Boundaries \u2014 Delegation Scope Enforcement",
            "rationale": "AWS IAM permission boundaries define the maximum set of permissions that a delegated IAM principal (user or role) can exercise. Permission boundaries enforce the principle that a delegating principal cannot grant more authority than it possesses: a sub-principal's effective permissions are the intersection of its identity policy and the permission boundary. This is the authoritative AWS mechanism for implementing delegation-of-authority hierarchies that cannot be circumvented.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "IAM permission boundaries enforce that a sub-principal cannot exceed delegated authority, partially implementing the DoA ceiling.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud IAM Resource Hierarchy \u2014 Inherited Authority Limits",
            "rationale": "Google Cloud IAM enforces delegation of authority through the resource hierarchy: IAM policies set at the organization level constrain what can be delegated at folder and project levels. A child resource can only receive permissions that the parent already holds, implementing an unbreakable delegation chain. Policies applied at the organization level by the org admin represent the ceiling of all delegation within the hierarchy.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Resource-hierarchy inheritance ensures children inherit no more than parent authority, partially implementing an unbreakable chain.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Authorization Server \u2014 OAuth 2.0 Delegation Constraints",
            "rationale": "Okta's custom authorization servers enforce OAuth 2.0 delegation rules: token scopes issued to AI agents may not exceed the scopes granted to the delegating principal. This implements the delegation authority ceiling at the identity layer. Okta for AI Agents replaces hardcoded credentials with scoped, short-lived tokens ensuring agents only receive the authority explicitly delegated by a principal with the appropriate access.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta authorization-server scope constraints cap agent tokens at the delegating principal's scope, partially enforcing the DoA ceiling.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure RBAC \u2014 Authority Delegation Hierarchy",
            "rationale": "Azure Role-Based Access Control enforces authority delegation hierarchies by requiring that role assignments be granted by a principal with 'Owner' or 'User Access Administrator' rights on the target scope. This prevents AI systems from self-granting permissions beyond the delegation level authorized by an accountable human principal. Azure PIM adds approval requirements and time-bounding to high-privilege delegation events.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure RBAC requires a privileged principal to grant roles, partially enforcing accountable authority delegation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "consequential-commitment",
          "procurement-ai"
        ],
        "implementers": [
          "Legal Counsel",
          "Human Resources",
          "IT Identity Management",
          "AI Program Office"
        ],
        "profiles": [
          {
            "source_id": "openid",
            "profile": "structured_agent_authorization",
            "profile_url": "https://apeiris.ai/integration/profiles/structured_agent_authorization.json",
            "role": "implementation_anchor",
            "normative_force": "voluntary-standard",
            "reviewed_on": "2026-06-29"
          }
        ],
        "validation_objective": "Every AI-initiated commitment must reference a valid delegation of authority record in the enterprise DoA system at the time of action, with the delegating principal's identity, delegation scope, and delegation expiry verified before execution. No AI commitment may proceed without a resolvable DoA record confirming the authorizing principal holds current, unexpired authority to delegate the specific action class being initiated.",
        "evidence_required": [
          "delegation_of_authority_record retrieved from the enterprise DoA system at action time, containing delegating_principal_id, delegated_scope, effective_date, expiry_date, and authority_class",
          "commitment_to_doa_linkage_log showing each AI-initiated commitment with the DoA record ID it was validated against, the validation_timestamp, and the validation_outcome (valid / expired / not_found)",
          "principal_authority_verification_record confirming the delegating principal's current standing and active status in the enterprise authorization system at the time of delegation issuance",
          "doa_schema_conformance_record confirming the DoA integration schema covers all authority classes (financial, contractual, procurement, operational) exercised by in-scope AI agents"
        ],
        "machine_tests": [
          "Submit an AI commitment request referencing a DoA record with expiry_date set to one hour in the past \u2192 assert the request is rejected with error_code=delegation_expired before any commitment record is created",
          "Submit an AI commitment request with no DoA record ID in the request payload \u2192 assert rejection with error_code=missing_delegation_reference",
          "Submit a valid commitment request with a current DoA record \u2192 assert a commitment_to_doa_linkage_log entry is created with doa_record_id, principal_id, authority_class, and validation_timestamp all populated"
        ],
        "human_review": [
          "Review a sample of AI-initiated commitments to confirm each is linked to a DoA record with a verifiable authority chain from the AI agent back to a named, authorized human principal",
          "Verify that the DoA integration schema covers all authority classes exercised by AI agents in scope, not just financial approval limits, including contractual, procurement, and operational authority classes",
          "Assess whether delegation expiry and revocation events in the enterprise DoA system are propagated to the AI authorization layer within an acceptable latency, with no window where expired or revoked delegations remain enforceable for AI actions"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "industry-framework",
        "anti_patterns": [
          "Caching DoA records at agent deployment time and reusing them for all subsequent commitments without re-validating currency at each action, missing intervening expirations and revocations",
          "Maintaining a parallel AI-specific delegation record store that is not synchronized with the enterprise DoA system, creating an authority divergence gap between human and AI commitments",
          "Linking AI commitments to the AI system's service account identity rather than to the specific human principal whose delegated authority the AI is exercising",
          "Treating DoA integration as a configuration-time setting rather than a per-commitment runtime validation, making the control blind to mid-deployment delegation changes",
          "Limiting DoA integration to financial authority classes while omitting contractual and procurement authority, leaving those commitment types without verified delegation coverage"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PA"
      },
      {
        "id": "PA-02",
        "name": "Approval Limit Enforcement",
        "canonical_id": "apeiris://authority/controls/PA-02",
        "layer": "PA",
        "prefix": "PA",
        "plane": "control",
        "capability_risk": {
          "capability_level": "elevated"
        },
        "baseline": false,
        "plain": "Enforces monetary, quantity, and scope approval limits for AI-initiated commitments by checking proposed actions against the authorizing principal's delegation of authority thresholds before execution. Commitments exceeding limits are blocked pending escalation. This control coordinates with apeiris://data/controls/DX-01 for structured commitment data capture and apeiris://agentic/controls/AT-05 as the downstream behavioral enforcement layer.",
        "threat": {
          "context": "AI procurement and contracting agents operating without hard approval limit enforcement can commit organizations to obligations that exceed any individual principal's authority \u2014 either through a single over-limit action or through accumulation of individually within-limit actions that aggregate beyond threshold. The elevated capability risk reflects the direct financial consequence of enforcement failure.",
          "tags": [
            "authority-limit-breach",
            "unauthorized-commitment",
            "procurement-bypass",
            "contract-violation"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 7",
            "title": "Defines Risk Appetite"
          },
          {
            "id": "coso_erm",
            "section": "Principle 13",
            "title": "Implements Risk Responses"
          },
          {
            "id": "iso_37301",
            "section": "\u00a7 8.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.3",
            "title": "Risk management activities are determined and prioritized based on organizational risk tolerance"
          }
        ],
        "sources": [
          {
            "id": "coso-erm-2017-p7",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PA-02 Approval Limit Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "coso-erm-2017-p13",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PA-02 Approval Limit Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021",
            "title": "ISO 37301:2021 \u2014 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Compliance Management Systems requirements informing the apeiris://authority/controls/PA-02 Approval Limit Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PA-02 Approval Limit Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PA-02 Approval Limit Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PA-02 Approval Limit Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PA-02 Approval Limit Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PA-02 Approval Limit Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "databricks_omnigent_2026",
            "title": "Databricks Omnigent \u2014 Contextual Policies",
            "authority": "Databricks",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2026-07-07",
            "published_on": "2026-07-07",
            "retrieved_on": "2026-07-07",
            "canonical_url": "https://www.databricks.com/blog/contextual-policies-omnigent-using-session-state-better-govern-ai-agents",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "databricks_omnigent_2026",
            "relationship": "supporting_guidance",
            "rationale": "Omnigent accumulates a per-session risk score and enforces soft (ask-the-user) and hard (block) thresholds on sensitive actions \u2014 a session-state threshold-enforcement mechanism analogous to approval-limit gating.",
            "reviewed_on": "2026-07-07"
          }
        ],
        "implementation": {
          "pattern": "Retrieve the active delegation record for the authorizing principal from the authority registry before every AI-initiated commitment action. Extract the applicable approval limit for the commitment type and compare it against the proposed commitment value. Block execution and trigger escalation for any proposed commitment that would exceed the limit, whether individually or in aggregate against running period totals.",
          "steps": [
            "Define a commitment limit schema that captures per-action limits, period aggregate limits, and commitment type scope restrictions for each principal delegation.",
            "Implement a pre-commitment enforcement check that retrieves the active delegation record, computes the running period aggregate, and blocks execution for over-limit actions.",
            "Configure escalation routing for blocked commitments that directs the over-limit action to the appropriate higher-authority approver based on the excess amount and commitment type.",
            "Maintain a running commitment ledger per delegation that tracks period totals and serves as the authoritative input for aggregate limit enforcement."
          ],
          "anti_patterns": [
            "Enforcing per-action limits without an aggregate period limit, enabling an AI agent to exceed effective authority by making many individually within-limit commitments.",
            "Routing over-limit escalations to IT or operations teams rather than the finance or legal authority with jurisdiction over the commitment type."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that the commitment limit schema includes both per-action and period aggregate limits, not only per-action limits.",
            "Verify that the pre-commitment enforcement check queries the running commitment ledger before approving any commitment action.",
            "Check that escalation routing configuration directs over-limit actions to the appropriate financial or legal authority, not to a generic operations queue."
          ],
          "runtime_tests": [
            "Submit an AI commitment action that exceeds the per-action limit and confirm it is blocked and routed to escalation.",
            "Submit a series of within-limit commitment actions that cumulatively exceed the period aggregate limit and confirm the aggregate enforcement triggers.",
            "Verify that the commitment ledger is updated correctly and atomically after each approved commitment action."
          ],
          "evidence": [
            "Commitment limit configurations showing per-action and aggregate period limits for each active AI system delegation.",
            "Enforcement block logs recording every over-limit commitment attempt with the proposed value, applicable limit, and escalation routing destination.",
            "Commitment ledger snapshots showing period running totals for each delegation during the audit period."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Approval limit enforcement is the primary control that prevents AI-initiated commitments from exceeding any human principal's delegated authority. Its enforceability is directly relevant to whether the organization can disclaim liability for AI commitments that exceed its intended scope.",
            "actions": [
              "Confirm that approval limits are technically enforced as hard blocks rather than soft warnings, so over-limit commitments cannot complete without explicit human escalation.",
              "Verify that the escalation records for over-limit commitments provide legal-quality evidence of the blocking decision and the escalation path taken.",
              "Ensure that commitment limit configurations are traceable to the DoA instrument authorizing the specific limit values."
            ],
            "failure_signals": [
              "AI-initiated commitments that completed execution after exceeding declared approval limits without evidence of escalation authorization.",
              "Approval limits implemented as logging-only advisories rather than hard execution blocks.",
              "Over-limit escalation records that do not identify which higher-authority principal approved the exception and on what basis."
            ]
          },
          "cfo_procurement": {
            "summary": "Approval limit enforcement translates the enterprise DoA matrix into a technically enforced financial control on AI procurement agents. It is the control that makes the DoA framework operationally meaningful for AI-initiated spend.",
            "actions": [
              "Verify that commitment limit configurations for AI procurement systems are derived from and aligned with the current enterprise DoA matrix approval thresholds.",
              "Require that the commitment ledger provides real-time visibility into period aggregate spend by AI procurement agents, not just blocking on individual transactions.",
              "Include AI procurement system commitment enforcement statistics in the periodic finance risk reporting package."
            ],
            "failure_signals": [
              "AI procurement approval limits that have not been updated to reflect the current enterprise DoA matrix, creating misalignment between technical controls and governance policy.",
              "No period aggregate visibility into AI procurement commitment totals, exposing the organization to incremental over-limit accumulation.",
              "Over-limit escalations being approved by IT or operations staff rather than the finance principal with delegated authority at the required level."
            ]
          },
          "risk_officer": {
            "summary": "Approval limit enforcement operationalizes the organization's financial risk appetite for AI-initiated commitments. The elevated capability risk classification requires heightened monitoring: enforcement failures have direct and immediate financial consequences.",
            "actions": [
              "Classify AI procurement and contracting systems at the elevated capability risk tier and apply correspondingly tighter monitoring SLAs for over-limit enforcement events.",
              "Include commitment limit enforcement event rates in the AI risk monitoring dashboard, tracking both the frequency of over-limit attempts and the disposition of escalations.",
              "Define a risk escalation procedure for situations where the commitment ledger indicates period aggregate spend is approaching but has not yet reached the period limit."
            ],
            "failure_signals": [
              "AI procurement systems classified below the elevated capability risk tier, reducing monitoring sensitivity for a direct financial risk control.",
              "No visibility into near-limit period aggregate spend trends, leaving the organization blind to accumulation risk before the limit is breached.",
              "Over-limit escalation approvals that are not reviewed by risk leadership, removing risk oversight from the exception process."
            ]
          },
          "grc_auditor": {
            "summary": "Approval limit enforcement is the quantitative financial control in the PA layer. Auditors must verify that limit configurations are current, hard enforcement is implemented, aggregation is tracked, and escalations are properly authorized.",
            "actions": [
              "Compare current AI procurement system commitment limit configurations against the enterprise DoA matrix to verify alignment.",
              "Review enforcement block logs to confirm that all over-limit attempts were blocked and escalated, with no instances of over-limit execution without escalation authorization.",
              "Inspect commitment ledger records to verify period aggregate tracking is functioning correctly and matches the sum of individual commitment transactions."
            ],
            "failure_signals": [
              "Commitment limit configurations that differ from the current DoA matrix without a documented exception approval.",
              "Over-limit commitment actions present in execution logs that do not appear in enforcement block logs or escalation records.",
              "Commitment ledger period totals that do not reconcile with the sum of individual approved commitment transactions."
            ],
            "metrics": [
              "Number of over-limit commitment attempts blocked and escalated per AI system per reporting period",
              "Percentage of over-limit escalations resolved by an authorized higher-principal approver vs. auto-approved or unresolved (target: 100% reviewed by authorized principal)",
              "Reconciliation variance between commitment ledger period totals and executed commitment transaction sums (target: zero variance)"
            ]
          },
          "board_governance": {
            "summary": "Approval limit enforcement ensures that the financial authority limits established by the board through the DoA framework are technically enforced on AI systems as rigorously as they are on human employees. The board should confirm that this control is in place for all AI systems with spend authority.",
            "actions": [
              "Confirm that the board's DoA policy explicitly extends to AI system commitment authority and is reflected in technical enforcement configurations.",
              "Request periodic reporting on aggregate AI-initiated commitments against DoA-authorized limits as part of board financial oversight.",
              "Ensure that material over-limit escalations \u2014 those representing significant enterprise financial risk \u2014 are reported to the board audit or risk committee."
            ],
            "failure_signals": [
              "Board DoA policy that does not address AI system commitment authority, leaving AI approval limit enforcement to management discretion.",
              "No board-level visibility into the aggregate volume and value of AI-initiated commitments against authorized limits.",
              "Material over-limit escalations resolved at the management level without board committee awareness."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 7",
            "title": "Defines Risk Appetite",
            "principle_number": 7,
            "component_name": "Strategy and Objective-Setting",
            "normative_force": "industry-framework",
            "fit": "partial",
            "fit_rationale": "Approval limits operationalize risk appetite thresholds but do not themselves define appetite, per Principle 7.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Approval limits operationalize risk appetite thresholds but do not themselves define appetite, per Principle 7.",
            "requirement_id": "Principle 7 \u2014 Defines Risk Appetite",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a7 8.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Pre-execution limit checks are an operational control, partially satisfying \u00a78.1 operational planning.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Pre-execution limit checks are an operational control, partially satisfying \u00a78.1 operational planning.",
            "requirement_id": "\u00a7 8.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 1.3",
            "title": "Risk management activities are determined and prioritized based on organizational risk tolerance",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Enforcing per-principal limits reflects risk-tolerance thresholds, partially addressing GOVERN 1.3.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Enforcing per-principal limits reflects risk-tolerance thresholds, partially addressing GOVERN 1.3.",
            "requirement_id": "GOVERN 1.3 \u2014 Risk management activities are determined and prioritized based on organizational risk tolerance",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AC-5",
            "title": "Separation of Duties",
            "normative_force": "voluntary-standard",
            "fit": "adjacent",
            "fit_rationale": "Approval-limit enforcement bounds commitment magnitude, related to but not the duty separation AC-5 requires.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Approval-limit enforcement bounds commitment magnitude, related to but not the duty separation AC-5 requires.",
            "requirement_id": "AC-5 \u2014 Separation of Duties",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Organizations SCP + AWS Budgets \u2014 Approval Limit Controls",
            "rationale": "AWS Organizations SCPs can categorically deny actions and services for IAM principals in AI workload accounts, bounding what those principals may do at all. SCP conditions cannot reference spend, so monetary approval limits are enforced with AWS Budgets actions, which can apply restrictive IAM or SCP-managed policies or trigger approval workflows when configured spend thresholds are crossed.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "SCPs bound service actions and Budgets actions enforce spend thresholds, partially implementing approval limits.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Privileged Access Manager \u2014 Approval-Gated Elevated Permissions",
            "rationale": "Google Cloud Privileged Access Manager (PAM) requires principals to request and receive approval before exercising elevated permissions. PAM supports multi-level approval workflows (up to two approval levels with multiple approvers at each level), implementing approval limit enforcement for AI systems that require elevated authority for high-impact actions. Multi-level approvals require Security Command Center Premium or Enterprise tier.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "PAM multi-level approvals gate elevated permissions, partially enforcing approval limits for high-impact actions.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Authorization Server \u2014 Time-Bounded Approval-Scoped Tokens",
            "rationale": "Okta's authorization server issues time-bounded tokens with scopes explicitly limited to approved action categories. AI agents requiring actions above their standing authorization limit must request new tokens with elevated scopes, triggering Okta Workflows approval steps before the higher-authority token is issued. This enforces approval limits as an identity-layer gate rather than an application-layer check.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Above-limit actions require new approval-gated token scopes, partially enforcing approval limits at the identity layer.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure Policy Custom Definitions \u2014 AI Action Approval Thresholds",
            "rationale": "Azure Policy custom definitions can enforce approval gates for AI-initiated actions above defined impact thresholds. Policy effects such as 'Deny' and 'Audit' can block or flag AI resource operations that imply financial commitment or operational impact above approved limits, implementing approval limit enforcement as an automated policy control within the Azure governance framework.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure Policy deny and audit effects can block AI actions above impact thresholds, partially implementing approval-limit enforcement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "consequential-commitment",
          "procurement-ai"
        ],
        "implementers": [
          "Finance",
          "Procurement",
          "Platform Engineering",
          "Legal Counsel"
        ],
        "validation_objective": "Every AI-initiated commitment must be evaluated against the authorizing principal's current approval limits across all applicable dimensions (monetary, quantity, and scope) before execution. Any proposed commitment that exceeds any limit dimension must be blocked at the authorization layer before execution; logging and alerting after execution is not sufficient to satisfy this control.",
        "evidence_required": [
          "approval_limit_enforcement_log recording each commitment request with the principal's limit values per dimension, the proposed commitment values, the enforcement decision (approved/blocked), and decision_timestamp",
          "principal_limit_lookup_record showing the limit values retrieved from the enterprise DoA system at evaluation time, with a retrieval_timestamp confirming currency at the moment of evaluation",
          "blocked_commitment_record for each denied request, documenting the specific limit dimension exceeded, the excess amount or quantity, and the escalation path activated",
          "limit_configuration_audit confirming current approval limit thresholds in the AI authorization layer match the enterprise DoA schedule and have not drifted from the authoritative source"
        ],
        "machine_tests": [
          "Submit an AI commitment request for a monetary amount equal to the principal's limit plus $1 \u2192 assert the request is blocked with error_code=approval_limit_exceeded and dimension=monetary before any commitment record is written",
          "Submit a commitment request that is within the monetary limit but exceeds the quantity limit by one unit \u2192 assert block with error_code=approval_limit_exceeded and dimension=quantity",
          "Submit a commitment request within all limit dimensions \u2192 assert it proceeds and an approval_limit_enforcement_log entry is created with decision=approved and all limit values recorded alongside proposed values",
          "Revoke a principal's approval authority mid-session and submit a new commitment request \u2192 assert the limit lookup retrieves null or zero limits and the request is blocked with error_code=no_active_authority"
        ],
        "human_review": [
          "Review a sample of blocked commitment records to confirm each identifies the specific limit dimension exceeded and the escalation path activated, not just a generic rejection without diagnostic detail",
          "Assess whether limit dimensions cover all material commitment types exercised by AI agents in scope (monetary, quantity, scope category, vendor tier) or are narrowly restricted to monetary limits only",
          "Verify that approval limit thresholds in the AI authorization layer match the current enterprise DoA schedule and that a reconciliation process exists to detect drift between the two systems"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "industry-framework",
        "anti_patterns": [
          "Enforcing monetary limits only while omitting quantity and scope dimensions, enabling an AI agent to structure a large commitment as many small individually in-limit transactions that collectively exceed the principal's intended authority",
          "Evaluating approval limits against the principal's limits cached at deployment time rather than retrieved from the DoA system at each commitment request, missing limit reductions and revocations",
          "Implementing the approval limit check as a logging-and-alerting control rather than a blocking gate, allowing over-limit commitments to execute while generating after-the-fact alerts",
          "Caching principal limit values locally in the AI agent without a TTL or freshness check, allowing stale limit values to govern commitments for extended periods after a DoA change",
          "Maintaining AI-specific approval limit tables that are not derived from and synchronized with the enterprise DoA schedule, creating a shadow authority framework that diverges from the authoritative source"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PA"
      },
      {
        "id": "PA-03",
        "name": "Escalation Gate Design and Testing",
        "canonical_id": "apeiris://authority/controls/PA-03",
        "layer": "PA",
        "prefix": "PA",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Defines and tests escalation gates \u2014 mandatory human approval checkpoints \u2014 that AI agents must traverse before executing actions above defined authority thresholds. Gates are tested for correctness, bypass resistance, and failure-safe behavior on a defined cadence, ensuring they function as genuine blocks and not administrative formalities.",
        "threat": {
          "context": "Escalation gates that have not been tested for bypass resistance may be circumvented through prompt injection, API parameter manipulation, state machine exploitation, or social engineering of the escalation approver. A gate that is technically present but practically bypassable provides no authority protection.",
          "tags": [
            "escalation-failure",
            "authority-limit-breach",
            "policy-bypass"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 15",
            "title": "Assesses Substantial Change"
          },
          {
            "id": "iso_37301",
            "section": "\u00a7 8.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_rmf",
            "section": "MANAGE 4.1",
            "title": "Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management"
          },
          {
            "id": "nist_800_53",
            "section": "IR-4",
            "title": "Incident Handling"
          }
        ],
        "sources": [
          {
            "id": "coso-erm-2017",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PA-03 Escalation Gate Design and Testing control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021",
            "title": "ISO 37301:2021 \u2014 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Compliance Management Systems requirements informing the apeiris://authority/controls/PA-03 Escalation Gate Design and Testing control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PA-03 Escalation Gate Design and Testing control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-sp-800-53-r5",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls requirements informing the apeiris://authority/controls/PA-03 Escalation Gate Design and Testing control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PA-03 Escalation Gate Design and Testing control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PA-03 Escalation Gate Design and Testing control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PA-03 Escalation Gate Design and Testing control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PA-03 Escalation Gate Design and Testing control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Design escalation gates as stateful checkpoints in the AI action execution pipeline where the action execution context is paused, an approval request is issued to the designated human approver, and execution is blocked until an explicit approval decision is received and cryptographically recorded. Test gates periodically for bypass resistance using red team exercises that attempt to circumvent the gate through technical and procedural means.",
          "steps": [
            "Define escalation gate trigger conditions for each AI system, mapping action types and approval limit thresholds to the required escalation level and approver role.",
            "Implement escalation gates as fail-safe checkpoints: execution is blocked by default, and the gate opens only on receipt of a cryptographically signed approval from the designated approver.",
            "Document bypass resistance test cases covering prompt injection, API parameter manipulation, state machine exploitation, and approver social engineering vectors.",
            "Schedule and conduct bypass resistance testing on a defined cadence (minimum semi-annually for consequential-commitment systems) and remediate any identified weaknesses before returning the gate to production."
          ],
          "anti_patterns": [
            "Implementing escalation gates as notification-only workflows where the action proceeds unless the approver explicitly rejects it within a time window \u2014 this is a soft gate, not a hard block.",
            "Testing only the happy path (correct escalation and approval flow) without testing bypass resistance, leaving gate vulnerabilities undiscovered."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that escalation gates are implemented as fail-safe checkpoints \u2014 blocking by default \u2014 rather than notification-and-proceed workflows.",
            "Verify that gate approval decisions require a cryptographic signature from the designated approver, preventing spoofed approvals.",
            "Check that bypass resistance test cases cover at least prompt injection, API manipulation, and state machine exploitation vectors."
          ],
          "runtime_tests": [
            "Trigger an AI action that exceeds an escalation threshold and verify the gate blocks execution and issues an approval request to the correct approver.",
            "Attempt to bypass the escalation gate through direct API parameter manipulation and confirm the attempt is blocked and logged.",
            "Allow an escalation request to time out without an approver response and confirm the action remains blocked rather than auto-approved."
          ],
          "evidence": [
            "Escalation gate design documentation showing fail-safe architecture, trigger conditions, and approver routing for all in-scope AI systems.",
            "Bypass resistance test records from the most recent test cycle, including test cases executed, findings, and remediation actions.",
            "Gate activation and approval logs for the audit period showing triggered escalations, approver identities, approval decisions, and decision timestamps."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Escalation gates that have been tested for bypass resistance provide the legal assurance that the organization's authority controls cannot be trivially circumvented. Untested gates represent a gap between documented controls and operational reality.",
            "actions": [
              "Confirm that escalation gate designs are documented as formal control specifications, not just implementation decisions.",
              "Verify that bypass resistance test records are retained as evidence that control testing was conducted.",
              "Ensure that gate approval records create a legal-quality audit trail linking each escalated action to a specific human approver decision."
            ],
            "failure_signals": [
              "Escalation gates with no corresponding bypass resistance test records, creating a gap between the documented control and its operational assurance.",
              "Gate approval records that do not identify the specific individual who approved the escalation, making accountability non-attributable.",
              "Soft gates (notification-and-proceed) deployed where the control design specifies a hard block."
            ]
          },
          "cfo_procurement": {
            "summary": "Escalation gates are the operational checkpoint that routes over-limit AI procurement commitments to appropriate human financial authority. Their bypass resistance is as important as their existence \u2014 a gate that can be circumvented provides no financial protection.",
            "actions": [
              "Confirm that procurement AI escalation gates route over-limit actions to the specific finance principal with delegated authority at the required level, not to a generic approver queue.",
              "Include bypass resistance test results for procurement AI escalation gates in the periodic finance risk reporting package.",
              "Require that the escalation approver for over-limit procurement actions confirms receipt and review of the commitment details before the approval decision is recorded."
            ],
            "failure_signals": [
              "Procurement AI escalation gates routing over-limit actions to IT operations or a generic approvals queue rather than the required finance authority level.",
              "No bypass resistance testing conducted for procurement AI escalation gates despite their direct financial consequence.",
              "Escalation approval records that show approver sign-off without evidence that the approver received and reviewed the commitment details."
            ]
          },
          "risk_officer": {
            "summary": "Escalation gate design and testing closes the gap between control design and operational assurance. An untested escalation gate is a risk control whose effectiveness is unknown; bypass resistance testing converts it into a measured and evidenced control.",
            "actions": [
              "Require bypass resistance testing for all escalation gates governing consequential-commitment AI systems before those systems go live and on a defined semi-annual cadence thereafter.",
              "Include escalation gate test status and finding remediation in the AI risk monitoring dashboard.",
              "Define a risk escalation procedure for the discovery of gate bypass vulnerabilities, including immediate suspension of the affected AI system pending remediation."
            ],
            "failure_signals": [
              "Escalation gates deployed for consequential-commitment AI systems without prior bypass resistance testing.",
              "Bypass resistance findings from previous test cycles that have not been remediated within the defined SLA.",
              "No defined response procedure for the discovery of a gate bypass vulnerability, leaving the organization without a containment protocol."
            ]
          },
          "grc_auditor": {
            "summary": "Escalation gate testing is the assurance activity that validates the control effectiveness of the gate design. Auditors must verify that gates are fail-safe, tested, and that bypass resistance findings are remediated.",
            "actions": [
              "Inspect escalation gate configurations to confirm fail-safe (block-by-default) architecture for all consequential-commitment AI systems.",
              "Review the most recent bypass resistance test records for each in-scope gate, including the test cases executed and findings.",
              "Confirm that all findings from the most recent test cycle have been remediated and that re-testing was conducted before the gate was returned to production."
            ],
            "failure_signals": [
              "Escalation gates configured with auto-approve on timeout rather than a block-by-default fail-safe architecture.",
              "Bypass resistance test records that are incomplete, covering only functional testing without adversarial bypass test cases.",
              "Open findings from bypass resistance testing that have not been remediated within the defined SLA, with no documented risk acceptance."
            ],
            "metrics": [
              "Percentage of consequential-commitment AI escalation gates with current bypass resistance test records (within the defined test cadence) (target: 100%)",
              "Number of bypass resistance findings per gate per test cycle, trended for improving or degrading gate robustness",
              "Mean time from bypass resistance finding identification to confirmed remediation in days (target: <30 for high-severity findings)"
            ]
          },
          "board_governance": {
            "summary": "Escalation gate testing provides the board with assurance that the human approval checkpoints designed to bound AI authority are operationally effective, not merely documented. The board should confirm that testing is mandatory and that significant findings are reported.",
            "actions": [
              "Confirm that the AI governance policy mandates bypass resistance testing for escalation gates in consequential-commitment AI systems on a defined cadence.",
              "Request a summary of escalation gate test status and findings as part of periodic AI governance reporting to the board.",
              "Ensure that significant gate bypass vulnerabilities \u2014 those that would allow over-limit AI commitments to complete without human approval \u2014 are reported to the board risk committee."
            ],
            "failure_signals": [
              "AI governance policy that requires escalation gates without mandating bypass resistance testing to verify their operational effectiveness.",
              "No escalation gate testing status in board AI governance reporting, preventing the board from knowing whether its authority controls are working.",
              "Discovery of an escalation gate bypass vulnerability through an incident rather than proactive testing."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 15",
            "title": "Assesses Substantial Change",
            "principle_number": 15,
            "component_name": "Review and Revision",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "Escalation gates block above-threshold actions but are not the substantial-change assessment Principle 15 describes.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Escalation gates block above-threshold actions but are not the substantial-change assessment Principle 15 describes.",
            "requirement_id": "Principle 15 \u2014 Assesses Substantial Change",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a7 8.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Designed and tested escalation checkpoints are operational controls, partially satisfying \u00a78.1.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Designed and tested escalation checkpoints are operational controls, partially satisfying \u00a78.1.",
            "requirement_id": "\u00a7 8.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MANAGE 4.1",
            "title": "Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Tested escalation gates are a post-deployment control mechanism, partially addressing MANAGE 4.1.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Tested escalation gates are a post-deployment control mechanism, partially addressing MANAGE 4.1.",
            "requirement_id": "MANAGE 4.1 \u2014 Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "IR-4",
            "title": "Incident Handling",
            "normative_force": "voluntary-standard",
            "fit": "adjacent",
            "fit_rationale": "Escalation gates are preventive approval checkpoints, related to but distinct from IR-4 incident handling.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Escalation gates are preventive approval checkpoints, related to but distinct from IR-4 incident handling.",
            "requirement_id": "IR-4 \u2014 Incident Handling",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Control Tower Detective Controls \u2014 Policy Violation Escalation",
            "rationale": "AWS Control Tower detective controls continuously monitor accounts for policy violations and escalate findings through AWS Security Hub. When AI-initiated actions violate governance policies, findings are classified and routed to response teams via EventBridge rules, implementing escalation gate logic as an automated, organization-wide control that does not depend on individual account configuration.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Control Tower detective controls escalate policy-violation findings, partially implementing escalation routing though detective not preventive.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Privileged Access Manager \u2014 Multi-Level Approval Escalation",
            "rationale": "Google Cloud PAM's multi-level approval workflow supports up to two approval levels with multiple approvers at each level, implementing escalation gates where initial requests are reviewed by immediate approvers before escalating to senior approvers for high-impact decisions. PAM requires principals to provide justifications and enforces mandatory human approval steps before elevated access is granted. Multi-level approvals require Security Command Center Premium or Enterprise tier.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "PAM multi-level mandatory approvals implement escalation checkpoints, partially matching the gate design.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Workflows \u2014 Automated Escalation Gate Enforcement",
            "rationale": "Okta Workflows can implement automated escalation gates that enforce mandatory human approval steps before AI agents receive elevated authorization tokens. Workflow logic can route escalation requests to defined approver groups, enforce time limits for approvals, and automatically revoke access if escalation conditions are not met within the required window.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta Workflows enforce mandatory approval steps before elevated tokens issue, partially implementing escalation gates.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Standard v2 \u2014 Goal A5: Human Oversight and Control",
            "rationale": "Goal A5 of Microsoft's Responsible AI Standard v2 requires that AI systems be designed for effective human oversight and control, including defining the points at which human review or approval is required before consequential actions proceed \u2014 the design obligation that escalation gates implement.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "RAI Goal A5 requires defined human-approval points before consequential actions, the design obligation escalation gates implement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "consequential-commitment",
          "procurement-ai"
        ],
        "implementers": [
          "Platform Engineering",
          "Security Architecture",
          "Operations",
          "AI Program Office"
        ],
        "validation_objective": "Every defined escalation gate must be implemented as a hard approval checkpoint that the AI agent cannot bypass, self-approve, or advance past by timeout. Gate correctness, bypass resistance, and timeout-handling behavior must each be tested against a documented test suite before go-live and after any gate configuration change, with test execution records and outcomes retained as evidence.",
        "evidence_required": [
          "escalation_gate_definition_record for each gate specifying gate_id, threshold type (monetary/quantity/scope), threshold value, required_approver_roles, timeout_behavior, and the version of the gate configuration",
          "gate_test_execution_record showing test results for threshold trigger, bypass resistance, self-approval prevention, and timeout-handling tests per gate, with test_executor, execution_timestamp, and pass/fail outcome for each test case",
          "gate_activation_log recording each triggered escalation with gate_id, triggering_commitment_id, notified_approver_ids, approval_decision, decision_timestamp, and approver_identity",
          "bypass_attempt_audit_record showing any detected attempts to route commitments around configured escalation gates, including the detection mechanism and the action taken in response"
        ],
        "machine_tests": [
          "Submit an AI commitment at one unit above the configured escalation threshold \u2192 assert a gate_activation record is created, the AI agent is blocked from proceeding, and approver notification is dispatched within the configured notification_latency_seconds",
          "Attempt to approve an escalation gate request using the requesting agent's own service account identity as the approver \u2192 assert rejection with error_code=self_approval_prohibited",
          "Let an escalation gate notification expire without any approver response \u2192 assert the commitment is denied with outcome=timeout_denial and not auto-approved or left in an indefinite pending state",
          "Submit a commitment at one unit below the escalation threshold \u2192 assert no gate is triggered and the commitment proceeds through standard approval limit enforcement without a gate activation record"
        ],
        "human_review": [
          "Review gate test execution records to confirm bypass resistance and self-approval prevention test cases were executed against each gate, not only threshold trigger tests",
          "Assess the timeout handling behavior specified for each gate to confirm that approval timeout produces a commitment denial rather than auto-approval or an indefinitely pending state that blocks future operations",
          "Verify that required_approver_roles assigned to each gate are current given the organization's present structure and that individuals holding those roles have no conflict of interest with the requesting principal's authority chain"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "industry-framework",
        "anti_patterns": [
          "Configuring escalation gate timeouts to default to auto-approval when no response is received, allowing commitments to execute unreviewed when approvers are unavailable",
          "Including the requesting AI agent's service account in the set of eligible approver roles for its own escalation gate, enabling programmatic self-approval",
          "Designing gates that trigger only on monetary thresholds without covering quantity and scope thresholds, enabling commitment structuring to avoid gate activation",
          "Testing only the threshold trigger condition without testing bypass resistance, self-approval prevention, and timeout behavior, leaving critical failure modes unvalidated before go-live",
          "Configuring a single undifferentiated escalation gate for all action types rather than threshold-differentiated gates calibrated to each commitment class and authority tier"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PA"
      },
      {
        "id": "PA-04",
        "name": "Principal Accountability Binding",
        "canonical_id": "apeiris://authority/controls/PA-04",
        "layer": "PA",
        "prefix": "PA",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": true,
        "plain": "Binds every consequential AI action to a named human principal who bears accountability for the action's authority and outcome. Accountability binding is recorded in an immutable audit artifact at the time of action and cannot be transferred to another AI system. EU AI Act Articles 14 and 26(2) require that high-risk AI systems operate under effective human oversight assigned by the deployer to identified, competent natural persons.",
        "threat": {
          "context": "Without explicit accountability binding, organizations face a principal accountability gap in which no human can be held responsible for AI-initiated decisions. This gap creates regulatory, contractual, and governance failures, and prevents post-incident accountability assignment. Unbound AI accountability is not merely a governance shortcoming \u2014 it exposes the organization to unanswerable liability.",
          "tags": [
            "principal-accountability-gap",
            "unauthorized-commitment",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 1",
            "title": "Exercises Board Risk Oversight"
          },
          {
            "id": "coso_erm",
            "section": "Principle 2",
            "title": "Establishes Operating Structures"
          },
          {
            "id": "eu_ai_act",
            "section": "Art. 25 / Art. 26",
            "title": "Responsibilities along the AI value chain; obligations of deployers of high-risk AI systems"
          },
          {
            "id": "iso_42001",
            "section": "\u00a7 5.1",
            "title": "Leadership and commitment"
          }
        ],
        "sources": [
          {
            "id": "eu-ai-act-2024",
            "title": "EU Artificial Intelligence Act",
            "authority": "European Parliament and Council of the European Union",
            "source_type": "regulation",
            "normative_force": "binding-law",
            "version": "2024/1689",
            "published_on": "2024-07-12",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689",
            "license": "open-access",
            "status": "current",
            "flagship": true,
            "source_id": "eu_ai_act",
            "relationship": "normative_requirement",
            "rationale": "Establishes EU Artificial Intelligence Act requirements informing the apeiris://authority/controls/PA-04 Principal Accountability Binding control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "coso-erm-2017-p2",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PA-04 Principal Accountability Binding control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "coso-erm-2017-p3",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PA-04 Principal Accountability Binding control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "oecd-cg-2023",
            "title": "G20/OECD Principles of Corporate Governance 2023",
            "authority": "Organisation for Economic Co-operation and Development",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "2023",
            "published_on": "2023-09-11",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.oecd.org/en/publications/2023/09/g20-oecd-principles-of-corporate-governance-2023_60836fcb.html",
            "license": "open-access",
            "status": "current",
            "flagship": true,
            "source_id": "oecd_cg",
            "relationship": "implementation_pattern",
            "rationale": "Establishes OECD Principles of Corporate Governance requirements informing the apeiris://authority/controls/PA-04 Principal Accountability Binding control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PA-04 Principal Accountability Binding control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PA-04 Principal Accountability Binding control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PA-04 Principal Accountability Binding control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PA-04 Principal Accountability Binding control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "At the time each consequential AI action is authorized, capture the name, role, identity reference, and delegation authority basis of the human principal who bears accountability for the action. Write this accountability binding as an immutable record in the authority audit log, linked to the action's execution record. Accountability bindings must be captured before the action executes \u2014 not retrospectively assigned.",
          "steps": [
            "Define the set of consequential AI action types for which accountability binding is required, based on action materiality criteria in the AI governance policy.",
            "Implement accountability capture at the pre-execution authorization step, recording the accountable principal's identity reference, role, and delegation authority basis alongside the action authorization record.",
            "Write accountability binding records to an append-only audit log that prevents modification of existing entries, ensuring the binding cannot be retroactively altered.",
            "Validate at the authorization step that the accountability binding references a current, active human principal \u2014 not a role, system, or former employee \u2014 before the action is permitted to execute."
          ],
          "anti_patterns": [
            "Attributing accountability to a role, team, or system rather than a named human individual, making it impossible to identify the accountable party in a dispute or regulatory inquiry.",
            "Capturing accountability bindings retrospectively after the action has executed, removing the link between accountability and pre-authorization."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that accountability binding capture is positioned at the pre-execution authorization step for all defined consequential action types.",
            "Verify that accountability binding records reference a named human individual with a verifiable identity reference, not a role or team.",
            "Check that the audit log storing accountability bindings is append-only and protected against modification of existing entries."
          ],
          "runtime_tests": [
            "Trigger a consequential AI action and verify that an accountability binding record is written to the audit log before the action executes.",
            "Attempt to trigger a consequential action without a valid human principal in the accountability binding field and confirm execution is blocked.",
            "Attempt to modify an existing accountability binding record in the audit log and confirm the write is rejected."
          ],
          "evidence": [
            "Accountability binding records in the audit log for every consequential AI action during the audit period, each referencing a named human principal.",
            "Audit log integrity evidence confirming the append-only constraint has been enforced with no modifications to existing entries.",
            "Sample accountability binding records showing the identity reference, role, and delegation authority basis fields are populated for consequential actions."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Principal accountability binding creates the legal record establishing which human is responsible for each consequential AI action. It is essential for contract enforcement, regulatory compliance, and liability assignment. Without it, AI-initiated actions exist in an accountability vacuum.",
            "actions": [
              "Confirm that accountability binding records constitute legal-quality evidence \u2014 with named individual, identity reference, role, and timestamp \u2014 sufficient for use in dispute resolution and regulatory inquiry.",
              "Verify that accountability binding records are retained for the full period that the corresponding AI actions may be subject to legal review.",
              "Ensure that the governance policy prohibits the assignment of accountability to roles, teams, or AI systems rather than named human individuals."
            ],
            "failure_signals": [
              "Consequential AI actions with no accountability binding record, or with bindings that reference a role rather than a named individual.",
              "Accountability bindings that were captured retroactively after the action executed rather than before.",
              "Audit log entries for accountability bindings that have been modified after initial capture, undermining their evidentiary reliability."
            ]
          },
          "cfo_procurement": {
            "summary": "Accountability binding for AI procurement actions establishes the named human who is financially responsible for each AI-initiated commitment. This binding is the foundational control for procurement accountability in an environment where AI agents take purchasing actions.",
            "actions": [
              "Confirm that accountability bindings for procurement AI actions reference the specific human principal whose financial authority covers the commitment amount.",
              "Require that accountability binding records for material commitments include the dollar amount, vendor, and commitment type as context alongside the principal identity.",
              "Use accountability binding records as the basis for attribution in financial audits and procurement reviews involving AI-initiated commitments."
            ],
            "failure_signals": [
              "Procurement AI commitment actions with accountability bindings referencing a generic finance role rather than a named individual with specific procurement authority.",
              "Material AI procurement commitments with accountability binding records that lack the commitment amount and vendor context needed for meaningful financial accountability.",
              "No process for verifying that the accountable principal referenced in a procurement AI binding actually had sufficient financial authority for the commitment amount at the time of binding."
            ]
          },
          "risk_officer": {
            "summary": "Accountability binding is the control that ensures AI risk has a human owner. It closes the principal accountability gap that represents one of the most significant governance risks in enterprise AI deployment.",
            "actions": [
              "Define the set of consequential AI action types requiring accountability binding, calibrated to the materiality criteria in the AI risk framework.",
              "Include accountability binding coverage rate \u2014 the percentage of consequential actions with a valid human binding \u2014 in the AI risk monitoring dashboard.",
              "Define risk escalation procedures for cases where the intended accountable principal is unavailable at the time an accountability binding is required."
            ],
            "failure_signals": [
              "Materiality criteria for accountability binding set so broadly that low-risk actions are bound but material actions in non-obvious categories are excluded.",
              "Accountability binding coverage rate below 100% for defined consequential action types, indicating binding capture is not functioning for some action paths.",
              "No defined procedure for handling unavailability of the intended accountable principal, creating operational gaps in consequential action authorization."
            ]
          },
          "grc_auditor": {
            "summary": "Principal accountability binding is a mandatory baseline control whose audit evidence must demonstrate 100% coverage for defined consequential action types. Auditors must verify binding completeness, individual attribution, and audit log integrity.",
            "actions": [
              "Pull the complete list of consequential AI actions during the audit period and verify that each has a corresponding accountability binding record in the audit log.",
              "Inspect a sample of binding records to confirm they reference named individuals with verifiable identity references, not roles or teams.",
              "Test the append-only constraint of the audit log by attempting a modification and confirming it is rejected."
            ],
            "failure_signals": [
              "Consequential AI actions with no accountability binding record in the audit log.",
              "Binding records referencing roles, organizational units, or AI system identifiers rather than human individual identity references.",
              "Audit log modification test showing that historical binding records can be altered, undermining their evidentiary integrity."
            ],
            "metrics": [
              "Percentage of defined consequential AI actions with a valid human accountability binding record (target: 100%)",
              "Percentage of accountability binding records that reference a named individual with a verifiable identity reference (target: 100%)",
              "Number of audit log integrity violations detected per reporting period (target: zero)"
            ]
          },
          "board_governance": {
            "summary": "Principal accountability binding is the control that ensures the board's fundamental expectation \u2014 that humans remain accountable for AI-initiated actions \u2014 is operationally enforced. It is a baseline control that should be non-negotiable in the organization's AI governance policy.",
            "actions": [
              "Confirm that the board's AI governance policy explicitly requires principal accountability binding as a mandatory prerequisite for consequential AI action authorization.",
              "Request evidence from management that accountability binding is implemented and enforced for all AI systems operating in consequential-commitment domains.",
              "Ensure that the board risk committee reviews any exception requests that would waive or defer accountability binding requirements."
            ],
            "failure_signals": [
              "AI governance policy that is silent on principal accountability binding, leaving this foundational control to management discretion.",
              "Management reporting to the board that describes AI system deployment and performance without addressing accountability binding coverage.",
              "Exception requests to waive accountability binding that are approved by management without board committee awareness."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "managed"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 1",
            "title": "Exercises Board Risk Oversight",
            "principle_number": 1,
            "component_name": "Governance and Culture",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "Per-action accountability binding supports oversight but is not the board-level risk oversight Principle 1 addresses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Per-action accountability binding supports oversight but is not the board-level risk oversight Principle 1 addresses.",
            "requirement_id": "Principle 1 \u2014 Exercises Board Risk Oversight",
            "relation": "informs"
          },
          {
            "framework": "eu_ai_act",
            "ref": "Art. 25 / Art. 26",
            "title": "Responsibilities along the AI value chain; obligations of deployers of high-risk AI systems",
            "normative_force": "binding-law",
            "fit": "partial",
            "fit_rationale": "Binding actions to accountable natural persons implements part of Art. 26 deployer human-oversight obligations.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Binding actions to accountable natural persons implements part of Art. 26 deployer human-oversight obligations.",
            "requirement_id": "Art. 25 / Art. 26 \u2014 Responsibilities along the AI value chain; obligations of deployers of high-risk AI systems",
            "relation": "satisfies"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a7 5.1",
            "title": "Leadership and commitment",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "Accountability binding operationalizes responsibility per action, distinct from the leadership commitment \u00a75.1 requires.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Accountability binding operationalizes responsibility per action, distinct from the leadership commitment \u00a75.1 requires.",
            "requirement_id": "\u00a7 5.1 \u2014 Leadership and commitment",
            "relation": "equivalent_to"
          },
          {
            "framework": "oecd_cg",
            "ref": "IV",
            "title": "Disclosure and transparency",
            "normative_force": "voluntary-standard",
            "source_version": "2023",
            "fit": "adjacent",
            "fit_rationale": "Immutable accountability records aid transparency but are not the disclosure regime OECD Chapter IV addresses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Immutable accountability records aid transparency but are not the disclosure regime OECD Chapter IV addresses.",
            "requirement_id": "IV \u2014 Disclosure and transparency",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS CloudTrail \u2014 Principal Accountability Binding for All API Calls",
            "rationale": "AWS CloudTrail records the authenticated IAM principal identity for every API call across all AWS services, creating an immutable audit record that binds every AI-initiated action to an accountable human principal. CloudTrail logs cannot be deleted without explicit action by a principal with appropriate IAM permissions, maintaining non-repudiable accountability chains for forensic and regulatory purposes.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "CloudTrail records the authenticated principal for every API call, partially implementing immutable accountability binding.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Identity Tokens \u2014 Principal Identity Binding for AI Agents",
            "rationale": "Okta's identity tokens bind AI agent actions to the authenticated principal who authorized the agent's operation. Okta Cross App Access (XAA) maintains the principal accountability chain across service boundaries, ensuring that the authorizing human identity is attributable to every downstream AI-initiated action regardless of how many service hops occur.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta identity tokens and XAA bind actions to the authorizing principal across hops, partially implementing accountability binding.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Audit Logs \u2014 Non-Repudiable Principal Binding",
            "rationale": "Google Cloud Admin Activity and Data Access Audit Logs record the authenticated principal identity for all resource operations, creating a non-repudiable audit trail that binds AI-initiated actions to accountable principals. Organization-level audit log configuration ensures consistent principal accountability binding across all projects within the governance hierarchy.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Cloud Audit Logs record authenticated principals non-repudiably, partially implementing accountability binding.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Purview Audit \u2014 Principal Accountability for AI Actions",
            "rationale": "Microsoft Purview Audit provides immutable audit logging that binds AI system actions to responsible authenticated principals. Purview's unified audit log captures identity, time, resource, and action details for AI workload events, ensuring that every AI-initiated action can be attributed to an accountable organizational principal in regulatory inquiries or forensic investigations.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Purview immutable audit logs attribute AI actions to accountable principals, partially implementing accountability binding.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "eu-high-risk-ai",
          "public-company-governance"
        ],
        "implementers": [
          "Legal Counsel",
          "Human Resources",
          "AI Program Office",
          "Board of Directors"
        ],
        "validation_objective": "Every consequential AI action must produce an immutable accountability binding artifact atomically with the action, containing the action_id, agent_id, principal_id, delegation_basis_id, action_scope, and an integrity hash sealing the record. The artifact must be written to a tamper-evident, append-only store from which neither the AI agent nor its service account can modify or delete entries.",
        "evidence_required": [
          "accountability_binding_artifact for each consequential AI action, containing action_id, agent_id, principal_id, delegation_basis_id, action_scope, action_timestamp, and integrity_hash (sha256) \u2014 all fields must be non-null",
          "tamper_evident_store_audit_record confirming the binding store is append-only and that no modification or deletion events occurred for any binding artifact during the audit period",
          "principal_existence_validation_record confirming the principal_id referenced in each binding artifact resolves to a current, active human identity in the enterprise identity system at the time of binding",
          "binding_completeness_scan result confirming 100% of consequential AI actions in the audit period have a corresponding accountability binding artifact with no gaps"
        ],
        "machine_tests": [
          "Execute a consequential AI action through the authorized path \u2192 assert an accountability_binding_artifact is created within the same transaction with agent_id, principal_id, delegation_basis_id, and integrity_hash all populated and non-null",
          "Attempt to modify an existing accountability binding artifact using the AI agent's service account credentials \u2192 assert rejection with error_code=immutable_record_violation and confirm the original record is unchanged",
          "Query the binding store for all consequential AI actions over the past 30 days \u2192 assert zero records have null or missing principal_id fields",
          "Submit a consequential action referencing a principal_id that does not exist in the enterprise identity system \u2192 assert rejection with error_code=unresolvable_principal before the action executes"
        ],
        "human_review": [
          "Review a sample of accountability binding artifacts to confirm each references a specific, verifiable delegation_basis_id (DoA record or policy ID) rather than a generic service account or system identity",
          "Assess whether the definition of 'consequential AI action' in the binding policy is broad enough to capture all actions with material authority implications, including data deletions, access grants, and policy modifications, not only financial commitments",
          "Verify that the tamper-evident store access controls prevent the AI agent's service account, its operators, and platform administrators from modifying or deleting binding records, with any administrative access requiring multi-party authorization"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Recording only the AI agent's service account as the responsible party without linking to a named human principal and the specific delegation basis that authorized the action",
          "Writing accountability binding artifacts to a mutable log store where the AI agent's service account or platform operators can modify or delete entries",
          "Using a generic 'AI system' or 'automated process' label as the principal_id in binding artifacts, making individual human accountability untraceable",
          "Defining 'consequential action' so narrowly that only financial commitments above a materiality threshold are bound, excluding consequential non-financial actions such as data deletions, permission escalations, or configuration changes",
          "Writing binding artifacts asynchronously after action execution rather than atomically within the same transaction, creating a window where consequential actions exist without binding records"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PA"
      },
      {
        "id": "PA-05",
        "name": "Multi-Party Approval Workflow",
        "canonical_id": "apeiris://authority/controls/PA-05",
        "layer": "PA",
        "prefix": "PA",
        "plane": "control",
        "capability_risk": {
          "capability_level": "elevated"
        },
        "baseline": false,
        "plain": "Requires two or more independent human approvers for AI-initiated commitments above a defined materiality threshold. The workflow enforces sequencing, prevents collusion through separation of duties, and produces a cryptographically linked approval chain as the authorization artifact for the commitment.",
        "threat": {
          "context": "High-value AI-initiated commitments approved by a single principal create concentration risk, bypass separation-of-duties requirements, and expose the organization to single-point-of-failure authorization. The elevated capability risk reflects the direct financial consequence of allowing a single compromised or pressured approver to authorize a material AI commitment.",
          "tags": [
            "unauthorized-commitment",
            "authority-limit-breach",
            "procurement-bypass"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a7 8.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_800_53",
            "section": "AC-5",
            "title": "Separation of Duties"
          },
          {
            "id": "coso_erm",
            "section": "Principle 7",
            "title": "Defines Risk Appetite"
          }
        ],
        "sources": [
          {
            "id": "iso-37301-2021",
            "title": "ISO 37301:2021 \u2014 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Compliance Management Systems requirements informing the apeiris://authority/controls/PA-05 Multi-Party Approval Workflow control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-sp-800-53-r5",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls requirements informing the apeiris://authority/controls/PA-05 Multi-Party Approval Workflow control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "coso-erm-2017",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PA-05 Multi-Party Approval Workflow control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PA-05 Multi-Party Approval Workflow control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PA-05 Multi-Party Approval Workflow control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PA-05 Multi-Party Approval Workflow control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PA-05 Multi-Party Approval Workflow control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Configure multi-party approval workflow for AI-initiated commitments above the defined materiality threshold. The workflow enforces a defined approval sequence, prevents the same individual from serving as more than one approver, and produces a linked chain of cryptographically signed approval records. Each approver must independently review the commitment details before signing; the workflow does not reveal prior approver decisions until the quorum threshold is reached.",
          "steps": [
            "Define materiality thresholds by commitment type above which multi-party approval is required, and configure the required approver count and sequencing for each tier.",
            "Implement the approval workflow with an independent review requirement: each approver receives the full commitment details and must provide a signed decision without visibility into other approvers' decisions until the quorum is reached.",
            "Enforce separation of duties in the approver roster: the same individual may not serve as both the AI system's designated principal and an approver in the same workflow instance.",
            "Produce a linked approval chain record on workflow completion, with each approver's signed decision, timestamp, and identity reference cryptographically linked to the commitment record."
          ],
          "anti_patterns": [
            "Showing prior approver decisions to subsequent approvers before the quorum is reached, enabling anchoring bias that undermines the independence of multi-party review.",
            "Allowing the same individual to approve as both the initiating principal's delegate and as an independent approver, defeating the separation-of-duties requirement."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that multi-party approval workflow configurations require independent review without visibility into prior approver decisions until quorum.",
            "Verify that separation-of-duties enforcement prevents the same individual from serving in more than one approver role in the same workflow instance.",
            "Check that the linked approval chain record includes a cryptographic signature from each approver and is linked to the corresponding commitment record."
          ],
          "runtime_tests": [
            "Submit an AI commitment above the materiality threshold as a single-approver action and confirm the workflow blocks it and initiates multi-party review.",
            "Attempt to assign the same individual as both a delegate approver and an independent approver in the same workflow and verify the separation-of-duties enforcement rejects the configuration.",
            "Complete a multi-party approval workflow and verify that the resulting approval chain record is cryptographically sound and linked to the commitment record."
          ],
          "evidence": [
            "Multi-party approval workflow configurations showing materiality thresholds, required approver counts, and separation-of-duties constraints.",
            "Approval chain records for material AI commitments during the audit period, each showing independent approver signatures with timestamps.",
            "Workflow execution logs showing multi-party review for all commitments above the defined materiality threshold."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Multi-party approval workflows provide evidence that material AI-initiated commitments were not authorized unilaterally. The linked approval chain is the legal artifact demonstrating independent, sequenced human review and authorization.",
            "actions": [
              "Confirm that the approval chain record produced by completed workflows is legally sufficient to demonstrate independent human review of material AI commitments.",
              "Verify that the workflow design requires each approver to attest to independent review of the commitment details, not merely counter-sign a prior decision.",
              "Ensure that approval chain records are retained for the full evidentiary period applicable to the commitments they authorize."
            ],
            "failure_signals": [
              "Multi-party workflow records where approval decisions are timestamps with no evidence of independent review of the commitment details.",
              "Approval chain records where the identity of the approvers cannot be verified against the organization's authority hierarchy.",
              "Material AI commitments completed on the basis of single-approver review when the multi-party threshold had been reached."
            ]
          },
          "cfo_procurement": {
            "summary": "Multi-party approval for AI procurement commitments is the separation-of-duties control that prevents a single individual from authorizing high-value spend unilaterally. It is the AI-layer equivalent of dual-signature requirements on high-value procurement instruments.",
            "actions": [
              "Set multi-party approval materiality thresholds for AI procurement commitments consistent with the dual-signature requirements in the enterprise procurement policy.",
              "Require that at least one independent approver in the multi-party workflow is a finance principal with authority over the commitment amount.",
              "Include multi-party approval workflow completion rates and exception counts in the periodic finance risk reporting package."
            ],
            "failure_signals": [
              "Multi-party approval thresholds for AI procurement set higher than the dual-signature thresholds in the enterprise procurement policy, creating a gap in coverage.",
              "Multi-party procurement approval workflows where no finance principal is included in the required approver roster.",
              "High-value AI procurement commitments completed with single-approver authorization in excess of the defined materiality threshold."
            ]
          },
          "risk_officer": {
            "summary": "Multi-party approval for high-value AI commitments addresses concentration risk \u2014 the risk that a single compromised, pressured, or mistaken approver can authorize a material obligation. The elevated capability risk classification requires heightened assurance that the workflow is functioning correctly.",
            "actions": [
              "Set multi-party approval materiality thresholds based on the concentration risk analysis in the AI risk framework.",
              "Monitor multi-party approval workflow completion times and exception rates as primary risk metrics for high-value AI commitment authorization.",
              "Define a risk escalation procedure for situations where no quorum of independent approvers is available for a time-sensitive commitment."
            ],
            "failure_signals": [
              "Multi-party approval materiality thresholds set without a documented concentration risk analysis to support them.",
              "High rates of multi-party workflow exceptions being resolved by falling back to single-approver authorization, defeating the control.",
              "No defined procedure for the unavailability of required approvers, creating uncontrolled pressure to bypass the multi-party requirement."
            ]
          },
          "grc_auditor": {
            "summary": "Multi-party approval workflows are the separation-of-duties control for high-value AI commitments. Auditors must verify that the workflow is triggered at the correct threshold, independence is enforced, and the approval chain record is complete and cryptographically sound.",
            "actions": [
              "Compare AI commitment execution records against multi-party approval workflow records to confirm all commitments above threshold have a corresponding multi-party approval chain.",
              "Inspect a sample of approval chain records to verify that approver identities are distinct and that no individual appears in more than one approver role.",
              "Test the cryptographic validity of sampled approval chain records to confirm they have not been modified after completion."
            ],
            "failure_signals": [
              "AI commitments above the materiality threshold present in execution records without a corresponding multi-party approval chain.",
              "Approval chain records where the same identity reference appears in multiple approver roles, indicating separation-of-duties enforcement is not functioning.",
              "Approval chain records whose cryptographic signatures cannot be validated, indicating potential tampering."
            ],
            "metrics": [
              "Percentage of AI commitments above the materiality threshold with a completed multi-party approval chain record (target: 100%)",
              "Number of multi-party workflow exceptions (fallback to single-approver) per reporting period (target: zero absent documented emergency justification)",
              "Mean multi-party approval workflow completion time in hours (alert threshold: >48 hours indicating workflow friction)"
            ]
          },
          "board_governance": {
            "summary": "Multi-party approval for high-value AI commitments mirrors the dual-authorization requirements the board has established for high-value human-initiated transactions. The board should confirm that this control is applied consistently across human and AI-initiated commitment pathways.",
            "actions": [
              "Confirm that the enterprise procurement policy has been updated to address AI-initiated commitments and that multi-party approval requirements are consistent across human and AI commitment pathways.",
              "Request a summary of high-value AI commitment volumes and multi-party approval workflow performance in periodic board financial oversight reporting.",
              "Ensure that the board audit committee reviews any extended pattern of multi-party approval exceptions or workflow failures."
            ],
            "failure_signals": [
              "Enterprise procurement policy dual-signature requirements not extended to AI-initiated commitments, creating a coverage gap.",
              "Board financial reporting that covers high-value human commitments but provides no visibility into high-value AI commitments and their approval controls.",
              "Patterns of multi-party approval exceptions not reported to the board audit committee."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a7 8.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "The multi-approver workflow is an operational control, partially satisfying \u00a78.1.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "The multi-approver workflow is an operational control, partially satisfying \u00a78.1.",
            "requirement_id": "\u00a7 8.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AC-5",
            "title": "Separation of Duties",
            "normative_force": "voluntary-standard",
            "fit": "direct",
            "fit_rationale": "Requiring two independent approvers with an enforced separation-of-duties check directly implements AC-5.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Requiring two independent approvers with an enforced separation-of-duties check directly implements AC-5.",
            "requirement_id": "AC-5 \u2014 Separation of Duties",
            "relation": "equivalent_to"
          },
          {
            "framework": "coso_erm",
            "ref": "Principle 7",
            "title": "Defines Risk Appetite",
            "principle_number": 7,
            "component_name": "Strategy and Objective-Setting",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "Multi-party approval above a materiality threshold reflects appetite but does not define it per Principle 7.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Multi-party approval above a materiality threshold reflects appetite but does not define it per Principle 7.",
            "requirement_id": "Principle 7 \u2014 Defines Risk Appetite",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Resource Access Manager \u2014 Cross-Account Share Acceptance",
            "rationale": "AWS Resource Access Manager (RAM) shares resources across accounts: shares to accounts within the same organization can be accepted automatically, while shares to external accounts require explicit acceptance by the receiving account owner. RAM therefore provides a two-party acceptance step only across organizational boundaries \u2014 genuine multi-party approval workflows for AI resource access must be implemented explicitly (for example, in change-management pipelines) rather than assumed from RAM.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "RAM provides only cross-boundary two-party acceptance; genuine multi-party approval must be built explicitly, so this is adjacent.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud PAM Multi-Level Approval \u2014 Dual-Authorization Workflows",
            "rationale": "Google Cloud Privileged Access Manager supports multi-level approval workflows requiring authorization from multiple independent approvers before elevated access is granted. For AI systems requiring high-impact authority, PAM can be configured to require sign-off from both a technical approver and a business owner, implementing genuine multi-party approval rather than sequential single-approver chains. Multi-level approvals require Security Command Center Premium or Enterprise tier.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "PAM multi-level approvals can require independent technical and business sign-off, partially implementing multi-party approval.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Workflows \u2014 Multi-Party Token Approval Chains",
            "rationale": "Okta Workflows can enforce multi-party approval chains before issuing elevated OAuth tokens for AI agent operations. Workflow steps can be configured to require independent approval from a designated security reviewer and a business process owner before a high-authority token is issued, ensuring no single approver can authorize high-impact AI actions unilaterally.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta Workflows can require independent reviewers before elevated tokens issue, partially implementing multi-party approval.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure DevOps Required Reviewers \u2014 Multi-Party AI Deployment Approval",
            "rationale": "Azure DevOps branch protection policies with required reviewers and GitHub Advanced Security enforce multi-party approval gates for AI deployment pipelines. For AI systems deployed in high-consequence environments, Microsoft's Cloud Adoption Framework recommends requiring independent approval from security, compliance, and business stakeholders before deployment proceeds.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure DevOps required-reviewer gates enforce multi-party deployment approval, partially implementing the workflow for pipelines.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "consequential-commitment",
          "procurement-ai"
        ],
        "implementers": [
          "Finance",
          "Legal Counsel",
          "Platform Engineering",
          "Procurement"
        ],
        "validation_objective": "Every AI-initiated commitment above the defined materiality threshold must receive approval from at least two independent human approvers before execution, where independence is enforced at approval time by a separation-of-duties check confirming approvers are not from the same organizational unit or delegation chain. The full approval chain \u2014 with each approver's identity, approval timestamp, and digital signature \u2014 must be recorded before the commitment executes.",
        "evidence_required": [
          "multi_party_approval_record for each above-threshold commitment, containing commitment_id, materiality_threshold_value, approver_1_identity, approver_1_timestamp, approver_2_identity, approver_2_timestamp, and separation_of_duties_check_result",
          "independence_validation_record confirming each approver pair satisfied the configured separation-of-duties rule (different org unit, different delegation chain) at approval time, with the rule version applied",
          "collusion_prevention_audit_record showing the workflow system enforced approver role separation and detected any attempts to assign both approvals to the same organizational unit",
          "approval_chain_integrity_record with digital signatures from each approver confirming the commitment details were not altered between sequential approvals"
        ],
        "machine_tests": [
          "Submit an above-threshold AI commitment and assign both required approvers from the same organizational unit \u2192 assert rejection with error_code=separation_of_duties_violation before either approval can be recorded",
          "Submit an above-threshold commitment where the first approver's identity matches the second approver identity \u2192 assert rejection with error_code=duplicate_approver_prohibited",
          "Submit a commitment with two valid, independently sourced approvals \u2192 assert the commitment proceeds and a multi_party_approval_record is created with both approver identities, timestamps, and independence_validation_result=pass",
          "Submit a commitment below the materiality threshold \u2192 assert the multi-party approval workflow is not triggered and the commitment proceeds through standard approval limit enforcement without a multi_party_approval_record"
        ],
        "human_review": [
          "Review a sample of multi_party_approval_records to confirm independence_validation was applied in each case and that approver pairs came from genuinely independent organizational units rather than nominal units within the same effective authority chain",
          "Assess whether the materiality threshold for triggering multi-party approval is calibrated to the organization's current risk profile and whether the threshold has been formally reviewed within the past 12 months",
          "Verify that the separation-of-duties rule configuration reflects the current organizational structure and that a process exists to update the rule when reorganizations alter reporting lines or delegation chains"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Configuring the separation-of-duties rule using org unit names that are stale after a reorganization, allowing approvers from the same effective authority chain to serve as independent co-approvers",
          "Presenting approver_2 with approver_1's decision before approver_2 submits their own judgment, creating anchoring bias that defeats the independence purpose of multi-party approval",
          "Setting the materiality threshold at a level that no AI-initiated commitment in practice ever reaches, rendering the multi-party control permanently inactive",
          "Treating the second approval as a notification acknowledgment rather than an independent review of the commitment details, with no mechanism confirming approver_2 reviewed the full commitment scope",
          "Permitting a workflow administrator account to inject programmatic approvals, bypassing the requirement for named human approvers and creating a single point of collusion"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PA"
      },
      {
        "id": "PA-06",
        "name": "Emergency Override and Break-Glass",
        "canonical_id": "apeiris://authority/controls/PA-06",
        "layer": "PA",
        "prefix": "PA",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Defines a controlled emergency override procedure \u2014 break-glass \u2014 that temporarily suspends normal authority controls during formally declared incidents. Break-glass activations require multi-party authorization, generate immediate audit notifications to a designated oversight roster, and must be formally closed within a defined time window with a post-incident accountability review.",
        "threat": {
          "context": "Uncontrolled emergency override mechanisms become permanent backdoors that are invoked in non-emergency scenarios, bypassing all authority controls without detection. Break-glass without formal activation requirements, notification obligations, and time-bound closure requirements creates a systemic bypass vulnerability in the authority control plane.",
          "tags": [
            "policy-bypass",
            "authority-limit-breach",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "nist_rmf",
            "section": "MANAGE 4.3",
            "title": "Incidents and errors are communicated to relevant AI actors; processes for tracking, responding to, and recovering from incidents are followed and documented"
          },
          {
            "id": "iso_37301",
            "section": "\u00a7 4.6",
            "title": "Compliance risk assessment"
          },
          {
            "id": "nist_800_53",
            "section": "IR-4",
            "title": "Incident Handling"
          }
        ],
        "sources": [
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PA-06 Emergency Override and Break-Glass control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021",
            "title": "ISO 37301:2021 \u2014 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Compliance Management Systems requirements informing the apeiris://authority/controls/PA-06 Emergency Override and Break-Glass control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-sp-800-53-r5",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls requirements informing the apeiris://authority/controls/PA-06 Emergency Override and Break-Glass control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PA-06 Emergency Override and Break-Glass control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PA-06 Emergency Override and Break-Glass control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PA-06 Emergency Override and Break-Glass control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PA-06 Emergency Override and Break-Glass control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Define break-glass as a formally declared activation with its own access control, notification, and time-bound closure requirements. Break-glass must not be a side-channel that bypasses the authorization framework silently; it must be a controlled, auditable deviation from normal controls with defined scope, duration, and mandatory post-incident review.",
          "steps": [
            "Define break-glass activation criteria, activation authority (minimum two-principal requirement), scope (which controls are overridden and to what extent), and maximum permitted duration before mandatory review.",
            "Implement break-glass activation as a separate, elevated-privilege workflow that generates an immediate notification to the designated oversight roster \u2014 including legal and risk leadership \u2014 at the moment of activation.",
            "Configure the break-glass mechanism to automatically time-limit overrides and trigger a mandatory post-incident accountability review before re-enabling normal controls.",
            "Document all actions taken under break-glass authority in a separate, immutable emergency action log that is reviewed as part of the post-incident accountability review."
          ],
          "anti_patterns": [
            "Implementing break-glass as a simple credential or code that any administrator can use without formal activation, notification, or logging.",
            "Allowing break-glass activation to be self-authorized by the same individual who will use the override, removing the multi-party requirement at the highest-risk moment."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that break-glass activation requires a documented multi-principal authorization, not a single individual's decision.",
            "Verify that activation triggers immediate notification to the designated oversight roster, including legal and risk leadership.",
            "Check that the break-glass mechanism includes an automatic time limit and a mandatory post-incident review closure step."
          ],
          "runtime_tests": [
            "Attempt to activate break-glass with a single-principal authorization and confirm the workflow requires a second principal before activation proceeds.",
            "Complete a test break-glass activation in a non-production environment and verify that notifications reach the designated oversight roster within the required time window.",
            "Allow a test break-glass activation to reach its time limit and confirm that the automatic review trigger fires and the override lapses."
          ],
          "evidence": [
            "Break-glass activation records from the audit period, each showing the multi-principal authorization, activation timestamp, declared scope, and oversight notification confirmation.",
            "Emergency action logs for all actions taken under break-glass authority during the audit period.",
            "Post-incident accountability review records for all break-glass activations, confirming review completion before re-enabling normal controls."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Break-glass controls are the legal perimeter around emergency derogation from AI authority controls. The activation record, emergency action log, and post-incident review together constitute the evidentiary package for demonstrating that emergency overrides were controlled and accountable.",
            "actions": [
              "Confirm that the break-glass policy defines the legal basis for emergency derogation from authority controls and the conditions under which it is permissible.",
              "Verify that break-glass activation records identify the named principals who authorized the activation and the legal or operational basis for the declaration.",
              "Ensure that the post-incident review includes a legal assessment of any actions taken under break-glass authority that may have created commitments or obligations."
            ],
            "failure_signals": [
              "Break-glass activations for which no multi-principal authorization record exists.",
              "Emergency action logs that are incomplete or were not created during a break-glass period, making it impossible to reconstruct what occurred.",
              "Post-incident reviews that do not address the legal implications of actions taken under break-glass authority."
            ]
          },
          "cfo_procurement": {
            "summary": "Break-glass activations may authorize AI procurement actions that would normally require multi-party approval. The emergency action log and post-incident review must capture and ratify any financial commitments made under break-glass authority.",
            "actions": [
              "Confirm that the post-incident review for break-glass activations includes a financial reconciliation of all procurement commitments made under emergency authority.",
              "Require that emergency procurement commitments above the normal materiality threshold are ratified by the appropriate financial authority in the post-incident review.",
              "Include break-glass activation history and emergency procurement commitment totals in the periodic finance risk reporting package."
            ],
            "failure_signals": [
              "Post-incident reviews that do not include a financial reconciliation of commitments made under break-glass authority.",
              "Emergency procurement commitments that were not ratified in the post-incident review, leaving them without standard multi-party authorization.",
              "Break-glass activations used to avoid multi-party approval requirements for procurement commitments that were not genuinely emergencies."
            ]
          },
          "risk_officer": {
            "summary": "Break-glass is a controlled risk acceptance event. Every activation represents a period during which normal authority controls are suspended, and the risk framework must treat activations as material risk events requiring immediate notification and timely review.",
            "actions": [
              "Define break-glass activation as a Tier 1 risk event requiring immediate notification to risk leadership and inclusion in the AI risk monitoring dashboard.",
              "Set maximum permitted break-glass duration based on the risk tier of the AI system and require risk approval for any duration extension.",
              "Conduct a pattern review of break-glass activations annually to identify whether emergency overrides are being used inappropriately in non-emergency scenarios."
            ],
            "failure_signals": [
              "Break-glass activations not appearing in the AI risk monitoring dashboard as material risk events.",
              "Duration extensions granted without risk leadership approval, indicating the time-limit controls are not being enforced.",
              "Annual pattern review identifying recurring break-glass activations that do not correspond to documented emergency events."
            ]
          },
          "grc_auditor": {
            "summary": "Break-glass controls must be audited for both the design quality of the activation mechanism and the appropriateness of individual activations. Auditors should verify that each activation was genuinely justified and that post-incident reviews were completed.",
            "actions": [
              "Inspect all break-glass activation records from the audit period to verify multi-principal authorization, declared scope, and oversight notification completion.",
              "Review emergency action logs for completeness and confirm that all actions taken under break-glass authority are captured.",
              "Verify that post-incident accountability reviews were completed for all activations within the defined time window."
            ],
            "failure_signals": [
              "Break-glass activations without complete multi-principal authorization records or oversight notification confirmations.",
              "Emergency action log gaps during break-glass periods, suggesting not all emergency actions were captured.",
              "Post-incident reviews not completed within the defined time window, or completed reviews that did not address the accountability for all emergency actions."
            ],
            "metrics": [
              "Number of break-glass activations per reporting period, trended to identify patterns of inappropriate use",
              "Percentage of break-glass activations with a completed post-incident review within the defined closure window (target: 100%)",
              "Mean break-glass duration in hours per activation (alert threshold: exceeding the defined maximum duration)"
            ]
          },
          "board_governance": {
            "summary": "Break-glass is the highest-risk operational mechanism in the AI authority control plane. The board should confirm that its activation is tightly controlled, that each activation is reported to board risk oversight, and that the mechanism cannot be used to systematically bypass authority controls.",
            "actions": [
              "Confirm that the board risk committee receives notification of all break-glass activations, either immediately or in the next scheduled reporting cycle depending on materiality.",
              "Request an annual review of break-glass activation history and post-incident review outcomes as part of AI governance reporting.",
              "Ensure that the AI governance policy prohibits the use of break-glass for situations that are operationally inconvenient rather than genuinely emergent."
            ],
            "failure_signals": [
              "Break-glass activations not reported to the board risk committee.",
              "No annual review of break-glass activation history in board AI governance reporting.",
              "Break-glass activations that appear to be operational workarounds rather than genuine emergency responses, indicating control erosion."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "nist_rmf",
            "ref": "MANAGE 4.3",
            "title": "Incidents and errors are communicated to relevant AI actors; processes for tracking, responding to, and recovering from incidents are followed and documented",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Break-glass mandates oversight notification and post-incident review, partially addressing MANAGE 4.3 incident communication and recovery.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Break-glass mandates oversight notification and post-incident review, partially addressing MANAGE 4.3 incident communication and recovery.",
            "requirement_id": "MANAGE 4.3 \u2014 Incidents and errors are communicated to relevant AI actors; processes for tracking, responding to, and recovering from incidents are followed and documented",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a7 4.6",
            "title": "Compliance risk assessment",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "Controlled override procedures relate to compliance risk but are not the \u00a74.6 risk assessment itself.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Controlled override procedures relate to compliance risk but are not the \u00a74.6 risk assessment itself.",
            "requirement_id": "\u00a7 4.6 \u2014 Compliance risk assessment",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "IR-4",
            "title": "Incident Handling",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Formally declared, time-bounded break-glass with post-incident review partially implements IR-4 incident handling.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Formally declared, time-bounded break-glass with post-incident review partially implements IR-4 incident handling.",
            "requirement_id": "IR-4 \u2014 Incident Handling",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Break-Glass Account Procedure \u2014 SCP Exception with Full Audit",
            "rationale": "AWS recommends maintaining dedicated break-glass accounts with defined SCP exceptions for emergency override scenarios. All break-glass account activity is captured by CloudTrail, creating a complete, tamper-evident record of every emergency action. Break-glass credentials should be held in secure vault storage (for example, AWS Secrets Manager) with access restricted to specific emergency roles, ensuring that emergency overrides are governed, audited, and time-bounded.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "AWS break-glass accounts with SCP exceptions and full CloudTrail audit partially implement governed emergency override.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud PAM Emergency Access \u2014 Justified Time-Bounded Break-Glass",
            "rationale": "Google Cloud Privileged Access Manager supports emergency access grants with mandatory justification requirements and automatic time-bounded expiry. Break-glass scenarios are handled through PAM emergency entitlements that record the justification, approver identity (or bypass conditions), and access window, providing governed break-glass access with complete audit trail and automatic revocation.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "PAM justified, time-bounded emergency grants with audit partially implement governed break-glass.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Privileged Access + Okta Workflows \u2014 Emergency Override Governance",
            "rationale": "Okta Privileged Access supports governed break-glass access patterns with justification capture and time-bounded validity, and Okta Workflows can automate emergency issuance and expiry handling. Emergency access events are recorded in the Okta System Log with principal identity and justification context, enabling post-incident review of every break-glass authorization event.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta Privileged Access and Workflows provide justified, time-bounded emergency access with logging, partially implementing break-glass.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure PIM Emergency Access \u2014 Governed Break-Glass Activation",
            "rationale": "Azure Privileged Identity Management (PIM) emergency activation supports governed break-glass access with required justification, mandatory MFA, and automatic role expiry. Microsoft recommends maintaining documented emergency override procedures in the Responsible AI governance framework, ensuring break-glass events are traceable to an accountable principal with a declared justification.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure PIM emergency activation with justification, MFA, and auto-expiry partially implements governed break-glass.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "consequential-commitment"
        ],
        "implementers": [
          "Security Operations",
          "IT Operations",
          "Legal Counsel",
          "Executive Leadership"
        ],
        "validation_objective": "Every break-glass activation must be preceded by documented multi-principal authorization, must generate immediate notification to a named oversight roster, and must have a closed post-incident accountability review within the defined window. No emergency override may remain active beyond its time-limit without documented risk-leadership extension approval.",
        "evidence_required": [
          "break_glass_activation_record containing activation_id, activating_principals (minimum two), declared_scope, activation_timestamp, and oversight_notification_delivery_timestamp",
          "emergency_action_log listing every action taken under break-glass authority with actor, action, timestamp, and system affected",
          "post_incident_review_record confirming review completion timestamp, named reviewers, legal assessment outcome, and re-enablement sign-off",
          "oversight_notification_delivery_log confirming each roster member was notified within the required time window after activation"
        ],
        "machine_tests": [
          "Attempt break-glass activation signed by only one principal \u2192 assert workflow requires second principal acknowledgment before activation proceeds",
          "Complete a test break-glass activation and verify oversight notification events appear in the notification log within the defined SLA window",
          "Advance a test break-glass activation past its defined time-limit without extension \u2192 assert automatic override lapse event fires and override scope is revoked",
          "Trigger break-glass activation in a non-production environment and confirm emergency action log entries are created for each action taken under emergency authority"
        ],
        "human_review": [
          "Review each break-glass activation record from the audit period to assess whether the declared emergency justification is credible and not an operational workaround",
          "Assess whether the post-incident review for each activation addresses all actions taken under break-glass authority and includes a legal evaluation of resulting commitments",
          "Verify the break-glass activation pattern over the period for signs of inappropriate use as a routine override mechanism"
        ],
        "blocking_effect": "requires-review",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Implementing break-glass as a shared static credential or bypass code that any administrator can invoke without a formal two-principal activation workflow",
          "Self-authorization of break-glass by the same individual who will exercise the override, eliminating the multi-party control at the highest-risk moment",
          "Failing to configure an automatic time-limit on break-glass scope, allowing emergency overrides to remain active indefinitely after the triggering incident is resolved",
          "Documenting break-glass activations only in the post-incident review rather than at the moment of activation, creating an accountability gap between activation and recording",
          "Using break-glass activation to circumvent planned approval workflows when an action is operationally inconvenient rather than genuinely emergent"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PA"
      },
      {
        "id": "PA-07",
        "name": "Approval Record and Audit Trail",
        "canonical_id": "apeiris://authority/controls/PA-07",
        "layer": "PA",
        "prefix": "PA",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Maintains a tamper-evident, time-stamped audit trail of all AI system approval events, including approval grants, denials, escalations, and overrides. Audit records must capture the approver identity, decision rationale category, decision timestamp, and the AI action to which the approval applies, and must be retained for the period required by applicable regulations and internal policy.",
        "threat": {
          "context": "Missing or incomplete approval audit trails prevent post-incident analysis, create regulatory non-compliance exposure, and make it impossible to determine whether a commitment was properly authorized. Audit trail gaps are frequently discovered only at the point when they are needed for a dispute or investigation.",
          "tags": [
            "principal-accountability-gap",
            "contract-violation",
            "internal-policy-violation"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 13",
            "title": "Implements Risk Responses"
          },
          {
            "id": "iso_37301",
            "section": "\u00a7 9.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "soc2",
            "section": "CC7.2",
            "title": "The entity monitors system components and the operation of those components"
          },
          {
            "id": "nist_800_53",
            "section": "AU-12",
            "title": "Audit Record Generation"
          }
        ],
        "sources": [
          {
            "id": "coso-erm-2017",
            "title": "COSO Enterprise Risk Management: Integrating with Strategy and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management: Integrating with Strategy and Performance requirements informing the apeiris://authority/controls/PA-07 Approval Record and Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021",
            "title": "ISO 37301:2021 \u2014 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Compliance Management Systems requirements informing the apeiris://authority/controls/PA-07 Approval Record and Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aicpa-soc2",
            "title": "AICPA SOC 2 Trust Services Criteria",
            "authority": "American Institute of Certified Public Accountants",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "TSC 2017",
            "published_on": "2017-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "aicpa-soc2",
            "relationship": "normative_requirement",
            "rationale": "Establishes AICPA SOC 2 Trust Services Criteria requirements informing the apeiris://authority/controls/PA-07 Approval Record and Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-sp-800-53-r5",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Security and Privacy Controls requirements informing the apeiris://authority/controls/PA-07 Approval Record and Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PA-07 Approval Record and Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PA-07 Approval Record and Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PA-07 Approval Record and Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PA-07 Approval Record and Audit Trail control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Implement a centralized, append-only approval audit log that captures all approval events across AI systems in a structured, queryable format. Approval events are written to the log atomically with the approval decision \u2014 no approval decision takes effect unless its audit record is successfully written. The log is protected against modification by the AI systems and their operators, and is subject to independent integrity verification.",
          "steps": [
            "Define the canonical audit record schema for approval events, including fields for event type, AI system identifier, action identifier, approver identity reference, decision, decision rationale category, decision timestamp, and delegation authority reference.",
            "Implement atomic record creation: the approval decision is committed to the AI system only after the audit record has been successfully written to the append-only log.",
            "Configure independent integrity verification for the approval audit log, using techniques such as cryptographic hash chaining or external log attestation.",
            "Establish retention policies that meet or exceed the retention requirements of all applicable regulations and internal policies, with automated deletion prevention for records within the retention period."
          ],
          "anti_patterns": [
            "Writing audit records asynchronously or separately from the approval decision, creating a window where approval decisions can be taken without a corresponding audit record.",
            "Storing the approval audit log in the same system as the AI approval workflow, allowing workflow administrators to modify both the approval decision and its audit record."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that the audit record schema includes all required fields and that schema validation is enforced at record creation time.",
            "Verify that audit record creation is atomic with the approval decision \u2014 the decision cannot be recorded without a corresponding audit entry.",
            "Check that the audit log is stored in a system with independent access controls from the AI approval workflow, and that integrity verification is configured."
          ],
          "runtime_tests": [
            "Trigger an approval event and verify that an audit record is created atomically and appears in the log before the approval decision is returned to the requesting system.",
            "Attempt to modify an existing audit record and confirm the append-only protection rejects the modification.",
            "Verify that the integrity verification mechanism detects a simulated log tampering event within the defined monitoring interval."
          ],
          "evidence": [
            "Approval audit log export showing complete, structured records for all approval events during the audit period.",
            "Integrity verification reports confirming no tampering events were detected during the audit period.",
            "Retention policy documentation specifying applicable regulatory retention periods and the technical mechanism enforcing minimum retention."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "The approval audit trail is the evidentiary foundation for demonstrating that AI-initiated commitments were properly authorized. Its completeness, integrity, and retention determine whether the organization can defend itself in disputes and regulatory inquiries involving AI actions.",
            "actions": [
              "Confirm that the approval audit trail satisfies the evidentiary standards applicable to the commitment types the AI systems authorize.",
              "Verify that audit record retention periods meet or exceed all applicable regulatory retention requirements for each commitment type and jurisdiction.",
              "Ensure that the integrity verification mechanism provides evidence admissible in the applicable dispute resolution forums."
            ],
            "failure_signals": [
              "Approval audit records missing for AI-initiated commitments that are the subject of dispute or regulatory inquiry.",
              "Audit trail retention periods shorter than the applicable regulatory requirement for the commitment type.",
              "Integrity verification failures that cannot be explained, raising questions about the reliability of all records in the affected period."
            ]
          },
          "cfo_procurement": {
            "summary": "The approval audit trail for AI procurement actions is the financial accountability record that supports reconciliation, audit, and dispute resolution for AI-initiated commitments. Its completeness is a prerequisite for meaningful financial controls.",
            "actions": [
              "Confirm that approval audit records for AI procurement events include the commitment amount, vendor, and contract reference needed for financial reconciliation.",
              "Verify that the audit trail is available and queryable by the finance and internal audit functions for reconciliation and review purposes.",
              "Include approval audit trail completeness metrics in the periodic finance risk reporting package."
            ],
            "failure_signals": [
              "Approval audit records for procurement events that lack the financial context fields \u2014 amount, vendor, contract reference \u2014 needed for reconciliation.",
              "Finance and internal audit teams unable to query the approval audit trail for AI procurement events without IT intermediation.",
              "Approval audit trail completeness gaps identified during financial reconciliation for AI procurement commitments."
            ]
          },
          "risk_officer": {
            "summary": "The approval audit trail is the monitoring foundation for the entire PA control layer. Without a complete and reliable trail, anomaly detection, pattern analysis, and post-incident investigation for AI authorization events are all impaired.",
            "actions": [
              "Include approval audit trail completeness and integrity verification status in the AI risk monitoring dashboard as foundational health metrics.",
              "Define anomaly detection rules over the audit trail \u2014 such as unusual approval rates, approvals outside business hours, or concentration of approvals by a single individual \u2014 as AI authorization risk signals.",
              "Require that the approval audit trail feeds into the enterprise SIEM for correlation with other security and compliance monitoring signals."
            ],
            "failure_signals": [
              "Approval audit trail gaps \u2014 periods with no audit records for active AI systems \u2014 that are not explained by system downtime.",
              "No anomaly detection configured over the approval audit trail, leaving authorization pattern anomalies undetected.",
              "Approval audit trail data not integrated with the enterprise SIEM, preventing correlation with security monitoring."
            ]
          },
          "grc_auditor": {
            "summary": "The approval audit trail is the primary evidence source for GRC audits of the PA control layer. Auditors must verify completeness, record structure, integrity protection, and retention compliance.",
            "actions": [
              "Pull complete approval audit trail records for the audit period and verify that all approval events for in-scope AI systems are captured with required fields populated.",
              "Perform integrity verification on sampled log segments to confirm the hash chain or external attestation is intact.",
              "Verify that the retention enforcement mechanism prevents deletion of records within the minimum required retention period."
            ],
            "failure_signals": [
              "Approval events present in AI system execution logs with no corresponding audit trail record.",
              "Audit records with required fields unpopulated or with values that appear incorrect relative to the corresponding execution record.",
              "Integrity verification failures on any log segment, even if subsequently explained, indicating a gap in the control."
            ],
            "metrics": [
              "Percentage of approval events with a corresponding, complete audit trail record (target: 100%)",
              "Number of integrity verification failures detected per reporting period (target: zero)",
              "Percentage of audit records retained within the applicable regulatory minimum retention period (target: 100%)"
            ]
          },
          "board_governance": {
            "summary": "The approval audit trail is the organization's institutional memory for AI authorization decisions. Its quality determines whether the board can obtain a reliable account of AI authority governance in any period. The board should confirm that it is complete, protected, and retained.",
            "actions": [
              "Confirm that the board risk committee receives reporting on approval audit trail health \u2014 completeness and integrity \u2014 as part of periodic AI governance reporting.",
              "Ensure that the AI governance policy mandates the approval audit trail as a non-waivable control for all AI systems with commitment authority.",
              "Request that internal audit independently verify approval audit trail completeness and integrity on at least an annual basis."
            ],
            "failure_signals": [
              "No approval audit trail health metrics in board AI governance reporting, making it impossible for the board to assess the reliability of AI authorization records.",
              "Internal audit not including approval audit trail verification in its AI system audit scope.",
              "Discovery of approval audit trail gaps through an external audit or incident investigation rather than through proactive internal monitoring."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 13",
            "title": "Implements Risk Responses",
            "principle_number": 13,
            "component_name": "Performance",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "An approval audit trail records decisions, supporting but not constituting the risk responses Principle 13 addresses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "An approval audit trail records decisions, supporting but not constituting the risk responses Principle 13 addresses.",
            "requirement_id": "Principle 13 \u2014 Implements Risk Responses",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a7 9.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Tamper-evident approval records support \u00a79.1 analysis but are the record substrate rather than the monitoring activity.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Tamper-evident approval records support \u00a79.1 analysis but are the record substrate rather than the monitoring activity.",
            "requirement_id": "\u00a7 9.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "soc2",
            "ref": "CC7.2",
            "title": "The entity monitors system components for anomalies",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "An approval audit trail feeds anomaly monitoring but does not itself perform the CC7.2 detection function.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "An approval audit trail feeds anomaly monitoring but does not itself perform the CC7.2 detection function.",
            "requirement_id": "CC7.2 \u2014 The entity monitors system components for anomalies",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AU-12",
            "title": "Audit Record Generation",
            "normative_force": "voluntary-standard",
            "fit": "direct",
            "fit_rationale": "Generating a structured audit record atomically with every approval decision directly implements AU-12.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Generating a structured audit record atomically with every approval decision directly implements AU-12.",
            "requirement_id": "AU-12 \u2014 Audit Record Generation",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS CloudTrail + Audit Manager \u2014 Tamper-Evident Approval Records",
            "rationale": "AWS CloudTrail combined with AWS Audit Manager provides organization-wide tamper-evident approval records. CloudTrail log file integrity validation detects any modification or deletion of approval event logs. Audit Manager aggregates approval evidence across accounts and maps it to compliance framework controls, generating audit-ready approval trail packages that satisfy regulatory evidence requirements.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "CloudTrail integrity validation and Audit Manager packaging partially implement tamper-evident approval records.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Audit Logs \u2014 Immutable Approval Event Records",
            "rationale": "Google Cloud Admin Activity Audit Logs provide immutable records of all IAM policy decisions and approval events across the resource hierarchy. Logs cannot be disabled for admin activity events, ensuring complete approval trail coverage. Organization-level audit log sinks to Cloud Storage or BigQuery provide long-term, tamper-resistant approval record retention.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Admin Activity audit logs immutably record approval events, partially implementing the approval audit trail.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta System Log \u2014 Non-Repudiable Authorization Decision Records",
            "rationale": "Okta System Log records all authorization decisions, token issuances, and approval workflow events with cryptographically signed, tamper-resistant timestamps. System Log events include principal identity, scope granted, approval chain participants, and decision timestamps, providing a complete non-repudiable approval audit trail for all AI agent authorization events.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta System Log records signed, tamper-resistant authorization decisions, partially implementing the approval audit trail.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Purview Audit \u2014 Unified AI Authorization Audit Trail",
            "rationale": "Microsoft Purview Audit provides a unified audit trail for AI system authorization events and approval decisions across the Microsoft 365 and Azure environments. Purview audit records are immutable and retained for configurable periods, supporting regulatory evidence requirements. Integration with Microsoft Sentinel enables real-time alerting on approval audit trail gaps.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Purview immutable audit records of authorization events partially implement the approval audit trail.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "consequential-commitment",
          "procurement-ai",
          "public-company-governance"
        ],
        "implementers": [
          "IT Audit",
          "Platform Engineering",
          "Compliance",
          "Legal Counsel"
        ],
        "validation_objective": "Every AI system approval event must produce a structured, tamper-evident audit record atomically with the approval decision, such that no approval decision can take effect without a corresponding log entry containing approver identity, decision rationale category, decision timestamp, and action reference. The audit log must be retained for the full required regulatory period with integrity verification confirming no tampering.",
        "evidence_required": [
          "approval_audit_log export covering the full audit period with structured records for every approval event, each containing event_type, ai_system_id, action_id, approver_identity_ref, decision, rationale_category, decision_timestamp, and delegation_authority_ref",
          "integrity_verification_report confirming hash chain or external attestation is intact across all log segments in the audit period",
          "atomic_write_confirmation_log demonstrating approval decisions were committed only after their corresponding audit record was written",
          "retention_policy_document specifying applicable regulatory retention periods and the technical enforcement mechanism preventing early deletion"
        ],
        "machine_tests": [
          "Trigger an approval event and query the audit log immediately \u2192 assert the approval audit record exists with all required schema fields populated before the decision is returned to the requester",
          "Attempt to modify an existing approval audit record directly \u2192 assert the append-only protection rejects the modification with an error",
          "Simulate a log tampering event on a test segment \u2192 assert the integrity verification mechanism detects and alerts within the defined monitoring interval"
        ],
        "human_review": [
          "Reconcile a sample of approval audit records against the corresponding AI system execution records to confirm completeness and field accuracy",
          "Assess whether the retention enforcement mechanism covers all applicable regulatory periods for each commitment type and jurisdiction represented in the AI portfolio",
          "Review the integrity verification alert history to confirm any detected anomalies were investigated and resolved with documented outcomes"
        ],
        "blocking_effect": "advisory",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Writing approval audit records asynchronously after the approval decision, creating a window where decisions are committed without a corresponding audit entry",
          "Storing the approval audit log in the same system and access control boundary as the AI approval workflow, enabling administrators to alter both the decision and its record",
          "Using mutable storage for audit records without cryptographic hash chaining or external attestation, making tampering undetectable",
          "Omitting the approver identity reference or decision rationale category from audit records, preventing meaningful post-incident analysis",
          "Applying a single retention period to all approval records regardless of the commitment type, leading to premature deletion of records subject to longer regulatory requirements"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PA"
      },
      {
        "id": "PA-08",
        "name": "Authority Scope Change Notification",
        "canonical_id": "apeiris://authority/controls/PA-08",
        "layer": "PA",
        "prefix": "PA",
        "plane": "control",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Requires that any material change to an AI system's authority scope \u2014 including expansion of approval limits, addition of new commitment types, change of authorizing principal, or modification of escalation gate thresholds \u2014 triggers immediate notification to affected stakeholders and initiates a re-attestation workflow before the change takes effect in production.",
        "threat": {
          "context": "Unauthorized or undocumented expansions of AI authority scope create commitment exposure that stakeholders are unaware of and cannot control. Scope changes that bypass notification and re-attestation accumulate into a gap between the authority scope that governance participants believe the AI system has and the authority it actually exercises.",
          "tags": [
            "scope-creep",
            "internal-policy-violation",
            "principal-accountability-gap"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a7 6.3",
            "title": "Planning of changes"
          },
          {
            "id": "iso_42001",
            "section": "\u00a7 6.3",
            "title": "Planning of changes"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.4",
            "title": "The risk management process and its outcomes are established through transparent policies and procedures"
          }
        ],
        "sources": [
          {
            "id": "iso-37301-2021",
            "title": "ISO 37301:2021 \u2014 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Compliance Management Systems requirements informing the apeiris://authority/controls/PA-08 Authority Scope Change Notification control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PA-08 Authority Scope Change Notification control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": true,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PA-08 Authority Scope Change Notification control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PA-08 Authority Scope Change Notification control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PA-08 Authority Scope Change Notification control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PA-08 Authority Scope Change Notification control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PA-08 Authority Scope Change Notification control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Define a set of authority scope change triggers that classify changes as material (requiring notification and re-attestation before taking effect) or non-material (requiring notification within a defined lag but not a pre-change hold). Route material authority scope change notifications to the designated stakeholder roster \u2014 including legal, risk, finance, and the accountable principal \u2014 before the change is committed to the authority registry.",
          "steps": [
            "Define the authority scope change trigger taxonomy, distinguishing material changes (approval limit expansion, new commitment types, principal substitution) from non-material changes (clarifications, minor threshold adjustments within current risk acceptance).",
            "Implement a pre-change notification and re-attestation workflow for material changes that blocks the authority registry update until notification acknowledgments and re-attestation sign-offs are received.",
            "Configure the notification to include a structured change summary describing the current scope, the proposed change, and the business justification.",
            "Maintain a change history in the authority registry that records every scope change notification event and the corresponding re-attestation outcome."
          ],
          "anti_patterns": [
            "Treating approval limit adjustments within the existing principal's DoA as non-material regardless of the direction of the change \u2014 expansions of AI approval limits are always material and require notification.",
            "Sending change notifications to a generic distribution list rather than a defined stakeholder roster with named recipients who are accountable for reviewing and acknowledging the change."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that the authority scope change trigger taxonomy distinguishes material from non-material changes and that the taxonomy is published in AI governance policy.",
            "Verify that the pre-change workflow blocks the authority registry update until required notifications are acknowledged and re-attestation is complete.",
            "Check that the notification template includes a structured change summary with current scope, proposed change, and business justification."
          ],
          "runtime_tests": [
            "Submit a material authority scope change (e.g., approval limit expansion) without routing it through the notification and re-attestation workflow and confirm the registry update is blocked.",
            "Complete a material change notification workflow and verify that the authority registry update is only committed after all required acknowledgments are received.",
            "Verify that the change history in the authority registry is updated correctly following a completed scope change event."
          ],
          "evidence": [
            "Authority registry change history showing all scope change notification events during the audit period with corresponding re-attestation outcomes.",
            "Pre-change notification records with stakeholder acknowledgments for all material scope changes during the period.",
            "Registry update block logs confirming that material scope changes were held pending notification completion."
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Authority scope change notification ensures that legal counsel is informed of material changes to AI commitment authority before those changes take effect. This is essential for maintaining the legal defensibility of AI-initiated commitments and for ensuring that legal review keeps pace with evolving AI authority.",
            "actions": [
              "Confirm that legal counsel is included in the mandatory notification roster for all material AI authority scope changes.",
              "Verify that the notification template provides sufficient information for legal review \u2014 current scope, proposed change, and relevant regulatory or contractual context.",
              "Ensure that legal review of material scope changes is documented as part of the re-attestation workflow."
            ],
            "failure_signals": [
              "Material AI authority scope changes for which legal counsel was not notified or did not acknowledge receipt.",
              "Notification templates that describe scope changes in technical terms without sufficient legal context for meaningful review.",
              "Re-attestation workflows that do not require legal sign-off for scope changes with contractual or regulatory implications."
            ]
          },
          "cfo_procurement": {
            "summary": "Authority scope change notification for AI procurement systems ensures that finance leadership is informed before approval limit expansions or new commitment type authorizations take effect. It prevents authority creep from advancing silently beyond the boundaries of financial governance oversight.",
            "actions": [
              "Confirm that the CFO or delegate is included in the mandatory notification roster for all AI procurement authority scope changes.",
              "Require that any expansion of AI procurement approval limits triggers a finance leadership review before the registry update.",
              "Include a summary of AI procurement authority scope changes and re-attestation outcomes in the periodic finance risk reporting package."
            ],
            "failure_signals": [
              "AI procurement approval limits expanded without a corresponding notification to and acknowledgment from finance leadership.",
              "New AI commitment types added to procurement agent authority without a finance leadership review of the financial exposure implications.",
              "Finance risk reporting that does not include a summary of AI procurement authority scope changes during the period."
            ]
          },
          "risk_officer": {
            "summary": "Authority scope change notification closes the gap between AI authority configuration changes and enterprise risk management awareness. Without it, the risk profile of AI authority controls can change silently through configuration adjustments that bypass the risk governance process.",
            "actions": [
              "Include authority scope change notification events in the AI risk monitoring dashboard, tracking notification completion rates and re-attestation timelines.",
              "Require that material scope changes expanding AI authority undergo a risk impact assessment before re-attestation sign-off.",
              "Define a risk escalation procedure for scope change proposals that exceed the current risk acceptance boundaries established for the AI system."
            ],
            "failure_signals": [
              "AI authority scope expansions that were not preceded by a risk impact assessment, creating risk acceptance gaps.",
              "Notification completion rates below 100% for material scope changes, indicating notifications are not reliably reaching the designated stakeholders.",
              "Scope change proposals that exceed current risk acceptance boundaries being progressed through re-attestation without a risk escalation event."
            ]
          },
          "grc_auditor": {
            "summary": "Authority scope change notification is the governance control that prevents AI authority creep from advancing outside the governance framework. Auditors must verify that all material scope changes during the period were notified and re-attested before taking effect.",
            "actions": [
              "Inspect the authority registry change history to identify all scope change events during the audit period and classify each as material or non-material.",
              "Verify that all material scope changes have pre-change notification records with acknowledgments from all required stakeholders.",
              "Confirm that authority registry updates for material changes were committed only after re-attestation completion."
            ],
            "failure_signals": [
              "Authority registry scope changes classified as material for which no pre-change notification record exists.",
              "Pre-change notifications issued but not acknowledged by all required stakeholders before the registry update was committed.",
              "Material scope changes committed to the registry with a timestamp before the re-attestation completion timestamp, indicating the hold was bypassed."
            ],
            "metrics": [
              "Percentage of material authority scope changes with complete pre-change notification and re-attestation records (target: 100%)",
              "Mean time from scope change notification issuance to last required stakeholder acknowledgment in hours (alert threshold: >48 hours)",
              "Number of authority registry scope updates committed before re-attestation completion per reporting period (target: zero)"
            ]
          },
          "board_governance": {
            "summary": "Authority scope change notification ensures that changes to the AI authority posture are visible to governance stakeholders before they take effect. The board should confirm that material AI authority expansions cannot be implemented as routine configuration changes below the governance visibility threshold.",
            "actions": [
              "Confirm that material AI authority scope changes are reported to the board risk committee as part of periodic AI governance reporting.",
              "Ensure that the AI governance policy defines authority scope change as a governed event with defined notification and re-attestation requirements.",
              "Request that the annual AI governance review includes a retrospective summary of all material authority scope changes made during the year."
            ],
            "failure_signals": [
              "Material AI authority scope expansions implemented during the period that were not reflected in board governance reporting.",
              "AI governance policy that classifies authority scope changes as operational configuration updates rather than governance events.",
              "Annual AI governance review that does not include a retrospective on authority scope changes made during the year."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a7 6.3",
            "title": "Planning of changes",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Gating scope changes on notification and re-attestation reflects \u00a76.3 change planning, scoped to authority.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Gating scope changes on notification and re-attestation reflects \u00a76.3 change planning, scoped to authority.",
            "requirement_id": "\u00a7 6.3 \u2014 Planning of changes",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a7 6.3",
            "title": "Planning of changes",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Blocking authority-scope changes pending re-attestation reflects \u00a76.3 planning of changes for the AIMS.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Blocking authority-scope changes pending re-attestation reflects \u00a76.3 planning of changes for the AIMS.",
            "requirement_id": "\u00a7 6.3 \u2014 Planning of changes",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 1.4",
            "title": "The risk management process and its outcomes are established through transparent policies and procedures",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Stakeholder notification and re-attestation of scope changes reflect GOVERN 1.4 transparent procedures, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Stakeholder notification and re-attestation of scope changes reflect GOVERN 1.4 transparent procedures, partially.",
            "requirement_id": "GOVERN 1.4 \u2014 The risk management process and its outcomes are established through transparent policies and procedures",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS CloudTrail + EventBridge \u2014 SCP and IAM Policy Change Detection",
            "rationale": "AWS CloudTrail captures all AWS Organizations API calls \u2014 including SCP create, update, attach, and detach events \u2014 making it the authoritative change-detection mechanism for authority scope changes (AWS Config does not track SCPs). EventBridge rules matching these CloudTrail events can trigger automated notifications and governance review workflows whenever authority-defining policies are modified.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "CloudTrail SCP and IAM change events with EventBridge notifications partially implement scope-change detection and alerting.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Asset Inventory + Pub/Sub \u2014 Real-Time Policy Change Notification",
            "rationale": "Google Cloud Asset Inventory with Pub/Sub notifications delivers real-time alerts when organization policy constraints are modified, including changes that would alter AI system authority scope. Feed-based monitoring can trigger automated notification workflows to governance stakeholders whenever an authority-defining constraint is added, modified, or removed at any level of the resource hierarchy.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Asset Inventory feeds with Pub/Sub deliver real-time policy-change notifications, partially implementing scope-change alerting.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Event Hooks \u2014 Authorization Policy Change Notifications",
            "rationale": "Okta event hooks emit real-time notifications when authorization server policy definitions, scopes, or claims are modified. These webhooks enable immediate notification of authority scope changes to governance stakeholders, triggering review workflows before modified authorization policies take effect for AI agent token issuances.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta event hooks notify on authorization-policy changes, partially implementing scope-change notification.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure Event Grid \u2014 AI Governance Policy Change Alerts",
            "rationale": "Azure Policy change events delivered through Azure Event Grid alert stakeholders in real time when AI governance policy definitions or assignments are modified. Integration with Azure Monitor action groups ensures that authority scope changes trigger immediate notification to designated governance reviewers before the modified policy takes effect across managed resource groups.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure Policy change events via Event Grid alert governance stakeholders, partially implementing scope-change notification.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "Change Management",
          "AI Program Office",
          "Legal Counsel",
          "Risk Management"
        ],
        "validation_objective": "Every material AI authority scope change \u2014 including approval limit expansions, new commitment type additions, principal substitutions, and escalation gate threshold modifications \u2014 must be blocked from taking effect in the authority registry until pre-change notifications are acknowledged by all required stakeholders and a re-attestation sign-off is recorded. The authority registry must contain a complete change history linking each scope update to its notification and re-attestation events.",
        "evidence_required": [
          "authority_registry_change_history log listing all scope change events during the audit period with timestamps, change classification (material/non-material), and re-attestation outcome references",
          "pre_change_notification_records for all material scope changes, each showing notification content, required recipient roster, and acknowledgment timestamps from all named recipients",
          "registry_update_block_log confirming that material scope changes were held pending notification completion before the registry update was committed",
          "re_attestation_sign_off_records for all material scope changes, identifying each signatory and their sign-off timestamp"
        ],
        "machine_tests": [
          "Submit a material authority scope change (approval limit expansion) without routing through the notification workflow \u2192 assert the registry update is blocked until notification acknowledgments are received",
          "Complete a material change notification workflow for all required stakeholders and verify the registry update is committed only after the final acknowledgment is recorded",
          "Submit a non-material scope change and verify it proceeds without a pre-change hold while still generating a notification within the defined lag period"
        ],
        "human_review": [
          "Inspect all material scope changes from the audit period to verify that each expansion of AI authority was accompanied by a risk impact assessment before re-attestation sign-off",
          "Assess whether the scope change trigger taxonomy correctly classifies boundary cases \u2014 particularly approval limit expansions \u2014 as material rather than operational configuration updates",
          "Review the change history for scope expansions that bypassed the notification workflow or were committed before re-attestation was complete"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Treating upward approval limit adjustments within an existing principal's delegation as non-material configuration changes, bypassing the notification and re-attestation requirement",
          "Sending change notifications to a generic distribution alias without named recipients who are individually accountable for reviewing and acknowledging the change",
          "Committing the authority registry update before all required stakeholder acknowledgments are received, making the notification requirement advisory rather than blocking",
          "Classifying principal substitutions as administrative updates rather than material scope changes, allowing authority reassignment without legal and risk review",
          "Omitting a structured change summary from notifications, leaving recipients unable to assess the significance of the proposed scope change without requesting additional context"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PA"
      },
      {
        "id": "PA-09",
        "name": "Authority Scope Layer Evidence Package",
        "canonical_id": "apeiris://authority/controls/PA-09",
        "layer": "PA",
        "prefix": "PA",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Compile a structured authority scope layer evidence package on a quarterly basis, consolidating artifacts from PA-01 through PA-08 to demonstrate that delegation of authority chains, approval limits, and scope change notifications are documented and current. The package is a required input to the PE-08 PolicyAttestation production process.",
        "threat": {
          "context": "Without periodic structured compilation of authority scope layer evidence, the PolicyAttestation (PE-08) rests on unverified assertions from individual controls rather than compiled, reviewed, and signed layer evidence. Layer-level coverage deficiencies are only visible through compilation.",
          "tags": [
            "governance-evidence-gap",
            "attestation-unverifiable",
            "compliance-deficit"
          ]
        },
        "standard_references": [
          {
            "id": "iso_42001",
            "section": "\u00a7 9.3",
            "title": "Management review of AI governance system at planned intervals"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.5",
            "title": "Ongoing monitoring and periodic review of the risk management process and its outcomes are planned"
          },
          {
            "id": "eu_ai_act",
            "section": "Art. 17",
            "title": "Quality management system for high-risk AI"
          }
        ],
        "sources": [
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PA-09 Authority Scope Layer Evidence Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PA-09 Authority Scope Layer Evidence Package control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Define a quarterly evidence compilation process for the Authority Scope layer. Collect required artifacts from PA-01 through PA-08. Review for completeness, currency, and identified gaps. Produce a signed evidence package and submit it as input to the PE-08 PolicyAttestation production cycle.",
          "steps": [
            "Define the PA-layer evidence package schema: required_artifacts[], acceptance_criteria[], gap_register, package_owner, and review_signatories.",
            "For each control in PA-01 through PA-08, define specific required evidence artifacts and freshness criteria.",
            "Compile artifacts quarterly: generate or collect required evidence and stage for structured review.",
            "Conduct a review session to evaluate completeness, identify gaps, and assign remediation owners with deadlines.",
            "Produce a signed authority scope layer evidence package with an overall verdict and submit it as input to PE-08 PolicyAttestation.",
            "Retain the package as an immutable record for the period required by applicable regulations and internal policy."
          ],
          "anti_patterns": [
            "Treating PE-08 attestation as a substitute for per-layer evidence compilation.",
            "Compiling evidence only when an audit or regulatory inquiry is pending rather than on a recurring quarterly cycle."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that a PA-layer evidence package schema exists with defined required artifacts for each control in PA-01 through PA-08.",
            "Verify that a quarterly compilation schedule is established with named package owners and review signatories.",
            "Check that the evidence package output format is accepted as input to PE-08 attestation production."
          ],
          "runtime_tests": [
            "Verify a completed evidence package was produced in the most recent quarter with all required artifacts present.",
            "Confirm that a gap register exists and identified gaps have assigned owners and remediation deadlines.",
            "Confirm the package is signed and retained in the tamper-evident record store."
          ],
          "evidence": [
            "Signed authority scope layer evidence package for each of the four most recent quarters.",
            "Gap registers with assigned owners and remediation deadlines for any identified deficiencies.",
            "Submission record linking the package to the PE-08 attestation production cycle."
          ]
        },
        "lenses": {
          "grc_auditor": {
            "summary": "The PA-09 evidence package is the audit-ready artifact for the Authority Scope layer.",
            "actions": [
              "Request the four most recent PA-layer evidence packages and review for completeness.",
              "Verify that gap registers from prior quarters have remediation outcomes documented.",
              "Confirm the package submission record links to PE-08 attestation inputs."
            ],
            "failure_signals": [
              "Missing PA-layer evidence packages for any quarter in the audit period.",
              "Gap registers with items open for more than two consecutive quarters without documented remediation plans.",
              "Evidence packages that are unsigned or not retained in the tamper-evident record store."
            ],
            "metrics": [
              "Package completeness rate: all required artifacts present in each quarterly package (target: 100%).",
              "Gap remediation rate: all prior-quarter gaps have documented outcomes before current quarter package.",
              "Package timeliness: submitted to PE-08 attestation cycle within 10 business days of quarter end."
            ]
          },
          "general_counsel": {
            "summary": "The PA-09 package is the defensibility record for the Authority Scope layer: when a regulator, counterparty, or court asks whether the organization's delegated authority, approval limits, and escalation gates controls were operating, the quarterly package is the evidence the organization produces.",
            "actions": [
              "Confirm the package format and retention period satisfy the evidentiary requirements of applicable law and contractual audit rights before the first submission cycle.",
              "Review each quarterly package for gaps in PA-01 through PA-08 evidence that could undermine a future regulatory or litigation position.",
              "Verify that the package is signed by an identified accountable owner whose authority to certify the layer can be demonstrated."
            ],
            "failure_signals": [
              "A regulator or counterparty request for layer evidence that cannot be answered from a compiled, signed package.",
              "Packages whose contents conflict with representations previously made in disclosures or contract certifications.",
              "Retention lapses that leave quarters within the evidentiary period unrecoverable."
            ]
          },
          "cfo_procurement": {
            "summary": "The PA-09 package converts Authority Scope layer control operation into a periodic, reviewable deliverable \u2014 the artifact that lets finance and procurement rely on the layer without re-auditing individual controls each quarter.",
            "actions": [
              "Fund the compilation process as a recurring governance obligation rather than an ad hoc audit response.",
              "Require the package (or its gap register) as an input to renewal, budget, and vendor decisions that depend on delegated authority, approval limits, and escalation gates controls operating.",
              "Track the cost of gap remediation surfaced by the package to prioritize control investment."
            ],
            "failure_signals": [
              "Business decisions that assume the layer is operating when the most recent package shows open gaps.",
              "Compilation effort repeatedly funded from audit contingency rather than the governance budget.",
              "Vendor or renewal approvals proceeding in quarters with missing packages."
            ]
          },
          "risk_officer": {
            "summary": "The PA-09 package shows the risk function the current shape of delegated authority: who or what may act, up to which approval limit, and whether the quarter's scope changes were captured. Its gap register is the authoritative list of authority-scope exposures, chief among them unbounded or stale delegations and approval limits that no longer match the risk the action carries.",
            "actions": [
              "Verify that every delegation-of-authority chain in the package terminates in a named, accountable human, and flag any that does not as a priority exposure.",
              "Test a sample of approval limits against the value and irreversibility of the actions they gate, recording miscalibrated limits as risk-register items with owners.",
              "Confirm scope-change notifications from the quarter are reflected in the live authorization configuration so that granted authority and enforced authority agree.",
              "Treat any delegation carrying no expiry or review date as an open exposure and drive it to a bounded term."
            ]
          },
          "board_governance": {
            "summary": "The PA-09 package gives the board a defensible answer to who is allowed to authorize AI action and how far that authority reaches. It is the layer evidence that delegation chains and approval limits are documented, current, and bounded by the limits the board itself set.",
            "actions": [
              "Require the highest-value approval limits in force to be reported, with confirmation that they align with board-approved thresholds.",
              "Ask whether any authority is delegated without a terminating accountable human owner, and treat any such case as a governance finding.",
              "Review the volume and nature of scope changes each quarter as a signal of how fast the authority surface is expanding.",
              "Condition PolicyAttestation acceptance on the authority-scope layer being current, since a stale delegation map undermines every downstream control."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_42001",
            "requirement_id": "\u00a79.3",
            "fit": "direct",
            "rationale": "ISO/IEC 42001 \u00a79.3 requires management review at planned intervals. PA-09 provides the structured review artifact for the Authority Scope layer.",
            "normative_force": "certification-standard",
            "source_version": "2023",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "requirement_id": "GOVERN 1.5",
            "fit": "direct",
            "rationale": "NIST AI RMF GOVERN 1.5 requires planned ongoing monitoring and periodic review of the risk management process and its outcomes, with clear roles and review cadence. PA-09 instantiates this periodic layer-level review at the Authority Scope layer.",
            "normative_force": "voluntary-standard",
            "source_version": "1.0",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "eu_ai_act",
            "requirement_id": "Art. 17",
            "fit": "direct",
            "rationale": "EU AI Act Art. 17 requires a quality management system. PA-09 is the QMS artifact for the Authority Scope layer.",
            "normative_force": "binding-law",
            "source_version": "2024",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "satisfies"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "high-risk-sector"
        ],
        "implementers": [
          "GRC / Internal Audit",
          "AI Operations",
          "Risk Management"
        ],
        "validation_objective": "A signed, structured authority scope layer evidence package must be produced every quarter, containing required artifacts from PA-01 through PA-08 with completeness and freshness verified against defined acceptance criteria. The package must include a gap register with remediation owners and deadlines for any deficiencies, and must be submitted as a documented input to the PE-08 PolicyAttestation production cycle within 10 business days of quarter end.",
        "evidence_required": [
          "signed_pa_layer_evidence_package for each of the four most recent quarters, each containing required_artifacts[], gap_register, package_owner, review_signatories, and overall verdict",
          "gap_register_with_remediation entries from each quarterly package showing identified deficiencies, assigned owners, remediation deadlines, and resolution status from prior quarters",
          "pe_08_submission_record linking each quarterly package to its PE-08 PolicyAttestation production cycle input with submission timestamp",
          "artifact_completeness_checklist for each package mapping each control in PA-01 through PA-08 to its required evidence artifact and confirming presence and freshness"
        ],
        "machine_tests": [
          "Query the evidence package record store for the most recent quarter \u2192 assert a signed package exists with all required PA-01 through PA-08 artifact references populated",
          "Check the gap register from the most recent package \u2192 assert each open item has an assigned owner and a remediation deadline within the current quarter",
          "Verify the submission record for the most recent quarterly package \u2192 assert it links to the PE-08 attestation input set with a timestamp within 10 business days of quarter end"
        ],
        "human_review": [
          "Review gap registers from the prior four quarters to assess whether identified deficiencies are being remediated progressively or recurring across multiple periods",
          "Assess the overall verdict assigned to each quarterly package to confirm the determination reflects the actual completeness and freshness of the compiled artifacts rather than a pro forma pass",
          "Verify that review signatories on each package represent the appropriate cross-functional accountability \u2014 AI operations, risk management, and GRC \u2014 not just a single team"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Treating PE-08 PolicyAttestation as a substitute for per-layer evidence compilation, producing an attestation without a compiled and reviewed evidence package underlying it",
          "Compiling evidence packages only when an audit or regulatory inquiry is pending rather than on a recurring quarterly schedule independent of external triggers",
          "Producing a package with an overall pass verdict despite an incomplete artifact set, without recording the deficiencies in the gap register with assigned remediation owners",
          "Allowing the same individual who owns the evidence to be the sole signatory on the package, removing independent review from the compilation process"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PA",
        "lens_enrichment": "ap42 2026-07-08"
      },
      {
        "id": "PO-01",
        "name": "Internal Policy Register for AI Deployments",
        "canonical_id": "apeiris://authority/controls/PO-01",
        "layer": "PO",
        "prefix": "PO",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": true,
        "plain": "Maintain a structured, version-controlled register of all internal policies governing AI deployment, covering authority limits, communication constraints, and data use obligations. The register is the authoritative source for runtime policy evaluation and audit across all authority domain controls.",
        "threat": {
          "context": "Without a central policy register, AI systems operate under unverifiable or outdated authority constraints, creating undetected policy-bypass risk and making post-incident attribution infeasible.",
          "tags": [
            "policy-bypass",
            "authority-limit-breach",
            "internal-policy-violation"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a77.5",
            "title": "Documented information"
          },
          {
            "id": "iso_42001",
            "section": "\u00a77.5",
            "title": "Documented information"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.2",
            "title": "Trustworthy AI characteristics are integrated into organizational policies, processes, and procedures"
          },
          {
            "id": "nist_800_53",
            "section": "PL-1",
            "title": "Policy and Procedures"
          }
        ],
        "sources": [
          {
            "id": "src-po01-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PO-01 Internal Policy Register for AI Deployments control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po01-2",
            "title": "ISO 42001 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001 AI Management Systems requirements informing the apeiris://authority/controls/PO-01 Internal Policy Register for AI Deployments control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po01-3",
            "title": "Example adopter artifact \u2014 AI Governance Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "src-po01-4",
            "title": "NIST AI Risk Management Framework",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI Risk Management Framework requirements informing the apeiris://authority/controls/PO-01 Internal Policy Register for AI Deployments control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PO-01 Internal Policy Register for AI Deployments control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PO-01 Internal Policy Register for AI Deployments control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PO-01 Internal Policy Register for AI Deployments control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "opa_rego_docs_2024",
            "title": "Open Policy Agent \u2014 Policy Language and Documentation",
            "authority": "Cloud Native Computing Foundation (CNCF) / Styra Inc.",
            "source_type": "framework",
            "normative_force": "best-practice",
            "version": "0.68",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.openpolicyagent.org/docs/",
            "license": "open-access",
            "status": "current",
            "flagship": false,
            "source_id": "opa_rego_docs_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Open Policy Agent \u2014 Policy Language and Documentation requirements informing the apeiris://authority/controls/PO-01 Internal Policy Register for AI Deployments control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Central policy registry with machine-readable control mappings, automated deployment intake gating, and scheduled review workflows.",
          "steps": [
            "Define and publish the policy register schema covering policy ID, version, effective date, owning team, AI deployment scope, and authority domain applicability",
            "Ingest all current AI governance, authority limit, communication, and data use policies with structured metadata and full version history",
            "Gate AI deployment approvals on the presence of a current, non-expired policy register entry enforced via the deployment pipeline"
          ],
          "anti_patterns": [
            "Storing policies in unstructured document repositories without version tracking or AI deployment linkage",
            "Allowing AI systems to reach production without an explicit policy register reference in the deployment record"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify the register schema captures version, effective date, scope, owning team, and deployment linkage fields",
            "Confirm all active AI deployments have at least one current, non-expired policy register entry",
            "Validate that register modification requires dual-authorization with all changes logged and attributed"
          ],
          "runtime_tests": [
            "Attempt to initiate an AI deployment without a policy register entry and verify the workflow blocks approval",
            "Update a policy version and confirm linked AI deployments receive a review notification within one business day",
            "Query the register for deployments with expired entries and verify automated escalation fires"
          ],
          "evidence": [
            "doc:policy-register-schema-current",
            "log:deployment-policy-linkage-audit-log",
            "policy:ai-governance-policy-v3.0",
            "config:policy-register-access-control-matrix"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "The policy register provides legal defensibility by proving AI deployments operated under documented, versioned authority constraints at the time of any contested action.",
            "actions": [
              "Review register completeness against the active AI deployment inventory quarterly",
              "Require General Counsel sign-off on new or revised authority-limit policy entries before they take effect"
            ],
            "failure_signals": [
              "An AI deployment cannot produce a policy register entry during litigation discovery",
              "The policy version in effect at the time of a disputed action cannot be reconstructed from register history"
            ]
          },
          "cfo_procurement": {
            "summary": "Financial authority policies governing AI systems must appear in the register to prevent spend committed under a superseded or absent policy version.",
            "actions": [
              "Confirm AI systems with spend or commitment capability have financial authority limit policies registered",
              "Require CFO countersignature on register entries affecting commitment thresholds above materiality limits"
            ],
            "failure_signals": [
              "An AI system committed spend under a superseded policy version without a register update",
              "Financial authority policy is missing from the register for an AI system with active procurement access"
            ]
          },
          "risk_officer": {
            "summary": "Policy register completeness is a leading risk indicator; coverage gaps represent unmitigated policy-bypass exposure across the AI portfolio.",
            "actions": [
              "Track register coverage ratio as a KRI in the quarterly risk dashboard",
              "Escalate AI deployments with unresolved policy linkage gaps to the CRO within 48 hours",
              "Include policy register completeness in the annual AI risk assessment"
            ],
            "failure_signals": [
              "Register coverage falls below 100% for production AI deployments",
              "A new AI deployment has been in production more than five business days without a policy register entry"
            ]
          },
          "grc_auditor": {
            "summary": "The policy register is the primary audit artifact confirming organizational AI authority constraints are documented, current, and applied to all active deployments.",
            "actions": [
              "Sample policy register entries against the deployed AI inventory each audit cycle",
              "Verify version history and reviewer signatures on all entries modified during the audit period",
              "Test that policy constraints in the register align with runtime enforcement configuration"
            ],
            "failure_signals": [
              "Register entries lack version history or reviewer attribution",
              "The deployed AI inventory does not match register coverage"
            ],
            "metrics": [
              "Policy register coverage rate: % of active AI deployments with a current non-expired entry (target: 100%)",
              "Mean time to register update following a policy change (target: \u22645 business days)",
              "Quarterly review completion rate (target: 100%)"
            ]
          },
          "board_governance": {
            "summary": "A maintained policy register demonstrates that board governance expectations for AI authority constraints have been operationalized and remain auditable.",
            "actions": [
              "Request an annual summary of policy register coverage and gap remediation from the Compliance Officer",
              "Confirm board-approved AI governance policies are reflected in the register with correct effective dates"
            ],
            "failure_signals": [
              "A board-approved AI policy cannot be located in the register during a board inquiry",
              "A material gap between board-level governance decisions and register-documented constraints persists beyond one quarter"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "managed"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a77.5",
            "title": "Documented information",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "A version-controlled policy register is documented information under \u00a77.5 but \u00a77.5 is broader than the register.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A version-controlled policy register is documented information under \u00a77.5 but \u00a77.5 is broader than the register.",
            "requirement_id": "\u00a77.5 \u2014 Documented information",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a77.5",
            "title": "Documented information",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "The authoritative policy register maintains documented information per \u00a77.5, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "The authoritative policy register maintains documented information per \u00a77.5, partially.",
            "requirement_id": "\u00a77.5 \u2014 Documented information",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 1.2",
            "title": "Trustworthy AI characteristics are integrated into organizational policies, processes, and procedures",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "A register of AI governance policies operationalizes GOVERN 1.2 policy integration, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A register of AI governance policies operationalizes GOVERN 1.2 policy integration, partially.",
            "requirement_id": "GOVERN 1.2 \u2014 Trustworthy AI characteristics are integrated into organizational policies, processes, and procedures",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "PL-1",
            "title": "Policy and Procedures",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Maintaining an authoritative policy register partially satisfies PL-1's requirement to develop and document policies.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Maintaining an authoritative policy register partially satisfies PL-1's requirement to develop and document policies.",
            "requirement_id": "PL-1 \u2014 Policy and Procedures",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Control Tower Landing Zone \u2014 Centralized Policy Registry",
            "rationale": "AWS Control Tower maintains a centralized registry of governance guardrails (implemented as SCPs and Config rules) applied to each organizational unit. This serves as a machine-readable internal policy register for AI deployments: each guardrail represents an enforceable policy with a defined scope, target OU, and compliance status. The Control Tower dashboard provides a real-time view of policy coverage across all enrolled accounts.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Control Tower's guardrail registry is a machine-readable policy register, partially implementing PO-01 at infrastructure scope.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Organization Policy Service \u2014 Centralized Machine-Readable Policy Register",
            "rationale": "Google Cloud Organization Policy Service functions as a centralized, machine-readable register of all governance constraints applied across the resource hierarchy. Policies are queryable via API, enabling automated validation that all required constraints are in place for each AI deployment scope. Organization Policy's constraint catalog provides a canonical reference for all declared governance policies.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Org Policy Service is a centralized, queryable constraint register, partially implementing the policy register.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure Policy Initiative Assignments \u2014 AI Policy Register Implementation",
            "rationale": "Microsoft's Cloud Adoption Framework recommends using Azure Policy initiative assignments to maintain a machine-readable internal policy register for AI deployments. Initiative assignments document which policy definitions apply to which management groups, subscriptions, and resource groups, creating an auditable registry that maps each AI deployment scope to its applicable governance policies.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure Policy initiatives map policies to scopes as an auditable register, partially implementing PO-01.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "opa_rego",
            "requirement_id": "OPA Policy Language documentation (Rego)",
            "fit": "direct",
            "rationale": "Open Policy Agent (OPA) Rego provides a declarative policy language for encoding AI operating policies as machine-evaluable code; PO-01 internal policy register should define the canonical policy artifacts that are encoded in OPA-compatible form.",
            "normative_force": "best-practice",
            "source_version": "0.68",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "Compliance Officer",
          "AI Governance Lead",
          "General Counsel"
        ],
        "validation_objective": "Every active AI deployment must have at least one current, non-expired policy register entry in the authoritative policy register, and that entry must contain version, effective date, scope, owning team, and deployment linkage fields. No AI deployment may enter or remain in production without a valid policy register reference confirmed by the deployment pipeline.",
        "evidence_required": [
          "policy_register_schema_document specifying required fields including policy_id, version, effective_date, expiry_date, owning_team, ai_deployment_scope, and authority_domain_applicability",
          "deployment_policy_linkage_audit_log confirming every active AI deployment has a corresponding current policy register entry with a non-expired effective date",
          "policy_register_access_control_matrix demonstrating that register modifications require dual authorization and all changes are attributed and logged",
          "deployment_pipeline_gate_configuration showing that AI deployment approval workflows validate the presence of a current policy register entry before proceeding"
        ],
        "machine_tests": [
          "Attempt to initiate an AI deployment without a matching policy register entry \u2192 assert the deployment pipeline blocks the approval and returns a policy-registration-required error",
          "Update a policy version in the register and verify that all linked AI deployments receive a review notification within one business day",
          "Query the register for entries with an expiry_date in the past and verify that automated escalation fires for each expired entry within the defined monitoring interval"
        ],
        "human_review": [
          "Cross-reference the active AI deployment inventory against the policy register to confirm 100% coverage and identify any deployments operating without a current entry",
          "Assess whether register entries for AI systems with financial commitment authority have been countersigned by the CFO or delegate as required by internal policy",
          "Review the version history and reviewer attribution for all register entries modified during the audit period to confirm dual-authorization was applied"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Storing AI governance policies in unstructured document repositories (SharePoint folders, email threads) without version tracking or deployment linkage, preventing automated validation",
          "Allowing AI systems to reach production without an explicit policy register reference in the deployment record, relying on informal confirmation instead",
          "Maintaining a policy register that lists policies without linking them to specific AI deployments, making it impossible to determine which policy applies to which system at runtime",
          "Permitting single-person updates to policy register entries without a dual-authorization requirement, creating a risk of undocumented authority limit changes",
          "Failing to configure policy register expiry dates, allowing entries to remain nominally current long after the underlying policy has been revised or superseded"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PO"
      },
      {
        "id": "PO-02",
        "name": "Policy Version Control and Distribution",
        "canonical_id": "apeiris://authority/controls/PO-02",
        "layer": "PO",
        "prefix": "PO",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Establish version control and structured distribution workflows for all AI authority policies so that AI systems and human reviewers always operate against the current approved version. Superseded versions must be retained in an immutable archive to support audit reconstruction.",
        "threat": {
          "context": "Uncontrolled policy distribution allows AI systems to operate against stale or superseded authority constraints, creating exploitable gaps between documented governance intent and runtime enforcement.",
          "tags": [
            "policy-bypass",
            "internal-policy-violation",
            "knowledge-source-staleness"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a77.5",
            "title": "Documented information"
          },
          {
            "id": "nist_800_53",
            "section": "CM-3",
            "title": "Configuration Change Control"
          },
          {
            "id": "iso_42001",
            "section": "\u00a77.5",
            "title": "Documented information"
          }
        ],
        "sources": [
          {
            "id": "src-po02-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PO-02 Policy Version Control and Distribution control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po02-2",
            "title": "NIST SP 800-53 Rev 5 \u2014 Configuration Change Control",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Configuration Change Control requirements informing the apeiris://authority/controls/PO-02 Policy Version Control and Distribution control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po02-3",
            "title": "ISO 42001 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001 AI Management Systems requirements informing the apeiris://authority/controls/PO-02 Policy Version Control and Distribution control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po02-4",
            "title": "ISACA COBIT 2019 \u2014 Information and Technology Policy Management",
            "authority": "ISACA",
            "source_type": "framework",
            "normative_force": "best-practice",
            "version": "2019",
            "published_on": "2019-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.isaca.org/resources/cobit",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "cobit_2019",
            "relationship": "informative_reference",
            "rationale": "Establishes ISACA COBIT 2019 \u2014 Information and Technology Policy Management requirements informing the apeiris://authority/controls/PO-02 Policy Version Control and Distribution control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PO-02 Policy Version Control and Distribution control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PO-02 Policy Version Control and Distribution control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PO-02 Policy Version Control and Distribution control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Policy-as-code repository with semantic versioning, approval-gated merge, automated distribution pipeline, and immutable archive for superseded versions.",
          "steps": [
            "Store all authority policies in a version-controlled repository with semantic versioning, committer attribution, and approval gating on every merge",
            "Implement an automated distribution pipeline that pushes approved version updates to linked AI system runtime configurations within one business day",
            "Retain all superseded policy versions in an immutable archive with their effective date ranges for audit reconstruction"
          ],
          "anti_patterns": [
            "Distributing policy updates via email or informal channels without version tagging or acknowledgment tracking",
            "Overwriting superseded policy versions rather than archiving them with their effective date range"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify the policy repository enforces semantic versioning and requires an approval workflow before a version becomes effective",
            "Confirm all AI system runtime configurations reference a specific policy version rather than an unversioned policy label",
            "Validate that superseded policy versions are retained in an immutable archive with effective date metadata"
          ],
          "runtime_tests": [
            "Publish a policy version update and confirm all linked AI system configurations are updated and revalidated within one business day",
            "Attempt to deploy an AI system referencing a superseded policy version and verify the pipeline flags it as stale",
            "Retrieve the effective policy version for a historical date and confirm it matches the archive record"
          ],
          "evidence": [
            "log:policy-version-distribution-log",
            "config:ai-runtime-policy-version-references",
            "doc:policy-archive-effective-date-ranges",
            "test:policy-distribution-pipeline-test-run"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Policy version control ensures the exact authority constraint in effect at the time of a disputed AI action can be retrieved and presented as evidence.",
            "actions": [
              "Require version-controlled distribution for all policies with external legal significance",
              "Ensure archive retention spans at least the applicable statute of limitations for contract disputes"
            ],
            "failure_signals": [
              "The policy version in effect at the time of a disputed AI action cannot be retrieved from the archive",
              "Distribution records show gaps where stakeholders were not notified of a version change"
            ]
          },
          "cfo_procurement": {
            "summary": "Version-controlled financial authority policies prevent AI systems from operating under commitment thresholds that were informally revised but never formally distributed.",
            "actions": [
              "Confirm that financial authority limit changes pass through the formal version control pipeline, not informal channels",
              "Verify AI systems receive updated commitment threshold values within one business day of a policy version change"
            ],
            "failure_signals": [
              "An informal update to financial authority thresholds was not captured in the version control pipeline",
              "An AI system continued to apply an outdated commitment limit after a formal policy revision"
            ]
          },
          "risk_officer": {
            "summary": "Policy version drift between documented and runtime constraints is a systemic risk indicator; uncontrolled distribution creates exploitable policy-bypass conditions.",
            "actions": [
              "Monitor mean lag between policy approval and AI runtime configuration update as a KRI",
              "Trigger a risk exception review when an AI system is found operating against a policy version more than one revision behind current"
            ],
            "failure_signals": [
              "Mean policy distribution lag exceeds five business days for production AI systems",
              "An AI system is operating against a policy version that has been superseded more than once"
            ]
          },
          "grc_auditor": {
            "summary": "Version control and distribution logs are primary audit artifacts demonstrating that AI systems operated under current approved policy versions throughout the audit period.",
            "actions": [
              "Reconcile AI runtime policy version references against the policy version archive for each audit period",
              "Verify distribution logs show all registered consumers were notified of each version change within SLA",
              "Sample archived policy versions for completeness and immutability"
            ],
            "failure_signals": [
              "An AI runtime configuration references a policy version not found in the archive",
              "Distribution log gaps indicate policy consumers were not notified of a version change"
            ],
            "metrics": [
              "Mean policy distribution lag: hours from approval to AI runtime configuration update (target: \u226424 hours)",
              "Policy version currency rate: % of AI systems running the current approved version (target: 100%)",
              "Archive completeness: % of historical policy versions retained with effective date metadata (target: 100%)"
            ]
          },
          "board_governance": {
            "summary": "Formal version control over AI authority policies ensures governance decisions are durably captured and the board can retrieve the constraint set in effect at any historical point.",
            "actions": [
              "Require that all board-approved AI authority policy changes pass through the formal version control pipeline",
              "Confirm version control processes are included in the scope of the annual compliance program review"
            ],
            "failure_signals": [
              "A board-approved policy change was circulated informally and is absent from the version control archive",
              "The audit committee cannot retrieve the policy version in effect during a material AI action"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a77.5",
            "title": "Documented information",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Versioned policy storage with immutable archive is documented-information control under \u00a77.5, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Versioned policy storage with immutable archive is documented-information control under \u00a77.5, partially.",
            "requirement_id": "\u00a77.5 \u2014 Documented information",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a77.5",
            "title": "Documented information",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Semantic versioning and retention of superseded policies reflect \u00a77.5 documented information, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Semantic versioning and retention of superseded policies reflect \u00a77.5 documented information, partially.",
            "requirement_id": "\u00a77.5 \u2014 Documented information",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "CM-3",
            "title": "Configuration Change Control",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Approval-gated, versioned policy merges apply CM-3 configuration change control to policy-as-code.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Approval-gated, versioned policy merges apply CM-3 configuration change control to policy-as-code.",
            "requirement_id": "CM-3 \u2014 Configuration Change Control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 1.2",
            "title": "Trustworthy AI characteristics are integrated into organizational policies, processes, and procedures",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Keeping AI systems on current approved policy versions partially operationalizes GOVERN 1.2 policy integration.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Keeping AI systems on current approved policy versions partially operationalizes GOVERN 1.2 policy integration.",
            "requirement_id": "GOVERN 1.2 \u2014 Trustworthy AI characteristics are integrated into organizational policies, processes, and procedures",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Organizations + CloudTrail \u2014 SCP Change History and IaC-Based Policy Versioning",
            "rationale": "AWS Organizations does not maintain SCP version history \u2014 UpdatePolicy replaces the policy document in place \u2014 so controlled policy versioning relies on managing SCPs as infrastructure-as-code (CloudFormation or Terraform) under repository version control, with CloudTrail providing the authoritative change history. AWS Control Tower propagates updated controls to enrolled accounts when policies are modified at the management account level, keeping account-level enforcement aligned with the versioned policy source.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Managing SCPs as version-controlled IaC with CloudTrail history partially implements policy version control.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Organization Policy Dry-Run \u2014 Safe Policy Version Testing",
            "rationale": "Google Cloud Organization Policy supports dry-run and simulation modes that allow governance teams to test policy version changes against existing resource configurations before deploying them. This enables controlled policy version distribution with impact assessment before enforcement, preventing unintended operational disruption when AI governance policy versions are updated.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Org Policy dry-run testing enables controlled version rollout, partially supporting versioned distribution.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure Resource Manager Policy Versioning \u2014 Automated Policy Distribution",
            "rationale": "Azure Policy definitions are versioned through Azure Resource Manager, and Azure DevOps pipelines can automate the testing and distribution of updated policy versions across management group hierarchies. Policy assignment updates trigger automated compliance scans, ensuring that all AI deployments are evaluated against the current policy version immediately upon distribution.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure Policy ARM versioning with pipeline distribution partially implements policy version control and distribution.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "Compliance Officer",
          "AI Governance Lead"
        ],
        "validation_objective": "All AI authority policies must be stored in a version-controlled repository with semantic versioning and approval-gated merges, and every AI system runtime configuration must reference a specific approved policy version. Upon a policy version update, all linked AI system configurations must be updated to the new version within one business day, and all superseded versions must be retained in an immutable archive with their effective date ranges intact.",
        "evidence_required": [
          "policy_version_distribution_log showing each policy version publication event, the list of linked AI system configurations notified, and the timestamp of configuration update for each consumer",
          "ai_runtime_policy_version_references confirming each active AI system references a specific approved policy version rather than an unversioned label",
          "policy_archive_effective_date_ranges document confirming all superseded policy versions are retained with their start and end effective dates",
          "policy_repository_approval_log showing committer attribution and approval workflow completion for every version merge during the audit period"
        ],
        "machine_tests": [
          "Publish a new policy version and verify all linked AI system runtime configurations are updated to reference the new version within one business day",
          "Attempt to deploy an AI system referencing a superseded policy version \u2192 assert the pipeline flags the version as stale and requires acknowledgment or update before proceeding",
          "Retrieve the policy archive for a historical date within the retention period and confirm the correct effective version is returned with matching effective date range"
        ],
        "human_review": [
          "Reconcile the policy version distribution log against the AI runtime policy version references to confirm all consumers were updated following each version publication during the audit period",
          "Assess archive completeness by sampling a set of historical policy versions and confirming each is retained with accurate effective date metadata and full policy text",
          "Review the approval log for all version merges to verify that no version reached the effective state without the required approval workflow completion"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Distributing policy updates via email, Slack, or informal channels without version tagging, approval gating, or acknowledgment tracking from consuming AI system owners",
          "Overwriting superseded policy versions in-place rather than archiving them with their effective date range, destroying the ability to reconstruct the authority constraint in effect at a historical point",
          "AI system runtime configurations that reference an unversioned policy label (e.g., 'current_authority_policy') rather than a specific version identifier, making it impossible to determine which version is actually enforced",
          "Applying policy version updates to AI runtime configurations manually rather than through an automated distribution pipeline, creating version drift between organizational policy intent and runtime enforcement",
          "Setting a retention period for superseded policy versions that is shorter than the applicable statute of limitations for disputes involving AI-initiated commitments"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PO"
      },
      {
        "id": "PO-03",
        "name": "Contractual Obligation Extraction",
        "canonical_id": "apeiris://authority/controls/PO-03",
        "layer": "PO",
        "prefix": "PO",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Extract and structure binding obligations from vendor and customer contracts and map them to AI authority constraints in the policy register. This ensures contractual commitments are reflected in the authority limits governing AI action at runtime, not left to informal awareness.",
        "threat": {
          "context": "When contractual obligations are not extracted and mapped to AI constraints, AI systems may take actions that breach vendor agreements or customer commitments with no policy-layer enforcement preventing the violation.",
          "tags": [
            "contract-violation",
            "policy-bypass",
            "commitment-without-authority"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_800_53",
            "section": "SA-4",
            "title": "Acquisition Process"
          },
          {
            "id": "iso_42001",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          }
        ],
        "sources": [
          {
            "id": "src-po03-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PO-03 Contractual Obligation Extraction control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po03-2",
            "title": "NIST SP 800-53 Rev 5 \u2014 Acquisition Process",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Acquisition Process requirements informing the apeiris://authority/controls/PO-03 Contractual Obligation Extraction control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po03-3",
            "title": "Example adopter artifact \u2014 Master Services Agreement \u2014 AI Authority Obligations (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "contractual-obligation",
            "normative_force": "contractual-obligation",
            "version": "",
            "published_on": "",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "src-po03-4",
            "title": "ISO 42001 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001 AI Management Systems requirements informing the apeiris://authority/controls/PO-03 Contractual Obligation Extraction control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PO-03 Contractual Obligation Extraction control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PO-03 Contractual Obligation Extraction control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PO-03 Contractual Obligation Extraction control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Automated contract ingestion with NLP-assisted obligation extraction, structured mapping to the authority control register, and mandatory General Counsel review gate before mappings take effect.",
          "steps": [
            "Establish a contract intake pipeline that ingests executed agreements, applies obligation extraction to identify authority-relevant clauses, and produces a structured obligation manifest with source clause citations",
            "Map extracted obligations to existing authority register entries or create new entries where gaps are identified, requiring General Counsel review before mappings are finalized",
            "Link obligation manifests to AI deployment records so runtime authority evaluation reflects current contractual constraints, with re-extraction triggered on any contract amendment"
          ],
          "anti_patterns": [
            "Relying on manual contract review without a structured extraction process, leading to missed or inconsistently applied obligations",
            "Extracting obligations but failing to link them to AI deployment authority constraints, leaving the runtime unenforced"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify the obligation extraction pipeline produces a structured manifest with source contract reference, clause location, obligation type, and authority impact",
            "Confirm all executed contracts within AI-relevant scope have been processed by the extraction pipeline within 10 business days of signing",
            "Validate that mapped obligations in the authority register retain a back-reference to the source contract and clause"
          ],
          "runtime_tests": [
            "Submit a sample contract with known obligation clauses and verify the extraction pipeline correctly identifies all authority-relevant obligations",
            "Amend a contract and confirm the extraction pipeline is retriggered and the obligation manifest is updated before AI deployment continues",
            "Attempt to activate an AI deployment referencing an obligation that has not passed General Counsel review and verify it is blocked"
          ],
          "evidence": [
            "doc:obligation-extraction-manifest-sample",
            "contract:msa-2024-obligation-mapping",
            "log:contract-intake-pipeline-audit-log",
            "authority:general-counsel-obligation-review-sign-offs"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Obligation extraction translates contract language into enforceable AI authority constraints, closing the gap between legal commitments and runtime behavior.",
            "actions": [
              "Review and approve all obligation-to-authority mappings before they take effect in AI deployments",
              "Establish a contract change notification process so that obligation mappings are updated whenever a contract is amended"
            ],
            "failure_signals": [
              "An AI action violates a contract term that was never extracted or mapped to an authority constraint",
              "A contract amendment was not processed by the extraction pipeline, leaving stale obligations in the register"
            ]
          },
          "cfo_procurement": {
            "summary": "Contractual financial obligations must be extracted and reflected in AI authority limits to prevent AI-initiated spend that exceeds or conflicts with agreed terms.",
            "actions": [
              "Require that all vendor agreements with spend-relevant clauses pass through the obligation extraction pipeline before any AI system is granted procurement access",
              "Verify extracted financial obligation limits are consistent with CFO-approved authority thresholds"
            ],
            "failure_signals": [
              "An AI system exceeded a contractually agreed spend cap that was not reflected in its authority constraints",
              "A vendor contract's financial obligation clauses were not extracted prior to AI system activation"
            ]
          },
          "risk_officer": {
            "summary": "Unmapped contractual obligations represent uncontrolled liability exposure; pipeline coverage rate is a direct risk indicator for this control.",
            "actions": [
              "Track obligation extraction pipeline coverage as a KRI \u2014 % of executed contracts processed within 10 business days of signing",
              "Require risk exception sign-off for any AI deployment activated before all applicable contract obligations are extracted and mapped"
            ],
            "failure_signals": [
              "Extraction pipeline coverage falls below 100% for contracts executed in the last 90 days",
              "An AI deployment was activated without confirmed obligation extraction for all applicable agreements"
            ]
          },
          "grc_auditor": {
            "summary": "The obligation extraction manifest and authority register mappings are the primary audit artifacts demonstrating that contractual constraints were incorporated into AI authority enforcement.",
            "actions": [
              "Sample extracted obligation manifests against source contracts to verify extraction completeness",
              "Confirm all authority register entries with contractual origin have a back-reference to source contract and clause",
              "Verify General Counsel review sign-offs are present for all obligation mappings active in production"
            ],
            "failure_signals": [
              "Authority register entries reference contract obligations without a traceable source clause citation",
              "General Counsel sign-off is absent for obligation mappings active in production"
            ],
            "metrics": [
              "Obligation extraction coverage: % of executed contracts processed within 10 business days of signing (target: 100%)",
              "Mapping review completeness: % of extracted obligations with documented General Counsel review (target: 100%)",
              "Stale obligation rate: % of active obligation mappings whose source contract was amended without re-extraction (target: 0%)"
            ]
          },
          "board_governance": {
            "summary": "Systematic obligation extraction ensures the board can confirm material contractual commitments are enforced in AI authority constraints, not left to informal awareness.",
            "actions": [
              "Request annual confirmation from General Counsel that all material contracts have completed the obligation extraction process",
              "Ensure board-approved contracts involving AI systems trigger mandatory obligation extraction before AI deployment activation"
            ],
            "failure_signals": [
              "A material contract's obligations were not extracted prior to AI deployment activation",
              "The board cannot confirm obligation extraction coverage for contracts executed during the review period"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Structured extraction of contract obligations into authority constraints is operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Structured extraction of contract obligations into authority constraints is operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Mapping contractual obligations to AI authority limits is operational planning under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Mapping contractual obligations to AI authority limits is operational planning under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SA-4",
            "title": "Acquisition Process",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Capturing binding contract obligations reflects SA-4 acquisition requirements, partially, focused on obligation mapping.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Capturing binding contract obligations reflects SA-4 acquisition requirements, partially, focused on obligation mapping.",
            "requirement_id": "SA-4 \u2014 Acquisition Process",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MAP 1.1",
            "title": "Intended purposes, context-specific laws and norms, and prospective deployment settings are understood and documented",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Extracting and mapping contractual obligations documents applicable norms per MAP 1.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Extracting and mapping contractual obligations documents applicable norms per MAP 1.1, partially.",
            "requirement_id": "MAP 1.1 \u2014 Intended purposes, context-specific laws and norms, and prospective deployment settings are understood and documented",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Artifact \u2014 Compliance Documentation for Contractual Obligations",
            "rationale": "AWS Artifact provides on-demand access to AWS compliance reports, certifications, and agreements that are relevant to extracting and documenting contractual obligations for AI deployments. Data Processing Addenda, BAAs, and compliance reports available through Artifact provide the source documentation for AI system contractual obligation extraction workflows.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "AWS Artifact supplies source compliance documents for obligations but does not itself extract or map contractual obligations.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Standard v2 \u2014 Goal A1: Impact Assessment (Structured Documentation Template)",
            "rationale": "Microsoft's Responsible AI Impact Assessment template (Goal A1) provides a structured, versioned format for documenting a system's intended uses, stakeholders, and applicable obligations. The template pattern is adaptable to structured extraction of contractual obligations affecting AI deployments, though the Standard itself does not address contract parsing.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "The RAI impact-assessment template is an adaptable documentation pattern; the Standard does not address contract obligation parsing.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Assured Workloads \u2014 Regulatory Obligation Constraint Mapping",
            "rationale": "Google Assured Workloads automatically applies Organization Policy constraints derived from regulatory contractual obligations (FedRAMP, ITAR, EU GDPR) to AI workload environments. The Assured Workloads framework provides a mechanism for translating contractual compliance obligations into enforced technical constraints, supporting structured contractual obligation extraction.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Assured Workloads translates regulatory contract obligations into enforced constraints, partially supporting obligation extraction.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "contract-ai",
          "procurement-ai"
        ],
        "implementers": [
          "General Counsel",
          "Contract Management",
          "Procurement"
        ],
        "validation_objective": "Every executed contract within AI-relevant scope must be processed by the obligation extraction pipeline within 10 business days of signing, producing a structured obligation manifest with source clause citations. All extracted obligations must be mapped to authority register entries with a General Counsel review sign-off before the mapping takes effect in AI deployment authority evaluation, and no AI deployment may be activated under a contract whose obligations have not been fully extracted, mapped, and reviewed.",
        "evidence_required": [
          "obligation_extraction_manifest for each in-scope executed contract, containing source_contract_id, clause_location, obligation_type, authority_impact, and extraction_timestamp",
          "contract_intake_pipeline_audit_log showing each contract's ingestion date, extraction completion date, and days-to-extraction for SLA compliance tracking",
          "general_counsel_obligation_review_sign_offs confirming each obligation mapping was reviewed and approved by legal counsel with review_date and reviewer identity",
          "authority_register_entries_with_contractual_origin showing obligation-to-constraint mappings with back-references to the source contract and clause identifier"
        ],
        "machine_tests": [
          "Submit a sample contract with known obligation clauses through the extraction pipeline \u2192 assert all authority-relevant clauses are identified and appear in the structured manifest with correct clause location references",
          "Amend an already-processed contract and verify the extraction pipeline is retriggered automatically and produces an updated obligation manifest before the amendment effective date",
          "Attempt to activate an AI deployment under a contract whose obligations have not received General Counsel review sign-off \u2192 assert the deployment workflow is blocked with an obligation-review-pending status"
        ],
        "human_review": [
          "Sample obligation manifests against their source contracts to assess extraction completeness \u2014 specifically checking whether exclusivity clauses, spend caps, and prohibited use restrictions were captured",
          "Assess whether General Counsel review sign-offs for obligation mappings reflect substantive legal review or are being applied as a formality without documented rationale",
          "Review the obligation-to-authority-register mappings to confirm that extracted obligations have been translated into enforceable runtime constraints, not merely documented as informational records"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Relying on manual contract review by the contracting team without a structured extraction process, leading to inconsistent identification of authority-relevant obligations across the AI contract portfolio",
          "Extracting obligations from contracts but failing to link them to AI deployment authority constraints in the runtime register, leaving the contractual commitments unenforced at the system level",
          "Processing new contract obligations but not triggering re-extraction when amendments are executed, allowing stale obligation mappings to remain active while the contractual terms have changed",
          "Activating AI deployments before General Counsel review of obligation mappings is complete, treating the review as a concurrent rather than a prerequisite step",
          "Mapping broad contractual obligation categories (e.g., 'data use restrictions') to authority register entries without specifying the actual clause-level constraint, making the mapping unenforceable and unauditable"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PO"
      },
      {
        "id": "PO-04",
        "name": "Contract Term Conflict Detection",
        "canonical_id": "apeiris://authority/controls/PO-04",
        "layer": "PO",
        "prefix": "PO",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Detect and resolve conflicts between the terms of multiple active contracts that could produce contradictory authority constraints for AI systems. Unresolved conflicts must be escalated to General Counsel before AI deployments governed by the conflicting terms are activated.",
        "threat": {
          "context": "When multiple contracts impose conflicting obligations on AI authority \u2014 for example, one agreement permitting a data action another prohibits \u2014 AI systems may satisfy one contract while breaching another, creating unresolvable liability.",
          "tags": [
            "contract-violation",
            "policy-bypass",
            "authority-limit-breach"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_800_53",
            "section": "SA-4",
            "title": "Acquisition Process"
          },
          {
            "id": "iso_42001",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          }
        ],
        "sources": [
          {
            "id": "src-po04-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PO-04 Contract Term Conflict Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po04-2",
            "title": "NIST SP 800-53 Rev 5 \u2014 Acquisition Process",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Acquisition Process requirements informing the apeiris://authority/controls/PO-04 Contract Term Conflict Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po04-3",
            "title": "ISO 42001 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001 AI Management Systems requirements informing the apeiris://authority/controls/PO-04 Contract Term Conflict Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po04-4",
            "title": "ACC Legal Operations Contract Management Best Practices",
            "authority": "Association of Corporate Counsel",
            "source_type": "framework",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.acc.com/legalops",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "acc_legal_ops_contract_mgmt",
            "relationship": "informative_reference",
            "rationale": "Establishes ACC Legal Operations Contract Management Best Practices requirements informing the apeiris://authority/controls/PO-04 Contract Term Conflict Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PO-04 Contract Term Conflict Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PO-04 Contract Term Conflict Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PO-04 Contract Term Conflict Detection control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Automated conflict detection engine comparing authority constraints extracted from all active contracts, with conflict reports surfaced to General Counsel for resolution before AI deployment proceeds.",
          "steps": [
            "Build or integrate a conflict detection engine that compares authority constraints across all active obligation manifests and flags any clause pairs that produce contradictory AI authority outcomes",
            "Generate a conflict report for each detected contradiction, including source contracts, conflicting clause references, and the AI deployments affected",
            "Require General Counsel resolution sign-off on all open conflicts before any AI deployment governed by the conflicting terms may be activated or renewed"
          ],
          "anti_patterns": [
            "Permitting AI deployments to proceed while contract term conflicts remain unresolved, leaving the governing authority ambiguous",
            "Relying on human legal reviewers to detect conflicts without systematic tooling, accepting gaps proportional to review volume"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify the conflict detection engine evaluates all active obligation manifests on a scheduled basis and on every new contract ingestion",
            "Confirm that all detected conflicts produce a structured conflict report with source clause citations and affected AI deployment references",
            "Validate that no AI deployment with an open contract conflict is permitted to move to production without General Counsel resolution sign-off"
          ],
          "runtime_tests": [
            "Inject two contracts with deliberately contradictory data use clauses and verify the engine detects and reports the conflict",
            "Attempt to activate an AI deployment while a conflict affecting its authority constraints remains open and verify it is blocked",
            "Resolve a conflict and confirm the AI deployment activation gate clears within one business day"
          ],
          "evidence": [
            "log:conflict-detection-engine-run-history",
            "doc:conflict-report-sample-with-resolution-sign-off",
            "authority:general-counsel-conflict-resolution-log",
            "test:conflict-detection-synthetic-test-cases"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Contract term conflict detection surfaces unresolvable contradictions before AI systems act on ambiguous authority, protecting the organization from breaching at least one agreement regardless of the action taken.",
            "actions": [
              "Review and resolve all open conflict reports within five business days of detection",
              "Establish a conflict resolution precedence policy specifying which contract type governs when terms cannot be reconciled"
            ],
            "failure_signals": [
              "An AI system acted under authority derived from a contract term that conflicted with another active agreement",
              "Open conflict reports older than five business days exist for AI deployments that are already in production"
            ]
          },
          "cfo_procurement": {
            "summary": "Financial term conflicts between vendor agreements and customer contracts can produce AI-initiated spend that simultaneously satisfies one party and breaches another; early detection limits exposure.",
            "actions": [
              "Require conflict detection to run before any new vendor agreement is executed that overlaps scope with an existing customer commitment",
              "Escalate financial term conflicts to CFO within two business days of detection"
            ],
            "failure_signals": [
              "A financial term conflict between a vendor agreement and a customer contract was not detected before AI system activation",
              "An AI system exceeded a commitment limit permitted under one contract but prohibited under another"
            ]
          },
          "risk_officer": {
            "summary": "Undetected contract term conflicts are an unquantifiable liability; the open conflict count and mean resolution time are direct risk indicators.",
            "actions": [
              "Track open conflict count and mean resolution time as KRIs in the quarterly risk dashboard",
              "Require risk exception approval for any AI deployment that is activated while a conflict report is open"
            ],
            "failure_signals": [
              "Open conflict count for production AI deployments is greater than zero for more than five business days",
              "A conflict report was closed without documented General Counsel resolution"
            ]
          },
          "grc_auditor": {
            "summary": "Conflict detection logs and resolution sign-offs are the audit artifacts demonstrating that contradictory contract obligations were identified and resolved before AI authority was exercised.",
            "actions": [
              "Review all conflict reports generated during the audit period and confirm each has a documented resolution",
              "Verify no AI deployment was activated while a conflict affecting its authority constraints was open",
              "Sample source clause citations in conflict reports against the originating contracts"
            ],
            "failure_signals": [
              "Conflict reports lack General Counsel resolution sign-offs",
              "AI deployment records show activation during a period when an open conflict applied to its authority scope"
            ],
            "metrics": [
              "Open conflict rate: number of unresolved conflicts affecting active AI deployments (target: 0)",
              "Mean conflict resolution time: business days from detection to General Counsel sign-off (target: \u22645 days)",
              "Detection coverage: % of new contract ingestions that trigger conflict detection run (target: 100%)"
            ]
          },
          "board_governance": {
            "summary": "Conflict detection ensures the board can confirm AI systems do not operate under contradictory contractual authority, a condition that would make governance accountability impossible to assign.",
            "actions": [
              "Require quarterly reporting on open conflict counts and resolution status to the audit committee",
              "Ensure the conflict resolution precedence policy is reviewed and approved at the board level"
            ],
            "failure_signals": [
              "The board learns of an AI liability event that originated from an unresolved contract term conflict",
              "The conflict resolution precedence policy has not been reviewed in the last 12 months"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Automated detection and escalation of conflicting contract terms is operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Automated detection and escalation of conflicting contract terms is operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Resolving contradictory authority constraints before deployment is operational planning under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Resolving contradictory authority constraints before deployment is operational planning under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SA-4",
            "title": "Acquisition Process",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Detecting conflicts among acquired contract terms partially reflects SA-4 acquisition-process requirements.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Detecting conflicts among acquired contract terms partially reflects SA-4 acquisition-process requirements.",
            "requirement_id": "SA-4 \u2014 Acquisition Process",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MAP 1.1",
            "title": "Intended purposes, context-specific laws and norms, and prospective deployment settings are understood and documented",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Surfacing contradictory contractual norms partially supports MAP 1.1 documentation of applicable laws and norms.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Surfacing contradictory contractual norms partially supports MAP 1.1 documentation of applicable laws and norms.",
            "requirement_id": "MAP 1.1 \u2014 Intended purposes, context-specific laws and norms, and prospective deployment settings are understood and documented",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Config \u2014 Contractual Requirement Conflict Detection",
            "rationale": "AWS Config rules can detect resource configurations that conflict with contractual requirements (e.g., data residency violations, prohibited service usage, encryption requirements). Config conformance packs map AWS Config rules to specific contractual obligations and alert on violations, enabling automated detection of contract term conflicts before they result in compliance breaches.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "Config rules detect config-level violations of contractual requirements but not contradictions between contract clauses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Assured Workloads \u2014 Sovereign Compliance Conflict Detection",
            "rationale": "Google Assured Workloads enforces sovereign compliance constraints that prevent AI workload configurations from conflicting with data residency and regulatory contract terms. The framework uses Organization Policy constraints to deny configurations that would violate contract-specified data handling requirements, detecting and preventing conflicts at the infrastructure provisioning stage.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "Assured Workloads prevents configs conflicting with residency terms but does not detect inter-contract clause conflicts.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Purview Compliance Solutions \u2014 Contractual Conflict Detection",
            "rationale": "Microsoft Purview compliance solutions can detect data handling practices that conflict with contractual data use obligations. Purview's information protection and data governance capabilities identify when AI systems process data in ways that violate contract-specified handling requirements, generating conflict alerts before contractual breaches occur.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "Purview detects data-handling practices conflicting with obligations but not contradictions between contract terms.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "contract-ai",
          "procurement-ai"
        ],
        "implementers": [
          "General Counsel",
          "Contract Management"
        ],
        "validation_objective": "The conflict detection engine must have processed all active obligation manifests and flagged every clause pair that produces contradictory AI authority constraints, with no AI deployment governed by conflicting contract terms activated without a General Counsel resolution record on file.",
        "evidence_required": [
          "conflict_detection_run_log with run_timestamp, manifests_evaluated_count, and conflicts_detected_count per scheduled run",
          "structured conflict_report for each detected contradiction citing source_contract_ids, conflicting_clause_references, and affected_ai_deployment_ids",
          "general_counsel_resolution_record for each conflict including resolution_decision, resolved_at timestamp, and approver_signature",
          "ai_deployment_activation_gate_log showing conflict_status_check result and resolution_record_id referenced at activation time for each deployment"
        ],
        "machine_tests": [
          "Inject two synthetic contracts with contradictory data-use clauses \u2192 assert conflict_detection_run_log records a conflict report within one scheduled run cycle",
          "Attempt to activate an AI deployment while a conflict affecting its authority scope is open \u2192 assert activation is blocked with reason=open_conflict and conflict_id referenced",
          "Resolve a flagged conflict with a General Counsel sign-off record \u2192 assert the affected deployment activation gate clears within the next run cycle"
        ],
        "human_review": [
          "Review each General Counsel conflict resolution record for documented precedence rationale explaining which contract's terms govern the AI deployment",
          "Assess conflict detection engine scope configuration to confirm all active obligation manifests are included, covering new contract types added since the last review",
          "Verify the conflict resolution precedence policy is board-approved and current relative to the organization's active contract portfolio"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Permitting AI deployments to activate under authority derived from a contract whose terms are flagged as conflicting with another active agreement, treating the conflict as advisory rather than blocking",
          "Running conflict detection only at contract inception rather than continuously as new contracts are ingested and existing ones are amended",
          "Treating a General Counsel verbal acknowledgment as a resolution record without requiring a signed, timestamped resolution decision",
          "Scoping the conflict detection engine only to customer-facing contracts while excluding internal vendor agreements from the conflict analysis"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PO"
      },
      {
        "id": "PO-05",
        "name": "Data Use Policy Enforcement",
        "canonical_id": "apeiris://authority/controls/PO-05",
        "layer": "PO",
        "prefix": "PO",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Enforce enterprise data use policies as authority constraints on AI systems, ensuring AI actions involving data assets remain within the boundaries authorized by policy. Note: the privacy domain (apeiris://privacy) governs data subject rights and personal data processing rules; this control governs the enterprise policy mechanism that authorizes or restricts AI use of enterprise data assets independent of personal data protections.",
        "threat": {
          "context": "Without enforced data use policies, AI systems may access, transform, or share enterprise data assets in ways that exceed authorized scope, violating contractual confidentiality obligations or internal governance rules \u2014 even in contexts where privacy regulations do not apply.",
          "tags": [
            "policy-bypass",
            "authority-limit-breach",
            "internal-policy-violation"
          ]
        },
        "standard_references": [
          {
            "id": "eu_ai_act",
            "section": "Art. 10",
            "title": "Data and data governance"
          },
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_800_53",
            "section": "AC-23",
            "title": "Data Mining Protection"
          }
        ],
        "sources": [
          {
            "id": "src-po05-1",
            "title": "EU Artificial Intelligence Act",
            "authority": "European Parliament and Council of the European Union",
            "source_type": "regulation",
            "normative_force": "binding-law",
            "version": "2024/1689",
            "published_on": "2024-07-12",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689",
            "license": "open-access",
            "status": "current",
            "flagship": false,
            "source_id": "eu_ai_act",
            "relationship": "normative_requirement",
            "rationale": "Establishes EU Artificial Intelligence Act requirements informing the apeiris://authority/controls/PO-05 Data Use Policy Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po05-2",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PO-05 Data Use Policy Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po05-3",
            "title": "NIST SP 800-53 Rev 5 \u2014 Data Mining Protection",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Data Mining Protection requirements informing the apeiris://authority/controls/PO-05 Data Use Policy Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po05-4",
            "title": "NIST AI RMF Playbook \u2014 GOVERN 6.2",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI RMF Playbook \u2014 GOVERN 6.2 requirements informing the apeiris://authority/controls/PO-05 Data Use Policy Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PO-05 Data Use Policy Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PO-05 Data Use Policy Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PO-05 Data Use Policy Enforcement control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Data use policy constraints expressed as machine-readable rules attached to enterprise data assets and evaluated at AI request time, with audit logging of all policy decisions.",
          "steps": [
            "Define a machine-readable data use policy schema covering authorized actors, permitted actions, data asset scope, and time boundaries, attached to each governed data asset in the enterprise catalog",
            "Integrate policy evaluation into all AI data access paths so that each data request is checked against the governing policy before access is granted or denied",
            "Log every policy evaluation decision with actor, asset, action, policy version, and verdict to support audit and anomaly detection"
          ],
          "anti_patterns": [
            "Enforcing data use restrictions only at ingestion time while permitting unrestricted AI access to already-ingested data",
            "Conflating this control with privacy controls \u2014 data use policy enforcement applies to all enterprise data assets, not only personal data"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify data use policies are expressed in a machine-readable schema and attached to all enterprise data assets within AI scope",
            "Confirm AI data access paths invoke policy evaluation before granting access, with no bypass routes for privileged AI processes",
            "Validate that policy evaluation logs include the policy version in effect at the time of each decision"
          ],
          "runtime_tests": [
            "Attempt an AI data access action that exceeds the authorized scope in the governing policy and verify it is denied with a logged policy decision",
            "Update a data use policy to restrict a previously permitted action and confirm the AI system receives the restriction within one business day",
            "Query policy evaluation logs for a date range and verify completeness against the access request log for the same period"
          ],
          "evidence": [
            "config:data-use-policy-schema-and-asset-attachments",
            "log:ai-data-access-policy-evaluation-log",
            "policy:enterprise-data-use-policy-current",
            "test:data-use-policy-enforcement-test-suite"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Data use policy enforcement ensures AI systems cannot access or share enterprise data in ways that breach confidentiality obligations in vendor or customer contracts, independent of privacy law compliance.",
            "actions": [
              "Map all contractual data use restrictions to machine-readable policy rules and confirm enforcement coverage before AI activation",
              "Review data use policy evaluation logs for anomalies when contract disputes arise"
            ],
            "failure_signals": [
              "An AI system shared or transformed enterprise data in violation of a contractual confidentiality obligation not reflected in its data use policy",
              "Policy evaluation logs are incomplete for the period covering a disputed AI data action"
            ]
          },
          "cfo_procurement": {
            "summary": "Unauthorized use of enterprise data assets by AI systems can trigger breach-of-contract penalties and remediation costs; policy enforcement is a direct financial risk control.",
            "actions": [
              "Confirm that data use restrictions in material vendor agreements are reflected as enforced policy rules on the relevant data assets",
              "Include data use policy coverage in pre-AI-activation procurement checklists"
            ],
            "failure_signals": [
              "An AI system accessed proprietary data covered by a vendor agreement in a way that triggered a breach claim",
              "A data use policy covering a material contract obligation was not machine-readable or not enforced at the AI access layer"
            ]
          },
          "risk_officer": {
            "summary": "Data use policy coverage gaps directly correspond to uncontrolled AI data access risk; the coverage rate and deny-action rate are the key risk indicators for this control.",
            "actions": [
              "Track data asset policy coverage as a KRI \u2014 % of enterprise data assets within AI scope with an attached, enforced data use policy",
              "Monitor the deny-action rate in policy evaluation logs for anomalous spikes indicating attempted policy bypass"
            ],
            "failure_signals": [
              "Data asset policy coverage falls below 100% for assets within AI system scope",
              "A spike in policy evaluation denials is not investigated within 24 hours"
            ]
          },
          "grc_auditor": {
            "summary": "Policy evaluation logs and asset policy attachments are the primary audit artifacts demonstrating that AI data access remained within authorized boundaries throughout the audit period.",
            "actions": [
              "Reconcile policy evaluation logs against AI data access request logs to confirm no unlogged access occurred",
              "Sample data asset policy attachments to verify they reflect current contractual and internal data use restrictions",
              "Review denied access events for evidence of systematic policy bypass attempts"
            ],
            "failure_signals": [
              "AI data access request logs contain records not present in the policy evaluation log",
              "A data asset within AI scope lacks an attached data use policy"
            ],
            "metrics": [
              "Data asset policy coverage: % of enterprise data assets within AI scope with an attached enforced policy (target: 100%)",
              "Policy evaluation log completeness: % of AI data access requests with a corresponding policy evaluation record (target: 100%)",
              "Deny-action anomaly response time: hours from spike detection to investigation initiation (target: \u226424 hours)"
            ]
          },
          "board_governance": {
            "summary": "Data use policy enforcement provides the board with confidence that AI systems cannot access enterprise data in ways that violate material contractual obligations or internal governance decisions.",
            "actions": [
              "Request annual confirmation from General Counsel that all material data use restrictions are reflected as enforced AI policy rules",
              "Include data use policy coverage in the board's AI risk oversight dashboard"
            ],
            "failure_signals": [
              "A material data breach or contract dispute reveals that an AI system accessed data outside its authorized policy scope",
              "Board-approved data use restrictions have not been translated into machine-readable enforcement rules"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "eu_ai_act",
            "ref": "Art. 10",
            "title": "Data and data governance",
            "normative_force": "binding-law",
            "fit": "partial",
            "fit_rationale": "Enforcing machine-readable data-use policies on AI access partially addresses Art. 10 data governance for enterprise assets.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Enforcing machine-readable data-use policies on AI access partially addresses Art. 10 data governance for enterprise assets.",
            "requirement_id": "Art. 10 \u2014 Data and data governance",
            "relation": "satisfies"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Runtime evaluation of data-use policy is operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Runtime evaluation of data-use policy is operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AC-23",
            "title": "Data Mining Protection",
            "normative_force": "voluntary-standard",
            "fit": "adjacent",
            "fit_rationale": "AC-23 targets data-mining and aggregation threats specifically, related to but narrower than general data-use policy enforcement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "AC-23 targets data-mining and aggregation threats specifically, related to but narrower than general data-use policy enforcement.",
            "requirement_id": "AC-23 \u2014 Data Mining Protection",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Attaching and enforcing data-use policies on assets is operational planning under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Attaching and enforcing data-use policies on assets is operational planning under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Organizations SCP + Amazon Macie \u2014 Data Use Policy Enforcement",
            "rationale": "AWS Organizations SCPs restrict AI system data access to approved storage services and categories, while Amazon Macie enforces data classification and use restrictions at scale by identifying sensitive data patterns and detecting policy violations. Together, these services implement data use policy enforcement as an automated, organization-wide control that does not depend on individual developer compliance.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "SCP service restrictions plus Macie classification enforce data-use restrictions, partially implementing the control at scale.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Assured Workloads \u2014 Data Sovereignty and Use Restriction Enforcement",
            "rationale": "Google Assured Workloads enforces data sovereignty and use restrictions for AI workloads through managed Organization Policy constraints tied to regulatory compliance profiles. Constraints restrict data storage locations, processing service usage, and external transfer paths, implementing data use policy enforcement as a platform-level control aligned to declared contractual and regulatory obligations.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Assured Workloads enforces data residency and use restrictions via managed constraints, partially implementing data-use enforcement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure Policy + Microsoft Purview Data Governance \u2014 Automated Data Use Enforcement",
            "rationale": "Azure Policy and Microsoft Purview data governance work together to enforce data use restrictions across AI deployments, with automated remediation for non-compliant data handling patterns. Purview data map policies define permitted use for each data asset, and Azure Policy enforces that AI services only access data assets whose permitted use covers the declared operating intent.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure Policy and Purview enforce permitted-use policies on data assets, partially implementing data-use enforcement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "Privacy Officer",
          "General Counsel",
          "AI Engineering"
        ],
        "validation_objective": "Every AI data access request must be evaluated against the machine-readable data use policy attached to the target enterprise data asset before access is granted or denied, with the evaluation decision logged with actor_id, asset_id, requested_action, policy_version, and verdict \u2014 and no data asset within AI system scope may lack an attached, enforced policy.",
        "evidence_required": [
          "data_use_policy_registry listing each enterprise data asset within AI scope with attached policy_id, policy_version, and enforcement_status=active",
          "ai_data_access_policy_evaluation_log with actor_id, asset_id, requested_action, policy_id, policy_version, verdict, and evaluated_at for every AI data access request",
          "policy_evaluation_coverage_report confirming 100% of AI data access requests in the review period have a corresponding evaluation record",
          "data_use_policy_document for each governed asset, signed by the policy owner and dated within the last 12 months"
        ],
        "machine_tests": [
          "Submit an AI data access request for an asset with a policy that prohibits the requested action type \u2192 assert deny verdict with reason=policy_restriction and a logged evaluation record",
          "Attempt AI access to an enterprise data asset with no attached data use policy \u2192 assert access is blocked with error=no_policy_attached",
          "Update a data use policy to revoke a previously permitted action, then attempt that action \u2192 assert deny verdict is returned within one evaluation cycle of the policy update"
        ],
        "human_review": [
          "Reconcile AI data access request logs against policy evaluation logs for a sample period to confirm no access occurred without a corresponding evaluation record",
          "Review a sample of data asset policy documents to confirm they reflect current contractual data use restrictions and have been reviewed by the policy owner within 12 months",
          "Assess the policy evaluation logic for completeness \u2014 verify it evaluates actor identity, action type, data category, and time-boundary constraints, not just asset-level read/write permissions"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Enforcing data use policy only at initial data ingestion into AI pipelines while permitting unrestricted AI access to data already present in model context or vector stores",
          "Relying on database-level access controls as a proxy for data use policy enforcement without verifying the access control model maps to authorized-action semantics",
          "Maintaining data use policies in human-readable governance documents without machine-readable enforcement rules attached to the data assets themselves",
          "Conflating this control with privacy controls (apeiris://privacy) and treating GDPR compliance as full coverage of enterprise data use policy obligations",
          "Using a single blanket data use policy for all enterprise data assets instead of per-asset policies reflecting specific contractual and classification constraints"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PO"
      },
      {
        "id": "PO-06",
        "name": "Communication and Commitment Policy",
        "canonical_id": "apeiris://authority/controls/PO-06",
        "layer": "PO",
        "prefix": "PO",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": true,
        "plain": "Define and enforce policies governing what AI systems are authorized to communicate externally and what commitments they are permitted to make on behalf of the organization. All external communications and commitments initiated by AI must fall within explicitly documented authority limits reviewed and approved by General Counsel and Chief Risk Officer.",
        "threat": {
          "context": "Without explicit communication and commitment policies, AI systems may make representations or commitments that bind the organization to unintended obligations, creating legal liability and reputational harm from unauthorized commitments.",
          "tags": [
            "unauthorized-commitment",
            "authority-limit-breach",
            "policy-bypass"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "coso_erm",
            "section": "Principle 15",
            "title": "Assesses Substantial Change"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 2.1",
            "title": "Roles, responsibilities, and lines of communication related to AI risk management are documented and clear"
          },
          {
            "id": "nist_800_53",
            "section": "AC-5",
            "title": "Separation of Duties"
          }
        ],
        "sources": [
          {
            "id": "src-po06-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PO-06 Communication and Commitment Policy control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po06-2",
            "title": "COSO Enterprise Risk Management Framework",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management Framework requirements informing the apeiris://authority/controls/PO-06 Communication and Commitment Policy control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po06-3",
            "title": "NIST AI Risk Management Framework",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI Risk Management Framework requirements informing the apeiris://authority/controls/PO-06 Communication and Commitment Policy control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po06-4",
            "title": "Example adopter artifact \u2014 Enterprise Communications and Commitment Authority Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PO-06 Communication and Commitment Policy control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PO-06 Communication and Commitment Policy control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PO-06 Communication and Commitment Policy control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PO-06 Communication and Commitment Policy control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Enumerated communication authority matrix defining permitted statement types, commitment scopes, and escalation triggers for each AI system, enforced via pre-send policy evaluation with human-in-the-loop gates for high-stakes communications.",
          "steps": [
            "Define a communication authority matrix for each AI system specifying permitted communication types, maximum commitment values, prohibited statement categories, and mandatory escalation triggers",
            "Implement pre-send policy evaluation that classifies outbound AI communications against the authority matrix and blocks or escalates those exceeding authorized scope",
            "Require General Counsel and Chief Risk Officer joint approval of the authority matrix before any AI system with external communication capability is activated"
          ],
          "anti_patterns": [
            "Defining AI communication limits informally or only in system prompts rather than in a versioned, auditable authority matrix",
            "Permitting AI systems to make open-ended commitments without an explicit enumerated authority limit approved by legal and risk"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify a communication authority matrix exists for every AI system with external communication capability, with General Counsel and CRO approval signatures",
            "Confirm pre-send policy evaluation is implemented at every AI outbound communication path with no bypass routes",
            "Validate that all escalation triggers in the matrix are routed to a human reviewer with documented response SLAs"
          ],
          "runtime_tests": [
            "Trigger an AI system to generate a communication exceeding its authority matrix limits and verify pre-send evaluation blocks it before delivery",
            "Test escalation paths by generating a communication at an escalation trigger threshold and confirming it routes to the designated human reviewer",
            "Audit a sample of AI external communications against the authority matrix and verify all fall within authorized scope"
          ],
          "evidence": [
            "policy:doa-policy-v4.2",
            "doc:ai-communication-authority-matrix-current",
            "log:pre-send-policy-evaluation-log",
            "authority:general-counsel-cro-authority-matrix-approvals"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "The communication authority matrix defines the outer boundary of what AI systems may say or commit on the organization's behalf; it is the legal backstop against unauthorized binding representations.",
            "actions": [
              "Review and approve the communication authority matrix for every AI system with external communication capability before activation",
              "Update the matrix whenever legal, regulatory, or contractual changes alter the scope of permissible AI commitments"
            ],
            "failure_signals": [
              "An AI system made a representation later construed as a binding commitment that exceeded its documented authority matrix",
              "The communication authority matrix was not updated following a material change in the organization's contractual or regulatory obligations"
            ]
          },
          "cfo_procurement": {
            "summary": "AI-initiated commitments not bounded by an explicit financial authority limit can create unbudgeted obligations; the authority matrix is the financial control boundary for AI communications.",
            "actions": [
              "Confirm that financial commitment limits in the authority matrix are consistent with board-approved delegation of authority thresholds",
              "Require CFO review of matrix entries involving spend commitments or pricing representations"
            ],
            "failure_signals": [
              "An AI system made a pricing or spend commitment exceeding the CFO-approved limit in its authority matrix",
              "The authority matrix does not include explicit financial commitment ceilings for AI systems with commercial negotiation capability"
            ]
          },
          "risk_officer": {
            "summary": "Unauthorized AI commitments are one of the highest-consequence authority domain risks; the authority matrix coverage rate and pre-send block rate are primary risk indicators.",
            "actions": [
              "Track authority matrix coverage as a KRI \u2014 % of AI systems with external communication capability that have an approved matrix",
              "Review pre-send policy evaluation block events weekly for patterns indicating systematic authority limit pressure"
            ],
            "failure_signals": [
              "An AI system with external communication capability lacks an approved authority matrix",
              "Pre-send block rate exceeds historical baseline, suggesting AI systems are regularly attempting communications beyond authorized scope"
            ]
          },
          "grc_auditor": {
            "summary": "The authority matrix and pre-send policy evaluation log are the primary audit artifacts confirming that all AI external communications and commitments remained within documented, approved authority limits.",
            "actions": [
              "Sample AI external communications against the authority matrix for each audit period to verify compliance",
              "Confirm pre-send evaluation logs are complete and include policy version, communication classification, and verdict for every outbound AI message",
              "Verify General Counsel and CRO approval signatures are current on all active authority matrices"
            ],
            "failure_signals": [
              "Pre-send evaluation logs are incomplete for the audit period",
              "An active AI system's authority matrix lacks current General Counsel and CRO approval signatures"
            ],
            "metrics": [
              "Authority matrix coverage: % of AI systems with external capability that have an approved, current matrix (target: 100%)",
              "Pre-send evaluation coverage: % of AI external communications with a logged pre-send policy decision (target: 100%)",
              "Matrix review currency: % of authority matrices reviewed within the last 12 months (target: 100%)"
            ]
          },
          "board_governance": {
            "summary": "Communication and commitment policy is a foundational enterprise governance control; the board must confirm that AI systems cannot bind the organization beyond the limits the board has authorized.",
            "actions": [
              "Require that the aggregate communication authority limits across all AI systems be presented to the board annually for confirmation against the enterprise delegation of authority policy",
              "Ensure any AI system with material commitment authority is disclosed to the audit committee"
            ],
            "failure_signals": [
              "The aggregate AI communication authority has not been presented to the board in the last 12 months",
              "An AI system with material commitment authority was activated without audit committee disclosure"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "managed"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Pre-send evaluation against a communication authority matrix is operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Pre-send evaluation against a communication authority matrix is operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "coso_erm",
            "ref": "Principle 15",
            "title": "Assesses substantial change",
            "principle_number": 15,
            "component_name": "Review and Revision",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "A communication authority matrix bounds external statements, unrelated to Principle 15's substantial-change assessment.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "A communication authority matrix bounds external statements, unrelated to Principle 15's substantial-change assessment.",
            "requirement_id": "Principle 15 \u2014 Assesses substantial change",
            "relation": "informs"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 2.1",
            "title": "Roles, responsibilities, and lines of communication related to AI risk management are documented and clear",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Documented communication authority limits reflect GOVERN 2.1 clear communication lines, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Documented communication authority limits reflect GOVERN 2.1 clear communication lines, partially.",
            "requirement_id": "GOVERN 2.1 \u2014 Roles, responsibilities, and lines of communication related to AI risk management are documented and clear",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AC-5",
            "title": "Separation of Duties",
            "normative_force": "voluntary-standard",
            "fit": "adjacent",
            "fit_rationale": "Communication authority limits and GC/CRO approval touch oversight but are not the duty separation AC-5 requires.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Communication authority limits and GC/CRO approval touch oversight but are not the duty separation AC-5 requires.",
            "requirement_id": "AC-5 \u2014 Separation of Duties",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "Anthropic Usage Policy + Claude's Constitution \u2014 Operator Scope and Permitted Communications",
            "rationale": "Anthropic's Usage Policy (anthropic.com/legal/aup) sets binding conditions on what deployments of Claude may do, including requirements for human oversight in consequential domains, and Claude's Constitution describes Claude as acting within the scope of instructions and permissions the operator grants. Together they form the vendor-side permission model for what a deployed agent may represent or commit to on an operator's behalf; neither document is part of the RSP, which governs Anthropic's own model deployments.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "The AUP and Constitution set a vendor-side permission model for operator commitments, an analog rather than the deployer's control.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "openai_preparedness",
            "requirement_id": "OpenAI Usage Policies \u2014 Permitted Use and Representation Governance",
            "rationale": "OpenAI's Usage Policies govern what customers may build and deploy with its models, including prohibitions on deception and impersonation and requirements for disclosure and human oversight in consequential domains. Deployments that permit unauthorized commitments or misrepresentation can violate these policies and risk access termination. The policies do not prescribe per-deployment commitment-scope configuration \u2014 that remains the deployer's control to implement.",
            "normative_force": "best-practice",
            "source_version": "2",
            "fit": "adjacent",
            "fit_rationale": "OpenAI usage policies prohibit misrepresentation but leave per-deployment commitment-scope configuration to the deployer, so they are adjacent.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS SCP \u2014 AI Agent External Communication Service Restriction",
            "rationale": "AWS Organizations SCPs can restrict which services AI agents may use for external communication (e.g., denying SES, SNS, or API Gateway calls from AI workload accounts without explicit allow). This bounds the communication and commitment-making surface of AI agents at the infrastructure level, supporting the enforcement of communication policy as a platform control.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "SCPs can deny external-communication services to AI accounts, partially bounding the commitment surface at infrastructure level.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "consequential-commitment"
        ],
        "implementers": [
          "General Counsel",
          "Chief Risk Officer",
          "Communications"
        ],
        "validation_objective": "A General-Counsel-and-CRO-approved communication authority matrix must exist for every AI system with external communication capability, and every outbound AI communication must be evaluated against that matrix before transmission \u2014 with communications exceeding documented authority limits blocked or escalated, and the evaluation logged with communication_class, authority_matrix_version, and verdict.",
        "evidence_required": [
          "communication_authority_matrix for each AI system with external capability, including permitted_statement_types, max_commitment_value, prohibited_categories, escalation_triggers, general_counsel_approval_signature, and cro_approval_signature with timestamps",
          "pre_send_policy_evaluation_log with communication_id, ai_system_id, communication_class, authority_matrix_version, verdict (permit/block/escalate), and evaluated_at for every outbound AI communication",
          "escalation_routing_record for each escalated communication with escalation_trigger_matched, reviewer_id, and resolution_decision",
          "authority_matrix_review_history showing General Counsel and CRO review timestamps and revision rationale for each version"
        ],
        "machine_tests": [
          "Trigger an AI system to generate a commitment statement exceeding its documented max_commitment_value \u2192 assert pre-send evaluation blocks delivery and logs a blocked_communication_record with reason=commitment_ceiling_exceeded",
          "Generate a communication matching an escalation_trigger category in the authority matrix \u2192 assert the communication is routed to the designated human reviewer queue rather than transmitted directly",
          "Attempt to activate an AI system with external communication capability without an approved authority matrix on file \u2192 assert activation is blocked with error=no_approved_authority_matrix"
        ],
        "human_review": [
          "Review a sample of escalated communications and confirm each has a documented human resolution decision and was not transmitted without reviewer approval",
          "Assess each AI system's communication authority matrix to verify that commitment value ceilings are consistent with the enterprise delegation of authority policy approved by the board",
          "Verify that authority matrices have been reviewed and re-approved following any material change to contractual commitments, regulatory obligations, or AI system product capabilities"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Defining AI communication limits only in system prompt instructions rather than in a versioned, auditable authority matrix with documented General Counsel and CRO approval",
          "Applying pre-send policy evaluation only to high-value commitment communications while treating routine external AI communications as unscoped and unevaluated",
          "Permitting AI systems to make open-ended representations about the organization's capabilities or obligations without an explicit authority matrix entry permitting that statement type",
          "Treating the absence of an explicit prohibition as implicit authorization for AI to communicate or commit, rather than requiring explicit positive authorization for each permitted communication category"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PO"
      },
      {
        "id": "PO-07",
        "name": "Third-Party Policy Requirements",
        "canonical_id": "apeiris://authority/controls/PO-07",
        "layer": "PO",
        "prefix": "PO",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Flow down applicable enterprise AI authority policy requirements to third-party vendors and service providers that develop, operate, or support AI systems on the organization's behalf. Third-party policy compliance must be verified before vendor AI systems are granted access to enterprise resources or authorized to act for the organization.",
        "threat": {
          "context": "Third-party AI systems operating without documented authority policy requirements can take actions on behalf of the enterprise that exceed authorized scope, bypass internal controls, and create principal accountability gaps that are difficult to attribute.",
          "tags": [
            "policy-bypass",
            "procurement-bypass",
            "authority-limit-breach",
            "principal-accountability-gap"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_800_53",
            "section": "SA-9",
            "title": "External System Services"
          },
          {
            "id": "iso_42001",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          }
        ],
        "sources": [
          {
            "id": "src-po07-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PO-07 Third-Party Policy Requirements control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po07-2",
            "title": "NIST SP 800-53 Rev 5 \u2014 External System Services",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 External Information System Services requirements informing the apeiris://authority/controls/PO-07 Third-Party Policy Requirements control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po07-3",
            "title": "ISO 42001 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001 AI Management Systems requirements informing the apeiris://authority/controls/PO-07 Third-Party Policy Requirements control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po07-4",
            "title": "OECD Principles on AI",
            "authority": "Organisation for Economic Co-operation and Development",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "2024",
            "published_on": "2024-05-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://oecd.ai/en/ai-principles",
            "license": "open-access",
            "status": "current",
            "flagship": false,
            "source_id": "oecd_ai_principles",
            "relationship": "implementation_pattern",
            "rationale": "Establishes OECD Principles on AI requirements informing the apeiris://authority/controls/PO-07 Third-Party Policy Requirements control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PO-07 Third-Party Policy Requirements control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PO-07 Third-Party Policy Requirements control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PO-07 Third-Party Policy Requirements control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Third-party AI policy annex included in all vendor agreements, with pre-activation compliance verification and ongoing audit rights for the enterprise.",
          "steps": [
            "Develop a standard third-party AI authority policy annex that specifies required controls, prohibited actions, authority limit obligations, and audit rights, to be attached to all vendor agreements involving AI systems",
            "Require vendors to provide documented evidence of policy compliance \u2014 including their authority constraint configuration \u2014 before any AI system is granted access to enterprise resources",
            "Conduct annual verification reviews of third-party AI policy compliance and invoke contract remediation or termination rights where violations are identified"
          ],
          "anti_patterns": [
            "Relying on vendor SOC 2 reports as a proxy for AI authority policy compliance without verifying that authority-specific controls are within scope",
            "Activating third-party AI systems without a signed policy annex or documented compliance verification"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify all vendor agreements involving AI systems include the standard third-party AI authority policy annex with audit rights",
            "Confirm a compliance verification record exists for each third-party AI system before its activation date",
            "Validate that annual review cycles are scheduled and tracked for all active third-party AI vendor relationships"
          ],
          "runtime_tests": [
            "Attempt to activate a third-party AI system without a completed compliance verification record and verify the activation is blocked",
            "Request compliance evidence from a sample of active vendors and confirm it covers all required authority control areas",
            "Test audit rights by requesting a vendor's authority constraint configuration and confirm the vendor responds within the contractual SLA"
          ],
          "evidence": [
            "contract:vendor-ai-policy-annex-template",
            "doc:third-party-ai-compliance-verification-records",
            "log:vendor-activation-gate-checks",
            "policy:third-party-ai-requirements-policy-current"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Third-party policy requirements establish the contractual basis for holding vendors accountable when their AI systems take unauthorized actions on the organization's behalf.",
            "actions": [
              "Ensure the policy annex template is reviewed and approved by General Counsel annually and attached to all new vendor agreements",
              "Include AI authority policy compliance as a condition precedent to vendor AI system activation in all contracts"
            ],
            "failure_signals": [
              "A vendor AI system took an unauthorized action on the organization's behalf with no contractual authority policy annex in place",
              "Audit rights were not contractually secured, preventing the organization from investigating a third-party AI incident"
            ]
          },
          "cfo_procurement": {
            "summary": "Third-party AI systems without documented authority constraints represent uncapped financial exposure; the policy annex is the procurement control that sets those limits.",
            "actions": [
              "Include third-party AI policy annex execution as a procurement gate before any vendor AI system is approved for spend-affecting actions",
              "Verify that vendor authority constraint configurations cap commitment values at the enterprise-approved limits"
            ],
            "failure_signals": [
              "A third-party AI system committed spend in excess of enterprise-approved limits because no authority policy annex was in place",
              "A vendor activated its AI system for spend-affecting actions before the procurement gate was cleared"
            ]
          },
          "risk_officer": {
            "summary": "Third parties operating AI on the organization's behalf extend the authority domain risk perimeter; uncovered vendors are uncontrolled risk exposure.",
            "actions": [
              "Track third-party AI policy annex coverage as a KRI \u2014 % of vendors with active AI systems that have signed the annex and passed compliance verification",
              "Include third-party AI compliance in the annual vendor risk assessment program"
            ],
            "failure_signals": [
              "Third-party annex coverage falls below 100% for vendors with active AI systems",
              "A vendor's annual compliance review is overdue by more than 30 days"
            ]
          },
          "grc_auditor": {
            "summary": "Signed policy annexes and compliance verification records are the primary audit artifacts demonstrating that third-party AI systems operating on the enterprise's behalf were subject to documented authority requirements.",
            "actions": [
              "Verify that all active third-party AI vendor relationships have a signed policy annex on file",
              "Sample compliance verification records for completeness and confirm they cover all required authority control areas",
              "Review vendor audit responses for timeliness and completeness"
            ],
            "failure_signals": [
              "An active vendor AI relationship lacks a signed policy annex",
              "Compliance verification records are missing or incomplete for vendors activated during the audit period"
            ],
            "metrics": [
              "Third-party annex coverage: % of vendors with active AI systems that have a signed policy annex (target: 100%)",
              "Compliance verification currency: % of vendor AI relationships with a verification record updated within 12 months (target: 100%)",
              "Audit response SLA compliance: % of vendor audit requests answered within the contractual response period (target: 100%)"
            ]
          },
          "board_governance": {
            "summary": "The board must have confidence that third parties operating AI on the enterprise's behalf are subject to equivalent authority constraints, not a governance gap that creates unattributable liability.",
            "actions": [
              "Require annual reporting on third-party AI policy annex coverage and compliance verification status to the audit committee",
              "Ensure material third-party AI relationships are disclosed and their authority constraints reviewed at the board level"
            ],
            "failure_signals": [
              "Material third-party AI vendors lack signed policy annexes at the time of board review",
              "A third-party AI incident occurs that could not be investigated due to absent audit rights"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Flowing authority policy down to vendors with pre-activation verification is operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Flowing authority policy down to vendors with pre-activation verification is operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Third-party policy annex and compliance verification are operational planning under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Third-party policy annex and compliance verification are operational planning under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SA-9",
            "title": "External System Services",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Requiring vendor compliance with authority policy before access reflects SA-9 external-service provider requirements, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Requiring vendor compliance with authority policy before access reflects SA-9 external-service provider requirements, partially.",
            "requirement_id": "SA-9 \u2014 External System Services",
            "relation": "equivalent_to"
          },
          {
            "framework": "oecd_cg",
            "ref": "II.F / IV.A",
            "title": "Related party transactions \u2014 approval and disclosure",
            "normative_force": "voluntary-standard",
            "source_version": "2023",
            "fit": "adjacent",
            "fit_rationale": "Third-party AI vendor policy flow-down differs from the related-party transaction approval OECD II.F/IV.A addresses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Third-party AI vendor policy flow-down differs from the related-party transaction approval OECD II.F/IV.A addresses.",
            "requirement_id": "II.F / IV.A \u2014 Related party transactions \u2014 approval and disclosure",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Control Tower + Marketplace Governance \u2014 Third-Party Policy Compliance",
            "rationale": "AWS Control Tower governance guardrails extend to third-party software procured through AWS Marketplace by enforcing SCP-based restrictions on third-party service activation and configuration. Organizations can require that third-party AI components comply with organizational governance standards before deployment, implementing third-party policy requirements as preventive controls.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Control Tower guardrails can require third-party components meet standards before deployment, partially enforcing third-party policy.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Org Policy \u2014 Third-Party Integration Restriction",
            "rationale": "Google Cloud Organization Policy constraints can restrict the types of third-party integrations and marketplace solutions AI systems may use across the resource hierarchy. Constraints on external API usage and approved service categories enforce that third-party components meet organizational policy requirements before they can be integrated into AI deployments.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Org Policy constraints restrict third-party integrations to approved categories, partially enforcing third-party policy requirements.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "procurement-ai",
          "contract-ai"
        ],
        "implementers": [
          "Procurement",
          "General Counsel",
          "Vendor Management"
        ],
        "validation_objective": "Every vendor agreement involving an AI system must include a signed third-party AI authority policy annex before that AI system is granted access to enterprise resources or authorized to act on the organization's behalf, with documented compliance verification evidence on file confirming the vendor's authority constraint configuration meets all required controls.",
        "evidence_required": [
          "vendor_agreement_register listing all active vendors with AI systems, each with policy_annex_status (signed/unsigned), annex_version, signed_at timestamp, and audit_rights_confirmed flag",
          "third_party_compliance_verification_record for each vendor AI system with controls_verified[], evidence_reviewed[], verifier_id, verification_date, and pass/fail verdict per required control area",
          "vendor_activation_gate_log showing compliance_verification_record_id referenced at AI system activation time for each third-party deployment",
          "annual_vendor_review_record with completion_date, findings_summary, and remediation_actions for each active vendor relationship"
        ],
        "machine_tests": [
          "Attempt to activate a third-party AI system without a completed compliance verification record on file \u2192 assert activation is blocked with reason=missing_compliance_verification",
          "Submit a vendor activation request with policy_annex_status=unsigned \u2192 assert the activation workflow blocks progression with error=unsigned_policy_annex",
          "Set a vendor's annual review date to overdue status \u2192 assert a compliance alert is generated and routed to the Vendor Management queue within one business day"
        ],
        "human_review": [
          "Sample compliance verification records for three active vendor AI relationships and assess whether evidence reviewed covers all required authority control areas, including authority constraint configuration documentation",
          "Review the third-party AI authority policy annex template to confirm it includes audit rights, required contract terms for authority constraint configuration, and an obligation to notify of material policy changes",
          "Evaluate annual review outcomes for completeness and confirm that identified compliance gaps resulted in documented remediation actions or contract termination proceedings"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Accepting a vendor's SOC 2 Type II report as full compliance evidence for third-party AI authority policy requirements without verifying AI-specific authority controls are within the SOC 2 scope",
          "Activating a third-party AI system on a provisional basis before policy annex execution, with intent to complete compliance formalities after the system is operational",
          "Including audit rights in the policy annex template but failing to specify the contractual response SLA, leaving the organization unable to enforce timely audit responses",
          "Conducting compliance verification at contract inception but not scheduling annual reviews, allowing vendor authority constraint configurations to drift from required standards",
          "Treating third-party policy compliance as a procurement gate only, without monitoring whether vendor AI system behavior remains within documented authority constraints during operation"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PO"
      },
      {
        "id": "PO-08",
        "name": "Policy Obligation Gap Analysis",
        "canonical_id": "apeiris://authority/controls/PO-08",
        "layer": "PO",
        "prefix": "PO",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Conduct periodic structured analyses comparing the current policy register coverage against all known obligation sources \u2014 regulatory, contractual, and internal \u2014 to identify gaps where AI authority constraints have not been defined. Identified gaps must be assigned an owner and remediated within a documented timeframe.",
        "threat": {
          "context": "As the regulatory and contractual landscape evolves, new obligations arise faster than policy registers are updated. Undetected gaps allow AI systems to operate in obligation areas with no authority constraint, enabling scope creep and policy bypass.",
          "tags": [
            "policy-bypass",
            "authority-limit-breach",
            "scope-creep"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 10",
            "title": "Identifies Risk"
          },
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "iso_42001",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          }
        ],
        "sources": [
          {
            "id": "src-po08-1",
            "title": "COSO Enterprise Risk Management Framework",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management Framework requirements informing the apeiris://authority/controls/PO-08 Policy Obligation Gap Analysis control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po08-2",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PO-08 Policy Obligation Gap Analysis control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po08-3",
            "title": "ISO 42001 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001 AI Management Systems requirements informing the apeiris://authority/controls/PO-08 Policy Obligation Gap Analysis control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-po08-4",
            "title": "NIST SP 800-53 Rev 5 \u2014 Security Assessment",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Security Assessment requirements informing the apeiris://authority/controls/PO-08 Policy Obligation Gap Analysis control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PO-08 Policy Obligation Gap Analysis control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PO-08 Policy Obligation Gap Analysis control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PO-08 Policy Obligation Gap Analysis control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Quarterly obligation gap analysis comparing all obligation sources \u2014 regulatory horizon scan, executed contracts, and internal policies \u2014 against the policy register, with a remediation backlog tracked by Compliance Officer.",
          "steps": [
            "Maintain an obligation source inventory covering regulatory obligations, executed contracts, and internal policy commitments, updated continuously via a regulatory horizon scanning process and contract intake pipeline",
            "Conduct a quarterly gap analysis comparing the obligation source inventory against the policy register to identify obligation areas with no mapped authority constraint",
            "Assign every identified gap an owner and a remediation target date, tracked in a compliance backlog reviewed by the Compliance Officer and GRC Auditor monthly"
          ],
          "anti_patterns": [
            "Conducting gap analysis only at annual audit time rather than on a continuous basis as obligations evolve",
            "Identifying gaps without assigning owners and remediation dates, resulting in a gap list that grows without resolution"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify an obligation source inventory exists and is updated continuously via regulatory horizon scanning and contract intake",
            "Confirm quarterly gap analysis reports are produced and reviewed by Compliance Officer and GRC Auditor",
            "Validate that all identified gaps have an assigned owner and a documented remediation target date"
          ],
          "runtime_tests": [
            "Introduce a simulated new regulatory obligation into the obligation source inventory and confirm it surfaces as a gap in the next analysis cycle",
            "Review the compliance backlog for gaps older than their remediation target date and verify they have been escalated",
            "Test that the gap analysis process flags the same known gaps when run against the same obligation source inventory snapshot"
          ],
          "evidence": [
            "doc:obligation-source-inventory-current",
            "log:quarterly-gap-analysis-report-history",
            "policy:gap-remediation-backlog-current",
            "test:gap-analysis-regression-test-results"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Policy obligation gap analysis identifies where the organization has accepted legal obligations \u2014 regulatory or contractual \u2014 that have not yet been operationalized as AI authority constraints.",
            "actions": [
              "Review quarterly gap analysis reports for legal risk items requiring prioritized remediation",
              "Ensure regulatory horizon scanning covers all jurisdictions in which the organization deploys AI systems"
            ],
            "failure_signals": [
              "A regulatory obligation came into effect that had not been identified by the horizon scanning process before AI systems were required to comply",
              "Gaps identified in a prior quarter remain unassigned or unremediated in the current analysis"
            ]
          },
          "cfo_procurement": {
            "summary": "Financial obligation gaps \u2014 where contracted commitments have not been translated into AI authority constraints \u2014 represent uncontrolled financial exposure that the gap analysis surfaces for remediation.",
            "actions": [
              "Review gap analysis items related to financial obligations for CFO prioritization",
              "Require that financial obligation gaps are remediated before AI systems with spending authority are renewed or expanded"
            ],
            "failure_signals": [
              "A financial obligation from an executed contract was not detected by the gap analysis before the AI system acted",
              "Financial obligation gaps remain in the remediation backlog beyond their target date"
            ]
          },
          "risk_officer": {
            "summary": "The gap count and mean gap age are direct risk exposure indicators; a growing backlog signals that the organization's obligation scope is outpacing its policy register coverage.",
            "actions": [
              "Track open gap count and mean gap age as KRIs in the quarterly risk dashboard",
              "Escalate gaps involving high-risk obligation areas to the CRO within five business days of identification"
            ],
            "failure_signals": [
              "Open gap count for high-risk obligation areas is greater than zero at the time of quarterly review",
              "Mean gap age exceeds the remediation target date for more than 20% of open items"
            ]
          },
          "grc_auditor": {
            "summary": "Gap analysis reports and the remediation backlog are the primary audit artifacts demonstrating that the organization systematically identifies and closes policy coverage gaps before they result in uncontrolled AI authority risk.",
            "actions": [
              "Review gap analysis reports for all quarters in the audit period and confirm each identified gap has a documented owner and remediation target",
              "Verify that closed gaps have corresponding policy register updates evidencing remediation",
              "Test that the obligation source inventory is current relative to the organization's regulatory and contractual landscape"
            ],
            "failure_signals": [
              "Gap analysis reports were not produced in one or more quarters during the audit period",
              "Closed gaps in the backlog lack corresponding policy register updates"
            ],
            "metrics": [
              "Open gap count: number of identified obligation gaps without a current policy register entry (target: 0 for high-risk gaps; trending to zero for all others)",
              "Mean gap age: average days from gap identification to remediation (target: \u226430 days for high-risk items)",
              "Gap analysis cadence compliance: % of scheduled quarterly analyses completed on time (target: 100%)"
            ]
          },
          "board_governance": {
            "summary": "Obligation gap analysis provides the board with systematic assurance that the AI authority control register is keeping pace with the evolving obligation landscape, rather than accumulating unmanaged gaps.",
            "actions": [
              "Request an annual summary of gap analysis findings, open items, and remediation status from the Compliance Officer",
              "Confirm that the gap analysis program covers all regulatory jurisdictions material to the organization's AI deployments"
            ],
            "failure_signals": [
              "The annual board review reveals significant obligation gaps that were not previously reported",
              "The gap analysis program does not cover a regulatory jurisdiction in which the organization is deploying AI systems"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 10",
            "title": "Identifies Risk",
            "principle_number": 10,
            "component_name": "Performance",
            "normative_force": "industry-framework",
            "fit": "partial",
            "fit_rationale": "Comparing obligation sources against the policy register to find coverage gaps partially implements Principle 10 risk identification.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Comparing obligation sources against the policy register to find coverage gaps partially implements Principle 10 risk identification.",
            "requirement_id": "Principle 10 \u2014 Identifies Risk",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Periodic gap analysis is a monitoring and evaluation activity under \u00a79.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Periodic gap analysis is a monitoring and evaluation activity under \u00a79.1, partially.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Quarterly obligation gap analysis is monitoring and evaluation under \u00a79.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Quarterly obligation gap analysis is monitoring and evaluation under \u00a79.1, partially.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "CA-7",
            "title": "Continuous Monitoring",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Recurring obligation-coverage analysis partially implements CA-7 continuous monitoring of control coverage.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Recurring obligation-coverage analysis partially implements CA-7 continuous monitoring of control coverage.",
            "requirement_id": "CA-7 \u2014 Continuous Monitoring",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "RSP v3.3 \u2014 Required Safeguards as Blocking Conditions",
            "rationale": "Under the RSP, a model whose capability assessment triggers a higher AI Safety Level may not be deployed \u2014 or must have its deployment restricted \u2014 until the corresponding Required Safeguards are in place. Unmet safeguard obligations are blocking conditions, not advisory findings, which is the pattern PO-08 generalizes: obligations identified as unmet must block rather than merely inform.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "The RSP's unmet-safeguards-block pattern is an analogous blocking principle, not the deployer's obligation gap analysis.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Asset Inventory AnalyzeOrgPolicies \u2014 Constraint Coverage Gap Identification",
            "rationale": "Cloud Asset Inventory's AnalyzeOrgPolicies API reports where organization policy constraints are applied across the resource hierarchy, enabling detection of AI workload environments where declared policy obligations are not reflected in enforced constraints. Policy Analyzer complements this on the IAM side by answering which principals hold which access, surfacing permission coverage gaps.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "AnalyzeOrgPolicies surfaces where declared constraints are unenforced, partially supporting obligation gap analysis.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "Compliance Officer",
          "GRC Auditor",
          "General Counsel"
        ],
        "validation_objective": "A quarterly obligation gap analysis must be completed comparing all obligation sources in the obligation source inventory against the policy register, with every identified gap assigned an owner and a documented remediation target date \u2014 and no high-risk obligation area may have an open, unowned gap for more than five business days after identification.",
        "evidence_required": [
          "obligation_source_inventory document listing all regulatory, contractual, and internal obligation sources with last_updated timestamp and source_type for each entry",
          "quarterly_gap_analysis_report for each of the most recent four quarters, comparing obligation_source_inventory against policy_register and identifying each gap with obligation_source_id, gap_description, and risk_classification",
          "gap_remediation_backlog with owner_id, remediation_target_date, status, and completion_evidence_ref for every identified gap, updated after each quarterly analysis",
          "regulatory_horizon_scan_log confirming continuous monitoring of applicable regulatory developments with new obligations captured in the inventory within 30 days of publication"
        ],
        "machine_tests": [
          "Insert a simulated new regulatory obligation into the obligation_source_inventory \u2192 assert it appears as an unmatched obligation in the next quarterly gap analysis report with gap_status=open",
          "Set a gap's remediation_target_date to a past date with status=open \u2192 assert an escalation alert is generated and routed to the Compliance Officer queue",
          "Run the gap analysis against an obligation_source_inventory snapshot with known gaps \u2192 assert the same gap set is produced on re-run (regression test for analysis consistency)"
        ],
        "human_review": [
          "Review the obligation_source_inventory to assess whether it reflects the current regulatory and contractual landscape for all jurisdictions in which the organization deploys AI systems, including recent regulatory changes",
          "Assess each open gap in the remediation backlog for risk classification accuracy and verify high-risk gaps have been escalated to the CRO within the required timeframe",
          "Evaluate whether closed gaps have corresponding policy register updates that materially address the identified obligation \u2014 not just nominal entries that name the obligation without defining an AI authority constraint"
        ],
        "blocking_effect": "advisory",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Conducting obligation gap analysis only when a regulatory audit or contractual dispute is anticipated rather than on a continuous quarterly cadence",
          "Identifying gaps without assigning owners and remediation target dates, producing a gap list that accumulates without driving resolution",
          "Scoping the obligation source inventory to only current regulations while excluding emerging guidance, consultation papers, and enacted-but-not-yet-effective obligations from the horizon scan",
          "Treating a policy register entry that names an obligation area as full coverage without verifying a machine-readable AI authority constraint has been defined and is enforced",
          "Treating the gap analysis as complete when it produces zero gaps without verifying that the obligation source inventory itself is comprehensive and current"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PO"
      },
      {
        "id": "PO-09",
        "name": "Policy Obligation Layer Evidence Package",
        "canonical_id": "apeiris://authority/controls/PO-09",
        "layer": "PO",
        "prefix": "PO",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Compile a structured policy obligation layer evidence package on a quarterly basis, consolidating artifacts from PO-01 through PO-08 to demonstrate that policy obligation coverage is complete, gap analysis is current, and remediation plans are active. The package is a required input to the PE-08 PolicyAttestation production process.",
        "threat": {
          "context": "Without periodic structured compilation of policy obligation layer evidence, the PolicyAttestation (PE-08) rests on unverified assertions from individual controls rather than compiled, reviewed, and signed layer evidence. Layer-level coverage deficiencies are only visible through compilation.",
          "tags": [
            "governance-evidence-gap",
            "attestation-unverifiable",
            "compliance-deficit"
          ]
        },
        "standard_references": [
          {
            "id": "iso_42001",
            "section": "\u00a7 9.3",
            "title": "Management review of AI governance system at planned intervals"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.5",
            "title": "Ongoing monitoring and periodic review of the risk management process and its outcomes are planned"
          },
          {
            "id": "eu_ai_act",
            "section": "Art. 17",
            "title": "Quality management system for high-risk AI"
          }
        ],
        "sources": [
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PO-09 Policy Obligation Layer Evidence Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PO-09 Policy Obligation Layer Evidence Package control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Define a quarterly evidence compilation process for the Policy Obligation layer. Collect required artifacts from PO-01 through PO-08. Review for completeness, currency, and identified gaps. Produce a signed evidence package and submit it as input to the PE-08 PolicyAttestation production cycle.",
          "steps": [
            "Define the PO-layer evidence package schema: required_artifacts[], acceptance_criteria[], gap_register, package_owner, and review_signatories.",
            "For each control in PO-01 through PO-08, define specific required evidence artifacts and freshness criteria.",
            "Compile artifacts quarterly: generate or collect required evidence and stage for structured review.",
            "Conduct a review session to evaluate completeness, identify gaps, and assign remediation owners with deadlines.",
            "Produce a signed policy obligation layer evidence package with an overall verdict and submit it as input to PE-08 PolicyAttestation.",
            "Retain the package as an immutable record for the period required by applicable regulations and internal policy."
          ],
          "anti_patterns": [
            "Treating PE-08 attestation as a substitute for per-layer evidence compilation.",
            "Compiling evidence only when an audit or regulatory inquiry is pending rather than on a recurring quarterly cycle."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that a PO-layer evidence package schema exists with defined required artifacts for each control in PO-01 through PO-08.",
            "Verify that a quarterly compilation schedule is established with named package owners and review signatories.",
            "Check that the evidence package output format is accepted as input to PE-08 attestation production."
          ],
          "runtime_tests": [
            "Verify a completed evidence package was produced in the most recent quarter with all required artifacts present.",
            "Confirm that a gap register exists and identified gaps have assigned owners and remediation deadlines.",
            "Confirm the package is signed and retained in the tamper-evident record store."
          ],
          "evidence": [
            "Signed policy obligation layer evidence package for each of the four most recent quarters.",
            "Gap registers with assigned owners and remediation deadlines for any identified deficiencies.",
            "Submission record linking the package to the PE-08 attestation production cycle."
          ]
        },
        "lenses": {
          "grc_auditor": {
            "summary": "The PO-09 evidence package is the audit-ready artifact for the Policy Obligation layer.",
            "actions": [
              "Request the four most recent PO-layer evidence packages and review for completeness.",
              "Verify that gap registers from prior quarters have remediation outcomes documented.",
              "Confirm the package submission record links to PE-08 attestation inputs."
            ],
            "failure_signals": [
              "Missing PO-layer evidence packages for any quarter in the audit period.",
              "Gap registers with items open for more than two consecutive quarters without documented remediation plans.",
              "Evidence packages that are unsigned or not retained in the tamper-evident record store."
            ],
            "metrics": [
              "Package completeness rate: all required artifacts present in each quarterly package (target: 100%).",
              "Gap remediation rate: all prior-quarter gaps have documented outcomes before current quarter package.",
              "Package timeliness: submitted to PE-08 attestation cycle within 10 business days of quarter end."
            ]
          },
          "general_counsel": {
            "summary": "The PO-09 package is the defensibility record for the Policy Obligation layer: when a regulator, counterparty, or court asks whether the organization's internal policy, contractual obligation, and data use enforcement controls were operating, the quarterly package is the evidence the organization produces.",
            "actions": [
              "Confirm the package format and retention period satisfy the evidentiary requirements of applicable law and contractual audit rights before the first submission cycle.",
              "Review each quarterly package for gaps in PO-01 through PO-08 evidence that could undermine a future regulatory or litigation position.",
              "Verify that the package is signed by an identified accountable owner whose authority to certify the layer can be demonstrated."
            ],
            "failure_signals": [
              "A regulator or counterparty request for layer evidence that cannot be answered from a compiled, signed package.",
              "Packages whose contents conflict with representations previously made in disclosures or contract certifications.",
              "Retention lapses that leave quarters within the evidentiary period unrecoverable."
            ]
          },
          "cfo_procurement": {
            "summary": "The PO-09 package converts Policy Obligation layer control operation into a periodic, reviewable deliverable \u2014 the artifact that lets finance and procurement rely on the layer without re-auditing individual controls each quarter.",
            "actions": [
              "Fund the compilation process as a recurring governance obligation rather than an ad hoc audit response.",
              "Require the package (or its gap register) as an input to renewal, budget, and vendor decisions that depend on internal policy, contractual obligation, and data use enforcement controls operating.",
              "Track the cost of gap remediation surfaced by the package to prioritize control investment."
            ],
            "failure_signals": [
              "Business decisions that assume the layer is operating when the most recent package shows open gaps.",
              "Compilation effort repeatedly funded from audit contingency rather than the governance budget.",
              "Vendor or renewal approvals proceeding in quarters with missing packages."
            ]
          },
          "risk_officer": {
            "summary": "The PO-09 package is where the risk function sees whether every obligation the organization is bound by is actually mapped to an operating control. Its gap register presents the layer's exposures as coverage gaps: obligations with no addressing control, partially covered obligations, and remediation plans that have stalled. An unmet obligation carried across quarters is a direct compliance and enforcement exposure.",
            "actions": [
              "Prioritize gaps where a binding obligation has no addressing control at all above gaps that are merely partial, and assign each an owner and deadline in the risk register.",
              "Track the age of every open coverage gap so obligations unresolved beyond a quarter escalate in severity automatically.",
              "Confirm remediation plans in the package are funded and moving, so gap analysis does not become a standing list that never closes.",
              "Reconcile the obligation inventory against new or amended regulation each quarter so newly binding obligations enter the coverage view promptly."
            ]
          },
          "board_governance": {
            "summary": "For the board, the PO-09 package answers whether the organization can show complete coverage of the obligations its AI activity is subject to. It is the layer evidence that obligation coverage is measured, gaps are known, and remediation is under way.",
            "actions": [
              "Ask for obligation coverage as a proportion, together with the count of obligations that currently have no addressing control.",
              "Require any obligation gap open beyond two consecutive quarters to be reported to the board with a remediation commitment.",
              "Confirm that emerging regulatory obligations are entering the coverage register before they take effect.",
              "Make PolicyAttestation acceptance conditional on no material obligation being left uncovered without an accepted, documented risk decision."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_42001",
            "requirement_id": "\u00a79.3",
            "fit": "direct",
            "rationale": "ISO/IEC 42001 \u00a79.3 requires management review at planned intervals. PO-09 provides the structured review artifact for the Policy Obligation layer.",
            "normative_force": "certification-standard",
            "source_version": "2023",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "requirement_id": "GOVERN 1.5",
            "fit": "direct",
            "rationale": "NIST AI RMF GOVERN 1.5 requires planned ongoing monitoring and periodic review of the risk management process and its outcomes, with clear roles and review cadence. PO-09 instantiates this periodic layer-level review at the Policy Obligation layer.",
            "normative_force": "voluntary-standard",
            "source_version": "1.0",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "eu_ai_act",
            "requirement_id": "Art. 17",
            "fit": "direct",
            "rationale": "EU AI Act Art. 17 requires a quality management system. PO-09 is the QMS artifact for the Policy Obligation layer.",
            "normative_force": "binding-law",
            "source_version": "2024",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "satisfies"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "high-risk-sector"
        ],
        "implementers": [
          "GRC / Internal Audit",
          "AI Operations",
          "Risk Management"
        ],
        "validation_objective": "A complete, signed Policy Obligation layer evidence package must be compiled and submitted as input to the PE-08 PolicyAttestation production process within 10 business days of each quarter end, containing all required artifacts from PO-01 through PO-08 with a gap register that assigns owners and remediation deadlines to any identified deficiencies.",
        "evidence_required": [
          "signed_po_layer_evidence_package for each of the four most recent quarters, with required_artifacts[], gap_register, package_owner_id, review_signatories[], overall_verdict, and package_signed_at timestamp",
          "artifact_completeness_checklist for each package confirming that each of PO-01 through PO-08 contributed its required evidence artifact with freshness_status for each",
          "gap_register for any deficiencies with gap_id, source_control_id, gap_description, owner_id, remediation_target_date, and prior_quarter_gap_status for recurring items",
          "pe08_attestation_submission_record linking each PO-layer evidence package to the PE-08 PolicyAttestation production cycle input log with submission_timestamp and accepted_by"
        ],
        "machine_tests": [
          "Attempt to initiate a PE-08 PolicyAttestation production cycle without a signed PO-layer evidence package for the current quarter \u2192 assert the attestation workflow blocks initiation with error=missing_po_layer_evidence",
          "Submit a PO-layer evidence package with one required artifact marked as missing \u2192 assert the package is flagged as incomplete and a gap_register entry is automatically created for the missing artifact's source control",
          "Query the evidence package retention store for the most recent four quarters \u2192 assert all four packages are present, signed, and tamper-evident record integrity is verified"
        ],
        "human_review": [
          "Review the most recent PO-layer evidence package for artifact freshness, verifying each artifact from PO-01 through PO-08 was produced within the required freshness window for the current quarter",
          "Assess the gap register for recurring gaps (items open across two or more consecutive quarters) and confirm that escalation actions have been taken and documented for each recurring item",
          "Verify that the package_owner and review_signatories listed in each evidence package have the organizational authority appropriate for signing layer-level governance evidence"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Treating the PE-08 PolicyAttestation as a substitute for the PO-layer evidence package, skipping per-layer compilation and relying on individual control owners to assert compliance directly to the attestation",
          "Compiling the evidence package only when a regulatory audit or audit committee review is imminent rather than on a fixed quarterly schedule",
          "Signing the evidence package without a structured review that evaluates artifact completeness, freshness, and gap register status \u2014 treating it as a pro forma administrative step",
          "Retaining evidence packages in a mutable document store rather than a tamper-evident record store, undermining the integrity of the package as an attestation input"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PO",
        "lens_enrichment": "ap42 2026-07-08"
      },
      {
        "id": "PR-01",
        "name": "AI Procurement Policy Integration",
        "canonical_id": "apeiris://authority/controls/PR-01",
        "layer": "PR",
        "prefix": "PR",
        "plane": "both",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Integrate AI-specific authority policy requirements into the enterprise procurement process so that all acquisitions of AI systems, components, or services are evaluated against documented governance criteria before purchase approval. Procurement decisions must reflect current AI authority policy, not default vendor terms.",
        "threat": {
          "context": "When AI procurement proceeds without policy integration, vendors are engaged under default commercial terms that may conflict with enterprise authority limits, creating governance gaps from the moment AI systems are activated.",
          "tags": [
            "procurement-bypass",
            "policy-bypass",
            "authority-limit-breach"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 15",
            "title": "Assesses Substantial Change"
          },
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_800_53",
            "section": "SA-4",
            "title": "Acquisition Process"
          },
          {
            "id": "oecd_cg",
            "section": "V.D",
            "title": "Board responsibilities \u2014 key functions (risk management oversight)"
          }
        ],
        "sources": [
          {
            "id": "src-pr01-1",
            "title": "COSO Enterprise Risk Management Framework",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management Framework requirements informing the apeiris://authority/controls/PR-01 AI Procurement Policy Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr01-2",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PR-01 AI Procurement Policy Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr01-3",
            "title": "NIST SP 800-53 Rev 5 \u2014 Acquisition Process",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Acquisition Process requirements informing the apeiris://authority/controls/PR-01 AI Procurement Policy Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr01-4",
            "title": "G20/OECD Principles of Corporate Governance 2023",
            "authority": "Organisation for Economic Co-operation and Development",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "2023",
            "published_on": "2023-09-11",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.oecd.org/en/publications/2023/09/g20-oecd-principles-of-corporate-governance-2023_60836fcb.html",
            "license": "open-access",
            "status": "current",
            "flagship": false,
            "source_id": "oecd_cg",
            "relationship": "implementation_pattern",
            "rationale": "Establishes OECD Principles of Corporate Governance requirements informing the apeiris://authority/controls/PR-01 AI Procurement Policy Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PR-01 AI Procurement Policy Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PR-01 AI Procurement Policy Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PR-01 AI Procurement Policy Integration control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "AI procurement checklist embedded in the purchase approval workflow, with mandatory compliance review gate before any AI vendor engagement is authorized.",
          "steps": [
            "Develop an AI procurement checklist covering authority policy alignment, commitment capability assessment, required contract terms, and governance documentation requirements, integrated into the purchase approval workflow",
            "Require Compliance Officer review and approval of the checklist before any AI procurement request advances to vendor engagement",
            "Update the AI procurement checklist quarterly to reflect changes in AI authority policy and capture lessons from prior procurement cycles"
          ],
          "anti_patterns": [
            "Applying the AI procurement checklist only after a vendor has been selected, limiting the organization's ability to influence contract terms",
            "Treating general procurement policy as a substitute for AI-specific authority policy integration"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify the AI procurement checklist covers all required authority policy areas and is version-controlled with a quarterly review cadence",
            "Confirm the purchase approval workflow blocks advancement to vendor engagement without a completed and approved checklist",
            "Validate that Compliance Officer approval records are retained for all AI procurement approvals"
          ],
          "runtime_tests": [
            "Submit an AI procurement request without a completed checklist and verify the workflow blocks progression to vendor engagement",
            "Update the AI procurement checklist and confirm all pending procurement reviews are re-evaluated against the new version",
            "Audit a sample of completed AI procurement approvals to confirm checklist completion and Compliance Officer sign-off are present"
          ],
          "evidence": [
            "doc:ai-procurement-checklist-current",
            "log:procurement-checklist-completion-audit-log",
            "authority:compliance-officer-procurement-approval-records",
            "config:purchase-approval-workflow-checklist-gate"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "AI procurement policy integration ensures that authority constraints and required contract terms are embedded in vendor engagements from the outset, not retrofitted after default terms are accepted.",
            "actions": [
              "Review and approve the AI procurement checklist annually to ensure required contract terms reflect current legal and policy requirements",
              "Require General Counsel review of any AI procurement where the vendor declines to accept required authority policy terms"
            ],
            "failure_signals": [
              "An AI vendor was engaged under default commercial terms that conflict with enterprise authority policy",
              "The AI procurement checklist was not updated following a material change in AI authority policy"
            ]
          },
          "cfo_procurement": {
            "summary": "Authority policy integration in procurement prevents AI systems from being activated under vendor terms that permit commitment capabilities exceeding enterprise financial limits.",
            "actions": [
              "Confirm that financial authority limit requirements are included in the AI procurement checklist and enforced as a condition of vendor contract execution",
              "Require CFO sign-off on AI procurements where commitment capability exceeds defined thresholds"
            ],
            "failure_signals": [
              "An AI system was activated under vendor terms permitting commitment capabilities that exceed CFO-approved limits",
              "Financial authority requirements were absent from the AI procurement checklist during a procurement cycle"
            ]
          },
          "risk_officer": {
            "summary": "Procurement policy integration is the first line of defense against authority governance gaps; checklist completion rate is a leading risk indicator for downstream control failures.",
            "actions": [
              "Track AI procurement checklist completion rate as a KRI \u2014 % of AI procurement requests that completed the checklist before vendor engagement",
              "Escalate any AI procurement that bypassed the checklist gate to the CRO within 24 hours of discovery"
            ],
            "failure_signals": [
              "An AI procurement was initiated without completing the authority policy checklist",
              "Checklist completion rate falls below 100% for AI procurement requests in any quarter"
            ]
          },
          "grc_auditor": {
            "summary": "Completed procurement checklists and Compliance Officer approval records are the primary audit artifacts demonstrating that AI acquisitions were evaluated against governance criteria before purchase.",
            "actions": [
              "Verify that all AI procurements completed during the audit period have a completed checklist and Compliance Officer approval on file",
              "Confirm that the AI procurement checklist version used for each procurement matches the version in effect at the time of the request",
              "Test the purchase approval workflow gate by attempting to advance a request without a completed checklist"
            ],
            "failure_signals": [
              "An AI procurement record lacks a completed checklist or Compliance Officer approval",
              "The checklist version used for a procurement predates a material policy update that should have been reflected"
            ],
            "metrics": [
              "Checklist completion rate: % of AI procurement requests with a completed checklist prior to vendor engagement (target: 100%)",
              "Compliance Officer approval rate: % of AI procurements with documented Compliance Officer sign-off (target: 100%)",
              "Checklist currency: % of procurements using the most recent checklist version (target: 100%)"
            ]
          },
          "board_governance": {
            "summary": "AI procurement policy integration is a governance infrastructure control that ensures the board's AI authority expectations are enforced at the point of acquisition, before vendors gain access.",
            "actions": [
              "Confirm the AI procurement checklist is reviewed by General Counsel and Compliance Officer annually and reported to the audit committee",
              "Require board-level disclosure of AI procurements that proceeded with exceptions to the standard checklist requirements"
            ],
            "failure_signals": [
              "The AI procurement checklist was not presented to the audit committee in the last 12 months",
              "Material AI procurements proceeded with undisclosed exceptions to the standard authority policy requirements"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 15",
            "title": "Assesses substantial change",
            "principle_number": 15,
            "component_name": "Review and Revision",
            "normative_force": "industry-framework",
            "fit": "partial",
            "fit_rationale": "Evaluating AI acquisitions against governance criteria treats procurement as a substantial change, partially reflecting Principle 15.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Evaluating AI acquisitions against governance criteria treats procurement as a substantial change, partially reflecting Principle 15.",
            "requirement_id": "Principle 15 \u2014 Assesses substantial change",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Embedding an AI procurement checklist in purchasing is operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Embedding an AI procurement checklist in purchasing is operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SA-4",
            "title": "Acquisition Process",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Gating AI acquisitions on a governance checklist reflects SA-4 acquisition-process requirements, scoped to AI authority policy.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Gating AI acquisitions on a governance checklist reflects SA-4 acquisition-process requirements, scoped to AI authority policy.",
            "requirement_id": "SA-4 \u2014 Acquisition Process",
            "relation": "equivalent_to"
          },
          {
            "framework": "oecd_cg",
            "ref": "V.D",
            "title": "Board responsibilities \u2014 key functions (risk management oversight)",
            "normative_force": "voluntary-standard",
            "source_version": "2023",
            "fit": "adjacent",
            "fit_rationale": "AI procurement gating is an operational control, only loosely connected to the board risk-oversight function OECD V.D describes.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "AI procurement gating is an operational control, only loosely connected to the board risk-oversight function OECD V.D describes.",
            "requirement_id": "V.D \u2014 Board responsibilities \u2014 key functions (risk management oversight)",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Marketplace + Control Tower \u2014 Procurement Policy Integration",
            "rationale": "AWS Marketplace governance integrates AI service procurement with organizational SCP restrictions, ensuring that procurement of AI services is automatically evaluated against declared governance policies. Control Tower preventive guardrails can block activation of procured AI services that do not meet organizational compliance requirements, implementing AI procurement policy as a gate before service activation.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Marketplace governance with Control Tower guardrails gates procured AI services against policy, partially implementing integration.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Marketplace + Org Policy \u2014 Approved AI Service Procurement",
            "rationale": "Google Cloud Organization Policy constraints restrict procurement of AI services to approved vendors and service categories through service usage restriction policies. Google Cloud Marketplace integrations are subject to organizational IAM and policy constraints, ensuring that AI service procurement complies with declared governance requirements before services are activated.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Org Policy constraints restrict AI procurement to approved vendors and categories, partially implementing procurement integration.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "procurement-ai"
        ],
        "implementers": [
          "Procurement",
          "General Counsel",
          "CFO"
        ],
        "validation_objective": "Every AI procurement request must complete a Compliance-Officer-approved AI procurement checklist using the current approved version before any vendor engagement is initiated, with no AI system activated under vendor terms that have not been evaluated against the enterprise AI authority policy checklist.",
        "evidence_required": [
          "ai_procurement_checklist_current with version_id, effective_date, compliance_officer_approval_signature, and general_counsel_approval_signature covering all required authority policy areas",
          "procurement_checklist_completion_record for each AI procurement request with checklist_version_used, completed_by, completed_at, compliance_officer_approval_id, and verdict (approved/rejected/escalated)",
          "purchase_approval_workflow_gate_log confirming each AI procurement request was blocked from advancing to vendor engagement until a completed checklist record was on file",
          "quarterly_checklist_review_record documenting that the AI procurement checklist was reviewed against current AI authority policy and either confirmed current or updated with a change rationale"
        ],
        "machine_tests": [
          "Submit an AI procurement request through the purchase approval workflow without a completed checklist \u2192 assert the workflow blocks advancement to vendor engagement with error=missing_procurement_checklist",
          "Attempt to initiate a vendor engagement with a checklist_version_used that predates the most recent policy update \u2192 assert the workflow requires re-evaluation against the current checklist version",
          "Audit five completed AI procurement approvals \u2192 assert each has a procurement_checklist_completion_record with a Compliance Officer approval_id matching an active approver in the approver registry"
        ],
        "human_review": [
          "Review the AI procurement checklist to verify it addresses all required authority policy areas including commitment capability assessment, required contract terms, data use restrictions, and authority limit documentation requirements",
          "Assess a sample of completed procurement checklist records to verify the checklist was used substantively \u2014 examining whether documented exceptions or escalations correspond to the procurement context",
          "Confirm that the quarterly checklist review record documents specific policy changes considered and reflects lessons from procurement cycles completed in the review period"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Applying the AI procurement checklist only after a vendor has been selected and commercial terms are substantially agreed, limiting the organization's ability to negotiate required authority policy terms",
          "Treating general enterprise procurement policy compliance as a substitute for AI-specific authority policy integration without verifying that the general policy covers AI governance criteria",
          "Permitting AI system activation before the procurement checklist is completed on the basis that the system is already deployed in a pilot or proof-of-concept context",
          "Maintaining a single AI procurement checklist without updating it to reflect changes in AI authority policy, resulting in procurements evaluated against outdated governance criteria",
          "Delegating checklist completion to the vendor relationship manager without requiring Compliance Officer review, removing independent governance oversight from the procurement gate"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PR"
      },
      {
        "id": "PR-02",
        "name": "AI-Initiated Commitment Controls",
        "canonical_id": "apeiris://authority/controls/PR-02",
        "layer": "PR",
        "prefix": "PR",
        "plane": "both",
        "capability_risk": {
          "capability_level": "elevated"
        },
        "baseline": false,
        "plain": "Establish explicit controls over commitments initiated autonomously by AI systems in procurement contexts, including spend authorization, vendor selection, and contract term acceptance. Cross-domain dependency: unauthorized AI commitments may also violate data governance constraints (see apeiris://data/controls/DX-01) and agentic behavior boundaries (see apeiris://agentic/controls/AT-05).",
        "threat": {
          "context": "AI systems with procurement access can initiate binding financial commitments autonomously at machine speed, bypassing human review checkpoints. Without hard commitment controls, a single misconfigured or manipulated AI agent can exceed approved authority limits, create multi-year obligations, or commit the organization under unfavorable terms before escalation is triggered. This risk amplifies when combined with agentic chaining (apeiris://agentic/controls/AT-05) or unauthorized data access (apeiris://data/controls/DX-01).",
          "tags": [
            "unauthorized-commitment",
            "commitment-without-authority",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 7",
            "title": "Defines Risk Appetite"
          },
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 2.3",
            "title": "Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment"
          },
          {
            "id": "nist_800_53",
            "section": "AC-5",
            "title": "Separation of Duties"
          }
        ],
        "sources": [
          {
            "id": "src-pr02-1",
            "title": "COSO Enterprise Risk Management Framework",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management Framework requirements informing the apeiris://authority/controls/PR-02 AI-Initiated Commitment Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr02-2",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PR-02 AI-Initiated Commitment Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr02-3",
            "title": "NIST AI Risk Management Framework",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI Risk Management Framework requirements informing the apeiris://authority/controls/PR-02 AI-Initiated Commitment Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr02-4",
            "title": "NIST SP 800-53 Rev 5 \u2014 Separation of Duties",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Separation of Duties requirements informing the apeiris://authority/controls/PR-02 AI-Initiated Commitment Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PR-02 AI-Initiated Commitment Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PR-02 AI-Initiated Commitment Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PR-02 AI-Initiated Commitment Controls control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Hard commitment ceiling enforced at the AI system capability layer, with multi-step human approval gates for commitments above defined thresholds and real-time alerting for any commitment attempt near or above the ceiling.",
          "steps": [
            "Define a tiered commitment authority matrix for each AI system specifying hard ceilings by commitment type (spend, term length, vendor selection), with any attempt to exceed the ceiling resulting in a hard block \u2014 not a soft escalation",
            "Implement multi-step human approval gates for commitments above defined intermediate thresholds, requiring CFO or General Counsel approval before the AI system may proceed",
            "Deploy real-time alerting to the CRO and General Counsel for any AI commitment attempt that reaches or exceeds 80% of the hard ceiling, with a mandatory human review hold until acknowledgment is received"
          ],
          "anti_patterns": [
            "Relying on soft escalation prompts rather than hard blocks for AI commitments approaching authority ceilings",
            "Setting commitment ceilings in AI system configuration only without a separate enforcement layer that cannot be overridden by the AI system's own logic"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify a tiered commitment authority matrix exists for each AI system with procurement access, with hard ceilings approved by CFO and General Counsel",
            "Confirm that commitment ceiling enforcement is implemented at a layer the AI system cannot self-modify or bypass",
            "Validate that multi-step approval gates are enforced for commitments above intermediate thresholds with documented approver roles and response SLAs"
          ],
          "runtime_tests": [
            "Attempt an AI commitment that exceeds the hard ceiling and verify it results in a hard block with an immediate alert to CRO and General Counsel",
            "Trigger a commitment at 80% of the ceiling and confirm the real-time alert fires and a human review hold is placed before the AI system can proceed",
            "Test a commitment requiring multi-step approval and verify it cannot complete until all required approver sign-offs are received"
          ],
          "evidence": [
            "doc:ai-commitment-authority-matrix-current",
            "log:ai-commitment-enforcement-event-log",
            "config:commitment-ceiling-enforcement-layer-config",
            "authority:cfo-general-counsel-commitment-matrix-approvals"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Hard commitment controls are the legal backstop preventing AI systems from autonomously binding the organization to obligations that exceed documented authority \u2014 the liability exposure without these controls is uncapped.",
            "actions": [
              "Review and approve the commitment authority matrix for every AI system with procurement access before activation",
              "Require General Counsel co-sign on any commitment above the intermediate threshold requiring human approval"
            ],
            "failure_signals": [
              "An AI system made a binding commitment exceeding its hard ceiling, creating an unintended contractual obligation",
              "The commitment authority matrix was not reviewed following a change in the organization's delegation of authority policy"
            ]
          },
          "cfo_procurement": {
            "summary": "AI-initiated commitment controls are a direct financial risk control; hard ceilings prevent AI systems from creating unbudgeted obligations at machine speed without human review.",
            "actions": [
              "Set and regularly review hard commitment ceilings for each AI system in alignment with the enterprise delegation of authority and budget cycle",
              "Require CFO approval for any request to raise an AI commitment ceiling above the current approved level"
            ],
            "failure_signals": [
              "An AI system committed spend in excess of the approved ceiling in its authority matrix",
              "Commitment ceilings were not updated to reflect budget cycle changes, leaving AI systems with stale authority limits"
            ]
          },
          "risk_officer": {
            "summary": "Elevated capability risk rating reflects the potential for rapid, large-scale unauthorized commitments; this is a high-priority control requiring hard enforcement, not advisory limits.",
            "actions": [
              "Classify AI systems with unconstrained procurement access as high-risk and require hard ceiling enforcement as a condition of continued operation",
              "Track AI commitment enforcement events as a KRI and investigate any hard block occurrence within 24 hours"
            ],
            "failure_signals": [
              "An AI system with procurement access lacks a hard commitment ceiling",
              "A hard block event was not investigated within 24 hours of occurrence"
            ]
          },
          "grc_auditor": {
            "summary": "The commitment authority matrix and enforcement event log are the primary audit artifacts for this elevated-risk control; completeness and accuracy of the log are non-negotiable for audit purposes.",
            "actions": [
              "Verify the commitment authority matrix for all AI systems with procurement access is current and has documented CFO and General Counsel approval",
              "Review the commitment enforcement event log for the audit period and confirm every hard block was investigated and documented",
              "Test commitment ceiling enforcement by simulating a commitment attempt at and above the ceiling"
            ],
            "failure_signals": [
              "The commitment enforcement event log has gaps during the audit period",
              "A hard block event lacks a documented investigation record"
            ],
            "metrics": [
              "Commitment ceiling coverage: % of AI systems with procurement access that have an approved, enforced hard ceiling (target: 100%)",
              "Hard block investigation rate: % of hard block events with a documented investigation within 24 hours (target: 100%)",
              "Matrix review currency: % of commitment authority matrices reviewed within the last 12 months (target: 100%)"
            ]
          },
          "board_governance": {
            "summary": "AI-initiated commitment controls are a material governance risk \u2014 the board must confirm that no AI system can autonomously bind the organization beyond board-approved delegation of authority limits.",
            "actions": [
              "Confirm annually that AI commitment ceilings across all systems are consistent with the board-approved enterprise delegation of authority",
              "Require disclosure to the audit committee of any hard block event that involved a commitment attempt above the intermediate approval threshold"
            ],
            "failure_signals": [
              "AI commitment ceilings have not been reconciled with the board-approved delegation of authority in the last 12 months",
              "A material hard block event was not disclosed to the audit committee"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 7",
            "title": "Defines risk appetite",
            "principle_number": 7,
            "component_name": "Strategy and Objective-Setting",
            "normative_force": "industry-framework",
            "fit": "partial",
            "fit_rationale": "Hard commitment ceilings operationalize risk appetite but do not define it per Principle 7.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Hard commitment ceilings operationalize risk appetite but do not define it per Principle 7.",
            "requirement_id": "Principle 7 \u2014 Defines risk appetite",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Technically enforced commitment ceilings are operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Technically enforced commitment ceilings are operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 2.3",
            "title": "Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "CFO/GC-approved commitment ceilings route authority to leadership, partially addressing GOVERN 2.3.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "CFO/GC-approved commitment ceilings route authority to leadership, partially addressing GOVERN 2.3.",
            "requirement_id": "GOVERN 2.3 \u2014 Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AC-5",
            "title": "Separation of Duties",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Multi-step human approval gates for above-threshold commitments partially reflect AC-5 duty separation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Multi-step human approval gates for above-threshold commitments partially reflect AC-5 duty separation.",
            "requirement_id": "AC-5 \u2014 Separation of Duties",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Organizations SCP + AWS Budgets \u2014 AI-Initiated Financial Commitment Controls",
            "rationale": "AWS Organizations SCPs restrict which service activations and resource provisioning actions AI workload principals can take at all; SCPs cannot condition on spend. Monetary commitment thresholds are enforced through AWS Budgets actions, which trigger alerts and automated restrictions when AI-initiated spend approaches or exceeds authorized limits, implementing financial commitment controls at the infrastructure layer.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "SCP action restrictions and Budgets spend controls partially enforce AI financial-commitment ceilings at infrastructure level.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Authorization Server \u2014 Commitment-Scoped Token Restrictions",
            "rationale": "Okta's authorization server issues scoped tokens that restrict AI agents to pre-approved commitment categories and monetary thresholds. Commitment-making API calls require tokens with explicit commitment scopes; agents operating on general-purpose tokens cannot execute actions that imply financial obligations beyond declared authorization limits.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta commitment-scoped tokens restrict agents to approved commitment categories and thresholds, partially enforcing commitment controls.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure Policy \u2014 AI Resource Provisioning Commitment Approval Gates",
            "rationale": "Azure Policy custom definitions can enforce approval requirements for AI-initiated resource provisioning that implies financial commitment above declared thresholds. Policy effects deny or audit high-cost resource types when initiated by AI workload identities without explicit approval from a human principal with appropriate authority.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure Policy can deny or audit high-cost AI provisioning above thresholds, partially enforcing commitment controls.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "consequential-commitment",
          "procurement-ai"
        ],
        "implementers": [
          "CFO",
          "General Counsel",
          "AI Engineering"
        ],
        "validation_objective": "All AI systems with procurement access must have a technically enforced hard commitment ceiling that produces a hard block \u2014 not a soft escalation \u2014 for any commitment attempt exceeding the CFO and General Counsel-approved authority matrix ceiling. Multi-step human approval gates must be technically enforced for above-threshold commitments, and an 80%-ceiling approach must trigger an immediate alert with a mandatory hold before the AI system can proceed.",
        "evidence_required": [
          "ai_commitment_authority_matrix with documented CFO and General Counsel co-approval dates, ceiling values by commitment type (spend, term length, vendor category), and effective date",
          "commitment_enforcement_event_log showing each commitment attempt, ceiling comparison result, block or proceed outcome, and event timestamp",
          "commitment_ceiling_enforcement_layer_config confirming the enforcement layer operates separately from and cannot be modified by the AI system's own logic or API surface",
          "alert_routing_records showing 80%-ceiling approach alerts delivered to CRO and General Counsel with receipt and mandatory hold acknowledgment timestamps",
          "multi_step_approval_records for above-threshold commitments showing all required approver sign-offs with identities and timestamps before commitment completion"
        ],
        "machine_tests": [
          "Submit AI commitment request with value equal to hard ceiling + 1 unit \u2192 assert request is hard-blocked and alert is immediately delivered to CRO and General Counsel with block_reason=ceiling_exceeded",
          "Submit AI commitment request at 80% of hard ceiling \u2192 assert real-time alert fires and human review hold is placed, preventing the AI system from proceeding until hold is acknowledged",
          "Submit above-threshold commitment without all required approver sign-offs \u2192 assert commitment cannot complete and returns error_code=pending_approval_required",
          "Attempt to modify commitment ceiling value through the AI system's own API surface \u2192 assert modification is rejected with error_code=self_modification_denied"
        ],
        "human_review": [
          "Review commitment authority matrix for each AI system with procurement access to verify ceilings are current, reflect the latest delegation of authority update, and have documented CFO and General Counsel co-approval",
          "Assess enforcement layer architecture to confirm the commitment ceiling check operates at a layer the AI system cannot self-modify or bypass through prompt engineering, API calls, or configuration changes",
          "Review hard block event investigation records to confirm each event was documented and closed within 24 hours with a root cause finding"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Implementing soft escalation prompts that notify a human but permit the AI system to proceed if no response is received within a defined timeout, rather than requiring affirmative approval before any commitment completes",
          "Storing commitment ceiling values in the AI system's own configuration or system prompt where the system could theoretically modify or reference them directly",
          "Setting a single flat commitment ceiling that applies uniformly across all procurement categories rather than a tiered authority matrix reflecting different risk levels by commitment type",
          "Failing to reconcile commitment ceiling values against the current enterprise delegation of authority after each delegation of authority review cycle, leaving AI systems operating against stale limits",
          "Treating the 80%-threshold alert as informational rather than enforcing a mandatory hold that requires human acknowledgment before the AI system can proceed"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PR"
      },
      {
        "id": "PR-03",
        "name": "Vendor Qualification Enforcement",
        "canonical_id": "apeiris://authority/controls/PR-03",
        "layer": "PR",
        "prefix": "PR",
        "plane": "both",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Enforce documented vendor qualification criteria before any AI vendor or AI-assisted procurement action is completed, ensuring that vendors of AI systems and AI procurement decision targets meet minimum standards for authority policy compliance, security, and governance documentation.",
        "threat": {
          "context": "Without enforced qualification criteria, AI-assisted procurement may select vendors or execute purchases with entities that lack the governance infrastructure to support enterprise authority controls, introducing principal accountability gaps and procurement bypass risk.",
          "tags": [
            "procurement-bypass",
            "authority-limit-breach",
            "principal-accountability-gap"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_800_53",
            "section": "SA-9",
            "title": "External System Services"
          },
          {
            "id": "oecd_cg",
            "section": "V.D",
            "title": "Board responsibilities \u2014 key functions (risk management oversight)"
          }
        ],
        "sources": [
          {
            "id": "src-pr03-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PR-03 Vendor Qualification Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr03-2",
            "title": "NIST SP 800-53 Rev 5 \u2014 External System Services",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 External Information System Services requirements informing the apeiris://authority/controls/PR-03 Vendor Qualification Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr03-3",
            "title": "G20/OECD Principles of Corporate Governance 2023",
            "authority": "Organisation for Economic Co-operation and Development",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "2023",
            "published_on": "2023-09-11",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.oecd.org/en/publications/2023/09/g20-oecd-principles-of-corporate-governance-2023_60836fcb.html",
            "license": "open-access",
            "status": "current",
            "flagship": false,
            "source_id": "oecd_cg",
            "relationship": "implementation_pattern",
            "rationale": "Establishes OECD Principles of Corporate Governance requirements informing the apeiris://authority/controls/PR-03 Vendor Qualification Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr03-4",
            "title": "ISO 42001 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001 AI Management Systems requirements informing the apeiris://authority/controls/PR-03 Vendor Qualification Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PR-03 Vendor Qualification Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PR-03 Vendor Qualification Enforcement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PR-03 Vendor Qualification Enforcement control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Vendor qualification scorecard embedded in the AI procurement workflow, with automated disqualification for vendors failing minimum authority policy compliance criteria.",
          "steps": [
            "Define and publish a vendor qualification scorecard covering AI governance documentation requirements, authority policy compliance evidence, security posture, and contractual term flexibility",
            "Integrate scorecard evaluation into the AI procurement workflow so that no vendor may advance to contract negotiation without meeting the minimum qualification threshold",
            "Maintain a qualified vendor list updated quarterly by Vendor Management, with expired qualifications triggering re-evaluation before renewal orders are placed"
          ],
          "anti_patterns": [
            "Applying vendor qualification criteria only to initial procurement while permitting renewals without re-qualification",
            "Accepting vendor SOC 2 reports as complete qualification evidence without verifying AI authority-specific controls are in scope"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify the vendor qualification scorecard covers all required AI authority policy compliance areas and has a defined minimum passing threshold",
            "Confirm the procurement workflow blocks vendors from advancing to contract negotiation without a passed qualification scorecard",
            "Validate that the qualified vendor list is reviewed and updated quarterly by Vendor Management"
          ],
          "runtime_tests": [
            "Submit a vendor for qualification who fails the minimum authority policy compliance threshold and verify they are disqualified and blocked from advancing",
            "Expire a vendor's qualification record and confirm that renewal order placement is blocked until re-qualification is completed",
            "Audit the qualified vendor list and verify all entries have a current qualification scorecard within the last 12 months"
          ],
          "evidence": [
            "doc:vendor-qualification-scorecard-template",
            "log:vendor-qualification-evaluation-history",
            "config:procurement-workflow-qualification-gate",
            "doc:qualified-vendor-list-current"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Vendor qualification enforcement ensures that the organization only contracts with AI vendors who can support the authority policy requirements that are conditions of the vendor agreement.",
            "actions": [
              "Review the vendor qualification scorecard annually to ensure it reflects current legal and policy requirements",
              "Require General Counsel review for any exception that permits a vendor below the qualification threshold to proceed to contract negotiation"
            ],
            "failure_signals": [
              "A vendor was contracted who subsequently failed to meet the authority policy compliance requirements specified in the agreement",
              "A vendor qualification exception was granted without General Counsel review"
            ]
          },
          "cfo_procurement": {
            "summary": "Vendor qualification criteria protect against procurement with vendors who lack the governance infrastructure to support enterprise authority controls, reducing the risk of uncontrolled spend or commitment exposure.",
            "actions": [
              "Confirm that financial commitment capability controls are included in the vendor qualification scorecard",
              "Require CFO review for any AI vendor exception where commitment capability controls are below the minimum threshold"
            ],
            "failure_signals": [
              "An AI vendor was qualified despite failing financial commitment capability controls",
              "A CFO review was not obtained for a vendor exception involving commitment capability gaps"
            ]
          },
          "risk_officer": {
            "summary": "Vendor qualification enforcement is a risk perimeter control; the exception rate and requalification compliance rate are key indicators of procurement risk exposure.",
            "actions": [
              "Track exception rate as a KRI \u2014 % of AI procurements where a vendor exception was granted below the qualification threshold",
              "Require risk assessment for all vendor exceptions involving authority policy compliance gaps"
            ],
            "failure_signals": [
              "Exception rate exceeds 5% of AI procurement decisions in any quarter",
              "A vendor requalification was overdue at the time a renewal order was placed"
            ]
          },
          "grc_auditor": {
            "summary": "Vendor qualification scorecards and the qualified vendor list are the primary audit artifacts demonstrating that AI procurement targets met documented governance standards before contract execution.",
            "actions": [
              "Verify that all AI vendor contracts executed during the audit period have a corresponding passed qualification scorecard",
              "Confirm the qualified vendor list was reviewed quarterly and that expired entries triggered re-evaluation before renewals",
              "Sample vendor scorecards against the vendor's actual governance documentation to verify accuracy"
            ],
            "failure_signals": [
              "An AI vendor contract lacks a corresponding qualification scorecard",
              "A renewal order was placed for a vendor with an expired qualification record"
            ],
            "metrics": [
              "Qualification completion rate: % of AI vendor contracts with a passed scorecard on file (target: 100%)",
              "Vendor list currency: % of qualified vendor entries with a scorecard updated within 12 months (target: 100%)",
              "Exception rate: % of AI procurements granted a vendor exception (target: \u22645%)"
            ]
          },
          "board_governance": {
            "summary": "Vendor qualification enforcement provides the board with assurance that AI vendor relationships are built on documented governance standards, not assumed capability.",
            "actions": [
              "Request annual reporting on qualified vendor coverage and exception rate from Procurement",
              "Require disclosure to the audit committee of vendor exceptions granted for material AI procurements"
            ],
            "failure_signals": [
              "Material AI vendor relationships lack qualification records at the time of board review",
              "Exception rate has been consistently above target for multiple quarters without remediation"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "A qualification gate in the procurement workflow is operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A qualification gate in the procurement workflow is operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SA-9",
            "title": "External System Services",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Requiring vendors meet minimum authority and security standards reflects SA-9 external-service provider requirements, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Requiring vendors meet minimum authority and security standards reflects SA-9 external-service provider requirements, partially.",
            "requirement_id": "SA-9 \u2014 External System Services",
            "relation": "equivalent_to"
          },
          {
            "framework": "oecd_cg",
            "ref": "V.D",
            "title": "Board responsibilities \u2014 key functions (risk management oversight)",
            "normative_force": "voluntary-standard",
            "source_version": "2023",
            "fit": "adjacent",
            "fit_rationale": "Vendor qualification enforcement is operational, only loosely tied to the board risk-oversight function OECD V.D describes.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Vendor qualification enforcement is operational, only loosely tied to the board risk-oversight function OECD V.D describes.",
            "requirement_id": "V.D \u2014 Board responsibilities \u2014 key functions (risk management oversight)",
            "relation": "informs"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Scorecard-gated vendor qualification is operational planning under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Scorecard-gated vendor qualification is operational planning under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Marketplace + Partner Network \u2014 Vendor Qualification Framework",
            "rationale": "AWS Marketplace vendor vetting and the AWS Partner Network qualification tiers provide a governance framework for AI vendor qualification. Organizations can restrict AI service procurement to AWS Marketplace vendors with specific qualification levels (e.g., AWS Competency Program designations), implementing vendor qualification enforcement as a procurement gate through SCP restrictions.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Restricting procurement to qualified Marketplace and Partner tiers via SCPs partially implements vendor qualification enforcement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Assured Workloads \u2014 Compliance-Certified Service Restriction",
            "rationale": "Google Assured Workloads constrains AI workload deployments to Google Cloud services that have achieved defined compliance certifications. Organization Policy constraints restrict use of services below the required compliance certification level, implementing vendor qualification enforcement as an automated infrastructure control for AI deployments in regulated environments.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Assured Workloads restricts deployments to compliance-certified services, partially implementing vendor qualification for regulated use.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "procurement-ai"
        ],
        "implementers": [
          "Procurement",
          "Vendor Management",
          "General Counsel"
        ],
        "validation_objective": "Every vendor engaged through AI-assisted procurement must have a passing vendor qualification scorecard on file before the procurement workflow advances to contract negotiation, and no vendor with an expired qualification record may receive a renewal order. The procurement workflow must technically prevent advancement past the qualification gate for any vendor that has not met the documented minimum qualification threshold.",
        "evidence_required": [
          "vendor_qualification_scorecard for each AI vendor contracted during the review period, showing scores across all required authority policy compliance areas, a pass/fail determination, reviewer identity, and scorecard effective date",
          "procurement_workflow_qualification_gate_config demonstrating the gate is technically enforced and that no advancement path to contract negotiation exists for a vendor without a current passed scorecard",
          "qualified_vendor_list with last_reviewed_date and scorecard_expiry_date for each entry, confirmed updated within the last quarter by Vendor Management",
          "vendor_exception_records for any vendor granted an exception below the minimum threshold, each with documented General Counsel approval and risk assessment"
        ],
        "machine_tests": [
          "Submit a vendor with a failed qualification scorecard to the procurement workflow \u2192 assert advancement to contract negotiation is blocked and returns error_code=vendor_qualification_failed",
          "Submit a vendor with a qualification record expired more than 12 months ago \u2192 assert renewal order placement is blocked until re-qualification is completed",
          "Submit a vendor with a current passing scorecard \u2192 assert workflow permits advancement and records the scorecard_id and pass_date in the procurement event log"
        ],
        "human_review": [
          "Review a sample of vendor qualification scorecards against vendors' actual governance documentation and SOC 2 reports to verify scoring accuracy and that AI-specific authority controls were explicitly evaluated",
          "Assess the minimum qualification threshold to confirm it reflects current legal and policy requirements and was reviewed and approved by General Counsel within the last 12 months",
          "Verify that vendor exceptions have documented General Counsel approval and that the exception rate for the review period does not exceed 5% of AI procurement decisions"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Accepting a vendor's existing SOC 2 Type II report as complete qualification evidence without verifying that AI authority policy compliance controls (commitment ceiling enforcement, delegation of authority documentation) are explicitly in the SOC 2 scope",
          "Applying vendor qualification criteria only to initial procurement events while permitting annual renewals to proceed without re-qualification or scorecard refresh",
          "Treating the vendor qualification gate as a documentation checkpoint that can be bypassed with a manual override rather than a technical block that prevents contract negotiation from initiating",
          "Maintaining the qualified vendor list in a static document updated on request rather than a system that automatically flags and blocks vendors with expired qualification records",
          "Granting vendor exceptions without requiring General Counsel approval, treating them as routine procurement decisions rather than risk escalations requiring documented legal review"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PR"
      },
      {
        "id": "PR-04",
        "name": "Contract Review Gate Compliance",
        "canonical_id": "apeiris://authority/controls/PR-04",
        "layer": "PR",
        "prefix": "PR",
        "plane": "both",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Enforce mandatory contract review gates before any AI system may finalize, accept, or execute a contract or binding agreement. All contracts within scope must pass legal and authority policy review before execution, regardless of whether initiation was AI-assisted or human-initiated.",
        "threat": {
          "context": "AI systems that can initiate or accept contracts autonomously may do so at a speed that bypasses mandatory review gates, creating binding obligations under terms that have not been evaluated for authority policy compliance, legal risk, or financial exposure.",
          "tags": [
            "unauthorized-commitment",
            "policy-bypass",
            "commitment-without-authority"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_800_53",
            "section": "SA-4",
            "title": "Acquisition Process"
          },
          {
            "id": "iso_42001",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          }
        ],
        "sources": [
          {
            "id": "src-pr04-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PR-04 Contract Review Gate Compliance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr04-2",
            "title": "NIST SP 800-53 Rev 5 \u2014 Acquisition Process",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Acquisition Process requirements informing the apeiris://authority/controls/PR-04 Contract Review Gate Compliance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr04-3",
            "title": "ISO 42001 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001 AI Management Systems requirements informing the apeiris://authority/controls/PR-04 Contract Review Gate Compliance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr04-4",
            "title": "ACC Legal Operations Contract Management Best Practices",
            "authority": "Association of Corporate Counsel",
            "source_type": "framework",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.acc.com/legalops",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "acc_legal_ops_contract_mgmt",
            "relationship": "informative_reference",
            "rationale": "Establishes ACC Legal Operations Contract Management Best Practices requirements informing the apeiris://authority/controls/PR-04 Contract Review Gate Compliance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PR-04 Contract Review Gate Compliance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PR-04 Contract Review Gate Compliance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PR-04 Contract Review Gate Compliance control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Technical enforcement layer that intercepts contract finalization events from AI systems and holds execution pending completion of all required review gates, with no bypass path available to the AI system.",
          "steps": [
            "Identify all paths by which AI systems can initiate or complete contract execution and implement a technical interception layer on each path that holds the action pending review gate completion",
            "Define the mandatory review gate sequence \u2014 legal review, authority policy check, CFO approval for above-threshold commitments \u2014 with documented approver roles, SLAs, and escalation paths for delayed approvals",
            "Log all contract execution holds, approvals, rejections, and elapsed review times in an immutable audit log reviewed monthly by Contract Management and General Counsel"
          ],
          "anti_patterns": [
            "Implementing review gates as advisory prompts that AI systems or users can dismiss rather than as hard technical holds",
            "Defining review gates only for new contracts while permitting AI auto-renewal of existing contracts without re-review"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that all AI contract execution paths are intercepted by the technical enforcement layer with no bypass routes",
            "Confirm that the review gate sequence is defined with documented approver roles, SLAs, and escalation paths",
            "Validate that the contract execution hold log is immutable and reviewed monthly"
          ],
          "runtime_tests": [
            "Trigger an AI contract execution attempt and verify the enforcement layer holds execution and initiates the review gate sequence",
            "Attempt to bypass the review gate by direct API call and verify the enforcement layer blocks the attempt and logs it as an anomaly",
            "Test an auto-renewal scenario and confirm it triggers the review gate sequence before the renewal executes"
          ],
          "evidence": [
            "config:contract-execution-enforcement-layer-config",
            "log:contract-execution-hold-and-approval-log",
            "doc:review-gate-sequence-and-approver-matrix",
            "test:review-gate-bypass-attempt-test-results"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Contract review gate compliance is the legal control that prevents AI systems from creating binding obligations before legal review has confirmed compliance, authority, and term acceptability.",
            "actions": [
              "Confirm General Counsel review is a mandatory gate in the review sequence for all contracts above defined value or term length thresholds",
              "Review the contract execution hold log monthly for patterns indicating AI systems are repeatedly attempting to bypass review gates"
            ],
            "failure_signals": [
              "An AI system executed a contract before the mandatory General Counsel review gate was completed",
              "The contract execution hold log shows AI systems repeatedly reaching the gate without having completed pre-gate authority checks"
            ]
          },
          "cfo_procurement": {
            "summary": "Contract review gates prevent AI systems from executing contracts that create unbudgeted financial commitments; the CFO approval gate for above-threshold commitments is the financial control point.",
            "actions": [
              "Confirm the CFO approval gate is active and enforced for all contracts above defined financial thresholds",
              "Review monthly hold log reports for contracts approaching the CFO approval threshold to anticipate pipeline review volume"
            ],
            "failure_signals": [
              "A contract above the CFO approval threshold was executed by an AI system without a recorded CFO approval in the gate log",
              "CFO approval gate SLAs are regularly breached, creating backlogs that pressure the review process"
            ]
          },
          "risk_officer": {
            "summary": "The contract review gate enforcement rate is a critical risk indicator; any gate bypass event represents a control failure with direct liability exposure.",
            "actions": [
              "Track the gate bypass attempt rate as a KRI and investigate every attempted bypass within four hours of detection",
              "Include contract review gate effectiveness in the quarterly AI risk review"
            ],
            "failure_signals": [
              "A contract was executed by an AI system without a completed gate sequence",
              "Gate bypass attempt rate shows an upward trend across consecutive reporting periods"
            ]
          },
          "grc_auditor": {
            "summary": "The contract execution hold and approval log is the primary audit artifact demonstrating that all AI contract executions were subject to mandatory review before binding obligations were created.",
            "actions": [
              "Reconcile the contract execution log against the hold and approval log for the audit period to confirm no executions bypassed the gate sequence",
              "Review elapsed review times in the hold log to assess whether SLA compliance creates pressure that leads to inadequate reviews",
              "Test the enforcement layer by simulating direct API contract execution attempts"
            ],
            "failure_signals": [
              "A contract execution record lacks a corresponding hold and approval record in the gate log",
              "Elapsed review times consistently approach or exceed SLA limits, suggesting review quality risk"
            ],
            "metrics": [
              "Gate compliance rate: % of AI contract executions with a complete gate sequence record (target: 100%)",
              "Bypass attempt rate: number of detected gate bypass attempts per quarter (target: 0)",
              "Gate SLA compliance: % of review gates completed within the defined SLA (target: \u226595%)"
            ]
          },
          "board_governance": {
            "summary": "Contract review gate compliance provides the board with assurance that AI systems cannot create binding obligations without the human oversight the board has mandated.",
            "actions": [
              "Confirm the contract review gate sequence is reviewed and approved by General Counsel and CFO annually",
              "Require disclosure to the audit committee of any gate bypass event that resulted in an executed contract"
            ],
            "failure_signals": [
              "A gate bypass event resulted in an executed contract without mandatory human review",
              "The contract review gate sequence has not been reviewed in the last 12 months"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "A mandatory contract review gate before execution is operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A mandatory contract review gate before execution is operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Holding AI contract execution pending review is operational planning under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Holding AI contract execution pending review is operational planning under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SA-4",
            "title": "Acquisition Process",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Mandatory legal and authority review before contract execution reflects SA-4 acquisition-process requirements, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Mandatory legal and authority review before contract execution reflects SA-4 acquisition-process requirements, partially.",
            "requirement_id": "SA-4 \u2014 Acquisition Process",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 2.3",
            "title": "Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "CFO approval within the review gate routes above-threshold decisions to leadership, partially addressing GOVERN 2.3.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "CFO approval within the review gate routes above-threshold decisions to leadership, partially addressing GOVERN 2.3.",
            "requirement_id": "GOVERN 2.3 \u2014 Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Artifact \u2014 Contract Review Gate Documentation",
            "rationale": "AWS Artifact provides on-demand access to compliance documentation, certifications, and AWS agreements that constitute required artifacts for AI system contract review gates. The compliance reports and Data Processing Addenda available through Artifact provide the technical and legal documentation required to complete contract review gate compliance checks before AI deployment approval.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "AWS Artifact supplies compliance documents used in review but does not itself gate AI contract execution.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Standard v2 \u2014 Goal A1: Impact Assessment (Pre-Deployment Review)",
            "rationale": "Microsoft's Responsible AI Impact Assessment (Goal A1) must be completed and reviewed before production deployment, providing a documented pre-deployment review gate. The same gating pattern supports contract review gates: deployment proceeds only after the required review artifact exists and is approved.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "The RAI pre-deployment review gate shares the require-review-before-proceed pattern, partially aligning with contract review gates.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Security Foundations Blueprint \u2014 Pre-Deployment Constraint Verification",
            "rationale": "Google Cloud's security foundations blueprint \u2014 together with the secure-by-default organization policies enforced on newly created organizations \u2014 defines a baseline set of constraints that should be in place before AI systems go live. Organizations can use organization policy status against this baseline as evidence for pre-deployment review gates.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Org Policy status against the secure-baseline blueprint can evidence pre-deployment review gates, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "contract-ai",
          "procurement-ai"
        ],
        "implementers": [
          "General Counsel",
          "Contract Management",
          "Procurement"
        ],
        "validation_objective": "All AI-assisted or AI-initiated contract execution attempts must be intercepted by a technical enforcement layer that holds execution pending completion of the full mandatory review gate sequence, with no bypass path available to the AI system. Every contract execution in the production environment must have a corresponding hold-and-approval record documenting completion of legal review, authority policy check, and CFO approval for above-threshold commitments before the contract was finalized.",
        "evidence_required": [
          "contract_execution_hold_and_approval_log (immutable) showing each AI contract execution attempt, hold timestamp, review gate sequence steps completed with approver identity and timestamp for each step, and final execution or rejection outcome",
          "contract_execution_enforcement_layer_config documenting all AI contract execution paths with interception points and confirming no bypass routes exist",
          "review_gate_sequence_and_approver_matrix defining mandatory gate steps, approver roles, response SLAs, and escalation paths for delayed approvals",
          "bypass_attempt_detection_log showing any direct API contract execution attempts detected, with alert delivery records and investigation outcomes"
        ],
        "machine_tests": [
          "Trigger an AI contract execution API call \u2192 assert enforcement layer intercepts and holds execution with hold_id assigned and review gate sequence initiated before any commitment is created",
          "Attempt direct API contract execution bypassing the enforcement layer \u2192 assert the attempt is blocked with error_code=review_gate_required and logged as an anomaly",
          "Simulate an AI auto-renewal scenario \u2192 assert renewal triggers the review gate sequence and cannot complete without gate sequence completion",
          "Allow a CFO approval gate to exceed its defined SLA without response \u2192 assert escalation path fires and escalation_timestamp is recorded in the hold log"
        ],
        "human_review": [
          "Reconcile contract execution records against the hold-and-approval log for the audit period to identify any executions that lack a complete gate sequence record",
          "Review elapsed review times in the hold log to assess whether SLA compliance is creating time pressure that may be compromising the quality of review decisions",
          "Assess the enforcement layer architecture to confirm all AI contract execution paths are intercepted, including any edge paths created by new AI system deployments since the last architecture review"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Implementing contract review gates as advisory prompts within the AI system's interface that a human user can dismiss or acknowledge without actual legal review being completed",
          "Defining review gates only for net-new contracts while treating AI auto-renewals of existing contracts as exempt from the mandatory gate sequence",
          "Routing review gate notifications to a shared inbox or group alias rather than a named approver with a documented response SLA, creating accountability gaps when the inbox is unmonitored",
          "Building the contract execution enforcement layer inside the AI system's own logic, allowing the system to theoretically modify or bypass the gate check",
          "Logging only the final contract execution outcome without recording each review gate step, approver identity, and approval timestamp, making it impossible to audit whether the full gate sequence was completed"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PR"
      },
      {
        "id": "PR-05",
        "name": "SLA Commitment Governance",
        "canonical_id": "apeiris://authority/controls/PR-05",
        "layer": "PR",
        "prefix": "PR",
        "plane": "both",
        "capability_risk": {
          "capability_level": "elevated"
        },
        "baseline": false,
        "plain": "Govern AI system commitments to service level agreement terms \u2014 including availability targets, response time guarantees, and penalty clauses \u2014 ensuring that no SLA commitment is made or accepted autonomously by an AI system without explicit authority approval and financial risk review.",
        "threat": {
          "context": "AI systems participating in contract negotiation or vendor management may accept SLA terms that impose penalty clauses, availability guarantees, or remediation obligations that exceed the organization's risk appetite. At machine speed, multiple conflicting or stacked SLA commitments can accumulate before human oversight triggers.",
          "tags": [
            "unauthorized-commitment",
            "commitment-without-authority",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_800_53",
            "section": "SA-4",
            "title": "Acquisition Process"
          },
          {
            "id": "soc2",
            "section": "A1.1",
            "title": "Capacity management and monitoring"
          }
        ],
        "sources": [
          {
            "id": "src-pr05-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PR-05 SLA Commitment Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr05-2",
            "title": "NIST SP 800-53 Rev 5 \u2014 Acquisition Process",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Acquisition Process requirements informing the apeiris://authority/controls/PR-05 SLA Commitment Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr05-3",
            "title": "AICPA SOC 2 Trust Services Criteria \u2014 Availability",
            "authority": "American Institute of Certified Public Accountants",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "TSC 2017",
            "published_on": "2017-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "aicpa-soc2",
            "relationship": "normative_requirement",
            "rationale": "Establishes AICPA SOC 2 Trust Services Criteria \u2014 Availability requirements informing the apeiris://authority/controls/PR-05 SLA Commitment Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr05-4",
            "title": "ITIL 4 \u2014 Service Level Management",
            "authority": "Axelos Limited",
            "source_type": "framework",
            "normative_force": "best-practice",
            "version": "4",
            "published_on": "2019-02-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.axelos.com/certifications/itil-service-management",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "itil4_service_level_mgmt",
            "relationship": "informative_reference",
            "rationale": "Establishes ITIL 4 \u2014 Service Level Management requirements informing the apeiris://authority/controls/PR-05 SLA Commitment Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PR-05 SLA Commitment Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PR-05 SLA Commitment Governance control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PR-05 SLA Commitment Governance control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "SLA commitment classification engine that categorizes proposed SLA terms by risk tier, with hard blocks for AI acceptance of terms above the approved risk tier and mandatory CFO and General Counsel review for elevated-tier commitments.",
          "steps": [
            "Define an SLA risk tier taxonomy classifying SLA term types \u2014 availability targets, penalty clauses, remediation obligations \u2014 by financial exposure and operational risk, with maximum values approved by CFO and General Counsel for each tier",
            "Implement an SLA commitment classification engine that evaluates proposed SLA terms before AI system acceptance and blocks acceptance of any term exceeding the approved maximum for its risk tier",
            "Require CFO and General Counsel joint approval before any AI system may accept an elevated-tier SLA commitment, with all such approvals logged with the accepted terms and approval timestamp"
          ],
          "anti_patterns": [
            "Permitting AI systems to accept or propose SLA terms in real time without pre-classification against the approved risk tier taxonomy",
            "Setting SLA commitment limits only in natural language policy without a technical enforcement mechanism that the AI system cannot override"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify the SLA risk tier taxonomy covers all SLA term types relevant to the organization's AI system use cases, with approved maximums for each tier",
            "Confirm the SLA commitment classification engine is integrated into all AI contract negotiation and vendor management paths",
            "Validate that the CFO and General Counsel joint approval gate is technically enforced for elevated-tier commitments, not advisory"
          ],
          "runtime_tests": [
            "Present an AI system with a proposed SLA term that exceeds the approved maximum for its risk tier and verify the classification engine blocks acceptance",
            "Test an elevated-tier SLA commitment scenario and confirm it cannot proceed without documented CFO and General Counsel approval",
            "Review the SLA commitment log for the audit period and verify all accepted SLA terms are within approved tier maximums"
          ],
          "evidence": [
            "doc:sla-risk-tier-taxonomy-current",
            "log:sla-commitment-classification-and-approval-log",
            "config:sla-classification-engine-config",
            "authority:cfo-general-counsel-sla-commitment-approvals"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "SLA commitment governance prevents AI systems from accepting penalty clauses or remediation obligations that create legal liability exceeding the organization's documented risk appetite.",
            "actions": [
              "Review and approve the SLA risk tier taxonomy annually and ensure penalty clause parameters reflect current legal risk tolerance",
              "Co-approve all elevated-tier SLA commitments before AI system acceptance"
            ],
            "failure_signals": [
              "An AI system accepted an SLA penalty clause that exceeded the approved maximum without a recorded joint approval",
              "The SLA risk tier taxonomy was not updated following a change in the organization's legal risk tolerance"
            ]
          },
          "cfo_procurement": {
            "summary": "SLA penalty clauses and remediation obligations represent contingent financial liabilities; AI acceptance of elevated-tier SLA terms without CFO review creates unbudgeted exposure.",
            "actions": [
              "Confirm that maximum SLA commitment values in the risk tier taxonomy are aligned with CFO-approved financial risk parameters",
              "Co-approve all elevated-tier SLA commitments before AI system acceptance and track cumulative SLA liability exposure quarterly"
            ],
            "failure_signals": [
              "An AI system accepted SLA terms creating contingent financial liability exceeding CFO-approved limits",
              "Cumulative SLA liability from AI-accepted commitments was not reported in the quarterly financial risk review"
            ]
          },
          "risk_officer": {
            "summary": "Elevated capability risk rating reflects the potential for rapid accumulation of SLA obligations at machine speed; classification engine coverage and tier breach rate are the key risk indicators.",
            "actions": [
              "Track SLA tier breach attempts as a KRI and investigate any blocked elevated-tier commitment within 24 hours",
              "Include cumulative AI-accepted SLA liability in the quarterly risk dashboard"
            ],
            "failure_signals": [
              "The SLA classification engine is not integrated into all AI contract negotiation paths",
              "Cumulative AI-accepted SLA liability is not tracked or reported in the quarterly risk review"
            ]
          },
          "grc_auditor": {
            "summary": "The SLA commitment classification and approval log is the primary audit artifact demonstrating that AI-accepted SLA terms were within approved risk parameters and subject to required human approval for elevated commitments.",
            "actions": [
              "Review all AI-accepted SLA commitments during the audit period against the risk tier taxonomy to verify none exceeded approved maximums without joint approval",
              "Confirm that all elevated-tier SLA commitments have documented CFO and General Counsel co-approval in the log",
              "Test the classification engine by submitting known elevated-tier SLA terms and verifying they are blocked"
            ],
            "failure_signals": [
              "An AI-accepted SLA commitment exceeds the approved tier maximum without a recorded joint approval",
              "The SLA commitment classification log has gaps during the audit period"
            ],
            "metrics": [
              "SLA tier compliance rate: % of AI-accepted SLA commitments within approved tier maximums (target: 100%)",
              "Elevated-tier approval rate: % of elevated-tier SLA commitments with documented joint approval (target: 100%)",
              "Taxonomy review currency: SLA risk tier taxonomy reviewed within the last 12 months (target: true)"
            ]
          },
          "board_governance": {
            "summary": "SLA commitment governance provides the board with assurance that AI systems cannot autonomously accumulate contingent liabilities from SLA penalty clauses beyond board-approved risk appetite.",
            "actions": [
              "Request quarterly reporting on cumulative AI-accepted SLA liability against approved risk appetite thresholds",
              "Confirm the SLA risk tier taxonomy is reviewed and approved by CFO and General Counsel annually and reported to the audit committee"
            ],
            "failure_signals": [
              "Cumulative AI-accepted SLA liability has not been reported to the board in the last quarter",
              "An elevated-tier SLA commitment was accepted without disclosure to the audit committee"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Classifying and gating SLA-term acceptance is operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Classifying and gating SLA-term acceptance is operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SA-4",
            "title": "Acquisition Process",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Governing acceptance of SLA terms reflects SA-4 acquisition-process requirements, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Governing acceptance of SLA terms reflects SA-4 acquisition-process requirements, partially.",
            "requirement_id": "SA-4 \u2014 Acquisition Process",
            "relation": "equivalent_to"
          },
          {
            "framework": "soc2",
            "ref": "A1.1",
            "title": "Capacity management and monitoring",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "SLA commitment governance concerns approving SLA terms, distinct from the capacity management A1.1 addresses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "SLA commitment governance concerns approving SLA terms, distinct from the capacity management A1.1 addresses.",
            "requirement_id": "A1.1 \u2014 Capacity management and monitoring",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "SLA classification and blocking above-tier acceptance is operational planning under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "SLA classification and blocking above-tier acceptance is operational planning under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Service Level Agreements + CloudWatch \u2014 SLA Governance",
            "rationale": "AWS Service Level Agreements (accessible through AWS Artifact) define the commitment baseline for AI infrastructure services. AWS CloudWatch and Config enable continuous monitoring of SLA-relevant service metrics, detecting potential breaches before they are confirmed violations. Audit Manager can map SLA compliance monitoring evidence to contractual commitment governance requirements.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "AWS SLAs and CloudWatch monitor infrastructure SLA metrics, related to but not the authority-gating of AI SLA commitments.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud SLA Terms + Assured Workloads \u2014 Commitment Enforcement",
            "rationale": "Google Cloud SLA terms for AI services (Vertex AI, Gemini) define commitment boundaries that are enforced through service-level constraints in Assured Workloads environments. Organization Policy constraints ensure that AI deployment configurations remain within the conditions required for SLA applicability, preventing configurations that would void SLA commitments.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "Constraints keeping configs within SLA-applicability conditions differ from governing AI acceptance of SLA commitments.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure SLA + Azure Monitor \u2014 SLA Commitment Monitoring",
            "rationale": "Azure Service Level Agreements integrate with Azure Monitor alert rules for SLA compliance monitoring and early breach detection. For AI workloads, SLA commitment governance requires configuring Monitor alert thresholds below SLA boundaries to provide warning periods before SLA violations occur, enabling proactive commitment governance rather than reactive breach response.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "Azure SLA monitoring detects breaches but does not gate AI acceptance of SLA commitment terms.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "consequential-commitment",
          "procurement-ai",
          "contract-ai"
        ],
        "implementers": [
          "Procurement",
          "General Counsel",
          "CFO"
        ],
        "validation_objective": "Every AI system participating in SLA commitment acceptance must classify all proposed SLA terms against the approved risk tier taxonomy before acceptance, and any term exceeding the approved maximum for its risk tier must be technically blocked from AI acceptance pending CFO and General Counsel joint approval. The SLA commitment classification log must document every term evaluated, its tier classification, and the block-or-proceed outcome; elevated-tier commitments must each have a documented joint approval record before acceptance.",
        "evidence_required": [
          "sla_risk_tier_taxonomy document showing SLA term type classifications, maximum approved values per tier, and documented CFO and General Counsel co-approval with effective date",
          "sla_commitment_classification_and_approval_log showing each SLA term evaluated, its tier classification, block or proceed outcome, and for elevated-tier terms the joint approval record with approver identities and timestamps",
          "sla_classification_engine_config confirming integration with all AI contract negotiation and vendor management paths with no bypass routes",
          "cfo_general_counsel_joint_approval_records for all elevated-tier SLA commitments accepted during the review period"
        ],
        "machine_tests": [
          "Submit proposed SLA penalty clause with a value exceeding the approved maximum for its risk tier \u2192 assert classification engine blocks acceptance and routes to CFO and General Counsel for joint approval before any commitment is recorded",
          "Submit proposed SLA term within the approved tier maximum \u2192 assert classification engine permits acceptance and logs the term with tier_classification, tier_max, and accepted_at timestamp",
          "Initiate an AI contract negotiation session on a path without SLA classification engine integration \u2192 assert the session is blocked with error_code=sla_governance_not_configured",
          "Accept multiple SLA commitments in sequence \u2192 assert cumulative SLA liability is tracked and reflected in the quarterly risk dashboard export"
        ],
        "human_review": [
          "Review the SLA risk tier taxonomy against current CFO-approved financial risk parameters to verify tier maximum values are current and reflect the organization's actual risk appetite",
          "Assess a sample of elevated-tier SLA commitment approval records to confirm joint CFO and General Counsel co-approval was obtained before acceptance, not ratified after the fact",
          "Verify the cumulative AI-accepted SLA liability tracker is reported in the quarterly financial risk review and reconciles with the SLA commitment classification log"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Setting SLA commitment limits only in natural language policy documents or system prompts without a separate technical classification engine that evaluates terms before acceptance and cannot be overridden by the AI system",
          "Allowing the AI system to propose or accept SLA terms in real-time negotiation before classification against the risk tier taxonomy, treating classification as a post-acceptance review step",
          "Approving elevated-tier SLA commitments through email chains rather than a workflow that requires affirmative CFO and General Counsel approval before the AI system can complete acceptance",
          "Failing to track cumulative SLA liability across all AI-accepted commitments, evaluating each commitment in isolation without awareness of stacked penalty exposure",
          "Reviewing the SLA risk tier taxonomy infrequently, leaving AI systems operating against tier maximums that no longer reflect current financial risk tolerance or delegation of authority limits"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PR"
      },
      {
        "id": "PR-06",
        "name": "AI in Contract Negotiation Controls",
        "canonical_id": "apeiris://authority/controls/PR-06",
        "layer": "PR",
        "prefix": "PR",
        "plane": "both",
        "capability_risk": {
          "capability_level": "elevated"
        },
        "baseline": false,
        "plain": "Establish explicit controls governing AI system participation in contract negotiation, including limits on what positions AI systems may propose or accept, mandatory human co-presence for material negotiation events, and logging of all AI-generated negotiation outputs before they are communicated to counterparties.",
        "threat": {
          "context": "AI systems participating in contract negotiation can generate positions, concessions, or acceptances at speeds and volumes that outpace human oversight. Without explicit controls, AI negotiation outputs may commit the organization to terms that exceed authority limits, introduce intent drift from originally approved negotiation parameters, or create reputational harm through unauthorized representations.",
          "tags": [
            "unauthorized-commitment",
            "commitment-without-authority",
            "intent-drift"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a78.1",
            "title": "Operational planning and control"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 2.3",
            "title": "Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment"
          },
          {
            "id": "nist_800_53",
            "section": "SA-4",
            "title": "Acquisition Process"
          }
        ],
        "sources": [
          {
            "id": "src-pr06-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PR-06 AI in Contract Negotiation Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr06-2",
            "title": "NIST AI Risk Management Framework",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI Risk Management Framework requirements informing the apeiris://authority/controls/PR-06 AI in Contract Negotiation Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr06-3",
            "title": "NIST SP 800-53 Rev 5 \u2014 Acquisition Process",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Acquisition Process requirements informing the apeiris://authority/controls/PR-06 AI in Contract Negotiation Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr06-4",
            "title": "World Commerce and Contracting AI in Contracting Guidelines",
            "authority": "Association of Corporate Counsel",
            "source_type": "framework",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.acc.com/legalops",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "acc_legal_ops_contract_mgmt",
            "relationship": "informative_reference",
            "rationale": "Establishes World Commerce and Contracting AI in Contracting Guidelines requirements informing the apeiris://authority/controls/PR-06 AI in Contract Negotiation Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PR-06 AI in Contract Negotiation Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PR-06 AI in Contract Negotiation Controls control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PR-06 AI in Contract Negotiation Controls control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Negotiation parameter envelope pre-approved by General Counsel, with AI outputs logged and reviewed before counterparty communication, and mandatory human co-presence for any negotiation event that approaches envelope boundaries.",
          "steps": [
            "Before any AI-assisted negotiation begins, require General Counsel to approve a negotiation parameter envelope specifying the range of positions the AI system is authorized to propose or accept, including fallback positions and hard limits",
            "Implement output logging that captures all AI-generated negotiation positions, concessions, and acceptances before they are communicated to the counterparty, with a mandatory human review hold for outputs approaching envelope boundaries",
            "Require human co-presence for all negotiation events where AI outputs approach or reach the approved envelope boundary, with the human reviewer's approval logged before the AI output is transmitted"
          ],
          "anti_patterns": [
            "Allowing AI systems to communicate negotiation positions directly to counterparties without pre-transmission logging and review",
            "Defining negotiation parameter envelopes informally in system prompts rather than in a versioned, General Counsel-approved document"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify a negotiation parameter envelope exists for each AI-assisted negotiation engagement, with General Counsel approval documented before the negotiation begins",
            "Confirm pre-transmission logging is implemented on all AI negotiation output paths with no bypass routes",
            "Validate that human co-presence is technically enforced for outputs approaching envelope boundaries, not only advisory"
          ],
          "runtime_tests": [
            "Generate an AI negotiation output that approaches the envelope boundary and verify the mandatory human review hold is placed before transmission",
            "Attempt to transmit an AI negotiation output without pre-transmission logging and verify the attempt is blocked",
            "Review the negotiation output log for a completed AI-assisted negotiation and confirm all AI positions are logged with transmission timestamps and reviewer approvals"
          ],
          "evidence": [
            "doc:negotiation-parameter-envelope-current",
            "log:ai-negotiation-output-log",
            "authority:general-counsel-negotiation-envelope-approvals",
            "test:pre-transmission-hold-test-results"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "AI in contract negotiation requires General Counsel to define the parameter envelope in advance \u2014 a pre-approved boundary within which AI may operate, not a post-hoc review of what AI actually said.",
            "actions": [
              "Approve the negotiation parameter envelope before each AI-assisted negotiation engagement and confirm it reflects current legal strategy and authority limits",
              "Review the negotiation output log after each engagement to confirm AI outputs remained within the approved envelope"
            ],
            "failure_signals": [
              "An AI system communicated a negotiation position to a counterparty that exceeded the approved parameter envelope",
              "A negotiation engagement began without a General Counsel-approved parameter envelope"
            ]
          },
          "cfo_procurement": {
            "summary": "The negotiation parameter envelope must include explicit financial position limits; AI systems that can propose concessions on price, payment terms, or penalty structures without financial controls create uncapped exposure.",
            "actions": [
              "Confirm that financial position limits in the negotiation parameter envelope are consistent with CFO-approved authority thresholds",
              "Review AI negotiation output logs for financial concessions to verify they remained within approved parameters"
            ],
            "failure_signals": [
              "An AI system proposed a financial concession in excess of the CFO-approved limit in its negotiation parameter envelope",
              "Financial position limits were absent from the negotiation parameter envelope"
            ]
          },
          "risk_officer": {
            "summary": "Elevated capability risk rating reflects the potential for AI systems to generate unauthorized positions or create intent drift in negotiation at a pace that human oversight cannot follow without structural controls.",
            "actions": [
              "Track negotiation parameter envelope boundary approaches as a KRI and investigate every case where an AI output reached the envelope limit within 24 hours",
              "Include AI-assisted negotiation controls in the quarterly risk review"
            ],
            "failure_signals": [
              "An AI negotiation output exceeded the approved parameter envelope before the human review hold fired",
              "Envelope boundary approach events are increasing across consecutive reporting periods"
            ]
          },
          "grc_auditor": {
            "summary": "Negotiation parameter envelopes and AI negotiation output logs are the primary audit artifacts demonstrating that AI participation in contract negotiation remained within approved authority limits.",
            "actions": [
              "Review all AI-assisted negotiation engagements during the audit period and verify each has a General Counsel-approved parameter envelope on file",
              "Sample AI negotiation output logs against the approved envelopes to confirm no transmitted outputs exceeded approved parameters",
              "Verify that pre-transmission holds and human reviewer approvals are documented in the output log"
            ],
            "failure_signals": [
              "An AI-assisted negotiation engagement lacks a General Counsel-approved parameter envelope",
              "The negotiation output log shows outputs transmitted without a corresponding pre-transmission hold record"
            ],
            "metrics": [
              "Envelope coverage: % of AI-assisted negotiation engagements with a General Counsel-approved parameter envelope (target: 100%)",
              "Pre-transmission compliance: % of AI negotiation outputs with a logged pre-transmission hold and review record (target: 100%)",
              "Envelope breach rate: % of AI negotiation outputs that exceeded approved envelope parameters (target: 0%)"
            ]
          },
          "board_governance": {
            "summary": "AI participation in contract negotiation requires explicit board-level awareness; the board must confirm that AI negotiation capabilities are bounded by governance controls that protect the organization from unauthorized representations.",
            "actions": [
              "Require annual disclosure to the audit committee of all AI-assisted negotiation programs, including the scope of AI negotiation authority",
              "Confirm that General Counsel-approved negotiation parameter envelopes are reviewed at the board level for material negotiation engagements"
            ],
            "failure_signals": [
              "Material negotiation engagements involving AI systems were not disclosed to the audit committee",
              "The board learns of a negotiation liability event originating from an AI output that exceeded its approved parameter envelope"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "A GC-approved negotiation envelope with output logging is operational control under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A GC-approved negotiation envelope with output logging is operational control under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 2.3",
            "title": "Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "GC-approved negotiation parameters route authority to leadership, partially addressing GOVERN 2.3.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "GC-approved negotiation parameters route authority to leadership, partially addressing GOVERN 2.3.",
            "requirement_id": "GOVERN 2.3 \u2014 Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SA-4",
            "title": "Acquisition Process",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Controlling AI negotiation positions is part of the acquisition process, partially reflecting SA-4.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Controlling AI negotiation positions is part of the acquisition process, partially reflecting SA-4.",
            "requirement_id": "SA-4 \u2014 Acquisition Process",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a78.1",
            "title": "Operational planning and control",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Negotiation envelope and pre-transmission review are operational planning under \u00a78.1, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Negotiation envelope and pre-transmission review are operational planning under \u00a78.1, partially.",
            "requirement_id": "\u00a78.1 \u2014 Operational planning and control",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "Anthropic Usage Policy + Claude's Constitution \u2014 Human Oversight for Consequential Use",
            "rationale": "Anthropic's Usage Policy contains no negotiation-specific provision; it does require human oversight for high-risk and consequential automated decisions, and Claude's Constitution frames Claude as operating within operator-granted permissions. For contract negotiation deployments this supports restricting the agent to advisory drafting roles, with human approval required before any position becomes a commitment.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "The AUP and Constitution require human oversight for consequential use, supporting advisory-only negotiation as an analog, not the control.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Standard v2 \u2014 Goal A5: Human Oversight and Control",
            "rationale": "Microsoft's Responsible AI Standard v2 contains no negotiation-specific provision. Goal A5 requires that AI systems be designed so humans retain effective oversight and control over consequential decisions, which supports treating AI-generated negotiation outputs as advisory recommendations subject to human approval before any commitment is made.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "RAI Goal A5 human-oversight design supports treating AI negotiation outputs as advisory pending human approval, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "contract-ai",
          "procurement-ai"
        ],
        "implementers": [
          "General Counsel",
          "Contract Management",
          "AI Engineering"
        ],
        "validation_objective": "Every AI system participating in contract negotiation must operate within a General Counsel-approved negotiation parameter envelope established before the engagement begins, and all AI-generated negotiation outputs must be logged before transmission to counterparties. Any output approaching or reaching the approved envelope boundary must trigger a mandatory human review hold that technically prevents transmission until the reviewer approves.",
        "evidence_required": [
          "negotiation_parameter_envelope document for each AI-assisted negotiation engagement with General Counsel approval signature, approval date, defined fallback positions, and hard limits by position type",
          "ai_negotiation_output_log (pre-transmission) showing all AI-generated positions with generation timestamp, envelope proximity indicator, hold status, and human reviewer identity and approval timestamp for outputs at or near envelope boundary",
          "general_counsel_negotiation_envelope_approvals confirming approval was granted before each engagement commenced",
          "pre_transmission_hold_test_results demonstrating the technical hold fires before transmission for outputs at envelope boundary and cannot be bypassed by the AI system"
        ],
        "machine_tests": [
          "Generate AI negotiation output that reaches 95% of the financial limit in the approved parameter envelope \u2192 assert mandatory human review hold is placed and transmission is blocked pending explicit reviewer approval",
          "Attempt to transmit an AI negotiation output without a pre-transmission log entry \u2192 assert transmission is blocked with error_code=pre_transmission_logging_required",
          "Initiate AI-assisted negotiation without a General Counsel-approved parameter envelope on file \u2192 assert the session is blocked with error_code=no_approved_envelope",
          "Generate AI negotiation output within the approved envelope \u2192 assert output is logged with transmission_approved=auto and delivered to counterparty within defined SLA"
        ],
        "human_review": [
          "Verify General Counsel-approved negotiation parameter envelopes exist and were approved before each AI-assisted negotiation engagement commenced during the audit period",
          "Review a sample of AI negotiation output logs against the corresponding approved envelopes to confirm no transmitted outputs exceeded approved financial or term-level parameters",
          "Assess the pre-transmission hold architecture to confirm it is implemented at a layer the AI system cannot bypass, and review reviewer approval records for hold events to assess review quality"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Defining negotiation parameter envelopes informally in system prompts or model configuration where they can be modified between sessions without General Counsel re-approval",
          "Allowing AI systems to communicate negotiation positions directly to counterparties through integrated communication tools without a mandatory pre-transmission logging and hold layer",
          "Treating the human review hold for envelope-boundary outputs as advisory, permitting AI systems to transmit after a timeout if no reviewer response is received rather than requiring affirmative approval",
          "Failing to version or retain negotiation parameter envelopes after each engagement, making it impossible to audit whether AI outputs were within the approved envelope current at the time of transmission",
          "Setting a single negotiation parameter envelope for all contract types rather than engagement-specific envelopes that reflect the legal and financial parameters of the specific transaction"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PR"
      },
      {
        "id": "PR-07",
        "name": "Contract Obligation Monitoring",
        "canonical_id": "apeiris://authority/controls/PR-07",
        "layer": "PR",
        "prefix": "PR",
        "plane": "both",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Monitor ongoing obligations under active contracts in real time to ensure AI systems do not take actions that would constitute a breach, and to alert human reviewers when contractual milestones, deadlines, or constraints are approaching. Obligation monitoring feeds directly into AI authority constraint updates when contract terms change.",
        "threat": {
          "context": "AI systems acting across a portfolio of active contracts may inadvertently trigger breach conditions \u2014 missing delivery milestones, exceeding usage caps, or violating exclusivity clauses \u2014 because contract obligations are not actively monitored and fed back into AI authority constraints at runtime.",
          "tags": [
            "contract-violation",
            "authority-limit-breach",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_800_53",
            "section": "SA-9",
            "title": "External System Services"
          },
          {
            "id": "coso_erm",
            "section": "Principle 13",
            "title": "Implements Risk Responses"
          }
        ],
        "sources": [
          {
            "id": "src-pr07-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PR-07 Contract Obligation Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr07-2",
            "title": "NIST SP 800-53 Rev 5 \u2014 External System Services",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 External Information System Services requirements informing the apeiris://authority/controls/PR-07 Contract Obligation Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr07-3",
            "title": "COSO Enterprise Risk Management Framework",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management Framework requirements informing the apeiris://authority/controls/PR-07 Contract Obligation Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr07-4",
            "title": "ISO 42001 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001 AI Management Systems requirements informing the apeiris://authority/controls/PR-07 Contract Obligation Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PR-07 Contract Obligation Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PR-07 Contract Obligation Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PR-07 Contract Obligation Monitoring control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Contract obligation monitoring engine that ingests obligation manifests from active contracts, tracks AI system actions against obligation constraints in real time, and generates alerts when breach risk thresholds are approached.",
          "steps": [
            "Ingest all active contract obligation manifests into the monitoring engine, including usage caps, exclusivity windows, milestone dates, and penalty trigger conditions, with automated re-ingestion on contract amendment",
            "Implement real-time tracking of AI system actions against each obligation constraint, generating breach risk alerts when an action brings the organization within 80% of a usage cap or within 5 business days of a milestone deadline",
            "Route breach risk alerts to the responsible Contract Management owner and General Counsel within one hour of detection, with an escalation path to the CRO for obligations with material financial exposure"
          ],
          "anti_patterns": [
            "Monitoring contract obligations only at scheduled review points rather than in real time against AI system actions",
            "Generating breach risk alerts without routing them to a named human owner with a documented response SLA"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify all active contract obligation manifests are ingested into the monitoring engine within 24 hours of contract execution or amendment",
            "Confirm the monitoring engine tracks AI system actions against each obligation constraint in real time, not only at scheduled intervals",
            "Validate that breach risk alert routing is configured with named owners, SLAs, and escalation paths for material obligations"
          ],
          "runtime_tests": [
            "Simulate AI system actions that bring an obligation to 85% of its usage cap and verify a breach risk alert is generated and routed within one hour",
            "Amend an active contract and confirm the monitoring engine re-ingests the updated obligation manifest within 24 hours",
            "Test the escalation path by allowing a breach risk alert to exceed its response SLA and verify the CRO escalation fires"
          ],
          "evidence": [
            "log:contract-obligation-monitoring-engine-event-log",
            "doc:breach-risk-alert-routing-matrix",
            "config:monitoring-engine-obligation-manifest-registry",
            "test:breach-risk-alert-simulation-test-results"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Contract obligation monitoring provides General Counsel with real-time awareness of breach risk conditions arising from AI system actions, enabling intervention before an obligation is violated.",
            "actions": [
              "Confirm General Counsel is a named breach risk alert recipient for all obligations with material legal exposure",
              "Review the monitoring engine's obligation manifest registry monthly to confirm all active contracts are included"
            ],
            "failure_signals": [
              "A breach condition arose from AI system actions that the monitoring engine had not detected and alerted",
              "An active contract was not represented in the obligation manifest registry at the time of a breach event"
            ]
          },
          "cfo_procurement": {
            "summary": "Breach of contract obligations can trigger penalty clauses with material financial impact; real-time obligation monitoring is the financial risk control that prevents surprise penalty exposure.",
            "actions": [
              "Confirm that financial penalty trigger conditions are included in the monitoring engine's obligation manifests for all material contracts",
              "Review quarterly monitoring reports for obligations approaching financial penalty thresholds"
            ],
            "failure_signals": [
              "A financial penalty clause was triggered by an AI action that the monitoring engine did not detect in advance",
              "Financial penalty trigger conditions were absent from the monitoring engine manifest for a material contract"
            ]
          },
          "risk_officer": {
            "summary": "The breach risk alert rate and mean alert response time are the primary risk indicators for this control; unclosed alerts represent real-time liability exposure.",
            "actions": [
              "Track open breach risk alert count and mean response time as KRIs in the quarterly risk dashboard",
              "Escalate any breach risk alert for a material financial obligation that has not been acknowledged within one hour"
            ],
            "failure_signals": [
              "Open breach risk alerts are not acknowledged within the defined SLA",
              "A breach event occurred for which a breach risk alert was not generated by the monitoring engine"
            ]
          },
          "grc_auditor": {
            "summary": "The monitoring engine event log and alert routing records are the primary audit artifacts demonstrating that contract obligation constraints were actively monitored against AI system actions.",
            "actions": [
              "Verify the monitoring engine's obligation manifest registry covers all active contracts during the audit period",
              "Review breach risk alert logs to confirm all alerts were acknowledged within SLA and have documented response records",
              "Test monitoring coverage by confirming a sample of known obligation constraints appear in the manifest registry"
            ],
            "failure_signals": [
              "An active contract during the audit period was not included in the monitoring engine manifest",
              "Breach risk alert acknowledgment SLA compliance falls below 95%"
            ],
            "metrics": [
              "Obligation manifest coverage: % of active contracts with a manifest in the monitoring engine (target: 100%)",
              "Breach risk alert acknowledgment rate: % of alerts acknowledged within the defined SLA (target: \u226595%)",
              "Breach event rate: number of contract breaches arising from AI system actions per quarter (target: 0)"
            ]
          },
          "board_governance": {
            "summary": "Contract obligation monitoring provides the board with assurance that AI system actions are tracked against the organization's contractual commitments in real time, not discovered after breach.",
            "actions": [
              "Request quarterly reporting on breach risk alert volume, acknowledgment rate, and any breach events that occurred during the period",
              "Confirm that material contract obligations are included in the monitoring engine manifest and reported to the audit committee"
            ],
            "failure_signals": [
              "A material contract breach arising from AI system actions was not detected by the monitoring engine before the breach occurred",
              "Quarterly breach risk reporting was not provided to the audit committee"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Real-time tracking of AI actions against contract obligations with breach alerts directly implements \u00a79.1 monitoring and analysis.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Real-time tracking of AI actions against contract obligations with breach alerts directly implements \u00a79.1 monitoring and analysis.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SA-9",
            "title": "External System Services",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Monitoring compliance with external contract obligations partially reflects SA-9 external-service requirements.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Monitoring compliance with external contract obligations partially reflects SA-9 external-service requirements.",
            "requirement_id": "SA-9 \u2014 External System Services",
            "relation": "equivalent_to"
          },
          {
            "framework": "coso_erm",
            "ref": "Principle 13",
            "title": "Implements risk responses",
            "principle_number": 13,
            "component_name": "Performance",
            "normative_force": "industry-framework",
            "fit": "partial",
            "fit_rationale": "Real-time breach-risk alerting is a risk response, partially implementing Principle 13.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Real-time breach-risk alerting is a risk response, partially implementing Principle 13.",
            "requirement_id": "Principle 13 \u2014 Implements risk responses",
            "relation": "informs"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Continuous monitoring of AI actions against obligation constraints directly implements \u00a79.1 monitoring and evaluation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Continuous monitoring of AI actions against obligation constraints directly implements \u00a79.1 monitoring and evaluation.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Config Continuous Compliance \u2014 Contract Obligation Monitoring",
            "rationale": "AWS Config provides continuous compliance monitoring against declared contract obligation requirements by evaluating resource configurations against custom Config rules mapped to specific contractual terms. When deployed AI system configurations drift from contract-compliant states, Config generates non-compliant findings and can trigger automated remediation workflows.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Config continuously evaluates configs against contract-mapped rules, partially implementing obligation monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Asset Inventory + Organization Policy \u2014 Ongoing Obligation Compliance Monitoring",
            "rationale": "Organization Policy has no contract awareness: obligations from contracts must first be translated into constraints. Cloud Asset Inventory monitoring and the AnalyzeOrgPolicies API then provide continuous visibility that those constraints remain in force across the hierarchy, enabling proactive obligation monitoring rather than point-in-time audit checks.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Once obligations are translated to constraints, Asset Inventory monitoring keeps them in force, partially supporting obligation monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Purview Compliance Manager \u2014 Custom Assessments for Obligation Tracking",
            "rationale": "Microsoft Purview Compliance Manager tracks compliance scores against regulatory and standards templates and generates structured evidence for audit readiness. It has no native contract-obligation model; organizations can build custom assessments whose improvement actions map to specific contract obligations, enabling continuous monitoring of obligation fulfillment and automated evidence collection for contract audit review.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Custom Compliance Manager assessments mapped to contract terms enable continuous obligation tracking, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "contract-ai",
          "procurement-ai"
        ],
        "implementers": [
          "Contract Management",
          "General Counsel",
          "Procurement"
        ],
        "validation_objective": "The contract obligation monitoring engine must have active obligation manifests for all active contracts ingested within 24 hours of execution or amendment, and must track AI system actions against each obligation constraint in real time. Breach risk alerts must be generated and routed to named human owners within one hour of detecting that an AI action has brought an obligation to 80% of a usage cap or within 5 business days of a milestone deadline.",
        "evidence_required": [
          "contract_obligation_monitoring_engine_event_log showing obligation manifest ingestion events, real-time AI action tracking records, breach risk alerts generated with timestamps, and alert routing records with acknowledgment timestamps",
          "obligation_manifest_registry confirming all active contracts are represented with their obligation constraints (usage caps, exclusivity windows, milestone dates, penalty trigger conditions) and last_ingested_at timestamps",
          "breach_risk_alert_routing_matrix showing named owner assignments, response SLAs, and escalation paths for each contract category by financial exposure level",
          "breach_risk_alert_simulation_test_results confirming alerts fire within one hour of simulated 80% usage cap and 5-business-day milestone approach events"
        ],
        "machine_tests": [
          "Simulate AI system actions that bring an active obligation to 85% of its usage cap \u2192 assert breach risk alert is generated with breach_risk=elevated and routed to named owner within one hour",
          "Amend an active contract obligation and verify the monitoring engine re-ingests the updated manifest \u2192 assert updated obligation constraints are reflected in real-time tracking within 24 hours",
          "Allow a breach risk alert to exceed its response SLA without acknowledgment \u2192 assert CRO escalation fires with escalation_timestamp recorded within the defined escalation window"
        ],
        "human_review": [
          "Verify the obligation manifest registry covers all active contracts and that amendment re-ingestion is triggered automatically rather than requiring manual intervention by Contract Management",
          "Review a sample of breach risk alert records to confirm alerts were routed to named individual owners, acknowledged within SLA, and have documented response and disposition records",
          "Assess the monitoring engine's real-time tracking coverage to confirm AI system actions across all procurement systems are captured, not only those originating through the primary procurement platform"
        ],
        "blocking_effect": "advisory",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Monitoring contract obligations only at scheduled review intervals (weekly or monthly) rather than tracking AI system actions in real time and alerting the moment a threshold is approached",
          "Routing breach risk alerts to a group alias or shared mailbox rather than to named individual owners with documented response SLAs and escalation paths",
          "Ingesting obligation manifests only at contract execution without triggering re-ingestion on amendment, leaving the monitoring engine tracking stale constraints after contract modifications",
          "Treating breach risk alerts as informational log entries rather than actionable notifications requiring acknowledged response within a defined SLA",
          "Omitting penalty trigger conditions from obligation manifests, monitoring only milestone deadlines and usage caps while leaving the financial consequences of breach untracked"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PR"
      },
      {
        "id": "PR-08",
        "name": "Procurement Audit Trail",
        "canonical_id": "apeiris://authority/controls/PR-08",
        "layer": "PR",
        "prefix": "PR",
        "plane": "both",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Maintain a comprehensive, tamper-evident audit trail for all AI-assisted procurement activities, capturing the AI system identity, authority basis, input data, decision output, human review events, and final procurement action for every transaction. The audit trail must support both internal accountability review and external regulatory or legal inquiry.",
        "threat": {
          "context": "When AI systems participate in procurement without a comprehensive audit trail, accountability for procurement decisions cannot be reconstructed, creating principal accountability gaps that obscure whether the AI system operated within its authority and whether human oversight was adequately exercised.",
          "tags": [
            "principal-accountability-gap",
            "authority-limit-breach",
            "procurement-bypass"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_800_53",
            "section": "AU-12",
            "title": "Audit Record Generation"
          },
          {
            "id": "soc2",
            "section": "CC7.2",
            "title": "Detection and Monitoring"
          }
        ],
        "sources": [
          {
            "id": "src-pr08-1",
            "title": "ISO 37301 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301 Compliance Management Systems requirements informing the apeiris://authority/controls/PR-08 Procurement Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr08-2",
            "title": "NIST SP 800-53 Rev 5 \u2014 Audit Record Generation",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Audit Record Generation requirements informing the apeiris://authority/controls/PR-08 Procurement Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr08-3",
            "title": "AICPA SOC 2 Trust Services Criteria \u2014 Detection and Monitoring",
            "authority": "American Institute of Certified Public Accountants",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "TSC 2017",
            "published_on": "2017-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "aicpa-soc2",
            "relationship": "normative_requirement",
            "rationale": "Establishes AICPA SOC 2 Trust Services Criteria \u2014 Detection and Monitoring requirements informing the apeiris://authority/controls/PR-08 Procurement Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pr08-4",
            "title": "Sarbanes-Oxley Act \u2014 Internal Controls over Financial Reporting",
            "authority": "United States Congress",
            "source_type": "regulation",
            "normative_force": "binding-law",
            "version": "Pub. L. 107-204",
            "published_on": "2002-07-30",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.sec.gov/about/laws/soa2002.pdf",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "sox",
            "relationship": "normative_requirement",
            "rationale": "Establishes Sarbanes-Oxley Act \u2014 Internal Controls over Financial Reporting requirements informing the apeiris://authority/controls/PR-08 Procurement Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PR-08 Procurement Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PR-08 Procurement Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PR-08 Procurement Audit Trail control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Immutable, structured procurement audit log capturing all AI-assisted procurement events with standardized record schema, tamper-evident storage, and automated completeness verification.",
          "steps": [
            "Define a procurement audit record schema capturing: AI system ID, authority basis (policy version and commitment ceiling), input data hash, decision output with reasoning summary, human review events with reviewer ID and timestamp, and final procurement action with outcome",
            "Implement tamper-evident storage for all procurement audit records using append-only logging with cryptographic integrity checks, with records retained for a minimum of seven years to satisfy regulatory and litigation hold requirements",
            "Deploy automated completeness verification that confirms a procurement audit record exists for every procurement event within 15 minutes of event completion, with alerts for missing records sent to the GRC Auditor within one hour"
          ],
          "anti_patterns": [
            "Storing procurement audit records in mutable storage that can be modified or deleted after the fact",
            "Capturing only the final procurement outcome without the AI system's decision basis, input data, and authority reference"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify the procurement audit record schema captures all required fields including AI system ID, authority basis, input data hash, decision output, human review events, and final action",
            "Confirm tamper-evident storage is implemented with cryptographic integrity checks and a seven-year minimum retention period",
            "Validate that automated completeness verification runs within 15 minutes of each procurement event and alerts for missing records within one hour"
          ],
          "runtime_tests": [
            "Complete an AI-assisted procurement transaction and verify a complete audit record is generated in tamper-evident storage within 15 minutes",
            "Attempt to modify a written audit record and verify the cryptographic integrity check detects and alerts the attempted modification",
            "Suppress an audit record for a test transaction and confirm the completeness verification alert fires within one hour"
          ],
          "evidence": [
            "log:procurement-audit-trail-immutable-store",
            "config:audit-log-cryptographic-integrity-config",
            "test:audit-completeness-verification-test-results",
            "doc:procurement-audit-record-schema-current"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "A comprehensive procurement audit trail is the foundation of legal defensibility for AI-assisted procurement; without it, the organization cannot demonstrate that AI actions were within authority or subject to human oversight.",
            "actions": [
              "Confirm the audit record schema captures sufficient detail to support litigation discovery and regulatory inquiry without supplemental reconstruction",
              "Ensure the seven-year retention period is enforced by policy and technical controls, with litigation hold extensions applied on notice of dispute"
            ],
            "failure_signals": [
              "A procurement audit record is missing or incomplete for a transaction subject to litigation discovery",
              "Audit records for a disputed transaction cannot demonstrate the AI system's authority basis or the human review events that took place"
            ]
          },
          "cfo_procurement": {
            "summary": "The procurement audit trail is a financial internal control; SOX-covered organizations require audit trails for AI-assisted procurement transactions to support management's attestation on internal controls over financial reporting.",
            "actions": [
              "Confirm the procurement audit trail is included in the scope of the annual SOX internal controls assessment",
              "Review audit trail completeness quarterly to confirm no gaps exist for procurement transactions above the materiality threshold"
            ],
            "failure_signals": [
              "The procurement audit trail was not included in the SOX internal controls scope during the annual assessment",
              "Audit record gaps exist for procurement transactions above the SOX materiality threshold"
            ]
          },
          "risk_officer": {
            "summary": "Audit trail completeness is a binary risk indicator for procurement accountability \u2014 a missing record for any material transaction is an immediate control failure requiring investigation.",
            "actions": [
              "Track audit record completeness as a zero-tolerance KRI \u2014 any missing record for a production procurement event triggers an immediate incident",
              "Include procurement audit trail integrity in the quarterly AI risk review"
            ],
            "failure_signals": [
              "A missing audit record alert was not escalated as an immediate incident",
              "Cryptographic integrity check failures are not investigated within four hours of detection"
            ]
          },
          "grc_auditor": {
            "summary": "The procurement audit trail is the central artifact for authority domain procurement audit; its completeness, integrity, and retention are non-negotiable audit requirements.",
            "actions": [
              "Verify audit trail completeness by reconciling the audit log against the procurement transaction log for the full audit period",
              "Test cryptographic integrity of a sample of audit records to confirm tamper-evident storage is functioning correctly",
              "Confirm the seven-year retention period is enforced and that records from seven years prior are still accessible"
            ],
            "failure_signals": [
              "Procurement transactions in the audit period lack corresponding audit records",
              "Cryptographic integrity checks fail for any audit records in the sample"
            ],
            "metrics": [
              "Audit record completeness: % of procurement events with a complete audit record within 15 minutes (target: 100%)",
              "Cryptographic integrity pass rate: % of audit records passing integrity verification (target: 100%)",
              "Retention compliance: % of audit records within the required retention window that are accessible and intact (target: 100%)"
            ]
          },
          "board_governance": {
            "summary": "A comprehensive procurement audit trail provides the board with the assurance that AI-assisted procurement decisions are fully accountable, attributable, and reconstructable for any future inquiry.",
            "actions": [
              "Confirm the procurement audit trail is included in the scope of the external auditor's review for SOX-covered entities",
              "Require annual confirmation from GRC Auditor and General Counsel that audit trail completeness and retention requirements are being met"
            ],
            "failure_signals": [
              "The external auditor identifies procurement audit trail gaps during the annual SOX attestation process",
              "Annual confirmation of audit trail completeness was not provided to the audit committee"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "A tamper-evident procurement audit trail supports \u00a79.1 monitoring but is the record substrate, not the monitoring activity.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A tamper-evident procurement audit trail supports \u00a79.1 monitoring but is the record substrate, not the monitoring activity.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AU-12",
            "title": "Audit Record Generation",
            "normative_force": "voluntary-standard",
            "fit": "direct",
            "fit_rationale": "Generating a complete structured audit record for every procurement event directly implements AU-12.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Generating a complete structured audit record for every procurement event directly implements AU-12.",
            "requirement_id": "AU-12 \u2014 Audit Record Generation",
            "relation": "equivalent_to"
          },
          {
            "framework": "soc2",
            "ref": "CC7.2",
            "title": "Detection and Monitoring",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "A procurement audit trail feeds detection but does not itself perform the CC7.2 monitoring function.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "A procurement audit trail feeds detection but does not itself perform the CC7.2 monitoring function.",
            "requirement_id": "CC7.2 \u2014 Detection and Monitoring",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Procurement audit records support \u00a79.1 monitoring and analysis but are the substrate rather than the activity.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Procurement audit records support \u00a79.1 monitoring and analysis but are the substrate rather than the activity.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS CloudTrail + Audit Manager \u2014 Procurement Audit Trail",
            "rationale": "AWS CloudTrail provides an immutable, organization-wide audit trail for all procurement and service activation events across AWS Organizations. Combined with AWS Audit Manager, procurement audit evidence is automatically collected, organized, and retained in audit-ready packages, covering all AI service activations, configuration changes, and access modifications within the procurement lifecycle.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "CloudTrail immutable logs and Audit Manager packaging partially implement the procurement audit trail.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Admin Activity Audit Logs \u2014 Procurement Event Records",
            "rationale": "Google Cloud Admin Activity Audit Logs provide complete, immutable records of all resource provisioning and procurement decisions within the organization. These logs cannot be disabled for admin activity events, ensuring complete procurement audit trail coverage. Organization-level log routing to Cloud Storage provides long-term, tamper-resistant retention for procurement audit evidence.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Immutable Admin Activity logs record provisioning and procurement events, partially implementing the procurement audit trail.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta System Log \u2014 Identity-Mediated Procurement Authorization Records",
            "rationale": "Okta System Log records all identity-mediated procurement authorization events with tamper-evident timestamps and principal identity attribution. For AI procurement workflows that use Okta-managed identities, the System Log provides a non-repudiable audit trail linking each procurement authorization decision to the authenticated principal who approved it.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta System Log records identity-mediated procurement authorizations non-repudiably, partially implementing the audit trail.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "procurement-ai",
          "public-company-governance"
        ],
        "implementers": [
          "Procurement",
          "GRC Auditor",
          "General Counsel"
        ],
        "validation_objective": "A complete, tamper-evident procurement audit record must be generated and stored within 15 minutes of every AI-assisted procurement event, capturing AI system identity, authority basis (policy version and commitment ceiling), input data hash, decision output with reasoning summary, human review events with reviewer identity and timestamp, and final procurement action with outcome. Cryptographic integrity verification must confirm the record has not been modified since creation, and records must remain accessible for the full seven-year minimum retention period.",
        "evidence_required": [
          "procurement_audit_trail_immutable_store containing all audit records for the review period with cryptographic integrity hashes confirming records are unmodified and retention timestamps within the seven-year minimum window",
          "audit_log_cryptographic_integrity_config documenting the append-only logging mechanism, hash algorithm, and verification schedule protecting records from post-creation modification",
          "audit_completeness_verification_test_results confirming automated completeness checks ran within 15 minutes of each procurement event and that alerts were generated for any missing records",
          "procurement_audit_record_schema_current documenting all required fields and their validation rules",
          "sox_internal_controls_scope_document or equivalent confirming the procurement audit trail is included in the annual internal controls assessment scope"
        ],
        "machine_tests": [
          "Complete an AI-assisted procurement transaction \u2192 assert a complete audit record is generated in tamper-evident storage within 15 minutes with all required schema fields populated including ai_system_id, authority_basis, input_data_hash, and human_review_events",
          "Attempt to modify a written audit record directly in the audit store \u2192 assert the cryptographic integrity check detects the modification and generates an alert within one hour",
          "Suppress audit record generation for a test procurement event \u2192 assert automated completeness verification alert fires within one hour and is routed to the GRC Auditor with missing_record_id populated"
        ],
        "human_review": [
          "Reconcile the procurement audit trail against the complete procurement transaction log for the audit period to verify no transactions are missing audit records and all records contain the required fields",
          "Verify the seven-year retention period is enforced and that records from seven years prior remain accessible and pass cryptographic integrity verification",
          "Confirm the procurement audit trail is included in the current SOX or equivalent internal controls assessment scope and that the external auditor has reviewed audit trail completeness as part of that assessment"
        ],
        "blocking_effect": "advisory",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Storing procurement audit records in mutable database tables where records can be updated or deleted after creation without append-only enforcement or cryptographic integrity protection",
          "Capturing only the final procurement outcome without the AI system's decision basis, input data hash, authority reference, and human review events, making it impossible to reconstruct whether the AI operated within its authority",
          "Logging AI procurement events in application logs subject to log rotation, overwrite policies, or retention periods shorter than the seven-year minimum required for regulatory and litigation hold purposes",
          "Treating audit record completeness verification as a periodic manual review task rather than an automated continuous check that generates immediate alerts for missing records",
          "Excluding AI-initiated contract modifications and auto-renewals from the procurement audit trail scope, capturing only net-new procurement events"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PR"
      },
      {
        "id": "PR-09",
        "name": "Procurement Governance Layer Evidence Package",
        "canonical_id": "apeiris://authority/controls/PR-09",
        "layer": "PR",
        "prefix": "PR",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Compile a structured procurement governance layer evidence package on a quarterly basis, consolidating artifacts from PR-01 through PR-08 to demonstrate that AI procurement policies, approval limits, and audit trails are complete and current. The package is a required input to the PE-08 PolicyAttestation production process.",
        "threat": {
          "context": "Without periodic structured compilation of procurement governance layer evidence, the PolicyAttestation (PE-08) rests on unverified assertions from individual controls rather than compiled, reviewed, and signed layer evidence. Layer-level coverage deficiencies are only visible through compilation.",
          "tags": [
            "governance-evidence-gap",
            "attestation-unverifiable",
            "compliance-deficit"
          ]
        },
        "standard_references": [
          {
            "id": "iso_42001",
            "section": "\u00a7 9.3",
            "title": "Management review of AI governance system at planned intervals"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.5",
            "title": "Ongoing monitoring and periodic review of the risk management process and its outcomes are planned"
          },
          {
            "id": "eu_ai_act",
            "section": "Art. 17",
            "title": "Quality management system for high-risk AI"
          }
        ],
        "sources": [
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PR-09 Procurement Governance Layer Evidence Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PR-09 Procurement Governance Layer Evidence Package control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Define a quarterly evidence compilation process for the Procurement Governance layer. Collect required artifacts from PR-01 through PR-08. Review for completeness, currency, and identified gaps. Produce a signed evidence package and submit it as input to the PE-08 PolicyAttestation production cycle.",
          "steps": [
            "Define the PR-layer evidence package schema: required_artifacts[], acceptance_criteria[], gap_register, package_owner, and review_signatories.",
            "For each control in PR-01 through PR-08, define specific required evidence artifacts and freshness criteria.",
            "Compile artifacts quarterly: generate or collect required evidence and stage for structured review.",
            "Conduct a review session to evaluate completeness, identify gaps, and assign remediation owners with deadlines.",
            "Produce a signed procurement governance layer evidence package with an overall verdict and submit it as input to PE-08 PolicyAttestation.",
            "Retain the package as an immutable record for the period required by applicable regulations and internal policy."
          ],
          "anti_patterns": [
            "Treating PE-08 attestation as a substitute for per-layer evidence compilation.",
            "Compiling evidence only when an audit or regulatory inquiry is pending rather than on a recurring quarterly cycle."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that a PR-layer evidence package schema exists with defined required artifacts for each control in PR-01 through PR-08.",
            "Verify that a quarterly compilation schedule is established with named package owners and review signatories.",
            "Check that the evidence package output format is accepted as input to PE-08 attestation production."
          ],
          "runtime_tests": [
            "Verify a completed evidence package was produced in the most recent quarter with all required artifacts present.",
            "Confirm that a gap register exists and identified gaps have assigned owners and remediation deadlines.",
            "Confirm the package is signed and retained in the tamper-evident record store."
          ],
          "evidence": [
            "Signed procurement governance layer evidence package for each of the four most recent quarters.",
            "Gap registers with assigned owners and remediation deadlines for any identified deficiencies.",
            "Submission record linking the package to the PE-08 attestation production cycle."
          ]
        },
        "lenses": {
          "grc_auditor": {
            "summary": "The PR-09 evidence package is the audit-ready artifact for the Procurement Governance layer.",
            "actions": [
              "Request the four most recent PR-layer evidence packages and review for completeness.",
              "Verify that gap registers from prior quarters have remediation outcomes documented.",
              "Confirm the package submission record links to PE-08 attestation inputs."
            ],
            "failure_signals": [
              "Missing PR-layer evidence packages for any quarter in the audit period.",
              "Gap registers with items open for more than two consecutive quarters without documented remediation plans.",
              "Evidence packages that are unsigned or not retained in the tamper-evident record store."
            ],
            "metrics": [
              "Package completeness rate: all required artifacts present in each quarterly package (target: 100%).",
              "Gap remediation rate: all prior-quarter gaps have documented outcomes before current quarter package.",
              "Package timeliness: submitted to PE-08 attestation cycle within 10 business days of quarter end."
            ]
          },
          "general_counsel": {
            "summary": "The PR-09 package is the defensibility record for the Procurement Governance layer: when a regulator, counterparty, or court asks whether the organization's AI procurement, vendor qualification, and contract commitment controls were operating, the quarterly package is the evidence the organization produces.",
            "actions": [
              "Confirm the package format and retention period satisfy the evidentiary requirements of applicable law and contractual audit rights before the first submission cycle.",
              "Review each quarterly package for gaps in PR-01 through PR-08 evidence that could undermine a future regulatory or litigation position.",
              "Verify that the package is signed by an identified accountable owner whose authority to certify the layer can be demonstrated."
            ],
            "failure_signals": [
              "A regulator or counterparty request for layer evidence that cannot be answered from a compiled, signed package.",
              "Packages whose contents conflict with representations previously made in disclosures or contract certifications.",
              "Retention lapses that leave quarters within the evidentiary period unrecoverable."
            ]
          },
          "cfo_procurement": {
            "summary": "The PR-09 package converts Procurement Governance layer control operation into a periodic, reviewable deliverable \u2014 the artifact that lets finance and procurement rely on the layer without re-auditing individual controls each quarter.",
            "actions": [
              "Fund the compilation process as a recurring governance obligation rather than an ad hoc audit response.",
              "Require the package (or its gap register) as an input to renewal, budget, and vendor decisions that depend on AI procurement, vendor qualification, and contract commitment controls operating.",
              "Track the cost of gap remediation surfaced by the package to prioritize control investment."
            ],
            "failure_signals": [
              "Business decisions that assume the layer is operating when the most recent package shows open gaps.",
              "Compilation effort repeatedly funded from audit contingency rather than the governance budget.",
              "Vendor or renewal approvals proceeding in quarters with missing packages."
            ]
          },
          "risk_officer": {
            "summary": "The PR-09 package gives the risk function visibility into how AI is acquired: whether procurement followed policy, stayed within approval limits, and left an audit trail for every third-party model or service brought in. Its gap register surfaces supply-chain and shadow-acquisition exposures, including AI obtained outside the approval path or from vendors that were never assessed.",
            "actions": [
              "Cross-check the procurement audit trail against systems running in production to detect AI acquired outside the governed path, and log each instance as a third-party exposure.",
              "Confirm that acquisitions above the defined approval limits carry the required sign-off, and flag any that do not.",
              "Assess whether the third-party AI vendors in the package were risk-assessed before onboarding, and treat unassessed vendors as open exposures.",
              "Feed concentration in a single AI vendor or model provider into the risk register as a supply-chain dependency."
            ]
          },
          "board_governance": {
            "summary": "The PR-09 package shows the board that AI is being acquired within policy and that third-party AI risk is under governance. It is the layer evidence that procurement approval limits and vendor audit trails are complete, so the organization is not depending on AI it never formally evaluated.",
            "actions": [
              "Require reporting of any AI acquired outside the approved procurement path during the quarter.",
              "Ask for the organization's exposure to its largest AI vendors and whether those dependencies sit within appetite.",
              "Confirm that third-party AI entering production was assessed against the same authority and obligation controls as internally built systems.",
              "Condition PolicyAttestation acceptance on a complete procurement audit trail, since ungoverned acquisition breaks the authority chain the attestation relies on."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_42001",
            "requirement_id": "\u00a79.3",
            "fit": "direct",
            "rationale": "ISO/IEC 42001 \u00a79.3 requires management review at planned intervals. PR-09 provides the structured review artifact for the Procurement Governance layer.",
            "normative_force": "certification-standard",
            "source_version": "2023",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "requirement_id": "GOVERN 1.5",
            "fit": "direct",
            "rationale": "NIST AI RMF GOVERN 1.5 requires planned ongoing monitoring and periodic review of the risk management process and its outcomes, with clear roles and review cadence. PR-09 instantiates this periodic layer-level review at the Procurement Governance layer.",
            "normative_force": "voluntary-standard",
            "source_version": "1.0",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "eu_ai_act",
            "requirement_id": "Art. 17",
            "fit": "direct",
            "rationale": "EU AI Act Art. 17 requires a quality management system. PR-09 is the QMS artifact for the Procurement Governance layer.",
            "normative_force": "binding-law",
            "source_version": "2024",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "satisfies"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "high-risk-sector"
        ],
        "implementers": [
          "GRC / Internal Audit",
          "AI Operations",
          "Risk Management"
        ],
        "validation_objective": "The procurement governance layer evidence package for each quarter must contain complete, signed artifacts from all controls PR-01 through PR-08, with a gap register containing no items unresolved beyond two consecutive quarters, and the package must be submitted to the PE-08 PolicyAttestation production cycle within 10 business days of quarter end.",
        "evidence_required": [
          "Signed quarterly procurement governance layer evidence package covering required artifacts from all controls PR-01 through PR-08, with package_owner, review_signatories, and submission_timestamp fields populated",
          "Gap register for each quarterly package listing identified deficiencies with assigned owner, remediation deadline, and resolution status from prior quarters",
          "Submission record linking each quarterly evidence package to the PE-08 PolicyAttestation production cycle input with accepted_at timestamp",
          "Artifact collection audit trail showing the date each PR-layer artifact was retrieved and the review session outcome record"
        ],
        "machine_tests": [
          "Query evidence package records for the trailing 12 months \u2192 assert 4 quarterly packages exist with status=complete, signed=true, and submission_timestamp within 10 business days of quarter end",
          "Parse gap register from each package \u2192 assert no gap register item has remained open for more than 2 consecutive quarters without a documented remediation plan",
          "Verify PE-08 attestation input records \u2192 assert each quarterly evidence package has a corresponding submission_record linking it to the attestation production cycle"
        ],
        "human_review": [
          "Review the completeness of artifact collection for each PR control layer item and confirm that acceptance criteria are met, with no placeholder or partial artifacts accepted as satisfying a required artifact slot",
          "Assess whether gap register closures from prior quarters reflect genuine control improvement backed by evidence rather than administrative closure without remediation",
          "Verify that review signatories have sufficient authority and domain knowledge to validate the procurement governance layer artifacts they attested to"
        ],
        "blocking_effect": "requires-review",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Submitting PE-08 PolicyAttestation without a complete PR-layer evidence package, substituting summary assertions for compiled per-control artifacts",
          "Compiling the evidence package only after an audit request or regulatory inquiry rather than on the defined quarterly schedule",
          "Closing gap register items as resolved without retaining evidence that the underlying control deficiency was addressed",
          "Using the same individual for both evidence package compilation and independent review, eliminating the oversight function the process is designed to provide",
          "Carrying forward prior-quarter evidence artifacts without verifying they remain current, inflating apparent coverage while masking stale control state"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PR",
        "lens_enrichment": "ap42 2026-07-08"
      },
      {
        "id": "PG-01",
        "name": "Policy Adherence Monitoring",
        "canonical_id": "apeiris://authority/controls/PG-01",
        "layer": "PG",
        "prefix": "PG",
        "plane": "data",
        "capability_risk": {
          "capability_level": "low"
        },
        "baseline": true,
        "plain": "Continuously monitors AI system behavior against registered internal policies to detect adherence failures before they become compliance incidents.",
        "threat": {
          "context": "AI systems operating without continuous policy monitoring may silently drift into non-compliant behaviors, accumulating risk that only surfaces during audits or after incidents have already occurred.",
          "tags": [
            "policy-bypass",
            "internal-policy-violation",
            "scope-creep"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "iso_42001",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_rmf",
            "section": "MEASURE 3.1",
            "title": "Approaches, personnel, and documentation are in place to regularly identify and track existing, unanticipated, and emergent AI risks"
          },
          {
            "id": "coso_erm",
            "section": "Principle 9",
            "title": "Formulates business objectives"
          }
        ],
        "sources": [
          {
            "id": "iso-37301-2021",
            "title": "ISO 37301:2021 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 Compliance Management Systems requirements informing the apeiris://authority/controls/PG-01 Policy Adherence Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-rmf-measure-3-1",
            "title": "NIST AI RMF MEASURE 3.1",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI RMF MEASURE 3.1 requirements informing the apeiris://authority/controls/PG-01 Policy Adherence Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-42001-2023",
            "title": "ISO/IEC 42001:2023 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 AI Management Systems requirements informing the apeiris://authority/controls/PG-01 Policy Adherence Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "internal-policy-ai-governance-003",
            "title": "Example adopter artifact \u2014 AI Governance Policy \u2014 Behavioral Monitoring Requirements (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PG-01 Policy Adherence Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PG-01 Policy Adherence Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PG-01 Policy Adherence Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PG-01 Policy Adherence Monitoring control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Integrate a policy registry with a behavioral telemetry pipeline so that every AI system action is evaluated against applicable policy rules at ingest time, with deviation events routed to the compliance team within a defined SLA.",
          "steps": [
            "Catalog all applicable internal policies and translate them into machine-evaluable rule sets with explicit pass/fail criteria",
            "Instrument AI system outputs and actions to emit structured telemetry events for each operation, including actor, intent, resource, and outcome fields",
            "Deploy a policy evaluation engine that scores each telemetry event against active rule sets and raises prioritized alerts on deviations to accountable reviewers"
          ],
          "anti_patterns": [
            "Batch-reviewing policy adherence only during quarterly audits rather than in real time, allowing violations to accumulate undetected",
            "Relying on self-reported compliance from AI system operators without independent telemetry verification"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that all registered internal policies have corresponding machine-evaluable rule definitions with documented translation rationale",
            "Confirm that the telemetry pipeline captures all AI-initiated actions with sufficient context for accurate policy evaluation",
            "Validate that deviation alerting routes to accountable human reviewers within the documented SLA window"
          ],
          "runtime_tests": [
            "Inject a known policy-violating synthetic action into the AI system and verify that a correctly classified alert is raised within the SLA window",
            "Simulate a policy rule update and confirm that the evaluation engine applies the new rule to subsequent events within one evaluation cycle",
            "Verify that monitoring coverage metrics meet the defined threshold for all in-scope AI systems with no uncovered system gaps"
          ],
          "evidence": [
            "log: policy-evaluation-engine event logs showing per-action rule evaluation outcomes and alert generation timestamps",
            "config: policy registry export listing all active rules, their effective dates, and mapped policy source references",
            "doc: compliance monitoring SLA definition and escalation procedures with sign-off from Compliance Officer",
            "policy: AI-GOV-POL-003 signed approval record and version history confirming current rule set alignment"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Continuous monitoring creates a defensible evidentiary record that the organization actively enforces its own AI policies, reducing exposure in regulatory inquiries and litigation.",
            "actions": [
              "Ensure policy definitions are legally reviewed before encoding as monitoring rules to prevent divergence from authoritative policy text",
              "Confirm that monitoring evidence is retained in a legally admissible, tamper-evident format with documented chain of custody",
              "Establish procedures for counsel review when systemic policy deviation patterns are identified"
            ],
            "failure_signals": [
              "Policy monitoring rules are encoded without legal review and diverge materially from the authoritative policy text",
              "Monitoring logs are stored in mutable systems that cannot be authenticated or produced in discovery"
            ]
          },
          "cfo_procurement": {
            "summary": "Policy adherence monitoring protects the organization from hidden compliance costs that accumulate when AI systems operate outside sanctioned boundaries without detection.",
            "actions": [
              "Include monitoring operational costs and tooling in the AI system total cost of ownership model at procurement",
              "Require monitoring coverage attestation as a procurement condition for third-party AI systems before deployment"
            ],
            "failure_signals": [
              "Compliance remediation costs spike unexpectedly due to undetected policy drift discovered only at audit time",
              "Third-party AI vendors cannot demonstrate equivalent policy monitoring capabilities for systems operating in scope"
            ]
          },
          "risk_officer": {
            "summary": "Real-time policy adherence monitoring converts latent compliance risk into quantifiable, manageable signals trackable on the enterprise risk register.",
            "actions": [
              "Define risk thresholds for policy deviation rates and integrate them with enterprise risk dashboards and risk appetite statements",
              "Establish escalation triggers when deviation rates exceed acceptable bounds, with defined accountable responders",
              "Require periodic risk reviews of monitoring rule coverage against the evolving policy and regulatory landscape"
            ],
            "failure_signals": [
              "No quantitative policy adherence metrics are available for inclusion in risk reporting cycles",
              "Monitoring rule sets have not been updated to reflect recent policy changes, creating coverage gaps"
            ]
          },
          "grc_auditor": {
            "summary": "Policy adherence monitoring provides the primary evidence base for compliance audits, demonstrating that controls are operating continuously rather than only at point-in-time assessments.",
            "actions": [
              "Audit the completeness of policy-to-rule translation to identify gaps in monitoring coverage across all in-scope AI systems",
              "Sample monitoring event logs to verify that rule evaluations are accurate, consistent, and aligned with policy intent",
              "Validate that deviation alerts are actioned within documented SLA windows and that resolution evidence is retained"
            ],
            "failure_signals": [
              "Monitoring logs show coverage gaps for specific AI systems or policy categories without documented risk acceptance",
              "Deviation alerts are raised but not actioned within SLA, indicating a response process failure"
            ],
            "metrics": [
              "Policy coverage ratio: percentage of active policies with corresponding machine-evaluable monitoring rules",
              "Mean time to detect: average elapsed time from policy deviation occurrence to alert generation",
              "Deviation resolution rate: percentage of deviation alerts actioned and closed within the defined SLA window"
            ]
          },
          "board_governance": {
            "summary": "Continuous policy monitoring demonstrates that the board's governance intent is operationalized within AI systems, supporting fiduciary duty and board-level oversight obligations.",
            "actions": [
              "Receive quarterly summary reports on AI policy adherence rates and systemic deviation trends across business units",
              "Mandate that material policy deviation patterns be escalated to audit or risk committees before external reporting cycles"
            ],
            "failure_signals": [
              "Board receives no routine reporting on AI policy adherence, creating a material governance blind spot",
              "Material policy deviations are not escalated to the board until they become public incidents or regulatory findings"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "managed"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 9",
            "title": "Formulates business objectives",
            "principle_number": 9,
            "component_name": "Strategy and Objective-Setting",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "Policy adherence monitoring detects deviations, unrelated to Principle 9's formulation of business objectives.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Policy adherence monitoring detects deviations, unrelated to Principle 9's formulation of business objectives.",
            "requirement_id": "Principle 9 \u2014 Formulates business objectives",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Real-time evaluation of every AI action against policy rules directly implements \u00a79.1 monitoring and analysis.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Real-time evaluation of every AI action against policy rules directly implements \u00a79.1 monitoring and analysis.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Continuous policy-adherence monitoring directly implements \u00a79.1 monitoring, measurement, and evaluation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Continuous policy-adherence monitoring directly implements \u00a79.1 monitoring, measurement, and evaluation.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MEASURE 3.1",
            "title": "Approaches, personnel, and documentation are in place to regularly identify and track existing, unanticipated, and emergent AI risks",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Continuous adherence monitoring helps identify emergent policy risks, partially addressing MEASURE 3.1.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Continuous adherence monitoring helps identify emergent policy risks, partially addressing MEASURE 3.1.",
            "requirement_id": "MEASURE 3.1 \u2014 Approaches, personnel, and documentation are in place to regularly identify and track existing, unanticipated, and emergent AI risks",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Config + Security Hub \u2014 Continuous Policy Adherence Monitoring",
            "rationale": "AWS Config with managed and custom rules provides continuous policy adherence monitoring across all AI workload accounts. AWS Security Hub aggregates Config compliance findings with other security signals into a unified compliance posture dashboard, enabling organization-wide visibility into policy adherence status. Security Hub compliance standards map Config rules to governance framework requirements.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Config rules with Security Hub aggregation provide continuous adherence monitoring, partially implementing PG-01.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Asset Inventory AnalyzeOrgPolicies + Policy Simulator \u2014 Policy Adherence Analysis",
            "rationale": "Cloud Asset Inventory's AnalyzeOrgPolicies API reports which organization policy constraints are in force on which resources, and Policy Simulator evaluates the impact of constraint changes before enforcement. Together they support systematic policy adherence review. Policy Analyzer itself answers IAM access questions \u2014 which principals hold which access \u2014 rather than providing real-time constraint adherence monitoring.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "AnalyzeOrgPolicies and Policy Simulator support systematic adherence review, partially implementing continuous monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta System Log \u2014 Authorization Policy Adherence Monitoring",
            "rationale": "Okta System Log provides continuous monitoring of authorization policy adherence with real-time alerting on policy exceptions. Log streaming to SIEM platforms enables continuous analysis of authorization events for policy adherence patterns, and Okta's built-in threat detection identifies anomalous authorization patterns that indicate policy adherence gaps.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta System Log streaming with threat detection monitors authorization-policy adherence, partially implementing PG-01.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure Policy Compliance Dashboard \u2014 AI Workload Policy Adherence",
            "rationale": "Azure Policy compliance dashboard provides real-time policy adherence monitoring across all AI workload deployments, showing compliance states for each policy definition and assignment. Dashboard data is queryable via API for integration with enterprise governance reporting workflows, enabling continuous policy adherence monitoring at both the resource and initiative levels.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "The Azure Policy compliance dashboard provides real-time adherence monitoring across AI workloads, partially implementing PG-01.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "Compliance Officer",
          "GRC Auditor",
          "AI Governance Lead"
        ],
        "validation_objective": "All in-scope AI systems must have 100% of their active internal policies represented by machine-evaluable monitoring rules in the policy registry, with every AI system action evaluated against applicable rules in real time, and deviation alerts routed to accountable reviewers within the documented SLA.",
        "evidence_required": [
          "Policy registry export listing all active internal policies with corresponding machine-evaluable rule definitions, effective dates, and policy source references",
          "Policy evaluation engine event logs showing per-action rule evaluation outcomes, deviation alert generation timestamps, and SLA compliance metrics for the reporting period",
          "Compliance monitoring SLA definition document signed by the Compliance Officer, specifying alert routing targets and resolution timeframes",
          "Monitoring coverage report confirming the percentage of in-scope AI systems and action types evaluated against active policy rules, with no coverage gaps documented without risk acceptance"
        ],
        "machine_tests": [
          "Inject a known policy-violating synthetic action into the evaluation pipeline \u2192 assert a deviation alert with correct rule_id and violation_class is raised within the documented SLA window",
          "Update a policy monitoring rule in the registry \u2192 assert the updated rule is applied to evaluation of the next action within one processing interval without requiring a system restart",
          "Query the monitoring coverage report \u2192 assert that 100% of in-scope AI systems have at least one active policy rule and no in-scope action categories are excluded from evaluation"
        ],
        "human_review": [
          "Review the policy-to-rule translation mapping for a representative sample of active policies to verify that machine-evaluable rules accurately reflect policy intent and do not over- or under-represent compliance obligations",
          "Assess whether deviation alerts are reaching the correct accountable reviewers and that escalation procedures are understood, tested, and documented",
          "Evaluate whether monitoring coverage metrics identify AI systems or policy categories with inadequate rule coverage and confirm that gaps have documented risk acceptance or remediation plans"
        ],
        "blocking_effect": "advisory",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Reviewing policy adherence only during quarterly audits rather than in real time, allowing violations to accumulate and compound between assessment cycles",
          "Accepting self-reported compliance from AI system operators as a substitute for independent telemetry-based evaluation against registered policy rules",
          "Encoding policy monitoring rules without legal review of the source policy text, causing encoded rules to diverge from the authoritative policy intent",
          "Storing monitoring event logs in mutable, non-authenticated systems that cannot demonstrate tamper-evident chain of custody in audits or litigation",
          "Accepting monitoring coverage gaps as normal operating state without documented risk acceptance and a remediation deadline"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PG"
      },
      {
        "id": "PG-02",
        "name": "Authority Limit Monitoring",
        "canonical_id": "apeiris://authority/controls/PG-02",
        "layer": "PG",
        "prefix": "PG",
        "plane": "data",
        "capability_risk": {
          "capability_level": "low"
        },
        "baseline": true,
        "plain": "Tracks real-time utilization of delegated authority limits by AI systems to detect approaching thresholds and prevent unauthorized commitment.",
        "threat": {
          "context": "AI systems with delegated spending or commitment authority may exhaust authorized limits faster than human reviewers can track, resulting in unauthorized financial or contractual commitments that exceed the delegated scope.",
          "tags": [
            "authority-limit-breach",
            "unauthorized-commitment",
            "commitment-without-authority"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 13",
            "title": "Implements risk responses"
          },
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_rmf",
            "section": "MEASURE 3.1",
            "title": "Approaches, personnel, and documentation are in place to regularly identify and track existing, unanticipated, and emergent AI risks"
          },
          {
            "id": "nist_800_53",
            "section": "AU-6",
            "title": "Audit Record Review, Analysis, and Reporting"
          }
        ],
        "sources": [
          {
            "id": "nist-800-53-r5-au6",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Audit and Accountability",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Audit and Accountability requirements informing the apeiris://authority/controls/PG-02 Authority Limit Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "coso-erm-2017-p13",
            "title": "COSO Enterprise Risk Management Framework 2017",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management Framework 2017 requirements informing the apeiris://authority/controls/PG-02 Authority Limit Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021-s9",
            "title": "ISO 37301:2021 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 Compliance Management Systems requirements informing the apeiris://authority/controls/PG-02 Authority Limit Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "internal-policy-authority-limits-001",
            "title": "Example adopter artifact \u2014 Delegated Authority Policy \u2014 AI System Commitment Limits (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PG-02 Authority Limit Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PG-02 Authority Limit Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PG-02 Authority Limit Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PG-02 Authority Limit Monitoring control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Instrument every AI commitment action against a live authority ledger that tracks cumulative utilization per delegated scope, triggering graduated warnings at defined threshold percentages and hard stops at the authorized limit.",
          "steps": [
            "Register all delegated authority grants for AI systems in a central authority ledger with defined scope, limit, currency, and expiry for each grant",
            "Intercept and record each AI commitment action at the integration layer, decrementing the relevant authority balance in the ledger in real time",
            "Configure graduated threshold alerts at 70% and 90% of each authority limit, with automatic hold and human escalation at 100% before any further commitment is permitted"
          ],
          "anti_patterns": [
            "Reconciling authority utilization only after commitment actions complete, allowing limit breaches before detection",
            "Maintaining authority limits in static configuration files rather than a live ledger queryable at commitment time"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that every AI system with delegated authority has a corresponding entry in the authority ledger with explicit limit, scope, and expiry fields",
            "Confirm that the commitment interception layer queries the live ledger before every commitment action, not on a batch or periodic basis",
            "Validate that hard-stop logic prevents commitment issuance when the authority balance would be exhausted, even under concurrent load"
          ],
          "runtime_tests": [
            "Submit a sequence of test commitments that cumulatively reach 100% of an authority limit and verify that the hard stop activates and escalation is triggered before the limit is exceeded",
            "Simulate a concurrent load scenario where two AI processes simultaneously attempt to commit against the same authority grant and verify that double-spending is prevented",
            "Verify that the 70% and 90% threshold alerts are received by the correct accountable parties within the defined notification window"
          ],
          "evidence": [
            "log: authority ledger transaction records showing real-time balance decrements and threshold alert events for each AI system",
            "config: authority grant registry export listing all active delegations with limits, scopes, and expiry dates",
            "authority: signed delegation instruments authorizing each AI system's commitment scope and limit",
            "test: load test results demonstrating that concurrent commitment attempts do not produce double-spend outcomes"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Authority limit monitoring ensures that AI-executed commitments remain within legally sanctioned delegation bounds, preserving the organization's ability to disclaim unauthorized obligations.",
            "actions": [
              "Confirm that delegation instruments are legally reviewed and signed before being entered into the authority ledger",
              "Ensure that hard-stop events generate a legally preserved record that can demonstrate the organization's control was functioning at the time of any disputed commitment",
              "Review the escalation chain for limit breaches to confirm that accountable human authorization is required before overrides are granted"
            ],
            "failure_signals": [
              "AI systems have executed commitments beyond their authorized limits with no record of human override authorization",
              "Delegation instruments in the ledger are unsigned or lack legal review, undermining their enforceability as authority constraints"
            ]
          },
          "cfo_procurement": {
            "summary": "Real-time authority limit monitoring is the primary financial control preventing AI systems from committing organizational resources beyond sanctioned approval thresholds.",
            "actions": [
              "Define authority limit schedules for AI systems as part of the annual delegation of authority review process",
              "Require that any increase to an AI system's authority limit follows the same approval process as equivalent human delegation increases",
              "Review authority utilization reports monthly to assess whether limit levels are appropriately calibrated to operational need"
            ],
            "failure_signals": [
              "AI systems are operating with authority limits that have not been reviewed or recalibrated against actual utilization patterns",
              "Authority limit breaches have occurred and were discovered only through financial reconciliation rather than real-time monitoring"
            ]
          },
          "risk_officer": {
            "summary": "Authority limit monitoring operationalizes financial risk appetite for AI-driven commitments, providing a real-time signal when the enterprise's delegated authority exposure approaches defined boundaries.",
            "actions": [
              "Map authority limit thresholds to risk appetite statements to ensure that monitoring triggers align with risk tolerance",
              "Include authority limit utilization rates in enterprise risk dashboards as a leading indicator of unauthorized commitment risk",
              "Define escalation procedures that engage risk management when cumulative AI commitment exposure across systems approaches board-approved thresholds"
            ],
            "failure_signals": [
              "Authority limit thresholds are set without reference to the enterprise risk appetite, creating misalignment between monitoring triggers and acceptable risk levels",
              "No aggregated view of authority limit utilization across all AI systems is available for enterprise risk reporting"
            ]
          },
          "grc_auditor": {
            "summary": "Authority limit monitoring provides auditable evidence that AI commitment authority is being exercised within sanctioned bounds, supporting delegation of authority audits and control effectiveness assessments.",
            "actions": [
              "Reconcile authority ledger transaction records against actual commitments executed to detect any off-ledger commitment activity",
              "Verify that all AI system authority grants are traceable to signed delegation instruments with documented approval chains",
              "Test hard-stop controls annually to confirm they activate correctly before limit exhaustion"
            ],
            "failure_signals": [
              "Authority ledger records cannot be reconciled against executed commitment records, indicating potential off-ledger activity",
              "Hard-stop controls have not been tested and there is no evidence of their activation in production environments"
            ],
            "metrics": [
              "Authority limit utilization rate: current commitment balance as a percentage of authorized limit per AI system",
              "Hard-stop activation count: number of times hard-stop controls prevented commitment issuance in the reporting period",
              "Threshold alert response time: mean elapsed time from threshold alert to human acknowledgment"
            ]
          },
          "board_governance": {
            "summary": "Authority limit monitoring ensures that board-approved delegation schedules are enforced operationally in AI systems, closing the gap between governance intent and runtime execution.",
            "actions": [
              "Confirm that AI system authority limits are incorporated into the board-approved delegation of authority schedule and reviewed annually",
              "Receive reporting on authority limit breach events and hard-stop activations as part of audit committee oversight"
            ],
            "failure_signals": [
              "AI system authority limits are not reflected in the board-approved delegation schedule, creating uncontrolled de facto authority",
              "The board has no visibility into authority limit utilization trends or breach events involving AI systems"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "managed"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 13",
            "title": "Implements risk responses",
            "principle_number": 13,
            "component_name": "Performance",
            "normative_force": "industry-framework",
            "fit": "partial",
            "fit_rationale": "Real-time limit tracking with hard stops is a risk response, partially implementing Principle 13.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Real-time limit tracking with hard stops is a risk response, partially implementing Principle 13.",
            "requirement_id": "Principle 13 \u2014 Implements risk responses",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Continuous tracking of authority-limit utilization directly implements \u00a79.1 monitoring and measurement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Continuous tracking of authority-limit utilization directly implements \u00a79.1 monitoring and measurement.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MEASURE 3.1",
            "title": "Approaches, personnel, and documentation are in place to regularly identify and track existing, unanticipated, and emergent AI risks",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Tracking approaching authority thresholds helps identify emergent commitment risks, partially addressing MEASURE 3.1.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Tracking approaching authority thresholds helps identify emergent commitment risks, partially addressing MEASURE 3.1.",
            "requirement_id": "MEASURE 3.1 \u2014 Approaches, personnel, and documentation are in place to regularly identify and track existing, unanticipated, and emergent AI risks",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AU-6",
            "title": "Audit Record Review, Analysis, and Reporting",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Analyzing utilization with threshold alerts partially reflects AU-6 audit review and analysis, though the control is largely preventive.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Analyzing utilization with threshold alerts partially reflects AU-6 audit review and analysis, though the control is largely preventive.",
            "requirement_id": "AU-6 \u2014 Audit Record Review, Analysis, and Reporting",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Config Rules + CloudTrail Alerting \u2014 Authority Limit Violation Detection",
            "rationale": "AWS Config rules detect when IAM permissions or resource configurations exceed declared authority limits, generating non-compliant findings for review. CloudTrail event-based CloudWatch alarms trigger immediate alerts when AI workload principals attempt actions that exceed declared authority limits, enabling real-time authority limit monitoring across all organizational accounts.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Config rules and CloudTrail alarms detect actions exceeding declared limits, partially implementing authority-limit monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Organization Policy Monitoring \u2014 Authority Boundary Violation Detection",
            "rationale": "Google Cloud Organization Policy monitoring detects constraint violations when resources attempt operations that exceed declared authority boundaries. Constraint violation events are recorded in Cloud Audit Logs and can trigger Pub/Sub notifications for real-time alerting, enabling authority limit monitoring at the platform level before violations result in unauthorized actions.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Org Policy monitoring records constraint violations for real-time alerting, partially implementing authority-limit monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta System Log + Identity Governance Reports \u2014 Authority Limit Anomaly Detection",
            "rationale": "Okta System Log events, queryable through System Log reporting and Okta Identity Governance access reports, combined with Okta's behavior detection signals, support identification of authority limit violations in AI agent authorization patterns. Token scope anomalies, unexpected permission escalation attempts, and out-of-pattern authorization requests can be alerted on to drive authority limit monitoring responses. (Okta has no product named 'Authorization Analytics.')",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta System Log and governance reports with behavior signals surface authorization-limit anomalies, partially implementing monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Defender for Cloud \u2014 AI Workload Posture and Threat Signals",
            "rationale": "Microsoft Defender for Cloud surfaces security posture recommendations and threat signals for AI workloads (Defender for Cloud AI security posture management), which can be used to alert on activity inconsistent with configured permission boundaries. Integration with Microsoft Sentinel enables automated response, including access restriction and incident creation for governance review. Defender does not natively understand business authority limits \u2014 those must be expressed as configured policies for its findings to reflect them.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "Defender surfaces posture and threat signals but does not natively understand business authority limits, making it adjacent support.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "consequential-commitment",
          "procurement-ai"
        ],
        "implementers": [
          "CFO",
          "Chief Risk Officer",
          "GRC Auditor"
        ],
        "validation_objective": "Every AI system with delegated commitment authority must have a live entry in the authority ledger with an explicit limit, scope, currency, and expiry, with the commitment interception layer querying the ledger synchronously before each commitment action and enforcing a hard stop that prevents any action that would exhaust the authorized balance.",
        "evidence_required": [
          "Authority grant registry export listing all active AI system delegations with limit, scope, currency, expiry date, and reference to the signed delegation instrument that authorized each grant",
          "Authority ledger transaction log showing real-time balance decrements, 70% and 90% threshold alert events, and hard-stop activations with timestamps for the reporting period",
          "Load test results demonstrating that concurrent commitment attempts against the same authority grant cannot produce a double-spend outcome",
          "Threshold alert acknowledgment records showing mean elapsed time from alert generation to accountable party acknowledgment within the defined notification window"
        ],
        "machine_tests": [
          "Submit a sequence of test commitments cumulatively reaching 100% of an authority limit \u2192 assert hard stop activates before the limit is exceeded and an escalation event is generated with no over-limit commitment recorded",
          "Submit two simultaneous commitment requests against the same authority grant that would together exceed the limit \u2192 assert only one succeeds and the second is rejected without double-spending",
          "Advance a delegation grant record past its expiry date in the test ledger \u2192 assert the commitment interception layer treats the expired grant as invalid and blocks all commitment actions referencing it",
          "Attempt to bypass the commitment interception layer by submitting a direct API call to the downstream commitment system \u2192 assert the action is rejected without a valid ledger authorization token"
        ],
        "human_review": [
          "Verify that all AI system authority grants in the ledger are traceable to signed delegation instruments with documented approval chains that match the organization's delegation of authority policy",
          "Assess whether authority limit values are appropriately calibrated against actual operational utilization patterns and current enterprise risk appetite statements, with limits that have never been triggered reviewed for potential under-scoping",
          "Review hard-stop override procedures to confirm that any override requires documented human authorization with a retained audit record that includes the authorizing principal and justification"
        ],
        "blocking_effect": "blocks-runtime-action",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Reconciling authority utilization only after commitment actions complete in batch rather than querying the live ledger before each action, allowing limit breaches to occur before detection",
          "Maintaining AI system authority limits in static configuration files rather than a live, queryable ledger that is decremented synchronously at commitment time",
          "Sharing a single authority grant across multiple AI systems rather than issuing per-system grants, preventing attribution of individual limit breaches and enabling uncontrolled aggregate exposure",
          "Implementing threshold alerts without a hard-stop mechanism, converting a control designed to prevent limit breaches into an advisory that only reports them",
          "Setting authority limits at initial deployment without a documented recalibration cadence, allowing limits to become permanently misaligned with evolving operational scope"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PG"
      },
      {
        "id": "PG-03",
        "name": "Contract Obligation Compliance Monitoring",
        "canonical_id": "apeiris://authority/controls/PG-03",
        "layer": "PG",
        "prefix": "PG",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Monitors AI system activities against contracted third-party obligations to ensure that agentic actions do not breach vendor, partner, or customer contract terms.",
        "threat": {
          "context": "AI systems acting autonomously in procurement or contract execution contexts may inadvertently violate third-party contract obligations \u2014 such as minimum purchase commitments, exclusivity clauses, or data handling restrictions \u2014 without any human reviewer detecting the breach in real time.",
          "tags": [
            "contract-violation",
            "procurement-bypass",
            "unauthorized-commitment"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_800_53",
            "section": "SA-9",
            "title": "External System Services"
          },
          {
            "id": "coso_erm",
            "section": "Principle 13",
            "title": "Implements risk responses"
          },
          {
            "id": "nist_rmf",
            "section": "MEASURE 3.1",
            "title": "Approaches, personnel, and documentation are in place to regularly identify and track existing, unanticipated, and emergent AI risks"
          }
        ],
        "sources": [
          {
            "id": "nist-800-53-r5-sa9",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Supply Chain Risk Management",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Supply Chain Risk Management requirements informing the apeiris://authority/controls/PG-03 Contract Obligation Compliance Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021-s9-contract",
            "title": "ISO 37301:2021 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 Compliance Management Systems requirements informing the apeiris://authority/controls/PG-03 Contract Obligation Compliance Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "coso-erm-2017-p13-contract",
            "title": "COSO Enterprise Risk Management Framework 2017",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management Framework 2017 requirements informing the apeiris://authority/controls/PG-03 Contract Obligation Compliance Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "internal-policy-contract-monitoring-002",
            "title": "Example adopter artifact \u2014 Contract Management Policy \u2014 AI-Executed Transaction Monitoring (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PG-03 Contract Obligation Compliance Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PG-03 Contract Obligation Compliance Monitoring control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PG-03 Contract Obligation Compliance Monitoring control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Maintain a contract obligation registry where each active third-party agreement is decomposed into machine-evaluable obligation rules, and route all AI-executed transactions through an obligation evaluation layer before or immediately after execution.",
          "steps": [
            "Build and maintain a contract obligation registry by extracting key obligation clauses from active agreements \u2014 minimum volumes, exclusivity, data handling, pricing floors \u2014 into structured rule objects",
            "Integrate the obligation evaluation layer with AI system transaction pipelines so that each AI-executed action is checked against the relevant contract's obligation rules",
            "Configure alerts for obligation proximity events \u2014 such as approaching minimum purchase thresholds \u2014 and deviation events, routing them to Contract Management and General Counsel within a defined SLA"
          ],
          "anti_patterns": [
            "Relying on AI systems to self-report contract compliance without an independent obligation evaluation layer",
            "Loading obligation rules only at contract inception and never updating them when amendments or addenda are executed"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that all active third-party contracts in scope have corresponding obligation profiles in the contract obligation registry",
            "Confirm that the obligation evaluation layer is invoked for every AI-executed transaction touching a third-party relationship",
            "Validate that the registry update process is triggered by contract amendments within a documented SLA to prevent stale obligation rules"
          ],
          "runtime_tests": [
            "Simulate an AI transaction that would breach a minimum purchase commitment and verify that the deviation alert is raised before or immediately after execution",
            "Update a contract obligation rule in the registry and confirm that subsequent AI transactions are evaluated against the updated rule within one evaluation cycle",
            "Verify that obligation proximity alerts for approaching minimum commitments are delivered to Contract Management within the defined notification window"
          ],
          "evidence": [
            "contract: contract obligation registry export showing active agreements, obligation rules, and last-updated timestamps",
            "log: obligation evaluation event logs showing per-transaction rule evaluation outcomes and alert events",
            "doc: contract amendment update procedure with documented SLA for obligation registry synchronization",
            "policy: CONTRACT-POL-002 signed approval record and version history"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Contract obligation monitoring reduces the organization's exposure to breach of contract claims by ensuring AI-executed transactions remain within the bounds of existing third-party agreements.",
            "actions": [
              "Lead the decomposition of contract obligation clauses into machine-evaluable rules to ensure legal accuracy of obligation profiles",
              "Establish a protocol for General Counsel review of obligation rule changes triggered by contract amendments before the updated rules are activated",
              "Confirm that deviation evidence is captured in a format suitable for use in dispute resolution or litigation"
            ],
            "failure_signals": [
              "AI systems have executed transactions that breach third-party contract terms with no prior deviation alert generated",
              "Contract obligation profiles are outdated and do not reflect executed amendments, creating undetected compliance gaps"
            ]
          },
          "cfo_procurement": {
            "summary": "Contract obligation monitoring protects the organization from financial penalties and relationship damage arising from AI-driven inadvertent breaches of supplier or customer agreements.",
            "actions": [
              "Require contract obligation profiles as a mandatory deliverable before any AI system is authorized to execute transactions against a third-party agreement",
              "Include contract breach penalty exposure in procurement risk assessments for AI-enabled sourcing and vendor management systems"
            ],
            "failure_signals": [
              "The organization has incurred contract breach penalties attributable to AI-executed transactions that exceeded or violated agreement terms",
              "Procurement AI systems are operating without obligation profiles for active supplier agreements"
            ]
          },
          "risk_officer": {
            "summary": "Contract obligation monitoring converts third-party contractual risk into a monitored, quantifiable exposure that can be tracked and reported as part of enterprise risk management.",
            "actions": [
              "Include contract obligation violation rates in enterprise risk dashboards as an operational risk indicator",
              "Assess the aggregate financial exposure from AI-driven contract breaches across all third-party relationships and include it in risk appetite assessments",
              "Define escalation thresholds for obligation deviations that trigger mandatory risk officer review before further AI transactions are permitted"
            ],
            "failure_signals": [
              "No quantitative contract obligation compliance metrics are available for enterprise risk reporting",
              "Risk appetite assessments for AI-executed transactions do not account for third-party contract breach exposure"
            ]
          },
          "grc_auditor": {
            "summary": "Contract obligation monitoring provides auditable evidence that AI systems are operating within the boundaries of third-party agreements, supporting supply chain compliance and procurement audits.",
            "actions": [
              "Verify that the contract obligation registry is complete and current for all in-scope third-party agreements",
              "Reconcile obligation evaluation logs against AI-executed transaction records to identify any transactions processed without obligation evaluation",
              "Test obligation evaluation logic against sample contract clauses to verify that rule interpretation matches legal intent"
            ],
            "failure_signals": [
              "The contract obligation registry does not cover all active third-party agreements in scope for AI transaction execution",
              "Transaction records show AI-executed actions that bypassed the obligation evaluation layer"
            ],
            "metrics": [
              "Obligation registry coverage: percentage of active in-scope contracts with complete machine-evaluable obligation profiles",
              "Obligation deviation rate: number of AI-executed transactions that triggered obligation deviation alerts per reporting period",
              "Registry synchronization lag: mean elapsed time from contract amendment execution to obligation rule update in registry"
            ]
          },
          "board_governance": {
            "summary": "Contract obligation monitoring supports board-level assurance that autonomous AI operations do not create undisclosed contractual liabilities with third parties.",
            "actions": [
              "Receive summary reporting on contract obligation compliance rates for AI-executed transactions as part of audit committee oversight",
              "Ensure material contract breach events involving AI systems are escalated to the board before external disclosure obligations are triggered"
            ],
            "failure_signals": [
              "Material contract breach events attributable to AI system actions are not escalated to the board in a timely manner",
              "The board has no visibility into the aggregate contractual risk exposure created by AI-executed transactions"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Evaluating every AI transaction against machine-evaluable obligation rules directly implements \u00a79.1 monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Evaluating every AI transaction against machine-evaluable obligation rules directly implements \u00a79.1 monitoring.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SA-9",
            "title": "External System Services",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Monitoring AI activity against third-party obligations partially reflects SA-9 external-service requirements.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Monitoring AI activity against third-party obligations partially reflects SA-9 external-service requirements.",
            "requirement_id": "SA-9 \u2014 External System Services",
            "relation": "equivalent_to"
          },
          {
            "framework": "coso_erm",
            "ref": "Principle 13",
            "title": "Implements risk responses",
            "principle_number": 13,
            "component_name": "Performance",
            "normative_force": "industry-framework",
            "fit": "partial",
            "fit_rationale": "Deviation alerting on obligation breaches is a risk response, partially implementing Principle 13.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Deviation alerting on obligation breaches is a risk response, partially implementing Principle 13.",
            "requirement_id": "Principle 13 \u2014 Implements risk responses",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Audit Manager \u2014 Contract Compliance Evidence Collection",
            "rationale": "AWS Audit Manager custom frameworks map AWS Config rules and CloudTrail events to contract compliance obligations, automatically collecting evidence of compliance across the organizational account hierarchy. Audit Manager generates assessment reports that demonstrate contract obligation compliance status for each evidence collection period, supporting continuous contract obligation compliance monitoring.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Audit Manager maps Config and CloudTrail evidence to contract obligations, partially implementing obligation compliance monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Assured Workloads \u2014 Continuous Regulatory Contract Compliance Monitoring",
            "rationale": "Google Assured Workloads provides continuous compliance monitoring against regulatory and contractual obligations with automatic violation alerting. The Assured Workloads compliance dashboard displays real-time compliance status for all applicable contractual obligations, and violation events trigger automated notifications to governance contacts.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Assured Workloads continuously monitors regulatory and contract obligation compliance with alerting, partially implementing PG-03.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Purview Compliance Manager \u2014 Regulatory Template Compliance Scoring",
            "rationale": "Microsoft Purview Compliance Manager tracks compliance scores against regulatory and standards assessment templates, with continuous assessment updates and structured evidence collection for audit readiness. Contractual obligations are not scored natively: organizations can create custom assessments representing contract terms so that improvement actions and scores reflect obligation fulfillment status.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Custom Compliance Manager assessments track obligation fulfillment scores, partially implementing obligation compliance monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "contract-ai",
          "procurement-ai"
        ],
        "implementers": [
          "Contract Management",
          "General Counsel",
          "GRC Auditor"
        ],
        "validation_objective": "All active third-party contracts in scope for AI-executed transactions must have complete, machine-evaluable obligation profiles in the contract obligation registry, and every AI-executed transaction touching a third-party relationship must be evaluated against the applicable obligation rules, with deviation alerts generated before or within one evaluation cycle of execution.",
        "evidence_required": [
          "Contract obligation registry export listing all active in-scope agreements with structured obligation rule profiles, coverage status, and last-updated timestamps reflecting the current amendment state of each contract",
          "Obligation evaluation event logs showing per-transaction rule evaluation outcomes, deviation alerts, and proximity alerts for approaching commitment thresholds in the reporting period",
          "Contract amendment update procedure document specifying the SLA for obligation registry synchronization after amendments are executed, with evidence of SLA compliance",
          "Registry completeness assessment cross-referencing the obligation registry against the AI system transaction log to confirm no third-party transactions are processed without obligation evaluation"
        ],
        "machine_tests": [
          "Simulate an AI-executed transaction that would breach a minimum purchase commitment defined in the obligation registry \u2192 assert a deviation alert is raised before or within one evaluation cycle of transaction execution",
          "Update a contract obligation rule to reflect a simulated amendment \u2192 assert subsequent AI transactions are evaluated against the updated rule within one evaluation cycle",
          "Cross-reference AI system transaction logs against obligation evaluation event logs \u2192 assert 100% of transactions touching in-scope third-party relationships have a corresponding evaluation record",
          "Query the registry for an active in-scope contract that has no obligation profile \u2192 assert the system flags the gap and prevents AI transaction execution against that contract until a profile is created"
        ],
        "human_review": [
          "Verify that obligation rule decompositions for a representative sample of active contracts accurately reflect the legal intent of the underlying agreement clauses, with General Counsel confirmation that rules do not misrepresent material obligations",
          "Assess whether the obligation registry is complete relative to all contracts under which AI systems currently execute transactions, including recent amendments, addenda, and side letters not yet reflected in the registry",
          "Review deviation alert history to identify recurring obligation proximity events that may indicate contract minimum commitments or exclusivity terms require renegotiation or AI system behavioral constraints"
        ],
        "blocking_effect": "advisory",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Relying on AI systems to self-report contract compliance without an independent obligation evaluation layer operating on structured, registry-maintained rules",
          "Loading obligation rules only at contract inception without updating them when amendments, addenda, or side letters modify original obligation terms",
          "Decomposing contract obligations into monitoring rules without General Counsel review, producing rules that misrepresent legally significant obligation nuances",
          "Treating the obligation evaluation layer as optional for low-value AI-executed transactions, creating coverage gaps exploited by cumulative commitment patterns that breach thresholds incrementally",
          "Closing deviation alerts as false positives without documenting the rationale, preventing audit review of exception patterns and masking systemic obligation evaluation weaknesses"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PG"
      },
      {
        "id": "PG-04",
        "name": "Policy Incident Classification and Response",
        "canonical_id": "apeiris://authority/controls/PG-04",
        "layer": "PG",
        "prefix": "PG",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Classifies detected policy violations by severity and routes them to appropriate response workflows to ensure proportionate and timely remediation of AI governance incidents.",
        "threat": {
          "context": "Without a structured classification and response process, policy violations detected by monitoring systems may be routed inconsistently, treated with disproportionate severity, or remain unresolved \u2014 allowing root causes to persist and repeat.",
          "tags": [
            "policy-bypass",
            "escalation-failure",
            "internal-policy-violation"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 11",
            "title": "Assesses Severity of Risk"
          },
          {
            "id": "iso_37301",
            "section": "\u00a78.2",
            "title": "Establishing controls and procedures"
          },
          {
            "id": "nist_rmf",
            "section": "MANAGE 4.1",
            "title": "Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management"
          },
          {
            "id": "nist_800_53",
            "section": "IR-4",
            "title": "Incident Handling"
          }
        ],
        "sources": [
          {
            "id": "nist-800-53-r5-ir4",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Incident Response",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Incident Response requirements informing the apeiris://authority/controls/PG-04 Policy Incident Classification and Response control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021-s8-2",
            "title": "ISO 37301:2021 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 Compliance Management Systems requirements informing the apeiris://authority/controls/PG-04 Policy Incident Classification and Response control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-rmf-manage-4-1",
            "title": "NIST AI RMF MANAGE 4.1",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI RMF MANAGE 4.1 (post-deployment monitoring and incident response mechanisms) requirements informing the apeiris://authority/controls/PG-04 Policy Incident Classification and Response control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "internal-policy-incident-response-005",
            "title": "Example adopter artifact \u2014 AI Policy Incident Response Procedure (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PG-04 Policy Incident Classification and Response control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PG-04 Policy Incident Classification and Response control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PG-04 Policy Incident Classification and Response control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Define a tiered severity taxonomy for AI policy incidents and automate initial classification using the monitoring telemetry context, then route each classified incident to a predefined response playbook with role-assigned owners and resolution SLAs.",
          "steps": [
            "Define a four-tier severity taxonomy for AI policy incidents \u2014 from Severity 4 (minor deviation, self-remediate) to Severity 1 (material breach, immediate executive escalation) \u2014 with explicit classification criteria for each tier",
            "Automate initial severity classification by applying taxonomy rules to monitoring alert context fields, and route each incident to the corresponding response playbook with role-assigned owners",
            "Track incident lifecycle from detection through classification, containment, resolution, and closure, with SLA monitoring and escalation triggers for overdue incidents"
          ],
          "anti_patterns": [
            "Routing all policy incidents to a single queue regardless of severity, causing critical incidents to be delayed behind minor deviations",
            "Closing incidents without a documented root cause and corrective action record, preventing lessons-learned from being captured"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that the severity taxonomy covers all classes of policy violations that monitoring controls in PG-01 through PG-03 can detect",
            "Confirm that each severity tier has a documented response playbook with named role owners and defined resolution SLAs",
            "Validate that the escalation chain for Severity 1 and 2 incidents reaches accountable executive and legal leadership within the required timeframe"
          ],
          "runtime_tests": [
            "Inject synthetic policy incidents matching each severity tier and verify that automated classification assigns the correct severity and routes to the correct playbook within the defined window",
            "Simulate a Severity 1 incident and verify that the escalation chain is activated within the required timeframe and that all designated recipients acknowledge receipt",
            "Verify that the incident management system enforces SLA monitoring and generates escalation alerts for overdue incidents at all severity tiers"
          ],
          "evidence": [
            "log: incident management system records showing classification outcomes, escalation events, and resolution timestamps for the reporting period",
            "policy: AI-IRP-005 signed approval record, severity taxonomy definitions, and playbook inventory",
            "doc: SLA definition document with documented approval from Chief Risk Officer and General Counsel",
            "test: tabletop exercise records demonstrating that the escalation chain functions correctly for Severity 1 scenarios"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "A structured incident classification process ensures that legally significant policy violations receive immediate counsel engagement, preserving privilege and enabling timely response before exposure escalates.",
            "actions": [
              "Define the legal review trigger criteria within the severity taxonomy to ensure that incidents with potential legal exposure are routed to General Counsel at Severity 2 or above",
              "Confirm that incident records are created and managed in a manner consistent with legal hold and privilege preservation requirements",
              "Participate in tabletop exercises for Severity 1 incident scenarios to verify that the escalation chain functions correctly"
            ],
            "failure_signals": [
              "Legal counsel is not engaged until after an AI policy incident has been disclosed externally, eliminating privilege protection windows",
              "Incident classification criteria do not adequately identify incidents with regulatory reporting obligations"
            ]
          },
          "cfo_procurement": {
            "summary": "Incident classification enables proportionate resource allocation for policy incident response, avoiding both under-investment in material incidents and over-investment in minor deviations.",
            "actions": [
              "Ensure that the incident response budget accounts for Severity 1 and 2 incident response costs, including external counsel and forensic support",
              "Review the financial impact threshold criteria in the severity taxonomy to confirm alignment with materiality definitions"
            ],
            "failure_signals": [
              "Material AI policy incidents have generated unexpected remediation costs not captured in budget forecasts",
              "The severity taxonomy does not incorporate financial impact thresholds, resulting in misclassification of financially significant incidents"
            ]
          },
          "risk_officer": {
            "summary": "Incident classification and response provides risk management with a structured, consistent mechanism to assess, contain, and learn from AI policy violations as they occur.",
            "actions": [
              "Integrate the incident management system with the enterprise risk register so that Severity 1 and 2 incidents automatically create risk events",
              "Review incident classification patterns quarterly to identify systemic root causes that warrant updates to risk appetite or control design",
              "Define risk-based criteria for when a pattern of lower-severity incidents warrants aggregation into a material risk event"
            ],
            "failure_signals": [
              "Policy incidents are managed in isolation with no integration into the enterprise risk register, preventing risk aggregation analysis",
              "Repeated Severity 3 and 4 incidents with the same root cause are not escalated as a systemic risk pattern"
            ]
          },
          "grc_auditor": {
            "summary": "The incident classification and response process creates an auditable lifecycle record for every policy violation, supporting control effectiveness assessments and regulatory audit responses.",
            "actions": [
              "Audit the completeness of incident records for the reporting period, verifying that all monitoring alerts resulted in classified incidents",
              "Assess whether resolution actions were completed within documented SLAs and that root cause and corrective action records are complete",
              "Verify that the severity taxonomy is reviewed and updated at least annually to remain current with the evolving policy and regulatory landscape"
            ],
            "failure_signals": [
              "Monitoring alerts cannot be reconciled to incident records, indicating that some alerts were not actioned through the classification process",
              "Incident records are closed without documented root cause or corrective action, preventing audit traceability"
            ],
            "metrics": [
              "Classification timeliness rate: percentage of incidents classified within the two-hour SLA from detection",
              "Resolution on-time rate: percentage of incidents resolved within the tier-specific SLA by severity",
              "Repeat incident rate: percentage of incidents sharing a root cause with a prior incident in the trailing 90-day period"
            ]
          },
          "board_governance": {
            "summary": "A disciplined incident classification process ensures that the board receives timely, calibrated information about material AI policy violations without being overwhelmed by minor operational events.",
            "actions": [
              "Confirm that the severity taxonomy's Severity 1 escalation path includes board notification criteria and that the board receives incident summaries for all Severity 1 events",
              "Review aggregate incident classification statistics in audit committee reports to assess the health of AI policy governance"
            ],
            "failure_signals": [
              "The board learns of material AI policy incidents through external sources rather than the internal escalation process",
              "No aggregate incident statistics are provided to the board, preventing oversight of AI governance trends"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 11",
            "title": "Assesses Severity of Risk",
            "principle_number": 11,
            "component_name": "Performance",
            "normative_force": "industry-framework",
            "fit": "partial",
            "fit_rationale": "Classifying incidents to a severity taxonomy operationalizes Principle 11 severity assessment for policy incidents.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Classifying incidents to a severity taxonomy operationalizes Principle 11 severity assessment for policy incidents.",
            "requirement_id": "Principle 11 \u2014 Assesses Severity of Risk",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a78.2",
            "title": "Establishing controls and procedures",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Defined severity taxonomy and response playbooks establish controls and procedures per \u00a78.2, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Defined severity taxonomy and response playbooks establish controls and procedures per \u00a78.2, partially.",
            "requirement_id": "\u00a78.2 \u2014 Establishing controls and procedures",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MANAGE 4.1",
            "title": "Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Classifying and routing incidents to response playbooks partially implements MANAGE 4.1 incident-response mechanisms.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Classifying and routing incidents to response playbooks partially implements MANAGE 4.1 incident-response mechanisms.",
            "requirement_id": "MANAGE 4.1 \u2014 Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "IR-4",
            "title": "Incident Handling",
            "normative_force": "voluntary-standard",
            "fit": "direct",
            "fit_rationale": "Severity classification, playbook routing, and SLA-bound resolution of policy incidents directly implement IR-4 incident handling.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Severity classification, playbook routing, and SLA-bound resolution of policy incidents directly implement IR-4 incident handling.",
            "requirement_id": "IR-4 \u2014 Incident Handling",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Security Hub \u2014 Policy Incident Classification and Routing",
            "rationale": "AWS Security Hub classifies policy incidents by severity using standardized finding formats and routes findings to appropriate response teams via EventBridge integration. Security Hub's automated response and remediation (SOAR) capabilities enable predefined response workflows to activate automatically when AI governance policy incidents are detected, reducing mean time to respond.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Security Hub classifies findings by severity and routes them via EventBridge SOAR, partially implementing classification and response.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Security Command Center \u2014 Policy Violation Triage and Response",
            "rationale": "Google Cloud Security Command Center classifies and triages organization policy violations, assigning severity levels and routing findings to appropriate response teams. SCC's muted findings feature allows governance teams to manage known exceptions while maintaining visibility into genuinely novel policy incidents requiring active response.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "SCC classifies and triages policy violations with severity and routing, partially implementing incident response.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Sentinel \u2014 AI Policy Incident Classification and SOAR Response",
            "rationale": "Microsoft Sentinel can classify AI policy incidents using custom analytics rules and trigger automated response playbooks (SOAR) when governance violations are detected. Sentinel's fusion engine correlates signals across Azure Policy, Purview, and Defender for Cloud to identify multi-signal AI governance incidents that warrant escalated response.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Sentinel analytics classify AI policy incidents and trigger SOAR playbooks, partially implementing classification and response.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "Chief Risk Officer",
          "General Counsel",
          "Compliance Officer"
        ],
        "validation_objective": "Every policy violation detected by AI monitoring controls must be classified to the defined severity taxonomy within the two-hour SLA, routed to the corresponding response playbook with role-assigned owners, and resolved within the tier-specific SLA, with root cause and corrective action records retained for every closed incident.",
        "evidence_required": [
          "Incident management system records for the reporting period showing classification outcome, assigned severity tier, playbook routing, escalation events, resolution timestamps, and SLA compliance for all detected violations",
          "Severity taxonomy definition document and response playbook inventory with documented role owners, resolution SLAs by tier, and signed approval from Chief Risk Officer and General Counsel",
          "Tabletop exercise records from the most recent annual exercise demonstrating that the Severity 1 escalation chain functions correctly, with participant records and identified gaps with remediation actions",
          "Root cause and corrective action records for all incidents closed in the reporting period, with repeat incident flags where the same root cause recurs within 90 days"
        ],
        "machine_tests": [
          "Inject synthetic policy incidents matching each of the four severity tiers into the classification engine \u2192 assert each is assigned the correct severity tier and routed to the correct playbook within the two-hour SLA",
          "Simulate a Severity 1 incident \u2192 assert the escalation chain notifies all designated executive and legal recipients within the required escalation window and acknowledgment records are generated for each recipient",
          "Advance an open incident past its tier-specific resolution SLA deadline \u2192 assert the incident management system generates an escalation alert routed to the defined escalation owner",
          "Inject a synthetic incident sharing the root cause of a prior incident from the trailing 90 days \u2192 assert the system flags it as a repeat and applies the repeat escalation protocol"
        ],
        "human_review": [
          "Review a sample of incident classification records to assess whether the automated severity taxonomy applies classification criteria consistently with policy intent, with particular attention to borderline Severity 2 and 3 boundary cases",
          "Assess whether root cause records for closed incidents reflect genuine causal analysis enabling systemic improvements, rather than template-filled entries that satisfy the record requirement without extracting lessons learned",
          "Verify that the severity taxonomy has been reviewed and updated within the past 12 months to reflect new policy categories, AI capabilities, or regulatory requirements that create classification gaps"
        ],
        "blocking_effect": "requires-review",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Routing all policy incidents to a single undifferentiated queue regardless of severity, causing Severity 1 material breaches to queue behind low-priority minor deviations and breach their escalation SLAs",
          "Closing incidents without documented root cause or corrective action records, preventing lessons learned from reducing repeat incident rates",
          "Assigning the same individual who detected and reported an incident as the sole classifier, removing the independent assessment that accurate severity assignment requires",
          "Treating the severity taxonomy as static without annual review, allowing classification gaps to accumulate as new policy categories and AI capabilities emerge",
          "Conducting tabletop exercises only for Severity 1 scenarios and not testing Severity 2 and 3 response workflows, leaving mid-tier incident response procedures unvalidated"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PG"
      },
      {
        "id": "PG-05",
        "name": "Knowledge Source Staleness Detection",
        "canonical_id": "apeiris://authority/controls/PG-05",
        "layer": "PG",
        "prefix": "PG",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Detects when AI systems are operating on outdated or stale knowledge sources \u2014 cross-referencing currency requirements defined in apeiris://knowledge/controls/KM-01 \u2014 to prevent policy decisions grounded in superseded regulatory or factual context.",
        "threat": {
          "context": "AI systems that reference internal policy documents, regulatory guidance, or factual knowledge bases may continue to apply superseded rules after updates, creating a silent compliance gap between the organization's current obligations and the AI system's operating context.",
          "tags": [
            "knowledge-source-staleness",
            "intent-drift",
            "policy-bypass"
          ]
        },
        "standard_references": [
          {
            "id": "iso_42001",
            "section": "A.6.2.6",
            "title": "AI system operation and monitoring"
          },
          {
            "id": "nist_rmf",
            "section": "MEASURE 2.4",
            "title": "The functionality and behavior of the AI system and its components are monitored when in production"
          },
          {
            "id": "nist_800_53",
            "section": "CM-3",
            "title": "Configuration Change Control"
          },
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          }
        ],
        "sources": [
          {
            "id": "iso-42001-2023-s8-4",
            "title": "ISO/IEC 42001:2023 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 AI Management Systems requirements informing the apeiris://authority/controls/PG-05 Knowledge Source Staleness Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-rmf-measure-2-5",
            "title": "NIST AI RMF MEASURE 2.5",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI RMF MEASURE 2.5 requirements informing the apeiris://authority/controls/PG-05 Knowledge Source Staleness Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-800-53-r5-cm3",
            "title": "NIST SP 800-53 Rev. 5 \u2014 Configuration Management",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 Configuration Management requirements informing the apeiris://authority/controls/PG-05 Knowledge Source Staleness Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "internal-policy-knowledge-currency-004",
            "title": "Example adopter artifact \u2014 Knowledge Management Policy \u2014 AI Knowledge Source Currency (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PG-05 Knowledge Source Staleness Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PG-05 Knowledge Source Staleness Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PG-05 Knowledge Source Staleness Detection control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Attach versioned metadata to every knowledge source used by AI systems and implement a staleness monitor that compares the version timestamp of each source in active use against the latest published version, alerting when the lag exceeds the defined currency threshold.",
          "steps": [
            "Catalog all knowledge sources consumed by in-scope AI systems \u2014 policy documents, regulatory guidance, pricing schedules, contract terms \u2014 and attach version metadata including publication date, version identifier, and expiry flag",
            "Implement a staleness monitor that queries the knowledge source catalog on a defined schedule and compares the version in active use by each AI system against the latest published version, calculating the staleness lag",
            "Configure alerts for knowledge sources exceeding the maximum permissible staleness lag, routing them to Knowledge Management and the AI system owner with a remediation deadline and optional runtime hold"
          ],
          "anti_patterns": [
            "Relying on manual processes to notify AI system owners of knowledge source updates, which creates undocumented lag and human-factor gaps",
            "Treating knowledge source version metadata as optional, preventing the staleness monitor from calculating accurate lag values"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that all knowledge sources consumed by in-scope AI systems are cataloged with version metadata including publication date and version identifier",
            "Confirm that the staleness monitor runs on a schedule aligned with the maximum permissible lag threshold and queries all cataloged sources",
            "Validate that staleness alerts are routed to both Knowledge Management and the AI system owner, with documented remediation SLAs"
          ],
          "runtime_tests": [
            "Update a knowledge source in the catalog and verify that the staleness monitor detects the lag and generates an alert within one monitoring cycle",
            "Simulate a knowledge source that has been stale for longer than the maximum permissible lag and verify that a runtime hold is applied to the AI system pending refresh",
            "Verify that the knowledge source catalog is complete by cross-referencing it against the AI system's declared dependencies at last deployment"
          ],
          "evidence": [
            "log: staleness monitor run logs showing per-source lag calculations and alert events for the reporting period",
            "config: knowledge source catalog export with version metadata, staleness lag values, and last-checked timestamps",
            "doc: knowledge currency policy defining maximum permissible lag thresholds per source category",
            "policy: KM-POL-004 signed approval record and version history"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Knowledge source staleness detection prevents AI systems from applying superseded regulatory or legal requirements, reducing the organization's exposure to inadvertent non-compliance arising from outdated reference material.",
            "actions": [
              "Identify which knowledge sources contain regulatory or legal content and confirm they are cataloged with the most conservative staleness thresholds",
              "Establish a protocol for General Counsel review when AI systems have operated on stale regulatory knowledge sources, to assess whether any outputs require correction or disclosure",
              "Confirm that staleness detection evidence is retained in a format suitable for demonstrating due diligence in regulatory inquiries"
            ],
            "failure_signals": [
              "AI systems have issued guidance or made decisions based on superseded regulatory requirements without detection",
              "Regulatory knowledge sources are not included in the staleness monitoring catalog, leaving legal currency blind spots"
            ]
          },
          "cfo_procurement": {
            "summary": "Staleness detection prevents AI systems from applying outdated pricing schedules, contract terms, or financial thresholds, avoiding commitments that are inconsistent with current commercial arrangements.",
            "actions": [
              "Confirm that pricing schedules, vendor rate cards, and financial thresholds referenced by AI systems are included in the staleness monitoring catalog",
              "Include knowledge source currency management costs in the AI system operational budget"
            ],
            "failure_signals": [
              "AI systems have executed transactions at superseded pricing schedules due to stale knowledge sources",
              "Financial threshold knowledge sources are not cataloged and their currency cannot be verified"
            ]
          },
          "risk_officer": {
            "summary": "Knowledge source staleness is a leading risk indicator for AI system intent drift, representing the gap between the AI system's operating context and the organization's current obligations and environment.",
            "actions": [
              "Include knowledge source staleness lag metrics in enterprise AI risk dashboards as a leading indicator",
              "Define risk appetite thresholds for acceptable staleness lag by knowledge source category and integrate them with monitoring alert thresholds",
              "Require staleness risk assessments for AI systems operating in rapidly evolving regulatory domains"
            ],
            "failure_signals": [
              "No knowledge source currency metrics are tracked in the enterprise risk framework, leaving staleness risk unquantified",
              "Staleness thresholds have not been calibrated against the pace of change in relevant regulatory domains"
            ]
          },
          "grc_auditor": {
            "summary": "Staleness detection provides auditable evidence of knowledge currency management discipline, supporting AI system governance audits and regulatory readiness assessments.",
            "actions": [
              "Audit the completeness of the knowledge source catalog against AI system dependency manifests to identify uncataloged sources",
              "Verify that staleness alerts have been actioned within documented remediation SLAs and that refresh evidence is retained",
              "Assess whether maximum permissible lag thresholds are appropriately calibrated for each source category and reviewed annually"
            ],
            "failure_signals": [
              "Knowledge source catalog is incomplete relative to AI system dependencies, leaving uncovered currency gaps",
              "Staleness alert records show remediation SLAs being breached repeatedly without documented escalation"
            ],
            "metrics": [
              "Catalog coverage ratio: percentage of AI system knowledge source dependencies with version metadata in the staleness catalog",
              "Mean staleness lag: average elapsed time between source publication update and AI system knowledge refresh across all cataloged sources",
              "Threshold breach rate: number of knowledge sources exceeding the maximum permissible staleness lag per reporting period"
            ]
          },
          "board_governance": {
            "summary": "Ensuring AI systems operate on current knowledge is a foundational assurance that board-level obligations \u2014 including regulatory compliance and fiduciary accuracy \u2014 are being carried through to autonomous system behavior.",
            "actions": [
              "Receive summary reporting on aggregate knowledge source currency health as part of AI governance reporting to the audit committee",
              "Mandate that material staleness events involving regulatory or legally significant knowledge sources are escalated to the board"
            ],
            "failure_signals": [
              "The board has no visibility into whether AI systems are operating on current regulatory and policy knowledge",
              "Material staleness events have not been escalated, and the board is unaware of potential compliance exposure"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_42001",
            "ref": "A.6.2.6",
            "title": "AI system operation and monitoring",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Monitoring knowledge-source currency in operation partially addresses A.6.2.6 AI system operation and monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Monitoring knowledge-source currency in operation partially addresses A.6.2.6 AI system operation and monitoring.",
            "requirement_id": "A.6.2.6 \u2014 AI system operation and monitoring",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MEASURE 2.4",
            "title": "The functionality and behavior of the AI system and its components are monitored when in production",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Detecting stale knowledge sources monitors an input to production behavior, partially addressing MEASURE 2.4.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Detecting stale knowledge sources monitors an input to production behavior, partially addressing MEASURE 2.4.",
            "requirement_id": "MEASURE 2.4 \u2014 The functionality and behavior of the AI system and its components are monitored when in production",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "CM-3",
            "title": "Configuration Change Control",
            "normative_force": "voluntary-standard",
            "fit": "adjacent",
            "fit_rationale": "Staleness detection flags outdated sources but is not the configuration change-control process CM-3 defines.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Staleness detection flags outdated sources but is not the configuration change-control process CM-3 defines.",
            "requirement_id": "CM-3 \u2014 Configuration Change Control",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Config \u2014 Knowledge Resource Configuration Drift Detection",
            "rationale": "AWS Config continuously evaluates knowledge resource configurations against approved baselines and detects configuration drift when knowledge source references change from authorized versions. Config rules generate non-compliant findings when AI system knowledge source configurations diverge from approved state, enabling prompt staleness detection and remediation.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Config drift detection flags knowledge-source reference changes, partially supporting staleness detection.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Asset Inventory \u2014 Knowledge Resource Change Detection",
            "rationale": "Google Cloud Asset Inventory provides real-time change detection for knowledge resources across the resource hierarchy. Pub/Sub notification feeds alert governance teams immediately when approved knowledge source versions are modified, enabling staleness detection before stale knowledge propagates to AI system outputs.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Asset Inventory change feeds alert on knowledge-source version changes, partially supporting staleness detection.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure Machine Learning Model Monitoring \u2014 Knowledge Source Staleness Signals",
            "rationale": "Azure Machine Learning model monitoring (which supersedes the deprecated v1 data drift detector) monitors data quality and drift for production model inputs on configurable schedules, alerting when statistical properties shift beyond thresholds. Applied to the datasets behind RAG and knowledge-grounded deployments, these signals support proactive staleness detection for AI knowledge sources.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Azure ML data-drift monitoring on RAG datasets surfaces staleness signals, partially supporting the control.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "AI Engineering",
          "Knowledge Management",
          "Compliance Officer"
        ],
        "validation_objective": "Every knowledge source consumed by in-scope AI systems must be cataloged with version metadata including publication date and version identifier, the staleness monitor must calculate the lag for each source on the defined schedule, and a runtime hold must be applied to any AI system operating on a knowledge source whose staleness lag exceeds the maximum permissible threshold for its category.",
        "evidence_required": [
          "Knowledge source catalog export listing all cataloged sources with version metadata, publication date, version identifier, assigned staleness threshold, last-checked timestamp, and current calculated lag value",
          "Staleness monitor run logs for the reporting period showing per-source lag calculations, alert generation events, and runtime holds applied with hold start and lift timestamps",
          "Knowledge currency policy document defining maximum permissible staleness lag thresholds per source category, signed and dated by the accountable policy owner",
          "Knowledge source refresh records confirming that staleness alerts were actioned within documented remediation SLAs, including post-refresh lag recalculation confirming the source returned to current status"
        ],
        "machine_tests": [
          "Update the external version of a cataloged knowledge source while leaving the AI system's active reference unchanged \u2192 assert the staleness monitor detects the lag and generates an alert within one monitoring cycle",
          "Set a knowledge source's staleness lag to exceed the maximum permissible threshold for its category in the test catalog \u2192 assert a runtime hold is applied to the affected AI system and a remediation alert is routed to Knowledge Management and the AI system owner",
          "Cross-reference the knowledge source catalog against the AI system's dependency manifest at last deployment \u2192 assert all declared knowledge source dependencies are present in the catalog with version metadata",
          "Verify staleness monitor schedule execution logs \u2192 assert monitor runs completed within the defined schedule window for every source category with no missed cycles in the trailing 30 days"
        ],
        "human_review": [
          "Audit the knowledge source catalog for completeness by comparing it against AI system configuration files, RAG pipeline dependency declarations, and prompt context injections to identify uncataloged sources not yet covered by the staleness monitor",
          "Assess whether maximum permissible staleness lag thresholds are appropriately calibrated for each source category, with stricter thresholds applied to regulatory and legal sources where supersession risk is highest",
          "Review post-refresh validation records to verify that knowledge source refreshes were validated for accuracy and consistency with the AI system's operating context before the runtime hold was lifted"
        ],
        "blocking_effect": "advisory",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Relying on manual notification processes for knowledge source updates rather than automated version comparison against a structured catalog, creating undocumented lag and human-factor coverage gaps",
          "Treating knowledge source version metadata as optional in AI system configuration, preventing the staleness monitor from calculating accurate lag values for affected sources",
          "Applying a single universal staleness threshold to all knowledge source categories rather than stricter thresholds for regulatory and legal sources where supersession risk is materially higher",
          "Cataloging knowledge sources at AI system deployment but failing to maintain catalog completeness as the AI system's dependencies evolve through model updates and RAG configuration changes",
          "Applying runtime holds without a documented procedure for validating the refreshed knowledge source before lifting the hold, allowing unvalidated refreshes to reintroduce accuracy risks"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PG"
      },
      {
        "id": "PG-06",
        "name": "Operating Intent Drift Detection",
        "canonical_id": "apeiris://authority/controls/PG-06",
        "layer": "PG",
        "prefix": "PG",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Detects when AI system operating behavior has drifted from its original approved intent specification, triggering human review before the drift becomes a material governance or compliance failure.",
        "threat": {
          "context": "AI systems that gradually expand their effective operating scope \u2014 through model updates, prompt evolution, or accumulating behavioral patterns \u2014 may diverge from their approved intent specification without any single change triggering a review, resulting in unacknowledged scope expansion and uncontrolled capability growth.",
          "tags": [
            "intent-drift",
            "scope-creep",
            "principal-accountability-gap"
          ]
        },
        "standard_references": [
          {
            "id": "nist_rmf",
            "section": "MEASURE 2.4",
            "title": "The functionality and behavior of the AI system and its components are monitored when in production"
          },
          {
            "id": "iso_42001",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_800_53",
            "section": "SI-7",
            "title": "Software, Firmware, and Information Integrity"
          },
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          }
        ],
        "sources": [
          {
            "id": "nist-rmf-measure-2-5-drift",
            "title": "NIST AI RMF MEASURE 2.5",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI RMF MEASURE 2.5 requirements informing the apeiris://authority/controls/PG-06 Operating Intent Drift Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-800-53-r5-si7",
            "title": "NIST SP 800-53 Rev. 5 \u2014 System and Information Integrity",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev. 5 \u2014 System and Information Integrity requirements informing the apeiris://authority/controls/PG-06 Operating Intent Drift Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-42001-2023-s9-1-drift",
            "title": "ISO/IEC 42001:2023 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 AI Management Systems requirements informing the apeiris://authority/controls/PG-06 Operating Intent Drift Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "internal-policy-intent-governance-006",
            "title": "Example adopter artifact \u2014 AI System Intent Governance Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PG-06 Operating Intent Drift Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PG-06 Operating Intent Drift Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PG-06 Operating Intent Drift Detection control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PG-06 Operating Intent Drift Detection control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Formalize the approved operating intent of each AI system into a machine-evaluable intent specification at deployment time, then continuously score behavioral telemetry against the specification to detect cumulative drift and trigger human review when drift thresholds are exceeded.",
          "steps": [
            "At deployment, author an intent specification for each AI system that formally defines its approved task scope, permitted action categories, and behavioral boundaries in a structured, version-controlled format",
            "Instrument behavioral telemetry collection to capture task categories, action types, and resource interactions for each AI system operation, enabling scoring against the intent specification",
            "Deploy a drift detection engine that computes rolling similarity scores between observed behavior distributions and the approved intent specification, generating review requests when cumulative drift exceeds the defined threshold"
          ],
          "anti_patterns": [
            "Relying on subjective human observation to detect intent drift rather than quantitative behavioral scoring against a formal specification",
            "Reviewing intent specifications only at major version releases rather than continuously against live behavioral telemetry"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that every in-scope production AI system has a current, version-controlled intent specification approved by the AI Governance Lead",
            "Confirm that the behavioral telemetry pipeline captures sufficient task category and action type granularity to support accurate drift scoring",
            "Validate that drift threshold values are documented, justified against the AI system's risk profile, and approved by the Chief Risk Officer"
          ],
          "runtime_tests": [
            "Introduce synthetic behavioral telemetry reflecting task categories outside the approved intent specification and verify that a drift alert is generated within the defined detection window",
            "Gradually introduce borderline behavioral patterns over multiple cycles and verify that cumulative drift scoring captures the pattern before the individual event threshold is crossed",
            "Confirm that a drift alert generates a human review request routed to the AI Governance Lead within the defined escalation window"
          ],
          "evidence": [
            "config: intent specification version-controlled repository with approval records and change history for all in-scope AI systems",
            "log: drift detection engine logs showing rolling similarity scores, drift events, and review request generation for the reporting period",
            "doc: drift threshold definition and justification documentation approved by Chief Risk Officer",
            "policy: AI-INT-POL-006 signed approval record and version history"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Intent drift detection provides legal assurance that AI systems are not expanding their operational scope beyond what was disclosed to regulators, counterparties, or customers at the time of deployment.",
            "actions": [
              "Confirm that intent specifications capture the AI system's disclosed purpose as represented in regulatory filings, customer agreements, and internal governance documents",
              "Establish a protocol for General Counsel review when material intent drift is detected, to assess disclosure and contractual implications",
              "Ensure drift event records are retained in a legally admissible format for use in regulatory inquiries"
            ],
            "failure_signals": [
              "AI systems have materially expanded their operational scope without triggering a governance review or external disclosure",
              "Intent specifications do not align with the system's disclosed purpose in customer-facing or regulatory documentation"
            ]
          },
          "cfo_procurement": {
            "summary": "Operating intent drift can create unanticipated cost exposure when AI systems expand their task scope beyond what was procured and budgeted, consuming additional compute, data, or third-party service capacity.",
            "actions": [
              "Include intent boundary enforcement as a requirement in AI system procurement contracts to ensure vendor accountability for scope containment",
              "Monitor intent drift alerts as a leading indicator of unbudgeted operational cost expansion"
            ],
            "failure_signals": [
              "AI system operational costs are exceeding budget forecasts due to undiscovered scope expansion detected only after cost overruns materialize",
              "Vendor-supplied AI systems are operating outside their contracted scope without triggering contractual remedies"
            ]
          },
          "risk_officer": {
            "summary": "Intent drift is a leading risk indicator for emerging AI capability risk, representing the divergence between what the AI system was approved to do and what it is actually doing.",
            "actions": [
              "Include intent drift rates and drift alert counts in the enterprise AI risk dashboard as leading indicators",
              "Define risk appetite thresholds for cumulative intent drift and integrate them with the drift detection engine's alert thresholds",
              "Require risk assessment reviews for AI systems that generate repeated drift alerts, to determine whether re-scoping or decommissioning is appropriate"
            ],
            "failure_signals": [
              "No intent drift metrics are included in the enterprise AI risk framework, leaving behavioral scope expansion untracked",
              "Repeated drift alerts for the same AI system are not triggering risk reviews or corrective action"
            ]
          },
          "grc_auditor": {
            "summary": "Intent drift detection provides auditors with a behavioral compliance trail demonstrating that AI systems are operating within their approved scope throughout the audit period.",
            "actions": [
              "Verify that all in-scope production AI systems have current, approved intent specifications with no expired or draft-only versions in active use",
              "Audit drift detection logs for the reporting period and verify that all drift alerts were actioned with documented human review outcomes",
              "Assess whether intent specification update processes are triggered by model updates, prompt changes, or scope amendments"
            ],
            "failure_signals": [
              "Production AI systems are operating without an approved intent specification or against an expired specification version",
              "Drift alerts are generated but not actioned, with no evidence of human review or risk acceptance"
            ],
            "metrics": [
              "Intent specification coverage: percentage of production AI systems with current, approved intent specifications",
              "Drift alert rate: number of intent drift alerts generated per AI system per reporting period",
              "Drift review completion rate: percentage of drift alerts resulting in documented human review outcomes within the defined SLA"
            ]
          },
          "board_governance": {
            "summary": "Operating intent drift detection provides the board with assurance that AI systems are not silently acquiring capabilities or scope beyond what was approved, protecting against undisclosed liability expansion.",
            "actions": [
              "Receive summary reporting on aggregate intent drift rates and material drift events as part of AI governance oversight",
              "Mandate that material intent drift events \u2014 where AI systems have operated significantly outside their approved scope \u2014 are escalated to the board"
            ],
            "failure_signals": [
              "The board has approved AI system deployments but has no visibility into whether those systems have drifted from their approved purpose",
              "Material intent drift events have not been disclosed to the board, creating fiduciary gaps"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "nist_rmf",
            "ref": "MEASURE 2.4",
            "title": "The functionality and behavior of the AI system and its components are monitored when in production",
            "normative_force": "voluntary-standard",
            "fit": "direct",
            "fit_rationale": "Continuous scoring of behavioral telemetry against an intent specification directly implements MEASURE 2.4 production monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Continuous scoring of behavioral telemetry against an intent specification directly implements MEASURE 2.4 production monitoring.",
            "requirement_id": "MEASURE 2.4 \u2014 The functionality and behavior of the AI system and its components are monitored when in production",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Continuous drift monitoring against the approved intent specification directly implements \u00a79.1 monitoring and evaluation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Continuous drift monitoring against the approved intent specification directly implements \u00a79.1 monitoring and evaluation.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "SI-7",
            "title": "Software, Firmware, and Information Integrity",
            "normative_force": "voluntary-standard",
            "fit": "adjacent",
            "fit_rationale": "SI-7 verifies software and information integrity, related to but distinct from behavioral intent-drift detection.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "SI-7 verifies software and information integrity, related to but distinct from behavioral intent-drift detection.",
            "requirement_id": "SI-7 \u2014 Software, Firmware, and Information Integrity",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Continuous behavioral drift monitoring directly implements \u00a79.1 monitoring and analysis.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Continuous behavioral drift monitoring directly implements \u00a79.1 monitoring and analysis.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "CloudTrail + AWS GuardDuty \u2014 Behavioral Anomaly Detection for Intent Drift",
            "rationale": "AWS CloudTrail anomaly detection combined with Amazon GuardDuty can identify behavioral patterns indicating AI agent operating intent drift. GuardDuty threat intelligence and ML-based anomaly detection identify unusual API call patterns that may indicate an agent has begun operating outside its declared intent boundaries.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "CloudTrail and GuardDuty anomaly detection flag unusual agent API patterns, partially indicating intent drift.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Behavior Detection + System Log \u2014 Sign-In Anomaly Signals for Intent Drift",
            "rationale": "Okta Behavior Detection evaluates sign-in context \u2014 new device, location, IP, and velocity anomalies \u2014 rather than token scope usage. Sign-in behavior signals for AI agent service identities, combined with Okta System Log queries over authorization events, give governance teams early indicators of out-of-pattern agent activity worth investigating for potential operating intent drift.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "Okta sign-in anomaly signals give indirect indicators of out-of-pattern agent activity, adjacent to behavioral intent-drift detection.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Azure AI Foundry Observability \u2014 Operating Intent Drift Monitoring",
            "rationale": "Azure AI Foundry Observability and model monitoring tools detect behavioral drift from declared operating intent in production AI deployments. Foundry's evaluation framework supports continuous comparison of production behavior against declared intent baselines, generating alerts when drift metrics exceed governance thresholds.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Foundry observability compares production behavior against declared intent baselines, partially implementing drift detection.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "AI Engineering",
          "Chief Risk Officer",
          "AI Governance Lead"
        ],
        "validation_objective": "Every in-scope production AI system must have a current, version-controlled intent specification approved by the AI Governance Lead, with the drift detection engine computing rolling similarity scores against behavioral telemetry on a continuous basis and generating a human review request when cumulative drift exceeds the documented and approved threshold.",
        "evidence_required": [
          "Intent specification version-controlled repository with approval records, change history, and current approved version for all in-scope production AI systems, with no draft-only or expired specifications in active use",
          "Drift detection engine logs for the reporting period showing rolling similarity scores, drift threshold breach events, and review request generation with routing confirmation to the AI Governance Lead",
          "Drift threshold definition and justification document for each AI system approved by the Chief Risk Officer, with threshold calibration rationale tied to the system's risk profile",
          "Human review outcome records for all drift alerts actioned in the reporting period, including disposition (accepted with risk acceptance, remediated, or re-scoped with intent specification update)"
        ],
        "machine_tests": [
          "Introduce synthetic behavioral telemetry reflecting task categories explicitly outside the approved intent specification \u2192 assert a drift alert is generated within the defined detection window with the correct AI system identifier and drift score",
          "Inject borderline behavioral patterns incrementally across multiple evaluation cycles \u2192 assert cumulative drift scoring captures the aggregate pattern and triggers a review request before any single event individually crosses the threshold",
          "Submit a drift alert to the routing layer \u2192 assert a review request record is created and routed to the AI Governance Lead within the defined escalation window with required context fields populated",
          "Query all in-scope production AI systems against the intent specification repository \u2192 assert every system resolves to a current, non-expired approved specification with no systems referencing draft or archived versions"
        ],
        "human_review": [
          "Review a sample of intent specifications to confirm they accurately capture each AI system's disclosed purpose as represented in deployment approvals, regulatory filings, and customer agreements, with no undisclosed capability scope elements present",
          "Assess whether drift threshold values are appropriately calibrated for each AI system's risk profile, with more conservative thresholds set for systems operating in high-consequence or regulated domains",
          "Verify that intent specification update processes are consistently triggered by model updates, prompt changes, agentic capability additions, or integration scope changes that could alter the system's effective operating scope"
        ],
        "blocking_effect": "requires-review",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Relying on subjective human observation to detect intent drift rather than quantitative behavioral scoring against a formal intent specification, making detection dependent on reviewer awareness rather than systematic measurement",
          "Reviewing intent specifications only at major model version releases rather than continuously comparing live behavioral telemetry against the current approved specification",
          "Maintaining intent specifications as unstructured prose documents rather than structured, machine-evaluable formats that enable automated drift scoring",
          "Applying the same drift sensitivity threshold to all AI systems regardless of risk profile, treating high-consequence systems with the same tolerance as low-risk ones",
          "Closing drift alerts with a risk acceptance disposition without updating the intent specification, allowing the approved specification to permanently diverge from observed behavior and rendering subsequent drift scores meaningless"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PG"
      },
      {
        "id": "PG-07",
        "name": "Policy Governance Reporting",
        "canonical_id": "apeiris://authority/controls/PG-07",
        "layer": "PG",
        "prefix": "PG",
        "plane": "data",
        "capability_risk": {
          "capability_level": "low"
        },
        "baseline": false,
        "plain": "Aggregates policy governance metrics, adherence trends, and incident summaries into structured reports for leadership, audit committees, and regulatory stakeholders to enable informed governance decisions.",
        "threat": {
          "context": "Without structured governance reporting, leadership and boards cannot assess the cumulative state of AI policy compliance, creating accountability gaps and preventing risk-informed decisions about AI system governance investments and risk appetite calibration.",
          "tags": [
            "principal-accountability-gap",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 18",
            "title": "Leverages information and technology"
          },
          {
            "id": "coso_erm",
            "section": "Principle 20",
            "title": "Reports on risk, culture, and performance"
          },
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "oecd_cg",
            "section": "V.D",
            "title": "Board responsibilities \u2014 key functions (oversight, accountability, and disclosure)"
          }
        ],
        "sources": [
          {
            "id": "coso-erm-2017-p18-p20",
            "title": "COSO Enterprise Risk Management Framework 2017",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO Enterprise Risk Management Framework 2017 requirements informing the apeiris://authority/controls/PG-07 Policy Governance Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-37301-2021-s9-reporting",
            "title": "ISO 37301:2021 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 Compliance Management Systems requirements informing the apeiris://authority/controls/PG-07 Policy Governance Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "oecd-cg-2023-vi-d",
            "title": "G20/OECD Principles of Corporate Governance 2023",
            "authority": "Organisation for Economic Co-operation and Development",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "2023",
            "published_on": "2023-09-11",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.oecd.org/en/publications/2023/09/g20-oecd-principles-of-corporate-governance-2023_60836fcb.html",
            "license": "open-access",
            "status": "current",
            "flagship": false,
            "source_id": "oecd_cg",
            "relationship": "implementation_pattern",
            "rationale": "Establishes OECD Principles of Corporate Governance 2023 requirements informing the apeiris://authority/controls/PG-07 Policy Governance Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "internal-policy-governance-reporting-007",
            "title": "Example adopter artifact \u2014 AI Governance Reporting Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PG-07 Policy Governance Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PG-07 Policy Governance Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PG-07 Policy Governance Reporting control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Aggregate monitoring telemetry, incident records, and policy evaluation metrics from all PG controls into a structured governance reporting pipeline that produces quarterly management summaries and event-driven escalation reports on a defined schedule.",
          "steps": [
            "Define report templates for each audience tier \u2014 executive management, audit committee, board \u2014 specifying the required metrics, incident summaries, trend indicators, and corrective action status fields for each",
            "Build a reporting pipeline that aggregates data from the policy evaluation engine, incident management system, authority ledger, and drift detection engine into a normalized data model for each reporting period",
            "Automate report generation on the defined schedule with distribution to designated recipients, and implement event-driven supplemental reports for material incidents above the defined severity threshold"
          ],
          "anti_patterns": [
            "Producing governance reports as manual spreadsheet compilations without a defined data pipeline, creating inconsistency and reconciliation burden",
            "Distributing identical reports to all audience tiers without tailoring content to the governance decision context of each audience"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that report templates are defined and approved for each audience tier and that metric definitions are consistently applied across all reporting periods",
            "Confirm that the reporting pipeline sources data from all active PG monitoring controls with no manual data entry points that could introduce transcription errors",
            "Validate that distribution lists, report schedules, and submission deadlines are documented and aligned with audit committee and board meeting calendars"
          ],
          "runtime_tests": [
            "Generate a quarterly governance report and verify that all defined metric fields are populated with data sourced from the correct upstream control systems",
            "Simulate a material Severity 1 incident and verify that an event-driven supplemental report is generated and distributed to the correct recipients within the defined escalation window",
            "Verify that the reporting pipeline produces consistent metric values when run against the same underlying data set, confirming reproducibility"
          ],
          "evidence": [
            "doc: approved report templates for each audience tier with documented metric definitions and data source mappings",
            "log: report generation logs showing scheduled and event-driven report production and distribution timestamps for the reporting period",
            "policy: AI-RPT-POL-007 signed approval record and version history",
            "authority: audit committee submission records confirming receipt of quarterly governance reports within the defined deadline"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Structured governance reporting creates a documented record of AI policy oversight activities that supports regulatory inquiries, demonstrates board engagement, and evidences the organization's compliance program effectiveness.",
            "actions": [
              "Review governance report templates to ensure that incident disclosures and corrective action language are legally reviewed before distribution",
              "Confirm that governance reports are retained with appropriate access controls and that their distribution is logged for discovery purposes",
              "Advise on the appropriate level of detail for board and audit committee reports to balance governance transparency with legal risk management"
            ],
            "failure_signals": [
              "Governance reports contain unvetted legal characterizations of incidents or violations that could be used adversarially in regulatory or litigation contexts",
              "No retention policy governs governance report archives, creating discovery risk"
            ]
          },
          "cfo_procurement": {
            "summary": "Policy governance reports provide financial leadership with the structured visibility needed to make informed investment decisions about AI governance controls and risk remediation.",
            "actions": [
              "Use governance report metrics to justify budget allocations for AI monitoring infrastructure and compliance program investments",
              "Require that governance reports include a cost-of-compliance-failures section that quantifies remediation costs from detected policy incidents"
            ],
            "failure_signals": [
              "AI governance budget requests cannot be substantiated with data-driven evidence from governance reports",
              "The financial cost of AI policy incidents is not tracked or reported, preventing cost-benefit analysis of control investments"
            ]
          },
          "risk_officer": {
            "summary": "Policy governance reporting consolidates the risk signals from all PG monitoring controls into a unified risk picture, enabling risk management to assess cumulative AI governance risk posture and report to the enterprise risk framework.",
            "actions": [
              "Integrate AI governance report metrics into the enterprise risk register and risk committee reporting cycle",
              "Define risk thresholds for each governance metric that trigger risk register updates or escalation when breached",
              "Use trend analysis from governance reports to inform AI risk appetite calibration and control investment priorities"
            ],
            "failure_signals": [
              "AI governance metrics are reported in isolation without integration into the enterprise risk management framework",
              "Governance report trends show deteriorating policy adherence but risk appetite and control investment decisions are not updated in response"
            ]
          },
          "grc_auditor": {
            "summary": "Governance reporting provides the structured, aggregated evidence base for AI compliance audits, enabling auditors to assess program effectiveness across all PG controls in a single review cycle.",
            "actions": [
              "Audit the completeness and accuracy of governance reports against underlying data sources for at least one reporting period per audit cycle",
              "Verify that governance reports are produced on schedule and submitted to the audit committee within the defined deadline",
              "Assess whether report metrics are sufficient to evaluate the effectiveness of all active PG monitoring controls"
            ],
            "failure_signals": [
              "Governance reports cannot be reconciled against underlying monitoring system data, indicating potential data integrity issues in the reporting pipeline",
              "Reports are consistently produced late or with missing metric fields, indicating a reporting process breakdown"
            ],
            "metrics": [
              "Report delivery timeliness: percentage of scheduled governance reports delivered within the defined deadline across all audience tiers",
              "Metric completeness rate: percentage of defined report metric fields populated with verified data in each reporting period",
              "Corrective action closure rate: percentage of corrective actions listed in governance reports closed within their defined target dates"
            ]
          },
          "board_governance": {
            "summary": "Structured AI policy governance reporting is the primary mechanism through which the board exercises its oversight obligation over AI risk, enabling informed decisions about risk appetite and governance investment.",
            "actions": [
              "Receive and review quarterly AI governance reports at the audit committee level, with material incidents and trend deteriorations escalated to the full board",
              "Confirm that governance report content is sufficient to enable the board to assess whether AI risk is being managed within its stated risk appetite",
              "Mandate management responses to governance reports that identify systemic policy adherence failures"
            ],
            "failure_signals": [
              "The board is not receiving structured AI governance reports, leaving AI risk ungoverned at the board level",
              "Governance reports are received but not actioned by the board, indicating a governance engagement failure"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 18",
            "title": "Leverages information and technology",
            "principle_number": 18,
            "component_name": "Information, Communication, and Reporting",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "Automated governance reporting uses technology but is not the information-and-technology leverage Principle 18 broadly addresses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Automated governance reporting uses technology but is not the information-and-technology leverage Principle 18 broadly addresses.",
            "requirement_id": "Principle 18 \u2014 Leverages information and technology",
            "relation": "informs"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Aggregating adherence metrics into reports supports \u00a79.1 analysis and evaluation, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Aggregating adherence metrics into reports supports \u00a79.1 analysis and evaluation, partially.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "oecd_cg",
            "ref": "V.D",
            "title": "Board responsibilities \u2014 key functions (oversight, accountability, and disclosure)",
            "normative_force": "voluntary-standard",
            "source_version": "2023",
            "fit": "partial",
            "fit_rationale": "Structured board and audit-committee governance reports support the oversight and disclosure functions OECD V.D describes, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Structured board and audit-committee governance reports support the oversight and disclosure functions OECD V.D describes, partially.",
            "requirement_id": "V.D \u2014 Board responsibilities \u2014 key functions (oversight, accountability, and disclosure)",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Security Hub + Audit Manager \u2014 Policy Governance Reports",
            "rationale": "AWS Security Hub generates policy governance reports with compliance posture summaries and trend analysis across the organizational hierarchy. Audit Manager produces structured governance reports mapping compliance evidence to framework requirements, providing the documentation needed for board-level policy governance reporting and regulatory submission.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Security Hub and Audit Manager generate compliance-posture governance reports, partially implementing policy governance reporting.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Organization Policy + Cloud Asset Inventory \u2014 Governance Reporting",
            "rationale": "The Organization Policy console page lists the constraints in force at each hierarchy node, and Cloud Asset Inventory's AnalyzeOrgPolicies API makes constraint coverage queryable for integration into enterprise governance reporting workflows; Security Command Center adds violation findings. Together these support automated policy governance report generation aligned to defined reporting cadences \u2014 there is no single built-in 'Organization Policy compliance dashboard.'",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Constraint-coverage queries plus SCC findings support automated governance report generation, partially implementing PG-07.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Purview + Azure Policy Compliance Reports \u2014 AI Governance Reporting",
            "rationale": "Microsoft Purview Compliance Manager and Azure Policy compliance reports provide structured governance reporting for AI workload policy adherence. Purview's assessment reporting capabilities generate regulation-specific compliance scorecards, and Azure Policy's compliance reports provide control-level adherence evidence suitable for governance committee and board reporting.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Purview and Azure Policy compliance reports provide control-level adherence evidence for governance reporting, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "public-company-governance"
        ],
        "implementers": [
          "Chief Risk Officer",
          "Compliance Officer",
          "Board Secretary"
        ],
        "validation_objective": "Policy governance reports must be generated on the defined schedule for all audience tiers (executive management, audit committee, board), with every defined metric field populated from verified upstream data sources. Distribution logs must confirm delivery within the deadline for each audience.",
        "evidence_required": [
          "governance_report_package containing report templates per audience tier, populated metric fields, and data-source mappings for each reporting period",
          "report_distribution_log showing recipient, delivery timestamp, and report version for each scheduled and event-driven governance report",
          "reporting_pipeline_audit_trail confirming each metric value was sourced from the canonical upstream control system with no manual entry points",
          "audit_committee_submission_record confirming receipt of quarterly governance reports within the defined deadline",
          "event_driven_report_log showing supplemental reports triggered by material incidents above the defined severity threshold with generation-to-delivery elapsed time"
        ],
        "machine_tests": [
          "Execute reporting pipeline against the previous quarter data set \u2192 assert all defined metric fields are populated and no null values appear in required columns",
          "Inject a synthetic Severity 1 incident into the incident management system \u2192 assert an event-driven supplemental report is generated and distributed within the defined escalation window",
          "Run the reporting pipeline twice against the same underlying data set \u2192 assert metric values are identical across both runs, confirming reproducibility",
          "Query distribution log for the most recent reporting cycle \u2192 assert all defined audience tiers appear with delivery timestamps within the scheduled deadline"
        ],
        "human_review": [
          "Verify that report templates for each audience tier have been formally approved and that metric definitions are documented and consistently applied across reporting periods",
          "Assess whether the aggregated governance metrics are sufficient to allow the board and audit committee to evaluate AI risk posture within the stated risk appetite",
          "Review the corrective action section of the most recent governance report and confirm that open items have accountable owners and defined target closure dates"
        ],
        "blocking_effect": "advisory",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Compiling governance reports as manual spreadsheet aggregations from multiple disconnected sources, introducing transcription errors and preventing reproducibility",
          "Distributing identical reports to all audience tiers without tailoring content to each audience's governance decision context and accountability level",
          "Generating governance reports on an ad-hoc basis rather than on a defined, board-calendar-aligned schedule, creating gaps in the documented oversight record",
          "Populating report metric fields with estimates or manually adjusted values when upstream data is unavailable, masking actual control failure signals",
          "Failing to produce event-driven supplemental reports for material incidents, leaving the audit committee and board unaware of significant AI policy failures between quarterly cycles"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PG"
      },
      {
        "id": "PG-08",
        "name": "Lessons Learned and Policy Improvement",
        "canonical_id": "apeiris://authority/controls/PG-08",
        "layer": "PG",
        "prefix": "PG",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Captures structured lessons from AI policy incidents and near-misses to drive systematic improvement of authority policies and AI governance frameworks, closing root-cause gaps before they generate repeat failures.",
        "threat": {
          "context": "Organizations that resolve AI policy incidents without formalizing lessons learned are condemned to repeat the same failures, as root causes remain embedded in policy design, system configuration, or process gaps that no improvement cycle has been initiated to address.",
          "tags": [
            "internal-policy-violation",
            "intent-drift",
            "scope-creep"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a710.1",
            "title": "Continual improvement"
          },
          {
            "id": "iso_42001",
            "section": "\u00a710.1",
            "title": "Continual improvement"
          },
          {
            "id": "nist_rmf",
            "section": "MANAGE 4.1",
            "title": "Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management"
          },
          {
            "id": "coso_erm",
            "section": "Principle 20",
            "title": "Reports on risk, culture, and performance"
          }
        ],
        "sources": [
          {
            "id": "iso-37301-2021-s10-1",
            "title": "ISO 37301:2021 Compliance Management Systems",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 Compliance Management Systems requirements informing the apeiris://authority/controls/PG-08 Lessons Learned and Policy Improvement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-42001-2023-s10-1",
            "title": "ISO/IEC 42001:2023 AI Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 AI Management Systems requirements informing the apeiris://authority/controls/PG-08 Lessons Learned and Policy Improvement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-rmf-manage-4-1",
            "title": "NIST AI RMF MANAGE 4.1",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI RMF MANAGE 4.1 (post-deployment monitoring, feedback capture, and change management) requirements informing the apeiris://authority/controls/PG-08 Lessons Learned and Policy Improvement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "internal-policy-lessons-learned-008",
            "title": "Example adopter artifact \u2014 AI Governance Continuous Improvement Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PG-08 Lessons Learned and Policy Improvement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PG-08 Lessons Learned and Policy Improvement control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PG-08 Lessons Learned and Policy Improvement control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Establish a structured lessons-learned process triggered by incident closure that extracts root causes, maps them to policy or control gaps, proposes improvement actions, assigns owners with deadlines, and tracks implementation through to verified effectiveness.",
          "steps": [
            "Within the incident management workflow, embed a mandatory lessons-learned template that captures root cause analysis, contributing factors, policy or control gaps identified, and proposed improvement actions with assigned owners and target completion dates",
            "Maintain an improvement action register that tracks all open improvement actions from lessons learned across all incident tiers, with status updates required from owners on a monthly basis",
            "Schedule quarterly policy and control review sessions where the AI Governance Lead and Compliance Officer assess completed improvement actions for effectiveness and incorporate validated improvements into the policy and control framework"
          ],
          "anti_patterns": [
            "Treating the lessons-learned template as a bureaucratic checkbox filled after incident closure without genuine root cause investigation",
            "Completing improvement actions on paper without verifying that the implemented changes actually address the root cause in the live system environment"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that the incident management workflow enforces mandatory lessons-learned completion before incident closure for Severity 1 and 2 incidents",
            "Confirm that the improvement action register tracks all open actions with defined owners, deadlines, and status, and is reviewed at each governance cycle",
            "Validate that the quarterly policy review process includes a structured assessment of improvement action effectiveness with documented outcomes"
          ],
          "runtime_tests": [
            "Close a Severity 1 test incident and verify that the lessons-learned template is triggered and cannot be bypassed before closure is permitted",
            "Verify that improvement actions in the register that have passed their target completion dates generate escalation alerts to the AI Governance Lead",
            "Select a recently implemented improvement action and test whether the root cause condition that generated the original incident can still be reproduced, confirming effectiveness verification"
          ],
          "evidence": [
            "doc: completed lessons-learned records for all Severity 1 and 2 incidents in the reporting period, including root cause analysis and improvement actions",
            "log: improvement action register showing all open and closed actions with owner, status, and completion date for the trailing 12 months",
            "policy: AI-CI-POL-008 signed approval record and version history",
            "test: effectiveness verification records for improvement actions completed in the reporting period, confirming that root cause conditions are no longer reproducible"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "A structured lessons-learned process demonstrates that the organization responds to AI policy failures with genuine corrective intent, supporting a defense of good faith compliance effort in regulatory and litigation contexts.",
            "actions": [
              "Confirm that lessons-learned records are created under conditions that preserve legal privilege where appropriate, particularly for Severity 1 incidents with regulatory exposure",
              "Review improvement action plans for Severity 1 incidents before they are distributed to external parties to ensure appropriate legal characterization",
              "Advise on lessons-learned record retention periods and access controls consistent with litigation hold obligations"
            ],
            "failure_signals": [
              "Lessons-learned records for material incidents are distributed without legal review, creating adversarial exposure",
              "No improvement actions have been completed for prior Severity 1 incidents, undermining the organization's good faith compliance defense"
            ]
          },
          "cfo_procurement": {
            "summary": "Lessons-learned processes reduce the total cost of AI governance by systematically eliminating root causes that generate repeat incidents, each of which carries remediation, legal, and reputational cost.",
            "actions": [
              "Require that improvement action plans include an estimated cost-benefit analysis to justify investment prioritization",
              "Track the repeat incident rate as a financial efficiency metric \u2014 a declining rate indicates that lessons-learned investments are generating returns"
            ],
            "failure_signals": [
              "The organization is experiencing repeat AI policy incidents with the same root cause, indicating that lessons-learned investments are not generating cost reduction",
              "Improvement action budgets are not allocated, stalling corrective actions that would reduce future incident costs"
            ]
          },
          "risk_officer": {
            "summary": "Lessons learned and policy improvement close the feedback loop in the risk management cycle, translating incident experience into systematic risk reduction that reduces forward-looking AI governance risk exposure.",
            "actions": [
              "Integrate the improvement action register with the enterprise risk management framework so that open actions are tracked as risk treatment items",
              "Define risk reduction targets for improvement actions associated with high-severity incidents and track progress against those targets",
              "Include the improvement action completion rate and repeat incident rate in enterprise AI risk reporting as indicators of risk management system effectiveness"
            ],
            "failure_signals": [
              "The improvement action register has a high proportion of overdue actions, indicating that risk treatment is stalling",
              "Repeat incidents continue to occur for root causes that have open, unimplemented improvement actions"
            ]
          },
          "grc_auditor": {
            "summary": "The lessons-learned process provides auditors with evidence of a functioning improvement cycle \u2014 the most direct indicator that an AI governance program is maturing rather than stagnating at initial control maturity.",
            "actions": [
              "Audit the lessons-learned record completeness for all Severity 1 and 2 incidents in the audit period, verifying root cause analysis quality and action completeness",
              "Trace a sample of improvement actions from root cause through to effectiveness verification to confirm the full cycle is functioning",
              "Assess the repeat incident rate as a primary indicator of lessons-learned process effectiveness"
            ],
            "failure_signals": [
              "Lessons-learned records are incomplete, boilerplate, or missing for material incidents, indicating the process is not functioning",
              "Effectiveness verification has not been conducted for completed improvement actions, preventing confirmation that root causes have been addressed"
            ],
            "metrics": [
              "Lessons-learned completion rate: percentage of Severity 1 and 2 incidents with completed root cause analysis and improvement action plan within the 30-day SLA",
              "Improvement action on-time completion rate: percentage of improvement actions completed within their target dates",
              "Repeat incident rate: percentage of incidents in the reporting period sharing a root cause with a prior incident in the trailing 90-day period"
            ]
          },
          "board_governance": {
            "summary": "A functioning lessons-learned and improvement cycle is the most direct evidence that AI governance is a living, maturing program rather than a static control inventory, supporting board confidence in management's AI oversight commitment.",
            "actions": [
              "Receive annual summary reporting on improvement cycle effectiveness, including improvement action completion rates and repeat incident trend data",
              "Confirm that material lessons from Severity 1 incidents are reflected in updated AI governance policies within the defined improvement cycle"
            ],
            "failure_signals": [
              "The board cannot point to specific governance improvements that resulted from AI policy incidents, indicating the improvement cycle is not producing outcomes",
              "Repeat incidents continue to occur at similar rates year over year, indicating that the lessons-learned process is not driving systematic risk reduction"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a710.1",
            "title": "Continual improvement",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Capturing root causes and driving versioned policy improvement from incidents directly implements \u00a710.1 continual improvement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Capturing root causes and driving versioned policy improvement from incidents directly implements \u00a710.1 continual improvement.",
            "requirement_id": "\u00a710.1 \u2014 Continual improvement",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a710.1",
            "title": "Continual improvement",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "The structured lessons-learned-to-policy-update cycle directly implements \u00a710.1 continual improvement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "The structured lessons-learned-to-policy-update cycle directly implements \u00a710.1 continual improvement.",
            "requirement_id": "\u00a710.1 \u2014 Continual improvement",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MANAGE 4.1",
            "title": "Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Lessons-learned closing root-cause gaps partially implements MANAGE 4.1 post-incident change management.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Lessons-learned closing root-cause gaps partially implements MANAGE 4.1 post-incident change management.",
            "requirement_id": "MANAGE 4.1 \u2014 Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management",
            "relation": "equivalent_to"
          },
          {
            "framework": "coso_erm",
            "ref": "Principle 20",
            "title": "Reports on risk, culture, and performance",
            "principle_number": 20,
            "component_name": "Information, Communication, and Reporting",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "Lessons-learned records drive improvement, only loosely related to Principle 20's risk, culture, and performance reporting.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Lessons-learned records drive improvement, only loosely related to Principle 20's risk, culture, and performance reporting.",
            "requirement_id": "Principle 20 \u2014 Reports on risk, culture, and performance",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Security Hub Findings History \u2014 Policy Improvement Input",
            "rationale": "AWS Security Hub findings history and AWS Config rule change history provide structured, time-series input for AI governance policy improvement cycles. Security Hub's trending and benchmark features identify recurring policy adherence patterns, enabling data-driven identification of policy gaps that warrant improvement in the next governance cycle.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Security Hub findings and Config history provide time-series input identifying recurring gaps, partially supporting improvement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud IAM Recommender \u2014 Least-Privilege Policy Improvement Recommendations",
            "rationale": "IAM Recommender analyzes actual access patterns and recommends removing over-broad permissions, providing evidence-based, actionable input to the lessons-learned process for tightening policy. (Recommendations are produced by IAM Recommender; Policy Analyzer answers access queries and does not generate improvement suggestions.)",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "IAM Recommender's least-privilege recommendations give evidence-based input to policy tightening, partially supporting improvement.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Transparency Report \u2014 Systematic Lessons Learned",
            "rationale": "Microsoft's annual Responsible AI Transparency Report systematically captures lessons learned from responsible AI incidents, red team findings, and governance program improvements. The report's structured disclosure of improvement actions and new capabilities provides a public model for lessons learned documentation that organizations can adapt for their own AI governance policy improvement cycles.",
            "normative_force": "best-practice",
            "fit": "supporting",
            "fit_rationale": "Microsoft's public RAI transparency report is a reference model for structured lessons-learned disclosure, providing pattern context only.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "AI Governance Lead",
          "Compliance Officer",
          "Chief Risk Officer"
        ],
        "validation_objective": "Every AI policy incident and near-miss must generate a structured lessons-learned record that identifies the root cause, the policy gap exploited, and a documented improvement action with an assigned owner and target closure date. The improvement cycle must be confirmed closed in the policy registry before the control is considered passing.",
        "evidence_required": [
          "lessons_learned_record for each qualifying incident containing root_cause, policy_gap_reference, improvement_action, assigned_owner, and target_closure_date fields",
          "policy_improvement_log confirming that each improvement action triggered a versioned policy update or documented risk-acceptance decision with sign-off",
          "incident_classification_record distinguishing incidents requiring formal lessons-learned review from those below threshold, with classification rationale",
          "policy_registry_update_record showing the policy version that incorporated each improvement action, with before-and-after change diff and approver identity",
          "improvement_cycle_closure_record confirming that each open improvement action was closed within its target date or escalated with documented justification for extension"
        ],
        "machine_tests": [
          "Query incident management system for incidents closed in the last quarter without a linked lessons_learned_record \u2192 assert count is zero",
          "For each lessons_learned_record, verify that a policy_registry_update_record exists with a matching improvement_action_id and a version timestamp after the record creation date \u2192 assert all records are linked",
          "Inject a synthetic near-miss incident above the defined threshold \u2192 assert a lessons_learned_record with all required fields is created and assigned within the defined SLA",
          "Query improvement_cycle_closure_records \u2192 assert no open improvement action has exceeded its target_closure_date without a documented escalation and extension approval"
        ],
        "human_review": [
          "Review a sample of lessons-learned records to assess whether root cause analysis is substantive and specific to the policy gap, not superficial or generic",
          "Evaluate whether documented improvement actions are proportionate to the root cause identified and whether implemented policy changes meaningfully close the identified gap",
          "Verify that the lessons-learned review process includes cross-functional participation from policy owners, risk management, and affected system operators"
        ],
        "blocking_effect": "requires-review",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Closing policy incidents in the incident management system without triggering a formal lessons-learned review, allowing root causes to persist unaddressed",
          "Recording lessons-learned as narrative summaries without structured fields for root cause, policy gap reference, improvement action, and closure date, preventing systematic tracking",
          "Documenting improvement actions that restate the incident symptoms rather than addressing the underlying policy design or process gap",
          "Assigning improvement actions without a named accountable owner and a defined target closure date, creating improvement debt with no accountability mechanism",
          "Treating every minor deviation as requiring a full lessons-learned cycle while failing to distinguish material incidents and near-misses that warrant formal review from low-impact operational variances"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PG"
      },
      {
        "id": "PG-09",
        "name": "Policy Governance Layer Evidence Package",
        "canonical_id": "apeiris://authority/controls/PG-09",
        "layer": "PG",
        "prefix": "PG",
        "plane": "data",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Compile a structured policy governance layer evidence package on a quarterly basis, consolidating artifacts from PG-01 through PG-08 to demonstrate that policy incident records, lessons-learned reviews, and improvement cycles are documented and closed-loop. The package is a required input to the PE-08 PolicyAttestation production process.",
        "threat": {
          "context": "Without periodic structured compilation of policy governance layer evidence, the PolicyAttestation (PE-08) rests on unverified assertions from individual controls rather than compiled, reviewed, and signed layer evidence. Layer-level coverage deficiencies are only visible through compilation.",
          "tags": [
            "governance-evidence-gap",
            "attestation-unverifiable",
            "compliance-deficit"
          ]
        },
        "standard_references": [
          {
            "id": "iso_42001",
            "section": "\u00a7 9.3",
            "title": "Management review of AI governance system at planned intervals"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.5",
            "title": "Ongoing monitoring and periodic review of the risk management process and its outcomes are planned"
          },
          {
            "id": "eu_ai_act",
            "section": "Art. 17",
            "title": "Quality management system for high-risk AI"
          }
        ],
        "sources": [
          {
            "id": "iso-iec-42001-2023",
            "title": "ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": true,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO/IEC 42001:2023 \u2014 Artificial Intelligence Management System requirements informing the apeiris://authority/controls/PG-09 Policy Governance Layer Evidence Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "nist-ai-rmf-1.0",
            "title": "NIST Artificial Intelligence Risk Management Framework 1.0",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST Artificial Intelligence Risk Management Framework 1.0 requirements informing the apeiris://authority/controls/PG-09 Policy Governance Layer Evidence Package control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Define a quarterly evidence compilation process for the Policy Governance layer. Collect required artifacts from PG-01 through PG-08. Review for completeness, currency, and identified gaps. Produce a signed evidence package and submit it as input to the PE-08 PolicyAttestation production cycle.",
          "steps": [
            "Define the PG-layer evidence package schema: required_artifacts[], acceptance_criteria[], gap_register, package_owner, and review_signatories.",
            "For each control in PG-01 through PG-08, define specific required evidence artifacts and freshness criteria.",
            "Compile artifacts quarterly: generate or collect required evidence and stage for structured review.",
            "Conduct a review session to evaluate completeness, identify gaps, and assign remediation owners with deadlines.",
            "Produce a signed policy governance layer evidence package with an overall verdict and submit it as input to PE-08 PolicyAttestation.",
            "Retain the package as an immutable record for the period required by applicable regulations and internal policy."
          ],
          "anti_patterns": [
            "Treating PE-08 attestation as a substitute for per-layer evidence compilation.",
            "Compiling evidence only when an audit or regulatory inquiry is pending rather than on a recurring quarterly cycle."
          ]
        },
        "validation": {
          "design_checks": [
            "Confirm that a PG-layer evidence package schema exists with defined required artifacts for each control in PG-01 through PG-08.",
            "Verify that a quarterly compilation schedule is established with named package owners and review signatories.",
            "Check that the evidence package output format is accepted as input to PE-08 attestation production."
          ],
          "runtime_tests": [
            "Verify a completed evidence package was produced in the most recent quarter with all required artifacts present.",
            "Confirm that a gap register exists and identified gaps have assigned owners and remediation deadlines.",
            "Confirm the package is signed and retained in the tamper-evident record store."
          ],
          "evidence": [
            "Signed policy governance layer evidence package for each of the four most recent quarters.",
            "Gap registers with assigned owners and remediation deadlines for any identified deficiencies.",
            "Submission record linking the package to the PE-08 attestation production cycle."
          ]
        },
        "lenses": {
          "grc_auditor": {
            "summary": "The PG-09 evidence package is the audit-ready artifact for the Policy Governance layer.",
            "actions": [
              "Request the four most recent PG-layer evidence packages and review for completeness.",
              "Verify that gap registers from prior quarters have remediation outcomes documented.",
              "Confirm the package submission record links to PE-08 attestation inputs."
            ],
            "failure_signals": [
              "Missing PG-layer evidence packages for any quarter in the audit period.",
              "Gap registers with items open for more than two consecutive quarters without documented remediation plans.",
              "Evidence packages that are unsigned or not retained in the tamper-evident record store."
            ],
            "metrics": [
              "Package completeness rate: all required artifacts present in each quarterly package (target: 100%).",
              "Gap remediation rate: all prior-quarter gaps have documented outcomes before current quarter package.",
              "Package timeliness: submitted to PE-08 attestation cycle within 10 business days of quarter end."
            ]
          },
          "general_counsel": {
            "summary": "The PG-09 package is the defensibility record for the Policy Governance layer: when a regulator, counterparty, or court asks whether the organization's policy adherence, authority limit, and obligation compliance monitoring controls were operating, the quarterly package is the evidence the organization produces.",
            "actions": [
              "Confirm the package format and retention period satisfy the evidentiary requirements of applicable law and contractual audit rights before the first submission cycle.",
              "Review each quarterly package for gaps in PG-01 through PG-08 evidence that could undermine a future regulatory or litigation position.",
              "Verify that the package is signed by an identified accountable owner whose authority to certify the layer can be demonstrated."
            ],
            "failure_signals": [
              "A regulator or counterparty request for layer evidence that cannot be answered from a compiled, signed package.",
              "Packages whose contents conflict with representations previously made in disclosures or contract certifications.",
              "Retention lapses that leave quarters within the evidentiary period unrecoverable."
            ]
          },
          "cfo_procurement": {
            "summary": "The PG-09 package converts Policy Governance layer control operation into a periodic, reviewable deliverable \u2014 the artifact that lets finance and procurement rely on the layer without re-auditing individual controls each quarter.",
            "actions": [
              "Fund the compilation process as a recurring governance obligation rather than an ad hoc audit response.",
              "Require the package (or its gap register) as an input to renewal, budget, and vendor decisions that depend on policy adherence, authority limit, and obligation compliance monitoring controls operating.",
              "Track the cost of gap remediation surfaced by the package to prioritize control investment."
            ],
            "failure_signals": [
              "Business decisions that assume the layer is operating when the most recent package shows open gaps.",
              "Compilation effort repeatedly funded from audit contingency rather than the governance budget.",
              "Vendor or renewal approvals proceeding in quarters with missing packages."
            ]
          },
          "risk_officer": {
            "summary": "The PG-09 package tells the risk function whether the governance system itself is working: whether policy incidents are recorded, reviewed for lessons, and closed with a change that prevents recurrence. Its gap register is the layer's meta-risk view, exposing incidents with no lessons-learned review and improvement cycles that were opened but never closed. A governance layer that does not learn is the exposure this package exists to catch.",
            "actions": [
              "Verify that every policy incident in the quarter has a completed lessons-learned review and a resulting change, and log open loops as governance-effectiveness exposures.",
              "Track the time from incident to closed improvement cycle; a lengthening interval signals a governance function falling behind its own findings.",
              "Confirm the CRO sign-off and the package integrity hash are present, since this layer's own evidence must be tamper-evident to be trusted upward.",
              "Escalate recurring incident themes that reappear across quarters despite prior remediation as evidence the improvement cycle is not closing the loop."
            ]
          },
          "board_governance": {
            "summary": "The PG-09 package is the board's evidence that the AI policy program is self-correcting: that incidents produce lessons, lessons produce change, and the loop is documented and signed. Because it carries the Chief Risk Officer sign-off and an integrity hash, it is the layer the board can most directly rely on when it stands behind the PolicyAttestation.",
            "actions": [
              "Ask whether every policy incident this quarter closed with a concrete change, and review any that remain open.",
              "Look for repeat incident themes across quarters as a direct measure of whether governance improvement is real.",
              "Confirm the package carries CRO sign-off and a verified integrity hash before treating it as reliable board evidence.",
              "Use the closed-loop trend across all five authority-layer packages to judge whether the governance program as a whole is maturing or stalling."
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_42001",
            "requirement_id": "\u00a79.3",
            "fit": "direct",
            "rationale": "ISO/IEC 42001 \u00a79.3 requires management review at planned intervals. PG-09 provides the structured review artifact for the Policy Governance layer.",
            "normative_force": "certification-standard",
            "source_version": "2023",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "requirement_id": "GOVERN 1.5",
            "fit": "direct",
            "rationale": "NIST AI RMF GOVERN 1.5 requires planned ongoing monitoring and periodic review of the risk management process and its outcomes, with clear roles and review cadence. PG-09 instantiates this periodic layer-level review at the Policy Governance layer.",
            "normative_force": "voluntary-standard",
            "source_version": "1.0",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "equivalent_to"
          },
          {
            "framework": "eu_ai_act",
            "requirement_id": "Art. 17",
            "fit": "direct",
            "rationale": "EU AI Act Art. 17 requires a quality management system. PG-09 is the QMS artifact for the Policy Governance layer.",
            "normative_force": "binding-law",
            "source_version": "2024",
            "reviewed_on": "2026-06-29",
            "basis": "anchored",
            "relation": "satisfies"
          }
        ],
        "tiers": [
          "universal-enterprise",
          "high-risk-sector"
        ],
        "implementers": [
          "GRC / Internal Audit",
          "AI Operations",
          "Risk Management"
        ],
        "validation_objective": "A consolidated policy governance layer evidence package covering PG-01 through PG-08 must be produced each quarter, with every required artifact present, versioned, and cross-referenced by control ID. The package must be accepted as a valid input by the PE-08 PolicyAttestation production process before the quarter is considered governed.",
        "evidence_required": [
          "evidence_package_manifest listing every PG-01 through PG-08 artifact included in the quarterly package, with control_id, artifact_type, version, and collection_timestamp for each entry",
          "package_integrity_record containing a SHA-256 hash of the complete evidence package and a digital signature from the authorized governance officer",
          "pe_08_attestation_input_confirmation showing that the evidence package was accepted as a valid input to the PolicyAttestation process, with acceptance timestamp and package hash",
          "gap_analysis_record documenting any PG controls with missing or incomplete evidence, with remediation status and risk-acceptance sign-off for each gap",
          "quarterly_package_approval_record showing sign-off by the Chief Risk Officer or designated governance authority within the defined submission deadline"
        ],
        "machine_tests": [
          "Run the evidence package compiler for the current quarter \u2192 assert the output manifest contains at least one artifact entry for each of PG-01 through PG-08 with a non-null collection_timestamp",
          "Verify the package integrity record against the evidence package \u2192 assert the computed SHA-256 hash matches the recorded hash and the signature validates against the authorized governance officer's public key",
          "Submit the evidence package to the PE-08 attestation intake API \u2192 assert a 200 response with status=accepted and a confirmation token, with no validation errors",
          "Query the gap_analysis_record for the most recent quarter \u2192 assert all identified gaps have a remediation_status of closed or a dated risk-acceptance sign-off"
        ],
        "human_review": [
          "Review the evidence package manifest to verify that artifact quality and completeness for each PG control is sufficient to support a credible PolicyAttestation production",
          "Assess whether the gap analysis record accurately reflects the actual evidence state and whether documented risk acceptances for missing evidence are proportionate and appropriately authorized",
          "Confirm that the package compilation and approval process is completed within the defined quarterly deadline and that the PE-08 input confirmation is received before attestation production begins"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Submitting a PG evidence package to the PE-08 attestation process that references artifacts from prior quarters without verifying their continued currency and relevance",
          "Treating the evidence package as a document collection exercise rather than a structured artifact inventory with integrity controls, leaving the package vulnerable to post-hoc modification",
          "Producing the quarterly package without a formal gap analysis step, allowing missing PG control evidence to pass undetected into the PolicyAttestation production process",
          "Failing to obtain a package integrity hash and authorized signature before submission, making it impossible to prove the package was not altered after compilation",
          "Bundling evidence artifacts without control-ID cross-references, preventing the PE-08 attestation process from mapping evidence to the specific PG controls it is intended to satisfy"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PG",
        "lens_enrichment": "ap42 2026-07-08"
      },
      {
        "id": "PE-01",
        "name": "Policy Evidence Archive",
        "canonical_id": "apeiris://authority/controls/PE-01",
        "layer": "PE",
        "prefix": "PE",
        "plane": "lifecycle",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Maintains a tamper-evident, versioned archive of all policy evidence artifacts to support audit, regulatory inquiry, and litigation hold requirements. Archive entries are immutable once committed and are indexed for rapid retrieval during regulatory examination.",
        "threat": {
          "context": "Without a durable, versioned archive, policy evidence may be lost, altered, or unavailable during audits or litigation, exposing the organization to compliance failures and legal liability.",
          "tags": [
            "policy-bypass",
            "internal-policy-violation",
            "principal-accountability-gap"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a77.5",
            "title": "Documented information"
          },
          {
            "id": "iso_42001",
            "section": "\u00a77.5",
            "title": "Documented information"
          },
          {
            "id": "nist_800_53",
            "section": "AU-11",
            "title": "Audit Record Retention"
          },
          {
            "id": "iso_27001",
            "section": "A.5.33",
            "title": "Protection of records"
          }
        ],
        "sources": [
          {
            "id": "src-pe01-01",
            "title": "ISO 37301:2021 Compliance Management Systems \u2014 Documented Information",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 Compliance Management Systems \u2014 Documented Information requirements informing the apeiris://authority/controls/PE-01 Policy Evidence Archive control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe01-02",
            "title": "NIST SP 800-53 Rev 5 \u2014 Audit Record Retention",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Audit Record Retention requirements informing the apeiris://authority/controls/PE-01 Policy Evidence Archive control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe01-03",
            "title": "Example adopter artifact \u2014 Records Retention and Litigation Hold Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PE-01 Policy Evidence Archive control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PE-01 Policy Evidence Archive control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PE-01 Policy Evidence Archive control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PE-01 Policy Evidence Archive control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "iso-iec-27001-2022",
            "title": "ISO/IEC 27001:2022 \u2014 Information Security Management Systems",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2022",
            "published_on": "2022-10-25",
            "retrieved_on": "2026-07-02",
            "canonical_url": "https://www.iso.org/standard/27001",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_27001",
            "relationship": "normative_requirement",
            "rationale": "ISO/IEC 27001:2022 Annex A control A.5.33 (Protection of records) informs the apeiris://authority/controls/PE-01 Policy Evidence Archive control.",
            "reviewed_on": "2026-07-02"
          }
        ],
        "implementation": {
          "pattern": "Write-once, append-only evidence store with cryptographic hash chaining; each artifact is signed at ingest and indexed by control ID, domain, and timestamp.",
          "steps": [
            "Deploy write-once object storage with COMPLIANCE-mode object lock and versioning enabled, ensuring no delete permissions exist outside of retention-expiry automation",
            "Implement hash-chain manifest so each new archive entry references the SHA-256 of the prior entry, establishing tamper-evidence across the corpus",
            "Automate ingest pipelines from all policy-generating systems with metadata tagging for control ID, domain, effective date, and approving authority"
          ],
          "anti_patterns": [
            "Storing evidence in mutable relational databases without integrity controls, permitting post-hoc modification",
            "Relying on manual file exports to shared drives with no access logging, version control, or hash verification"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that the storage backend enforces immutability and that no delete permissions are granted outside of approved retention-expiry workflows",
            "Confirm that each artifact record includes a SHA-256 hash computed at ingest and stored in a separate manifest index",
            "Review the index schema to confirm full-text search and filtering by control ID, date range, and domain are operational"
          ],
          "runtime_tests": [
            "Attempt to overwrite an archived artifact and confirm the storage layer rejects the operation with an immutability error",
            "Retrieve a random sample of archived artifacts and verify that stored hashes match recomputed values",
            "Simulate a litigation hold request and measure time-to-production against the documented SLA"
          ],
          "evidence": [
            "config:object-storage-worm-settings \u2014 COMPLIANCE-mode object lock configuration confirming immutability enforcement",
            "log:archive-ingest-audit-log \u2014 pipeline logs showing artifact IDs, timestamps, SHA-256 hash values, and ingest outcomes",
            "test:hash-integrity-verification-report \u2014 automated integrity scan results for the full archive corpus",
            "doc:records-retention-schedule \u2014 approved retention schedule signed by General Counsel"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "A tamper-evident archive ensures the organization can respond to regulatory inquiries and litigation holds with verifiable, unaltered policy records that are defensible in adversarial proceedings.",
            "actions": [
              "Approve the litigation hold trigger process and maximum production time SLA documented in the records retention policy",
              "Review archive access controls to ensure outside counsel can retrieve records without chain-of-custody concerns"
            ],
            "failure_signals": [
              "Inability to produce policy records within required timeframes during regulatory examination or e-discovery",
              "Evidence of altered or missing records surfaced during litigation discovery"
            ]
          },
          "cfo_procurement": {
            "summary": "Durable evidence archives reduce financial exposure from regulatory penalties and litigation costs by ensuring records are always available and unimpeachable.",
            "actions": [
              "Approve budget for compliant WORM storage infrastructure including annual retention-expiry audit costs",
              "Ensure cloud storage procurement contracts include data sovereignty, immutability SLA, and breach notification clauses"
            ],
            "failure_signals": [
              "Regulatory fines issued due to inability to produce required records on demand",
              "Unbudgeted legal costs arising from inadequate evidence preservation during litigation"
            ]
          },
          "risk_officer": {
            "summary": "Archive gaps create compounding audit and litigation risk; this control ensures the evidence posture is defensible under adversarial scrutiny at any point in time.",
            "actions": [
              "Include archive integrity verification results in quarterly risk assessments and board risk reporting",
              "Escalate any hash-chain integrity failures to the incident response team immediately upon detection"
            ],
            "failure_signals": [
              "Hash-chain integrity violations detected during automated verification runs",
              "Archive coverage gaps identified during internal audit sampling against the control registry"
            ]
          },
          "grc_auditor": {
            "summary": "Provides the foundational evidence corpus that all other PE-layer controls draw from; archive completeness and integrity directly determine audit readiness and examiner confidence.",
            "actions": [
              "Run quarterly completeness checks against the control registry to identify controls with no corresponding archived artifact",
              "Verify that retention periods for all archived artifacts comply with the approved records retention schedule"
            ],
            "failure_signals": [
              "Controls listed in the domain registry with no corresponding archive entry within the expected evidence window",
              "Artifacts discovered in mutable storage rather than the approved WORM backend"
            ],
            "metrics": [
              "Archive coverage rate: percentage of active controls with at least one archived evidence artifact in the current cycle",
              "Hash integrity pass rate: percentage of randomly sampled artifacts passing recomputed hash verification",
              "Mean time to production: average hours to fulfill a records production request from litigation hold trigger"
            ]
          },
          "board_governance": {
            "summary": "An auditable evidence archive underpins the board's fiduciary obligation to demonstrate that governance processes are documented, traceable, and defensible.",
            "actions": [
              "Request annual attestation from General Counsel confirming archive completeness and litigation hold readiness",
              "Include archive integrity pass rate and coverage metrics in board-level compliance reporting"
            ],
            "failure_signals": [
              "Regulatory actions citing inadequate record retention or inability to produce evidence",
              "External auditors issuing qualified opinions due to evidence gaps or integrity failures"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a77.5",
            "title": "Documented information",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "A versioned, immutable evidence archive maintains documented information under \u00a77.5, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A versioned, immutable evidence archive maintains documented information under \u00a77.5, partially.",
            "requirement_id": "\u00a77.5 \u2014 Documented information",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a77.5",
            "title": "Documented information",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Tamper-evident retention of policy evidence reflects \u00a77.5 documented information control, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Tamper-evident retention of policy evidence reflects \u00a77.5 documented information control, partially.",
            "requirement_id": "\u00a77.5 \u2014 Documented information",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AU-11",
            "title": "Audit Record Retention",
            "normative_force": "voluntary-standard",
            "fit": "direct",
            "fit_rationale": "A write-once, retention-controlled evidence archive directly implements AU-11 audit record retention.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A write-once, retention-controlled evidence archive directly implements AU-11 audit record retention.",
            "requirement_id": "AU-11 \u2014 Audit Record Retention",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "RSP v3.3 \u2014 Documented Capability and Safeguards Assessments",
            "rationale": "The RSP's governance and transparency commitments include documenting capability and safeguards assessments for frontier models and publicly releasing key information about deployment decisions. Retaining this evaluation evidence in reviewable form is treated as a governance obligation rather than an optional practice.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "The RSP's retain-and-disclose posture for assessments is an analogous governance obligation, not the deployer's evidence archive.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "openai_preparedness",
            "requirement_id": "Preparedness Framework v2 \u2014 Building Trust (Documented Evaluations)",
            "rationale": "Preparedness Framework v2 commits OpenAI to documenting capability evaluations and safeguards and to publishing system cards as the publicly accessible record for each deployment, with internal evaluation evidence retained to support future re-assessment \u2014 the evidence-retention posture PE-01 generalizes.",
            "normative_force": "best-practice",
            "source_version": "2",
            "fit": "adjacent",
            "fit_rationale": "Preparedness evidence-retention commitments are an analogous vendor posture, not the deployer-side evidence archive.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Audit Manager \u2014 Automated Policy Evidence Archive",
            "rationale": "AWS Audit Manager automatically collects, organizes, and archives policy compliance evidence across organizational accounts with configurable retention controls. Evidence is organized by framework control and assessment period, creating a structured policy evidence archive that supports both internal audit and regulatory examination requirements.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Audit Manager collects and archives compliance evidence with retention controls, partially implementing the evidence archive.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Standard v2 \u2014 Goal A1: Impact Assessment (Documentation)",
            "rationale": "Microsoft's Responsible AI Standard v2 requires Responsible AI Impact Assessments and governance review artifacts to be documented and maintained across the AI system lifecycle. Azure Blob Storage with immutable storage policies provides tamper-resistant long-term evidence archive capabilities for retaining these artifacts.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "RAI documentation retained in immutable Blob storage partially implements a tamper-resistant evidence archive.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "GRC Auditor",
          "Compliance Officer",
          "General Counsel"
        ],
        "validation_objective": "All policy evidence artifacts must be stored in a tamper-evident, versioned archive where entries are immutable once committed, indexed by artifact type and control ID, and retrievable within the defined SLA during regulatory examination or litigation hold. The archive must produce a cryptographic proof of immutability on demand.",
        "evidence_required": [
          "archive_commit_log showing every artifact entry with artifact_id, control_id, committed_at timestamp, SHA-256 hash, and committer identity \u2014 with no modification events after initial commit",
          "tamper_evidence_record containing the Merkle root or audit log hash for the archive state at each quarterly checkpoint, signed by the archive operator",
          "retrieval_test_record showing that a representative sample of archived artifacts was successfully retrieved within the defined SLA, with retrieval timestamps and artifact hashes",
          "litigation_hold_activation_record documenting hold scope, activation timestamp, and confirmation that affected artifacts are locked against deletion for the hold duration",
          "archive_access_control_manifest listing authorized readers and writers with role assignments, confirming write access is restricted to the ingestion pipeline and no interactive modification is permitted"
        ],
        "machine_tests": [
          "Attempt to modify a committed archive entry via the archive API \u2192 assert 403 Forbidden with error_code=immutable_record and no change to the stored artifact",
          "Query the archive for a known artifact by control_id and artifact_type \u2192 assert the response includes the original SHA-256 hash and that the retrieved artifact's computed hash matches",
          "Trigger the archive's tamper-evidence verification routine \u2192 assert it returns a valid Merkle root or audit log hash that matches the most recent checkpoint record",
          "Submit a retrieval request for an artifact under litigation hold \u2192 assert the artifact is returned within the defined SLA and the hold status field is set to active"
        ],
        "human_review": [
          "Verify that the archive's immutability guarantees are implemented at the storage layer (write-once buckets, append-only audit log) and not solely enforced at the application layer",
          "Assess whether the archive indexing scheme enables auditors and regulators to locate all evidence for a specific control or incident within the defined examination window",
          "Review the litigation hold activation procedure to confirm it can be triggered within the required notice period and that all affected artifacts are reliably identified and locked"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Storing policy evidence in a mutable document repository without write-once enforcement, allowing post-hoc modification that undermines evidentiary value",
          "Relying on application-layer controls to prevent archive modification rather than enforcing immutability at the storage layer via write-once bucket policies or append-only logs",
          "Maintaining the archive without a systematic index by control_id and artifact_type, forcing ad-hoc search during regulatory examinations and increasing response time beyond the defined SLA",
          "Failing to maintain cryptographic proofs of archive state at regular checkpoints, making it impossible to demonstrate that the archive has not been tampered with between audits",
          "Neglecting to test the litigation hold activation process until an actual hold is required, discovering process gaps under time pressure during a regulatory inquiry"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PE"
      },
      {
        "id": "PE-02",
        "name": "Regulatory Disclosure Readiness",
        "canonical_id": "apeiris://authority/controls/PE-02",
        "layer": "PE",
        "prefix": "PE",
        "plane": "lifecycle",
        "capability_risk": {
          "capability_level": "low"
        },
        "baseline": false,
        "plain": "Ensures the organization maintains current, complete disclosure packages for AI systems subject to regulatory transparency obligations, including technical documentation, conformity assessments, and incident notification readiness. Packages are pre-staged for rapid submission to competent authorities.",
        "threat": {
          "context": "Failure to maintain disclosure-ready packages for high-risk AI systems can result in regulatory penalties, market withdrawal orders, and reputational damage when regulators request documentation under accelerated timelines.",
          "tags": [
            "policy-bypass",
            "internal-policy-violation",
            "scope-creep",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "eu_ai_act",
            "section": "Art. 13",
            "title": "Transparency and provision of information to deployers"
          },
          {
            "id": "eu_ai_act",
            "section": "Art. 21",
            "title": "Cooperation with competent authorities"
          },
          {
            "id": "oecd_cg",
            "section": "IV",
            "title": "Disclosure and transparency"
          },
          {
            "id": "soc2",
            "section": "CC2.3 / CC7.4",
            "title": "External communication and incident response obligations"
          }
        ],
        "sources": [
          {
            "id": "src-pe02-01",
            "title": "EU AI Act \u2014 Transparency Obligations for High-Risk AI Systems",
            "authority": "European Parliament and Council of the European Union",
            "source_type": "regulation",
            "normative_force": "binding-law",
            "version": "2024/1689",
            "published_on": "2024-07-12",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689",
            "license": "open-access",
            "status": "current",
            "flagship": false,
            "source_id": "eu_ai_act",
            "relationship": "normative_requirement",
            "rationale": "Establishes EU AI Act \u2014 Transparency Obligations for High-Risk AI Systems requirements informing the apeiris://authority/controls/PE-02 Regulatory Disclosure Readiness control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe02-02",
            "title": "EU AI Act \u2014 Cooperation with Competent Authorities",
            "authority": "European Parliament and Council of the European Union",
            "source_type": "regulation",
            "normative_force": "binding-law",
            "version": "2024/1689",
            "published_on": "2024-07-12",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689",
            "license": "open-access",
            "status": "current",
            "flagship": false,
            "source_id": "eu_ai_act",
            "relationship": "normative_requirement",
            "rationale": "Establishes EU AI Act \u2014 Cooperation with Competent Authorities requirements informing the apeiris://authority/controls/PE-02 Regulatory Disclosure Readiness control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe02-03",
            "title": "G20/OECD Principles of Corporate Governance 2023",
            "authority": "Organisation for Economic Co-operation and Development",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "2023",
            "published_on": "2023-09-11",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.oecd.org/en/publications/2023/09/g20-oecd-principles-of-corporate-governance-2023_60836fcb.html",
            "license": "open-access",
            "status": "current",
            "flagship": false,
            "source_id": "oecd_cg",
            "relationship": "implementation_pattern",
            "rationale": "Establishes OECD Corporate Governance Guidelines \u2014 Disclosure requirements informing the apeiris://authority/controls/PE-02 Regulatory Disclosure Readiness control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe02-04",
            "title": "Example adopter artifact \u2014 Regulatory Disclosure and Notification Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PE-02 Regulatory Disclosure Readiness control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PE-02 Regulatory Disclosure Readiness control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PE-02 Regulatory Disclosure Readiness control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PE-02 Regulatory Disclosure Readiness control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Structured disclosure package per AI system maintained in version-controlled document management, with automated staleness alerts and pre-staged submission templates mapped to each competent authority.",
          "steps": [
            "Enumerate all deployed AI systems subject to regulatory transparency requirements and classify by disclosure tier using the EU AI Act Annex III risk categories",
            "Build and maintain a disclosure package per system containing technical documentation, conformity assessment evidence, incident log extracts, and a system data sheet in regulator-ready format",
            "Automate quarterly staleness checks that flag packages where underlying system characteristics have changed but the disclosure package has not been updated within 30 days"
          ],
          "anti_patterns": [
            "Constructing disclosure packages reactively only after a regulator request arrives, guaranteeing inadequate response timelines",
            "Maintaining a single generic disclosure template shared across all systems without system-specific technical documentation"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that every AI system in the high-risk inventory has a corresponding disclosure package in the document management system with a last-reviewed date within 90 days",
            "Confirm that package templates include all mandatory fields required by EU AI Act Art. 11 technical documentation requirements",
            "Review that submission contacts and authority routing tables for each relevant competent authority are current"
          ],
          "runtime_tests": [
            "Execute a tabletop disclosure drill simulating a competent authority request and measure actual time to produce a complete package",
            "Trigger a staleness alert by modifying a system configuration and verify the notification reaches the responsible compliance officer within the configured window",
            "Validate that the most recent conformity assessment evidence in each package post-dates the system's last material change"
          ],
          "evidence": [
            "doc:ai-system-disclosure-package \u2014 versioned technical documentation package for each high-risk AI system",
            "log:package-review-log \u2014 audit trail of quarterly disclosure package reviews with reviewer identity and approval date",
            "test:disclosure-drill-report \u2014 tabletop exercise results including measured time-to-production and identified gaps",
            "config:staleness-alert-config \u2014 automated alert configuration showing review-window thresholds and notification routing"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Pre-staged disclosure packages are the organization's primary defense against regulatory enforcement action; failure to produce compliant documentation on demand is itself a breach under the EU AI Act.",
            "actions": [
              "Approve the disclosure package template against EU AI Act Art. 11 technical documentation requirements before first system registration",
              "Establish legal review checkpoints for disclosure packages when systems undergo material changes"
            ],
            "failure_signals": [
              "Competent authority requests that cannot be fulfilled within the legally required response window",
              "Disclosure packages that omit mandatory technical documentation fields identified during external legal review"
            ]
          },
          "cfo_procurement": {
            "summary": "Regulatory fines for transparency failures under the EU AI Act can reach 3% of worldwide annual turnover (Art. 99(4)); investment in pre-staged disclosure readiness is materially cost-effective.",
            "actions": [
              "Approve annual budget for regulatory disclosure readiness including external legal review of package templates",
              "Include disclosure readiness obligations in procurement contracts for third-party AI systems subject to provider responsibilities"
            ],
            "failure_signals": [
              "EU AI Act enforcement fines or market withdrawal orders resulting from inadequate disclosure",
              "Third-party AI vendors unable to produce required technical documentation under provider obligations"
            ]
          },
          "risk_officer": {
            "summary": "Regulatory disclosure risk is a first-order compliance risk for organizations deploying high-risk AI; this control provides continuous visibility into disclosure posture.",
            "actions": [
              "Include disclosure package coverage and staleness metrics in the enterprise risk register with quarterly updates",
              "Escalate any system operating as high-risk without a current disclosure package to the Chief Compliance Officer immediately"
            ],
            "failure_signals": [
              "High-risk AI systems identified in deployment inventory with no corresponding disclosure package",
              "Packages not updated within 90 days of a material system change"
            ]
          },
          "grc_auditor": {
            "summary": "Disclosure readiness is auditable against EU AI Act Art. 11 and Art. 21; gap analysis against mandatory documentation fields provides a clear compliance scorecard.",
            "actions": [
              "Map each disclosure package against the EU AI Act Art. 11 mandatory documentation checklist and report gap percentage",
              "Verify that quarterly review cycles are completed on schedule and evidenced by signed review records"
            ],
            "failure_signals": [
              "Disclosure packages missing mandatory Art. 11 technical documentation sections",
              "Review log gaps showing packages not reviewed within the required cycle"
            ],
            "metrics": [
              "Disclosure package completeness rate: percentage of high-risk AI systems with fully compliant Art. 11 documentation",
              "Package staleness rate: percentage of packages not reviewed within 90 days of a material system change",
              "Mean time to produce: average hours from authority request to package delivery in drill exercises"
            ]
          },
          "board_governance": {
            "summary": "Disclosure obligations under the EU AI Act and public company governance frameworks require the board to understand the organization's readiness to satisfy regulatory transparency demands.",
            "actions": [
              "Receive semi-annual disclosure readiness reports covering all high-risk AI systems and any identified gaps",
              "Ensure that AI disclosure obligations are reflected in the board's risk oversight framework alongside financial and operational disclosures"
            ],
            "failure_signals": [
              "Regulatory enforcement action or public market withdrawal order for a high-risk AI system",
              "External audit findings citing deficient AI system transparency documentation"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "eu_ai_act",
            "ref": "Art. 13",
            "title": "Transparency and provision of information to deployers",
            "normative_force": "binding-law",
            "fit": "partial",
            "fit_rationale": "Pre-staged disclosure packages support Art. 13 transparency obligations, partially, focused on submission readiness.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Pre-staged disclosure packages support Art. 13 transparency obligations, partially, focused on submission readiness.",
            "requirement_id": "Art. 13 \u2014 Transparency and provision of information to deployers",
            "relation": "satisfies"
          },
          {
            "framework": "oecd_cg",
            "ref": "IV",
            "title": "Disclosure and transparency",
            "normative_force": "voluntary-standard",
            "source_version": "2023",
            "fit": "partial",
            "fit_rationale": "Maintaining current disclosure packages supports OECD Chapter IV disclosure and transparency, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Maintaining current disclosure packages supports OECD Chapter IV disclosure and transparency, partially.",
            "requirement_id": "IV \u2014 Disclosure and transparency",
            "relation": "informs"
          },
          {
            "framework": "soc2",
            "ref": "CC2.3 / CC7.4",
            "title": "External communication and incident response obligations",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Pre-staged incident-notification templates and disclosure packages partially address CC2.3/CC7.4 external communication obligations.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Pre-staged incident-notification templates and disclosure packages partially address CC2.3/CC7.4 external communication obligations.",
            "requirement_id": "CC2.3 / CC7.4 \u2014 External communication and incident response obligations",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "RSP v3.3 \u2014 Governance and Transparency (Public Disclosures)",
            "rationale": "The RSP commits Anthropic to public disclosure of key information about capability assessments, safeguards, and deployment decisions. Maintaining evidence in a form suitable for disclosure at any time is the same readiness posture PE-02 requires of enterprises facing regulatory transparency obligations.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "The RSP's disclosure-readiness posture is an analogous vendor practice, not the deployer's regulatory disclosure packages.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "openai_preparedness",
            "requirement_id": "Preparedness Framework v2 \u2014 Building Trust (Disclosure and Government Engagement)",
            "rationale": "The Preparedness Framework v2 commits to publishing system cards with model deployments and describes engagement with government authorities for frontier capabilities, establishing disclosure readiness as a pre-deployment governance posture.",
            "normative_force": "best-practice",
            "source_version": "2",
            "fit": "adjacent",
            "fit_rationale": "Preparedness disclosure-readiness commitments are an analogous vendor posture, not deployer-side regulatory packages.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Artifact \u2014 On-Demand Regulatory Compliance Disclosure",
            "rationale": "AWS Artifact provides on-demand access to AWS regulatory compliance reports and third-party certifications required for regulatory disclosure readiness. Organizations can use Artifact to access the upstream compliance attestations that underpin their AI deployment compliance posture, supporting timely regulatory disclosure without manual evidence collection.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "AWS Artifact provides upstream compliance attestations but not the deployment-specific regulatory disclosure packages this control stages.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Responsible AI Transparency Report + Purview \u2014 Disclosure Infrastructure",
            "rationale": "Microsoft's annual Responsible AI Transparency Report provides a public disclosure model and demonstrates the evidence packaging required for regulatory disclosure. Microsoft Purview supports regulatory disclosure workflows with structured evidence packaging capabilities, enabling organizations to assemble deployment-specific disclosure packages aligned to regulatory requirements.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Purview evidence packaging plus the RAI report model support assembling regulatory disclosure packages, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "eu-high-risk-ai",
          "public-company-governance"
        ],
        "implementers": [
          "General Counsel",
          "Compliance Officer",
          "CFO"
        ],
        "validation_objective": "For every AI system subject to a regulatory transparency obligation, a complete, current disclosure package must be pre-staged and retrievable within the defined submission window. Each package must include technical documentation, conformity assessment records, and incident notification templates validated against the applicable regulatory schema.",
        "evidence_required": [
          "disclosure_package_inventory listing every AI system in scope with system_id, applicable_regulation, package_version, last_updated timestamp, and package_completeness_status",
          "technical_documentation_record per system containing model card, system architecture summary, intended use case, risk classification rationale, and conformity assessment reference",
          "conformity_assessment_record per applicable system demonstrating compliance with the relevant regulatory article, with assessor identity, assessment date, and findings summary",
          "incident_notification_template per applicable regulation validated against the regulatory authority's published schema, with a test submission record confirming schema acceptance",
          "package_readiness_drill_record showing that a disclosure package was successfully retrieved and formatted for submission within the defined regulatory response window during a tabletop or live drill"
        ],
        "machine_tests": [
          "Query the disclosure package inventory for all in-scope AI systems \u2192 assert every system has a package with last_updated within the defined currency window and package_completeness_status=complete",
          "Submit a disclosure package's technical documentation record to the regulatory schema validator \u2192 assert zero validation errors and all required fields present",
          "Trigger the package retrieval API with a system_id and regulation_id \u2192 assert the complete package is returned within the defined submission-window SLA",
          "Validate the incident notification template against the regulatory authority's published JSON schema \u2192 assert schema_valid=true with no required-field violations"
        ],
        "human_review": [
          "Review a sample of disclosure packages to verify that technical documentation accurately reflects the current system architecture and that conformity assessments cover the applicable regulatory obligations",
          "Assess whether the incident notification templates are legally reviewed and aligned with the regulatory authority's current submission guidance, including any recent regulatory updates",
          "Evaluate the package readiness drill results to confirm that the response team can retrieve, complete, and submit a disclosure package within the regulatory deadline under realistic conditions"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "binding-law",
        "anti_patterns": [
          "Staging disclosure packages once at initial deployment and never updating them as system architecture, intended use, or regulatory requirements change, causing packages to be stale at the point of submission",
          "Preparing disclosure packages only after a regulatory inquiry is received, requiring disclosure content to be assembled under time pressure with no pre-validated templates",
          "Maintaining disclosure packages without schema validation against the regulatory authority's published requirements, discovering format errors only upon submission",
          "Including conformity assessment records from assessors who are not independent of the system under assessment, undermining the credibility of the conformity claim",
          "Scoping disclosure readiness only to high-risk AI systems while omitting limited-risk or general-purpose AI systems subject to transparency obligations under the applicable regulation"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PE"
      },
      {
        "id": "PE-03",
        "name": "Internal Audit Support Package",
        "canonical_id": "apeiris://authority/controls/PE-03",
        "layer": "PE",
        "prefix": "PE",
        "plane": "lifecycle",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Assembles a structured, control-mapped evidence package for each internal audit cycle covering policy design, implementation, and operating effectiveness, enabling auditors to perform efficient, risk-based testing without relying on ad-hoc evidence collection. Packages are pre-indexed to the audit universe and refreshed on each audit cycle.",
        "threat": {
          "context": "Without structured audit support packages, internal audit teams must collect evidence ad-hoc, increasing audit duration, reducing coverage depth, and creating gaps that obscure policy failures from organizational oversight.",
          "tags": [
            "policy-bypass",
            "internal-policy-violation",
            "principal-accountability-gap",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a79.2",
            "title": "Internal audit"
          },
          {
            "id": "iso_42001",
            "section": "\u00a79.2",
            "title": "Internal audit"
          },
          {
            "id": "soc2",
            "section": "CC4.1",
            "title": "COSO Principle 16 \u2014 ongoing and/or separate evaluations"
          },
          {
            "id": "nist_800_53",
            "section": "CA-7",
            "title": "Continuous Monitoring"
          }
        ],
        "sources": [
          {
            "id": "src-pe03-01",
            "title": "ISO 37301:2021 \u2014 Internal Audit",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Internal Audit requirements informing the apeiris://authority/controls/PE-03 Internal Audit Support Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe03-02",
            "title": "NIST SP 800-53 Rev 5 \u2014 Continuous Monitoring",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Continuous Monitoring requirements informing the apeiris://authority/controls/PE-03 Internal Audit Support Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe03-03",
            "title": "SOC 2 Trust Services Criteria \u2014 Monitoring Activities",
            "authority": "American Institute of Certified Public Accountants",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "TSC 2017",
            "published_on": "2017-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "aicpa-soc2",
            "relationship": "normative_requirement",
            "rationale": "Establishes SOC 2 Trust Services Criteria \u2014 Monitoring Activities requirements informing the apeiris://authority/controls/PE-03 Internal Audit Support Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe03-04",
            "title": "Example adopter artifact \u2014 Internal Audit Charter and Evidence Standards Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PE-03 Internal Audit Support Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PE-03 Internal Audit Support Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PE-03 Internal Audit Support Package control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PE-03 Internal Audit Support Package control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Audit support packages are generated by automated assembly from the PE-01 archive, mapped to the audit universe, and delivered to the internal audit team at the start of each engagement.",
          "steps": [
            "Define a standard audit support package schema mapping each auditable control to required evidence types, expected sources, and freshness criteria",
            "Build an automated assembly workflow that pulls current evidence from the PE-01 archive for each in-scope control and packages it with a control-mapping index",
            "Implement a package delivery workflow that logs handoff to the internal audit team with a timestamp and completeness percentage against the defined schema"
          ],
          "anti_patterns": [
            "Requiring auditors to independently collect evidence from multiple systems without a pre-staged package, increasing engagement duration and creating inconsistent coverage",
            "Delivering evidence packages without a control-mapping index, forcing auditors to manually correlate artifacts to audit objectives"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that the audit support package schema covers all controls in the current audit universe with explicit evidence-type mappings",
            "Confirm that the automated assembly workflow pulls from the immutable PE-01 archive rather than mutable operational systems",
            "Review the package delivery log to confirm all prior audit engagements received packages within the policy-defined lead time"
          ],
          "runtime_tests": [
            "Trigger a test package assembly for a sample of 10 controls and verify completeness against the defined schema",
            "Validate that evidence items in the assembled package carry hash values matching the PE-01 archive manifest",
            "Simulate an audit commencement notification and measure actual package delivery time against the ten-business-day SLA"
          ],
          "evidence": [
            "doc:audit-support-package-schema \u2014 approved schema defining required evidence types per auditable control",
            "log:package-assembly-log \u2014 assembly workflow logs showing controls covered, evidence items included, and completeness scores",
            "log:package-delivery-log \u2014 delivery records showing handoff timestamps and auditor acknowledgment",
            "test:package-completeness-report \u2014 test assembly results showing schema coverage percentage for a sample engagement"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Structured audit support packages reduce litigation exposure by demonstrating that the organization maintains a systematic, documented approach to compliance verification.",
            "actions": [
              "Review the audit support package schema to confirm it captures evidence sufficient for regulatory self-assessment and potential external examination",
              "Ensure audit charter language requires acceptance of pre-staged packages to preserve chain-of-custody integrity"
            ],
            "failure_signals": [
              "Internal audit reports citing inability to obtain evidence from first-line compliance within required lead times",
              "Audit findings citing evidence gaps that a complete support package would have surfaced proactively"
            ]
          },
          "cfo_procurement": {
            "summary": "Pre-staged audit support packages reduce internal audit engagement costs and compress audit cycles, lowering the total cost of compliance assurance.",
            "actions": [
              "Track and report on audit cycle duration before and after package pre-staging to demonstrate ROI",
              "Ensure audit support package assembly is included in the compliance function's operating budget with defined headcount"
            ],
            "failure_signals": [
              "Extended audit engagements attributed to delayed or incomplete evidence delivery from the compliance function",
              "Audit cost overruns caused by ad-hoc evidence collection not accounted for in the audit budget"
            ]
          },
          "risk_officer": {
            "summary": "Incomplete or delayed audit support packages reduce audit coverage depth, allowing policy failures to go undetected and accumulate into material risk exposures.",
            "actions": [
              "Include audit support package completeness scores in the quarterly risk dashboard",
              "Escalate any audit engagement where the support package completeness falls below 80% to the Chief Compliance Officer"
            ],
            "failure_signals": [
              "Audit reports issuing findings on controls for which evidence was available but not included in the support package",
              "Repeated audit cycle delays attributed to evidence collection bottlenecks in the compliance function"
            ]
          },
          "grc_auditor": {
            "summary": "Pre-staged, hash-verified audit support packages are the primary tool for efficient, risk-based internal audit execution and provide a defensible audit trail for external review.",
            "actions": [
              "Validate package completeness against the schema before accepting commencement and document any gaps with remediation timelines",
              "Verify hash values for all evidence items against the PE-01 archive manifest before relying on them in audit testing"
            ],
            "failure_signals": [
              "Evidence items in the support package with hashes that do not match the PE-01 archive manifest",
              "Package completeness scores below 80% for any in-scope control at commencement"
            ],
            "metrics": [
              "Package completeness rate: average percentage of required evidence types present at commencement across all engagements",
              "On-time delivery rate: percentage of engagements where the package was delivered within the policy-defined lead time",
              "Hash integrity rate: percentage of evidence items in delivered packages with hashes matching the PE-01 archive"
            ]
          },
          "board_governance": {
            "summary": "Systematic audit support provisioning signals that the organization has mature first-line compliance operations capable of substantiating governance assertions to the board.",
            "actions": [
              "Request that the Audit Committee receive annual reporting on audit support package completeness trends and any chronic gaps",
              "Include internal audit cycle efficiency metrics in the board's oversight of the compliance management system"
            ],
            "failure_signals": [
              "Audit Committee reports citing repeated evidence collection failures delaying internal audit conclusions",
              "External auditor management letters noting inadequate internal audit support as a material weakness"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a79.2",
            "title": "Internal audit",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "A pre-indexed, control-mapped evidence package enabling auditor testing directly supports \u00a79.2 internal audit.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A pre-indexed, control-mapped evidence package enabling auditor testing directly supports \u00a79.2 internal audit.",
            "requirement_id": "\u00a79.2 \u2014 Internal audit",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a79.2",
            "title": "Internal audit",
            "normative_force": "certification-standard",
            "fit": "direct",
            "fit_rationale": "Control-mapped audit support packages directly enable the \u00a79.2 internal audit process.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Control-mapped audit support packages directly enable the \u00a79.2 internal audit process.",
            "requirement_id": "\u00a79.2 \u2014 Internal audit",
            "relation": "equivalent_to"
          },
          {
            "framework": "soc2",
            "ref": "CC4.1",
            "title": "COSO Principle 16 \u2014 ongoing and/or separate evaluations",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Refreshed control-mapped evidence packages support the ongoing and separate evaluations CC4.1 requires, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Refreshed control-mapped evidence packages support the ongoing and separate evaluations CC4.1 requires, partially.",
            "requirement_id": "CC4.1 \u2014 COSO Principle 16 \u2014 ongoing and/or separate evaluations",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "CA-7",
            "title": "Continuous Monitoring",
            "normative_force": "voluntary-standard",
            "fit": "adjacent",
            "fit_rationale": "Per-cycle audit support packages aid assessment but are not the continuous monitoring program CA-7 defines.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Per-cycle audit support packages aid assessment but are not the continuous monitoring program CA-7 defines.",
            "requirement_id": "CA-7 \u2014 Continuous Monitoring",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Audit Manager \u2014 Internal Audit Evidence Package Generation",
            "rationale": "AWS Audit Manager automated evidence collection populates structured internal audit support packages aligned to compliance framework controls. Audit Manager organizes evidence by control objective and assessment period, generates audit-ready reports with evidence links, and supports auditor access delegation, providing a complete internal audit support package without manual evidence assembly.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Audit Manager auto-populates control-mapped audit support packages, partially implementing PE-03.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Audit Logs + Policy Analyzer \u2014 Internal Audit Evidence",
            "rationale": "Google Cloud Admin Activity Audit Logs and Policy Analyzer reports provide structured evidence packages supporting internal audit of governance control effectiveness. Logs can be exported to BigQuery for audit query analysis, and Policy Analyzer findings provide governance intent versus implementation comparison evidence required for comprehensive internal audit support packages.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Exported audit logs and Policy Analyzer findings provide structured internal-audit evidence, partially implementing the package.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta System Log Compliance Reports \u2014 Authorization Audit Evidence",
            "rationale": "Okta System Log exports and compliance report generation provide comprehensive authorization audit evidence for internal audit review. Okta's built-in reporting capabilities can generate structured audit evidence packages covering all identity and authorization events within the audit scope period, supporting efficient internal audit fieldwork.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta System Log compliance reports supply authorization audit evidence for internal audit, partially implementing the package.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Purview Compliance Manager \u2014 Structured Internal Audit Packages",
            "rationale": "Microsoft Purview Audit and Compliance Manager generate structured audit support packages mapping control evidence to governance framework requirements. Compliance Manager's assessment export capabilities produce audit-ready packages with control status, evidence links, and improvement action documentation suitable for internal audit committee review.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Compliance Manager exports control-mapped audit-ready packages, partially implementing the internal audit support package.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "GRC Auditor",
          "Internal Audit",
          "Compliance Officer"
        ],
        "validation_objective": "For each internal audit cycle, a pre-indexed, control-mapped evidence package must be available covering all in-scope authority controls, with each evidence artifact tagged to the specific control it satisfies and to the audit test procedure it supports. Auditors must be able to initiate testing without requesting additional evidence collection.",
        "evidence_required": [
          "audit_evidence_package_manifest listing each in-scope control with control_id, mapped_audit_test_id, artifact_type, artifact_id, and collection_timestamp for every evidence item",
          "control_design_documentation per in-scope control including policy reference, control objective, implementation description, and last-review date",
          "operating_effectiveness_sample_set containing the auditor-defined population, the selected sample, and the corresponding evidence artifacts with provenance metadata",
          "prior_cycle_finding_remediation_record showing each finding from the previous audit cycle with remediation action, implementation date, and retesting result",
          "audit_package_completeness_certification signed by the control owner confirming that all evidence is current, accurately represents the control state, and covers the defined audit period"
        ],
        "machine_tests": [
          "Query the audit evidence package for all in-scope controls \u2192 assert every control has at least one artifact entry with a collection_timestamp within the defined audit period",
          "Verify the cross-reference mapping \u2192 assert every artifact_id in the manifest resolves to an existing archived artifact with a matching SHA-256 hash",
          "Run the completeness check script against the package manifest \u2192 assert zero controls have missing required evidence fields and no unmapped audit test IDs",
          "Query prior cycle finding remediation records \u2192 assert every open finding from the previous cycle has a documented remediation action with an implementation date before the current audit start date"
        ],
        "human_review": [
          "Review the control design documentation to verify that each control objective accurately reflects current policy intent and that implementation descriptions match actual deployed configurations",
          "Assess whether the operating effectiveness sample set is sufficient in size and selection method for the auditor to draw a reasonable conclusion about control effectiveness",
          "Verify that prior cycle findings have been genuinely remediated rather than administratively closed, by testing a sample of remediated controls for current operating effectiveness"
        ],
        "blocking_effect": "requires-review",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Assembling audit evidence packages on an ad-hoc, auditor-request basis rather than maintaining pre-indexed packages, extending audit timelines and increasing control owner burden during the audit window",
          "Providing evidence artifacts without control-ID mapping, forcing auditors to manually determine which artifacts satisfy which controls and increasing the risk of misaligned evidence",
          "Including evidence artifacts that fall outside the defined audit period without flagging them as out-of-period, leading auditors to incorrectly assess operating effectiveness based on stale evidence",
          "Failing to include prior cycle finding remediation records in the package, requiring auditors to reconstruct the remediation history and slowing down follow-up testing",
          "Certifying package completeness without control owner review, causing auditors to discover missing or contradictory evidence during testing rather than before the audit begins"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PE"
      },
      {
        "id": "PE-04",
        "name": "Cross-Domain Policy Evidence Integration",
        "canonical_id": "apeiris://authority/controls/PE-04",
        "layer": "PE",
        "prefix": "PE",
        "plane": "lifecycle",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Aggregates policy evidence from across Apeiris domains into a unified evidence package, enabling end-to-end policy coverage assessment and cross-domain gap detection. The integrated package is the authoritative source for enterprise-wide policy posture reporting and supports federation attestation workflows.",
        "threat": {
          "context": "Policy evidence siloed within individual domains creates blind spots where cross-cutting policy obligations are met in one domain but violated in another, enabling gap exploitation that no single-domain view would detect.",
          "tags": [
            "policy-bypass",
            "scope-creep",
            "knowledge-source-staleness",
            "principal-accountability-gap"
          ]
        },
        "standard_references": [
          {
            "id": "nist_rmf",
            "section": "GOVERN 4.2",
            "title": "Organizational teams document the risks and potential impacts of AI systems and communicate about them more broadly"
          },
          {
            "id": "iso_42001",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_800_53",
            "section": "PL-2",
            "title": "System Security and Privacy Plans"
          }
        ],
        "sources": [
          {
            "id": "src-pe04-01",
            "title": "NIST AI RMF 1.0 \u2014 Organizational Governance",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI RMF 1.0 \u2014 Organizational Governance requirements informing the apeiris://authority/controls/PE-04 Cross-Domain Policy Evidence Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe04-02",
            "title": "ISO 42001:2023 \u2014 Monitoring, Measurement, Analysis and Evaluation",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001:2023 \u2014 Monitoring, Measurement, Analysis and Evaluation requirements informing the apeiris://authority/controls/PE-04 Cross-Domain Policy Evidence Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe04-03",
            "title": "Example adopter artifact \u2014 Enterprise AI Governance and Cross-Domain Evidence Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PE-04 Cross-Domain Policy Evidence Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PE-04 Cross-Domain Policy Evidence Integration control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PE-04 Cross-Domain Policy Evidence Integration control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Federated evidence aggregation pipeline that pulls domain-level evidence packages from each Apeiris domain endpoint, normalizes them to the shared evidence ontology, and produces a unified cross-domain posture report with gap analysis.",
          "steps": [
            "Define a cross-domain evidence manifest schema specifying which control evidence types from each domain are required for the integrated package, mapped to cross-cutting obligations",
            "Build an aggregation pipeline that queries each domain's evidence endpoint using the apeiris:// URI scheme, validates hashes against domain manifests, and normalizes to the shared ontology",
            "Implement automated gap analysis that flags cross-domain coverage holes where a policy obligation is evidenced in fewer than the required number of contributing domains"
          ],
          "anti_patterns": [
            "Treating each domain's evidence as fully independent and never aggregating across domains, missing cross-cutting policy obligations entirely",
            "Aggregating evidence without normalizing to a shared ontology, producing a collection of incompatible artifacts that cannot be compared or cross-referenced"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that the cross-domain manifest schema covers all cross-cutting policy obligations identified in the federation specification",
            "Confirm that the aggregation pipeline validates artifact hashes against each contributing domain's manifest before including them in the integrated package",
            "Review the gap analysis logic to ensure it correctly identifies cases where a policy obligation is evidenced in fewer than the required domains"
          ],
          "runtime_tests": [
            "Remove evidence for a cross-cutting obligation from one domain and verify the gap analysis flags it in the next aggregation cycle",
            "Validate that all artifact URIs in the integrated package resolve to the correct apeiris://[domain]/controls/[ID] canonical form",
            "Verify that the integrated package hash manifest is consistent with the individual domain hashes after aggregation"
          ],
          "evidence": [
            "doc:cross-domain-evidence-manifest \u2014 approved manifest schema defining required evidence types per cross-cutting obligation",
            "log:aggregation-pipeline-log \u2014 pipeline execution logs showing contributing domains, artifact counts, and gap detection results",
            "test:cross-domain-gap-analysis-report \u2014 automated gap analysis output showing coverage scores by domain and obligation",
            "authority:integrated-posture-report \u2014 signed cross-domain policy posture report reviewed and approved by the AI Governance Lead"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Cross-domain evidence integration is essential for demonstrating enterprise-wide compliance with obligations that span multiple AI governance domains, such as data privacy obligations that intersect with model governance.",
            "actions": [
              "Review cross-domain gap analysis reports to identify cross-cutting legal obligations not fully evidenced across relevant domains",
              "Ensure the integrated posture report is included in the legal hold scope so cross-domain evidence relationships are preserved"
            ],
            "failure_signals": [
              "Regulatory examination revealing a cross-cutting obligation evidenced in one domain but not another, creating inconsistent compliance assertions",
              "Cross-domain gap analysis reports showing persistent uncovered obligations with no remediation timeline"
            ]
          },
          "cfo_procurement": {
            "summary": "Integrated cross-domain evidence reduces the cost of enterprise compliance reporting by eliminating duplicative evidence collection efforts across business units.",
            "actions": [
              "Track cost reduction from centralized cross-domain aggregation versus prior per-domain evidence collection efforts",
              "Ensure budget for cross-domain aggregation infrastructure is allocated to the AI Governance function rather than individual domain teams"
            ],
            "failure_signals": [
              "Duplicate evidence collection costs identified in domain team budgets that should be consolidated into the cross-domain pipeline",
              "Cross-domain posture reports not produced within budget due to manual aggregation overhead"
            ]
          },
          "risk_officer": {
            "summary": "Cross-domain gaps are a primary source of systemic policy risk; this control provides the only enterprise-level view of where policy coverage is incomplete across the AI governance fabric.",
            "actions": [
              "Include cross-domain gap count and severity in the quarterly enterprise risk report",
              "Escalate any cross-cutting obligation identified as uncovered in two or more domains to the AI Governance Lead for immediate remediation"
            ],
            "failure_signals": [
              "Cross-domain gap analysis showing the same cross-cutting obligation uncovered across multiple consecutive reporting cycles",
              "Integrated posture report not produced within the monthly reporting cycle due to pipeline failures"
            ]
          },
          "grc_auditor": {
            "summary": "The integrated cross-domain evidence package is the definitive input for enterprise-level compliance assessments; its completeness and accuracy directly determine audit scope adequacy.",
            "actions": [
              "Validate that the cross-domain manifest schema is current against the latest federation specification before each audit cycle",
              "Sample artifact hashes from the integrated package against individual domain manifests to verify aggregation fidelity"
            ],
            "failure_signals": [
              "Cross-domain package artifacts whose hashes do not match the corresponding domain-level manifests",
              "Manifest schema not updated to reflect new cross-cutting obligations introduced in the current federation specification version"
            ],
            "metrics": [
              "Cross-domain coverage rate: percentage of cross-cutting obligations fully evidenced across all required contributing domains",
              "Aggregation fidelity rate: percentage of integrated package artifacts with hashes matching the contributing domain manifests",
              "Gap remediation rate: percentage of identified cross-domain gaps with active remediation plans and target closure dates"
            ]
          },
          "board_governance": {
            "summary": "Integrated cross-domain evidence is the foundation of the enterprise AI governance posture report that the board uses to discharge its oversight obligations.",
            "actions": [
              "Request that the AI Governance Lead present the integrated cross-domain posture report to the board or a designated board committee at least annually",
              "Ensure the board's governance oversight framework explicitly includes cross-domain AI policy coverage as a monitored metric"
            ],
            "failure_signals": [
              "Board-level posture reports relying on domain-siloed evidence without cross-domain integration, missing systemic gaps",
              "External auditor findings citing incomplete enterprise-level AI governance evidence as a material weakness"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 4.2",
            "title": "Organizational teams document the risks and potential impacts of AI systems and communicate about them more broadly",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "Aggregating and gap-analyzing cross-domain evidence documents and communicates risks broadly, partially addressing GOVERN 4.2.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Aggregating and gap-analyzing cross-domain evidence documents and communicates risks broadly, partially addressing GOVERN 4.2.",
            "requirement_id": "GOVERN 4.2 \u2014 Organizational teams document the risks and potential impacts of AI systems and communicate about them more broadly",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "Cross-domain evidence aggregation supports posture reporting but is an integration function, not the \u00a79.1 monitoring activity.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Cross-domain evidence aggregation supports posture reporting but is an integration function, not the \u00a79.1 monitoring activity.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "Evidence integration underpins analysis but is not itself the \u00a79.1 monitoring and evaluation activity.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Evidence integration underpins analysis but is not itself the \u00a79.1 monitoring and evaluation activity.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Security Hub \u2014 Cross-Domain Policy Evidence Normalization",
            "rationale": "AWS Security Hub normalizes policy findings from Config, GuardDuty, Inspector, and third-party tools into a unified finding format (ASFF), enabling cross-domain policy evidence integration. Security Hub's consolidated compliance view combines evidence from multiple governance domains into integrated policy evidence packages suitable for cross-domain attestation.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Security Hub normalizes multi-source findings into a unified format, partially implementing cross-domain evidence integration.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Security Command Center \u2014 Cross-Domain Evidence Integration",
            "rationale": "Google Cloud Security Command Center integrates organization policy findings with security, vulnerability, and compliance evidence from multiple domains into a unified governance view. SCC's findings API enables cross-domain policy evidence integration for comprehensive governance attestation that spans infrastructure, identity, and AI governance domains.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "SCC integrates policy findings with multi-domain evidence into a unified view, partially implementing cross-domain integration.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Defender for Cloud + Purview \u2014 Cross-Domain Policy Evidence Integration",
            "rationale": "Microsoft Defender for Cloud and Purview integrate cross-domain policy evidence across identity, data, and AI governance domains, providing unified compliance views for cross-domain policy attestation. The Microsoft compliance score aggregates evidence across all governance domains into a single integrated compliance posture metric.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Defender and Purview integrate cross-domain policy evidence into unified compliance views, partially implementing PE-04.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "GRC Auditor",
          "AI Governance Lead",
          "Compliance Officer"
        ],
        "validation_objective": "A unified cross-domain policy evidence package must be produced that aggregates evidence from all active Apeiris domains, maps each artifact to its originating domain and control ID, and identifies any cross-domain policy coverage gaps. The integrated package must be accepted as the authoritative input for enterprise-wide policy posture reporting and federation attestation workflows.",
        "evidence_required": [
          "cross_domain_evidence_manifest listing each contributing domain with domain_slug, control_count, artifact_count, last_collected timestamp, and integration_status for the current reporting cycle",
          "cross_domain_gap_analysis_record identifying policy obligations that span multiple domains but lack coverage in one or more contributing domain evidence packages, with gap_id, affected_domains, and remediation_owner",
          "domain_evidence_integrity_record containing a SHA-256 hash of each domain evidence package at the point of integration, confirming that no artifacts were altered during aggregation",
          "federation_attestation_input_confirmation showing that the integrated package was accepted as a valid input to the federation attestation workflow, with acceptance timestamp and package hash",
          "enterprise_posture_report derived from the integrated package, showing cross-domain coverage metrics, open gaps, and trend comparison against the prior reporting cycle"
        ],
        "machine_tests": [
          "Run the cross-domain integration pipeline \u2192 assert the output manifest includes at least one artifact entry for every active Apeiris domain with integration_status=complete",
          "For each domain evidence package in the integrated manifest, recompute the SHA-256 hash and compare to the domain_evidence_integrity_record \u2192 assert all hashes match with zero discrepancies",
          "Submit the integrated package to the federation attestation intake API \u2192 assert a 200 response with status=accepted and a confirmation token, with no domain coverage errors",
          "Query the cross_domain_gap_analysis_record \u2192 assert every identified gap has a remediation_owner assigned and a target_resolution_date that has not exceeded the defined SLA"
        ],
        "human_review": [
          "Review the cross-domain gap analysis to assess whether identified coverage gaps represent genuine policy obligation mismatches or documentation inconsistencies that require coordination between domain owners",
          "Verify that the enterprise posture report derived from the integrated package accurately reflects the cross-domain policy state and is suitable as the authoritative basis for board-level policy posture reporting",
          "Assess whether the integration pipeline correctly handles schema differences between domain evidence packages and that normalization logic does not silently discard or mismap artifacts from any contributing domain"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "voluntary-standard",
        "anti_patterns": [
          "Aggregating domain evidence packages by concatenating artifacts without a cross-domain control-ID mapping scheme, making it impossible to identify cross-domain gaps or map evidence to specific obligations",
          "Treating the cross-domain integration as a one-time annual exercise rather than a recurring cycle aligned to the enterprise reporting cadence, allowing the integrated package to become stale between cycles",
          "Accepting domain evidence packages into the integrated manifest without verifying their integrity hashes, creating risk that altered artifacts are treated as authoritative",
          "Generating the enterprise posture report from a subset of domains due to integration failures in one or more domain pipelines, without flagging the excluded domains or their missing contributions",
          "Using the integrated package for federation attestation workflows without first validating it against the federation attestation intake schema, discovering format or coverage errors only at submission time"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PE"
      },
      {
        "id": "PE-05",
        "name": "Contract Audit Trail",
        "canonical_id": "apeiris://authority/controls/PE-05",
        "layer": "PE",
        "prefix": "PE",
        "plane": "lifecycle",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Maintains a complete, tamper-evident audit trail for all contracts and commitments executed by or on behalf of AI systems, including approval records, signatory authority verification, and performance obligation tracking. The trail supports breach investigation, regulatory audit, and counterparty dispute resolution.",
        "threat": {
          "context": "AI systems executing or influencing contractual commitments without a complete audit trail create unresolvable disputes over authorization, terms, and performance, exposing the organization to contract litigation and regulatory scrutiny.",
          "tags": [
            "contract-violation",
            "unauthorized-commitment",
            "commitment-without-authority",
            "procurement-bypass"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_800_53",
            "section": "AU-12",
            "title": "Audit Record Generation"
          },
          {
            "id": "soc2",
            "section": "CC7.2",
            "title": "Monitoring of system components"
          },
          {
            "id": "nist_800_53",
            "section": "AU-10",
            "title": "Non-Repudiation"
          }
        ],
        "sources": [
          {
            "id": "src-pe05-01",
            "title": "NIST SP 800-53 Rev 5 \u2014 Audit Record Generation",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "Rev. 5",
            "published_on": "2020-09-23",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.SP.800-53r5",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_800_53",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST SP 800-53 Rev 5 \u2014 Audit Record Generation requirements informing the apeiris://authority/controls/PE-05 Contract Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe05-02",
            "title": "ISO 37301:2021 \u2014 Monitoring, Measurement, Analysis and Evaluation",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Monitoring, Measurement, Analysis and Evaluation requirements informing the apeiris://authority/controls/PE-05 Contract Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe05-03",
            "title": "Example adopter artifact \u2014 Master Services Agreement \u2014 Audit Rights and Record Retention (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "contractual-obligation",
            "normative_force": "contractual-obligation",
            "version": "",
            "published_on": "",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "src-pe05-04",
            "title": "Example adopter artifact \u2014 Contract Execution and AI Authority Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PE-05 Contract Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PE-05 Contract Audit Trail control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PE-05 Contract Audit Trail control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Event-sourced contract audit trail that captures every contract lifecycle event (initiation, negotiation, approval, execution, amendment, termination) with immutable records including actor identity, authority reference, and hash of the contract version at that event.",
          "steps": [
            "Instrument all contract lifecycle touchpoints to emit structured audit events to the immutable contract audit log, including the delegating authority identifier and the PV or PA control reference that authorized the AI action",
            "Implement a non-repudiation layer using Ed25519 signatures over each audit event so no party can later deny that a recorded action occurred",
            "Build a contract audit report generator that produces counterparty-shareable reports showing the full lifecycle of any specific contract, suitable for dispute resolution"
          ],
          "anti_patterns": [
            "Logging only final execution events without capturing intermediate approval and authority verification steps, making it impossible to reconstruct the authorization chain",
            "Storing contract audit logs in the same mutable system that manages contract content, allowing records to be altered alongside the contracts they are meant to evidence"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that all contract lifecycle event types are instrumented and that the audit log schema includes actor identity, authority reference, action type, and contract version hash",
            "Confirm that Ed25519 signatures are applied to each audit event at write time and that the signing key is managed in a hardware security module",
            "Review that the contract audit log backend enforces immutability consistent with the PE-01 archive standards"
          ],
          "runtime_tests": [
            "Execute a test contract workflow end-to-end and verify that every lifecycle event generates a corresponding immutable audit record with a valid signature",
            "Attempt to delete or modify an audit record and confirm the storage layer rejects the operation",
            "Generate a contract audit report for a test contract and verify that a simulated counterparty reviewer can validate the full authorization chain from the report alone"
          ],
          "evidence": [
            "log:contract-audit-trail \u2014 immutable event log covering all contract lifecycle events with actor identity, authority reference, and hash",
            "config:non-repudiation-signing-config \u2014 HSM key management configuration and signing policy for contract audit events",
            "test:contract-workflow-audit-coverage-report \u2014 test execution results confirming all lifecycle event types generate audit records",
            "contract:msa-audit-rights-clause \u2014 executed MSA template confirming contractual obligation to maintain audit logs"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "A complete contract audit trail is the organization's primary defense against unauthorized commitment claims and counterparty disputes involving AI-executed or AI-influenced transactions.",
            "actions": [
              "Approve the contract audit trail schema to confirm it captures all information needed to reconstruct the authorization chain in dispute resolution proceedings",
              "Ensure audit rights clauses in customer and vendor contracts reference the organization's obligation to maintain and produce contract audit logs"
            ],
            "failure_signals": [
              "Contract disputes where the organization cannot produce a complete audit trail demonstrating proper authorization of an AI-executed commitment",
              "Counterparty challenges to AI-executed contracts on grounds that no human authority can be demonstrated from the audit record"
            ]
          },
          "cfo_procurement": {
            "summary": "Unauthorized AI commitments without traceable audit trails create unquantifiable financial liability; this control bounds that exposure by ensuring every commitment is attributable and traceable.",
            "actions": [
              "Require that all procurement workflows involving AI execution or recommendation maintain contract audit trail records before financial approval",
              "Include contract audit trail completeness as an acceptance criterion in vendor contracts for AI-assisted procurement platforms"
            ],
            "failure_signals": [
              "Procurement commitments surfaced in financial reconciliation that cannot be traced to an authorized approval record in the audit trail",
              "Vendor AI systems executing purchase commitments without corresponding audit trail entries"
            ]
          },
          "risk_officer": {
            "summary": "Unauthorized or untraceable commitments represent first-order financial and legal risk; complete contract audit trails are the primary control for detecting and bounding this exposure.",
            "actions": [
              "Include contract audit trail completeness and integrity metrics in the quarterly risk dashboard",
              "Escalate any contract execution event without a corresponding audit trail entry to Legal and Compliance immediately"
            ],
            "failure_signals": [
              "Financial reconciliation identifying executed contracts with no corresponding audit trail entries",
              "Contract audit trail gaps detected during sampling that correlate with unauthorized commitment incidents"
            ]
          },
          "grc_auditor": {
            "summary": "The contract audit trail provides the primary evidence basis for testing AI authority controls; completeness and signature integrity are the key audit indicators.",
            "actions": [
              "Sample contract audit trail entries and verify that Ed25519 signatures are valid and that the signing key can be traced to the approved HSM configuration",
              "Cross-reference contract audit trail coverage against the contract management system to identify any contracts with missing or incomplete audit records"
            ],
            "failure_signals": [
              "Contracts in the contract management system with no corresponding audit trail entries covering the execution event",
              "Invalid or unverifiable Ed25519 signatures on audit trail records for any contract in the sample"
            ],
            "metrics": [
              "Contract audit trail coverage rate: percentage of executed contracts with complete lifecycle event records in the audit trail",
              "Signature validity rate: percentage of audited trail entries with verifiable Ed25519 signatures",
              "Authorization chain completeness rate: percentage of contracts where the full approval-to-execution authorization chain is reconstructible from the trail"
            ]
          },
          "board_governance": {
            "summary": "Complete, tamper-evident contract audit trails are a prerequisite for board-level assurance that AI systems are not executing unauthorized commitments that create undisclosed liabilities.",
            "actions": [
              "Receive annual reporting on contract audit trail coverage and any identified gaps in AI-executed commitment logging",
              "Ensure that material contracts involving AI execution are flagged for board awareness alongside human-authorized material commitments"
            ],
            "failure_signals": [
              "Material commitments attributed to AI execution that cannot be traced to a board-authorized delegation of authority",
              "Regulatory or counterparty findings citing absent or altered contract audit records in dispute proceedings"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "An immutable contract audit trail supports \u00a79.1 monitoring but is the record substrate rather than the activity.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "An immutable contract audit trail supports \u00a79.1 monitoring but is the record substrate rather than the activity.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_800_53",
            "ref": "AU-12",
            "title": "Audit Record Generation",
            "normative_force": "voluntary-standard",
            "fit": "direct",
            "fit_rationale": "Emitting an immutable signed audit record for every contract lifecycle event directly implements AU-12.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Emitting an immutable signed audit record for every contract lifecycle event directly implements AU-12.",
            "requirement_id": "AU-12 \u2014 Audit Record Generation",
            "relation": "equivalent_to"
          },
          {
            "framework": "soc2",
            "ref": "CC7.2",
            "title": "Monitoring of system components",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "A contract audit trail supports monitoring but does not itself perform the CC7.2 detection function.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "A contract audit trail supports monitoring but does not itself perform the CC7.2 detection function.",
            "requirement_id": "CC7.2 \u2014 Monitoring of system components",
            "relation": "equivalent_to"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS CloudTrail + Audit Manager \u2014 Immutable Contract Audit Trail",
            "rationale": "AWS CloudTrail provides immutable contract-related audit trails with log file integrity validation that detects any post-creation modification or deletion. AWS Audit Manager collects and retains contract compliance evidence with configurable retention policies, maintaining complete contract audit trail packages that satisfy regulatory evidence and contractual audit right requirements.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "CloudTrail integrity-validated logs and Audit Manager retention partially implement the immutable contract audit trail.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta System Log \u2014 Non-Repudiable Contract Authorization Evidence",
            "rationale": "Okta System Log provides non-repudiable audit records of all authorization events relevant to contract obligation evidence, including identity-mediated contract review approvals, commitment authorizations, and obligation acknowledgment events. System Log records cannot be modified after creation, maintaining the integrity of contract authorization audit evidence.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Okta System Log records non-repudiable contract-authorization events, partially implementing the contract audit trail.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft Purview Audit \u2014 Contract Obligation Audit Trail Retention",
            "rationale": "Microsoft Purview Audit maintains immutable contract audit trails for AI system actions relevant to contractual obligations and compliance requirements. Purview's unified audit log captures contract-relevant events across Microsoft 365 and Azure with configurable long-term retention, supporting contractual audit right exercise and regulatory examination of contract compliance.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Purview immutable audit logs retain contract-relevant AI events, partially implementing the contract audit trail.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "contract-ai",
          "procurement-ai",
          "public-company-governance"
        ],
        "implementers": [
          "General Counsel",
          "Contract Management",
          "GRC Auditor"
        ],
        "validation_objective": "All contract lifecycle events executed by or on behalf of AI systems must generate immutable, individually Ed25519-signed audit records in the contract audit trail at the time each event occurs. The full authorization chain from authority delegation through final execution must be reconstructible from the trail alone for any executed contract without reference to external systems.",
        "evidence_required": [
          "contract_audit_trail_record with event_type, actor_id, authority_reference (PV or PA control canonical ID), contract_version_hash, and Ed25519 signature for each lifecycle event including initiation, negotiation, approval, execution, amendment, and termination",
          "hsm_key_management_attestation confirming the Ed25519 signing key is managed in an approved hardware security module and that signing is performed atomically at event write time with no deferred signing queue",
          "audit_trail_immutability_test_report showing the storage backend rejected delete and modify operations against audit trail records during automated regression testing",
          "contract_audit_report_sample for a tested contract demonstrating that all lifecycle events appear in chronological order with actor identity, authority reference, and contract version hash for each step"
        ],
        "machine_tests": [
          "Execute a test contract lifecycle (initiation, negotiation, approval, execution) \u2192 assert each stage generates an audit record in the immutable store within 30 seconds with actor_id, authority_reference, and contract_version_hash populated",
          "Attempt a DELETE and a PUT operation on an existing audit trail record via the storage API \u2192 assert both operations return a rejection error and the record remains unchanged on subsequent retrieval",
          "Verify the Ed25519 signature on three randomly sampled audit trail records using the registered HSM public key \u2192 assert all three signatures validate without error",
          "Request a contract audit report for a test contract and supply it to a simulated counterparty reviewer \u2192 assert the report contains sufficient information to independently reconstruct the full authorization chain without querying the contracting system"
        ],
        "human_review": [
          "Review the contract audit trail schema to confirm it captures all required lifecycle event types including negotiation stages and amendments that might establish binding sub-obligations, not only the final execution event",
          "Assess the Ed25519 signing key rotation schedule and HSM access controls to verify private key material cannot be extracted or used outside the approved signing workflow during key rotation windows",
          "Verify that active MSA and vendor contract templates include audit rights clauses explicitly referencing the organization's obligation to maintain and produce contract audit logs for counterparty dispute resolution proceedings"
        ],
        "blocking_effect": "advisory",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Recording only the final contract execution event without capturing intermediate approval and authority verification steps, making it impossible to reconstruct which human principal authorized the AI-executed commitment",
          "Storing contract audit log records in the same mutable database as contract content, allowing post-hoc modification of the contract and its audit record in a single transaction",
          "Writing audit log entries asynchronously after event completion without guaranteed delivery semantics, creating gaps in the audit trail during system failures or network partitions",
          "Using application-layer timestamps set by the contracting system rather than a trusted time authority, allowing clock manipulation to obscure the sequence of authorization events in dispute proceedings",
          "Signing batches of audit events together rather than signing each event individually, making it impossible to verify a single event's authenticity without producing and validating the full batch"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PE"
      },
      {
        "id": "PE-06",
        "name": "Board and Senior Management Policy Reporting",
        "canonical_id": "apeiris://authority/controls/PE-06",
        "layer": "PE",
        "prefix": "PE",
        "plane": "lifecycle",
        "capability_risk": {
          "capability_level": "low"
        },
        "baseline": false,
        "plain": "Produces structured, evidence-backed policy governance reports for board and senior management consumption, covering AI policy posture, material compliance gaps, risk-adjusted authority metrics, and remediation status. Reports are calibrated to governance-level materiality thresholds and include escalation recommendations.",
        "threat": {
          "context": "Without structured board-level reporting, senior governance bodies lack the evidence needed to exercise meaningful risk oversight of AI policy, creating accountability gaps that regulators and shareholders can challenge.",
          "tags": [
            "escalation-failure",
            "principal-accountability-gap",
            "intent-drift",
            "scope-creep"
          ]
        },
        "standard_references": [
          {
            "id": "coso_erm",
            "section": "Principle 1",
            "title": "Exercises Board Risk Oversight"
          },
          {
            "id": "coso_erm",
            "section": "Principle 20",
            "title": "Reports on risk, culture, and performance"
          },
          {
            "id": "oecd_cg",
            "section": "IV",
            "title": "Disclosure and transparency"
          },
          {
            "id": "soc2",
            "section": "CC2.3",
            "title": "Communicates with external parties"
          }
        ],
        "sources": [
          {
            "id": "src-pe06-01",
            "title": "COSO ERM 2017 \u2014 Board Risk Oversight",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO ERM 2017 \u2014 Board Risk Oversight requirements informing the apeiris://authority/controls/PE-06 Board and Senior Management Policy Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe06-02",
            "title": "COSO ERM 2017 \u2014 Reports on Risk, Culture, and Performance",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO ERM 2017 \u2014 Reports on Risk, Culture, and Performance requirements informing the apeiris://authority/controls/PE-06 Board and Senior Management Policy Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe06-03",
            "title": "G20/OECD Principles of Corporate Governance 2023",
            "authority": "Organisation for Economic Co-operation and Development",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "2023",
            "published_on": "2023-09-11",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.oecd.org/en/publications/2023/09/g20-oecd-principles-of-corporate-governance-2023_60836fcb.html",
            "license": "open-access",
            "status": "current",
            "flagship": false,
            "source_id": "oecd_cg",
            "relationship": "implementation_pattern",
            "rationale": "Establishes OECD Corporate Governance Guidelines \u2014 Disclosure requirements informing the apeiris://authority/controls/PE-06 Board and Senior Management Policy Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe06-04",
            "title": "Example adopter artifact \u2014 Board Reporting and AI Governance Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PE-06 Board and Senior Management Policy Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PE-06 Board and Senior Management Policy Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PE-06 Board and Senior Management Policy Reporting control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PE-06 Board and Senior Management Policy Reporting control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Automated report assembly pipeline that aggregates PE-04 integrated posture data, applies board-level materiality filters, and produces a structured board pack with executive summary, risk-adjusted metrics, and escalation recommendations.",
          "steps": [
            "Define board-level materiality thresholds for AI policy risk metrics (e.g., control coverage below X%, open high-severity gaps exceeding Y days) in consultation with the Chief Risk Officer and General Counsel",
            "Build an automated report assembly workflow that pulls from the PE-04 integrated evidence package, applies materiality filters, and generates a board-ready report with standardized risk indicators",
            "Implement a review-and-sign workflow requiring the Chief Risk Officer and General Counsel to review and digitally sign the report before board distribution, with sign-off events logged in PE-01"
          ],
          "anti_patterns": [
            "Presenting AI risk metrics to the board as raw operational data without materiality filtering or executive framing, making governance-level assessment impossible",
            "Relying on ad-hoc narrative reports without an underlying evidence-mapped posture dataset, making it impossible to drill down on board questions"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that board-level materiality thresholds are documented, approved by the Chief Risk Officer, and reflected in the report assembly workflow filtering logic",
            "Confirm that the report template maps each metric to the underlying evidence source and control reference in the PE-04 integrated package",
            "Review the review-and-sign workflow to ensure CRO and General Counsel sign-off is required before report distribution and is logged"
          ],
          "runtime_tests": [
            "Inject a simulated high-severity gap into the PE-04 integrated package and verify it surfaces in the board report above the materiality threshold",
            "Verify that the CRO and General Counsel digital signatures on the most recent report are valid and traceable to their identity credentials",
            "Confirm that the report distribution log records recipient identities, distribution timestamps, and report version hashes"
          ],
          "evidence": [
            "doc:board-ai-policy-report \u2014 quarterly board-level AI policy governance report with CRO and General Counsel signatures",
            "log:report-review-sign-log \u2014 sign-off audit trail showing reviewer identity, timestamp, and report version hash",
            "log:report-distribution-log \u2014 distribution records showing recipient roles, timestamps, and acknowledgment status",
            "policy:board-reporting-materiality-thresholds \u2014 approved materiality threshold schedule referenced by the report assembly workflow"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "Structured board reporting on AI policy governance creates a documented record of the board's risk oversight activities, which is a key defense against fiduciary duty claims and regulatory accountability inquiries.",
            "actions": [
              "Review and co-sign each quarterly board AI governance report before distribution to confirm legal-risk framing is accurate and complete",
              "Advise on materiality thresholds for legal and regulatory risk metrics to ensure they reflect the organization's actual exposure profile"
            ],
            "failure_signals": [
              "Board reports that omit material legal or regulatory compliance gaps known to counsel at the time of distribution",
              "Absence of documented board action in response to escalated AI authority or compliance risks"
            ]
          },
          "cfo_procurement": {
            "summary": "Board-level AI policy reporting supports the CFO's obligation to ensure material AI-related risks are reflected in financial disclosures and investor communications.",
            "actions": [
              "Review board AI governance reports for material financial risk items before earnings release periods to ensure disclosure consistency",
              "Ensure that AI policy risk metrics that cross materiality thresholds are routed to the disclosure committee for financial reporting consideration"
            ],
            "failure_signals": [
              "AI policy risks surfaced in board reports that were not reflected in concurrent financial risk disclosures",
              "Board reports distributed to the risk committee without CFO review for financial materiality"
            ]
          },
          "risk_officer": {
            "summary": "Board-level reporting is the CRO's primary channel for ensuring the board exercises informed risk oversight of AI policy; report quality directly determines the quality of board governance.",
            "actions": [
              "Review and sign quarterly board AI governance reports before distribution, confirming risk metric accuracy and completeness",
              "Calibrate materiality thresholds annually against the enterprise risk appetite statement approved by the board"
            ],
            "failure_signals": [
              "Board risk committee meeting minutes showing no discussion of AI policy risk despite metrics above materiality thresholds",
              "CRO unable to trace a board-reported metric to its underlying evidence source in the PE-04 integrated package"
            ]
          },
          "grc_auditor": {
            "summary": "Board reporting quality is an auditable governance process; report completeness, timeliness, and evidence traceability are the primary audit indicators.",
            "actions": [
              "Audit quarterly whether board AI governance reports were produced on schedule and signed by required reviewers",
              "Verify that metrics in board reports can be traced to supporting evidence in the PE-04 integrated package"
            ],
            "failure_signals": [
              "Quarterly reporting cycle missed or delayed without documented justification",
              "Board report metrics that cannot be reconciled to the PE-04 integrated evidence package within one business day"
            ],
            "metrics": [
              "Reporting cycle compliance rate: percentage of required quarterly reporting cycles completed on schedule with required signatures",
              "Metric traceability rate: percentage of board-reported AI policy metrics traceable to supporting evidence in the PE-04 package",
              "Escalation response rate: percentage of board-reported material gaps with documented board action or acceptance within 30 days"
            ]
          },
          "board_governance": {
            "summary": "Structured AI policy governance reporting is the mechanism by which the board fulfills its risk oversight obligation with respect to AI; the board must actively engage with escalated items and document its responses.",
            "actions": [
              "Ensure the risk committee agenda includes substantive review of the AI policy governance report each quarter with documented discussion and action items",
              "Formally acknowledge receipt and review of each board AI governance report in meeting minutes, including any escalation responses"
            ],
            "failure_signals": [
              "Risk committee meeting minutes that reference receipt of the AI governance report but contain no substantive discussion",
              "Escalated AI policy risks remaining open beyond 60 days without a board-level acceptance or remediation directive"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "coso_erm",
            "ref": "Principle 1",
            "title": "Exercises Board Risk Oversight",
            "principle_number": 1,
            "component_name": "Governance and Culture",
            "normative_force": "industry-framework",
            "fit": "partial",
            "fit_rationale": "Evidence-backed board policy reports feed the board risk-oversight function, partially implementing Principle 1.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Evidence-backed board policy reports feed the board risk-oversight function, partially implementing Principle 1.",
            "requirement_id": "Principle 1 \u2014 Exercises Board Risk Oversight",
            "relation": "informs"
          },
          {
            "framework": "oecd_cg",
            "ref": "IV",
            "title": "Disclosure and transparency",
            "normative_force": "voluntary-standard",
            "source_version": "2023",
            "fit": "partial",
            "fit_rationale": "Structured board governance reporting supports OECD Chapter IV disclosure and transparency, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Structured board governance reporting supports OECD Chapter IV disclosure and transparency, partially.",
            "requirement_id": "IV \u2014 Disclosure and transparency",
            "relation": "informs"
          },
          {
            "framework": "soc2",
            "ref": "CC2.3",
            "title": "Communicates with external parties",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "Board reporting is internal governance communication, only partially aligned with CC2.3's external-party communication.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Board reporting is internal governance communication, only partially aligned with CC2.3's external-party communication.",
            "requirement_id": "CC2.3 \u2014 Communicates with external parties",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "RSP v3.3 \u2014 Governance (Responsible Scaling Officer and Board Oversight)",
            "rationale": "The RSP's governance provisions assign a Responsible Scaling Officer and place oversight of RSP implementation with Anthropic's board-level governance, including escalation of compliance concerns. Enterprises can reference this structure as a model for routing AI capability and deployment status into their own board risk reporting.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "supporting",
            "fit_rationale": "The RSP's RSO and board-oversight structure is a reference model enterprises can adapt for board risk reporting, providing pattern context.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "openai_preparedness",
            "requirement_id": "Preparedness Framework v2 \u2014 Safety Advisory Group Reporting Model",
            "rationale": "OpenAI's Safety Advisory Group report structure \u2014 an internal advisory body reporting to OpenAI leadership, not an independent board \u2014 demonstrates how capability evaluations, threshold assessments, and deployment conditions can be presented to senior governance bodies. Organizations can adapt this structure for their internal board AI risk committee reporting.",
            "normative_force": "best-practice",
            "source_version": "2",
            "fit": "supporting",
            "fit_rationale": "OpenAI's SAG reporting structure is a reference model for board AI-risk reporting, providing pattern context only.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Audit Manager Custom Frameworks \u2014 Board-Ready Governance Reports",
            "rationale": "AWS Audit Manager custom frameworks can generate board-ready policy governance reports aligned to enterprise risk committee requirements. Assessment reports can be configured to present compliance posture at the level of abstraction appropriate for board review, summarizing AI governance control status across organizational accounts.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Audit Manager custom frameworks generate board-ready governance reports, partially implementing PE-06.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft RAI Transparency Report \u2014 Board Governance Disclosure Model",
            "rationale": "Microsoft's annual Responsible AI Transparency Report provides a public board-level governance disclosure model demonstrating how AI governance program status, incident trends, and improvement actions can be presented to senior stakeholders. Azure Policy compliance dashboards support real-time senior management reporting on AI governance control adherence.",
            "normative_force": "best-practice",
            "fit": "supporting",
            "fit_rationale": "Microsoft's public RAI transparency report is a board-disclosure reference model, providing pattern context only.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "public-company-governance"
        ],
        "implementers": [
          "Chief Risk Officer",
          "General Counsel",
          "Board Secretary"
        ],
        "validation_objective": "Quarterly AI policy governance reports must be produced on schedule, reviewed, and co-signed by both the Chief Risk Officer and General Counsel, with every reported metric traceable to a supporting evidence item in the PE-04 integrated package. All risk items exceeding the board-approved materiality thresholds must appear in the report with prioritized escalation recommendations and documented board response within 30 days.",
        "evidence_required": [
          "board_ai_policy_governance_report with executive summary, risk-adjusted metrics, open gap inventory, and escalation recommendations, dated within the quarterly reporting cycle and referencing the PE-04 integrated package version used",
          "report_sign_off_log showing CRO identity, General Counsel identity, individual sign-off timestamps, and SHA-256 hash of the signed report version to detect post-signature modification",
          "materiality_threshold_schedule approved by the CRO and version-controlled, defining numeric thresholds for AI policy risk metrics that trigger mandatory board-level reporting and escalation",
          "report_distribution_log recording recipient role, distribution timestamp, and acknowledgment status for each quarterly report to confirm the board actually received the report"
        ],
        "machine_tests": [
          "Inject a simulated high-severity control gap into the PE-04 integrated package \u2192 assert the report assembly workflow includes the gap in the report output above the defined materiality threshold with an escalation recommendation",
          "Compute SHA-256 of the most recent distributed board report and compare to the hash in the report_sign_off_log \u2192 assert values match, confirming no post-signature modification",
          "Check the report distribution timestamp against the quarterly schedule defined in the board reporting policy \u2192 assert the report was distributed within the policy-defined window"
        ],
        "human_review": [
          "Review the materiality threshold schedule to verify thresholds are calibrated to the organization's actual AI risk exposure and are not set so high as to suppress all escalation items, creating a false appearance of governance health",
          "Assess whether board risk committee meeting minutes show substantive engagement with the AI governance report, including documented discussion of escalated items and formal action directives",
          "Verify that AI policy risk items escalated in the most recent report have corresponding board-level acceptance or remediation directives logged within 30 days of report distribution"
        ],
        "blocking_effect": "requires-review",
        "normative_status": "industry-framework",
        "anti_patterns": [
          "Presenting raw operational AI risk metrics to the board without materiality filtering or executive framing, overwhelming governance bodies with data that cannot support board-level risk decision making",
          "Distributing the board AI governance report without documented CRO and General Counsel co-signature, removing the accountability link between the reporting function and senior management reviewers",
          "Producing board reports with metrics that cannot be traced back to specific evidence items in the PE-04 integrated package, making the report unverifiable when challenged by auditors or regulators",
          "Setting board-level materiality thresholds so high that no AI policy risk item ever exceeds them, creating a structurally suppressed reporting channel that never triggers board escalation",
          "Reusing the same report structure and metric set year over year without recalibrating to reflect the organization's evolving AI deployment footprint and applicable regulatory requirements"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PE"
      },
      {
        "id": "PE-07",
        "name": "Policy Governance Program Assessment",
        "canonical_id": "apeiris://authority/controls/PE-07",
        "layer": "PE",
        "prefix": "PE",
        "plane": "lifecycle",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": false,
        "plain": "Performs periodic structured assessments of the enterprise AI policy governance program against established maturity models and framework benchmarks, producing a scored maturity report with prioritized improvement recommendations. Assessment results drive the annual policy governance roadmap and feed into senior management performance objectives.",
        "threat": {
          "context": "Without periodic program-level assessment, policy governance activities may address individual control gaps without improving the underlying program capability, leaving structural weaknesses that accumulate into systemic failures.",
          "tags": [
            "policy-bypass",
            "scope-creep",
            "internal-policy-violation",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "iso_37301",
            "section": "\u00a79.2",
            "title": "Internal audit"
          },
          {
            "id": "iso_42001",
            "section": "\u00a79.2",
            "title": "Internal audit"
          },
          {
            "id": "nist_rmf",
            "section": "MANAGE 4.1",
            "title": "Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management"
          },
          {
            "id": "coso_erm",
            "section": "Principle 18",
            "title": "Leverages information and technology"
          }
        ],
        "sources": [
          {
            "id": "src-pe07-01",
            "title": "ISO 37301:2021 \u2014 Internal Audit",
            "authority": "International Organization for Standardization",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2021",
            "published_on": "2021-04-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/75080.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_37301",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 37301:2021 \u2014 Internal Audit requirements informing the apeiris://authority/controls/PE-07 Policy Governance Program Assessment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe07-02",
            "title": "NIST AI RMF 1.0 \u2014 Improve 1.1",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI RMF 1.0 \u2014 Improve 1.1 requirements informing the apeiris://authority/controls/PE-07 Policy Governance Program Assessment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe07-03",
            "title": "COSO ERM 2017 \u2014 Leverages Information and Technology",
            "authority": "Committee of Sponsoring Organizations of the Treadway Commission",
            "source_type": "framework",
            "normative_force": "industry-framework",
            "version": "2017",
            "published_on": "2017-09-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.coso.org/guidance-erm",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "coso_erm",
            "relationship": "implementation_pattern",
            "rationale": "Establishes COSO ERM 2017 \u2014 Leverages Information and Technology requirements informing the apeiris://authority/controls/PE-07 Policy Governance Program Assessment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe07-04",
            "title": "Example adopter artifact \u2014 AI Policy Governance Program Review Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "microsoft_rai_standard_v2_2022",
            "title": "Microsoft Responsible AI Standard v2",
            "authority": "Microsoft Corporation",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2022-06-21",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.microsoft.com/en-us/ai/responsible-ai",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "microsoft_rai_standard_v2_2022",
            "relationship": "informative_reference",
            "rationale": "Establishes Microsoft Responsible AI Standard v2 requirements informing the apeiris://authority/controls/PE-07 Policy Governance Program Assessment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PE-07 Policy Governance Program Assessment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PE-07 Policy Governance Program Assessment control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "google_org_policy_service_2024",
            "title": "Google Cloud Organization Policy Service",
            "authority": "Google LLC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cloud.google.com/resource-manager/docs/organization-policy/overview",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "google_org_policy_service_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes Google Cloud Organization Policy Service requirements informing the apeiris://authority/controls/PE-07 Policy Governance Program Assessment control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Annual structured maturity assessment using a defined capability maturity model, scored against objective evidence drawn from the PE-01 archive and PE-04 integrated package, with findings mapped to a prioritized improvement roadmap.",
          "steps": [
            "Select and document the maturity model (e.g., CMMI, a COBIT-based capability maturity assessment, or a custom AI governance maturity model aligned to ISO 42001 and NIST AI RMF), with scoring criteria approved by the Chief Risk Officer",
            "Conduct the annual assessment by mapping evidence from the PE-01 archive and PE-04 integrated package to each maturity dimension, scoring objectively against the rubric and identifying gaps",
            "Produce a scored maturity report with a prioritized improvement roadmap, assign ownership of each recommendation to named roles, and track completion in the GRC platform through the next assessment cycle"
          ],
          "anti_patterns": [
            "Conducting program assessments using self-reported capability claims without mapping to archived evidence, producing optimistic scores that do not reflect actual capability",
            "Treating the annual assessment as a standalone activity rather than the input to an improvement roadmap with tracked owners and target dates"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that the selected maturity model and scoring rubric are documented, version-controlled, and approved by the Chief Risk Officer",
            "Confirm that each maturity dimension in the scoring rubric maps to specific evidence types that can be retrieved from the PE-01 archive or PE-04 integrated package",
            "Review whether improvement recommendations from the prior assessment cycle have assigned owners and target dates tracked in the GRC platform"
          ],
          "runtime_tests": [
            "Retrieve the most recent maturity assessment report and verify that each score is backed by evidence citations referencing specific items in the PE-01 archive",
            "Verify that improvement roadmap items from the prior cycle are tracked in the GRC platform with current completion status",
            "Confirm that the Chief Risk Officer's review and sign-off on the most recent assessment is logged in PE-01"
          ],
          "evidence": [
            "doc:policy-governance-maturity-assessment \u2014 scored maturity report with evidence citations and improvement roadmap",
            "doc:maturity-model-scoring-rubric \u2014 approved scoring rubric with evidence-type mappings per dimension",
            "log:improvement-roadmap-tracking-log \u2014 GRC platform tracking records showing recommendation status, owners, and target dates",
            "authority:cro-assessment-sign-off \u2014 Chief Risk Officer sign-off record for the most recent assessment"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "A documented, evidence-backed program maturity assessment demonstrates that the organization actively monitors and improves its AI governance capability, which is a key factor in regulatory enforcement discretion decisions.",
            "actions": [
              "Review the annual maturity assessment for legal and regulatory risk dimensions and confirm that legal function input is reflected in the improvement roadmap",
              "Ensure the maturity assessment report is retained in the PE-01 archive as part of the compliance management system documentation"
            ],
            "failure_signals": [
              "Annual maturity assessment not conducted on schedule or lacking evidence citations, undermining its credibility in regulatory proceedings",
              "Legal and regulatory risk dimensions scored at initial maturity for multiple consecutive cycles without improvement roadmap action"
            ]
          },
          "cfo_procurement": {
            "summary": "Program maturity assessment results provide the business case for governance investment; lower maturity in high-risk dimensions translates directly to quantifiable financial risk exposure.",
            "actions": [
              "Use maturity assessment findings to prioritize AI governance investment in the annual budget cycle",
              "Ensure that the improvement roadmap includes cost estimates for each recommendation to enable budget planning"
            ],
            "failure_signals": [
              "Maturity assessment identifying high-priority gaps that are not funded in the subsequent budget cycle",
              "Repeated low maturity scores in financially material dimensions without commensurate improvement investment"
            ]
          },
          "risk_officer": {
            "summary": "Program assessment provides the only enterprise-level view of structural capability gaps in AI policy governance; maturity trends over time are the leading indicator of systemic risk accumulation.",
            "actions": [
              "Review and sign off on the annual maturity assessment before presentation to the board, confirming the scoring reflects the actual evidence base",
              "Include maturity trend data in the board risk reporting cadence so the board can assess improvement trajectory over time"
            ],
            "failure_signals": [
              "Maturity scores declining or stagnant across multiple dimensions for two or more consecutive assessment cycles",
              "Improvement roadmap items from the prior cycle remaining incomplete without documented justification at the time of the next assessment"
            ]
          },
          "grc_auditor": {
            "summary": "The program maturity assessment is an auditable process; assessment methodology, evidence citation quality, and improvement roadmap tracking are the primary audit indicators.",
            "actions": [
              "Verify annually that maturity scores are backed by evidence citations that can be retrieved from PE-01 and are not self-reported",
              "Audit improvement roadmap tracking completeness and verify that items are not silently closed without documented remediation evidence"
            ],
            "failure_signals": [
              "Maturity dimension scores that cannot be traced to specific evidence in the PE-01 archive",
              "Improvement roadmap items marked complete without corresponding remediation evidence in the GRC platform"
            ],
            "metrics": [
              "Assessment schedule compliance rate: whether the annual assessment is completed within the policy-defined window",
              "Evidence citation rate: percentage of scored maturity dimensions backed by retrievable PE-01 evidence citations",
              "Roadmap completion rate: percentage of prior-cycle improvement recommendations completed by the next assessment cycle"
            ]
          },
          "board_governance": {
            "summary": "Annual program maturity assessment results inform the board's understanding of the organization's AI governance capability trajectory and the adequacy of investment in governance improvement.",
            "actions": [
              "Request that the annual maturity assessment results and improvement roadmap be presented to the board's risk committee before the annual governance investment budget is finalized",
              "Set a board-level expectation for minimum target maturity levels in high-risk governance dimensions and track progress against those targets annually"
            ],
            "failure_signals": [
              "Board unable to track governance capability improvement trajectory due to inconsistent or unevidenced assessment methodology",
              "Improvement roadmap not presented to the board before budget finalization, resulting in underfunded governance gaps"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "defined"
        },
        "frameworks": [
          {
            "framework": "iso_37301",
            "ref": "\u00a79.2",
            "title": "Internal audit",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "A periodic maturity assessment of the governance program partially reflects \u00a79.2 internal audit, though it is a maturity evaluation.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A periodic maturity assessment of the governance program partially reflects \u00a79.2 internal audit, though it is a maturity evaluation.",
            "requirement_id": "\u00a79.2 \u2014 Internal audit",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_42001",
            "ref": "\u00a79.2",
            "title": "Internal audit",
            "normative_force": "certification-standard",
            "fit": "partial",
            "fit_rationale": "Structured program maturity assessment partially aligns with \u00a79.2 internal audit of the AIMS.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Structured program maturity assessment partially aligns with \u00a79.2 internal audit of the AIMS.",
            "requirement_id": "\u00a79.2 \u2014 Internal audit",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "MANAGE 4.1",
            "title": "Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management",
            "normative_force": "voluntary-standard",
            "fit": "adjacent",
            "fit_rationale": "Annual program maturity assessment is a governance evaluation, only loosely related to MANAGE 4.1 post-deployment monitoring.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "Annual program maturity assessment is a governance evaluation, only loosely related to MANAGE 4.1 post-deployment monitoring.",
            "requirement_id": "MANAGE 4.1 \u2014 Post-deployment AI system monitoring plans are implemented, including mechanisms for incident response, recovery, and change management",
            "relation": "equivalent_to"
          },
          {
            "framework": "coso_erm",
            "ref": "Principle 18",
            "title": "Leverages information and technology",
            "principle_number": 18,
            "component_name": "Information, Communication, and Reporting",
            "normative_force": "industry-framework",
            "fit": "adjacent",
            "fit_rationale": "Evidence-based program assessment uses information but is not the information-and-technology leverage Principle 18 addresses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "Evidence-based program assessment uses information but is not the information-and-technology leverage Principle 18 addresses.",
            "requirement_id": "Principle 18 \u2014 Leverages information and technology",
            "relation": "informs"
          },
          {
            "framework": "openai_preparedness",
            "requirement_id": "Preparedness Framework v2 \u2014 Safety Advisory Group Review",
            "rationale": "OpenAI's Safety Advisory Group reviews Preparedness evaluations and mitigations before deployment. It is an internal advisory body rather than an independent assessor, so it demonstrates structured internal challenge; organizations seeking genuinely independent program assessment must add external review on top of this pattern.",
            "normative_force": "best-practice",
            "source_version": "2",
            "fit": "supporting",
            "fit_rationale": "OpenAI's SAG internal challenge is a reference pattern; genuinely independent assessment needs added external review, so it is context.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "google_org_policy",
            "requirement_id": "Google Cloud Custom Org Policy \u2014 Governance Program Coverage Assessment",
            "rationale": "Google Cloud Custom Organization Policy's extensibility enables systematic assessment of whether governance program constraints cover all required risk domains. Organizations can use Custom Org Policy to implement governance program assessment checks as automated policy evaluations, verifying that all declared governance program objectives are reflected in enforced constraints.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Custom Org Policy checks can verify governance-program constraint coverage, partially supporting program assessment.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "microsoft_rai",
            "requirement_id": "Microsoft RAI Red Team Operations \u2014 Independent Program Assessment",
            "rationale": "Microsoft's Responsible AI program assessment includes red team operations (67 operations in 2024 covering all flagship Azure OpenAI models) and external transparency reporting that provide structured independent evaluation of AI governance program effectiveness. Microsoft's program assessment model can inform enterprise AI governance program assessment design.",
            "normative_force": "best-practice",
            "fit": "supporting",
            "fit_rationale": "Microsoft's red-team-based program assessment is a reference model informing enterprise assessment design, providing pattern context.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "equivalent_to"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "GRC Auditor",
          "Chief Risk Officer",
          "Compliance Officer"
        ],
        "validation_objective": "An annual structured maturity assessment of the enterprise AI policy governance program must be completed within the policy-defined window, using the CRO-approved scoring rubric, with every scored dimension backed by at least one retrievable evidence citation from the PE-01 archive. The resulting improvement roadmap must assign a named owner and target completion date to each recommendation, with all items tracked in the GRC platform through the subsequent assessment cycle.",
        "evidence_required": [
          "policy_governance_maturity_assessment_report with dimension scores, evidence citations referencing specific PE-01 archive items by document ID, and improvement recommendations with priority ranking and business justification",
          "maturity_model_scoring_rubric version-controlled and CRO-approved, with explicit evidence-type requirements per dimension specifying which artifact types constitute acceptable evidence",
          "grc_platform_roadmap_tracking_export showing all prior-cycle improvement recommendations with current status, assigned owner, and target completion date as of the assessment date",
          "cro_assessment_sign_off_record with CRO identity, sign-off timestamp, and SHA-256 hash of the signed assessment report version"
        ],
        "machine_tests": [
          "Query the GRC platform for all improvement roadmap items from the prior assessment cycle \u2192 assert each item has an assigned owner email, a target completion date, and a non-null current status value",
          "Parse the most recent maturity assessment report and cross-reference each dimension score against its PE-01 archive evidence citations \u2192 assert every scored dimension has at least one citation with a retrievable document ID",
          "Compare the assessment completion timestamp to the policy-defined annual assessment window \u2192 assert the assessment was completed within the required schedule, flagging overdue assessments"
        ],
        "human_review": [
          "Review the maturity scoring rubric to confirm that each dimension maps to concrete, retrievable evidence types rather than self-reported capability claims, and that the rubric was updated within the past 24 months to reflect current regulatory benchmarks",
          "Assess whether improvement roadmap items marked complete in the GRC platform are accompanied by documented remediation evidence in PE-01, or were silently closed without evidence of actual capability advancement",
          "Verify that the annual assessment findings were presented to the board risk committee before the subsequent budget cycle and that the committee's formal response is documented in board minutes"
        ],
        "blocking_effect": "advisory",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Scoring maturity dimensions based on self-reported capability statements from program owners without requiring retrieval and review of archived evidence, producing optimistic scores that do not withstand external audit challenge",
          "Conducting the maturity assessment as a compliance checkbox without connecting findings to a funded improvement roadmap with owner accountability, leaving structural program weaknesses unaddressed between assessment cycles",
          "Using a scoring rubric that has not been recalibrated against current regulatory requirements and industry benchmarks, making maturity scores incomparable to the external governance standards the organization is evaluated against",
          "Allowing the same team responsible for implementing governance controls to independently assess their own maturity without an independent review or challenge function, creating self-assessment bias in program scores",
          "Closing improvement roadmap items in the GRC platform based on declared remediation intent without evidence validation, inflating program improvement metrics without verifiable capability advancement"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "layer_code": "PE"
      },
      {
        "id": "PE-08",
        "name": "Policy Attestation",
        "canonical_id": "apeiris://authority/controls/PE-08",
        "layer": "PE",
        "prefix": "PE",
        "plane": "lifecycle",
        "capability_risk": {
          "capability_level": "none"
        },
        "baseline": true,
        "plain": "Produces the domain capstone PolicyAttestation artifact that asserts the enterprise AI policy governance posture is evidenced, current, and within defined authority parameters. Valid PolicyAttestation requires apeiris://identity/controls/IC-08 (IdentityAttestation) and apeiris://data/controls/DV-08 (DataGovernanceAttestation) as peer attestation prerequisites before issuance.",
        "threat": {
          "context": "Without a capstone policy attestation, the enterprise AI governance posture cannot be reliably asserted to regulators, auditors, or counterparties; gaps in any contributing domain go undetected until a material failure surfaces externally.",
          "tags": [
            "policy-bypass",
            "principal-accountability-gap",
            "authority-limit-breach",
            "escalation-failure"
          ]
        },
        "standard_references": [
          {
            "id": "iso_42001",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "iso_37301",
            "section": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation"
          },
          {
            "id": "nist_rmf",
            "section": "GOVERN 1.4",
            "title": "The risk management process and its outcomes are established through transparent policies and procedures"
          },
          {
            "id": "soc2",
            "section": "CC3.1",
            "title": "COSO Principle 6 \u2014 Specifies suitable objectives"
          }
        ],
        "sources": [
          {
            "id": "src-pe08-01",
            "title": "ISO 42001:2023 \u2014 Monitoring, Measurement, Analysis and Evaluation",
            "authority": "International Organization for Standardization / International Electrotechnical Commission",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "2023",
            "published_on": "2023-12-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.iso.org/standard/81230.html",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "iso_42001",
            "relationship": "normative_requirement",
            "rationale": "Establishes ISO 42001:2023 \u2014 Monitoring, Measurement, Analysis and Evaluation requirements informing the apeiris://authority/controls/PE-08 Policy Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe08-02",
            "title": "NIST AI RMF 1.0 \u2014 Organizational Governance",
            "authority": "National Institute of Standards and Technology",
            "source_type": "standard",
            "normative_force": "voluntary-standard",
            "version": "1.0",
            "published_on": "2023-01-26",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://doi.org/10.6028/NIST.AI.100-1",
            "license": "public-domain",
            "status": "current",
            "flagship": false,
            "source_id": "nist_rmf",
            "relationship": "implementation_pattern",
            "rationale": "Establishes NIST AI RMF 1.0 \u2014 Organizational Governance requirements informing the apeiris://authority/controls/PE-08 Policy Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe08-03",
            "title": "SOC 2 \u2014 COSO Principle 6: Specifies Suitable Objectives",
            "authority": "American Institute of Certified Public Accountants",
            "source_type": "standard",
            "normative_force": "certification-standard",
            "version": "TSC 2017",
            "published_on": "2017-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022",
            "license": "proprietary",
            "status": "current",
            "flagship": false,
            "source_id": "aicpa-soc2",
            "relationship": "normative_requirement",
            "rationale": "Establishes SOC 2 \u2014 COSO Principle 6: Specifies Suitable Objectives requirements informing the apeiris://authority/controls/PE-08 Policy Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "src-pe08-04",
            "title": "Example adopter artifact \u2014 Delegation of Authority and Policy Attestation Policy (supplied by the deploying organization)",
            "authority": "Deploying organization (example)",
            "source_type": "internal-policy",
            "normative_force": "internal-policy",
            "version": "1.0",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-29",
            "canonical_url": "",
            "license": "proprietary",
            "status": "current",
            "flagship": false
          },
          {
            "id": "aws_organizations_scp_2024",
            "title": "AWS Organizations: Service Control Policies & Control Tower",
            "authority": "Amazon Web Services, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2024",
            "published_on": "2024-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "aws_organizations_scp_2024",
            "relationship": "informative_reference",
            "rationale": "Establishes AWS Organizations: Service Control Policies & Control Tower requirements informing the apeiris://authority/controls/PE-08 Policy Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "openai_preparedness_fw_v2",
            "title": "OpenAI Preparedness Framework v2",
            "authority": "OpenAI, L.L.C.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2",
            "published_on": "2025-04-15",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64-68cdfbddebcd/preparedness-framework-v2.pdf",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "openai_preparedness",
            "relationship": "informative_reference",
            "rationale": "Establishes OpenAI Preparedness Framework v2 requirements informing the apeiris://authority/controls/PE-08 Policy Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "okta_authz_server_2025",
            "title": "Okta Authorization Servers & Fine-Grained Authorization",
            "authority": "Okta, Inc.",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "2025",
            "published_on": "2025-01-01",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://developer.okta.com/docs/concepts/auth-servers/",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "okta_authz_server_2025",
            "relationship": "informative_reference",
            "rationale": "Establishes Okta Authorization Servers & Fine-Grained Authorization requirements informing the apeiris://authority/controls/PE-08 Policy Attestation control.",
            "reviewed_on": "2026-07-01"
          },
          {
            "id": "anthropic_rsp_2024",
            "title": "Anthropic Responsible Scaling Policy (RSP) v3.3",
            "authority": "Anthropic, PBC",
            "source_type": "vendor-guidance",
            "normative_force": "best-practice",
            "version": "3.3",
            "published_on": "2026-05-26",
            "retrieved_on": "2026-06-28",
            "canonical_url": "https://www.anthropic.com/responsible-scaling-policy",
            "license": "proprietary-free",
            "status": "current",
            "flagship": false,
            "source_id": "anthropic_rsp",
            "relationship": "informative_reference",
            "rationale": "Establishes Anthropic Responsible Scaling Policy (RSP) requirements informing the apeiris://authority/controls/PE-08 Policy Attestation control.",
            "reviewed_on": "2026-07-01"
          }
        ],
        "implementation": {
          "pattern": "Automated attestation assembly workflow that validates peer prerequisites (IC-08 and DV-08), aggregates evidence from all PE-layer controls and the cross-domain package, and produces a signed PolicyAttestation artifact with a structured verdict, blocking effect, and validity window.",
          "steps": [
            "Verify that valid, unexpired IdentityAttestation (apeiris://identity/controls/IC-08) and DataGovernanceAttestation (apeiris://data/controls/DV-08) artifacts exist before initiating attestation assembly; block issuance if either prerequisite is absent or expired",
            "Aggregate the current PE-layer evidence set from the PE-01 archive and PE-04 cross-domain integrated package, compute control coverage and gap scores, and apply the attestation verdict logic to produce a pass/conditional/fail verdict with confidence score",
            "Produce the PolicyAttestation artifact conforming to the Apeiris evidence ontology schema (apeiris-control-core/evidence.schema.json), sign with Ed25519 over the SHA-256 of the artifact, and log the issuance event with co-signatory records in PE-01"
          ],
          "anti_patterns": [
            "Issuing PolicyAttestation without first verifying IC-08 and DV-08 peer prerequisites, producing an attestation that does not reflect the full cross-domain governance posture",
            "Producing attestation artifacts with a 'pass' verdict when contributing controls have unresolved high-severity gaps, overstating the governance posture to regulators and auditors"
          ]
        },
        "validation": {
          "design_checks": [
            "Verify that the attestation assembly workflow enforces a hard block on issuance when IC-08 or DV-08 peer prerequisites are absent, expired, or carry a 'fail' verdict",
            "Confirm that the PolicyAttestation artifact schema includes all required fields from the Apeiris evidence ontology: evidence_id, actor, intent, action, resource, policy, obligation, verdict, blocking_effect, confidence, confidence_basis, collected_at, valid_from, valid_until, integrity.hash, and integrity.signature",
            "Review the co-signatory workflow to ensure General Counsel sign-off is required before the attestation is submitted to the enterprise risk register or shared externally"
          ],
          "runtime_tests": [
            "Remove the IC-08 prerequisite attestation and verify the assembly workflow blocks PolicyAttestation issuance with a clear prerequisite-not-met error",
            "Issue a PolicyAttestation for a test scope and verify that the Ed25519 signature over the SHA-256 hash is valid and traceable to the AI Governance Lead's signing key",
            "Confirm that the issued PolicyAttestation appears in the PE-01 archive within five minutes of issuance with a matching hash entry"
          ],
          "evidence": [
            "authority:policy-attestation-artifact \u2014 signed PolicyAttestation artifact with verdict, confidence score, validity window, and integrity block",
            "log:attestation-issuance-log \u2014 issuance event record showing prerequisite check results, assembly timestamp, and co-signatory identities",
            "policy:doa-policy-v4.2 \u2014 Delegation of Authority Policy version 4.2 governing attestation issuance authority and co-signatory requirements",
            "doc:peer-prerequisite-check-report \u2014 evidence that IC-08 and DV-08 were verified as valid and unexpired before attestation assembly",
            "test:attestation-schema-validation-report \u2014 schema validation results confirming the artifact conforms to the Apeiris evidence ontology"
          ]
        },
        "lenses": {
          "general_counsel": {
            "summary": "The PolicyAttestation is the organization's formal legal assertion of AI policy governance posture; as required co-signatory, General Counsel bears responsibility for confirming the evidentiary basis before signing.",
            "actions": [
              "Review the attestation evidence summary and peer prerequisite verification records before co-signing each quarterly PolicyAttestation",
              "Ensure the PolicyAttestation is treated as a legal document subject to the same retention and hold obligations as other compliance certifications"
            ],
            "failure_signals": [
              "PolicyAttestation issued without General Counsel co-signature in violation of the DOA Policy v4.2 requirement",
              "Attestation verdict of 'pass' issued when the evidence summary shows unresolved high-severity gaps known to counsel"
            ]
          },
          "cfo_procurement": {
            "summary": "A valid, current PolicyAttestation is increasingly a prerequisite for enterprise AI procurement contracts and regulatory filings; its absence creates commercial and compliance risk.",
            "actions": [
              "Include PolicyAttestation validity as a contract condition in enterprise AI vendor agreements requiring policy governance assurance",
              "Ensure quarterly attestation budget and scheduling are protected from deferral during budget cycles"
            ],
            "failure_signals": [
              "Expired PolicyAttestation at the time of a material customer audit or regulatory filing",
              "Procurement contracts executed without a current PolicyAttestation in place where contractually required"
            ]
          },
          "risk_officer": {
            "summary": "The PolicyAttestation verdict is the enterprise-level risk summary for AI policy governance; a conditional or fail verdict requires immediate escalation to senior management and the board.",
            "actions": [
              "Review the PolicyAttestation verdict and confidence score at each quarterly cycle and include the result in the board risk report",
              "Establish and communicate a formal escalation protocol for conditional or fail verdicts that triggers within 24 hours of attestation issuance"
            ],
            "failure_signals": [
              "PolicyAttestation verdict of 'conditional' or 'fail' not escalated to senior management within the defined escalation window",
              "Confidence score below the defined minimum threshold issued without a documented risk acceptance record"
            ]
          },
          "grc_auditor": {
            "summary": "The PolicyAttestation is the most auditable artifact in the PE layer; artifact schema compliance, prerequisite verification, and issuance cadence are the primary indicators of program maturity.",
            "actions": [
              "Verify each issued PolicyAttestation against the full Apeiris evidence ontology schema and confirm all mandatory fields are present and non-null",
              "Audit that IC-08 and DV-08 prerequisite check records accompany each issued attestation and that prerequisite artifact hashes are embedded in the issuance log"
            ],
            "failure_signals": [
              "PolicyAttestation artifacts missing mandatory evidence ontology fields such as blocking_effect, confidence_basis, or integrity.signature",
              "Issuance log entries where prerequisite IC-08 or DV-08 artifact hashes are absent or correspond to expired artifacts"
            ],
            "metrics": [
              "Attestation issuance cadence: number of PolicyAttestation artifacts issued on schedule versus required quarterly cadence",
              "Schema compliance rate: percentage of issued artifacts passing full evidence ontology schema validation",
              "Prerequisite satisfaction rate: percentage of issuances where both IC-08 and DV-08 prerequisites were valid and unexpired at time of issuance"
            ]
          },
          "board_governance": {
            "summary": "The PolicyAttestation verdict is the board's primary governance signal for AI policy posture; a fail or conditional verdict at the domain capstone level requires board-level escalation and documented response.",
            "actions": [
              "Require that the quarterly PolicyAttestation verdict and confidence score be included in every board risk committee agenda as a standing item",
              "Establish board-level acceptance criteria for attestation verdicts and require documented board action for any verdict below 'pass'"
            ],
            "failure_signals": [
              "Board meeting records showing no discussion of the PolicyAttestation verdict in a quarter where the verdict was conditional or fail",
              "PolicyAttestation lapse (expiry without renewal) for more than 30 days without a board-level risk acceptance record"
            ]
          }
        },
        "maturity": {
          "current": "initial",
          "target": "managed"
        },
        "frameworks": [
          {
            "framework": "iso_42001",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "The capstone attestation asserts posture but is an evidence artifact, not the \u00a79.1 monitoring activity itself.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "The capstone attestation asserts posture but is an evidence artifact, not the \u00a79.1 monitoring activity itself.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "iso_37301",
            "ref": "\u00a79.1",
            "title": "Monitoring, measurement, analysis and evaluation",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "PolicyAttestation certifies posture rather than performing the \u00a79.1 monitoring and evaluation function.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "PolicyAttestation certifies posture rather than performing the \u00a79.1 monitoring and evaluation function.",
            "requirement_id": "\u00a79.1 \u2014 Monitoring, measurement, analysis and evaluation",
            "relation": "equivalent_to"
          },
          {
            "framework": "nist_rmf",
            "ref": "GOVERN 1.4",
            "title": "The risk management process and its outcomes are established through transparent policies and procedures",
            "normative_force": "voluntary-standard",
            "fit": "partial",
            "fit_rationale": "A signed attestation of policy posture reflects GOVERN 1.4 transparent, documented outcomes, partially.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "rationale": "A signed attestation of policy posture reflects GOVERN 1.4 transparent, documented outcomes, partially.",
            "requirement_id": "GOVERN 1.4 \u2014 The risk management process and its outcomes are established through transparent policies and procedures",
            "relation": "equivalent_to"
          },
          {
            "framework": "soc2",
            "ref": "CC3.1",
            "title": "COSO Principle 6 \u2014 Specifies suitable objectives",
            "normative_force": "certification-standard",
            "fit": "adjacent",
            "fit_rationale": "The attestation certifies posture against parameters but is not the objective-setting CC3.1 addresses.",
            "fit_assessed_on": "2026-07-03",
            "basis": "asserted",
            "rationale": "The attestation certifies posture against parameters but is not the objective-setting CC3.1 addresses.",
            "requirement_id": "CC3.1 \u2014 COSO Principle 6 \u2014 Specifies suitable objectives",
            "relation": "equivalent_to"
          },
          {
            "framework": "anthropic_rsp",
            "requirement_id": "RSP v3.3 \u2014 Safeguards Assessment and Risk Report",
            "rationale": "The RSP's documented safeguards assessments and risk reports \u2014 approved through internal governance before deployment \u2014 are formal artifacts recording that required evaluations were completed and that the required safeguards are in place. They are the closest RSP analog of a policy attestation artifact, though they attest Anthropic's own deployment decisions rather than deployer policy compliance.",
            "normative_force": "best-practice",
            "source_version": "3.3",
            "fit": "adjacent",
            "fit_rationale": "The RSP's signed safeguards report is the closest vendor analog of a policy attestation but attests Anthropic's own deployments.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "openai_preparedness",
            "requirement_id": "Preparedness Framework v2 \u2014 System Cards and Safeguards Reports",
            "rationale": "OpenAI's published system cards and safeguards reports record that capability evaluations across the framework's Tracked Categories were completed and that deployment thresholds were satisfied. System cards function as the public deployment attestation document for OpenAI models, providing external verifiability that the framework's process was applied.",
            "normative_force": "best-practice",
            "source_version": "2",
            "fit": "adjacent",
            "fit_rationale": "System cards are OpenAI's deployment attestation analog, not the deployer-side PolicyAttestation this control produces.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "aws_organizations",
            "requirement_id": "AWS Audit Manager \u2014 Automated Policy Attestation Artifact Generation",
            "rationale": "AWS Audit Manager automated evidence collection generates policy attestation artifacts that link control implementations to compliance requirements. Audit Manager assessment reports can be used as policy attestation packages certifying that all governance control requirements are implemented, evidenced, and current as of the attestation date.",
            "normative_force": "best-practice",
            "fit": "partial",
            "fit_rationale": "Audit Manager assessment reports can serve as policy attestation packages certifying control implementation, partially implementing PE-08.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          },
          {
            "framework": "okta_authz",
            "requirement_id": "Okta Authorization Server \u2014 Signed Token Claims as Authorization Evidence",
            "rationale": "Okta authorization server access tokens are signed JWTs whose claims record the scopes granted by policy evaluation at issuance: the signature verifies issuer and integrity, and expiry bounds freshness. Each token is therefore a narrowly scoped, verifiable record that policy evaluation occurred for that authorization decision \u2014 useful attestation evidence, but not a general-purpose policy attestation artifact.",
            "normative_force": "best-practice",
            "fit": "adjacent",
            "fit_rationale": "Signed JWT claims are narrow per-authorization attestation evidence, not the general-purpose PolicyAttestation artifact.",
            "fit_assessed_on": "2026-07-03",
            "basis": "anchored",
            "relation": "informs"
          }
        ],
        "tiers": [
          "universal-enterprise"
        ],
        "implementers": [
          "AI Governance Lead",
          "General Counsel",
          "GRC Auditor"
        ],
        "validation_objective": "A valid PolicyAttestation artifact must exist and must have been issued only after confirming that both IC-08 (IdentityAttestation) and DV-08 (DataGovernanceAttestation) peer prerequisites are current and carry a non-fail verdict. The artifact must conform to the full Apeiris evidence ontology schema with all mandatory fields populated, and must carry a valid Ed25519 signature over the SHA-256 hash of the artifact body, with General Counsel co-signature recorded in the issuance log.",
        "evidence_required": [
          "policy_attestation_artifact conforming to apeiris-control-core/evidence.schema.json with all mandatory evidence ontology fields populated: evidence_id, actor, intent, action, resource, policy, obligation, verdict, blocking_effect, confidence, confidence_basis, collected_at, valid_from, valid_until, integrity.hash (SHA-256), and integrity.signature (Ed25519)",
          "attestation_issuance_log entry showing IC-08 and DV-08 prerequisite artifact canonical IDs and hashes, validity check results, assembly timestamp, and co-signatory identities with timestamps",
          "peer_prerequisite_check_report confirming both apeiris://identity/controls/IC-08 IdentityAttestation and apeiris://data/controls/DV-08 DataGovernanceAttestation were verified as valid and unexpired immediately before assembly initiation",
          "attestation_schema_validation_report confirming the issued PolicyAttestation artifact passes full evidence ontology schema validation with zero missing mandatory fields",
          "doa_policy_co_signatory_record showing General Counsel identity, sign-off timestamp, and reference to the DOA Policy version (e.g., v4.2) that governs attestation issuance authority"
        ],
        "machine_tests": [
          "Remove the IC-08 prerequisite attestation artifact and invoke the attestation assembly workflow \u2192 assert the workflow returns a prerequisite-not-met error referencing IC-08 and produces no PolicyAttestation artifact",
          "Issue a PolicyAttestation for a test scope and verify the Ed25519 signature against the declared AI Governance Lead signing key's public key over the SHA-256 of the artifact body \u2192 assert cryptographic verification succeeds",
          "Submit the issued PolicyAttestation artifact to the Apeiris evidence ontology schema validator \u2192 assert zero schema violations and confirm all mandatory fields are present and non-null",
          "Inject an expired DV-08 prerequisite artifact and invoke attestation assembly \u2192 assert the workflow blocks issuance with an expired-prerequisite error and logs the check result in the attestation issuance log"
        ],
        "human_review": [
          "Review the attestation assembly workflow's prerequisite check logic to confirm it enforces hard blocks on expired or fail-verdict peer prerequisites rather than advisory warnings that can be overridden by workflow operators under time pressure",
          "Assess the co-signatory workflow to verify that General Counsel review covers the full evidence summary and underlying gap inventory, not only the final verdict field, ensuring that sign-off reflects informed review",
          "Verify that the PolicyAttestation validity window and renewal cadence are calibrated to the organization's regulatory disclosure obligations and the contractual AI governance assurance requirements in active customer and vendor agreements"
        ],
        "blocking_effect": "blocks-deployment",
        "normative_status": "certification-standard",
        "anti_patterns": [
          "Issuing PolicyAttestation without first verifying that IC-08 IdentityAttestation and DV-08 DataGovernanceAttestation peer prerequisites are valid and unexpired, producing a domain attestation that does not reflect the full cross-domain governance posture required by the federation specification",
          "Producing a PolicyAttestation with a 'pass' verdict when contributing PE-layer controls have unresolved high-severity gaps, overstating governance posture to regulators, auditors, and counterparties who rely on the attestation for risk decisions",
          "Treating PolicyAttestation as a periodic compliance document rather than an active deployment prerequisite, allowing new AI system deployments to proceed without confirming a current valid attestation is in place",
          "Allowing the attestation assembly workflow to issue artifacts without General Counsel co-signature by treating the co-signatory step as skippable during time-constrained situations such as urgent deployment timelines",
          "Setting the attestation confidence threshold so low that PolicyAttestation artifacts with minimal evidence coverage receive 'pass' verdicts, degrading the assurance signal value of the attestation for external reliance by auditors and customers"
        ],
        "update_status": "current",
        "schema_version": "1.1.0",
        "cross_domain": {
          "feeds": [
            "apeiris://agentic/controls/AT-02",
            "apeiris://agentic/controls/AT-03",
            "apeiris://compliance/controls/AU-08"
          ]
        },
        "layer_code": "PE"
      }
    ]
  }
}
